SQL Injection
~羽~.
Just growing wild
sqli-labs: less-33 (wide-byte bypass of addslashes())
Original · 2021-10-19 11:28:12 · 196 reads · 0 comments
sqli-labs: less-32 (wide-byte injection)
Why wide-byte injection arises: 1. When MySQL uses the GBK encoding, it treats two bytes as one Chinese character, e.g. %aa%5c is one character (the first byte must be above 128 to fall in the Chinese-character range). 2. The mysqli_real_escape_string() function escapes special characters in a string for use in an SQL statement. mysqli_real_escape_string(connection, escapestring): connection is required and specifies the MySQL connection to use; escapestr...
Original · 2021-10-19 11:19:44 · 3056 reads · 1 comment
sqli-labs: less-29 (two-server single-quote string injection)
I'll put off building the two-server setup for now and just take notes from someone else's write-up. Note: screenshots etc. come from "MySQL注入天书: Less 29". The server side has two parts: the first is a JSP server with Tomcat as its engine, the second is a PHP server with Apache as its engine; the one actually providing the web service is the PHP server. The workflow: the client accesses the server and reaches the Tomcat server directly, then the Tomcat server requests data from the Apache server. Data returns along the reverse path. Next comes the question of parameter parsing. Q: index.php...
Repost · 2021-10-13 21:46:20 · 144 reads · 0 comments
sqli-labs: less-28a
Original · 2021-10-11 17:01:19 · 106 reads · 0 comments
sqli-labs: less-28 (union and select filtered)
Original · 2021-09-15 19:42:16 · 246 reads · 0 comments
sqli-labs: less-27a (union and select filtered)
Original · 2021-09-15 19:25:18 · 126 reads · 0 comments
sqli-labs: less-27 (select and union filtered)
Original · 2021-09-14 12:53:27 · 463 reads · 0 comments
sqli-labs: less-26a (spaces and comments filtered, error-based injection not possible)
Original · 2021-09-14 11:02:42 · 326 reads · 0 comments
sqli-labs: less-26 (spaces and comments filtered)
The image hint says that spaces and comments are filtered.
Original · 2021-09-13 16:37:34 · 192 reads · 0 comments
sqli-labs: less-25a (or and and filtered)
Original · 2021-09-13 15:38:16 · 99 reads · 0 comments
sqli-labs: less-25 (and and or filtered)
Very user-friendly: it even returns the statement after filtering, which makes it convenient for learning.
Original · 2021-09-12 17:14:39 · 207 reads · 0 comments
sqli-labs: less-24 (POST second-order injection)
mysql_real_escape_string(string, connection): because every incoming parameter in the PHP back end is transformed by this function, the characters relevant to SQL injection get escaped: \x00 \n \r \ ' " \x1a. Moreover, on login, many pages don't return the data from the SQL injection either; they only return some fixed image or message, which leaves blind injection as the only option, and that is blocked by this function's filtering as well.
Original · 2021-09-12 16:56:29 · 152 reads · 0 comments
sqli-labs: less-23
Original · 2021-09-11 21:45:28 · 80 reads · 0 comments
sqli-labs: less-22
Original · 2021-09-11 17:17:08 · 98 reads · 0 comments
sqli-labs: less-21
Very similar to less-20. Then I noticed the cookie is base64-encoded; decoding it gives Dumb. So the cookie is the injection point, just with a base64 encoding. A quick aside: base32 consists only of uppercase letters and digits, or may end with three equals signs; base64 consists of uppercase letters, digits and lowercase letters, and usually ends with two equals signs. So the original injection statement has to be base64-encoded and then placed in the cookie for injection.
Original · 2021-09-10 18:45:03 · 173 reads · 0 comments
sqli-labs: less-20
It echoes a lot of HTTP headers. The injection point should be the Cookie header.
Original · 2021-09-10 15:52:21 · 156 reads · 0 comments
sqli-labs: less-19
Original · 2021-09-09 10:42:45 · 100 reads · 0 comments
sqli-labs: less-18
Original · 2021-09-08 16:26:07 · 161 reads · 0 comments
sqli-labs: less-17
Original · 2021-09-06 14:34:37 · 116 reads · 0 comments
sqli-labs: less-16
Original · 2021-08-29 14:48:23 · 188 reads · 0 comments
sqli-labs: less-15
Original · 2021-08-29 13:50:28 · 170 reads · 0 comments
sqli-labs: less-14
Original · 2021-08-16 16:12:05 · 151 reads · 0 comments
sqli-labs: less-13
Original · 2021-07-24 18:38:19 · 169 reads · 0 comments
sqli-labs: less-12
Original · 2021-07-23 15:46:06 · 144 reads · 0 comments
sqli-labs: less-11
POST single-quote injection
Original · 2021-07-22 18:12:09 · 124 reads · 0 comments
sqli-labs: less-10
Original · 2021-07-21 19:26:20 · 73 reads · 0 comments
sqli-labs: less-9 (time-based blind injection)
Original · 2021-07-21 19:22:01 · 414 reads · 0 comments
sqli-labs: less-8
Original · 2021-07-15 16:08:18 · 104 reads · 0 comments
sqli-labs: less-7
Original · 2021-07-14 14:09:48 · 304 reads · 0 comments
sqli-labs: pass-6 (double-quote error-based injection)
Original · 2021-07-13 21:03:33 · 96 reads · 0 comments
sqli-labs: less-5 (single-quote error-based injection)
?id=1, ?id=2, ?id=3: at this point only this one page is echoed back.
Original · 2021-07-13 20:49:07 · 238 reads · 1 comment
sqli-labs: less-4 (double-quote error-based injection)
Original · 2021-07-13 13:47:46 · 199 reads · 0 comments
sqli-labs: less-3 (string-type error-based injection, data wrapped in parentheses)
Original · 2021-07-13 13:28:12 · 130 reads · 0 comments
sqli-labs: less-2 (numeric error-based injection)
Posting the source code:
Original · 2021-07-12 15:23:21 · 215 reads · 0 comments
sqli-labs: less-1 (string-type error-based injection)
id=1; id=1 and 1=1 (normal); id=1 and 1=2 (normal), so it is judged not to be numeric. id=1' (error); id=1'--+ (normal); id=1' or '1'='1 (normal), so it is string-type. id=1' and '1'='2 (error). id=1' order by 1--+; id=1' order by 2--+; id=1' order by 3--+; id=1' order by 4--+ (unknown column). id=-1' union select 1,2,3-- (returns 2,3); id=-1' uni...
Original · 2021-07-12 14:57:34 · 154 reads · 0 comments